Just shortly after I put our family tree online, I discover the 4.1.4 update of PhpGedView still packages an outdated (and vulnerable) version of PunBB. (A slightly newer version of PunBB is in the PhpGedView repository head.) Granted this is a contributed module, but this is a nuisance.
In this case, it's easier to apply the changes between 1.2.12 and 1.2.17, to the version of 1.2.12 included with PGV. (The patchfile is 66K in size. In contrast, the diff file between vanilla 1.2.12 and the hacked version included with PGV was over 1M in size, and touched nearly twice as many files.)