#649344 timidity: embedded fork of libmikmod needs to be dealt with

Package:
timidity
Source:
timidity
Description:
Software sound renderer (MIDI sequencer, MOD player)
Submitter:
Geoffrey Thomas
Date:
2024-01-29 18:45:05 UTC
Severity:
important
Tags:
#649344#5
Date:
2011-11-20 04:43:23 UTC
From libunimod/AUTHORS:
"""
Code in this directory was modified by Paolo Bonzini <bonzini@gnu.org>
starting from libmikmod 3.1.8

libmikmod was cleaned up, removing code that was needed by libmikmod's
portability (MD_) layer and data that were needed by the player.  The
player itself now forms the core of TiMidity++'s mod.c file but is
detached from libunimod, which is nothing more than a generic module->UNI
converter.  In addition, libmikmod's own portable file I/O routines were
changed to rely on libarc's URL objects.
"""

We do need to deal with this, but upstream mikmod was last merged in
2000 and I'm a bit worried about what exactly was "cleaned up", so I'm not
really looking forward to dealing with this before fixing the more
pressing bugs like the FTBFS. So I'm filing an RC bug and uploading with a
Lintian override, and will take a closer look sometime later. This bug has
been presumably present since forever, but the Lintian check is new as of
this February.

I'm also a bit skeptical of this libarc directory (what it does, whether
it's _actually_ free, etc.), incidentally.

#649344#10
Date:
2012-07-20 17:52:27 UTC
Well, there has been some upstream development of mikmod:

http://sourceforge.net/projects/mikmod/
http://mikmod.hg.sourceforge.net/hgweb/mikmod/mikmod/file/tip/libmikmod/loaders

Not sure if a libmikmod could be produced from that package and how easy it
would be to tie that to timidity++.

As for libarc, see
http://www.onicos.com/staff/iz/release/
below. AFAIK, it has GPL license...

Yours,
	Yair K.

#649344#15
Date:
2012-09-25 12:59:04 UTC
severity 649344 important
thanks

Hi,

I'm lowering severity, for policy 4.13 is a "should", and violations of
it are not considered release critical.

Regards,

Guo Yixuan

#649344#22
Date:
2024-01-29 18:40:53 UTC
The embedded fork is vulnerable to CVE-2009-0179, CVE-2009-3996, CVE-2010-2546, and CVE-2010-2971,
as indicated by upstream version 2.15.0's changelog.

Please update or replace the embedded fork.