An updated thunderstonePatch package, 1.26, has been released. It will remove the unused Webalizer package and the extra "/usage" directory it makes visible via http. There's no real-world vulnerability involved but it may be necessary to pass security audits.