diff -Nru /tmp/3gDbSqUz0f/drupal5-5.2/debian/changelog /tmp/9grhRloLvo/drupal5-5.2/debian/changelog
--- /tmp/3gDbSqUz0f/drupal5-5.2/debian/changelog 2008-01-11 13:12:58.000000000 +0100
+++ /tmp/9grhRloLvo/drupal5-5.2/debian/changelog 2008-01-11 13:12:58.000000000 +0100
@@ -1,3 +1,14 @@
+drupal5 (5.2-2ubuntu2.2) gutsy-security; urgency=low
+
+ * SECURITY UPDATE:
+ Fix several security issues found in drupal 5.4.
+ * Patches are taken from the drupal security announcememnts:
+ - SA-2007-31: SQJ injection possible when certain contributed modules are enabled
+ * References:
+ - SA-2007-31: http://drupal.org/node/198162
+
+ -- Emanuele Gentili Fri, 11 Jan 2008 13:05:02 +0100
+
 drupal5 (5.2-2ubuntu2.1) gutsy-security; urgency=low
 * SECURITY UPDATE:
diff -Nru /tmp/3gDbSqUz0f/drupal5-5.2/modules/taxonomy/taxonomy.module /tmp/9grhRloLvo/drupal5-5.2/modules/taxonomy/taxonomy.module
--- /tmp/3gDbSqUz0f/drupal5-5.2/modules/taxonomy/taxonomy.module 2007-07-26 21:16:49.000000000 +0200
+++ /tmp/9grhRloLvo/drupal5-5.2/modules/taxonomy/taxonomy.module 2008-01-11 13:12:58.000000000 +0100
@@ -1248,27 +1248,31 @@ } if ($operator == 'or') { - $str_tids = implode(',', call_user_func_array('array_merge', $descendant_tids)); - $sql = 'SELECT DISTINCT(n.nid), n.sticky, n.title, n.created FROM {node} n INNER JOIN {term_node} tn ON n.nid = tn.nid WHERE tn.tid IN ('. $str_tids .') AND n.status = 1 ORDER BY '. $order; - $sql_count = 'SELECT COUNT(DISTINCT(n.nid)) FROM {node} n INNER JOIN {term_node} tn ON n.nid = tn.nid WHERE tn.tid IN ('. $str_tids .') AND n.status = 1'; + $args = call_user_func_array('array_merge', $descendant_tids); + $placeholders = implode(',', array_fill(0, count($args), '%d')); + $sql = 'SELECT DISTINCT(n.nid), n.sticky, n.title, n.created FROM {node} n INNER JOIN {term_node} tn ON n.nid = tn.nid WHERE tn.tid IN ('. $placeholders .') AND n.status = 1 ORDER BY '. $order; + $sql_count = 'SELECT COUNT(DISTINCT(n.nid)) FROM {node} n INNER JOIN {term_node} tn ON n.nid = tn.nid WHERE tn.tid IN ('. $placeholders .') AND n.status = 1'; } else { $joins = ''; $wheres = ''; + $args = array(); foreach ($descendant_tids as $index => $tids) { $joins .= ' INNER JOIN {term_node} tn'. $index .' ON n.nid = tn'. $index .'.nid'; - $wheres .= ' AND tn'. $index .'.tid IN ('. implode(',', $tids) .')'; - } + $placeholders = implode(',', array_fill(0, count($tids), '%d')); + $wheres .= ' AND tn'. $index .'.tid IN ('. $placeholders .')'; + $args = array_merge($args, $tids); + } $sql = 'SELECT DISTINCT(n.nid), n.sticky, n.title, n.created FROM {node} n '. $joins .' WHERE n.status = 1 '. $wheres .' ORDER BY '. $order; $sql_count = 'SELECT COUNT(DISTINCT(n.nid)) FROM {node} n '. $joins .' WHERE n.status = 1 '. 
$wheres; } $sql = db_rewrite_sql($sql); $sql_count = db_rewrite_sql($sql_count); if ($pager) { - $result = pager_query($sql, variable_get('default_nodes_main', 10), 0, $sql_count); + $result = pager_query($sql, variable_get('default_nodes_main', 10), 0, $sql_count, $args); } else { - $result = db_query_range($sql, 0, variable_get('feed_default_items', 10)); + $result = db_query_range($sql, 0, variable_get('feed_default_items', 10), $args); } }
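Review bot: The feed branch at the end of the hunk passes `$args` after the range values, `db_query_range($sql, 0, variable_get('feed_default_items', 10), $args)`, which does not match the argument order Drupal 5's `db_query_range()` expects. That function is not shown on this page, but in Drupal 5 it takes the substitution arguments first and reads `$from` and `$count` from the last two parameters, so here the `%d` placeholders would likely be filled from `0` and the limit derived from the array, leaving the non-pager path returning wrong or no rows. The call should read `$result = db_query_range($sql, $args, 0, variable_get('feed_default_items', 10));`; the `pager_query()` call above it already has `$args` in the trailing position that function uses. Separately, `ORDER BY '. $order` is still concatenated into `$sql`, and `$order` is defined outside this hunk (the enclosing function starts before it), so a comment stating that `$order` must be a trusted constant and never request data would help.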