diff -Nru /tmp/4leDVklOYM/drupal5-5.2/debian/changelog /tmp/coD0P0Q6g1/drupal5-5.2/debian/changelog
--- /tmp/4leDVklOYM/drupal5-5.2/debian/changelog	2008-01-11 14:10:59.000000000 +0100
+++ /tmp/coD0P0Q6g1/drupal5-5.2/debian/changelog	2008-01-11 14:11:00.000000000 +0100
@@ -1,3 +1,14 @@
+drupal5 (5.2-2ubuntu2.2) gutsy-security; urgency=low
+
+  * SECURITY UPDATE:
+    Fix several security issues found in drupal 5.2.
+  * Patches are taken from the drupal security announcements:
+    - SA-2007-031: SQL injection possible when certain contributed modules are enabled
+  * References:
+    - SA-2007-031: http://drupal.org/node/198162
+
+ -- Emanuele Gentili <emgent@emanuele-gentili.com>  Fri, 11 Jan 2008 14:03:27 +0100
+
 drupal5 (5.2-2ubuntu2.1) gutsy-security; urgency=low
 
   * SECURITY UPDATE:
diff -Nru /tmp/4leDVklOYM/drupal5-5.2/debian/patches/00list /tmp/coD0P0Q6g1/drupal5-5.2/debian/patches/00list
--- /tmp/4leDVklOYM/drupal5-5.2/debian/patches/00list	2008-01-11 14:10:59.000000000 +0100
+++ /tmp/coD0P0Q6g1/drupal5-5.2/debian/patches/00list	2008-01-11 14:11:00.000000000 +0100
@@ -5,3 +5,4 @@
 SA-2007-026-5.2
 SA-2007-029-5.2
 SA-2007-030-5.2
+SA-2007-031-5.2
diff -Nru /tmp/4leDVklOYM/drupal5-5.2/debian/patches/SA-2007-031-5.2.dpatch /tmp/coD0P0Q6g1/drupal5-5.2/debian/patches/SA-2007-031-5.2.dpatch
--- /tmp/4leDVklOYM/drupal5-5.2/debian/patches/SA-2007-031-5.2.dpatch	1970-01-01 01:00:00.000000000 +0100
+++ /tmp/coD0P0Q6g1/drupal5-5.2/debian/patches/SA-2007-031-5.2.dpatch	2008-01-11 14:11:00.000000000 +0100
@@ -0,0 +1,48 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## SA-2007-031-5.2.dpatch by Emanuele Gentili <emgent@emanuele-gentili.com>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+@DPATCH@
+diff -urNad drupal5-5.2~/modules/taxonomy/taxonomy.module drupal5-5.2/modules/taxonomy/taxonomy.module
+--- drupal5-5.2~/modules/taxonomy/taxonomy.module	2007-07-26 21:16:49.000000000 +0200
++++ drupal5-5.2/modules/taxonomy/taxonomy.module	2008-01-11 14:01:46.000000000 +0100
+@@ -1248,16 +1248,20 @@
+     }
+ 
+     if ($operator == 'or') {
+-      $str_tids = implode(',', call_user_func_array('array_merge', $descendant_tids));
+-      $sql = 'SELECT DISTINCT(n.nid), n.sticky, n.title, n.created FROM {node} n INNER JOIN {term_node} tn ON n.nid = tn.nid WHERE tn.tid IN ('. $str_tids .') AND n.status = 1 ORDER BY '. $order;
+-      $sql_count = 'SELECT COUNT(DISTINCT(n.nid)) FROM {node} n INNER JOIN {term_node} tn ON n.nid = tn.nid WHERE tn.tid IN ('. $str_tids .') AND n.status = 1';
++      $args = call_user_func_array('array_merge', $descendant_tids);
++      $placeholders = implode(',', array_fill(0, count($args), '%d'));
++      $sql = 'SELECT DISTINCT(n.nid), n.sticky, n.title, n.created FROM {node} n INNER JOIN {term_node} tn ON n.nid = tn.nid WHERE tn.tid IN ('. $placeholders .') AND n.status = 1 ORDER BY '. $order;
++      $sql_count = 'SELECT COUNT(DISTINCT(n.nid)) FROM {node} n INNER JOIN {term_node} tn ON n.nid = tn.nid WHERE tn.tid IN ('. $placeholders .') AND n.status = 1';
+     }
+     else {
+       $joins = '';
+       $wheres = '';
++      $args = array();
+       foreach ($descendant_tids as $index => $tids) {
+         $joins .= ' INNER JOIN {term_node} tn'. $index .' ON n.nid = tn'. $index .'.nid';
+-        $wheres .= ' AND tn'. $index .'.tid IN ('. implode(',', $tids) .')';
++        $placeholders = implode(',', array_fill(0, count($tids), '%d'));
++        $wheres .= ' AND tn'. $index .'.tid IN ('. $placeholders .')';
++        $args = array_merge($args, $tids)
+       }
+       $sql = 'SELECT DISTINCT(n.nid), n.sticky, n.title, n.created FROM {node} n '. $joins .' WHERE n.status = 1 '. $wheres .' ORDER BY '. $order;
+       $sql_count = 'SELECT COUNT(DISTINCT(n.nid)) FROM {node} n '. $joins .' WHERE n.status = 1 '. $wheres;
+@@ -1265,10 +1269,10 @@
+     $sql = db_rewrite_sql($sql);
+     $sql_count = db_rewrite_sql($sql_count);
+     if ($pager) {
+-      $result = pager_query($sql, variable_get('default_nodes_main', 10), 0, $sql_count);
++      $result = pager_query($sql, variable_get('default_nodes_main', 10), 0, $sql_count, $args);
+     }
+     else {
+-      $result = db_query_range($sql, 0, variable_get('feed_default_items', 10));
++      $result = db_query_range($sql, 0, variable_get('feed_default_items', 10), $args);
+     }
+   }
+