diff -u tikiwiki-1.9.7+dfsg/debian/patches/00list tikiwiki-1.9.7+dfsg/debian/patches/00list
--- tikiwiki-1.9.7+dfsg/debian/patches/00list
+++ tikiwiki-1.9.7+dfsg/debian/patches/00list
@@ -1,0 +2,2 @@
+90_CVE-2007-4554.dpatch
+90_CVE-2007-5423_CVE-2007-5682.dpatch
diff -u tikiwiki-1.9.7+dfsg/debian/changelog tikiwiki-1.9.7+dfsg/debian/changelog
--- tikiwiki-1.9.7+dfsg/debian/changelog
+++ tikiwiki-1.9.7+dfsg/debian/changelog
@@ -1,3 +1,27 @@
+tikiwiki (1.9.7+dfsg-1ubuntu1.1) feisty-security; urgency=low
+
+  * SECURITY UPDATE: (LP: #163833)
+    + CVE-2007-4554: Cross-site scripting (XSS) vulnerability in
+      tiki-remind_password.php in Tikiwiki (aka Tiki CMS/Groupware) 1.9.7 allows
+      remote attackers to inject arbitrary web script or HTML via the username
+      parameter. NOTE: this issue might be related to CVE-2006-2635.7.
+    + CVE-2007-5423: Eval injection vulnerability in tiki-graph_formula.php in
+      TikiWiki 1.9.8 allows remote attackers to execute arbitrary code via PHP
+      sequences in the f array parameter.
+    + CVE-2007-5682: Unspecified vulnerability in tiki-graph_formula.php in
+      TikiWiki before 1.9.8.2 has unknown impact and attack vectors, a different
+      vulnerability than CVE-2007-5423.
+  * debian/patches/90_CVE-2007-4554.dpatch:
+    - Applied patch by upstream
+  * debian/patches/90_CVE-2007-5423_CVE-2007-5682.dpatch:
+    - Applied patch by upstream
+  * References:
+    CVE-2007-4554
+    CVE-2007-5423
+    CVE-2007-5682
+
+ -- Stephan Hermann  Mon, 26 Nov 2007 15:34:47 +0100
+
 tikiwiki (1.9.7+dfsg-1ubuntu1) feisty; urgency=low
 
   * Depends on PHP 5 packages (LP: 96361)
only in patch2:
unchanged:
--- tikiwiki-1.9.7+dfsg.orig/debian/patches/90_CVE-2007-4554.dpatch
+++ tikiwiki-1.9.7+dfsg/debian/patches/90_CVE-2007-4554.dpatch
@@ -0,0 +1,19 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 90_CVE-2007-4554.dpatch by Stephan Hermann
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+@DPATCH@
+diff -urNad tikiwiki-1.9.7+dfsg~/templates/tiki-remind_password.tpl tikiwiki-1.9.7+dfsg/templates/tiki-remind_password.tpl
+--- tikiwiki-1.9.7+dfsg~/templates/tiki-remind_password.tpl	2005-08-17 22:28:55.000000000 +0200
++++ tikiwiki-1.9.7+dfsg/templates/tiki-remind_password.tpl	2007-11-26 14:49:46.455259119 +0100
+@@ -2,7 +2,7 @@
+ 
+ {if $showmsg ne 'n'}
+ {if $showmsg eq 'e'}{/if}
+-  {$msg}
++  {$msg|escape 'html'}
+ {if $showmsg eq 'e'}{/if}
+ 
+ {/if}
only in patch2:
unchanged:
--- tikiwiki-1.9.7+dfsg.orig/debian/patches/90_CVE-2007-5423_CVE-2007-5682.dpatch
+++ tikiwiki-1.9.7+dfsg/debian/patches/90_CVE-2007-5423_CVE-2007-5682.dpatch
@@ -0,0 +1,47 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 90_CVE-2007-5423_CVE-2007-5682.dpatch by Stephan Hermann
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+@DPATCH@
+diff -urNad tikiwiki-1.9.7+dfsg~/tiki-graph_formula.php tikiwiki-1.9.7+dfsg/tiki-graph_formula.php
+--- tikiwiki-1.9.7+dfsg~/tiki-graph_formula.php	2005-05-13 00:20:03.000000000 +0200
++++ tikiwiki-1.9.7+dfsg/tiki-graph_formula.php	2007-11-26 15:22:04.565705780 +0100
+@@ -44,16 +44,15 @@
+ 	global $valid;
+ 
+ 	// Stripping all quotes
+-	$formula = str_replace( '`', '', $formula );
+-	$formula = str_replace( '"', '', $formula );
+-	$formula = str_replace( "'", '', $formula );
++	$chars = array( '`', "'", '"', '&', '[', ']', '$', '{', '}' );
++	$formula = str_replace( $chars, array_fill( 0, count($chars), '' ), $formula );
+ 
+ 	// Make sure only valid functions are used
+ 	preg_match_all( '/([a-z0-9_]+)/i', $formula, $out, PREG_PATTERN_ORDER );
+-	foreach( $out as $match )
+-		if( !in_array( strtolower( $match[1] ), $valid ) && $match[1] !== 'x' )
+-			die( "Invalid function call {$match[1]}" );
+-
++	foreach( $out[0] as $match )
++		if( !is_numeric( $match ) && !in_array( strtolower( $match ), $valid ) && $match !== 'x' )
++			die( "Invalid function call {$match}" );
++
+ 	// Replace spaces for commas
+ 	$formula = preg_replace( "/\s+/", ', ', $formula );
+ 
+@@ -61,6 +60,13 @@
+ 
+ 	return create_function('$x', "return $formula;");
+ }
++// Now check permissions to access this page
++if ($feature_sheet != 'y') {
++	$smarty->assign('msg', tra("This feature is disabled").": feature_sheets, feature_charts");
++
++	$smarty->display("error.tpl");
++	die;
++}
+ 
+ if( !( is_numeric( $_GET['w'] )
+ 	&& is_numeric( $_GET['h'] )
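Review bot: The new template line `{$msg|escape 'html'}` separates the modifier parameter with a space, whereas Smarty's documented modifier syntax uses a colon, `{$msg|escape:'html'}`; depending on how the bundled Smarty version tokenizes that space the argument may be ignored or the template may fail to compile, so the fix should be checked by requesting the page with a username containing `<script>` and confirming the rendered message is HTML-encoded. Since `escape` defaults to html mode, the plain `{$msg|escape}` would also be sufficient and avoids the question. This closes the sink in tiki-remind_password.tpl only; whether other templates render a `$msg` built from the same username parameter cannot be determined from this hunk. The `{if $showmsg ...}` block opens and closes within the inner hunk, so the change is self-contained there.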
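Review bot: The new sanitizer in tiki-graph_formula.php is still a deny-list: it strips quotes, `&`, `[]`, `$` and `{}` but the result is then interpolated verbatim into `create_function('$x', "return $formula;")`, so other PHP syntax such as `;`, `?>`, `#`, `\` and `<`/`>` still reaches the generated code, and whether any of that is exploitable depends on the contents of `$valid`, which is outside the hunk. A safer shape is to accept the formula only when the entire string matches an anchored allow-list of what a graph formula legitimately needs and reject it otherwise, e.g. `if (!preg_match('/^[a-z0-9_\s+\-*\/^(),.]*$/i', $formula)) die('Invalid formula');` placed before the `preg_match_all` token check, with the operator set taken from what the graphing code actually evaluates. The block added at the end of the hunk is commented `// Now check permissions to access this page` but only tests `$feature_sheet != 'y'`; no permission variable is consulted and the message names `feature_sheets, feature_charts` while a single flag is checked, so either reword the comment to `// Refuse to serve the graph unless the sheet feature is enabled` or add the intended permission check. That block also depends on `$feature_sheet` already having been populated by setup code that is not visible in this hunk.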