diff -u drupal5-5.7/debian/changelog drupal5-5.7/debian/changelog
--- drupal5-5.7/debian/changelog
+++ drupal5-5.7/debian/changelog
@@ -1,3 +1,31 @@
+drupal5 (5.7-1ubuntu1.2) hardy-security; urgency=low
+
+ * SECURITY UPDATE: Multiple vulnerabilities and weaknesses
+ were discovered in Drupal. (LP: #431080):
+ - 12_SA-2008-046
+ - 13_SA-2008-047
+ - 14_SA-2008-060
+ - 15_SA-2008-067
+ - 16_SA-2008-073
+ - 17_SA-CORE-2009-001
+ - 18_SA-CORE-2009-005
+ - 19_SA-CORE-2009-006
+ - 20_SA-CORE-2009-007
+ - 21_SA-CORE-2009-008
+ - 22_SA-CORE-2009-009
+
+ * Fixes:
+ - CVE-2008-6171
+ - CVE-2008-6532
+ - CVE-2008-6533
+ - CVE-2009-1576
+ - CVE-2009-2372
+ - CVE-2009-2373
+ - CVE-2009-2374
+ - CVE-2009-4370
+
+ -- Artur Rona Sun, 31 Jan 2010 14:40:34 +0100
+
 drupal5 (5.7-1ubuntu1.1) hardy-security; urgency=high
 * SECURITY UPDATE:
diff -u drupal5-5.7/debian/patches/00list drupal5-5.7/debian/patches/00list
--- drupal5-5.7/debian/patches/00list
+++ drupal5-5.7/debian/patches/00list
@@ -3,0 +4,10 @@
+13_SA-2008-047
+14_SA-2008-060
+15_SA-2008-067
+16_SA-2008-073
+17_SA-CORE-2009-001
+18_SA-CORE-2009-005
+19_SA-CORE-2009-006
+20_SA-CORE-2009-007
+21_SA-CORE-2009-008
+22_SA-CORE-2009-009
only in patch2: unchanged:
--- drupal5-5.7.orig/debian/patches/18_SA-CORE-2009-005.dpatch
+++ drupal5-5.7/debian/patches/18_SA-CORE-2009-005.dpatch
@@ -0,0 +1,114 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 18_SA-CORE-2009-005.dpatch by Artur Rona +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Cross site scripting. +## +## Ubuntu: https://bugs.launchpad.net/bugs/431080 +## Upstream: http://drupal.org/node/449078 +## Patch: http://drupal.org/files/sa-core-2009-005/SA-CORE-2009-005-5.16.patch + +@DPATCH@ + +diff -pruN -x '*~' drupal-5.15.orig/includes/bootstrap.inc drupal-5.15/includes/bootstrap.inc +--- drupal-5.15.orig/includes/bootstrap.inc 2009-01-14 20:12:27.000000000 +0100 ++++ drupal-5.15/includes/bootstrap.inc 2009-10-21 00:55:49.000000000 +0200 +@@ -725,7 +725,8 @@ function request_uri() { + $uri = $_SERVER['SCRIPT_NAME'] .'?'. $_SERVER['QUERY_STRING']; + } + } +- ++ // Prevent multiple slashes to avoid cross site requests via the FAPI. ++ $uri = '/'. ltrim($uri, '/'); + return $uri; + } + +diff -pruN -x '*~' drupal-5.15.orig/includes/common.inc drupal-5.15/includes/common.inc +--- drupal-5.15.orig/includes/common.inc 2008-12-25 21:37:07.000000000 +0100 ++++ drupal-5.15/includes/common.inc 2009-10-21 00:56:43.000000000 +0200 +@@ -152,6 +152,15 @@ function drupal_get_headers() { + } + + /** ++ * Make any final alterations to the rendered xhtml. ++ */ ++function drupal_final_markup($content) { ++ // Make sure that the charset is always specified as the first element of the ++ // head region to prevent encoding-based attacks. ++ return preg_replace('/]*>/i', "\$0\n", $content, 1); ++} ++ ++/** + * Add a feed URL for the current page. 
+ * + * @param $url +diff -pruN -x '*~' drupal-5.15.orig/includes/theme.inc drupal-5.15/includes/theme.inc +--- drupal-5.15.orig/includes/theme.inc 2008-12-05 23:32:50.000000000 +0100 ++++ drupal-5.15/includes/theme.inc 2009-10-21 00:57:25.000000000 +0200 +@@ -168,7 +168,12 @@ function theme() { + $functions[$function] = theme_get_function($function); + } + if ($functions[$function]) { +- return call_user_func_array($functions[$function], $args); ++ $output = call_user_func_array($functions[$function], $args); ++ // Add final markup to the full page. ++ if ($function == 'page') { ++ $output = drupal_final_markup($output); ++ } ++ return $output; + } + } + +diff -pruN -x '*~' drupal-5.15.orig/themes/bluemarine/page.tpl.php drupal-5.15/themes/bluemarine/page.tpl.php +--- drupal-5.15.orig/themes/bluemarine/page.tpl.php 2006-08-30 09:37:13.000000000 +0200 ++++ drupal-5.15/themes/bluemarine/page.tpl.php 2009-10-21 00:58:03.000000000 +0200 +@@ -2,8 +2,8 @@ + + + +- <?php print $head_title ?> + ++ <?php print $head_title ?> + + + +diff -pruN -x '*~' drupal-5.15.orig/themes/chameleon/chameleon.theme drupal-5.15/themes/chameleon/chameleon.theme +--- drupal-5.15.orig/themes/chameleon/chameleon.theme 2007-05-31 08:13:36.000000000 +0200 ++++ drupal-5.15/themes/chameleon/chameleon.theme 2009-10-21 00:58:49.000000000 +0200 +@@ -39,8 +39,8 @@ function chameleon_page($content, $show_ + $output = "\n"; + $output .= "\n"; + $output .= "\n"; +- $output .= " ". ($title ? strip_tags($title) ." | ". variable_get("site_name", "Drupal") : variable_get("site_name", "Drupal") ." | ". variable_get("site_slogan", "")) ."\n"; + $output .= drupal_get_html_head(); ++ $output .= " ". ($title ? strip_tags($title) ." | ". variable_get("site_name", "Drupal") : variable_get("site_name", "Drupal") ." | ". 
variable_get("site_slogan", "")) ."\n"; + $output .= drupal_get_css(); + $output .= drupal_get_js(); + $output .= ""; +diff -pruN -x '*~' drupal-5.15.orig/themes/garland/page.tpl.php drupal-5.15/themes/garland/page.tpl.php +--- drupal-5.15.orig/themes/garland/page.tpl.php 2006-12-14 01:37:00.000000000 +0100 ++++ drupal-5.15/themes/garland/page.tpl.php 2009-10-21 00:59:27.000000000 +0200 +@@ -2,8 +2,8 @@ + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> + + +- <?php print $head_title ?> + ++ <?php print $head_title ?> + + + +diff -pruN -x '*~' drupal-5.15.orig/themes/pushbutton/page.tpl.php drupal-5.15/themes/pushbutton/page.tpl.php +--- drupal-5.15.orig/themes/pushbutton/page.tpl.php 2006-08-30 09:37:14.000000000 +0200 ++++ drupal-5.15/themes/pushbutton/page.tpl.php 2009-10-21 00:59:53.000000000 +0200 +@@ -1,9 +1,9 @@ + + + +- <?php print $head_title ?> + + ++ <?php print $head_title ?> + + + only in patch2: unchanged: --- drupal5-5.7.orig/debian/patches/14_SA-2008-060.dpatch +++ drupal5-5.7/debian/patches/14_SA-2008-060.dpatch 
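Review bot: `drupal_final_markup()` in the common.inc hunk carries a one-line docblock and no `@param`/`@return`, while the neighbouring functions in that file (the `drupal_add_feed()` block visible just below it) use full parameter documentation; add `@param $content The fully rendered page markup.` and `@return The markup with the charset meta element inserted directly after the opening head tag.` (the meta literal in the replacement string is not visible in this rendering, so verify the wording against it). The hook in theme.inc fires only when `$function == 'page'`, so any other path that emits a complete HTML document does not get this treatment; whether such paths exist in this release cannot be seen from the hunk. Since `$function` is a string key, `$function === 'page'` is the stricter form of that test.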
@@ -0,0 +1,257 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 14_SA-2008-060.dpatch by Artur Rona +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Multiple vulnerabilities and weaknesses were discovered in Drupal. +## +## Ubuntu: https://bugs.launchpad.net/bugs/431080 +## Upstream: http://drupal.org/node/318706 +## Patch: http://drupal.org/files/sa-2008-060/SA-2008-060-5.10.patch + +@DPATCH@ + +diff -pruN -x '*~' drupal-5.10.orig/modules/blogapi/blogapi.module drupal-5.10/modules/blogapi/blogapi.module +--- drupal-5.10.orig/modules/blogapi/blogapi.module 2008-08-14 01:59:09.000000000 +0200 ++++ drupal-5.10/modules/blogapi/blogapi.module 2009-11-30 20:38:13.000000000 +0100 +@@ -217,6 +217,11 @@ function blogapi_blogger_new_post($appke + + node_invoke_nodeapi($edit, 'blogapi new'); + ++ $valid = blogapi_status_error_check($edit, $publish); ++ if ($valid !== TRUE) { ++ return $valid; ++ } ++ + node_validate($edit); + if ($errors = form_get_errors()) { + return blogapi_error(implode("\n", $errors)); +@@ -254,7 +259,8 @@ function blogapi_blogger_edit_post($appk + if (!node_access('update', $node)) { + return blogapi_error(t('You do not have permission to update this post.')); + } +- ++ // Save the original status for validation of permissions. ++ $original_status = $node->status; + $node->status = $publish; + + // check for bloggerAPI vs. metaWeblogAPI +@@ -270,6 +276,11 @@ function blogapi_blogger_edit_post($appk + + node_invoke_nodeapi($node, 'blogapi edit'); + ++ $valid = blogapi_status_error_check($node, $original_status); ++ if ($valid !== TRUE) { ++ return $valid; ++ } ++ + node_validate($node); + if ($errors = form_get_errors()) { + return blogapi_error(implode("\n", $errors)); +@@ -303,6 +314,33 @@ function blogapi_blogger_get_post($appke + } + + /** ++ * Check that the user has permission to save the node with the chosen status. ++ * ++ * @return ++ * TRUE if no error, or the blogapi_error(). 
++ */ ++function blogapi_status_error_check($node, $original_status) { ++ ++ $node = (object) $node; ++ ++ $node_type_default = variable_get('node_options_'. $node->type, array('status', 'promote')); ++ ++ // If we don't have the 'administer nodes' permission and the status is ++ // changing or for a new node the status is not the content type's default, ++ // then return an error. ++ if (!user_access('administer nodes') && (($node->status != $original_status) || (empty($node->nid) && $node->status != in_array('status', $node_type_default)))) { ++ if ($node->status) { ++ return blogapi_error(t('You do not have permission to publish this type of post. Please save it as a draft instead.')); ++ } ++ else { ++ return blogapi_error(t('You do not have permission to save this post as a draft. Please publish it instead.')); ++ } ++ } ++ return TRUE; ++} ++ ++ ++/** + * Blogging API callback. Removes the specified blog node. + */ + function blogapi_blogger_delete_post($appkey, $postid, $username, $password, $publish) { +@@ -492,11 +530,60 @@ function blogapi_mt_set_post_categories( + foreach ($categories as $category) { + $node->taxonomy[] = $category['categoryId']; + } ++ $validated = blogapi_mt_validate_terms($node); ++ if ($validated !== TRUE) { ++ return $validated; ++ } + node_save($node); + return TRUE; + } + + /** ++ * Blogging API helper - find allowed taxonomy terms for a node type. ++ */ ++function blogapi_mt_validate_terms($node) { ++ // We do a lot of heavy lifting here since taxonomy module doesn't have a ++ // stand-alone validation function. ++ if (module_exists('taxonomy')) { ++ $found_terms = array(); ++ if (!empty($node->taxonomy)) { ++ $term_list = array_unique($node->taxonomy); ++ $placeholders = implode(', ', array_fill(0, count($term_list), '%d')); ++ $params = $term_list; ++ $params[] = $node->type; ++ $result = db_query(db_rewrite_sql("SELECT t.tid, t.vid FROM {term_data} t INNER JOIN {vocabulary_node_types} n ON t.vid = n.vid WHERE t.tid IN (". 
$placeholders .") AND n.type = '%s'", 't', 'tid'), $params); ++ $found_terms = array(); ++ $found_count = 0; ++ while ($term = db_fetch_object($result)) { ++ $found_terms[$term->vid][$term->tid] = $term->tid; ++ $found_count++; ++ } ++ // If the counts don't match, some terms are invalid or not accessible to this user. ++ if (count($term_list) != $found_count) { ++ return blogapi_error(t('Invalid categories submitted.')); ++ } ++ } ++ // Look up all the vocabularies for this node type. ++ $result2 = db_query(db_rewrite_sql("SELECT v.vid, v.name, v.required, v.multiple FROM {vocabulary} v INNER JOIN {vocabulary_node_types} n ON v.vid = n.vid WHERE n.type = '%s'", 'v', 'vid'), $node->type); ++ // Check each vocabulary associated with this node type. ++ while ($vocabulary = db_fetch_object($result2)) { ++ // Required vocabularies must have at least one term. ++ if ($vocabulary->required && empty($found_terms[$vocabulary->vid])) { ++ return blogapi_error(t('A category from the @vocabulary_name vocabulary is required.', array('@vocabulary_name' => $vocabulary->name))); ++ } ++ // Vocabularies that don't allow multiple terms may have at most one. ++ if (!($vocabulary->multiple) && (isset($found_terms[$vocabulary->vid]) && count($found_terms[$vocabulary->vid]) > 1)) { ++ return blogapi_error(t('You may only choose one category from the @vocabulary_name vocabulary.'), array('@vocabulary_name' => $vocabulary->name)); ++ } ++ } ++ } ++ elseif (!empty($node->taxonomy)) { ++ return blogapi_error(t('Error saving categories. This feature is not available.')); ++ } ++ return TRUE; ++} ++ ++/** + * Blogging API callback. Sends a list of available input formats. + */ + function blogapi_mt_supported_text_filters() { +@@ -527,11 +614,16 @@ function blogapi_mt_publish_post($postid + return blogapi_error(t('Invalid post.')); + } + +- $node->status = 1; +- if (!node_access('update', $node)) { ++ // Nothing needs to be done if already published. 
++ if ($node->status) { ++ return; ++ } ++ ++ if (!node_access('update', $node) || !user_access('administer nodes')) { + return blogapi_error(t('You do not have permission to update this post.')); + } + ++ $node->status = 1; + node_save($node); + + return TRUE; +diff -pruN -x '*~' drupal-5.10.orig/modules/node/node.module drupal-5.10/modules/node/node.module +--- drupal-5.10.orig/modules/node/node.module 2008-07-16 21:04:21.000000000 +0200 ++++ drupal-5.10/modules/node/node.module 2009-11-30 20:39:30.000000000 +0100 +@@ -2165,6 +2165,14 @@ function node_form($node, $form_values = + $form['delete'] = array('#type' => 'button', '#value' => t('Delete'), '#weight' => 50); + } + $form['#after_build'] = array('node_form_add_preview'); ++ // Ensure that node_validate() will always get called. ++ $form['#validate']['node_form_validate'] = array(); ++ // Also, if the module defines its own _validate() routine based on the ++ // form_id, include that in the #validate array, as well. ++ $node_validate = $node->type .'_node_form_validate'; ++ if (function_exists($node_validate)) { ++ $form['#validate'][$node_validate] = array(); ++ } + $form['#base'] = 'node_form'; + return $form; + } +diff -pruN -x '*~' drupal-5.10.orig/modules/upload/upload.module drupal-5.10/modules/upload/upload.module +--- drupal-5.10.orig/modules/upload/upload.module 2008-05-26 07:03:47.000000000 +0200 ++++ drupal-5.10/modules/upload/upload.module 2009-11-30 20:41:31.000000000 +0100 +@@ -878,8 +878,21 @@ function _upload_image($file) { + * Menu-callback for JavaScript-based uploads. + */ + function upload_js() { +- // We only do the upload.module part of the node validation process. +- $node = (object)$_POST; ++ if (isset($_POST['vid']) && is_numeric($_POST['vid'])) { ++ // Load the node and check the user is allowed to post attachments to it. ++ $node = node_load(array('vid' => $_POST['vid'])); ++ if (!$node || !node_access('update', $node) || !variable_get('upload_'. 
$node->type, TRUE)) { ++ // Setting this error will cause the form to fail validation. ++ form_set_error('form_token', t('Validation error, please try again. If this error persists, please contact the site administrator.')); ++ $output = theme('status_messages'); ++ print drupal_to_js(array('status' => TRUE, 'data' => $output)); ++ exit(); ++ } ++ } ++ else { ++ // This is a new node. ++ $node = new stdClass(); ++ } + + // Load existing node files. + $node->files = upload_load($node); +diff -pruN -x '*~' drupal-5.10.orig/modules/user/user.module drupal-5.10/modules/user/user.module +--- drupal-5.10.orig/modules/user/user.module 2008-08-14 01:59:09.000000000 +0200 ++++ drupal-5.10/modules/user/user.module 2009-11-30 20:43:38.000000000 +0100 +@@ -979,8 +979,17 @@ function user_authenticate($name, $pass) + + // Try to log in the user locally. Don't set $user unless successful. + if ($account = user_load(array('name' => $name, 'pass' => $pass, 'status' => 1))) { +- $user = $account; +- return $user; ++ // Check if the e-mail is denied by an access rule. ++ // Doing this check here saves us a user_load() in user_login_validate() ++ // and introduces less code change for a security fix. ++ if (drupal_is_denied('mail', $account->mail)) { ++ form_set_error('name', t('The name %name is registered using a reserved e-mail address and therefore could not be logged in.', array('%name' => $account->name))); ++ return; ++ } ++ else { ++ $user = $account; ++ return $user; ++ } + } + + // Strip name and server from ID: +@@ -1064,6 +1073,13 @@ function user_pass() { + + function user_pass_validate($form_id, $form_values) { + $name = $form_values['name']; ++ ++ // Blocked accounts cannot request a new password, ++ // check provided username and email against access rules. 
++ if (drupal_is_denied('user', $name) || drupal_is_denied('mail', $name)) { ++ form_set_error('name', t('%name is not allowed to request a new password.', array('%name' => $name))); ++ } ++ + $account = user_load(array('mail' => $name, 'status' => 1)); + if (!$account) { + $account = user_load(array('name' => $name, 'status' => 1)); +@@ -1116,6 +1132,11 @@ function user_pass_reset($uid, $timestam + $current = time(); + // Some redundant checks for extra security ? + if ($timestamp < $current && $account = user_load(array('uid' => $uid, 'status' => 1)) ) { ++ // Deny one-time login to blocked accounts. ++ if (drupal_is_denied('user', $account->name) || drupal_is_denied('mail', $account->mail)) { ++ drupal_set_message(t('You have tried to use a one-time login for an account which has been blocked.'), 'error'); ++ drupal_goto(); ++ } + // No time out for first time login. + if ($account->login && $current - $timestamp > $timeout) { + drupal_set_message(t('You have tried to use a one-time login link that has expired. Please request a new one using the form below.')); only in patch2: unchanged: --- drupal5-5.7.orig/debian/patches/20_SA-CORE-2009-007.dpatch +++ drupal5-5.7/debian/patches/20_SA-CORE-2009-007.dpatch 
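Review bot: In `blogapi_mt_validate_terms()` the error for single-term vocabularies passes the placeholder array to `blogapi_error()` instead of `t()`, so `@vocabulary_name` is never substituted and the message reaches the client with the raw placeholder: `return blogapi_error(t('You may only choose one category from the @vocabulary_name vocabulary.'), array('@vocabulary_name' => $vocabulary->name));` should read `return blogapi_error(t('You may only choose one category from the @vocabulary_name vocabulary.', array('@vocabulary_name' => $vocabulary->name)));`, matching the `required` check a few lines above. Separately, the new early exit in `blogapi_mt_publish_post()` is a bare `return;` while every other exit of that function returns `TRUE` or a `blogapi_error()`; `return TRUE;` keeps the XML-RPC result consistent for the already-published case. `blogapi_mt_publish_post()` starts outside its hunk.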
@@ -0,0 +1,51 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 20_SA-CORE-2009-007.dpatch by Nico Golde
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: fix password leakage in URL
+##
+## Ubuntu: https://bugs.launchpad.net/bugs/431080
+## Upstream: http://drupal.org/node/507572
+## Patch: http://drupal.org/files/sa-core-2009-007/SA-CORE-2009-007-5.18.patch
+
+@DPATCH@
+
+diff -urNad drupal5-5.18~/includes/pager.inc drupal5-5.18/includes/pager.inc
+--- drupal5-5.18~/includes/pager.inc 2006-10-15 21:57:05.000000000 +0200
++++ drupal5-5.18/includes/pager.inc 2009-07-06 20:21:30.000000000 +0200
+@@ -85,7 +85,7 @@
+ function pager_get_querystring() {
+ static $string = NULL;
+ if (!isset($string)) {
+- $string = drupal_query_string_encode($_REQUEST, array_merge(array('q', 'page'), array_keys($_COOKIE)));
++ $string = drupal_query_string_encode($_REQUEST, array_merge(array('q', 'page', 'pass'), array_keys($_COOKIE)));
+ }
+ return $string;
+ }
+diff -urNad drupal5-5.18~/includes/tablesort.inc drupal5-5.18/includes/tablesort.inc
+--- drupal5-5.18~/includes/tablesort.inc 2007-06-17 00:29:25.000000000 +0200
++++ drupal5-5.18/includes/tablesort.inc 2009-07-06 20:21:30.000000000 +0200
+@@ -131,7 +131,7 @@
+ * except for those pertaining to table sorting.
+ */
+ function tablesort_get_querystring() {
+- return drupal_query_string_encode($_REQUEST, array_merge(array('q', 'sort', 'order'), array_keys($_COOKIE)));
++ return drupal_query_string_encode($_REQUEST, array_merge(array('q', 'sort', 'order', 'pass'), array_keys($_COOKIE)));
+ }
+
+ /**
+diff -urNad drupal5-5.18~/modules/forum/forum.module drupal5-5.18/modules/forum/forum.module
+--- drupal5-5.18~/modules/forum/forum.module 2009-04-29 20:53:38.000000000 +0200
++++ drupal5-5.18/modules/forum/forum.module 2009-07-06 20:21:30.000000000 +0200
+@@ -833,6 +833,11 @@
+ * Menu callback; prints a forum listing.
+ */
+ function forum_page($tid = 0) {
++ if (!is_numeric($tid)) {
++ return MENU_NOT_FOUND;
++ }
++ $tid = (int)$tid;
++
+ drupal_add_css(drupal_get_path('module', 'forum') .'/forum.css');
+ $forum_per_page = variable_get('forum_per_page', 25);
+ $sortby = variable_get('forum_order', 1);
only in patch2: unchanged:
--- drupal5-5.7.orig/debian/patches/21_SA-CORE-2009-008.dpatch
+++ drupal5-5.7/debian/patches/21_SA-CORE-2009-008.dpatch
@@ -0,0 +1,24 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 21_SA-CORE-2009-008.dpatch by Artur Rona
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix a critical security vulnerability.
+##
+## Ubuntu: https://bugs.launchpad.net/bugs/431080
+## Upstream: http://drupal.org/node/579482
+## Patch: http://drupal.org/files/sa-core-2009-008/SA-CORE-2009-008-5.19.patch
+
+@DPATCH@
+
+diff -ruN -x '*~' drupal-5.18.orig/modules/user/user.module drupal-5.18/modules/user/user.module
+--- drupal-5.18.orig/modules/user/user.module 2008-10-08 22:10:26.000000000 +0200
++++ drupal-5.18/modules/user/user.module 2009-10-06 22:25:26.000000000 +0200
+@@ -1149,6 +1149,8 @@
+ $user = $account;
+ // And proceed with normal login, going to user page.
+ $edit = array();
++ // Regenerate the session ID to prevent against session fixation attacks.
++ sess_regenerate();
+ user_module_invoke('login', $edit, $user);
+ drupal_set_message(t('You have just used your one-time login link. It is no longer necessary to use this link to login. Please change your password.'));
+ drupal_goto('user/'. $user->uid .'/edit');
only in patch2: unchanged:
--- drupal5-5.7.orig/debian/patches/16_SA-2008-073.dpatch
+++ drupal5-5.7/debian/patches/16_SA-2008-073.dpatch
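Review bot: The `'pass'` exclusion is added verbatim to both `pager_get_querystring()` and `tablesort_get_querystring()` with no comment saying why that key is dropped, so a reader editing one list has nothing telling them to keep the other in step. Add above each call `// Never carry the login form's password field into generated pager/sort URLs.`, or hoist the shared exclusion into one array both functions merge. This remains a deny-list: any other sensitive `$_REQUEST` key would still be echoed into links, and whether such keys exist in this release cannot be determined from the hunk. In `forum_page()`, `is_numeric()` also admits floats and exponent notation before the `(int)` cast; `ctype_digit((string) $tid)` would accept only the plain integer ids a menu path carries.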
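Review bot: The new comment `// Regenerate the session ID to prevent against session fixation attacks.` reads awkwardly; `// Regenerate the session ID to protect against session fixation.` says the same thing. The call sits after `$user = $account;` and before `user_module_invoke('login', ...)`, which is the appropriate point for the one-time login path. The function enclosing this hunk starts and ends outside it, and whether the regular login submit path in this release performs the same regeneration cannot be seen here.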
@@ -0,0 +1,89 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 16_SA-2008-073.dpatch by Artur Rona +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Multiple vulnerabilities and weaknesses were discovered in Drupal. +## +## Ubuntu: https://bugs.launchpad.net/bugs/431080 +## Upstream: http://drupal.org/node/345441 +## Patch: http://drupal.org/files/sa-2008-073/SA-2008-073-5.12.patch + +@DPATCH@ + +diff -pruN -x '*~' drupal-5.10.orig/modules/filter/filter.module drupal-5.10/modules/filter/filter.module +--- drupal-5.10.orig/modules/filter/filter.module 2008-08-14 01:59:09.000000000 +0200 ++++ drupal-5.10/modules/filter/filter.module 2009-10-31 17:34:40.000000000 +0100 +@@ -709,13 +709,20 @@ function filter_list_format($format) { + static $filters = array(); + + if (!isset($filters[$format])) { +- $filters[$format] = array(); + $result = db_query("SELECT * FROM {filters} WHERE format = %d ORDER BY weight ASC", $format); +- while ($filter = db_fetch_object($result)) { +- $list = module_invoke($filter->module, 'filter', 'list'); +- if (isset($list) && is_array($list) && isset($list[$filter->delta])) { +- $filter->name = $list[$filter->delta]; +- $filters[$format][$filter->module .'/'. $filter->delta] = $filter; ++ if (db_num_rows($result) == 0 && !db_result(db_query("SELECT 1 FROM {filter_formats} WHERE format = %d", $format))) { ++ // The format has no filters and does not exist, use the default input ++ // format. ++ $filters[$format] = filter_list_format(variable_get('filter_default_format', 1)); ++ } ++ else { ++ $filters[$format] = array(); ++ while ($filter = db_fetch_object($result)) { ++ $list = module_invoke($filter->module, 'filter', 'list'); ++ if (isset($list) && is_array($list) && isset($list[$filter->delta])) { ++ $filter->name = $list[$filter->delta]; ++ $filters[$format][$filter->module .'/'. 
$filter->delta] = $filter; ++ } + } + } + } +diff -pruN -x '*~' drupal-5.10.orig/update.php drupal-5.10/update.php +--- drupal-5.10.orig/update.php 2007-04-08 02:54:04.000000000 +0200 ++++ drupal-5.10/update.php 2009-10-31 17:47:33.000000000 +0100 +@@ -562,10 +562,11 @@ function update_finished_page($success) + + function update_info_page() { + drupal_set_title('Drupal database update'); ++ $link = 'update.php?op=selection&token='. drupal_get_token('update'); + $output = "
    \n"; + $output .= "
  1. Use this script to upgrade an existing Drupal installation. You don't need this script when installing Drupal from scratch.
  2. "; + $output .= "
  3. Before doing anything, backup your database. This process will change your database and its values, and some things might get lost.
  4. \n"; +- $output .= "
  5. Update your Drupal sources, check the notes below and run the database upgrade script. Don't upgrade your database twice as it may cause problems.
  6. \n"; ++ $output .= "
  7. Update your Drupal sources, check the notes below and run the database upgrade script. Don't upgrade your database twice as it may cause problems.
  8. \n"; + $output .= "
  9. Go through the various administration pages to change the existing and new settings to your liking.
  10. \n"; + $output .= "
"; + $output .= '

For more help, see the Installation and upgrading handbook. If you are unsure what these terms mean you should probably contact your hosting provider.

'; +@@ -793,9 +794,6 @@ if (($access_check == FALSE) || ($user-> + + $op = isset($_REQUEST['op']) ? $_REQUEST['op'] : ''; + switch ($op) { +- case 'Update': +- $output = update_update_page(); +- break; + + case 'finished': + $output = update_finished_page(TRUE); +@@ -813,9 +811,18 @@ if (($access_check == FALSE) || ($user-> + $output = update_progress_page_nojs(); + break; + ++ case 'Update': ++ if ($_GET['token'] == drupal_get_token('update')) { ++ $output = update_update_page(); ++ break; ++ } ++ // If the token did not match we just display the default page. + case 'selection': +- $output = update_selection_page(); +- break; ++ if ($_GET['token'] == drupal_get_token('update')) { ++ $output = update_selection_page(); ++ break; ++ } ++ // If the token did not match we just display the default page. + + default: + $output = update_info_page(); only in patch2: unchanged: --- drupal5-5.7.orig/debian/patches/19_SA-CORE-2009-006.dpatch +++ drupal5-5.7/debian/patches/19_SA-CORE-2009-006.dpatch 
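Review bot: The fallback in `filter_list_format()` recurses with `variable_get('filter_default_format', 1)`, but nothing stops that recursion when the default format is itself absent from `{filter_formats}`: the static cache entry is written only after the recursive call returns, so `filter_list_format($default)` takes the same branch and recurses without bound. Guard it, e.g. `$default = variable_get('filter_default_format', 1);` followed by `$filters[$format] = ($format != $default) ? filter_list_format($default) : array();`. In the update.php hunk, `$_GET['token'] == drupal_get_token('update')` reads an index that may be missing and compares loosely; `isset($_GET['token']) && $_GET['token'] === drupal_get_token('update')` in both the 'Update' and 'selection' cases is the stricter form. The closing lines of `filter_list_format()` lie outside its hunk.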
@@ -0,0 +1,56 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 19_SA-CORE-2009-006.dpatch by Artur Rona +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Cross site scripting. +## +## Ubuntu: https://bugs.launchpad.net/bugs/431080 +## Upstream: http://drupal.org/node/461886 +## Patch: http://drupal.org/files/sa-core-2009-006/SA-CORE-2009-006-5.17.patch + +@DPATCH@ + +diff -pruN -x '*~' drupal-5.15.orig/modules/book/book.module drupal-5.15/modules/book/book.module +--- drupal-5.15.orig/modules/book/book.module 2007-02-14 05:30:33.000000000 +0100 ++++ drupal-5.15/modules/book/book.module 2009-10-23 19:31:57.000000000 +0200 +@@ -702,8 +702,9 @@ function theme_book_export_html($title, + global $base_url; + $html = "\n"; + $html .= ''; +- $html .= "\n". $title ."\n"; ++ $html .= "\n\n"; + $html .= ''; ++ $html .= "\n". $title ."\n"; + $html .= '' . "\n"; + $html .= "\n"; + $html .= "\n\n". $content ."\n\n\n"; +diff -pruN -x '*~' drupal-5.15.orig/modules/taxonomy/taxonomy.module drupal-5.15/modules/taxonomy/taxonomy.module +--- drupal-5.15.orig/modules/taxonomy/taxonomy.module 2008-07-06 02:50:44.000000000 +0200 ++++ drupal-5.15/modules/taxonomy/taxonomy.module 2009-10-23 19:34:20.000000000 +0200 +@@ -621,7 +621,7 @@ function taxonomy_term_confirm_delete_su + */ + function taxonomy_form($vid, $value = 0, $help = NULL, $name = 'taxonomy') { + $vocabulary = taxonomy_get_vocabulary($vid); +- $help = ($help) ? $help : $vocabulary->help; ++ $help = ($help) ? $help : filter_xss_admin($vocabulary->help); + + if (!$vocabulary->multiple) { + $blank = ($vocabulary->required) ? t('- Please choose -') : t('- None selected -'); +@@ -718,7 +718,7 @@ function taxonomy_form_alter($form_id, & + $typed_string = implode(', ', $typed_terms) . (array_key_exists('tags', $terms) ? 
$terms['tags'][$vocabulary->vid] : NULL); + + if ($vocabulary->help) { +- $help = $vocabulary->help; ++ $help = filter_xss_admin($vocabulary->help); + } + else { + $help = t('A comma-separated list of terms describing this content. Example: funny, bungee jumping, "Company, Inc.".'); +@@ -741,7 +741,7 @@ function taxonomy_form_alter($form_id, & + $default_terms[$term->tid] = $term; + } + } +- $form['taxonomy'][$vocabulary->vid] = taxonomy_form($vocabulary->vid, array_keys($default_terms), $vocabulary->help); ++ $form['taxonomy'][$vocabulary->vid] = taxonomy_form($vocabulary->vid, array_keys($default_terms), filter_xss_admin($vocabulary->help)); + $form['taxonomy'][$vocabulary->vid]['#weight'] = $vocabulary->weight; + $form['taxonomy'][$vocabulary->vid]['#required'] = $vocabulary->required; + } only in patch2: unchanged: --- drupal5-5.7.orig/debian/patches/22_SA-CORE-2009-009.dpatch +++ drupal5-5.7/debian/patches/22_SA-CORE-2009-009.dpatch 
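Review bot: `taxonomy_form()` now applies `filter_xss_admin()` only to the fallback `$vocabulary->help`; a caller-supplied `$help` is rendered as-is, and the `taxonomy_form_alter()` hunk relies on exactly that by passing `filter_xss_admin($vocabulary->help)` itself. That contract is not written down anywhere in the hunk: the docblock of `taxonomy_form()` (outside the hunk) should state it, e.g. `@param $help Optional help text; must already be safe markup (e.g. filtered with filter_xss_admin()), as it is output unescaped.` The truthiness test `($help) ? $help : ...` also treats `'0'` as absent; since the parameter defaults to `NULL`, `isset($help)` is the precise check, though this is a minor point.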
@@ -0,0 +1,24 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 22_SA-CORE-2009-009.dpatch by Artur Rona
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Multiple vulnerabilities and weaknesses were discovered in Drupal.
+##
+## Ubuntu: https://bugs.launchpad.net/bugs/431080
+## Upstream: http://drupal.org/node/661586
+## Patch: http://drupal.org/files/sa-core-2009-009/SA-CORE-2009-009-5.20.patch
+
+@DPATCH@
+
+diff -pruN -x '*~' drupal-5.10.orig/modules/contact/contact.module drupal-5.10/modules/contact/contact.module
+--- drupal-5.10.orig/modules/contact/contact.module 2007-06-05 09:18:05.000000000 +0200
++++ drupal-5.10/modules/contact/contact.module 2009-12-20 22:08:32.000000000 +0100
+@@ -145,7 +145,7 @@ function contact_admin_categories() {
+ $result = db_query('SELECT cid, category, recipients, selected FROM {contact} ORDER BY weight, category');
+ $rows = array();
+ while ($category = db_fetch_object($result)) {
+- $rows[] = array($category->category, $category->recipients, ($category->selected ? t('Yes') : t('No')), l(t('edit'), 'admin/build/contact/edit/'. $category->cid), l(t('delete'), 'admin/build/contact/delete/'. $category->cid));
++ $rows[] = array(check_plain($category->category), check_plain($category->recipients), ($category->selected ? t('Yes') : t('No')), l(t('edit'), 'admin/build/contact/edit/'. $category->cid), l(t('delete'), 'admin/build/contact/delete/'. $category->cid));
+ }
+ $header = array(t('Category'), t('Recipients'), t('Selected'), array('data' => t('Operations'), 'colspan' => 2));
+
only in patch2: unchanged:
--- drupal5-5.7.orig/debian/patches/13_SA-2008-047.dpatch
+++ drupal5-5.7/debian/patches/13_SA-2008-047.dpatch
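Review bot: The escaping added in `contact_admin_categories()` has no comment explaining why `category` and `recipients` are wrapped in `check_plain()` while `cid` is concatenated into the `l()` paths untouched; add above the row `// category and recipients are administrator-entered free text and reach the table cells unescaped; cid is an integer key.` Whether other places in contact.module output `$category->category` without escaping (the category select on the contact form, for instance) is outside this hunk. The enclosing function continues past the hunk.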
@@ -0,0 +1,751 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 13_SA-2008-047.dpatch by Artur Rona
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Multiple vulnerabilities and weaknesses were discovered in Drupal.
+##
+## Ubuntu: https://bugs.launchpad.net/bugs/431080
+## Upstream: http://drupal.org/node/295053
+## Patch: http://drupal.org/files/sa-2008-047/SA-2008-047-5.9.patch
+
+@DPATCH@
+
+diff -pruN -x '*~' drupal-5.7.orig/includes/file.inc drupal-5.7/includes/file.inc
+--- drupal-5.7.orig/includes/file.inc 2008-01-07 02:00:22.000000000 +0100
++++ drupal-5.7/includes/file.inc 2010-01-30 20:02:49.000000000 +0100
+@@ -227,7 +227,7 @@ function file_check_upload($source = 'up
+ // requires an absolute path, so we use realpath().
+ $file->filepath = tempnam(realpath(file_directory_temp()), 'tmp_');
+
+- $file->filemime = $_FILES["files"]["type"][$source];
++ $file->filemime = file_get_mimetype($file->filename);
+
+ // Rename potentially executable files, to help prevent exploits.
+ if (preg_match('/\.(php|pl|py|cgi|asp|js)$/i', $file->filename) && (substr($file->filename, -4) != '.txt')) {
+@@ -734,3 +734,375 @@ function file_upload_max_size() {
+ }
+ return $max_size;
+ }
++
++/**
++ * Determine an Internet Media Type, or MIME type from a filename.
++ *
++ * @param $filename
++ * Name of the file, including extension.
++ * @param $mapping
++ * An optional array of extension to media type mappings in the form
++ * 'extension1|extension2|...' => 'type'.
++ *
++ * @return
++ * The internet media type registered for the extension or application/octet-stream for unknown extensions.
++ */ ++function file_get_mimetype($filename, $mapping = NULL) { ++ if (!is_array($mapping)) { ++ $mapping = variable_get('mime_extension_mapping', array( ++ 'ez' => 'application/andrew-inset', ++ 'atom' => 'application/atom', ++ 'atomcat' => 'application/atomcat+xml', ++ 'atomsrv' => 'application/atomserv+xml', ++ 'cap|pcap' => 'application/cap', ++ 'cu' => 'application/cu-seeme', ++ 'tsp' => 'application/dsptype', ++ 'spl' => 'application/x-futuresplash', ++ 'hta' => 'application/hta', ++ 'jar' => 'application/java-archive', ++ 'ser' => 'application/java-serialized-object', ++ 'class' => 'application/java-vm', ++ 'hqx' => 'application/mac-binhex40', ++ 'cpt' => 'image/x-corelphotopaint', ++ 'nb' => 'application/mathematica', ++ 'mdb' => 'application/msaccess', ++ 'doc|dot' => 'application/msword', ++ 'bin' => 'application/octet-stream', ++ 'oda' => 'application/oda', ++ 'ogg|ogx' => 'application/ogg', ++ 'pdf' => 'application/pdf', ++ 'key' => 'application/pgp-keys', ++ 'pgp' => 'application/pgp-signature', ++ 'prf' => 'application/pics-rules', ++ 'ps|ai|eps' => 'application/postscript', ++ 'rar' => 'application/rar', ++ 'rdf' => 'application/rdf+xml', ++ 'rss' => 'application/rss+xml', ++ 'rtf' => 'application/rtf', ++ 'smi|smil' => 'application/smil', ++ 'wpd' => 'application/wordperfect', ++ 'wp5' => 'application/wordperfect5.1', ++ 'xhtml|xht' => 'application/xhtml+xml', ++ 'xml|xsl' => 'application/xml', ++ 'zip' => 'application/zip', ++ 'cdy' => 'application/vnd.cinderella', ++ 'kml' => 'application/vnd.google-earth.kml+xml', ++ 'kmz' => 'application/vnd.google-earth.kmz', ++ 'xul' => 'application/vnd.mozilla.xul+xml', ++ 'xls|xlb|xlt' => 'application/vnd.ms-excel', ++ 'cat' => 'application/vnd.ms-pki.seccat', ++ 'stl' => 'application/vnd.ms-pki.stl', ++ 'ppt|pps' => 'application/vnd.ms-powerpoint', ++ 'odc' => 'application/vnd.oasis.opendocument.chart', ++ 'odb' => 'application/vnd.oasis.opendocument.database', ++ 'odf' => 
'application/vnd.oasis.opendocument.formula', ++ 'odg' => 'application/vnd.oasis.opendocument.graphics', ++ 'otg' => 'application/vnd.oasis.opendocument.graphics-template', ++ 'odi' => 'application/vnd.oasis.opendocument.image', ++ 'odp' => 'application/vnd.oasis.opendocument.presentation', ++ 'otp' => 'application/vnd.oasis.opendocument.presentation-template', ++ 'ods' => 'application/vnd.oasis.opendocument.spreadsheet', ++ 'ots' => 'application/vnd.oasis.opendocument.spreadsheet-template', ++ 'odt' => 'application/vnd.oasis.opendocument.text', ++ 'odm' => 'application/vnd.oasis.opendocument.text-master', ++ 'ott' => 'application/vnd.oasis.opendocument.text-template', ++ 'oth' => 'application/vnd.oasis.opendocument.text-web', ++ 'docm' => 'application/vnd.ms-word.document.macroEnabled.12', ++ 'docx' => 'application/vnd.openxmlformats-officedocument.wordprocessingml.document', ++ 'dotm' => 'application/vnd.ms-word.template.macroEnabled.12', ++ 'dotx' => 'application/vnd.openxmlformats-officedocument.wordprocessingml.template', ++ 'potm' => 'application/vnd.ms-powerpoint.template.macroEnabled.12', ++ 'potx' => 'application/vnd.openxmlformats-officedocument.presentationml.template', ++ 'ppam' => 'application/vnd.ms-powerpoint.addin.macroEnabled.12', ++ 'ppsm' => 'application/vnd.ms-powerpoint.slideshow.macroEnabled.12', ++ 'ppsx' => 'application/vnd.openxmlformats-officedocument.presentationml.slideshow', ++ 'pptm' => 'application/vnd.ms-powerpoint.presentation.macroEnabled.12', ++ 'pptx' => 'application/vnd.openxmlformats-officedocument.presentationml.presentation', ++ 'xlam' => 'application/vnd.ms-excel.addin.macroEnabled.12', ++ 'xlsb' => 'application/vnd.ms-excel.sheet.binary.macroEnabled.12', ++ 'xlsm' => 'application/vnd.ms-excel.sheet.macroEnabled.12', ++ 'xlsx' => 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet', ++ 'xltm' => 'application/vnd.ms-excel.template.macroEnabled.12', ++ 'xltx' => 
'application/vnd.openxmlformats-officedocument.spreadsheetml.template', ++ 'cod' => 'application/vnd.rim.cod', ++ 'mmf' => 'application/vnd.smaf', ++ 'sdc' => 'application/vnd.stardivision.calc', ++ 'sds' => 'application/vnd.stardivision.chart', ++ 'sda' => 'application/vnd.stardivision.draw', ++ 'sdd' => 'application/vnd.stardivision.impress', ++ 'sdf' => 'application/vnd.stardivision.math', ++ 'sdw' => 'application/vnd.stardivision.writer', ++ 'sgl' => 'application/vnd.stardivision.writer-global', ++ 'sxc' => 'application/vnd.sun.xml.calc', ++ 'stc' => 'application/vnd.sun.xml.calc.template', ++ 'sxd' => 'application/vnd.sun.xml.draw', ++ 'std' => 'application/vnd.sun.xml.draw.template', ++ 'sxi' => 'application/vnd.sun.xml.impress', ++ 'sti' => 'application/vnd.sun.xml.impress.template', ++ 'sxm' => 'application/vnd.sun.xml.math', ++ 'sxw' => 'application/vnd.sun.xml.writer', ++ 'sxg' => 'application/vnd.sun.xml.writer.global', ++ 'stw' => 'application/vnd.sun.xml.writer.template', ++ 'sis' => 'application/vnd.symbian.install', ++ 'vsd' => 'application/vnd.visio', ++ 'wbxml' => 'application/vnd.wap.wbxml', ++ 'wmlc' => 'application/vnd.wap.wmlc', ++ 'wmlsc' => 'application/vnd.wap.wmlscriptc', ++ 'wk' => 'application/x-123', ++ '7z' => 'application/x-7z-compressed', ++ 'abw' => 'application/x-abiword', ++ 'dmg' => 'application/x-apple-diskimage', ++ 'bcpio' => 'application/x-bcpio', ++ 'torrent' => 'application/x-bittorrent', ++ 'cab' => 'application/x-cab', ++ 'cbr' => 'application/x-cbr', ++ 'cbz' => 'application/x-cbz', ++ 'cdf' => 'application/x-cdf', ++ 'vcd' => 'application/x-cdlink', ++ 'pgn' => 'application/x-chess-pgn', ++ 'cpio' => 'application/x-cpio', ++ 'csh' => 'text/x-csh', ++ 'deb|udeb' => 'application/x-debian-package', ++ 'dcr|dir|dxr' => 'application/x-director', ++ 'dms' => 'application/x-dms', ++ 'wad' => 'application/x-doom', ++ 'dvi' => 'application/x-dvi', ++ 'rhtml' => 'application/x-httpd-eruby', ++ 'flac' => 'application/x-flac', ++ 
'pfa|pfb|gsf|pcf|pcf.Z' => 'application/x-font', ++ 'mm' => 'application/x-freemind', ++ 'gnumeric' => 'application/x-gnumeric', ++ 'sgf' => 'application/x-go-sgf', ++ 'gcf' => 'application/x-graphing-calculator', ++ 'gtar|tgz|taz' => 'application/x-gtar', ++ 'hdf' => 'application/x-hdf', ++ 'phtml|pht|php' => 'application/x-httpd-php', ++ 'phps' => 'application/x-httpd-php-source', ++ 'php3' => 'application/x-httpd-php3', ++ 'php3p' => 'application/x-httpd-php3-preprocessed', ++ 'php4' => 'application/x-httpd-php4', ++ 'ica' => 'application/x-ica', ++ 'ins|isp' => 'application/x-internet-signup', ++ 'iii' => 'application/x-iphone', ++ 'iso' => 'application/x-iso9660-image', ++ 'jnlp' => 'application/x-java-jnlp-file', ++ 'js' => 'application/x-javascript', ++ 'jmz' => 'application/x-jmol', ++ 'chrt' => 'application/x-kchart', ++ 'kil' => 'application/x-killustrator', ++ 'skp|skd|skt|skm' => 'application/x-koan', ++ 'kpr|kpt' => 'application/x-kpresenter', ++ 'ksp' => 'application/x-kspread', ++ 'kwd|kwt' => 'application/x-kword', ++ 'latex' => 'application/x-latex', ++ 'lha' => 'application/x-lha', ++ 'lyx' => 'application/x-lyx', ++ 'lzh' => 'application/x-lzh', ++ 'lzx' => 'application/x-lzx', ++ 'frm|maker|frame|fm|fb|book|fbdoc' => 'application/x-maker', ++ 'mif' => 'application/x-mif', ++ 'wmd' => 'application/x-ms-wmd', ++ 'wmz' => 'application/x-ms-wmz', ++ 'com|exe|bat|dll' => 'application/x-msdos-program', ++ 'msi' => 'application/x-msi', ++ 'nc' => 'application/x-netcdf', ++ 'pac' => 'application/x-ns-proxy-autoconfig', ++ 'nwc' => 'application/x-nwc', ++ 'o' => 'application/x-object', ++ 'oza' => 'application/x-oz-application', ++ 'p7r' => 'application/x-pkcs7-certreqresp', ++ 'crl' => 'application/x-pkcs7-crl', ++ 'pyc|pyo' => 'application/x-python-code', ++ 'qtl' => 'application/x-quicktimeplayer', ++ 'rpm' => 'application/x-redhat-package-manager', ++ 'sh' => 'text/x-sh', ++ 'shar' => 'application/x-shar', ++ 'swf|swfl' => 
'application/x-shockwave-flash', ++ 'sit|sitx' => 'application/x-stuffit', ++ 'sv4cpio' => 'application/x-sv4cpio', ++ 'sv4crc' => 'application/x-sv4crc', ++ 'tar' => 'application/x-tar', ++ 'tcl' => 'application/x-tcl', ++ 'gf' => 'application/x-tex-gf', ++ 'pk' => 'application/x-tex-pk', ++ 'texinfo|texi' => 'application/x-texinfo', ++ '~|%|bak|old|sik' => 'application/x-trash', ++ 't|tr|roff' => 'application/x-troff', ++ 'man' => 'application/x-troff-man', ++ 'me' => 'application/x-troff-me', ++ 'ms' => 'application/x-troff-ms', ++ 'ustar' => 'application/x-ustar', ++ 'src' => 'application/x-wais-source', ++ 'wz' => 'application/x-wingz', ++ 'crt' => 'application/x-x509-ca-cert', ++ 'xcf' => 'application/x-xcf', ++ 'fig' => 'application/x-xfig', ++ 'xpi' => 'application/x-xpinstall', ++ 'au|snd' => 'audio/basic', ++ 'mid|midi|kar' => 'audio/midi', ++ 'mpga|mpega|mp2|mp3|m4a' => 'audio/mpeg', ++ 'm3u' => 'audio/x-mpegurl', ++ 'oga|spx' => 'audio/ogg', ++ 'sid' => 'audio/prs.sid', ++ 'aif|aiff|aifc' => 'audio/x-aiff', ++ 'gsm' => 'audio/x-gsm', ++ 'wma' => 'audio/x-ms-wma', ++ 'wax' => 'audio/x-ms-wax', ++ 'ra|rm|ram' => 'audio/x-pn-realaudio', ++ 'ra' => 'audio/x-realaudio', ++ 'pls' => 'audio/x-scpls', ++ 'sd2' => 'audio/x-sd2', ++ 'wav' => 'audio/x-wav', ++ 'alc' => 'chemical/x-alchemy', ++ 'cac|cache' => 'chemical/x-cache', ++ 'csf' => 'chemical/x-cache-csf', ++ 'cbin|cascii|ctab' => 'chemical/x-cactvs-binary', ++ 'cdx' => 'chemical/x-cdx', ++ 'cer' => 'chemical/x-cerius', ++ 'c3d' => 'chemical/x-chem3d', ++ 'chm' => 'chemical/x-chemdraw', ++ 'cif' => 'chemical/x-cif', ++ 'cmdf' => 'chemical/x-cmdf', ++ 'cml' => 'chemical/x-cml', ++ 'cpa' => 'chemical/x-compass', ++ 'bsd' => 'chemical/x-crossfire', ++ 'csml|csm' => 'chemical/x-csml', ++ 'ctx' => 'chemical/x-ctx', ++ 'cxf|cef' => 'chemical/x-cxf', ++ 'emb|embl' => 'chemical/x-embl-dl-nucleotide', ++ 'spc' => 'chemical/x-galactic-spc', ++ 'inp|gam|gamin' => 'chemical/x-gamess-input', ++ 'fch|fchk' => 
'chemical/x-gaussian-checkpoint', ++ 'cub' => 'chemical/x-gaussian-cube', ++ 'gau|gjc|gjf' => 'chemical/x-gaussian-input', ++ 'gal' => 'chemical/x-gaussian-log', ++ 'gcg' => 'chemical/x-gcg8-sequence', ++ 'gen' => 'chemical/x-genbank', ++ 'hin' => 'chemical/x-hin', ++ 'istr|ist' => 'chemical/x-isostar', ++ 'jdx|dx' => 'chemical/x-jcamp-dx', ++ 'kin' => 'chemical/x-kinemage', ++ 'mcm' => 'chemical/x-macmolecule', ++ 'mmd|mmod' => 'chemical/x-macromodel-input', ++ 'mol' => 'chemical/x-mdl-molfile', ++ 'rd' => 'chemical/x-mdl-rdfile', ++ 'rxn' => 'chemical/x-mdl-rxnfile', ++ 'sd|sdf' => 'chemical/x-mdl-sdfile', ++ 'tgf' => 'chemical/x-mdl-tgf', ++ 'mcif' => 'chemical/x-mmcif', ++ 'mol2' => 'chemical/x-mol2', ++ 'b' => 'chemical/x-molconn-Z', ++ 'gpt' => 'chemical/x-mopac-graph', ++ 'mop|mopcrt|mpc|dat|zmt' => 'chemical/x-mopac-input', ++ 'moo' => 'chemical/x-mopac-out', ++ 'mvb' => 'chemical/x-mopac-vib', ++ 'asn' => 'chemical/x-ncbi-asn1-spec', ++ 'prt|ent' => 'chemical/x-ncbi-asn1-ascii', ++ 'val|aso' => 'chemical/x-ncbi-asn1-binary', ++ 'pdb|ent' => 'chemical/x-pdb', ++ 'ros' => 'chemical/x-rosdal', ++ 'sw' => 'chemical/x-swissprot', ++ 'vms' => 'chemical/x-vamas-iso14976', ++ 'vmd' => 'chemical/x-vmd', ++ 'xtel' => 'chemical/x-xtel', ++ 'xyz' => 'chemical/x-xyz', ++ 'gif' => 'image/gif', ++ 'ief' => 'image/ief', ++ 'jpeg|jpg|jpe' => 'image/jpeg', ++ 'pcx' => 'image/pcx', ++ 'png' => 'image/png', ++ 'svg|svgz' => 'image/svg+xml', ++ 'tiff|tif' => 'image/tiff', ++ 'djvu|djv' => 'image/vnd.djvu', ++ 'wbmp' => 'image/vnd.wap.wbmp', ++ 'ras' => 'image/x-cmu-raster', ++ 'cdr' => 'image/x-coreldraw', ++ 'pat' => 'image/x-coreldrawpattern', ++ 'cdt' => 'image/x-coreldrawtemplate', ++ 'ico' => 'image/x-icon', ++ 'art' => 'image/x-jg', ++ 'jng' => 'image/x-jng', ++ 'bmp' => 'image/x-ms-bmp', ++ 'psd' => 'image/x-photoshop', ++ 'pnm' => 'image/x-portable-anymap', ++ 'pbm' => 'image/x-portable-bitmap', ++ 'pgm' => 'image/x-portable-graymap', ++ 'ppm' => 
'image/x-portable-pixmap', ++ 'rgb' => 'image/x-rgb', ++ 'xbm' => 'image/x-xbitmap', ++ 'xpm' => 'image/x-xpixmap', ++ 'xwd' => 'image/x-xwindowdump', ++ 'eml' => 'message/rfc822', ++ 'igs|iges' => 'model/iges', ++ 'msh|mesh|silo' => 'model/mesh', ++ 'wrl|vrml' => 'model/vrml', ++ 'ics|icz' => 'text/calendar', ++ 'css' => 'text/css', ++ 'csv' => 'text/csv', ++ '323' => 'text/h323', ++ 'html|htm|shtml' => 'text/html', ++ 'uls' => 'text/iuls', ++ 'mml' => 'text/mathml', ++ 'asc|txt|text|pot' => 'text/plain', ++ 'rtx' => 'text/richtext', ++ 'sct|wsc' => 'text/scriptlet', ++ 'tm|ts' => 'text/texmacs', ++ 'tsv' => 'text/tab-separated-values', ++ 'jad' => 'text/vnd.sun.j2me.app-descriptor', ++ 'wml' => 'text/vnd.wap.wml', ++ 'wmls' => 'text/vnd.wap.wmlscript', ++ 'bib' => 'text/x-bibtex', ++ 'boo' => 'text/x-boo', ++ 'h++|hpp|hxx|hh' => 'text/x-c++hdr', ++ 'c++|cpp|cxx|cc' => 'text/x-c++src', ++ 'h' => 'text/x-chdr', ++ 'htc' => 'text/x-component', ++ 'c' => 'text/x-csrc', ++ 'd' => 'text/x-dsrc', ++ 'diff|patch' => 'text/x-diff', ++ 'hs' => 'text/x-haskell', ++ 'java' => 'text/x-java', ++ 'lhs' => 'text/x-literate-haskell', ++ 'moc' => 'text/x-moc', ++ 'p|pas' => 'text/x-pascal', ++ 'gcd' => 'text/x-pcs-gcd', ++ 'pl|pm' => 'text/x-perl', ++ 'py' => 'text/x-python', ++ 'etx' => 'text/x-setext', ++ 'tcl|tk' => 'text/x-tcl', ++ 'tex|ltx|sty|cls' => 'text/x-tex', ++ 'vcs' => 'text/x-vcalendar', ++ 'vcf' => 'text/x-vcard', ++ '3gp' => 'video/3gpp', ++ 'dl' => 'video/dl', ++ 'dif|dv' => 'video/dv', ++ 'fli' => 'video/fli', ++ 'gl' => 'video/gl', ++ 'mpeg|mpg|mpe' => 'video/mpeg', ++ 'mp4' => 'video/mp4', ++ 'ogv' => 'video/ogg', ++ 'qt|mov' => 'video/quicktime', ++ 'mxu' => 'video/vnd.mpegurl', ++ 'lsf|lsx' => 'video/x-la-asf', ++ 'mng' => 'video/x-mng', ++ 'asf|asx' => 'video/x-ms-asf', ++ 'wm' => 'video/x-ms-wm', ++ 'wmv' => 'video/x-ms-wmv', ++ 'wmx' => 'video/x-ms-wmx', ++ 'wvx' => 'video/x-ms-wvx', ++ 'avi' => 'video/x-msvideo', ++ 'movie' => 'video/x-sgi-movie', ++ 
'ice' => 'x-conference/x-cooltalk', ++ 'sisx' => 'x-epoc/x-sisx-app', ++ 'vrm|vrml|wrl' => 'x-world/x-vrml', ++ 'xps' => 'application/vnd.ms-xpsdocument', ++ )); ++ } ++ foreach ($mapping as $ext_preg => $mime_match) { ++ if (preg_match('!\.('. $ext_preg .')$!i', $filename)) { ++ return $mime_match; ++ } ++ } ++ ++ return 'application/octet-stream'; ++} +diff -pruN -x '*~' drupal-5.7.orig/modules/blogapi/blogapi.install drupal-5.7/modules/blogapi/blogapi.install +--- drupal-5.7.orig/modules/blogapi/blogapi.install 2010-01-30 17:43:40.000000000 +0100 ++++ drupal-5.7/modules/blogapi/blogapi.install 2010-01-30 20:08:22.000000000 +0100 +@@ -0,0 +1,90 @@ ++roles); ++ ++ foreach ($roles as $rid => $name) { ++ $extensions .= ' '. strtolower(variable_get("blogapi_extensions_$rid", variable_get('blogapi_extensions_default', 'jpg jpeg gif png txt doc xls pdf ppt pps odt ods odp'))); ++ $usersize= max($usersize, variable_get("blogapi_usersize_$rid", variable_get('blogapi_usersize_default', 1)) * 1024 * 1024); ++ $uploadsize = max($uploadsize, variable_get("blogapi_uploadsize_$rid", variable_get('blogapi_uploadsize_default', 1)) * 1024 * 1024); ++ } ++ ++ $filesize = strlen($file['bits']); ++ ++ if ($filesize > $uploadsize) { ++ return blogapi_error(t('It is not possible to upload the file, because it exceeded the maximum filesize of @maxsize.', array('@maxsize' => format_size($uploadsize)))); ++ } ++ ++ if (_blogapi_space_used($user->uid) + $filesize > $usersize) { ++ return blogapi_error(t('The file can not be attached to this post, because the disk quota of @quota has been reached.', array('@quota' => format_size($usersize)))); ++ } ++ ++ // Only allow files with whitelisted extensions and convert remaining dots to ++ // underscores to prevent attacks via non-terminal executable extensions with ++ // files such as exploit.php.jpg. 
++ ++ $whitelist = array_unique(explode(' ', trim($extensions))); ++ + $name = basename($file['name']); ++ ++ if ($extension_position = strrpos($name, '.')) { ++ $filename = drupal_substr($name, 0, $extension_position); ++ $final_extension = drupal_substr($name, $extension_position + 1); ++ ++ if (!in_array(strtolower($final_extension), $whitelist)) { ++ return blogapi_error(t('It is not possible to upload the file, because it is only possible to upload files with the following extensions: @extensions', array('@extensions' => implode(' ', $whitelist)))); ++ } ++ ++ $filename = str_replace('.', '_', $filename); ++ $filename .= '.'. $final_extension; ++ } ++ + $data = $file['bits']; + + if (!$data) { + return blogapi_error(t('No file sent.')); + } + +- if (!$file = file_save_data($data, $name)) { ++ if (!$file = file_save_data($data, $filename)) { + return blogapi_error(t('Error storing file.')); + } + ++ db_query("INSERT INTO {blogapi_files} (uid, filepath, filesize) VALUES (%d, '%s', %d)", $user->uid, $file, $filesize); ++ + // Return the successful result. + return array('url' => file_create_url($file), 'struct'); + } ++ + /** + * Blogging API callback. Returns a list of the taxonomy terms that can be + * associated with a blog node. +@@ -548,6 +591,82 @@ function blogapi_admin_settings() { + '#description' => t('Select the content types for which you wish to enable posting via blogapi. 
Each type will appear as a different "blog" in the client application (if supported).') + ); + ++ $blogapi_extensions_default = variable_get('blogapi_extensions_default', 'jpg jpeg gif png txt doc xls pdf ppt pps odt ods odp'); ++ $blogapi_uploadsize_default = variable_get('blogapi_uploadsize_default', 1); ++ $blogapi_usersize_default = variable_get('blogapi_usersize_default', 1); ++ ++ $form['settings_general'] = array( ++ '#type' => 'fieldset', ++ '#title' => t('File settings'), ++ '#collapsible' => TRUE, ++ ); ++ ++ $form['settings_general']['blogapi_extensions_default'] = array( ++ '#type' => 'textfield', ++ '#title' => t('Default permitted file extensions'), ++ '#default_value' => $blogapi_extensions_default, ++ '#maxlength' => 255, ++ '#description' => t('Default extensions that users can upload. Separate extensions with a space and do not include the leading dot.'), ++ ); ++ ++ $form['settings_general']['blogapi_uploadsize_default'] = array( ++ '#type' => 'textfield', ++ '#title' => t('Default maximum file size per upload'), ++ '#default_value' => $blogapi_uploadsize_default, ++ '#size' => 5, ++ '#maxlength' => 5, ++ '#description' => t('The default maximum file size a user can upload.'), ++ '#field_suffix' => t('MB') ++ ); ++ ++ $form['settings_general']['blogapi_usersize_default'] = array( ++ '#type' => 'textfield', ++ '#title' => t('Default total file size per user'), ++ '#default_value' => $blogapi_usersize_default, ++ '#size' => 5, ++ '#maxlength' => 5, ++ '#description' => t('The default maximum size of all files a user can have on the site.'), ++ '#field_suffix' => t('MB') ++ ); ++ ++ $form['settings_general']['upload_max_size'] = array('#value' => '

'. t('Your PHP settings limit the maximum file size per upload to %size.', array('%size' => format_size(file_upload_max_size()))).'

'); ++ ++ $roles = user_roles(0, 'administer content with blog api'); ++ $form['roles'] = array('#type' => 'value', '#value' => $roles); ++ ++ foreach ($roles as $rid => $role) { ++ $form['settings_role_'. $rid] = array( ++ '#type' => 'fieldset', ++ '#title' => t('Settings for @role', array('@role' => $role)), ++ '#collapsible' => TRUE, ++ '#collapsed' => TRUE, ++ ); ++ $form['settings_role_'. $rid]['blogapi_extensions_'. $rid] = array( ++ '#type' => 'textfield', ++ '#title' => t('Permitted file extensions'), ++ '#default_value' => variable_get('blogapi_extensions_'. $rid, $blogapi_extensions_default), ++ '#maxlength' => 255, ++ '#description' => t('Extensions that users in this role can upload. Separate extensions with a space and do not include the leading dot.'), ++ ); ++ $form['settings_role_'. $rid]['blogapi_uploadsize_'. $rid] = array( ++ '#type' => 'textfield', ++ '#title' => t('Maximum file size per upload'), ++ '#default_value' => variable_get('blogapi_uploadsize_'. $rid, $blogapi_uploadsize_default), ++ '#size' => 5, ++ '#maxlength' => 5, ++ '#description' => t('The maximum size of a file a user can upload (in megabytes).'), ++ ); ++ $form['settings_role_'. $rid]['blogapi_usersize_'. $rid] = array( ++ '#type' => 'textfield', ++ '#title' => t('Total file size per user'), ++ '#default_value' => variable_get('blogapi_usersize_'. 
$rid, $blogapi_usersize_default),
++ '#size' => 5,
++ '#maxlength' => 5,
++ '#description' => t('The maximum size of all files a user can have on the site (in megabytes).'),
++ );
++ }
++
++
+ return system_settings_form($form);
+ }
+
+@@ -713,3 +832,6 @@ function _blogapi_get_node_types() {
+ return $types;
+ }
+
++function _blogapi_space_used($uid) {
++ return db_result(db_query('SELECT SUM(filesize) FROM {blogapi_files} f WHERE f.uid = %d', $uid));
++}
+diff -pruN -x '*~' drupal-5.7.orig/modules/filter/filter.module drupal-5.7/modules/filter/filter.module
+--- drupal-5.7.orig/modules/filter/filter.module 2008-01-22 09:43:34.000000000 +0100
++++ drupal-5.7/modules/filter/filter.module 2010-01-30 20:33:21.000000000 +0100
+@@ -1295,7 +1295,7 @@ function filter_xss($string, $allowed_ta
+ (
+ <(?=[^a-zA-Z!/]) # a lone <
+ | # or
+- <[^>]*.(>|$) # a string that starts with a <, up until the > or the end of the string
++ <[^>]*(>|$) # a string that starts with a <, up until the > or the end of the string
+ | # or
+ > # just a >
+ )%x', '_filter_xss_split', $string);
+diff -pruN -x '*~' drupal-5.7.orig/modules/user/user.module drupal-5.7/modules/user/user.module
+--- drupal-5.7.orig/modules/user/user.module 2008-01-07 03:30:35.000000000 +0100
++++ drupal-5.7/modules/user/user.module 2010-01-30 20:41:21.000000000 +0100
+@@ -1653,21 +1653,10 @@ function user_admin_access_check_submit(
+ * Menu callback: add an access rule
+ */
+ function user_admin_access_add($mask = NULL, $type = NULL) {
+- if ($edit = $_POST) {
+- if (!$edit['mask']) {
+- form_set_error('mask', t('You must enter a mask.'));
+- }
+- else {
+- $aid = db_next_id('{access}_aid');
+- db_query("INSERT INTO {access} (aid, mask, type, status) VALUES ('%s', '%s', '%s', %d)", $aid, $edit['mask'], $edit['type'], $edit['status']);
+- drupal_set_message(t('The access rule has been added.'));
+- drupal_goto('admin/user/rules');
+- }
+- }
+- else {
+- $edit['mask'] = $mask;
+- $edit['type'] = $type;
+- }
++ $edit = array();
++ $edit['aid'] = 0;
++ $edit['mask'] = $mask;
++ $edit['type'] = $type;
+ return drupal_get_form('user_admin_access_add_form', $edit, t('Add rule'));
+ }
+
+@@ -1699,23 +1688,16 @@ function user_admin_access_delete_confir
+ * Menu callback: edit an access rule
+ */
+ function user_admin_access_edit($aid = 0) {
+- if ($edit = $_POST) {
+- if (!$edit['mask']) {
+- form_set_error('mask', t('You must enter a mask.'));
+- }
+- else {
+- db_query("UPDATE {access} SET mask = '%s', type = '%s', status = '%s' WHERE aid = %d", $edit['mask'], $edit['type'], $edit['status'], $aid);
+- drupal_set_message(t('The access rule has been saved.'));
+- drupal_goto('admin/user/rules');
+- }
+- }
+- else {
+- $edit = db_fetch_array(db_query('SELECT aid, type, status, mask FROM {access} WHERE aid = %d', $aid));
+- }
++ $edit = db_fetch_array(db_query('SELECT aid, type, status, mask FROM {access} WHERE aid = %d', $aid));
+ return drupal_get_form('user_admin_access_edit_form', $edit, t('Save rule'));
+ }
+
+ function user_admin_access_form($edit, $submit) {
++ $form = array();
++ $form['aid'] = array(
++ '#type' => 'value',
++ '#value' => $edit['aid'],
++ );
+ $form['status'] = array(
+ '#type' => 'radios',
+ '#title' => t('Access type'),
+@@ -1739,11 +1721,27 @@ function user_admin_access_form($edit, $
+ '#required' => TRUE,
+ );
+ $form['submit'] = array('#type' => 'submit', '#value' => $submit);
++ $form['#base'] = 'user_admin_access_form';
+
+ return $form;
+ }
+
+ /**
++ * Submit callback for user_admin_access_form().
++ */
++function user_admin_access_form_submit($form_id, $form_values) {
++ if ($form_values['aid']) {
++ db_query("UPDATE {access} SET mask = '%s', type = '%s', status = '%s' WHERE aid = %d", $form_values['mask'], $form_values['type'], $form_values['status'], $form_values['aid']);
++ drupal_set_message(t('The access rule has been saved.'));
++ }
++ else {
++ db_query("INSERT INTO {access} (mask, type, status) VALUES ('%s', '%s', %d)", $form_values['mask'], $form_values['type'], $form_values['status']);
++ drupal_set_message(t('The access rule has been added.'));
++ }
++ return 'admin/user/rules';
++}
++
++/**
+ * Menu callback: list all access rules
+ */
+ function user_admin_access() {
only in patch2: unchanged:
--- drupal5-5.7.orig/debian/patches/17_SA-CORE-2009-001.dpatch
+++ drupal5-5.7/debian/patches/17_SA-CORE-2009-001.dpatch
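Review bot: In the blogapi upload part of this hunk, `$filename` is assigned only inside `if ($extension_position = strrpos($name, '.'))`, so a name with no dot — or whose only dot is at position 0, where strrpos returns the falsy 0 — skips the whitelist check entirely and reaches `file_save_data($data, $filename)` with `$filename` never set; an `else { return blogapi_error(t('It is not possible to upload the file, because it has no file extension.')); }` branch would reject such names the same way as any other non-whitelisted extension. The function containing that code begins before the visible part of the hunk. In `user_admin_access_form_submit` the UPDATE binds `status = '%s'` while the INSERT in the same function binds status with `%d`; the two should agree, presumably `status = %d`, since the insert treats the column as an integer. In `file_get_mimetype` the `$mapping` keys are spliced unquoted into the regex and scanned in array order, and several extensions occur under more than one key (`'sdf'` under `'sdf'` and `'sd|sdf'`, `'ent'` under `'prt|ent'` and `'pdb|ent'`, `'ra'` under `'ra|rm|ram'` and `'ra'`), so the first listed type silently wins; the `@param $mapping` doc should state `Keys are regular-expression alternations matched in array order; the first match wins.`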
@@ -0,0 +1,27 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 17_SA-CORE-2009-001.dpatch by Artur Rona
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Multiple vulnerabilities and weaknesses were discovered in Drupal.
+##
+## Ubuntu: https://bugs.launchpad.net/bugs/431080
+## Upstream: http://drupal.org/node/358957
+## Patch: http://drupal.org/files/sa-core-2009-001/SA-CORE-2009-001-5.14.patch
+
+@DPATCH@
+
+diff -pruN -x '*~' drupal-5.10.orig/modules/node/node.module drupal-5.10/modules/node/node.module
+--- drupal-5.10.orig/modules/node/node.module 2008-07-16 21:04:21.000000000 +0200
++++ drupal-5.10/modules/node/node.module 2009-10-30 16:33:20.000000000 +0100
+@@ -2745,6 +2745,11 @@ function node_search_validate($form_id,
+ function node_access($op, $node = NULL) {
+ global $user;
+
++ if (!$node || !in_array($op, array('view', 'update', 'delete', 'create'), TRUE)) {
++ // If there was no node to check against, or the $op was not one of the
++ // supported ones, we return access denied.
++ return FALSE;
++ }
+ // Convert the node to an object if necessary:
+ if ($op != 'create') {
+ $node = (object)$node;
only in patch2: unchanged:
--- drupal5-5.7.orig/debian/patches/15_SA-2008-067.dpatch
+++ drupal5-5.7/debian/patches/15_SA-2008-067.dpatch
@@ -0,0 +1,27 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 15_SA-2008-067.dpatch by Artur Rona
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Multiple vulnerabilities and weaknesses were discovered in Drupal.
+##
+## Ubuntu: https://bugs.launchpad.net/bugs/431080
+## Upstream: http://drupal.org/node/324824
+## Patch: http://drupal.org/files/sa-2008-067/SA-2008-067-5.11.patch
+
+@DPATCH@
+
+diff -pruN -x '*~' drupal-5.10.orig/includes/bootstrap.inc drupal-5.10/includes/bootstrap.inc
+--- drupal-5.10.orig/includes/bootstrap.inc 2008-01-10 23:14:24.000000000 +0100
++++ drupal-5.10/includes/bootstrap.inc 2009-11-05 19:01:41.000000000 +0100
+@@ -201,6 +201,11 @@ function conf_path() {
+
+ $confdir = 'sites';
+ $uri = explode('/', $_SERVER['SCRIPT_NAME'] ? $_SERVER['SCRIPT_NAME'] : $_SERVER['SCRIPT_FILENAME']);
++ if (strpos($_SERVER['HTTP_HOST'], '/') !== FALSE) {
++ // A HTTP_HOST containing slashes may be an attack and is invalid.
++ header('HTTP/1.1 400 Bad Request');
++ exit;
++ }
+ $server = explode('.', implode('.', array_reverse(explode(':', rtrim($_SERVER['HTTP_HOST'], '.')))));
+ for ($i = count($uri) - 1; $i > 0; $i--) {
+ for ($j = count($server); $j > 0; $j--) {
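Review bot: The new guard in `conf_path()` rejects only a literal `/` in `$_SERVER['HTTP_HOST']`, yet the value is split on `.` one line later and used to build a `sites/` directory name, so an allowlist of the characters a host may legitimately contain is the tighter check, e.g. `if (!isset($_SERVER['HTTP_HOST']) || !preg_match('/^[a-zA-Z0-9.:\[\]-]+$/', $_SERVER['HTTP_HOST'])) {`. The guard also reads `$_SERVER['HTTP_HOST']` without `isset()`, so a request that carries no Host header raises a notice and falls through to the `rtrim` on the next line with a null host; if such requests must keep working here, keep the `isset()` test but send them to a default site rather than to the 400. Whether the remainder of conf_path() beyond the hunk tolerates an empty host I cannot tell from what is visible.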