diff -u unbound-1.4.9/debian/changelog unbound-1.4.9/debian/changelog
--- unbound-1.4.9/debian/changelog
+++ unbound-1.4.9/debian/changelog
@@ -1,3 +1,12 @@
+unbound (1.4.9-0ubuntu1.2) natty-security; urgency=high
+
+ * SECURITY UPDATE:
+ * References: CVE 2011-4528, 2011-4869 (LP: #907983)
+ * Add debian/patches/CVE-2011-4528 to fix DoS with DNSSEC
+ - Patch from Debian security update
+
+ -- Scott Kitterman Fri, 23 Dec 2011 00:12:43 -0500
+
 unbound (1.4.9-0ubuntu1.1) natty-security; urgency=high
 * SECURITY UPDATE:
diff -u unbound-1.4.9/debian/patches/series unbound-1.4.9/debian/patches/series
--- unbound-1.4.9/debian/patches/series
+++ unbound-1.4.9/debian/patches/series
@@ -3,0 +4 @@
+CVE-2011-4528
only in patch2:
unchanged:
--- unbound-1.4.9.orig/debian/patches/CVE-2011-4528
+++ unbound-1.4.9/debian/patches/CVE-2011-4528
@@ -0,0 +1,34 @@
+Index: unbound-1.4.9/iterator/iter_scrub.c
+===================================================================
+--- unbound-1.4.9.orig/iterator/iter_scrub.c 2011-01-28 11:11:49.000000000 -0500
++++ unbound-1.4.9/iterator/iter_scrub.c 2011-12-23 00:13:36.180917042 -0500
+@@ -187,11 +187,14 @@
+ size_t* snamelen)
+ {
+ if(rrset->rr_count != 1) {
++ struct rr_parse* sig;
+ verbose(VERB_ALGO, "Found CNAME rrset with "
+ "size > 1: %u", (unsigned)rrset->rr_count);
+ /* use the first CNAME! */
+ rrset->rr_count = 1;
+ rrset->size = rrset->rr_first->size;
++ for(sig=rrset->rrsig_first; sig; sig=sig->next)
++ rrset->size += sig->size;
+ rrset->rr_last = rrset->rr_first;
+ rrset->rr_first->next = NULL;
+ }
+Index: unbound-1.4.9/validator/val_nsec3.c
+===================================================================
+--- unbound-1.4.9.orig/validator/val_nsec3.c 2011-03-01 07:48:45.000000000 -0500
++++ unbound-1.4.9/validator/val_nsec3.c 2011-12-23 00:13:36.180917042 -0500
+@@ -1196,6 +1196,10 @@
+ * can see the ordinary unsigned data from a zone beneath an
+ * insecure delegation under an optout here */
+
++ if(!ce.nc_rrset) {
++ verbose(VERB_ALGO, "nsec3 nodata proof: no next closer nsec3");
++ return sec_status_bogus;
++ }
+ /* We need to make sure that the covering NSEC3 is opt-out. */
+ log_assert(ce.nc_rrset);
+ if(!nsec3_has_optout(ce.nc_rrset, ce.nc_rr)) {
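Review bot: The new guard in val_nsec3.c returns `sec_status_bogus` when `ce.nc_rrset` is NULL, which makes the `log_assert(ce.nc_rrset)` two lines below unreachable for that case; it now only restates the check and could be dropped, or kept behind a comment such as `/* a response may lack the next closer NSEC3; treat that as a bogus proof, not an invariant violation */` above the new `if`, so a later reader does not reinstate the assert as the only defence. In iter_scrub.c the truncated CNAME rrset is resized to its first RR plus every RRSIG on `rrsig_first` while the RRSIG chain itself is left intact; a one-line comment on the `for` loop stating that the signatures are deliberately kept whole would document why `size` must include them. Both enclosing functions begin outside the quoted nested hunks, and the patch file carries no header describing the failure it fixes beyond the changelog's CVE reference, so a short description line at the top of the patch would help future rebases.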