diff -u unbound-1.4.9/debian/changelog unbound-1.4.9/debian/changelog
--- unbound-1.4.9/debian/changelog
+++ unbound-1.4.9/debian/changelog
@@ -1,3 +1,11 @@
+unbound (1.4.9-0ubuntu1.1) natty-security; urgency=high
+
+ * SECURITY UPDATE:
+ * References: CVE 2011-1922 (LP: #788818)
+ * Add debian/patches/30_cve2011-1922 backported from 1.4.10
+
+ -- Scott Kitterman Fri, 27 May 2011 00:23:21 -0400
+
 unbound (1.4.9-0ubuntu1) natty; urgency=low
 * New bugfix upstream release
diff -u unbound-1.4.9/debian/patches/series unbound-1.4.9/debian/patches/series
--- unbound-1.4.9/debian/patches/series
+++ unbound-1.4.9/debian/patches/series
@@ -1,2 +1,3 @@
+30_cve2011-1922
 20_example_conf_default_chroot
 10_libev_library
only in patch2:
unchanged:
--- unbound-1.4.9.orig/debian/patches/30_cve2011-1922
+++ unbound-1.4.9/debian/patches/30_cve2011-1922
@@ -0,0 +1,14 @@
+Fixes CVE 2011-1922, see upstream changes in 1.4.10.
+
+Index: unbound-1.4.9/daemon/worker.c
+===================================================================
+--- unbound-1.4.9.orig/daemon/worker.c 2011-05-27 00:22:00.752317797 -0400
++++ unbound-1.4.9/daemon/worker.c 2011-05-27 00:22:07.304317795 -0400
+@@ -777,6 +777,7 @@
+ qinfo.qtype == LDNS_RR_TYPE_IXFR) {
+ verbose(VERB_ALGO, "worker request: refused zone transfer.");
+ log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen);
++ ldns_buffer_rewind(c->buffer);
+ LDNS_QR_SET(ldns_buffer_begin(c->buffer));
+ LDNS_RCODE_SET(ldns_buffer_begin(c->buffer),
+ LDNS_RCODE_REFUSED);
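Review bot: The header of the new `debian/patches/30_cve2011-1922` records neither where the change came from upstream nor what the added line guards against. It also writes the identifier as `CVE 2011-1922` (as does the changelog hunk), which a search or tracker matching the hyphenated form would presumably miss. I would replace the first line with DEP-3 style fields such as `Description: rewind the reply buffer before writing the REFUSED header (CVE-2011-1922)`, `Origin: backport, <upstream revision or URL>` and `Bug-Ubuntu: https://bugs.launchpad.net/bugs/788818`. The inner hunk touches only the zone-transfer refusal branch, and its enclosing function starts and ends outside the hunk. It is therefore worth confirming against the 1.4.10 source that no other branch in `daemon/worker.c` that rewrites the header in place needs the same `ldns_buffer_rewind(c->buffer);`.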