diff -Nru lighttpd-1.4.28/debian/changelog lighttpd-1.4.28/debian/changelog
--- lighttpd-1.4.28/debian/changelog 2011-11-24 14:54:14.000000000 +0700
+++ lighttpd-1.4.28/debian/changelog 2011-12-20 17:33:30.000000000 +0700
@@ -1,3 +1,11 @@
+lighttpd (1.4.28-2ubuntu4) precise; urgency=low
+
+ * debian/patches/CVE-2011-4362.patch: Fix DoS because of incorrect code in
+ src/http_auth.c:67 (LP: #906792)
+ - CVE-2011-4362
+
+ -- Mahyuddin Susanto Tue, 20 Dec 2011 17:32:22 +0700
+
 lighttpd (1.4.28-2ubuntu3) precise; urgency=low
 * Rebuild for libmysqlclient transition
diff -Nru lighttpd-1.4.28/debian/patches/CVE-2011-4362.patch lighttpd-1.4.28/debian/patches/CVE-2011-4362.patch
--- lighttpd-1.4.28/debian/patches/CVE-2011-4362.patch 1970-01-01 07:00:00.000000000 +0700
+++ lighttpd-1.4.28/debian/patches/CVE-2011-4362.patch 2011-12-20 17:33:49.000000000 +0700
@@ -0,0 +1,19 @@
+Description: DoS because of incorrect code in src/http_auth.c:67
+Origin: http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2011_01.txt
+Bug: http://redmine.lighttpd.net/issues/2370
+Bug-Debian: http://bugs.debian.org/652726
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/906792
+
+Index: lighttpd-1.4.28/src/http_auth.c
+===================================================================
+--- lighttpd-1.4.28.orig/src/http_auth.c 2010-08-17 16:04:38.000000000 +0700
++++ lighttpd-1.4.28/src/http_auth.c 2011-12-20 17:32:18.312322671 +0700
+@@ -89,7 +89,7 @@
+ ch = in[0];
+ /* run through the whole string, converting as we go */
+ for (i = 0; i < in_len; i++) {
+- ch = in[i];
++ ch = (unsigned char) in[i];
+
+ if (ch == '\0') break;
+
diff -Nru lighttpd-1.4.28/debian/patches/series lighttpd-1.4.28/debian/patches/series
--- lighttpd-1.4.28/debian/patches/series 2010-11-21 13:32:56.000000000 +0700
+++ lighttpd-1.4.28/debian/patches/series 2011-12-20 17:32:01.000000000 +0700
@@ -2,3 +2,4 @@
 silence-errors.diff
 debian-changes-1.4.28-2
+CVE-2011-4362.patch
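Review bot: In debian/patches/CVE-2011-4362.patch, the context line `ch = in[0];` just above the loop still reads the byte without the cast, and the new `ch = (unsigned char) in[i];` has no comment saying why the cast matters. The pre-loop assignment looks like a dead store, since the loop reassigns ch on its first pass, so I would either drop it or write it as `ch = (unsigned char) in[0];`. Above the cast I would add `/* plain char may be signed: keep bytes >= 0x80 from turning negative before ch is used below */`. The fix also only holds if whatever consumes ch afterwards accepts values up to 255; that code and the declaration of ch are outside the hunk, so the size of any table indexed by ch should be confirmed there. The enclosing function starts and ends outside the hunk.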