diff -u lighttpd-1.4.26/debian/changelog lighttpd-1.4.26/debian/changelog
--- lighttpd-1.4.26/debian/changelog
+++ lighttpd-1.4.26/debian/changelog
@@ -1,3 +1,12 @@
+lighttpd (1.4.26-1.1ubuntu3.1) lucid-security; urgency=low
+
+ * SECURITY UPDATE: Fix DoS because of incorrect code in src/http_auth.c:67
+ (LP: #906792)
+ - debian/patches/CVE-2011-4362.patch: patch derived from upstream
+ - CVE-2011-4362
+
+ -- Mahyuddin Susanto Tue, 20 Dec 2011 17:34:44 +0700
+
 lighttpd (1.4.26-1.1ubuntu3) lucid; urgency=low
 * debian/control: Rebuild for libmysqlclient transition.
diff -u lighttpd-1.4.26/debian/patches/series lighttpd-1.4.26/debian/patches/series
--- lighttpd-1.4.26/debian/patches/series
+++ lighttpd-1.4.26/debian/patches/series
@@ -2,0 +3 @@
+CVE-2011-4362.patch
only in patch2: unchanged:
--- lighttpd-1.4.26.orig/debian/patches/CVE-2011-4362.patch
+++ lighttpd-1.4.26/debian/patches/CVE-2011-4362.patch
@@ -0,0 +1,19 @@
+Description: DoS because of incorrect code in src/http_auth.c:67
+Origin: http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2011_01.txt
+Bug: http://redmine.lighttpd.net/issues/2370
+Bug-Debian: http://bugs.debian.org/652726
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/906792
+
+Index: lighttpd-1.4.26/src/http_auth.c
+===================================================================
+--- lighttpd-1.4.26.orig/src/http_auth.c 2010-02-02 06:28:20.000000000 +0700
++++ lighttpd-1.4.26/src/http_auth.c 2011-12-20 16:29:07.441524722 +0700
+@@ -89,7 +89,7 @@
+ ch = in[0];
+ /* run through the whole string, converting as we go */
+ for (i = 0; i < in_len; i++) {
+- ch = in[i];
++ ch = (unsigned char) in[i];
+
+ if (ch == '\0') break;
+
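Review bot: The new `ch = (unsigned char) in[i];` in the http_auth.c hunk carries no comment explaining the cast, and because it looks redundant at first glance it is exactly the kind of line a later cleanup drops, silently reintroducing the sign-extension this patch exists to prevent (an input byte >= 0x80 becoming a negative value, which from the patch appears to be the CVE-2011-4362 issue). I would annotate it inline: `ch = (unsigned char) in[i]; /* CVE-2011-4362: bytes >= 0x80 must not sign-extend to a negative value on signed-char targets */`. Whether the cast alone is sufficient depends on `ch` being declared as `int` or `unsigned` rather than `char`, and on how `ch` is consumed after the visible `'\0'` check — both are outside the hunk, and the enclosing function starts and ends outside it, so this should be confirmed against the full function. The context line `ch = in[0];` before the loop is uncast but is overwritten at i == 0 before any use, so it is harmless dead code that could be removed for clarity. Separately, the Description header cites `src/http_auth.c:67` while this hunk is at line 89 of the 1.4.26 source; the `:67` is presumably the upstream advisory's line number and is worth labelling as such to avoid confusion.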