diff --git a/Formula/libquicktime.rb b/Formula/libquicktime.rb
index 2ebf334c55..d58d52b045 100644
--- a/Formula/libquicktime.rb
+++ b/Formula/libquicktime.rb
@@ -3,7 +3,7 @@ class Libquicktime < Formula
   homepage "https://libquicktime.sourceforge.io/"
   url "https://downloads.sourceforge.net/project/libquicktime/libquicktime/1.2.4/libquicktime-1.2.4.tar.gz"
   sha256 "1c53359c33b31347b4d7b00d3611463fe5e942cae3ec0fefe0d2fd413fd47368"
-  revision 3
+  revision 4
 
   bottle do
     sha256 "20531455d4851267e616601cba034fac72193dd7a2436c07d7c0fbf54284ebf1" => :sierra
@@ -28,11 +28,14 @@ class Libquicktime < Formula
   patch :DATA
 
   # Fix CVE-2016-2399. Applied upstream on March 6th 2017.
+  # Also, fixes from upstream for CVE-2017-9122 through CVE-2017-9128, applied
+  # by Debian since 30 Jun 2017.
   patch do
-    url "https://mirrors.ocf.berkeley.edu/debian/pool/main/libq/libquicktime/libquicktime_1.2.4-10.debian.tar.xz"
-    mirror "https://mirrorservice.org/sites/ftp.debian.org/debian/pool/main/libq/libquicktime/libquicktime_1.2.4-10.debian.tar.xz"
-    sha256 "550cc827c675aeb37727f6daaa311b649246dc9f952e830f0796c25af1137340"
+    url "https://mirrors.ocf.berkeley.edu/debian/pool/main/libq/libquicktime/libquicktime_1.2.4-11.debian.tar.xz"
+    mirror "https://mirrorservice.org/sites/ftp.debian.org/debian/pool/main/libq/libquicktime/libquicktime_1.2.4-11.debian.tar.xz"
+    sha256 "3f655fdab37fcad2d2e7d20672ff8bad6eec64a9d5a7dc702c79082346ba878b"
     apply "patches/CVE-2016-2399.patch"
+    apply "patches/CVE-2017-9122_et_al.patch"
   end
 
   def install