BIND 9 Security Release and Multi-Vendor Vulnerability Handling, CVE-2023-50387 and CVE-2023-50868 contains detailed description and also a link to the corresponding Unbound 1.19.1 Release Announcement
The problem: Debian 11.* bullseye (should be updated to 11.9 ASAP with the standard update + upgrade procedure) does not have appropriate versions of BIND & Unbound and probably will never get these.
Solution for BIND: use ISC Debian .deb repository instead of Debian Main, it has bind 9.18.24 for bullseye
Solution for Unbound: while the main repo is stuck with unbound 1.13.1, and backports repo has 1.18.smth, the “testing” repo (supposedly, for 12/13 branches) already has unbound 1.9.1-1 source package available. Following this manual for building your private, local, unofficial backports, I’ve just built a set of .deb packages on one of my Debian 11.9 servers, with all the Debian custom patches included (because I took the Debian “testing” sources so the patches are already there). Build Ok with no errors, now testing it.
Hope it helps! Regards, Andreas