CVE-2011-4973 [mod_nss FakeBasicAuth authentication bypass]
	- libapache2-mod-nss <unfixed> (low; bug #729626)
CVE-2011-4972 [CKEditor module for Drupal access bypass]
	NOT-FOR-US: Drupal module
CVE-2011-4970 [Multiple SQL Injection vulnerabilities in Disk Pool Manager (DPM)]
	- lcgdm 1.8.6-1 (low; bug #702895)
CVE-2011-4968 [nginx http proxy module does not verify peer identity of https origin server]
	- nginx <unfixed> (low; bug #697940)
CVE-2011-4967
	NOT-FOR-US: OpenPegasus
CVE-2011-4958 [silverstripe:XSS]
	- silverstripe <itp> (bug #528461)
CVE-2011-4955
	NOT-FOR-US: wordpress bsuite plugin
CVE-2011-4954
	- cobbler <itp> (bug #545583)
CVE-2011-4953
	- cobbler <itp> (bug #545583)
CVE-2011-4952
	- cobbler <itp> (bug #545583)
CVE-2011-4938
	NOT-FOR-US: Ariadne CMS not in Debian
CVE-2011-4937
	- joomla <itp> (bug #571794)
CVE-2011-4936
	- joomla <itp> (bug #571794)
CVE-2011-4935
	- joomla <itp> (bug #571794)
CVE-2011-4934
	- joomla <itp> (bug #571794)
CVE-2011-4933
	- joomla <itp> (bug #571794)
CVE-2011-4931
	- gpw <unfixed> (unimportant; bug #651510)
CVE-2011-4930
	- condor <not-affected> (Fixed before initial release)
CVE-2011-4924
	- zope2.12 2.12.22-1
CVE-2011-4919 [mpack info disclosure]
	- mpack 1.6-8 (low; bug #655971)
CVE-2011-4917
	- linux-2.6 <unfixed> (unimportant)
CVE-2011-4915
	- linux-2.6 <unfixed> (unimportant)
CVE-2011-4912
	NOT-FOR-US: Joomla
CVE-2011-4908
	NOT-FOR-US: Joomla
CVE-2011-4907
	NOT-FOR-US: Joomla
CVE-2011-4906
	NOT-FOR-US: Joomla
CVE-2011-4904
	{DSA-2289-1}
CVE-2011-4903
	{DSA-2289-1}
CVE-2011-4902
	{DSA-2289-1}
CVE-2011-4901
	{DSA-2289-1}
CVE-2011-4900
	{DSA-2289-1}
CVE-2011-4632
	{DSA-2289-1}
CVE-2011-4631
	{DSA-2289-1}
CVE-2011-4630
	{DSA-2289-1}
CVE-2011-4629
	{DSA-2289-1}
CVE-2011-4628
	{DSA-2289-1}
CVE-2011-4627
	{DSA-2289-1}
CVE-2011-4626
	{DSA-2289-1}
CVE-2011-4625 [simplesamlphp xml encryption issues]
	{DSA-2330-1}
CVE-2011-4624
	NOT-FOR-US: WordPress flash-album-gallery
CVE-2011-4613 [X launcher permission bypass]
	{DSA-2364-1}
CVE-2011-4610
	- jbossas4 <not-affected> (Only builds a few libraries, not the full application server)
CVE-2011-4600
	- libvirt 0.9.9-1 (low)
CVE-2011-4595
	NOT-FOR-US: WordPress pretty-link plugin
CVE-2011-4580
	NOT-FOR-US: JBoss Enterprise Portal Platform
CVE-2011-4573
	NOT-FOR-US: JBoss Operations Network
CVE-2011-4558
	- tikiwiki <removed>
CVE-2011-4455
	- tikiwiki <removed>
CVE-2011-4454
	- tikiwiki <removed>
CVE-2011-4407 [apt-add-repository does not perform ssl verification where it *needs* to]
	- software-properties 0.76.7debian2+nmu2
CVE-2011-4406
	- accountsservice 0.6.15-3
CVE-2011-4366
	NOT-FOR-US: ** REJECT ** duplicate of CVE-2011-4090
CVE-2011-4365
	NOTE: duplicate of CVE-2011-4090
CVE-2011-4350
	- yaws 1.91-2 (bug #650009)
CVE-2011-4343
	NOT-FOR-US: Apache MyFaces
CVE-2011-4338
	NOT-FOR-US: Arch-Linux specific tool
CVE-2011-4336
	NOT-FOR-US: Tiki Wiki
CVE-2011-4334
	NOT-FOR-US: LabWiki
CVE-2011-4333
	NOT-FOR-US: LabWiki
CVE-2011-4327
	- openssh <not-affected> (Only affects platforms w/o /dev/random)
CVE-2011-4322
	NOT-FOR-US: websitebaker
CVE-2011-4310
	- cmsms <itp> (bug #608888)
CVE-2011-4195
	NOT-FOR-US: Suse kiwi (different from python-kiwi)
CVE-2011-4193
	NOT-FOR-US: Suse kiwi (different from python-kiwi)
CVE-2011-4192
	NOT-FOR-US: Suse kiwi (different from python-kiwi)
CVE-2011-4121
	- ruby1.9.1 <not-affected> (Only affected trunk versions)
CVE-2011-4120 [authentication bypass by pressing ctrl-d]
	- yubico-pam 2.10-1
CVE-2011-4117
	NOT-FOR-US: perl Batch::BatchRun CPAN module
CVE-2011-4116
	- perl <unfixed> (unimportant)
CVE-2011-4115
	- libparallel-forkmanager-perl <not-affected> (issue introduced in 0.7.6 upstream, never in Debian)
CVE-2011-4111
	- qemu 0.15.1+dfsg-2
CVE-2011-4104
	- django-tastypie 0.9.10-1 (bug #647314)
CVE-2011-4103 [YAML deserialization vulnerability in Piston framework]
	{DSA-2344-1}
CVE-2011-4099
	- libcap2 1:2.22-1 (low)
CVE-2011-4095
	NOT-FOR-US: Jara
CVE-2011-4094
	NOT-FOR-US: Jara
CVE-2011-4093
	- net6 1:1.3.14-1 (low; bug #647318)
CVE-2011-4092
	- obby <unfixed> (low; bug #647317)
CVE-2011-4091
	[squeeze] - net6 <no-dsa> (Minor issue)
CVE-2011-4090 [serendipity before 1.6 backend XSS in karma plugin]
	- serendipity <removed> (bug #650937)
CVE-2011-4089
	- bzip2 1.0.6-1 (low; bug #632862)
CVE-2011-4088
	NOT-FOR-US: abrt/libreport
CVE-2011-4083
	NOT-FOR-US: RedHat sos
CVE-2011-4082
	- phpldapadmin 0.9.8-1
CVE-2011-3923
	- libstruts1.2-java <not-affected> (Only affects 2.x)
CVE-2011-3642 [flowplayer-core: Arbitrary plugins with remote code execution (XSS)]
	- mahara <removed> (low; bug #699230)
CVE-2011-3634
	- apt 0.8.11 (low)
CVE-2011-3632 [hardlink has buffer overflows, is unsafe on changing trees]
	- hardlink <not-affected> (Only the C version, ours are written in Python)
CVE-2011-3631 [hardlink has buffer overflows, is unsafe on changing trees]
	- hardlink <not-affected> (Only the C version, ours are written in Python)
CVE-2011-3630 [hardlink has buffer overflows, is unsafe on changing trees]
	- hardlink <not-affected> (Only the C version, ours are written in Python)
CVE-2011-3629
	NOT-FOR-US: Joomla
CVE-2011-3628
	- pam 1.1.3-7 (low; bug #670076)
CVE-2011-3625 [mplayer SAMI subtitle parsing buffer overflow]
	- mplayer 2:1.0~rc4.dfsg1+svn33713-2 (bug #645987)
CVE-2011-3624
	- ruby1.8 <unfixed> (low; bug #646020)
CVE-2011-3623 [media-video/vlc-1.0.2: Multiple stack-based buffer overflows in ASF, AVI, MP4 demuxers]
	- vlc 1.1.3-1
CVE-2011-3622
	NOT-FOR-US: phorum
CVE-2011-3621
	NOT-FOR-US: fluxbb
CVE-2011-3618 [atop insecure tempfile handling]
	- atop 1.23-1.1 (low; bug #622794)
CVE-2011-3617 [tahoe-lafs: an unauthorized user can delete files]
	- tahoe-lafs 1.8.3-1 (bug #641540)
CVE-2011-3614 [vanilla plugin access control]
	NOT-FOR-US: Vanilla Forums
CVE-2011-3613 [vanilla forums cookie theft]
	NOT-FOR-US: Vanilla Forums
CVE-2011-3612 [HTB22913: Multiple CSRF in UseBB]
	NOT-FOR-US: UseBB
CVE-2011-3611 [HTB22914: Local File Inclusion in UseBB]
	NOT-FOR-US: UseBB
CVE-2011-3610 [serendipity freetag plugin before 3.30 and probably others]
	NOT-FOR-US: Serendipity plugin
CVE-2011-3609 [CSRF in the JBoss AS 7 administration console & HTTP management API]
	- jbossas4 <not-affected> (Only builds a few libraries, not the full application server, #581226)
CVE-2011-3606 [DOM based XSS in the JBoss AS 7 administration console]
	- jbossas4 <not-affected> (Only builds a few libraries, not the full application server, #581226)
CVE-2011-3605
	{DSA-2323-1}
CVE-2011-3604
	{DSA-2323-1}
CVE-2011-3603
	NOTE: http://seclists.org/oss-sec/2011/q4/30
CVE-2011-3602
	{DSA-2323-1}
CVE-2011-3601
	{DSA-2323-1}
CVE-2011-3600
	- libxmlrpc3-java 3.1.3-1 (low)
CVE-2011-3596
	- polipo 1.0.4.1-1.2 (bug #644289)
CVE-2011-3595
	- joomla <itp> (bug #571794)
CVE-2011-3592 [phpMyAdmin did not properly sanitize the content of db, table, and column names prior use of their values.]
	- phpmyadmin 4:3.4.5-1
CVE-2011-3591 [PMASA-2011-14 XSS]
	- phpmyadmin 4:3.4.5-1
CVE-2011-3590 [mkdumprd utility created the final initial ramdisk image with...]
	- kexec-tools <not-affected> (The flaw exists in kdump.init and mkdumprd scrits, shipped only with Red Hat and Fedora)
CVE-2011-3589 [mkdumprd utility copied content of certain directories into newly...]
	- kexec-tools <not-affected> (The flaw exists in kdump.init and mkdumprd scrits, shipped only with Red Hat and Fedora)
CVE-2011-3588 [kdump/mkdumprd: the default value of "StrictHostKeyChecking=no"]
	- kexec-tools <not-affected> (The flaw exists in kdump.init and mkdumprd scrits, shipped only with Red Hat and Fedora)
CVE-2011-3586
	NOTE: Dupe of CVE-2011-3504, to be rejected
CVE-2011-3585
	- samba 2:3.4.7~dfsg-2 (low)
CVE-2011-3584 [TYPO3-SA-2011-003]
	- typo3-src 4.5.6+dfsg1-1 (low; bug #641683)
CVE-2011-3583 [TYPO3-SA-2011-002]
	- typo3-src 4.5.6+dfsg1-1 (low; bug #641682)
CVE-2011-3582
	NOT-FOR-US: Advanced Electron Forums
CVE-2011-3350 [masqmail improper privilege dropping]
	- masqmail 0.2.30-1 (low; bug #638002)
CVE-2011-3377 [IcedTea browser plugin Same Origin Policy suffix issue]
	{DSA-2420-1}
CVE-2011-3374 [apt-key insecure validation]
	- apt <unfixed> (unimportant; bug #642480)
CVE-2011-3373
	NOT-FOR-US: Views Bulk Operations module for Drupal
CVE-2011-3370
	- statusnet <itp> (bug #491723)
CVE-2011-3355
	- evolution-data-server3 3.2.1-1 (bug #641052)
CVE-2011-3352
	NOT-FOR-US: Zikula
CVE-2011-3351
	- openvas-scanner <unfixed> (bug #641327; low)
CVE-2011-3349 [lightdm denial of service]
	- lightdm 0.9.6-1 (bug #639151)
CVE-2011-3346
	- qemu-kvm 0.15.1+dfsg-1 (bug #646118)
CVE-2011-3344
	NOT-FOR-US: Red Hat Network Satellite server
CVE-2011-3203 [Jcow CMS 4.x:4.2 <= , 5.x:5.2 <= | Arbitrary Code Execution]
	NOT-FOR-US: Jcow
CVE-2011-3202 [Jcow CMS 4.2 <= | Cross Site Scripting]
	NOT-FOR-US: Jcow
CVE-2011-3199
	{DSA-2365-1}
CVE-2011-3198
	{DSA-2365-1}
CVE-2011-3197
	{DSA-2365-1}
CVE-2011-3196
	{DSA-2365-1}
CVE-2011-3195
	{DSA-2365-1}
CVE-2011-3183
	NOT-FOR-US: Concrete CMS
CVE-2011-3180
	NOT-FOR-US: Suse kiwi (different from python-kiwi)
CVE-2011-3154
	- update-manager <not-affected> (ubuntu-specific issue)
CVE-2011-3153
	- lightdm 1.0.6-2
CVE-2011-3152
	- update-manager <not-affected> (ubuntu-specific issue)
CVE-2011-3145
	{DSA-2382-1}
CVE-2011-2941
	NOT-FOR-US: JBoss Enterprise Portal Platform
CVE-2011-2936
	- elgg <itp> (bug #526197)
CVE-2011-2935
	- elgg <itp> (bug #526197)
CVE-2011-2934
	NOT-FOR-US: WebsiteBaker
CVE-2011-2933
	NOT-FOR-US: WebsiteBaker
CVE-2011-2927
	NOT-FOR-US: Red Hat Network Satellite server
CVE-2011-2924
	- foomatic-filters 4.0.12-1 (low)
CVE-2011-2923
	- foomatic-filters <unfixed> (unimportant)
CVE-2011-2922
	- ktsuss <removed>
CVE-2011-2921
	- ktsuss <removed>
CVE-2011-2920
	NOT-FOR-US: Red Hat Network Satellite server
CVE-2011-2919
	NOT-FOR-US: Red Hat Network Satellite server
CVE-2011-2916
	- qtnx <removed> (low; bug #637439)
CVE-2011-2910
	- ax25-tools 0.0.8-13.2 (low; bug #638198)
CVE-2011-2909
	{DSA-2303-1}
CVE-2011-2902 [xpdf: insecure tempfile usage]
	- xpdf 3.02-19 (low; bug #635849)
CVE-2011-2897
	- gdk-pixbuf <not-affected> (This only applies to the old standalone copy shipped until Lenny)
CVE-2011-2765 [pyro: insecure use of temporary pid file]
	- pyro 1:3.14-1 (low; bug #631912)
CVE-2011-2727
	NOT-FOR-US: Tribiq CMS
CVE-2011-2726 [SA-CORE-2011-003]
	- drupal7 7.6-1
CVE-2011-2725 [ark directory traversal]
	- kdeutils 4:4.6.5-4 (low; bug #635541)
CVE-2011-2717
	NOT-FOR-US: udhcp6c
CVE-2011-2715
	NOT-FOR-US: Drupal data module
CVE-2011-2714
	NOT-FOR-US: Drupal data module
CVE-2011-2706
	NOT-FOR-US: sNews
CVE-2011-2702 [eglibc signedness vulnerability in ssse3 optimizations]
	- eglibc 2.13-10
CVE-2011-2684
	- foo2zjs 20110722dfsg-1 (low; bug #633870)
CVE-2011-2683
	- reseed <removed>
CVE-2011-2538
	- plone3 <removed>
CVE-2011-2523
	- vsftpd <not-affected> (backdoored version was never in the Debian archive)
CVE-2011-2515
	- packagekit 0.6.17-1
CVE-2011-2514
	- openjdk-6 6b21~pre1-1
CVE-2011-2513
	- openjdk-6 6b21~pre1-1
CVE-2011-2500
	- nfs-utils 1:1.2.4-1 (bug #633155)
CVE-2011-2499
	NOT-FOR-US: Mambo CMS
CVE-2011-2498
	- linux-2.6 2.6.39-1 (low)
CVE-2011-2487
	NOT-FOR-US: Apache CXF
CVE-2011-2480 [kfreebsd info disclosure]
	- kfreebsd-9 9.0~svn223502-1 (bug #631160)
CVE-2011-2207
	- dirmngr <unfixed> (unimportant; bug #627377)
CVE-2011-2187
	- xscreensaver 5.14-1 (bug #627382)
CVE-2011-2186
	NOTE: Disputed gitweb non-issue: https://bugzilla.redhat.com/show_bug.cgi?id=713298
CVE-2011-2177
	- libreoffice <undetermined>
CVE-2011-2198 [vte memory exhaustion]
	- vte 1:0.28.1-1 (low; bug #629688)
CVE-2011-2054
	NOT-FOR-US: ** REJECT ** CVE-2011-2054 misused as CVE-2011-2524
CVE-2011-1939
	- zendframework 1.11.6-1 (low)
CVE-2011-1935 [packet truncation in libpcap]
	- libpcap 1.1.1-4 (low; bug #623868)
CVE-2011-1934 [lilo: lilo.conf world-readable]
	- lilo 23.1-2 (low; bug #615103)
CVE-2011-1933
	- libjifty-dbi-perl 0.68-1 (low; bug #622919)
CVE-2011-1930
	- klibc 1.5.22-1 (low)
CVE-2011-1837
	{DSA-2382-1}
CVE-2011-1836
	- ecryptfs-utils 92-1
CVE-2011-1835
	{DSA-2382-1}
CVE-2011-1834
	{DSA-2382-1}
CVE-2011-1832
	{DSA-2382-1}
CVE-2011-1831
	{DSA-2382-1}
CVE-2011-1798
	- chromium-browser 11.0.696.65~r84435-1
CVE-2011-1796
	- chromium-browser 11.0.696.65~r84435-1
CVE-2011-1795
	- chromium-browser 11.0.696.65~r84435-1
CVE-2011-1794
	- chromium-browser 11.0.696.65~r84435-1
CVE-2011-1793
	- chromium-browser 11.0.696.65~r84435-1
CVE-2011-1773
	NOT-FOR-US: virt-v2v
CVE-2011-1749 [nfs-utils: mount.nfs fails to anticipate RLIMIT_FSIZE]
	- nfs-utils 1:1.2.3-3 (low; bug #629420)
CVE-2011-1597
	NOT-FOR-US: OpenVAS Manager
CVE-2011-1596
	NOT-FOR-US: ** REJECT ** (regular bug in gnome-screensaver-dialog)
CVE-2011-1594
	NOT-FOR-US: Red Hat Network Satellite server
CVE-2011-1588
	- thunar <not-affected> (Introduced in 1.2, only in experimental)
CVE-2011-1490
	- rsyslog 5.7.6-1 (low)
CVE-2011-1489
	- rsyslog 5.7.6-1 (low)
CVE-2011-1488
	- rsyslog 5.7.6-1 (low)
CVE-2011-1474
	NOT-FOR-US: PaX hardening patch
CVE-2011-1408 [ikiwiki tty hijacking vulnerability]
	- ikiwiki 3.20110608 (low)
CVE-2011-1151
	NOT-FOR-US: Joomla!
CVE-2011-1150
	NOT-FOR-US: bbPress
CVE-2011-1145 [buffer overflow in unixODBC's SQLDriverConnect()]
	- unixodbc 2.2.14p2-3 (low; bug #617655)
CVE-2011-1086
	NOT-FOR-US: openfiler
CVE-2011-1085
	NOT-FOR-US: smoothwall
CVE-2011-1084
	NOT-FOR-US: smoothwall
CVE-2011-1070
	- v86d 0.1.10-1 (low; bug #619404)
CVE-2011-1069
	NOT-FOR-US: PHPShop
CVE-2011-1028
	- smarty3 3.0.8-1
CVE-2011-1009
	NOT-FOR-US: Vanilla Forums
CVE-2011-1133 [xinha XSS mode param]
	- serendipity <removed> (bug #611661)
CVE-2011-1134 [xinha XSS image manager]
	- serendipity <removed> (bug #611661)
CVE-2011-1135 [xinha multiple vulns]
	- serendipity <removed> (bug #611661)
CVE-2011-1136 [tesseract tempfile]
	- tesseract 2.04-2.1 (low; bug #612032)
CVE-2011-0705 [path traversal in SimpleHTTPServer]
	NOTE: Will be rejected
CVE-2011-0704
	NOT-FOR-US: 389 Directory Server
CVE-2011-0703
	- gksu-polkit <removed> (bug #684489)
CVE-2011-0699
	- linux-2.6 2.6.37-2
CVE-2011-0544
	- phpbb3 3.0.7-PL1-5 (low; bug #612477)
CVE-2011-0529
	- weborf 0.12.5-1
CVE-2011-0528
	- puppet 2.6.2-3
CVE-2011-0525
	NOT-FOR-US: Batavi
CVE-2011-0460
	- kbd <not-affected> (SUSE-specific)
CVE-2011-0428
	- ikiwiki 3.20110122
CVE-2011-0068
	- xulrunner <not-affected> (Only affects Firefox 4.0, not yet in unstable)