Package: tracker.debian.org

Hello,

While viewing the tracker page for package asterisk, I saw that there are open
security issues for bookworm and trixie in the tracker action needed panel, but
all links in the action item list lead to security-tracker.debian.org pages
which do not mention either codename.

These security issues were addressed in bug #1032092 and bug #1059303, so my
expectation is that these action items are removed.

When I feed the current UpdateSecurityIssuesTask.DISTRIBUTIONS_URL JSON and the
UpdateSecurityIssuesTask.CVE_DATA_URL (trimmed down to asterisk only) into a
modified UpdateSecurityIssuesTaskTests module, it produces a summary of all zeroes.
This leads me to believe it's an ActionItem caching issue.

After some investigation, I think ActionItems can get stuck / stale.

Here's my theory for the bookworm action items:

2023-01-16: Package in bookworm
2023-02-27: #1032092 opens (3 CVEs)
----------: 3 ActionItems added "debian-security-issue-in-bookworm"
2023-03-28: Package removed from bookworm
2023-12-19: #1032092 is closed
----------: 3 ActionItems are not cleaned up

I'm not sure how the trixie action item got there, but I believe it is also
stale. Bug #1059303 was open from 2023-12-22 to 2024-06-07 and had 2 CVEs.
Asterisk was only in unstable for all that time as far as I can tell. The action
item was created on 2023-10-22 and was last updated the same day.

Thanks,

Martin
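
The stale-item condition described in the report can be expressed as a reconciliation check. The following is an added example, not distro-tracker code or the reporter's test module. It assumes the security-tracker JSON layout package -> CVE -> releases -> status; the dict-based action item records, function names and CVE identifiers are constructed.

```python
# Added example: names and sample data are constructed, not distro-tracker code.
ITEM_PREFIX = "debian-security-issue-in-"  # item type naming as quoted in the report


def open_cves_by_release(cve_data, package):
    """Map release -> set of CVE ids still open for `package`.

    Assumed layout of the security-tracker JSON:
    {package: {cve_id: {"releases": {release: {"status": "open" | "resolved"}}}}}
    """
    result = {}
    for cve_id, info in cve_data.get(package, {}).items():
        for release, state in info.get("releases", {}).items():
            if state.get("status") == "open":
                result.setdefault(release, set()).add(cve_id)
    return result


def stale_action_items(action_items, cve_data, package):
    """Return stored security action items that current data no longer justifies."""
    open_now = open_cves_by_release(cve_data, package)
    stale = []
    for item in action_items:
        if item["package"] != package or not item["type"].startswith(ITEM_PREFIX):
            continue
        release = item["type"][len(ITEM_PREFIX):]
        # A release absent from the data (package removed from it) has no
        # open issues, so an item for it is stale as well.
        if not open_now.get(release):
            stale.append(item)
    return stale


# Constructed sample: the package is only present in sid, with one open issue.
SAMPLE_CVE_DATA = {
    "asterisk": {
        "CVE-0000-0001": {"releases": {"sid": {"status": "resolved"}}},
        "CVE-0000-0002": {"releases": {"sid": {"status": "open"}}},
    }
}
SAMPLE_ITEMS = [
    {"package": "asterisk", "type": "debian-security-issue-in-bookworm"},
    {"package": "asterisk", "type": "debian-security-issue-in-trixie"},
    {"package": "asterisk", "type": "debian-security-issue-in-sid"},
]

if __name__ == "__main__":
    for item in stale_action_items(SAMPLE_ITEMS, SAMPLE_CVE_DATA, "asterisk"):
        print("stale:", item["type"])
```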
