Bug#1119300: trixie-pu: package openconnect/9.12-3+deb13u1
This time with debdiff.
On 28/10/2025 22:02, Lee Garrett wrote:
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: openconnect@packages.debian.org, debian@rocketjump.eu
Control: affects -1 + src:openconnect
User: release.debian.org@packages.debian.org
Usertags: pu
(Please provide enough information to help the release team
to judge the request efficiently. E.g. by filling in the
sections below.)
[ Reason ]
This is a minimal fix to make openconnect work with Cisco AnyConnect VPN servers
where the admin has configured group endponts.
[ Impact ]
If not approved, user requiring to connect to said endpoints can't, and will
have to use the non-free cisco VPN client which overwrites system files.
[ Tests ]
I manually tested the change and it fixes my issue.
[ Risks ]
The code change is trivial and has been in the upstream repo for years.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
* The fix consists of a few lines patch that copies over the path of the URI for
subsequent HTTP requests, which makes authentication work again.
* Lucas has updated the upstream contact
* I also updated debian/gbp.conf to point to the correct branch
[ Other info ]
None
diff -Nru openconnect-9.12/debian/changelog openconnect-9.12/debian/changelog
--- openconnect-9.12/debian/changelog 2024-08-04 14:24:52.000000000 +0200
+++ openconnect-9.12/debian/changelog 2025-10-28 21:47:04.000000000 +0100
@@ -1,3 +1,15 @@
+openconnect (9.12-3+deb13u1) trixie; urgency=medium
+
+ * Non-maintainer upload.
+ [ Luca Boccassi ]
+ * d/copyright: update Upstream-Contact to mailing list
+
+ [ Lee Garrett ]
+ * Patch: Respect path in AnyConnect/OpenConnect XML form handling (Closes: #1119239)
+ * Update debian/gbp.conf to match debian/trixie branch
+
+ -- Lee Garrett <debian@rocketjump.eu> Tue, 28 Oct 2025 21:47:04 +0100
+
openconnect (9.12-3) unstable; urgency=medium
* Disable autopkgtest and remove test build dependencies (Closes:
diff -Nru openconnect-9.12/debian/copyright openconnect-9.12/debian/copyright
--- openconnect-9.12/debian/copyright 2024-03-28 12:59:35.000000000 +0100
+++ openconnect-9.12/debian/copyright 2025-10-28 21:39:41.000000000 +0100
@@ -1,6 +1,6 @@
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: OpenConnect
-Upstream-Contact: David Woodhouse <David.Woodhouse@intel.com>
+Upstream-Contact: openconnect-devel@lists.infradead.org
Source: ftp://ftp.infradead.org/pub/openconnect/
Files: *
diff -Nru openconnect-9.12/debian/gbp.conf openconnect-9.12/debian/gbp.conf
--- openconnect-9.12/debian/gbp.conf 2024-03-28 12:59:35.000000000 +0100
+++ openconnect-9.12/debian/gbp.conf 2025-10-28 21:40:45.000000000 +0100
@@ -1,4 +1,5 @@
[DEFAULT]
+debian-branch = debian/trixie
pristine-tar = True
sign-tags = True
diff -Nru openconnect-9.12/debian/patches/dont-default-form-action.patch openconnect-9.12/debian/patches/dont-default-form-action.patch
--- openconnect-9.12/debian/patches/dont-default-form-action.patch 1970-01-01 01:00:00.000000000 +0100
+++ openconnect-9.12/debian/patches/dont-default-form-action.patch 2025-10-28 21:36:08.000000000 +0100
@@ -0,0 +1,46 @@
+Description: Fix URI patch on subsequent requests
+ Use the full URI (including "usergroup" or path) as specified in --server for
+ all requests during authentication instead of only the first one
+Author: Stefan Bühler <source@stbuehler.de>
+Origin: upstream, https://gitlab.com/openconnect/openconnect/-/merge_requests/560
+Bug: https://gitlab.com/openconnect/openconnect/-/issues/737
+Reviewed-by: Lee Garrett <debian@rocketjump.eu>
+Last-Update: 2025-10-28
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+diff --git a/auth.c b/auth.c
+index 317fc21..e245b48 100644
+--- a/auth.c
++++ b/auth.c
+@@ -455,13 +455,15 @@ static int parse_auth_node(struct openconnect_info *vpninfo, xmlNode *xml_node,
+
+ /* defaults for new XML POST */
+ form->method = strdup("POST");
+- form->action = strdup("/");
+
+ xmlnode_get_prop(xml_node, "method", &form->method);
+ xmlnode_get_prop(xml_node, "action", &form->action);
+
+- if (!form->method || !form->action ||
+- strcasecmp(form->method, "POST") || !form->action[0]) {
++ /* - expect unset action (reuse current URL) or non-empty action="..."
++ * - expect unset method (defaults to "POST") or explicit method="POST"
++ */
++ if ((form->action && !form->action[0]) ||
++ !form->method || strcasecmp(form->method, "POST")) {
+ vpn_progress(vpninfo, PRG_ERR,
+ _("Cannot handle form method='%s', action='%s'\n"),
+ form->method, form->action);
+diff --git a/www/changelog.xml b/www/changelog.xml
+index 49a50b3..1ba207f 100644
+--- a/www/changelog.xml
++++ b/www/changelog.xml
+@@ -15,7 +15,7 @@
+ <ul>
+ <li><b>OpenConnect HEAD</b>
+ <ul>
+- <li><i>No changelog entries yet</i></li>
++ <li>Use the full URI (including "usergroup" or path) as specified in <tt>--server</tt> for all requests during authentication instead of only the first one (<a href="https://gitlab.com/openconnect/openconnect/-/merge_requests/560";>!560</a>).</li>
+ </ul><br/>
+ </li>
+ <li><b><a href="https://www.infradead.org/openconnect/download/openconnect-9.12.tar.gz";>OpenConnect v9.12</a></b>
diff -Nru openconnect-9.12/debian/patches/series openconnect-9.12/debian/patches/series
--- openconnect-9.12/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ openconnect-9.12/debian/patches/series 2025-10-28 21:36:08.000000000 +0100
@@ -0,0 +1 @@
+dont-default-form-action.patch
Reply to: