I'm of two minds about this. On the one hand, I'm a DD and tempted to do an NMU with this fix, since the package is largely useless without it. Everyone I know who uses openconnect just compiles and runs their own version due to this issue.
On the other hand, upstream has not seen fit to do a release with this fix, and openconnect is a security-sensitive network-facing service, basically maxed out in terms of potential vulnerability. If upstream doesn't think this fix (plus others) warrants a new release yet, perhaps that's because they know what they're doing and there is an actual issue that needs to be addressed first?

