Control: severity -1 important

Hi,

On Mon, Nov 17, 2025 at 01:41:01PM +0100, Salvatore Bonaccorso wrote:
> Control: tags -1 + patch
> 
> Hi Luca, hi all following this bug,
> 
> As I believe this issue affects quite some users in institutions I'm
> aware of -- after having got updates on the Cisco ASA side -- with VPN
> clients resulting in not being able to connect (think of not going down to
> the openconnect cli, but using it via NetworkManager), I have prepared a
> MR for this issue.
> 
> It is at https://salsa.debian.org/debian/openconnect/-/merge_requests/8
> 
> I'm open to propose it as NMU, and then work with the SRM to get the
> same as well accepted at least for trixie in a next point release (I
> know there is one other yet open, and which was not accepted for the
> 13.2 point release yet).
> 
> I'm not sure yet if it is possible to backport the same to bookworm
> for oldstable via the next point release, but would like to work on it
> first top-down.
> 
> I'm not attaching a proposed debdiff, as the changes as for the
> unstable version (modulo the NMU changelog entry) are in the merge
> request !8.
> 
> Please reconsider the severity of wishlist, I think important would
> be more appropriate here, as the issue renders some functional issues
> for users. In some cases apparently going down to the CLI using
> --gnutls-priority arguments as needed or --no-external-auth might
> work, but that does not help users who use NetworkManager to
> configure the VPN connection.
> 
> Thanks for your work on this package!

Since the closure of
https://salsa.debian.org/debian/openconnect/-/merge_requests/8 I have
been pondering for a while whether to reply to it. There are issues which
affect users and remain unresolved, so I'm following up now on this.

First, thanks Luca for taking the time to review the merge request.
While it is true that `openconnect` is a security-sensitive program,
if we argue this way then we can stop doing both security updates in
Debian and - for less severe or minor issues - batch bugfixes in point
releases.

The commit is *not* a randomly picked one but the targeted fix for an
upstream issue reported at
https://gitlab.com/openconnect/openconnect/-/issues/659. You can
follow further discussion in
https://gitlab.com/openconnect/openconnect/-/issues/659#note_2213113048
and following. The commit was applied by the original author of
openconnect upstream, who is an active contributor.

The patch was exposed for various months without regression or problem
report upstream (If I missed one, please point me to it).

Additionally we have real reports from people affected after a Cisco
ASA update, where this patch in the MR would fix their problem.

Why should those users all build their own packages from an upstream
branch in development or use packages from a build service outside of
Debian (building patches from head)? Should then the package not be
shipped in Debian if we are not willing to support it and try to fix
reported bugs?

I would like to see this on top of #1119300 fixed in trixie (at
least), but for that the fix needs to go first into unstable.

So far we have not heard back from Mike Miller either.

How can we move forward? Maybe someone is willing to peer review the
proposed changes?

Regards,
Salvatore