Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openconnect for openSUSE:Factory checked in at 2026-06-23 17:35:28 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/openconnect (Old) and /work/SRC/openSUSE:Factory/.openconnect.new.1956 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openconnect" Tue Jun 23 17:35:28 2026 rev:45 rq:1360706 version:9.21 Changes: -------- --- /work/SRC/openSUSE:Factory/openconnect/openconnect.changes 2024-03-22 15:28:31.102362089 +0100 +++ /work/SRC/openSUSE:Factory/.openconnect.new.1956/openconnect.changes 2026-06-23 17:35:46.143618830 +0200 @@ -1,0 +2,26 @@ +Fri Jun 19 09:27:41 UTC 2026 - Andrea Manzini <[email protected]> + +- Update to release 9.21: + * Fix infinite loop in buf_append() when output exactly fills available buffer space + * Accept base32 token secrets without trailing = padding + * Fix crash on NULL passphrase from TPM2 auth dialog + * Fix use of free_pass() on binary oath_secret. + * Fix COPR builds for Amazon Linux 2023, EPEL 7/10, and MinGW. + * Fix compiler warnings in fortinet.c, tun-win32.c, and compat.c. + * Support both old and new pyOpenSSL API in test infrastructure. + +- Update to release 9.20: + * Fix Cisco AnyConnect STRAP channel bindings with TLSv1.3 + * Change default user-agent string to be compatible with newer Cisco servers + * Support JavaScript redirects from Fortinet 7.4.x. + * Fix GlobalProtect config-parsing bug that misidentified IPv6 + * split-include routes as split-exclude. + * Handle Pulse configuration packets up to 1 MiB + * fix short reads during packet reassembly + * Support otpauth:// URI format for HOTP/TOTP token secrets + * honour non-default TOTP periods from PSKC or otpauth:// + * Fix Cisco DTLS MTU detection + * Handle additional oNCP framing variations + + +------------------------------------------------------------------- Old: ---- openconnect-9.12.tar.gz openconnect-9.12.tar.gz.sig New: ---- openconnect-9.21.tar.gz openconnect-9.21.tar.gz.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openconnect.spec ++++++ --- /var/tmp/diff_new_pack.z9d9Vw/_old 2026-06-23 17:35:48.259692565 +0200 +++ /var/tmp/diff_new_pack.z9d9Vw/_new 2026-06-23 17:35:48.275693122 +0200 @@ -1,7 +1,7 @@ # # spec file for package openconnect # -# Copyright (c) 2024 SUSE LLC +# Copyright (c) 2026 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -18,7 +18,7 @@ %define libname libopenconnect5 Name: openconnect -Version: 9.12 +Version: 9.21 Release: 0 Summary: Client for Cisco AnyConnect VPN License: LGPL-2.1-or-later ++++++ openconnect-9.12.tar.gz -> openconnect-9.21.tar.gz ++++++ ++++ 281533 lines of diff (skipped) ++++++ vpnc-script ++++++ --- /var/tmp/diff_new_pack.z9d9Vw/_old 2026-06-23 17:35:50.291763373 +0200 +++ /var/tmp/diff_new_pack.z9d9Vw/_new 2026-06-23 17:35:50.311764070 +0200 @@ -2,7 +2,7 @@ # # Originally part of vpnc source code: # © 2005-2012 Maurice Massar, Jörg Mayer, Antonio Borneo et al. -# © 2009-2012 David Woodhouse <[email protected]> +# © 2009-2022 David Woodhouse <[email protected]>, Daniel Lenski <[email protected]> et al. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -26,6 +26,7 @@ #* VPNPID -- PID of the process controlling the VPN (OpenConnect v9.0+) #* TUNDEV -- tunnel device (always present) #* IDLE_TIMEOUT -- gateway's idle timeout in seconds (OpenConnect v8.06+); unused +#* LOG_LEVEL -- log level; ERROR=0, INFO=1, DEBUG=2, TRACE=3 (OpenConnect v9.0+) #* INTERNAL_IP4_ADDRESS -- address (always present) #* INTERNAL_IP4_MTU -- MTU (often unset) #* INTERNAL_IP4_NETMASK -- netmask (often unset) @@ -96,7 +97,7 @@ # OpenConnect v9.0+ provides VPNPID, so we don't need to determine it. if [ -z "$VPNPID" ]; then VPNPID=$PPID - PCMD=`ps -c -o cmd= -p $PPID` + PCMD=`ps -c -o args= -p $PPID` case "$PCMD" in *sh) VPNPID=`ps -o ppid= -p $PPID` ;; esac @@ -154,23 +155,44 @@ ifconfig_syntax_ptpv6="" fi -grep '^hosts' /etc/nsswitch.conf 2>/dev/null|grep resolve >/dev/null 2>&1 && command systemd-resolve --status >/dev/null 2>&1 -if [ $? = 0 ];then - RESOLVEDENABLED=1 -else - RESOLVEDENABLED=0 -fi +detect_resolved_nss_resolve() { + # Detect usage of systemd-resolved via nss-resolve + # https://www.freedesktop.org/software/systemd/man/nss-resolve.html + grep '^hosts' /etc/nsswitch.conf 2>/dev/null | grep resolve >/dev/null 2>&1 +} + +detect_resolved_nss_dns() { + # Detect usage of systemd-resolved via nss-dns + # https://www.freedesktop.org/software/systemd/man/systemd-resolved.service.html + grep '^hosts' /etc/nsswitch.conf 2>/dev/null | grep dns >/dev/null 2>&1 && readlink /etc/resolv.conf | grep -e '/run/systemd/resolve/stub-resolv.conf$' -e '/usr/lib/systemd/resolv.conf$' -e '/run/systemd/resolve/resolv.conf$' >/dev/null 2>&1 +} + +detect_resolved_etc_files() { + detect_resolved_nss_resolve || detect_resolved_nss_dns +} + +detect_resolved_manager() { + # For systemd-resolved (version 239 and above) + detect_resolved_etc_files && /usr/bin/resolvectl status >/dev/null 2>&1 +} + +detect_resolved_manager_old() { + # For systemd-resolved (version 229 and above) + local dest + dest='org.freedesktop.resolve1' + detect_resolved_etc_files && /usr/bin/busctl status "$dest" >/dev/null 2>&1 +} if [ -r /etc/openwrt_release ] && [ -n "$OPENWRT_INTERFACE" ]; then . /etc/functions.sh include /lib/network MODIFYRESOLVCONF=modify_resolvconf_openwrt RESTORERESOLVCONF=restore_resolvconf_openwrt -elif [ -x /usr/bin/resolvectl ] && [ ${RESOLVEDENABLED} = 1 ]; then +elif [ -x /usr/bin/resolvectl ] && detect_resolved_manager; then # For systemd-resolved (version 239 and above) MODIFYRESOLVCONF=modify_resolved_manager RESTORERESOLVCONF=restore_resolved_manager -elif [ -x /usr/bin/busctl ] && [ ${RESOLVEDENABLED} = 1 ]; then +elif [ -x /usr/bin/busctl ] && detect_resolved_manager_old; then # For systemd-resolved (version 229 and above) MODIFYRESOLVCONF=modify_resolved_manager_old RESTORERESOLVCONF=restore_resolved_manager_old @@ -240,7 +262,7 @@ fi if [ -n "$INTERNAL_IP4_NETMASK" ]; then - set_network_route "$INTERNAL_IP4_NETADDR" "$INTERNAL_IP4_NETMASK" "$INTERNAL_IP4_NETMASKLEN" "$TUNDEV" + set_ipv4_network_route "$INTERNAL_IP4_NETADDR" "$INTERNAL_IP4_NETMASK" "$INTERNAL_IP4_NETMASKLEN" "$TUNDEV" fi # If the netmask is provided, it contains the address _and_ netmask @@ -292,21 +314,26 @@ # after dead-peer detection, but no change in the underlying network devices). $IPROUTE $FAMILY route add `echo "$VPNGATEWAY $LINE" | fix_ip_get_output` 2>/dev/null done - $IPROUTE $FAMILY route flush cache 2>/dev/null + if [ $FAMILY != -4 ]; then + $IPROUTE $FAMILY route flush cache 2>/dev/null + fi } del_vpngateway_route() { + echo "$VPNGATEWAY" | grep -q : && FAMILY=-6 || FAMILY=-4 + $IPROUTE route $route_syntax_del "$VPNGATEWAY" - $IPROUTE route flush cache 2>/dev/null + if [ $FAMILY != -4 ]; then + $IPROUTE $FAMILY route flush cache 2>/dev/null + fi } - set_default_route() { + set_ipv4_default_route() { $IPROUTE route | grep '^default' | fix_ip_get_output > "$DEFAULT_ROUTE_FILE" $IPROUTE route replace default dev "$TUNDEV" - $IPROUTE route flush cache 2>/dev/null } - set_network_route() { + set_ipv4_network_route() { NETWORK="$1" NETMASK="$2" NETMASKLEN="$3" @@ -317,50 +344,42 @@ else $IPROUTE route replace "$NETWORK/$NETMASKLEN" dev "$NETDEV" fi - $IPROUTE route flush cache 2>/dev/null } - set_exclude_route() { + set_ipv4_exclude_route() { # add explicit route to keep current routing for this target # (keep traffic separate from VPN tunnel) NETWORK="$1" NETMASK="$2" NETMASKLEN="$3" - - echo "$1" | grep -q : && FAMILY=-6 || FAMILY=-4 - list_non_loopback_routes "$NETWORK/$NETMASKLEN" | while read LINE ; do - $IPROUTE $FAMILY route add `echo "$NETWORK/$NETMASKLEN $LINE" | fix_ip_get_output` 2>/dev/null + $IPROUTE route add `echo "$NETWORK/$NETMASKLEN $LINE" | fix_ip_get_output` 2>/dev/null done - $IPROUTE $FAMILY route flush cache 2>/dev/null } - del_exclude_route() { + del_ipv4_exclude_route() { # FIXME: In theory, this could delete existing routes which are # identical to split-exclude routes specified by VPNGATEWAY NETWORK="$1" NETMASK="$2" NETMASKLEN="$3" $IPROUTE route $route_syntax_del "$NETWORK/$NETMASKLEN" - $IPROUTE route flush cache 2>/dev/null } - reset_default_route() { + reset_ipv4_default_route() { if [ -s "$DEFAULT_ROUTE_FILE" ]; then $IPROUTE route replace `cat "$DEFAULT_ROUTE_FILE"` - $IPROUTE route flush cache 2>/dev/null rm -f -- "$DEFAULT_ROUTE_FILE" fi } - del_network_route() { + del_ipv4_network_route() { NETWORK="$1" NETMASK="$2" NETMASKLEN="$3" NETDEV="$4" $IPROUTE route $route_syntax_del "$NETWORK/$NETMASKLEN" dev "$NETDEV" - $IPROUTE route flush cache 2>/dev/null } set_ipv6_default_route() { @@ -385,7 +404,7 @@ set_ipv6_exclude_route() { NETWORK="$1" NETMASKLEN="$2" - set_exclude_route "$NETWORK" nomask "$NETMASKLEN" + set_ipv4_exclude_route "$NETWORK" nomask "$NETMASKLEN" } reset_ipv6_default_route() { @@ -416,7 +435,7 @@ # - remove lines containing IPv6 addresses (':') # - remove lines for link-local routes (https://superuser.com/a/1067742) # - remove lines containing $TUNDEV (we don't want loopback) - netstat -r -n | awk '/:/ { next; } /link#/ { next; } /[[:space:]]'"$TUNDEV"'([[:space:]]|$)/ { next; } /^(default|0\.0\.0\.0([[:space:]]|\/0))/ { print $2; exit; }' + netstat -r -n | awk '/:/ { next; } /link#/ { next; } /^(default|0\.0\.0\.0([[:space:]]|\/0))/ { print $2; exit; } /[[:space:]]'"$TUNDEV"'([[:space:]]|$)/ { next; }' } set_vpngateway_route() { @@ -436,14 +455,14 @@ esac } - set_default_route() { + set_ipv4_default_route() { DEFAULTGW="`get_default_gw`" echo "$DEFAULTGW" > "$DEFAULT_ROUTE_FILE" route $route_syntax_del default $route_syntax_gw "$DEFAULTGW" route add default $route_syntax_gw "$INTERNAL_IP4_ADDRESS" $route_syntax_interface } - set_network_route() { + set_ipv4_network_route() { NETWORK="$1" NETMASK="$2" NETMASKLEN="$3" @@ -455,7 +474,7 @@ route add -net "$NETWORK" $route_syntax_netmask "$NETMASK" $route_syntax_gw "$NETGW" $route_syntax_interface } - set_exclude_route() { + set_ipv4_exclude_route() { NETWORK="$1" NETMASK="$2" NETMASKLEN="$3" @@ -470,7 +489,7 @@ route add -net "$NETWORK" $route_syntax_netmask "$NETMASK" $route_syntax_gw "$DEFAULTGW" $route_syntax_interface } - del_exclude_route() { + del_ipv4_exclude_route() { # FIXME: This can delete existing routes in case they're # identical to split-exclude routes specified by VPNGATEWAY NETWORK="$1" @@ -479,15 +498,15 @@ route $route_syntax_del -net "$NETWORK" $route_syntax_netmask "$NETMASK" } - reset_default_route() { + reset_ipv4_default_route() { if [ -s "$DEFAULT_ROUTE_FILE" ]; then - route $route_syntax_del default $route_syntax_gw "`get_default_gw`" $route_syntax_interface + route $route_syntax_del default $route_syntax_gw `get_default_gw` $route_syntax_interface route add default $route_syntax_gw `cat "$DEFAULT_ROUTE_FILE"` rm -f -- "$DEFAULT_ROUTE_FILE" fi } - del_network_route() { + del_ipv4_network_route() { NETWORK="$1" NETMASK="$2" NETMASKLEN="$3" @@ -687,6 +706,10 @@ close EOF fi + # For newer MacOS versions it is needed to set DNS + ACTIVE_INTERFACE=`route -n get default | grep interface | awk '{print $2}'` + ACTIVE_NETWORK_SERVICE=`networksetup -listnetworkserviceorder | grep -B 1 "$ACTIVE_INTERFACE" | head -n 1 | awk '/\([0-9]+\)/{ print }'|cut -d " " -f2-` + networksetup -setdnsservers "$ACTIVE_NETWORK_SERVICE" $INTERNAL_IP4_DNS ;; esac fi @@ -716,17 +739,22 @@ # to list of used DNS servers if [ -n "$CISCO_SPLIT_INC" ]; then SERVICE=`echo "show State:/Network/Global/IPv4" | scutil | grep -oE '[a-fA-F0-9]{8}-([a-fA-F0-9]{4}-){3}[a-fA-F0-9]{12}'` - SERVICE_DNS=`echo "show State:/Network/Service/$SERVICE/DNS" | scutil | grep -oE '([0-9]{1,3}[\.]){3}[0-9]{1,3}' | xargs` - if [ X"$SERVICE_DNS" != X"$INTERNAL_IP4_DNS" ]; then + SERVICE_DNS=`echo "show State:/Network/Service/$SERVICE/DNS" | scutil | grep -oE '([0-9]{1,3}[\.]){3}[0-9]{1,3}'` + FILTERED_SERVICE_DNS=`echo "$SERVICE_DNS" | grep -Fv "$(echo $INTERNAL_IP4_DNS | tr ' ' '\n')" | xargs` + if [ -n "$FILTERED_SERVICE_DNS" ]; then scutil >/dev/null 2>&1 <<-EOF open get State:/Network/Service/$SERVICE/DNS - d.add ServerAddresses * ${SERVICE_DNS##$INTERNAL_IP4_DNS} + d.add ServerAddresses * ${FILTERED_SERVICE_DNS} set State:/Network/Service/$SERVICE/DNS close EOF fi fi + # For newer MacOS versions it is needed to unset DNS + ACTIVE_INTERFACE=`route -n get default | grep interface | awk '{print $2}'` + ACTIVE_NETWORK_SERVICE=`networksetup -listnetworkserviceorder | grep -B 1 "$ACTIVE_INTERFACE" | head -n 1 | awk '/\([0-9]+\)/{ print }'|cut -d " " -f2-` + networksetup -setdnsservers "$ACTIVE_NETWORK_SERVICE" Empty ;; esac fi @@ -780,6 +808,7 @@ restore_resolvconf_openwrt() { remove_dns $OPENWRT_INTERFACE } + # === resolv.conf handling via /sbin/resolvconf (Debian, Ubuntu, Gentoo)) ========= modify_resolvconf_manager() { @@ -799,6 +828,8 @@ /sbin/resolvconf -d $TUNDEV } +# === resolv.conf handling via systemd-resolved ========= + AF_INET=2 get_if_index() { @@ -811,7 +842,7 @@ local dest node dest=org.freedesktop.resolve1 node=/org/freedesktop/resolve1 - busctl call "$dest" "${node}" "${dest}.Manager" "$@" + /usr/bin/busctl call "$dest" "$node" "${dest}.Manager" "$@" } busctl_set_nameservers() { @@ -892,6 +923,11 @@ /usr/sbin/unbound-control forward_add +i ${CISCO_DEF_DOMAIN} ${INTERNAL_IP4_DNS} /usr/sbin/unbound-control flush_requestlist /usr/sbin/unbound-control flush_zone ${CISCO_DEF_DOMAIN} + # flush infra cache + for i in $INTERNAL_IP4_DNS ; do + /usr/sbin/unbound-control flush_infra "$i" + done + fi } @@ -903,7 +939,7 @@ fi } -# === resolv.conf handling via resolvd ========= +# === resolv.conf handling via resolvd (OpenBSD) ========= modify_resolvconf_resolvd() { /sbin/route nameserver $TUNDEV $INTERNAL_IP4_DNS $INTERNAL_IP6_DNS @@ -975,7 +1011,7 @@ eval NETMASKLEN="\${CISCO_SPLIT_EXC_${i}_MASKLEN}" case "$NETWORK" in 0.*|127.*|169.254.*) echo "ignoring non-forwardable exclude route $NETWORK/$NETMASKLEN" >&2 ;; - *) set_exclude_route "$NETWORK" "$NETMASK" "$NETMASKLEN" ;; + *) set_ipv4_exclude_route "$NETWORK" "$NETMASK" "$NETMASKLEN" ;; esac i=`expr $i + 1` done @@ -997,18 +1033,14 @@ eval NETMASK="\${CISCO_SPLIT_INC_${i}_MASK}" eval NETMASKLEN="\${CISCO_SPLIT_INC_${i}_MASKLEN}" if [ "$NETWORK" != "0.0.0.0" ]; then - set_network_route "$NETWORK" "$NETMASK" "$NETMASKLEN" "$TUNDEV" + set_ipv4_network_route "$NETWORK" "$NETMASK" "$NETMASKLEN" "$TUNDEV" else - set_default_route + set_ipv4_default_route fi i=`expr $i + 1` done - for i in $INTERNAL_IP4_DNS ; do - echo "$i" | grep : >/dev/null || \ - set_network_route "$i" "255.255.255.255" "32" "$TUNDEV" - done elif [ -n "$INTERNAL_IP4_ADDRESS" ]; then - set_default_route + set_ipv4_default_route fi if [ -n "$CISCO_IPV6_SPLIT_INC" ]; then i=0 @@ -1022,11 +1054,6 @@ fi i=`expr $i + 1` done - for i in $INTERNAL_IP4_DNS ; do - if echo "$i" | grep : >/dev/null; then - set_ipv6_network_route "$i" "128" "$TUNDEV" - fi - done elif [ -n "$INTERNAL_IP6_NETMASK" -o -n "$INTERNAL_IP6_ADDRESS" ]; then set_ipv6_default_route fi @@ -1046,17 +1073,14 @@ if [ "$NETWORK" != "0.0.0.0" ]; then # FIXME: This doesn't restore previously overwritten # routes. - del_network_route "$NETWORK" "$NETMASK" "$NETMASKLEN" "$TUNDEV" + del_ipv4_network_route "$NETWORK" "$NETMASK" "$NETMASKLEN" "$TUNDEV" else - reset_default_route + reset_ipv4_default_route fi i=`expr $i + 1` done - for i in $INTERNAL_IP4_DNS ; do - del_network_route "$i" "255.255.255.255" "32" "$TUNDEV" - done else - reset_default_route + reset_ipv4_default_route fi if [ -n "$CISCO_SPLIT_EXC" ]; then i=0 @@ -1066,7 +1090,7 @@ eval NETMASKLEN="\${CISCO_SPLIT_EXC_${i}_MASKLEN}" case "$NETWORK" in 0.*|127.*|169.254.*) ;; # ignoring non-forwardable exclude route - *) del_exclude_route "$NETWORK" "$NETMASK" "$NETMASKLEN" ;; + *) del_ipv4_exclude_route "$NETWORK" "$NETMASK" "$NETMASKLEN" ;; esac i=`expr $i + 1` done @@ -1093,9 +1117,6 @@ fi i=`expr $i + 1` done - for i in $INTERNAL_IP6_DNS ; do - del_ipv6_network_route "$i" "128" "$TUNDEV" - done elif [ -n "$INTERNAL_IP6_NETMASK" -o -n "$INTERNAL_IP6_ADDRESS" ]; then reset_ipv6_default_route fi
