On Sat, 4 Oct 2025 16:48:49 +0100, Barak A. Pearlmutter wrote:
> I'm of two minds about this.
>
> On the one hand, I'm a DD and tempted to do an NMU with this fix,
> since the package is largely useless without it. Everyone I know who
> uses openconnect just compiles and runs their own version due to this
> issue.
>
> On the other hand, upstream has not seen fit to do a release with this
> fix, and openconnect is a security-sensitive network-facing service,
> basically maxed out in terms of potential vulnerability. If upstream
> doesn't think this fix (plus others) warrants a new release yet,
> perhaps that's because they know what they're doing and there is an
> actual issue that needs to be addressed first?
As you said, everyone is custom compiling the package and running it. It has been 10 months since the fix landed. Even the issue page has a recommendation by a user to compile manually, and the maintainer has not discouraged it. In fact, the maintainer's domain hosts a link to an open-build-service build from the repo, which is also posted on the issue page.

So if there is an unfixed, undisclosed security issue present in the codebase for more than 10 months, and it is still not fixed while the suggestions to compile one's own packages and use them have not been discouraged, then that's a problem with the upstream process. But that is hopefully not the case.

Anyway, the package as it is is unusable, so it is best to update.

Thanks,
Siddh

