Hello,

Please find attached a diff on the packaging including upstream patch.

For the record, upstream patch is currently living in a non-merged branch and several hunks had to be applied manually against 9.12.


Adam.
diff -Nru openconnect-9.12/debian/changelog openconnect-9.12/debian/changelog
--- openconnect-9.12/debian/changelog   2026-01-06 13:23:13.000000000 +0100
+++ openconnect-9.12/debian/changelog   2026-07-05 14:43:33.000000000 +0200
@@ -1,3 +1,10 @@
+openconnect (9.12-3.4) unstable; urgency=medium
+
+  * Merge upstream 77e061a2 to support PaloAlto PAN-OS 11.1.13+
+   (Closes: #1141490).
+
+ -- Adam Cecile <[email protected]>  Sun, 05 Jul 2026 14:43:33 +0200
+
 openconnect (9.12-3.3) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru openconnect-9.12/debian/patches/series 
openconnect-9.12/debian/patches/series
--- openconnect-9.12/debian/patches/series      2026-01-06 13:21:48.000000000 
+0100
+++ openconnect-9.12/debian/patches/series      2026-07-05 14:43:33.000000000 
+0200
@@ -1,3 +1,4 @@
 dont-default-form-action.patch
 use-the-unsigned-printf-qualifier-for-size_t-fixes-M.patch
 Use-RFC9266-tls-exporter-channel-bindings-for-Cisco-.patch
+upstream-77e061a2-fixing-panos-cookie-tracking
diff -Nru 
openconnect-9.12/debian/patches/upstream-77e061a2-fixing-panos-cookie-tracking 
openconnect-9.12/debian/patches/upstream-77e061a2-fixing-panos-cookie-tracking
--- 
openconnect-9.12/debian/patches/upstream-77e061a2-fixing-panos-cookie-tracking  
    1970-01-01 01:00:00.000000000 +0100
+++ 
openconnect-9.12/debian/patches/upstream-77e061a2-fixing-panos-cookie-tracking  
    2026-07-05 14:43:33.000000000 +0200
@@ -0,0 +1,225 @@
+Description: globalprotect: Add --host-id option for portal cookie tracking
+ PAN-OS 11.1.13+ (patched for CVE-2026-0257) requires a host-id field
+ in the portal config request body before it will issue a
+ portal-userauthcookie. Without it, users must authenticate separately
+ to both portal and gateway.
+ .
+ Add openconnect_set_host_id() to the library API and --host-id to the
+ CLI. By default, auto-detect the machine identifier from:
+   - Windows: HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid
+   - macOS: IOPlatformUUID
+   - Linux/BSD: /etc/machine-id or /var/lib/dbus/machine-id
+ .
+ The value can be overridden with --host-id for testing or when the
+ auto-detection is not suitable.
+Author: David Woodhouse <[email protected]>
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout https://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: upstream, commit:77e061a2f15f32cdbacbc308f66f84a508569744
+Bug: https://gitlab.com/openconnect/openconnect/-/work_items/847
+Bug-Debian: https://bugs.debian.org/1141490
+Forwarded: not-needed
+Applied-Upstream: commit:77e061a2f15f32cdbacbc308f66f84a508569744
+Last-Update: 2026-07-05
+
+--- openconnect-9.12.orig/auth-globalprotect.c
++++ openconnect-9.12/auth-globalprotect.c
+@@ -688,6 +688,8 @@ static int gpst_login(struct openconnect
+               append_opt(request_body, "os-version", vpninfo->platname);
+               append_opt(request_body, "server", vpninfo->hostname);
+               append_opt(request_body, "computer", vpninfo->localname);
++              if (vpninfo->host_id)
++                      append_opt(request_body, "host-id", vpninfo->host_id);
+               if (ctx->portal_userauthcookie)
+                       append_opt(request_body, "portal-userauthcookie", 
ctx->portal_userauthcookie);
+               if (ctx->portal_prelogonuserauthcookie)
+--- openconnect-9.12.orig/libopenconnect.map.in
++++ openconnect-9.12/libopenconnect.map.in
+@@ -132,6 +132,11 @@ OPENCONNECT_5_9 {
+       openconnect_set_sni;
+ } OPENCONNECT_5_8;
+ 
++OPENCONNECT_5_10 {
++ global:
++      openconnect_set_host_id;
++} OPENCONNECT_5_9;
++
+ OPENCONNECT_PRIVATE {
+  global: @SYMVER_TIME@ @SYMVER_GETLINE@ @SYMVER_JAVA@ @SYMVER_ASPRINTF@ 
@SYMVER_VASPRINTF@ @SYMVER_WIN32_STRERROR@ @SYMVER_WIN32_SETENV@
+       openconnect_get_tls_library_version;
+--- openconnect-9.12.orig/library.c
++++ openconnect-9.12/library.c
+@@ -43,6 +43,61 @@
+ #include <stdlib.h>
+ #include <ctype.h>
+ 
++static char *openconnect_get_machine_id(void)
++{
++#ifdef _WIN32
++      /* Windows: HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid */
++      HKEY key;
++      char guid[64];
++      DWORD size = sizeof(guid);
++
++      if (RegOpenKeyExA(HKEY_LOCAL_MACHINE,
++                        "SOFTWARE\\Microsoft\\Cryptography",
++                        0, KEY_READ, &key) == ERROR_SUCCESS) {
++              if (RegQueryValueExA(key, "MachineGuid", NULL, NULL,
++                                   (LPBYTE)guid, &size) == ERROR_SUCCESS) {
++                      RegCloseKey(key);
++                      return strdup(guid);
++              }
++              RegCloseKey(key);
++      }
++#elif defined(__APPLE__)
++      /* macOS: IOPlatformUUID via ioreg, or fall through to /etc/machine-id 
*/
++      FILE *f = popen("ioreg -rd1 -c IOPlatformExpertDevice 2>/dev/null | "
++                      "awk -F'\"' '/IOPlatformUUID/{print $4}'", "r");
++      if (f) {
++              char buf[64] = {0};
++              if (fgets(buf, sizeof(buf), f) && buf[0]) {
++                      pclose(f);
++                      buf[strcspn(buf, "\n")] = 0;
++                      return strdup(buf);
++              }
++              pclose(f);
++      }
++#endif
++      /* Linux/BSD: /etc/machine-id or /var/lib/dbus/machine-id */
++      {
++              static const char *paths[] = {
++                      "/etc/machine-id",
++                      "/var/lib/dbus/machine-id",
++                      NULL
++              };
++              for (int i = 0; paths[i]; i++) {
++                      FILE *f = fopen(paths[i], "r");
++                      if (f) {
++                              char buf[64] = {0};
++                              if (fgets(buf, sizeof(buf), f) && buf[0]) {
++                                      fclose(f);
++                                      buf[strcspn(buf, "\n")] = 0;
++                                      return strdup(buf);
++                              }
++                              fclose(f);
++                      }
++              }
++      }
++      return NULL;
++}
++
+ struct openconnect_info *openconnect_vpninfo_new(const char *useragent,
+                                                
openconnect_validate_peer_cert_vfn validate_peer_cert,
+                                                
openconnect_write_new_config_vfn write_new_config,
+@@ -108,6 +163,8 @@ struct openconnect_info *openconnect_vpn
+       if (!vpninfo->localname || !vpninfo->useragent)
+               goto err;
+ 
++      vpninfo->host_id = openconnect_get_machine_id();
++
+ #ifdef ENABLE_NLS
+       bindtextdomain("openconnect", LOCALEDIR);
+ #endif
+@@ -743,6 +800,7 @@ void openconnect_vpninfo_free(struct ope
+       }
+ 
+       free(vpninfo->localname);
++      free(vpninfo->host_id);
+       free(vpninfo->useragent);
+       free(vpninfo->authgroup);
+ #ifdef HAVE_LIBSTOKEN
+@@ -976,6 +1034,12 @@ void openconnect_set_trojan_interval(str
+       vpninfo->trojan_interval = seconds;
+ }
+ 
++void openconnect_set_host_id(struct openconnect_info *vpninfo, const char 
*host_id)
++{
++      free(vpninfo->host_id);
++      vpninfo->host_id = host_id ? strdup(host_id) : NULL;
++}
++
+ int openconnect_get_idle_timeout(struct openconnect_info *vpninfo)
+ {
+       return vpninfo->idle_timeout;
+--- openconnect-9.12.orig/main.c
++++ openconnect-9.12/main.c
+@@ -185,6 +185,7 @@ enum {
+       OPT_FORCE_TROJAN,
+       OPT_GNUTLS_DEBUG,
+       OPT_JUNIPER,
++      OPT_HOST_ID,
+       OPT_KEY_PASSWORD_FROM_FSID,
+       OPT_LIBPROXY,
+       OPT_NO_CERT_CHECK,
+@@ -302,6 +303,7 @@ static const struct option long_options[
+       OPTION("no-cert-check", 0, OPT_NO_CERT_CHECK),
+       OPTION("force-dpd", 1, OPT_FORCE_DPD),
+       OPTION("force-trojan", 1, OPT_FORCE_TROJAN),
++      OPTION("host-id", 1, OPT_HOST_ID),
+       OPTION("non-inter", 0, OPT_NON_INTER),
+       OPTION("dtls-local-port", 1, OPT_DTLS_LOCAL_PORT),
+       OPTION("token-mode", 1, OPT_TOKEN_MODE),
+@@ -1028,6 +1030,7 @@ static void usage(void)
+       printf("      --no-dtls                   %s\n", _("Disable DTLS and 
ESP"));
+       printf("      --dtls-ciphers=LIST         %s\n", _("OpenSSL ciphers to 
support for DTLS"));
+       printf("  -Q, --queue-len=LEN             %s\n", _("Set packet queue 
limit to LEN pkts"));
++      printf("      --host-id=ID                %s\n", _("Set host identifier 
for cookie tracking"));
+ 
+       printf("\n%s:\n", _("Local system information"));
+       printf("      --useragent=STRING          %s\n", _("HTTP header 
User-Agent: field"));
+@@ -2123,6 +2126,9 @@ int main(int argc, char **argv)
+                       assert_nonnull_config_arg("force-trojan", config_arg);
+                       openconnect_set_trojan_interval(vpninfo, 
atoi(config_arg));
+                       break;
++              case OPT_HOST_ID:
++                      openconnect_set_host_id(vpninfo, config_arg);
++                      break;
+               case OPT_DTLS_LOCAL_PORT:
+                       assert_nonnull_config_arg("dtls-local-port", 
config_arg);
+                       vpninfo->dtls_local_port = atoi(config_arg);
+--- openconnect-9.12.orig/openconnect-internal.h
++++ openconnect-9.12/openconnect-internal.h
+@@ -526,6 +526,7 @@ struct openconnect_info {
+       time_t last_trojan;
+       int no_http_keepalive;
+       int dump_http_traffic;
++      char *host_id;
+ 
+       int token_mode;
+       int token_bypassed;
+--- openconnect-9.12.orig/openconnect.h
++++ openconnect-9.12/openconnect.h
+@@ -36,6 +36,9 @@ extern "C" {
+ #define OPENCONNECT_API_VERSION_MINOR 9
+ 
+ /*
++ * API version 5.10:
++ *  - Add openconnect_set_host_id()
++ *
+  * API version 5.9 (v9.12; 2023-05-20):
+  *  - Add openconnect_set_sni()
+  *
+@@ -652,6 +655,7 @@ const char *openconnect_get_ifname(struc
+ void openconnect_set_reqmtu(struct openconnect_info *, int reqmtu);
+ void openconnect_set_dpd(struct openconnect_info *, int min_seconds);
+ void openconnect_set_trojan_interval(struct openconnect_info *, int seconds);
++void openconnect_set_host_id(struct openconnect_info *, const char *host_id);
+ int openconnect_get_idle_timeout(struct openconnect_info *);
+ time_t openconnect_get_auth_expiration(struct openconnect_info *);
+ 
+--- openconnect-9.12.orig/www/changelog.xml
++++ openconnect-9.12/www/changelog.xml
+@@ -16,7 +16,8 @@
+    <li><b>OpenConnect HEAD</b>
+      <ul>
+        <li>Use the full URI (including "usergroup" or path) as specified in 
<tt>--server</tt> for all requests during authentication instead of only the 
first one (<a 
href="https://gitlab.com/openconnect/openconnect/-/merge_requests/560";>!560</a>).</li>
+-     </ul><br/>
++       <li>Add <tt>--host-id</tt> option and send host identifier in 
GlobalProtect portal requests (<a 
href="https://gitlab.com/openconnect/openconnect/-/issues/847";>#847</a>).</li>
++      </ul><br/>
+   </li>
+   <li><b><a 
href="https://www.infradead.org/openconnect/download/openconnect-9.12.tar.gz";>OpenConnect
 v9.12</a></b>
+      <i>(<a 
href="https://www.infradead.org/openconnect/download/openconnect-9.12.tar.gz.asc";>PGP
 signature</a>)</i> &#8212; 2023-05-20

Reply via email to