Hello,
Please find attached a diff on the packaging including upstream patch.
For the record, upstream patch is currently living in a non-merged
branch and several hunks had to be applied manually against 9.12.
Adam.
diff -Nru openconnect-9.12/debian/changelog openconnect-9.12/debian/changelog
--- openconnect-9.12/debian/changelog 2026-01-06 13:23:13.000000000 +0100
+++ openconnect-9.12/debian/changelog 2026-07-05 14:43:33.000000000 +0200
@@ -1,3 +1,10 @@
+openconnect (9.12-3.4) unstable; urgency=medium
+
+ * Merge upstream 77e061a2 to support PaloAlto PAN-OS 11.1.13+
+ (Closes: #1141490).
+
+ -- Adam Cecile <[email protected]> Sun, 05 Jul 2026 14:43:33 +0200
+
openconnect (9.12-3.3) unstable; urgency=medium
* Non-maintainer upload.
diff -Nru openconnect-9.12/debian/patches/series
openconnect-9.12/debian/patches/series
--- openconnect-9.12/debian/patches/series 2026-01-06 13:21:48.000000000
+0100
+++ openconnect-9.12/debian/patches/series 2026-07-05 14:43:33.000000000
+0200
@@ -1,3 +1,4 @@
dont-default-form-action.patch
use-the-unsigned-printf-qualifier-for-size_t-fixes-M.patch
Use-RFC9266-tls-exporter-channel-bindings-for-Cisco-.patch
+upstream-77e061a2-fixing-panos-cookie-tracking
diff -Nru
openconnect-9.12/debian/patches/upstream-77e061a2-fixing-panos-cookie-tracking
openconnect-9.12/debian/patches/upstream-77e061a2-fixing-panos-cookie-tracking
---
openconnect-9.12/debian/patches/upstream-77e061a2-fixing-panos-cookie-tracking
1970-01-01 01:00:00.000000000 +0100
+++
openconnect-9.12/debian/patches/upstream-77e061a2-fixing-panos-cookie-tracking
2026-07-05 14:43:33.000000000 +0200
@@ -0,0 +1,225 @@
+Description: globalprotect: Add --host-id option for portal cookie tracking
+ PAN-OS 11.1.13+ (patched for CVE-2026-0257) requires a host-id field
+ in the portal config request body before it will issue a
+ portal-userauthcookie. Without it, users must authenticate separately
+ to both portal and gateway.
+ .
+ Add openconnect_set_host_id() to the library API and --host-id to the
+ CLI. By default, auto-detect the machine identifier from:
+ - Windows: HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid
+ - macOS: IOPlatformUUID
+ - Linux/BSD: /etc/machine-id or /var/lib/dbus/machine-id
+ .
+ The value can be overridden with --host-id for testing or when the
+ auto-detection is not suitable.
+Author: David Woodhouse <[email protected]>
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout https://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: upstream, commit:77e061a2f15f32cdbacbc308f66f84a508569744
+Bug: https://gitlab.com/openconnect/openconnect/-/work_items/847
+Bug-Debian: https://bugs.debian.org/1141490
+Forwarded: not-needed
+Applied-Upstream: commit:77e061a2f15f32cdbacbc308f66f84a508569744
+Last-Update: 2026-07-05
+
+--- openconnect-9.12.orig/auth-globalprotect.c
++++ openconnect-9.12/auth-globalprotect.c
+@@ -688,6 +688,8 @@ static int gpst_login(struct openconnect
+ append_opt(request_body, "os-version", vpninfo->platname);
+ append_opt(request_body, "server", vpninfo->hostname);
+ append_opt(request_body, "computer", vpninfo->localname);
++ if (vpninfo->host_id)
++ append_opt(request_body, "host-id", vpninfo->host_id);
+ if (ctx->portal_userauthcookie)
+ append_opt(request_body, "portal-userauthcookie",
ctx->portal_userauthcookie);
+ if (ctx->portal_prelogonuserauthcookie)
+--- openconnect-9.12.orig/libopenconnect.map.in
++++ openconnect-9.12/libopenconnect.map.in
+@@ -132,6 +132,11 @@ OPENCONNECT_5_9 {
+ openconnect_set_sni;
+ } OPENCONNECT_5_8;
+
++OPENCONNECT_5_10 {
++ global:
++ openconnect_set_host_id;
++} OPENCONNECT_5_9;
++
+ OPENCONNECT_PRIVATE {
+ global: @SYMVER_TIME@ @SYMVER_GETLINE@ @SYMVER_JAVA@ @SYMVER_ASPRINTF@
@SYMVER_VASPRINTF@ @SYMVER_WIN32_STRERROR@ @SYMVER_WIN32_SETENV@
+ openconnect_get_tls_library_version;
+--- openconnect-9.12.orig/library.c
++++ openconnect-9.12/library.c
+@@ -43,6 +43,61 @@
+ #include <stdlib.h>
+ #include <ctype.h>
+
++static char *openconnect_get_machine_id(void)
++{
++#ifdef _WIN32
++ /* Windows: HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid */
++ HKEY key;
++ char guid[64];
++ DWORD size = sizeof(guid);
++
++ if (RegOpenKeyExA(HKEY_LOCAL_MACHINE,
++ "SOFTWARE\\Microsoft\\Cryptography",
++ 0, KEY_READ, &key) == ERROR_SUCCESS) {
++ if (RegQueryValueExA(key, "MachineGuid", NULL, NULL,
++ (LPBYTE)guid, &size) == ERROR_SUCCESS) {
++ RegCloseKey(key);
++ return strdup(guid);
++ }
++ RegCloseKey(key);
++ }
++#elif defined(__APPLE__)
++ /* macOS: IOPlatformUUID via ioreg, or fall through to /etc/machine-id
*/
++ FILE *f = popen("ioreg -rd1 -c IOPlatformExpertDevice 2>/dev/null | "
++ "awk -F'\"' '/IOPlatformUUID/{print $4}'", "r");
++ if (f) {
++ char buf[64] = {0};
++ if (fgets(buf, sizeof(buf), f) && buf[0]) {
++ pclose(f);
++ buf[strcspn(buf, "\n")] = 0;
++ return strdup(buf);
++ }
++ pclose(f);
++ }
++#endif
++ /* Linux/BSD: /etc/machine-id or /var/lib/dbus/machine-id */
++ {
++ static const char *paths[] = {
++ "/etc/machine-id",
++ "/var/lib/dbus/machine-id",
++ NULL
++ };
++ for (int i = 0; paths[i]; i++) {
++ FILE *f = fopen(paths[i], "r");
++ if (f) {
++ char buf[64] = {0};
++ if (fgets(buf, sizeof(buf), f) && buf[0]) {
++ fclose(f);
++ buf[strcspn(buf, "\n")] = 0;
++ return strdup(buf);
++ }
++ fclose(f);
++ }
++ }
++ }
++ return NULL;
++}
++
+ struct openconnect_info *openconnect_vpninfo_new(const char *useragent,
+
openconnect_validate_peer_cert_vfn validate_peer_cert,
+
openconnect_write_new_config_vfn write_new_config,
+@@ -108,6 +163,8 @@ struct openconnect_info *openconnect_vpn
+ if (!vpninfo->localname || !vpninfo->useragent)
+ goto err;
+
++ vpninfo->host_id = openconnect_get_machine_id();
++
+ #ifdef ENABLE_NLS
+ bindtextdomain("openconnect", LOCALEDIR);
+ #endif
+@@ -743,6 +800,7 @@ void openconnect_vpninfo_free(struct ope
+ }
+
+ free(vpninfo->localname);
++ free(vpninfo->host_id);
+ free(vpninfo->useragent);
+ free(vpninfo->authgroup);
+ #ifdef HAVE_LIBSTOKEN
+@@ -976,6 +1034,12 @@ void openconnect_set_trojan_interval(str
+ vpninfo->trojan_interval = seconds;
+ }
+
++void openconnect_set_host_id(struct openconnect_info *vpninfo, const char
*host_id)
++{
++ free(vpninfo->host_id);
++ vpninfo->host_id = host_id ? strdup(host_id) : NULL;
++}
++
+ int openconnect_get_idle_timeout(struct openconnect_info *vpninfo)
+ {
+ return vpninfo->idle_timeout;
+--- openconnect-9.12.orig/main.c
++++ openconnect-9.12/main.c
+@@ -185,6 +185,7 @@ enum {
+ OPT_FORCE_TROJAN,
+ OPT_GNUTLS_DEBUG,
+ OPT_JUNIPER,
++ OPT_HOST_ID,
+ OPT_KEY_PASSWORD_FROM_FSID,
+ OPT_LIBPROXY,
+ OPT_NO_CERT_CHECK,
+@@ -302,6 +303,7 @@ static const struct option long_options[
+ OPTION("no-cert-check", 0, OPT_NO_CERT_CHECK),
+ OPTION("force-dpd", 1, OPT_FORCE_DPD),
+ OPTION("force-trojan", 1, OPT_FORCE_TROJAN),
++ OPTION("host-id", 1, OPT_HOST_ID),
+ OPTION("non-inter", 0, OPT_NON_INTER),
+ OPTION("dtls-local-port", 1, OPT_DTLS_LOCAL_PORT),
+ OPTION("token-mode", 1, OPT_TOKEN_MODE),
+@@ -1028,6 +1030,7 @@ static void usage(void)
+ printf(" --no-dtls %s\n", _("Disable DTLS and
ESP"));
+ printf(" --dtls-ciphers=LIST %s\n", _("OpenSSL ciphers to
support for DTLS"));
+ printf(" -Q, --queue-len=LEN %s\n", _("Set packet queue
limit to LEN pkts"));
++ printf(" --host-id=ID %s\n", _("Set host identifier
for cookie tracking"));
+
+ printf("\n%s:\n", _("Local system information"));
+ printf(" --useragent=STRING %s\n", _("HTTP header
User-Agent: field"));
+@@ -2123,6 +2126,9 @@ int main(int argc, char **argv)
+ assert_nonnull_config_arg("force-trojan", config_arg);
+ openconnect_set_trojan_interval(vpninfo,
atoi(config_arg));
+ break;
++ case OPT_HOST_ID:
++ openconnect_set_host_id(vpninfo, config_arg);
++ break;
+ case OPT_DTLS_LOCAL_PORT:
+ assert_nonnull_config_arg("dtls-local-port",
config_arg);
+ vpninfo->dtls_local_port = atoi(config_arg);
+--- openconnect-9.12.orig/openconnect-internal.h
++++ openconnect-9.12/openconnect-internal.h
+@@ -526,6 +526,7 @@ struct openconnect_info {
+ time_t last_trojan;
+ int no_http_keepalive;
+ int dump_http_traffic;
++ char *host_id;
+
+ int token_mode;
+ int token_bypassed;
+--- openconnect-9.12.orig/openconnect.h
++++ openconnect-9.12/openconnect.h
+@@ -36,6 +36,9 @@ extern "C" {
+ #define OPENCONNECT_API_VERSION_MINOR 9
+
+ /*
++ * API version 5.10:
++ * - Add openconnect_set_host_id()
++ *
+ * API version 5.9 (v9.12; 2023-05-20):
+ * - Add openconnect_set_sni()
+ *
+@@ -652,6 +655,7 @@ const char *openconnect_get_ifname(struc
+ void openconnect_set_reqmtu(struct openconnect_info *, int reqmtu);
+ void openconnect_set_dpd(struct openconnect_info *, int min_seconds);
+ void openconnect_set_trojan_interval(struct openconnect_info *, int seconds);
++void openconnect_set_host_id(struct openconnect_info *, const char *host_id);
+ int openconnect_get_idle_timeout(struct openconnect_info *);
+ time_t openconnect_get_auth_expiration(struct openconnect_info *);
+
+--- openconnect-9.12.orig/www/changelog.xml
++++ openconnect-9.12/www/changelog.xml
+@@ -16,7 +16,8 @@
+ <li><b>OpenConnect HEAD</b>
+ <ul>
+ <li>Use the full URI (including "usergroup" or path) as specified in
<tt>--server</tt> for all requests during authentication instead of only the
first one (<a
href="https://gitlab.com/openconnect/openconnect/-/merge_requests/560">!560</a>).</li>
+- </ul><br/>
++ <li>Add <tt>--host-id</tt> option and send host identifier in
GlobalProtect portal requests (<a
href="https://gitlab.com/openconnect/openconnect/-/issues/847">#847</a>).</li>
++ </ul><br/>
+ </li>
+ <li><b><a
href="https://www.infradead.org/openconnect/download/openconnect-9.12.tar.gz">OpenConnect
v9.12</a></b>
+ <i>(<a
href="https://www.infradead.org/openconnect/download/openconnect-9.12.tar.gz.asc">PGP
signature</a>)</i> — 2023-05-20