Version in base suite: 9.12-3 Base version: openconnect_9.12-3 Target version: openconnect_9.12-3+deb13u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/o/openconnect/openconnect_9.12-3.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/o/openconnect/openconnect_9.12-3+deb13u2.dsc changelog | 21 + copyright | 2 gbp.conf | 1 patches/Use-RFC9266-tls-exporter-channel-bindings-for-Cisco-.patch | 110 ++++++++++ patches/dont-default-form-action.patch | 46 ++++ patches/series | 3 patches/use-the-unsigned-printf-qualifier-for-size_t-fixes-M.patch | 27 ++ 7 files changed, 209 insertions(+), 1 deletion(-) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp5o09blyh/openconnect_9.12-3.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp5o09blyh/openconnect_9.12-3+deb13u2.dsc: no acceptable signature found
diff -Nru openconnect-9.12/debian/changelog openconnect-9.12/debian/changelog
--- openconnect-9.12/debian/changelog 2024-08-04 12:24:52.000000000 +0000
+++ openconnect-9.12/debian/changelog 2026-01-02 09:12:05.000000000 +0000
@@ -1,3 +1,24 @@
+openconnect (9.12-3+deb13u2) trixie; urgency=medium
+
+ * Non-maintainer upload.
+ * use the unsigned printf qualifier for size_t : fixes MinGW{32,64} build
+ * Use RFC9266 'tls-exporter' channel bindings for Cisco STRAP with TLSv1.3
+ (Closes: #1099497)
+
+ -- Salvatore Bonaccorso Fri, 02 Jan 2026 10:12:05 +0100
+
+openconnect (9.12-3+deb13u1) trixie; urgency=medium
+
+ * Non-maintainer upload.
+ [ Luca Boccassi ]
+ * d/copyright: update Upstream-Contact to mailing list
+
+ [ Lee Garrett ]
+ * Patch: Respect path in AnyConnect/OpenConnect XML form handling (Closes: #1119239)
+ * Update debian/gbp.conf to match debian/trixie branch
+
+ -- Lee Garrett Tue, 28 Oct 2025 21:47:04 +0100
+
 openconnect (9.12-3) unstable; urgency=medium
 
 * Disable autopkgtest and remove test build dependencies (Closes:
diff -Nru openconnect-9.12/debian/copyright openconnect-9.12/debian/copyright
--- openconnect-9.12/debian/copyright 2024-03-28 11:59:35.000000000 +0000
+++ openconnect-9.12/debian/copyright 2025-11-17 11:49:36.000000000 +0000
@@ -1,6 +1,6 @@
 Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Upstream-Name: OpenConnect
-Upstream-Contact: David Woodhouse
+Upstream-Contact: openconnect-devel@lists.infradead.org
 Source: ftp://ftp.infradead.org/pub/openconnect/
 
 Files: *
diff -Nru openconnect-9.12/debian/gbp.conf openconnect-9.12/debian/gbp.conf
--- openconnect-9.12/debian/gbp.conf 2024-03-28 11:59:35.000000000 +0000
+++ openconnect-9.12/debian/gbp.conf 2026-01-02 09:10:21.000000000 +0000
@@ -1,4 +1,5 @@ [DEFAULT] +debian-branch = debian/trixie pristine-tar = True sign-tags = True diff -Nru openconnect-9.12/debian/patches/Use-RFC9266-tls-exporter-channel-bindings-for-Cisco-.patch openconnect-9.12/debian/patches/Use-RFC9266-tls-exporter-channel-bindings-for-Cisco-.patch --- openconnect-9.12/debian/patches/Use-RFC9266-tls-exporter-channel-bindings-for-Cisco-.patch 1970-01-01 00:00:00.000000000 +0000 +++ openconnect-9.12/debian/patches/Use-RFC9266-tls-exporter-channel-bindings-for-Cisco-.patch 2026-01-02 09:11:49.000000000 +0000 
@@ -0,0 +1,110 @@ +From: David Woodhouse +Date: Fri, 15 Nov 2024 15:46:05 +0000 +Subject: Use RFC9266 'tls-exporter' channel bindings for Cisco STRAP with + TLSv1.3 +Origin: https://gitlab.com/openconnect/openconnect/-/commit/94e0b16c011b7b88708b8a8505fac6bfbe2e3cca +Bug-Debian: https://bugs.debian.org/1099497 +Bug: https://gitlab.com/openconnect/openconnect/-/issues/659 + +Fixes #659 + +Signed-off-by: David Woodhouse +--- + gnutls.c | 20 +++++++++++++++++++- + openconnect-internal.h | 5 +++++ + openssl.c | 30 +++++++++++++++++++++++------- + www/changelog.xml | 1 + + 4 files changed, 48 insertions(+), 8 deletions(-) + +diff --git a/gnutls.c b/gnutls.c +index 9fc010b984b7..6c2e3aec29c1 100644 +--- a/gnutls.c ++++ b/gnutls.c +@@ -3176,7 +3176,25 @@ void append_strap_verify(struct openconnect_info *vpninfo, + + /* Concatenate our Finished message with our pubkey to be signed */ + struct oc_text_buf *nonce = buf_alloc(); +- buf_append_bytes(nonce, vpninfo->finished, vpninfo->finished_len); ++ if (gnutls_protocol_get_version(vpninfo->https_sess) <= GNUTLS_TLS1_2) { ++ /* For TLSv1.2 and earlier, use RFC5929 'tls-unique' channel binding */ ++ buf_append_bytes(nonce, vpninfo->finished, vpninfo->finished_len); ++ } else { ++ /* For TLSv1.3 use RFC9266 'tls-exporter' channel binding */ ++ char channel_binding_buf[TLS_EXPORTER_KEY_SIZE]; ++ err = gnutls_prf(vpninfo->https_sess, TLS_EXPORTER_LABEL_SIZE, TLS_EXPORTER_LABEL, ++ 0, 0, 0, TLS_EXPORTER_KEY_SIZE, channel_binding_buf); ++ if (err) { ++ vpn_progress(vpninfo, PRG_ERR, ++ _("Failed to generate channel bindings for STRAP key: %s\n"), ++ gnutls_strerror(err)); ++ if (!buf_error(buf)) ++ buf->error = -EIO; ++ buf_free(nonce); ++ return; ++ } ++ buf_append_bytes(nonce, channel_binding_buf, TLS_EXPORTER_KEY_SIZE); ++ } + + if (rekey) { + /* We have a copy and we don't want it freed just yet */ +diff --git a/openconnect-internal.h b/openconnect-internal.h +index 5abfe98d79c5..600b43b31ec8 100644 +--- 
a/openconnect-internal.h ++++ b/openconnect-internal.h +@@ -1060,6 +1060,11 @@ static inline void __monitor_fd_new(struct openconnect_info *vpninfo, + #define PSK_LABEL_SIZE (sizeof(PSK_LABEL) - 1) + #define PSK_KEY_SIZE 32 + ++/* Key material for RFC9266 tls-exporter channel binding */ ++#define TLS_EXPORTER_LABEL "EXPORTER-Channel-Binding" ++#define TLS_EXPORTER_LABEL_SIZE (sizeof(TLS_EXPORTER_LABEL) - 1) ++#define TLS_EXPORTER_KEY_SIZE 32 ++ + /* Packet types */ + + #define AC_PKT_DATA 0 /* Uncompressed data */ +diff --git a/openssl.c b/openssl.c +index 3f204d0f19af..b354cf7466e6 100644 +--- a/openssl.c ++++ b/openssl.c +@@ -2518,14 +2518,30 @@ void append_strap_verify(struct openconnect_info *vpninfo, + struct oc_text_buf *buf, int rekey) + { + unsigned char finished[64]; +- size_t flen = SSL_get_finished(vpninfo->https_ssl, finished, sizeof(finished)); ++ size_t flen; + +- if (flen > sizeof(finished)) { +- vpn_progress(vpninfo, PRG_ERR, +- _("SSL Finished message too large (%zu bytes)\n"), flen); +- if (!buf_error(buf)) +- buf->error = -EIO; +- return; ++ if (SSL_SESSION_get_protocol_version(SSL_get_session(vpninfo->https_ssl)) <= TLS1_2_VERSION) { ++ /* For TLSv1.2 and earlier, use RFC5929 'tls-unique' channel binding */ ++ flen = SSL_get_finished(vpninfo->https_ssl, finished, sizeof(finished)); ++ if (flen > sizeof(finished)) { ++ vpn_progress(vpninfo, PRG_ERR, ++ _("SSL Finished message too large (%zu bytes)\n"), flen); ++ if (!buf_error(buf)) ++ buf->error = -EIO; ++ return; ++ } ++ } else { ++ /* For TLSv1.3 use RFC9266 'tls-exporter' channel binding */ ++ if (!SSL_export_keying_material(vpninfo->https_ssl, ++ finished, TLS_EXPORTER_KEY_SIZE, ++ TLS_EXPORTER_LABEL, TLS_EXPORTER_LABEL_SIZE, ++ NULL, 0, 0)) { ++ vpn_progress(vpninfo, PRG_ERR, ++ _("Failed to generate channel bindings for STRAP key\n")); ++ openconnect_report_ssl_errors(vpninfo); ++ return; ++ } ++ flen = TLS_EXPORTER_KEY_SIZE; + } + + /* If we're rekeying, we need to sign the Verify header 
with the *old* key. */ +-- +2.51.0 + diff -Nru openconnect-9.12/debian/patches/dont-default-form-action.patch openconnect-9.12/debian/patches/dont-default-form-action.patch --- openconnect-9.12/debian/patches/dont-default-form-action.patch 1970-01-01 00:00:00.000000000 +0000 +++ openconnect-9.12/debian/patches/dont-default-form-action.patch 2025-11-17 11:49:36.000000000 +0000 @@ -0,0 +1,46 @@ +Description: Fix URI patch on subsequent requests + Use the full URI (including "usergroup" or path) as specified in --server for + all requests during authentication instead of only the first one +Author: Stefan Bühler +Origin: upstream, https://gitlab.com/openconnect/openconnect/-/merge_requests/560 +Bug: https://gitlab.com/openconnect/openconnect/-/issues/737 +Reviewed-by: Lee Garrett +Last-Update: 2025-10-28 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +diff --git a/auth.c b/auth.c +index 317fc21..e245b48 100644 +--- a/auth.c ++++ b/auth.c +@@ -455,13 +455,15 @@ static int parse_auth_node(struct openconnect_info *vpninfo, xmlNode *xml_node, + + /* defaults for new XML POST */ + form->method = strdup("POST"); +- form->action = strdup("/"); + + xmlnode_get_prop(xml_node, "method", &form->method); + xmlnode_get_prop(xml_node, "action", &form->action); + +- if (!form->method || !form->action || +- strcasecmp(form->method, "POST") || !form->action[0]) { ++ /* - expect unset action (reuse current URL) or non-empty action="..." ++ * - expect unset method (defaults to "POST") or explicit method="POST" ++ */ ++ if ((form->action && !form->action[0]) || ++ !form->method || strcasecmp(form->method, "POST")) { + vpn_progress(vpninfo, PRG_ERR, + _("Cannot handle form method='%s', action='%s'\n"), + form->method, form->action); +diff --git a/www/changelog.xml b/www/changelog.xml +index 49a50b3..1ba207f 100644 +--- a/www/changelog.xml ++++ b/www/changelog.xml +@@ -15,7 +15,7 @@ +
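Review bot: In the openssl.c part of the added patch, the TLS 1.3 branch returns after `SSL_export_keying_material()` fails without flagging the output buffer, whereas the TLS ≤1.2 branch directly above it and the gnutls.c counterpart both do `if (!buf_error(buf)) buf->error = -EIO;` before their `return;`. A caller that relies on `buf_error(buf)` would therefore treat a STRAP-Verify header whose channel-binding signature was never appended as complete; adding the same two lines before the `return;` in the exporter branch keeps the two error paths consistent. Separately, `SSL_SESSION_get_protocol_version(SSL_get_session(vpninfo->https_ssl))` dereferences whatever `SSL_get_session()` returns; if a NULL session is possible at this point, `SSL_version(vpninfo->https_ssl)` yields the negotiated version without the indirection. `append_strap_verify()` continues past the end of the inner hunks in both gnutls.c and openssl.c, so the rest of its error handling is not visible here.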
    +
  • OpenConnect HEAD +
      +-
    • No changelog entries yet
    • ++
    • Use the full URI (including "usergroup" or path) as specified in --server for all requests during authentication instead of only the first one (!560).
    • +

    +
  • +
• OpenConnect v9.12
diff -Nru openconnect-9.12/debian/patches/series openconnect-9.12/debian/patches/series
--- openconnect-9.12/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ openconnect-9.12/debian/patches/series 2026-01-02 09:11:49.000000000 +0000
@@ -0,0 +1,3 @@
+dont-default-form-action.patch
+use-the-unsigned-printf-qualifier-for-size_t-fixes-M.patch
+Use-RFC9266-tls-exporter-channel-bindings-for-Cisco-.patch
diff -Nru openconnect-9.12/debian/patches/use-the-unsigned-printf-qualifier-for-size_t-fixes-M.patch openconnect-9.12/debian/patches/use-the-unsigned-printf-qualifier-for-size_t-fixes-M.patch
--- openconnect-9.12/debian/patches/use-the-unsigned-printf-qualifier-for-size_t-fixes-M.patch 1970-01-01 00:00:00.000000000 +0000
+++ openconnect-9.12/debian/patches/use-the-unsigned-printf-qualifier-for-size_t-fixes-M.patch 2026-01-02 09:10:42.000000000 +0000
@@ -0,0 +1,27 @@
+From: Timothee 'TTimo' Besset
+Date: Sun, 26 Nov 2023 10:13:05 -0600
+Subject: use the unsigned printf qualifier for size_t : fixes MinGW{32,64}
+ build
+Origin: https://gitlab.com/openconnect/openconnect/-/commit/958a59aed57df84a8ff0c86e1d0c6a4542edf5b2
+
+Signed-off-by: Timothee Besset
+---
+ openssl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/openssl.c b/openssl.c
+index f8e0b1e9dd7b..dd4d761d971a 100644
+--- a/openssl.c
++++ b/openssl.c
+@@ -2522,7 +2522,7 @@ void append_strap_verify(struct openconnect_info *vpninfo,
+ 
+ if (flen > sizeof(finished)) {
+ vpn_progress(vpninfo, PRG_ERR,
+- _("SSL Finished message too large (%zd bytes)\n"), flen);
++ _("SSL Finished message too large (%zu bytes)\n"), flen);
+ if (!buf_error(buf))
+ buf->error = -EIO;
+ return;
+--
+2.51.0
+
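Review bot: With the `form->action = strdup("/")` default removed in auth.c, `form->action` is legitimately NULL whenever the server's XML carries no action attribute, yet the rejection path a few lines below still passes it to `vpn_progress(... action='%s' ...)` whenever the method check fails, and a NULL argument for `%s` is undefined behaviour even though glibc happens to print "(null)". Passing `form->action ? form->action : "(unset)"` (and likewise for `form->method`, which had the same exposure before this change) keeps the diagnostic well-defined on server-controlled input. The new comment promises that an unset action means "reuse current URL", so every consumer of `form->action` after `parse_auth_node()` must now tolerate NULL; those call sites are outside the hunk and are worth confirming. `parse_auth_node()` starts before the inner hunk and continues after it.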