[Bug 1969734] [NEW] [Jammy] NetworkManager-openconnect 1.2.6 not compatible with openconnect 8.20

Launchpad Bug Tracker 1969734 at bugs.launchpad.net
Fri Sep 1 18:33:55 UTC 2023 

You have been subscribed to a public bug by Luís Infante da Câmara (luis220413):

This bug only affects the specific combination of network-manager-
openconnect and openconnect that ended up in Jammy.

openconnect 8.20 breaks compatibility with NetworkManager-openconnect
8.20:

"As of openconnect 8.20, INTERNAL_IPx_NETMASK can be set to 0.0.0.0 and
/0 and this causes network manager to fail with a bad IP configuration.
This happens because 0.0.0.0/0 is set as a split route, but rewritten to
be used as netmask instead.
If we detect this we force a /32 or /128 (IPv6) netmask prefix and avoid
setting the CONFIG_NEVER_DEFAULT options."

This commit was reverted because the upstream devs intention is to
always be backwards compatible. Later the feature was implemented again
in another way.

So the best way forward for Jammy is to revert the openconnect commit.

Working on making an SRU from this...

[Impact]
Users with a common GlobalProtect serverside configuration will not be able to connect.

This is caused by an backwards incompatible change in openconnect
between openconnect and network-manager-openconnect, that adds the
ability for NetworkManager to override the server-provided configuration
for split VPN.

The debdiff fixes it by reverting this change.

[Test Plan]
A GlobalProtect server is needed to test it, so perhaps we can collect reports from affected users.

This follows upstream fixes only.

[Where problems could occur]
Other packages in the Ubuntu archive can depend on the feature, potentially causing regressions, or have other regressions due to the change. However, this is extremely unlikely as the feature was introduced in the Ubuntu archive on 21 February 2022, that is only 3 days before Debian Import Freeze for Ubuntu 22.04 (24 February 2022).

It is also possible that third-party software (outside of the Ubuntu
archive) depends on the feature. However, the feature only affects
GlobalProtect VPNs with the common server-side configuration mentioned
above, where NetworkManager-openconnect is unusable due to the feature,
and was reverted shortly thereafter in release 9.01, released on 29
April. Therefore, it is unlikely that such software is using the
feature, even if the software in question is a workaround for this bug.

[Other Info]
There is no Debian release with this combination of versions so we can't import the fix from there.

** Affects: network-manager-openconnect
     Importance: Unknown
         Status: Fix Released

** Affects: network-manager-openconnect (Ubuntu)
     Importance: High
         Status: Fix Released

** Affects: openconnect (Ubuntu)
     Importance: Undecided
         Status: Fix Released

** Affects: network-manager-openconnect (Ubuntu Jammy)
     Importance: Undecided
         Status: Confirmed

** Affects: openconnect (Ubuntu Jammy)
     Importance: Undecided
         Status: Confirmed

** Affects: fedora
     Importance: High
         Status: Won't Fix


** Tags: jammy patch
-- 
[Jammy] NetworkManager-openconnect 1.2.6 not compatible with openconnect 8.20
https://bugs.launchpad.net/bugs/1969734
You received this bug notification because you are a member of Ubuntu Sponsors, which is subscribed to the bug report.

More information about the Ubuntu-sponsors mailing list