[Bug 1969734] Re: [Jammy] NetworkManager-openconnect 1.2.6 not compatible with openconnect 8.20

Tue Sep 5 14:23:45 UTC 2023

I see that the [Where problems could occur] section was updated with a regression analysis.
And I agree with comment #13 about the debdiff being reasonable.

So I'm sponsoring it into the Jammy queue again, so the SRU team can
have another look into it.

PS: I also ran the "update-maintainer" script on the source packge
before uploading. Unsubscribing ~ubuntu-sponsors.

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1969734

Title:
  [Jammy] NetworkManager-openconnect 1.2.6 not compatible with
  openconnect 8.20

Status in network-manager-openconnect:
  Fix Released
Status in network-manager-openconnect package in Ubuntu:
  Fix Released
Status in openconnect package in Ubuntu:
  Fix Released
Status in network-manager-openconnect source package in Jammy:
  Confirmed
Status in openconnect source package in Jammy:
  Confirmed
Status in Fedora:
  Won't Fix

Bug description:
  This bug only affects the specific combination of network-manager-
  openconnect and openconnect that ended up in Jammy.

  openconnect 8.20 breaks compatibility with NetworkManager-openconnect
  8.20:

  "As of openconnect 8.20, INTERNAL_IPx_NETMASK can be set to 0.0.0.0 and
  /0 and this causes network manager to fail with a bad IP configuration.
  This happens because 0.0.0.0/0 is set as a split route, but rewritten to
  be used as netmask instead.
  If we detect this we force a /32 or /128 (IPv6) netmask prefix and avoid
  setting the CONFIG_NEVER_DEFAULT options."

  This commit was reverted because the upstream devs intention is to
  always be backwards compatible. Later the feature was implemented
  again in another way.

  So the best way forward for Jammy is to revert the openconnect commit.

  Working on making an SRU from this...

  [Impact]
  Users with a common GlobalProtect serverside configuration will not be able to connect.

  This is caused by an backwards incompatible change in openconnect
  between openconnect and network-manager-openconnect, that adds the
  ability for NetworkManager to override the server-provided
  configuration for split VPN.

  The debdiff fixes it by reverting this change.

  [Test Plan]
  A GlobalProtect server is needed to test it, so perhaps we can collect reports from affected users.

  This follows upstream fixes only.

  [Where problems could occur]
  Other packages in the Ubuntu archive can depend on the feature, potentially causing regressions, or have other regressions due to the change. However, this is extremely unlikely as the feature was introduced in the Ubuntu archive on 21 February 2022, that is only 3 days before Debian Import Freeze for Ubuntu 22.04 (24 February 2022).

  It is also possible that third-party software (outside of the Ubuntu
  archive) depends on the feature. However, the feature only affects
  GlobalProtect VPNs with the common server-side configuration mentioned
  above, where NetworkManager-openconnect is unusable due to the
  feature, and was reverted shortly thereafter in release 9.01, released
  on 29 April. Therefore, it is unlikely that such software is using the
  feature, even if the software in question is a workaround for this
  bug.

  [Other Info]
  There is no Debian release with this combination of versions so we can't import the fix from there.

To manage notifications about this bug go to:
https://bugs.launchpad.net/network-manager-openconnect/+bug/1969734/+subscriptions