Update Info

SUSE-SLE-Module-Packagehub-Subpackages-15-SP5-2024-317

Security update for openconnect

Type: security
Severity: moderate
Issued: 2024-02-02
Description:
This update for openconnect fixes the following issues:

- Update to release 9.12:

  * Explicitly reject overly long tun device names.
  * Increase maximum input size from stdin (#579).
  * Ignore 0.0.0.0 as NBNS address (!446, vpnc-scripts#58).
  * Fix stray (null) in URL path after Pulse authentication (4023bd95).
  * Fix config XML parsing mistake that left GlobalProtect ESP non-working in v9.10 (!475).
  * Fix case sensitivity in GPST header matching (!474).

- Update to release 9.10:

  * Fix external browser authentication with KDE plasma-nm < 5.26.
  * Always redirect stdout to stderr when spawning external browser.
  * Increase default queue length to 32 packets.
  * Fix receiving multiple packets in one TLS frame, and single packets split across multiple TLS frames, for Array.
  * Handle idiosyncratic variation in search domain separators for all protocols.
  * Support region selection field for Pulse authentication.
  * Support modified configuration packet from Pulse 9.1R16 servers.
  * Allow hidden form fields to be populated or converted to text fields on the command line.
  * Support yet another strange way of encoding challenge-based 2FA for GlobalProtect.
  * Add --sni option (and corresponding C and Java API functions) to allow domain-fronting connections in censored/filtered network environments.
  * Parrot a GlobalProtect server's software version, if present, as the client version (!333).
  * Fix NULL pointer dereference that has left Android builds broken since v8.20 (!389).
  * Fix Fortinet authentication bug where repeated SVPNCOOKIE causes segfaults (#514, !418).
  * Support F5 VPNs which encode authentication forms only in JSON, not in HTML.
  * Support simultaneous IPv6 and Legacy IP ("dual-stack") for Fortinet.
  * Support "FTM-push" token mode for Fortinet VPNs.
  * Send IPv6-compatible version string in Pulse IF/T session establishment.
  * Add --no-external-auth option to not advertise external-browser authentication.
  * Many small improvements in server response parsing, and better logging messages and documentation.

- Update to release 9.01:

  * Add support for AnyConnect "Session Token Re-use Anchor Protocol" (STRAP).
  * Add support for AnyConnect "external browser" SSO mode.
  * Bugfix RSA SecurID token decryption and PIN entry forms, broken in v8.20.
  * Support Cisco's multiple-certificate authentication.
  * Revert GlobalProtect default route handling change from v8.20.
  * Support split-exclude routes for Fortinet.
  * Add webview callback and SAML/SSO support for AnyConnect, GlobalProtect.

- Update to release 8.20:

  * Support non-AEAD ciphersuites in DTLSv1.2 with AnyConnect.
  * Emulate a newer version of GlobalProtect official clients,
    5.1.5-8; was 4.0.2-19
  * Support Juniper login forms containing both password and 2FA
    token
  * Explicitly disable 3DES and RC4, unless enabled with
    --allow-insecure-crypto
  * Allow protocols to delay tunnel setup and shutdown (!117)
  * Support for GlobalProtect IPv6
  * SIGUSR1 now causes OpenConnect to log detailed connection
    information and statistics
  * Allow --servercert to be specified multiple times in order to
    accept server certificates matching more than one possible
    fingerprint
  * Demangle default routes sent as split routes by GlobalProtect
  * Support more Juniper login forms, including some SSO forms
  * Restore compatibility with newer Cisco servers, by no longer
    sending them the X-AnyConnect-Platform header
  * Add support for PPP-based protocols, currently over TLS only.
  * Add support for two PPP-based protocols, F5 with
    --protocol=f5 and Fortinet with --protocol=fortinet.
  * Add support for Array Networks SSL VPN.
  * Support TLSv1.3 with TPMv2 EC and RSA keys, add test cases
    for swtpm and hardware TPM.

- Import the latest version of the vpnc-script (bsc#1140772)

  * This brings a lot of improvements for non-trivial network setups, IPv6, etc.

- Build with --without-gnutls-version-check

- Update to version 8.10:

  * Install bash completion script to
    ${datadir}/bash-completion/completions/openconnect.
  * Improve compatibility of csd-post.sh trojan.
  * Fix potential buffer overflow with GnuTLS describing local
    certs (CVE-2020-12823, bsc#1171862,
    gl#openconnect/openconnect!108).

- Introduce subpackage for bash-completion

- Update to 8.09:

  * Add bash completion support.
  * Give more helpful error in case of Pulse servers asking for
    TNCC.
  * Sanitize non-canonical Legacy IP network addresses.
  * Fix OpenSSL validation for trusted but invalid certificates
    (CVE-2020-12105 bsc#1170452).
  * Convert tncc-wrapper.py to Python 3, and include modernized
    tncc-emulate.py as well. (!91)
  * Disable Nagle's algorithm for TLS sockets, to improve
    interactivity when tunnel runs over TCP rather than UDP.
  * GlobalProtect: more resilient handling of periodic HIP check
    and login arguments, and predictable naming of challenge forms.
  * Work around PKCS#11 tokens which forget to set
    CKF_LOGIN_REQUIRED.

- Update to 8.0.8:

  * Fix check of pin-sha256: public key hashes to be case sensitive
  * Don't give non-functioning stderr to CSD trojan scripts.
  * Fix crash with uninitialised OIDC token.

- Update to 8.0.7:

  * Don't abort Pulse connection when server-provided certificate
    MD5 doesn't match.
  * Fix off-by-one in check for bad GnuTLS versions, and add build
    and run time checks.
  * Don't abort connection if CSD wrapper script returns non-zero
    (for now).
  * Make --passtos work for protocols that use ESP, in addition
    to DTLS.
  * Convert tncc-wrapper.py to Python 3, and include modernized
    tncc-emulate.py as well.

- Remove the tncc-wrapper.py script as it is Python 2 only (bsc#1157446)

- No need to ship hipreport-android.sh as it is intended for
  Android systems only

- Update to 8.0.5:

  * Minor fixes to build on specific platforms
  * Includes fix for a buffer overflow with chunked HTTP handling
    (CVE-2019-16239, bsc#1151178)

- Use python3 to generate the web data, now that upstream supports it

- Update to 8.0.3:

  * Fix Cisco DTLSv1.2 support for AES256-GCM-SHA384.
  * Fix recognition of OTP password fields.

- Update to 8.02:

  * Fix GNU/Hurd build.
  * Discover vpnc-script in default packaged location on FreeBSD/OpenBSD.
  * Support split-exclude routes for GlobalProtect.
  * Fix GnuTLS builds without libtasn1.
  * Fix DTLS support with OpenSSL 1.1.1+.
  * Add Cisco-compatible DTLSv1.2 support.
  * Invoke script with reason=attempt-reconnect before doing so.

- Update to 8.01:

  * Clear form submissions (which may include passwords) before
    freeing (CVE-2018-20319, bsc#1215669).
  * Allow form responses to be provided on command line.
  * Add support for SSL keys stored in TPM2.
  * Fix ESP rekey when replay protection is disabled.
  * Drop support for GnuTLS older than 3.2.10.
  * Fix --passwd-on-stdin for Windows to not forcibly open console.
  * Fix portability of shell scripts in test suite.
  * Add Google Authenticator TOTP support for Juniper.
  * Add RFC7469 key PIN support for cert hashes.
  * Add protocol method to securely log out the Juniper session.
  * Relax requirements for Juniper hostname packet response to support old gateways.
  * Add API functions to query the supported protocols.
  * Verify ESP sequence numbers and warn even if replay protection is disabled.
  * Add support for PAN GlobalProtect VPN protocol (--protocol=gp).
  * Reorganize listing of command-line options, and include information on supported protocols.
  * SIGTERM cleans up the session similarly to SIGINT.
  * Fix memset_s() arguments.
  * Fix OpenBSD build.

- Explicitly enable all the features as needed, so that the build stops if
  something is missing

Packages


  • oath-toolkit-2.6.2-150000.3.5.1
  • openconnect-9.12-150400.15.3.1
  • stoken-0.81-150400.13.2.1