Bug 837638 - net-vpn/openconnect-8.20 version bump
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Mike Gilbert
Reported: 2022-04-10 11:56 UTC by Joakim Tjernlund
Modified: 2022-04-11 01:08 UTC
Description Joakim Tjernlund 2022-04-10 11:56:55 UTC
http://www.infradead.org/openconnect/changelog.html :
OpenConnect v8.20 (PGP signature) — 2022-02-20

    When the queue length (-Q option) is 16 or more, try using vhost-net to accelerate tun device access.
    Use epoll() where available.
    Support non-AEAD ciphersuites in DTLSv1.2 with AnyConnect. (#249)
    Make tncc-emulate.py work with Python 3.7+. (#152, !120)
    Emulated a newer version of GlobalProtect official clients, 5.1.5-8; was 4.0.2-19 (!131)
    Support Juniper login forms containing both password and 2FA token (!121)
    Explicitly disable 3DES and RC4, unless enabled with --allow-insecure-crypto (!114)
    Add obsolete-server-crypto test (!114)
    Allow protocols to delay tunnel setup and shutdown (!117)
    Support for GlobalProtect IPv6 (!155 and !188; previous work in d6db0ec)
    SIGUSR1 causes OpenConnect to log detailed connection information and statistics (!154)
    Allow --servercert to be specified multiple times in order to accept server certificates matching more than one possible fingerprint (!162, #25)
    Add insecure debugging build mode for developers (!112)
    Demangle default routes sent as split routes by GlobalProtect (!118)
    Improve GlobalProtect login argument decoding (!143)
    Add detection of authentication expiration date, intended to allow front-ends to cache and reuse authentication cookies/sessions (!156)
    Small bug fixes and clarification of many logging messages.
    Support more Juniper login forms, including some SSO forms (!171)
    Automatically build Windows installers for OpenConnect command-line interface (!176)
    Restore compatibility with newer Cisco servers, by no longer sending them the X-AnyConnect-Platform header (#101, !175)
    Add support for PPP-based protocols, currently over TLS only (!165).
    Add support for two PPP-based protocols, F5 with --protocol=f5 and Fortinet with --protocol=fortinet (!169).
    Add experimental support for Wintun Layer 3 TUN driver under Windows (#231, !178).
    Clean up and improve Windows routing/DNS configuration script (vpnc-scripts!26, vpnc-scripts!41, vpnc-scripts!44).
    On Windows, reclaim needed IP addresses from down network interfaces so that configuration script can succeed (!178).
    Fix output redirection under Windows (#229)
    More gracefully handle idle timeouts and other fatal errors for Juniper and Pulse (!187)
    Ignore failures to fetch the Juniper/oNCP landing page if the authentication was successful (3e779436).
    Add support for Array Networks SSL VPN (#102)
    Support TLSv1.3 with TPMv2 EC and RSA keys, add test cases for swtpm and hardware TPM. (ed80bfac...ee1cd782)
    Add openconnect_get_connect_url() to simplify passing correct server information to the connecting openconnect process. (NetworkManager-openconnect #46, #53)
    Disable brittle "system policy" enforcement where it cannot be gracefully overridden at user request. (RH#1960763).
    Pass "portal cookie" fields from GlobalProtect portal to gateway to avoid repetition of password- or SAML-based login (!199)
    With --user, enter username supplied via command-line into all authentication forms, not just the first. (#267, !220).
    Fix a subtle bug which has prevented ESP rekey and ESP-to-TLS fallback from working reliably with the Juniper/oNCP protocol since v8.04. (#322, !293).
    Fix a bug in csd-wrapper.sh which has prevented it from correctly downloading compressed Trojan binaries since at least v8.00. (!305)
    Make Windows socketpair emulation more robust in the face of Windows's ability to break its localhost routes. (#228, #361, !320)
    Perform proper disconnect and routes cleanup on Windows when receiving Ctrl+C or Ctrl+Break. (#362, !323)
    Improve logging in routing/DNS configuration scripts. (!328, vpnc-scripts!45)
    Support modified configuration packet from Pulse 9.1R14 servers (#379, !331)
Comment 1 Joakim Tjernlund 2022-04-10 12:02:06 UTC
Possibly also include these from master:

    On Windows, fix crash on tunnel setup. (#370, 6a2ffbb)
    Bugfix RSA SecurID token decryption and PIN entry forms, broken in v8.20. (#388, !344)
Comment 2 Larry the Git Cow gentoo-dev 2022-04-11 01:08:16 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cb84d12940f854ce1704fa1afacc92422810b7b5

commit cb84d12940f854ce1704fa1afacc92422810b7b5
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2022-04-11 00:58:05 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2022-04-11 00:58:42 +0000

    net-vpn/openconnect: add 8.20
    
    Closes: https://bugs.gentoo.org/837638
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 net-vpn/openconnect/Manifest                       |   1 +
 .../openconnect/files/8.20-insecure-crypto.patch   |  46 ++++++
 net-vpn/openconnect/files/8.20-rsa-securid.patch   |  51 +++++++
 net-vpn/openconnect/openconnect-8.20.ebuild        | 154 +++++++++++++++++++++
 4 files changed, 252 insertions(+)