diff --git a/_service b/_service
index 89b07ab..c8ed1ee 100644
--- a/_service
+++ b/_service
@@ -3,11 +3,12 @@
https://github.com/tailscale/tailscale.git
git
yes
- refs/tags/v1.80.3
+ refs/tags/v1.94.1
@PARENT_TAG@
v(.*)
disable
+
*.tar
gz
diff --git a/fix-CVE-2025-22869.patch b/fix-CVE-2025-22869.patch
deleted file mode 100644
index 466aae9..0000000
--- a/fix-CVE-2025-22869.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-diff -rub tailscale-1.80.3/go.mod tailscale-1.80.3-patched/go.mod
---- tailscale-1.80.3/go.mod 2025-03-03 21:05:20.000000000 +0100
-+++ tailscale-1.80.3-patched/go.mod 2025-03-12 10:00:39.364237325 +0100
-@@ -94,14 +94,14 @@
- go.uber.org/zap v1.27.0
- go4.org/mem v0.0.0-20240501181205-ae6ca9944745
- go4.org/netipx v0.0.0-20231129151722-fdeea329fbba
-- golang.org/x/crypto v0.33.0
-+ golang.org/x/crypto v0.36.0
- golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8
- golang.org/x/mod v0.22.0
- golang.org/x/net v0.35.0
- golang.org/x/oauth2 v0.25.0
-- golang.org/x/sync v0.11.0
-- golang.org/x/sys v0.30.0
-- golang.org/x/term v0.29.0
-+ golang.org/x/sync v0.12.0
-+ golang.org/x/sys v0.31.0
-+ golang.org/x/term v0.30.0
- golang.org/x/time v0.9.0
- golang.org/x/tools v0.29.0
- golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2
-@@ -385,7 +385,7 @@
- go.uber.org/multierr v1.11.0 // indirect
- golang.org/x/exp/typeparams v0.0.0-20240314144324-c7f7c6466f7f // indirect
- golang.org/x/image v0.23.0 // indirect
-- golang.org/x/text v0.22.0 // indirect
-+ golang.org/x/text v0.23.0 // indirect
- gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
- google.golang.org/protobuf v1.35.1 // indirect
- gopkg.in/inf.v0 v0.9.1 // indirect
-diff -rub tailscale-1.80.3/go.sum tailscale-1.80.3-patched/go.sum
---- tailscale-1.80.3/go.sum 2025-03-03 21:05:20.000000000 +0100
-+++ tailscale-1.80.3-patched/go.sum 2025-03-12 10:01:30.149309580 +0100
-@@ -1060,6 +1060,8 @@
- golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
- golang.org/x/crypto v0.33.0 h1:IOBPskki6Lysi0lo9qQvbxiQ+FvsCC/YWOecCHAixus=
- golang.org/x/crypto v0.33.0/go.mod h1:bVdXmD7IV/4GdElGPozy6U7lWdRXA4qyRVGJV57uQ5M=
-+golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
-+golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
- golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
- golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
- golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
-@@ -1173,6 +1175,8 @@
- golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
- golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w=
- golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-+golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
-+golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
- golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
- golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
- golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-@@ -1233,6 +1237,8 @@
- golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
- golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
- golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-+golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
-+golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
- golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
- golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
- golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-@@ -1241,6 +1247,8 @@
- golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
- golang.org/x/term v0.29.0 h1:L6pJp37ocefwRRtYPKSWOWzOtWSxVajvz2ldH/xi3iU=
- golang.org/x/term v0.29.0/go.mod h1:6bl4lRlvVuDgSf3179VpIxBF0o10JUpXWOnI7nErv7s=
-+golang.org/x/term v0.30.0 h1:PQ39fJZ+mfadBm0y5WlL4vlM7Sx1Hgf13sMIY2+QS9Y=
-+golang.org/x/term v0.30.0/go.mod h1:NYYFdzHoI5wRh/h5tDMdMqCqPJZEuNqVR5xJLd/n67g=
- golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
- golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
- golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-@@ -1253,6 +1261,8 @@
- golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
- golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=
- golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
-+golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
-+golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
- golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
- golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
- golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-Only in tailscale-1.80.3-patched: vendor
diff --git a/tailscale-1.80.3.tar.gz b/tailscale-1.80.3.tar.gz
deleted file mode 100644
index 3f01878..0000000
--- a/tailscale-1.80.3.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:8cfab48a1a40bc27445bc1aea0daedc7c1147a1ee61fe3abbf32c1eb8acaca33
-size 13706235
diff --git a/tailscale-1.94.1.tar.gz b/tailscale-1.94.1.tar.gz
new file mode 100644
index 0000000..e2d9614
--- /dev/null
+++ b/tailscale-1.94.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e3483445965f144c8fa31cf59cbd45bd0fd3f08b42a9bf821cdd30f7497f07ff
+size 20149545
diff --git a/tailscale.changes b/tailscale.changes
index f698340..d778c37 100644
--- a/tailscale.changes
+++ b/tailscale.changes
@@ -1,3 +1,259 @@
+-------------------------------------------------------------------
+Fri Jan 30 11:52:12 UTC 2026 - Richard Rahl
+
+- Update to version 1.94.0:
+ * IS SET and NOT SET have been added as device posture operators
+ * India DERP Region City Name updated
+ * Custom DERP servers support GCP Certificate Manager
+ * Tailscale SSH authentication, when successful, results in LOGIN audit
+ messages being sent to the kernel audit subsystem
+ * Tailscale Peer Relay throughput is improved when the SO_REUSEPORT socket
+ option is supported on multi-core systems
+ * Tailscale Peer Relay server handshake transmission is guarded against
+ routing loops over Tailscale
+ * MagicDNS always resolves when using resolv.conf without a DNS manager
+ * tailscaled_peer_relay_forwarded_packets_total and
+ tailscaled_peer_relay_forwarded_bytes_total client metrics are available for
+ Tailscale Peer Relays
+ * Identity tokens are automatically generated for workload identities
+ * --audience flag added to tailscale up command to support auto generation of
+ ID tokens for workload identity
+ * tsnet nodes can host Tailscale Services
+ * The tailscale lock status -json command returns tailnet key authority (TKA)
+ data in a stable format
+ * Tailscale Peer Relays deliver improved throughput through monotonic time
+ comparison optimizations and reduced lock contention
+ * Tailscale Services virtual IPs are now automatically accepted by clients
+ across all platforms regardless of the status of the --accept-routes
+ feature
+
+-------------------------------------------------------------------
+Wed Jan 21 01:30:13 UTC 2026 - Richard Rahl
+
+- Update to version 1.94.0:
+ * derp/derpserver: add a unique sender cardinality estimate
+ * syncs: add means of declare locking assumptions for debug mode
+ * cmd/k8s-operator: add support for taiscale.com/http-redirect
+ * cmd/k8s-operator fix populateTLSSecret on tests
+ * feature/posture: log method and full URL for posture identity requests
+ * k8s-operator: Fix typos in egress-pod-readiness.go
+ * cmd/tailscale,ipn: add Unix socket support for serve
+ * client/systray: change systray to start after graphical.target
+ * cmd/k8s-operator: warn if users attempt to expose a headless Service
+ * cmd/tailscale/cli, util/qrcodes: format QR codes on Linux consoles
+ * tsnet: ensure funnel listener cleans up after itself when closed
+ * ipn/store/kubestore: don't load write replica certs in memory
+ * tsnet: allow for automatic ID token generation
+
+-------------------------------------------------------------------
+Fri Jan 9 00:06:05 UTC 2026 - Richard Rahl
+
+- Update to version 1.92.5:
+ * types/persist: omit Persist.AttestationKey based on IsZero
+ * disable hardware attestation for kubernetes
+ * allow opting out of ACME order replace extension
+- Update to version 1.92.4:
+ * nothing of importance
+
+-------------------------------------------------------------------
+Wed Dec 17 13:24:06 UTC 2025 - Richard Rahl
+
+- Update to version 1.92.3:
+ * WireGuard configuration that occurs automatically in the client, no longer
+ results in a panic
+
+-------------------------------------------------------------------
+Fri Dec 12 14:21:14 UTC 2025 - Richard Rahl
+
+- Update to version 1.92.2:
+ * cmd/derper: add GCP Certificate Manager support
+
+-------------------------------------------------------------------
+Sat Dec 6 11:39:58 UTC 2025 - Richard Rahl
+
+- Update to version 1.92.1:
+ * fix LocalBackend deadlock when packet arrives during profile switch
+ * wgengine: fix TSMP/ICMP callback leak
+- Update to version 1.92.0:
+ * no changelog provided
+- Update to version 1.90.9:
+ * tailscaled no longer deadlocks during event bursts
+ * The client no longer hangs after wake up
+
+-------------------------------------------------------------------
+Wed Nov 19 16:23:06 UTC 2025 - Richard Rahl
+
+- Update to version 1.90.8:
+ * tka: move RemoveAll() to CompactableChonk
+- Update to version 1.90.7:
+ * wgengine/magicsock: validate endpoint.derpAddr
+ * wgengine/magicsock: fix UDPRelayAllocReq/Resp deadlock
+ * net/udprelay: replace VNI pool with selection algorithm
+ * feature/relayserver,ipn/ipnlocal,net/udprelay: plumb DERPMap
+ * feature/relayserver: fix Shutdown() deadlock
+ * net/netmon: do not abandon a subscriber when exiting early
+ * tka: don't try to read AUMs which are partway through being written
+ * tka: rename a mutex to mu instead of single-letter l
+ * ipn/ipnlocal: use an in-memory TKA store if FS is unavailable
+
+-------------------------------------------------------------------
+Sun Nov 2 11:43:31 UTC 2025 - Richard Rahl
+
+- Update to version 1.90.6:
+ * Routes no longer stall and fail to apply when updated repeatedly in a short
+ period of time
+ * Tailscale SSH no longer hangs for 10s when connecting to tsrecorder. This
+ affected tailnets that use Tailscale SSH recording
+
+-------------------------------------------------------------------
+Wed Oct 29 09:50:22 UTC 2025 - Richard Rahl
+
+- Update to version 1.90.4:
+ * deadlock issue no longer occurs in the client when checking
+ for the network to be available
+ * tailscaled no longer sporadically panics when a
+ Trusted Platform Module (TPM) device is present
+
+-------------------------------------------------------------------
+Tue Oct 28 11:12:50 UTC 2025 - Richard Rahl
+
+- Update to version 1.90.3:
+ * tailscaled shuts down as expected and without panic
+ * tailscaled starts up as expected in a no router configuration environment
+
+-------------------------------------------------------------------
+Fri Oct 24 18:11:11 UTC 2025 - Richard Rahl
+
+- Update to version 1.90.2:
+ * util/linuxfw: fix 32-bit arm regression with iptables
+ * health: compare warnable codes to avoid errors on release branch
+ * feature/tpm: check TPM family data for compatibility
+
+-------------------------------------------------------------------
+Fri Oct 24 10:08:31 UTC 2025 - Richard Rahl
+
+- Upate to version 1.90.1:
+ * Clients can use configured DNS resolvers for all domains
+ * Node keys will be renewed seamlessly
+ * Unnecessary path discovery packets over DERP servers are suppressed
+ * Node key sealing is GA (generally available) and enabled by default
+
+-------------------------------------------------------------------
+Wed Oct 1 11:55:52 UTC 2025 - Richard Rahl
+
+- update to version 1.88.3:
+ * cmd/tailscale/cli: add ts2021 debug flag to set a dial plan
+ * control/controlhttp: simplify, fix race dialing, remove priority concept
+- update to version 1.88.2:
+ * k8s-operator: reset service status before append
+- require the minimum go version directly, in comparison to using the golang(API)
+ symbol
+
+-------------------------------------------------------------------
+Fri Sep 12 11:11:48 UTC 2025 - Richard Rahl
+
+- update to version 1.88.1:
+ * Tailscale CLI prompts users to confirm impactful actions
+ * Tailscale SSH works as expected when using an IP address instead of a
+ hostname and MagicDNS is disabled
+ * fixed: Taildrive sharing when su not present
+ * Taildrive files remain consistently accessible
+ * new: Tailscale tray GUI
+ * DERP IPs changed for Singapore and Tokyo
+- remove fix-CVE-2025-58058.patch, fixed upstream
+
+-------------------------------------------------------------------
+Fri Aug 29 12:57:59 UTC 2025 - Richard Rahl
+
+- add patch fix-CVE-2025-58058.patch, fixing bsc#1248920
+
+-------------------------------------------------------------------
+Fri Aug 29 11:10:29 UTC 2025 - Richard Rahl
+
+- update to version 1.86.5:
+ * cmd/k8s-proxy,k8s-operator: fix serve config for userspace mode
+- update to version 1.86.4:
+ * nothing of relevance
+- update to version 1.86.3:
+ * nothing of relevance
+
+-------------------------------------------------------------------
+Tue Jul 29 21:20:47 UTC 2025 - Richard Rahl
+
+- update to version 1.86.2:
+ * A deadlock issue that may have occurred in the client
+ * An occasional crash when establishing a new port mapping with a gateway or
+ firewall
+
+-------------------------------------------------------------------
+Sat Jul 26 16:23:38 UTC 2025 - Richard Rahl
+
+- update to version 1.86.0:
+ * tsStateEncrypted device posture attribute for checking whether the
+ Tailscale client state is encrypted at rest
+ * Cross-site request forgery (CSRF) issue that may have resulted in a log in
+ error when accessing the web interface
+ * Recommended exit node when the previously recommended exit node is offline
+ * tailscale up --exit-node=auto:any and tailscale set --exit-node=auto:any
+ CLI commands track the recommended exit node and automatically switches to
+ it when available exit nodes or network conditions change
+ * tailscaled CLI command flag --encrypt-state encrypts the node state file on
+ the disk using trusted platform module (TPM)
+
+-------------------------------------------------------------------
+Thu Jun 26 17:29:44 UTC 2025 - Richard Rahl
+
+- update to 1.84.3:
+ * ipn/ipnlocal: Update hostinfo to control on service config change
+
+-------------------------------------------------------------------
+Tue Jun 10 15:36:55 UTC 2025 - Richard Rahl
+
+- update to 1.84.2:
+ * Re-enable setting —accept-dns by using TS_EXTRA_ARGS. This issue resulted
+ from stricter CLI arguments parsing introduced in Tailscale v1.84.0
+
+-------------------------------------------------------------------
+Fri May 30 06:23:15 UTC 2025 - Richard Rahl
+
+- update to 1.84.1:
+ * net/dns: cache dns.Config for reuse when compileConfig fails
+
+-------------------------------------------------------------------
+Thu May 22 08:27:09 UTC 2025 - Richard Rahl
+
+- update to 1.84.0:
+ * The --reason flag is added to the tailscale down command
+ * ReconnectAfter policy setting, which configures the maximum period of time
+ between a user disconnecting Tailscale and the client automatically
+ reconnecting
+ * Tailscale CLI commands throw an error if multiple of the same flag are detected
+ * Network connectivity issues when creating a new profile or switching
+ profiles while using an exit node
+ * DNS-over-TCP fallback works correctly with upstream servers reachable only
+ via the tailnet
+- remove fix-CVE-2025-22869.patch, as upstream updated their dependencies
+
+-------------------------------------------------------------------
+Fri Apr 18 07:37:15 UTC 2025 - Richard Rahl
+
+- update to 1.82.5:
+ * A panic issue related to CUBIC congestion control in userspace mode is resolved.
+
+-------------------------------------------------------------------
+Thu Mar 27 19:50:58 UTC 2025 - Richard Rahl
+
+- update to 1.82.0:
+ * DERP functionality within the client supports certificate pinning for
+ self-signed IP address certificates for those unable to use Let's Encrypt
+ or WebPKI certificates.
+ * Go is updated to version 1.24.1
+ * NAT traversal code uses the DERP connection that a packet arrived on as an
+ ultimate fallback route if no other information is available
+ * Captive portal detection reliability is improved on some in-flight Wi-Fi networks
+ * Port mapping success rate is improved
+ * Helsinki is added as a DERP region.
+
-------------------------------------------------------------------
Wed Mar 12 09:07:49 UTC 2025 - Richard Rahl
diff --git a/tailscale.spec b/tailscale.spec
index 9b8a419..1680978 100644
--- a/tailscale.spec
+++ b/tailscale.spec
@@ -1,7 +1,7 @@
#
# spec file for package tailscale
#
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2026 SUSE LLC and contributors
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
Name: tailscale
-Version: 1.80.3
+Version: 1.94.1
Release: 0
Summary: The easiest, most secure way to use WireGuard and 2FA
License: BSD-3-Clause
@@ -28,15 +28,14 @@ Source2: %{name}d.service
Source3: %{name}d.defaults
Patch0: build-verbose.patch
Patch1: disable-auto-update.patch
-Patch2: fix-CVE-2025-22869.patch
BuildRequires: bash-completion
BuildRequires: fish
BuildRequires: git-core
+BuildRequires: go1.25 >= 1.25.5
BuildRequires: golang-packaging
BuildRequires: zsh
-BuildRequires: golang(API) = 1.23
Requires: %{default_firewall_backend}
-ExcludeArch: i586
+ExcludeArch: %{ix86}
%{?systemd_requires}
%description
diff --git a/vendor.tar.gz b/vendor.tar.gz
index dfd847d..7d3e0e2 100644
--- a/vendor.tar.gz
+++ b/vendor.tar.gz
@@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
-oid sha256:55812d888060e6b92a0a1612e1f0ab69de3529825842c4327029f0f8a2ee9563
-size 20212560
+oid sha256:0b47b6bb0e4b7feee25f4d6f1cb0626e24201972fbc343e0db5dc8a868a74077
+size 23982942