From 93c5b928dc0f79a2f148fe056e703b9acb03f70c922a38501fcb792a32deb78d Mon Sep 17 00:00:00 2001 
From: Richard Rahl Date: Thu, 27 Mar 2025 19:53:04 +0000 Subject: [PATCH 01/25] - update to 1.82.0: * DERP functionality within the client supports certificate pinning for self-signed IP address certificates for those unable to use Let's Encrypt or WebPKI certificates. * Go is updated to version 1.24.1 * NAT traversal code uses the DERP connection that a packet arrived on as an ultimate fallback route if no other information is available * Captive portal detection reliability is improved on some in-flight Wi-Fi networks * Port mapping success rate is improved * Helsinki is added as a DERP region. OBS-URL: https://build.opensuse.org/package/show/network:vpn/tailscale?expand=0&rev=73 --- .gitattributes | 23 ++ .gitignore | 1 + _service | 17 + _servicedata | 4 + build-verbose.patch | 13 + disable-auto-update.patch | 25 ++ fix-CVE-2024-45337.patch | 727 ++++++++++++++++++++++++++++++++++++++ fix-CVE-2025-22869.patch | 80 +++++ tailscale-1.70.0.tar.gz | 3 + tailscale-1.72.1.tar.gz | 3 + tailscale-1.74.0.tar.gz | 3 + tailscale-1.74.1.tar.gz | 3 + tailscale-1.76.1.tar.gz | 3 + tailscale-1.76.3.tar.gz | 3 + tailscale-1.76.6.tar.gz | 3 + tailscale-1.78.1.tar.gz | 3 + tailscale-1.78.3.tar.gz | 3 + tailscale-1.80.0.tar.gz | 3 + tailscale-1.80.1.tar.gz | 3 + tailscale-1.80.2.tar.gz | 3 + tailscale-1.80.3.tar.gz | 3 + tailscale-1.82.0.tar.gz | 3 + tailscale.changes | 492 ++++++++++++++++++++++++++ tailscale.spec | 144 ++++++++ tailscaled.defaults | 8 + tailscaled.service | 35 ++ vendor.tar.gz | 3 + 27 files changed, 1614 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 _service create mode 100644 _servicedata create mode 100644 build-verbose.patch create mode 100644 disable-auto-update.patch create mode 100644 fix-CVE-2024-45337.patch create mode 100644 fix-CVE-2025-22869.patch create mode 100644 tailscale-1.70.0.tar.gz create mode 100644 tailscale-1.72.1.tar.gz create mode 100644 tailscale-1.74.0.tar.gz create mode 100644 
tailscale-1.74.1.tar.gz create mode 100644 tailscale-1.76.1.tar.gz create mode 100644 tailscale-1.76.3.tar.gz create mode 100644 tailscale-1.76.6.tar.gz create mode 100644 tailscale-1.78.1.tar.gz create mode 100644 tailscale-1.78.3.tar.gz create mode 100644 tailscale-1.80.0.tar.gz create mode 100644 tailscale-1.80.1.tar.gz create mode 100644 tailscale-1.80.2.tar.gz create mode 100644 tailscale-1.80.3.tar.gz create mode 100644 tailscale-1.82.0.tar.gz create mode 100644 tailscale.changes create mode 100644 tailscale.spec create mode 100644 tailscaled.defaults create mode 100644 tailscaled.service create mode 100644 vendor.tar.gz
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/_service b/_service
new file mode 100644
index 0000000..7902d74
--- /dev/null
+++ b/_service
@@ -0,0 +1,17 @@ + + + https://github.com/tailscale/tailscale.git + git + yes + refs/tags/v1.82.0 + @PARENT_TAG@ + v(.*) + disable + + + *.tar + gz + + + + diff --git a/_servicedata b/_servicedata new file mode 100644 index 0000000..d4fed67 --- /dev/null +++ b/_servicedata @@ -0,0 +1,4 @@ + + + https://github.com/tailscale/tailscale.git + aa448d5a9985378af04966c6d7aec8d9f4a166ca \ No newline at end of file diff --git a/build-verbose.patch b/build-verbose.patch new file mode 100644 index 0000000..5da7533 --- /dev/null +++ b/build-verbose.patch @@ -0,0 +1,13 @@ +diff --git a/build_dist.sh b/build_dist.sh +index 0c757c26..9639d596 100755 +--- a/build_dist.sh ++++ b/build_dist.sh +@@ -9,7 +9,7 @@ + # this script, or executing equivalent commands in your + # distro-specific build system. + +-set -eu ++set -eux + + go="go" + if [ -n "${TS_USE_TOOLCHAIN:-}" ]; then diff --git a/disable-auto-update.patch b/disable-auto-update.patch new file mode 100644 index 0000000..c7d8a30 --- /dev/null +++ b/disable-auto-update.patch 
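Review bot: The checkout is pinned only by the mutable ref `refs/tags/v1.82.0`; this rendering has dropped the XML element names, but nothing visible verifies the fetched tag against a commit hash or a tag signature, so a moved tag would silently change what gets packaged. The `aa448d5a…` hash recorded in `_servicedata` looks like the changelog-generation revision rather than a build pin, so it does not close that gap. Consider recording the release commit as the revision (or checking the tag object's signature in the service step) and documenting that choice in a comment next to the revision parameter.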
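Review bot: `set -eux` turns on xtrace for all of build_dist.sh, so every expanded command line, including any credential-bearing environment variable such as a GOPROXY URL with an embedded token or a GOFLAGS value, is written to the build log. Inside an OBS build that is probably harmless, but the patched file is upstream's generic build entry point and the patch does not limit the tracing to the packaging run. A gated form keeps the diagnostics without that exposure: keep `set -eu` and add `if [ -n "${TS_BUILD_VERBOSE:-}" ]; then set -x; fi` with a comment noting that tracing echoes environment values into logs.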
@@ -0,0 +1,25 @@
+diff -rub tailscale/clientupdate/clientupdate.go tailscale-patched/clientupdate/clientupdate.go
+--- tailscale/clientupdate/clientupdate.go 2024-06-16 15:26:31.323022871 +0200
++++ tailscale-patched/clientupdate/clientupdate.go 2024-06-16 15:57:08.732315446 +0200
+@@ -205,6 +205,8 @@
+ // The distro.Debian switch case above should catch most apt-based
+ // systems, but add this fallback just in case.
+ return up.updateDebLike, true
++ case haveExecutable("zypper"):
++ return up.updateSUSE, false
+ case haveExecutable("dnf"):
+ return up.updateFedoraLike("dnf"), true
+ case haveExecutable("yum"):
+@@ -526,6 +528,12 @@
+ you can use "pacman --sync --refresh --sysupgrade" or "pacman -Syu" to upgrade the system, including Tailscale.`)
+ }
+
++func (up *Updater) updateSUSE() error {
++ // SUSE-based distros should update manually.
++ // The package can come from official Tailscale repos or not and the system can be transactional or not.
++ return errors.New(`Use Zypper or transactional-update (on applicable systems) to update Tailscale on openSUSE or SUSE Linux Enterprise installations.`)
++}
++
+ func (up *Updater) updateNixos() error {
+ // NixOS package updates are managed on a system level and not individually.
+ // Direct users to update their nix channel or nixpkgs flake input to
diff --git a/fix-CVE-2024-45337.patch b/fix-CVE-2024-45337.patch
new file mode 100644
index 0000000..1fbec70
--- /dev/null
+++ b/fix-CVE-2024-45337.patch
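Review bot: The new `case haveExecutable("zypper"):` is placed after the fallback case that returns `up.updateDebLike, true`, so a SUSE host that also has that fallback's executable installed resolves to the Debian path with auto-update still enabled; the condition of that preceding case is outside the hunk, so confirm it, and if it is an executable probe move the zypper case ahead of it (or ahead of every executable-based probe). The `false` second return value reads as the auto-update flag by analogy with the neighbouring cases, which is the right choice for a distro-owned package. `updateSUSE` also lacks a Go-style doc comment; suggested: `// updateSUSE refuses to self-update and directs the user to zypper or transactional-update, because the package is managed by the distribution.`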
@@ -0,0 +1,727 @@ +From 73128e25230fda8c82696ed0ffef991bce68cecc Mon Sep 17 00:00:00 2001 +From: Brad Fitzpatrick +Date: Thu, 12 Dec 2024 09:38:07 -0800 +Subject: [PATCH] ssh/tailssh: remove unused public key support + +When we first made Tailscale SSH, we assumed people would want public +key support soon after. Turns out that hasn't been the case; people +love the Tailscale identity authentication and check mode. + +In light of CVE-2024-45337, just remove all our public key code to not +distract people, and to make the code smaller. We can always get it +back from git if needed. + +Updates tailscale/corp#25131 +Updates golang/go#70779 + +Co-authored-by: Percy Wegmann +Change-Id: I87a6e79c2215158766a81942227a18b247333c22 +Signed-off-by: Brad Fitzpatrick +--- + Makefile | 1 - + ssh/tailssh/tailssh.go | 277 ++++-------------------------------- + ssh/tailssh/tailssh_test.go | 88 +----------- + tailcfg/tailcfg.go | 18 ++- + tailcfg/tailcfg_clone.go | 12 +- + tailcfg/tailcfg_view.go | 22 +-- + 6 files changed, 54 insertions(+), 364 deletions(-) + +diff --git a/Makefile b/Makefile +index 960f13885c11c..d3e50af0571b7 100644 +--- a/Makefile ++++ b/Makefile +@@ -116,7 +116,6 @@ sshintegrationtest: ## Run the SSH integration tests in various Docker container + GOOS=linux GOARCH=amd64 ./tool/go build -o ssh/tailssh/testcontainers/tailscaled ./cmd/tailscaled && \ + echo "Testing on ubuntu:focal" && docker build --build-arg="BASE=ubuntu:focal" -t ssh-ubuntu-focal ssh/tailssh/testcontainers && \ + echo "Testing on ubuntu:jammy" && docker build --build-arg="BASE=ubuntu:jammy" -t ssh-ubuntu-jammy ssh/tailssh/testcontainers && \ +- echo "Testing on ubuntu:mantic" && docker build --build-arg="BASE=ubuntu:mantic" -t ssh-ubuntu-mantic ssh/tailssh/testcontainers && \ + echo "Testing on ubuntu:noble" && docker build --build-arg="BASE=ubuntu:noble" -t ssh-ubuntu-noble ssh/tailssh/testcontainers && \ + echo "Testing on alpine:latest" && docker build --build-arg="BASE=alpine:latest" -t 
ssh-alpine-latest ssh/tailssh/testcontainers + +diff --git a/ssh/tailssh/tailssh.go b/ssh/tailssh/tailssh.go +index 7cb99c3813104..7f21ccd1182ee 100644 +--- a/ssh/tailssh/tailssh.go ++++ b/ssh/tailssh/tailssh.go +@@ -10,7 +10,6 @@ import ( + "bytes" + "context" + "crypto/rand" +- "encoding/base64" + "encoding/json" + "errors" + "fmt" +@@ -45,7 +44,6 @@ import ( + "tailscale.com/util/clientmetric" + "tailscale.com/util/httpm" + "tailscale.com/util/mak" +- "tailscale.com/util/slicesx" + ) + + var ( +@@ -80,16 +78,14 @@ type server struct { + logf logger.Logf + tailscaledPath string + +- pubKeyHTTPClient *http.Client // or nil for http.DefaultClient +- timeNow func() time.Time // or nil for time.Now ++ timeNow func() time.Time // or nil for time.Now + + sessionWaitGroup sync.WaitGroup + + // mu protects the following +- mu sync.Mutex +- activeConns map[*conn]bool // set; value is always true +- fetchPublicKeysCache map[string]pubKeyCacheEntry // by https URL +- shutdownCalled bool ++ mu sync.Mutex ++ activeConns map[*conn]bool // set; value is always true ++ shutdownCalled bool + } + + func (srv *server) now() time.Time { +@@ -204,7 +200,6 @@ func (srv *server) OnPolicyChange() { + // + // Do the user auth + // - NoClientAuthHandler +-// - PublicKeyHandler (only if NoClientAuthHandler returns errPubKeyRequired) + // + // Once auth is done, the conn can be multiplexed with multiple sessions and + // channels concurrently. 
At which point any of the following can be called +@@ -234,10 +229,9 @@ type conn struct { + finalAction *tailcfg.SSHAction // set by doPolicyAuth or resolveNextAction + finalActionErr error // set by doPolicyAuth or resolveNextAction + +- info *sshConnInfo // set by setInfo +- localUser *userMeta // set by doPolicyAuth +- userGroupIDs []string // set by doPolicyAuth +- pubKey gossh.PublicKey // set by doPolicyAuth ++ info *sshConnInfo // set by setInfo ++ localUser *userMeta // set by doPolicyAuth ++ userGroupIDs []string // set by doPolicyAuth + acceptEnv []string + + // mu protects the following fields. +@@ -268,9 +262,6 @@ func (c *conn) isAuthorized(ctx ssh.Context) error { + action := c.currentAction + for { + if action.Accept { +- if c.pubKey != nil { +- metricPublicKeyAccepts.Add(1) +- } + return nil + } + if action.Reject || action.HoldAndDelegate == "" { +@@ -293,10 +284,6 @@ func (c *conn) isAuthorized(ctx ssh.Context) error { + // policy. + var errDenied = errors.New("ssh: access denied") + +-// errPubKeyRequired is returned by NoClientAuthCallback to make the client +-// resort to public-key auth; not user visible. +-var errPubKeyRequired = errors.New("ssh publickey required") +- + // NoClientAuthCallback implements gossh.NoClientAuthCallback and is called by + // the ssh.Server when the client first connects with the "none" + // authentication method. +@@ -305,13 +292,12 @@ var errPubKeyRequired = errors.New("ssh publickey required") + // starting it afresh). It returns an error if the policy evaluation fails, or + // if the decision is "reject" + // +-// It either returns nil (accept) or errPubKeyRequired or errDenied +-// (reject). The errors may be wrapped. ++// It either returns nil (accept) or errDenied (reject). The errors may be wrapped. 
+ func (c *conn) NoClientAuthCallback(ctx ssh.Context) error { + if c.insecureSkipTailscaleAuth { + return nil + } +- if err := c.doPolicyAuth(ctx, nil /* no pub key */); err != nil { ++ if err := c.doPolicyAuth(ctx); err != nil { + return err + } + if err := c.isAuthorized(ctx); err != nil { +@@ -332,8 +318,6 @@ func (c *conn) nextAuthMethodCallback(cm gossh.ConnMetadata, prevErrors []error) + switch { + case c.anyPasswordIsOkay: + nextMethod = append(nextMethod, "password") +- case slicesx.LastEqual(prevErrors, errPubKeyRequired): +- nextMethod = append(nextMethod, "publickey") + } + + // The fake "tailscale" method is always appended to next so OpenSSH renders +@@ -353,41 +337,20 @@ func (c *conn) fakePasswordHandler(ctx ssh.Context, password string) bool { + return c.anyPasswordIsOkay + } + +-// PublicKeyHandler implements ssh.PublicKeyHandler is called by the +-// ssh.Server when the client presents a public key. +-func (c *conn) PublicKeyHandler(ctx ssh.Context, pubKey ssh.PublicKey) error { +- if err := c.doPolicyAuth(ctx, pubKey); err != nil { +- // TODO(maisem/bradfitz): surface the error here. +- c.logf("rejecting SSH public key %s: %v", bytes.TrimSpace(gossh.MarshalAuthorizedKey(pubKey)), err) +- return err +- } +- if err := c.isAuthorized(ctx); err != nil { +- return err +- } +- c.logf("accepting SSH public key %s", bytes.TrimSpace(gossh.MarshalAuthorizedKey(pubKey))) +- return nil +-} +- +-// doPolicyAuth verifies that conn can proceed with the specified (optional) +-// pubKey. It returns nil if the matching policy action is Accept or +-// HoldAndDelegate. If pubKey is nil, there was no policy match but there is a +-// policy that might match a public key it returns errPubKeyRequired. Otherwise, +-// it returns errDenied. +-func (c *conn) doPolicyAuth(ctx ssh.Context, pubKey ssh.PublicKey) error { ++// doPolicyAuth verifies that conn can proceed. ++// It returns nil if the matching policy action is Accept or ++// HoldAndDelegate. 
Otherwise, it returns errDenied. ++func (c *conn) doPolicyAuth(ctx ssh.Context) error { + if err := c.setInfo(ctx); err != nil { + c.logf("failed to get conninfo: %v", err) + return errDenied + } +- a, localUser, acceptEnv, err := c.evaluatePolicy(pubKey) ++ a, localUser, acceptEnv, err := c.evaluatePolicy() + if err != nil { +- if pubKey == nil && c.havePubKeyPolicy() { +- return errPubKeyRequired +- } + return fmt.Errorf("%w: %v", errDenied, err) + } + c.action0 = a + c.currentAction = a +- c.pubKey = pubKey + c.acceptEnv = acceptEnv + if a.Message != "" { + if err := ctx.SendAuthBanner(a.Message); err != nil { +@@ -448,7 +411,6 @@ func (srv *server) newConn() (*conn, error) { + ServerConfigCallback: c.ServerConfig, + + NoClientAuthHandler: c.NoClientAuthCallback, +- PublicKeyHandler: c.PublicKeyHandler, + PasswordHandler: c.fakePasswordHandler, + + Handler: c.handleSessionPostSSHAuth, +@@ -516,34 +478,6 @@ func (c *conn) mayForwardLocalPortTo(ctx ssh.Context, destinationHost string, de + return false + } + +-// havePubKeyPolicy reports whether any policy rule may provide access by means +-// of a ssh.PublicKey. +-func (c *conn) havePubKeyPolicy() bool { +- if c.info == nil { +- panic("havePubKeyPolicy called before setInfo") +- } +- // Is there any rule that looks like it'd require a public key for this +- // sshUser? +- pol, ok := c.sshPolicy() +- if !ok { +- return false +- } +- for _, r := range pol.Rules { +- if c.ruleExpired(r) { +- continue +- } +- if mapLocalUser(r.SSHUsers, c.info.sshUser) == "" { +- continue +- } +- for _, p := range r.Principals { +- if len(p.PubKeys) > 0 && c.principalMatchesTailscaleIdentity(p) { +- return true +- } +- } +- } +- return false +-} +- + // sshPolicy returns the SSHPolicy for current node. + // If there is no SSHPolicy in the netmap, it returns a debugPolicy + // if one is defined. 
+@@ -620,117 +554,19 @@ func (c *conn) setInfo(ctx ssh.Context) error { + } + + // evaluatePolicy returns the SSHAction and localUser after evaluating +-// the SSHPolicy for this conn. The pubKey may be nil for "none" auth. +-func (c *conn) evaluatePolicy(pubKey gossh.PublicKey) (_ *tailcfg.SSHAction, localUser string, acceptEnv []string, _ error) { ++// the SSHPolicy for this conn. ++func (c *conn) evaluatePolicy() (_ *tailcfg.SSHAction, localUser string, acceptEnv []string, _ error) { + pol, ok := c.sshPolicy() + if !ok { + return nil, "", nil, fmt.Errorf("tailssh: rejecting connection; no SSH policy") + } +- a, localUser, acceptEnv, ok := c.evalSSHPolicy(pol, pubKey) ++ a, localUser, acceptEnv, ok := c.evalSSHPolicy(pol) + if !ok { + return nil, "", nil, fmt.Errorf("tailssh: rejecting connection; no matching policy") + } + return a, localUser, acceptEnv, nil + } + +-// pubKeyCacheEntry is the cache value for an HTTPS URL of public keys (like +-// "https://github.com/foo.keys") +-type pubKeyCacheEntry struct { +- lines []string +- etag string // if sent by server +- at time.Time +-} +- +-const ( +- pubKeyCacheDuration = time.Minute // how long to cache non-empty public keys +- pubKeyCacheEmptyDuration = 15 * time.Second // how long to cache empty responses +-) +- +-func (srv *server) fetchPublicKeysURLCached(url string) (ce pubKeyCacheEntry, ok bool) { +- srv.mu.Lock() +- defer srv.mu.Unlock() +- // Mostly don't care about the size of this cache. Clean rarely. 
+- if m := srv.fetchPublicKeysCache; len(m) > 50 { +- tooOld := srv.now().Add(pubKeyCacheDuration * 10) +- for k, ce := range m { +- if ce.at.Before(tooOld) { +- delete(m, k) +- } +- } +- } +- ce, ok = srv.fetchPublicKeysCache[url] +- if !ok { +- return ce, false +- } +- maxAge := pubKeyCacheDuration +- if len(ce.lines) == 0 { +- maxAge = pubKeyCacheEmptyDuration +- } +- return ce, srv.now().Sub(ce.at) < maxAge +-} +- +-func (srv *server) pubKeyClient() *http.Client { +- if srv.pubKeyHTTPClient != nil { +- return srv.pubKeyHTTPClient +- } +- return http.DefaultClient +-} +- +-// fetchPublicKeysURL fetches the public keys from a URL. The strings are in the +-// the typical public key "type base64-string [comment]" format seen at e.g. +-// https://github.com/USER.keys +-func (srv *server) fetchPublicKeysURL(url string) ([]string, error) { +- if !strings.HasPrefix(url, "https://") { +- return nil, errors.New("invalid URL scheme") +- } +- +- ce, ok := srv.fetchPublicKeysURLCached(url) +- if ok { +- return ce.lines, nil +- } +- +- ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second) +- defer cancel() +- req, err := http.NewRequestWithContext(ctx, "GET", url, nil) +- if err != nil { +- return nil, err +- } +- if ce.etag != "" { +- req.Header.Add("If-None-Match", ce.etag) +- } +- res, err := srv.pubKeyClient().Do(req) +- if err != nil { +- return nil, err +- } +- defer res.Body.Close() +- var lines []string +- var etag string +- switch res.StatusCode { +- default: +- err = fmt.Errorf("unexpected status %v", res.Status) +- srv.logf("fetching public keys from %s: %v", url, err) +- case http.StatusNotModified: +- lines = ce.lines +- etag = ce.etag +- case http.StatusOK: +- var all []byte +- all, err = io.ReadAll(io.LimitReader(res.Body, 4<<10)) +- if s := strings.TrimSpace(string(all)); s != "" { +- lines = strings.Split(s, "\n") +- } +- etag = res.Header.Get("Etag") +- } +- +- srv.mu.Lock() +- defer srv.mu.Unlock() +- mak.Set(&srv.fetchPublicKeysCache, 
url, pubKeyCacheEntry{ +- at: srv.now(), +- lines: lines, +- etag: etag, +- }) +- return lines, err +-} +- + // handleSessionPostSSHAuth runs an SSH session after the SSH-level authentication, + // but not necessarily before all the Tailscale-level extra verification has + // completed. It also handles SFTP requests. +@@ -832,18 +668,6 @@ func (c *conn) expandDelegateURLLocked(actionURL string) string { + ).Replace(actionURL) + } + +-func (c *conn) expandPublicKeyURL(pubKeyURL string) string { +- if !strings.Contains(pubKeyURL, "$") { +- return pubKeyURL +- } +- loginName := c.info.uprof.LoginName +- localPart, _, _ := strings.Cut(loginName, "@") +- return strings.NewReplacer( +- "$LOGINNAME_EMAIL", loginName, +- "$LOGINNAME_LOCALPART", localPart, +- ).Replace(pubKeyURL) +-} +- + // sshSession is an accepted Tailscale SSH session. + type sshSession struct { + ssh.Session +@@ -894,7 +718,7 @@ func (c *conn) newSSHSession(s ssh.Session) *sshSession { + + // isStillValid reports whether the conn is still valid. 
+ func (c *conn) isStillValid() bool { +- a, localUser, _, err := c.evaluatePolicy(c.pubKey) ++ a, localUser, _, err := c.evaluatePolicy() + c.vlogf("stillValid: %+v %v %v", a, localUser, err) + if err != nil { + return false +@@ -1277,9 +1101,9 @@ func (c *conn) ruleExpired(r *tailcfg.SSHRule) bool { + return r.RuleExpires.Before(c.srv.now()) + } + +-func (c *conn) evalSSHPolicy(pol *tailcfg.SSHPolicy, pubKey gossh.PublicKey) (a *tailcfg.SSHAction, localUser string, acceptEnv []string, ok bool) { ++func (c *conn) evalSSHPolicy(pol *tailcfg.SSHPolicy) (a *tailcfg.SSHAction, localUser string, acceptEnv []string, ok bool) { + for _, r := range pol.Rules { +- if a, localUser, acceptEnv, err := c.matchRule(r, pubKey); err == nil { ++ if a, localUser, acceptEnv, err := c.matchRule(r); err == nil { + return a, localUser, acceptEnv, true + } + } +@@ -1296,7 +1120,7 @@ var ( + errInvalidConn = errors.New("invalid connection state") + ) + +-func (c *conn) matchRule(r *tailcfg.SSHRule, pubKey gossh.PublicKey) (a *tailcfg.SSHAction, localUser string, acceptEnv []string, err error) { ++func (c *conn) matchRule(r *tailcfg.SSHRule) (a *tailcfg.SSHAction, localUser string, acceptEnv []string, err error) { + defer func() { + c.vlogf("matchRule(%+v): %v", r, err) + }() +@@ -1326,9 +1150,7 @@ func (c *conn) matchRule(r *tailcfg.SSHRule, pubKey gossh.PublicKey) (a *tailcfg + return nil, "", nil, errUserMatch + } + } +- if ok, err := c.anyPrincipalMatches(r.Principals, pubKey); err != nil { +- return nil, "", nil, err +- } else if !ok { ++ if !c.anyPrincipalMatches(r.Principals) { + return nil, "", nil, errPrincipalMatch + } + return r.Action, localUser, r.AcceptEnv, nil +@@ -1345,30 +1167,20 @@ func mapLocalUser(ruleSSHUsers map[string]string, reqSSHUser string) (localUser + return v + } + +-func (c *conn) anyPrincipalMatches(ps []*tailcfg.SSHPrincipal, pubKey gossh.PublicKey) (bool, error) { ++func (c *conn) anyPrincipalMatches(ps []*tailcfg.SSHPrincipal) bool { + for _, p := range 
ps { + if p == nil { + continue + } +- if ok, err := c.principalMatches(p, pubKey); err != nil { +- return false, err +- } else if ok { +- return true, nil ++ if c.principalMatchesTailscaleIdentity(p) { ++ return true + } + } +- return false, nil +-} +- +-func (c *conn) principalMatches(p *tailcfg.SSHPrincipal, pubKey gossh.PublicKey) (bool, error) { +- if !c.principalMatchesTailscaleIdentity(p) { +- return false, nil +- } +- return c.principalMatchesPubKey(p, pubKey) ++ return false + } + + // principalMatchesTailscaleIdentity reports whether one of p's four fields + // that match the Tailscale identity match (Node, NodeIP, UserLogin, Any). +-// This function does not consider PubKeys. + func (c *conn) principalMatchesTailscaleIdentity(p *tailcfg.SSHPrincipal) bool { + ci := c.info + if p.Any { +@@ -1388,42 +1200,6 @@ func (c *conn) principalMatchesTailscaleIdentity(p *tailcfg.SSHPrincipal) bool { + return false + } + +-func (c *conn) principalMatchesPubKey(p *tailcfg.SSHPrincipal, clientPubKey gossh.PublicKey) (bool, error) { +- if len(p.PubKeys) == 0 { +- return true, nil +- } +- if clientPubKey == nil { +- return false, nil +- } +- knownKeys := p.PubKeys +- if len(knownKeys) == 1 && strings.HasPrefix(knownKeys[0], "https://") { +- var err error +- knownKeys, err = c.srv.fetchPublicKeysURL(c.expandPublicKeyURL(knownKeys[0])) +- if err != nil { +- return false, err +- } +- } +- for _, knownKey := range knownKeys { +- if pubKeyMatchesAuthorizedKey(clientPubKey, knownKey) { +- return true, nil +- } +- } +- return false, nil +-} +- +-func pubKeyMatchesAuthorizedKey(pubKey ssh.PublicKey, wantKey string) bool { +- wantKeyType, rest, ok := strings.Cut(wantKey, " ") +- if !ok { +- return false +- } +- if pubKey.Type() != wantKeyType { +- return false +- } +- wantKeyB64, _, _ := strings.Cut(rest, " ") +- wantKeyData, _ := base64.StdEncoding.DecodeString(wantKeyB64) +- return len(wantKeyData) > 0 && bytes.Equal(pubKey.Marshal(), wantKeyData) +-} +- + func randBytes(n int) 
[]byte { + b := make([]byte, n) + if _, err := rand.Read(b); err != nil { +@@ -1749,7 +1525,6 @@ func envEq(a, b string) bool { + var ( + metricActiveSessions = clientmetric.NewGauge("ssh_active_sessions") + metricIncomingConnections = clientmetric.NewCounter("ssh_incoming_connections") +- metricPublicKeyAccepts = clientmetric.NewCounter("ssh_publickey_accepts") // accepted subset of ssh_publickey_connections + metricTerminalAccept = clientmetric.NewCounter("ssh_terminalaction_accept") + metricTerminalReject = clientmetric.NewCounter("ssh_terminalaction_reject") + metricTerminalMalformed = clientmetric.NewCounter("ssh_terminalaction_malformed") +diff --git a/ssh/tailssh/tailssh_test.go b/ssh/tailssh/tailssh_test.go +index ad9cb1e57b53d..9f3616d8ca8ab 100644 +--- a/ssh/tailssh/tailssh_test.go ++++ b/ssh/tailssh/tailssh_test.go +@@ -10,7 +10,6 @@ import ( + "context" + "crypto/ed25519" + "crypto/rand" +- "crypto/sha256" + "encoding/json" + "errors" + "fmt" +@@ -229,7 +228,7 @@ func TestMatchRule(t *testing.T) { + info: tt.ci, + srv: &server{logf: t.Logf}, + } +- got, gotUser, gotAcceptEnv, err := c.matchRule(tt.rule, nil) ++ got, gotUser, gotAcceptEnv, err := c.matchRule(tt.rule) + if err != tt.wantErr { + t.Errorf("err = %v; want %v", err, tt.wantErr) + } +@@ -348,7 +347,7 @@ func TestEvalSSHPolicy(t *testing.T) { + info: tt.ci, + srv: &server{logf: t.Logf}, + } +- got, gotUser, gotAcceptEnv, match := c.evalSSHPolicy(tt.policy, nil) ++ got, gotUser, gotAcceptEnv, match := c.evalSSHPolicy(tt.policy) + if match != tt.wantMatch { + t.Errorf("match = %v; want %v", match, tt.wantMatch) + } +@@ -1129,89 +1128,6 @@ func parseEnv(out []byte) map[string]string { + return e + } + +-func TestPublicKeyFetching(t *testing.T) { +- var reqsTotal, reqsIfNoneMatchHit, reqsIfNoneMatchMiss int32 +- ts := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { +- atomic.AddInt32((&reqsTotal), 1) +- etag := fmt.Sprintf("W/%q", 
sha256.Sum256([]byte(r.URL.Path))) +- w.Header().Set("Etag", etag) +- if v := r.Header.Get("If-None-Match"); v != "" { +- if v == etag { +- atomic.AddInt32(&reqsIfNoneMatchHit, 1) +- w.WriteHeader(304) +- return +- } +- atomic.AddInt32(&reqsIfNoneMatchMiss, 1) +- } +- io.WriteString(w, "foo\nbar\n"+string(r.URL.Path)+"\n") +- })) +- ts.StartTLS() +- defer ts.Close() +- keys := ts.URL +- +- clock := &tstest.Clock{} +- srv := &server{ +- pubKeyHTTPClient: ts.Client(), +- timeNow: clock.Now, +- } +- for range 2 { +- got, err := srv.fetchPublicKeysURL(keys + "/alice.keys") +- if err != nil { +- t.Fatal(err) +- } +- if want := []string{"foo", "bar", "/alice.keys"}; !reflect.DeepEqual(got, want) { +- t.Errorf("got %q; want %q", got, want) +- } +- } +- if got, want := atomic.LoadInt32(&reqsTotal), int32(1); got != want { +- t.Errorf("got %d requests; want %d", got, want) +- } +- if got, want := atomic.LoadInt32(&reqsIfNoneMatchHit), int32(0); got != want { +- t.Errorf("got %d etag hits; want %d", got, want) +- } +- clock.Advance(5 * time.Minute) +- got, err := srv.fetchPublicKeysURL(keys + "/alice.keys") +- if err != nil { +- t.Fatal(err) +- } +- if want := []string{"foo", "bar", "/alice.keys"}; !reflect.DeepEqual(got, want) { +- t.Errorf("got %q; want %q", got, want) +- } +- if got, want := atomic.LoadInt32(&reqsTotal), int32(2); got != want { +- t.Errorf("got %d requests; want %d", got, want) +- } +- if got, want := atomic.LoadInt32(&reqsIfNoneMatchHit), int32(1); got != want { +- t.Errorf("got %d etag hits; want %d", got, want) +- } +- if got, want := atomic.LoadInt32(&reqsIfNoneMatchMiss), int32(0); got != want { +- t.Errorf("got %d etag misses; want %d", got, want) +- } +- +-} +- +-func TestExpandPublicKeyURL(t *testing.T) { +- c := &conn{ +- info: &sshConnInfo{ +- uprof: tailcfg.UserProfile{ +- LoginName: "bar@baz.tld", +- }, +- }, +- } +- if got, want := c.expandPublicKeyURL("foo"), "foo"; got != want { +- t.Errorf("basic: got %q; want %q", got, want) +- } +- if 
got, want := c.expandPublicKeyURL("https://example.com/$LOGINNAME_LOCALPART.keys"), "https://example.com/bar.keys"; got != want { +- t.Errorf("localpart: got %q; want %q", got, want) +- } +- if got, want := c.expandPublicKeyURL("https://example.com/keys?email=$LOGINNAME_EMAIL"), "https://example.com/keys?email=bar@baz.tld"; got != want { +- t.Errorf("email: got %q; want %q", got, want) +- } +- c.info = new(sshConnInfo) +- if got, want := c.expandPublicKeyURL("https://example.com/keys?email=$LOGINNAME_EMAIL"), "https://example.com/keys?email="; got != want { +- t.Errorf("on empty: got %q; want %q", got, want) +- } +-} +- + func TestAcceptEnvPair(t *testing.T) { + tests := []struct { + in string +diff --git a/tailcfg/tailcfg.go b/tailcfg/tailcfg.go +index 897e8d27f7f7b..be6c4f0be6b82 100644 +--- a/tailcfg/tailcfg.go ++++ b/tailcfg/tailcfg.go +@@ -152,7 +152,8 @@ type CapabilityVersion int + // - 107: 2024-10-30: add App Connector to conffile (PR #13942) + // - 108: 2024-11-08: Client sends ServicesHash in Hostinfo, understands c2n GET /vip-services. + // - 109: 2024-11-18: Client supports filtertype.Match.SrcCaps (issue #12542) +-const CurrentCapabilityVersion CapabilityVersion = 109 ++// - 110: 2024-12-12: removed never-before-used Tailscale SSH public key support (#14373) ++const CurrentCapabilityVersion CapabilityVersion = 110 + + type StableID string + +@@ -2525,16 +2526,13 @@ type SSHPrincipal struct { + Any bool `json:"any,omitempty"` // if true, match any connection + // TODO(bradfitz): add StableUserID, once that exists + +- // PubKeys, if non-empty, means that this SSHPrincipal only +- // matches if one of these public keys is presented by the user. ++ // UnusedPubKeys was public key support. It never became an official product ++ // feature and so as of 2024-12-12 is being removed. ++ // This stub exists to remind us not to re-use the JSON field name "pubKeys" ++ // in the future if we bring it back with different semantics. 
+ // +- // As a special case, if len(PubKeys) == 1 and PubKeys[0] starts +- // with "https://", then it's fetched (like https://github.com/username.keys). +- // In that case, the following variable expansions are also supported +- // in the URL: +- // * $LOGINNAME_EMAIL ("foo@bar.com" or "foo@github") +- // * $LOGINNAME_LOCALPART (the "foo" from either of the above) +- PubKeys []string `json:"pubKeys,omitempty"` ++ // Deprecated: do not use. It does nothing. ++ UnusedPubKeys []string `json:"pubKeys,omitempty"` + } + + // SSHAction is how to handle an incoming connection. +diff --git a/tailcfg/tailcfg_clone.go b/tailcfg/tailcfg_clone.go +index f4f02c01721dc..bf9bac2980df9 100644 +--- a/tailcfg/tailcfg_clone.go ++++ b/tailcfg/tailcfg_clone.go +@@ -556,17 +556,17 @@ func (src *SSHPrincipal) Clone() *SSHPrincipal { + } + dst := new(SSHPrincipal) + *dst = *src +- dst.PubKeys = append(src.PubKeys[:0:0], src.PubKeys...) ++ dst.UnusedPubKeys = append(src.UnusedPubKeys[:0:0], src.UnusedPubKeys...) + return dst + } + + // A compilation failure here means this code must be regenerated, with the command at the top of this file. + var _SSHPrincipalCloneNeedsRegeneration = SSHPrincipal(struct { +- Node StableNodeID +- NodeIP string +- UserLogin string +- Any bool +- PubKeys []string ++ Node StableNodeID ++ NodeIP string ++ UserLogin string ++ Any bool ++ UnusedPubKeys []string + }{}) + + // Clone makes a deep copy of ControlDialPlan. 
+diff --git a/tailcfg/tailcfg_view.go b/tailcfg/tailcfg_view.go +index f275a6a9da5f2..6c21e5f450340 100644 +--- a/tailcfg/tailcfg_view.go ++++ b/tailcfg/tailcfg_view.go +@@ -1260,19 +1260,21 @@ func (v *SSHPrincipalView) UnmarshalJSON(b []byte) error { + return nil + } + +-func (v SSHPrincipalView) Node() StableNodeID { return v.ж.Node } +-func (v SSHPrincipalView) NodeIP() string { return v.ж.NodeIP } +-func (v SSHPrincipalView) UserLogin() string { return v.ж.UserLogin } +-func (v SSHPrincipalView) Any() bool { return v.ж.Any } +-func (v SSHPrincipalView) PubKeys() views.Slice[string] { return views.SliceOf(v.ж.PubKeys) } ++func (v SSHPrincipalView) Node() StableNodeID { return v.ж.Node } ++func (v SSHPrincipalView) NodeIP() string { return v.ж.NodeIP } ++func (v SSHPrincipalView) UserLogin() string { return v.ж.UserLogin } ++func (v SSHPrincipalView) Any() bool { return v.ж.Any } ++func (v SSHPrincipalView) UnusedPubKeys() views.Slice[string] { ++ return views.SliceOf(v.ж.UnusedPubKeys) ++} + + // A compilation failure here means this code must be regenerated, with the command at the top of this file. + var _SSHPrincipalViewNeedsRegeneration = SSHPrincipal(struct { +- Node StableNodeID +- NodeIP string +- UserLogin string +- Any bool +- PubKeys []string ++ Node StableNodeID ++ NodeIP string ++ UserLogin string ++ Any bool ++ UnusedPubKeys []string + }{}) + + // View returns a readonly view of ControlDialPlan. diff --git a/fix-CVE-2025-22869.patch b/fix-CVE-2025-22869.patch new file mode 100644 index 0000000..001df0a --- /dev/null +++ b/fix-CVE-2025-22869.patch 
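Review bot: Removing `principalMatchesPubKey` makes any policy rule whose principal still carries `pubKeys` match on Tailscale identity alone: the deleted code returned false for such a principal when no client key was presented, while the new `anyPrincipalMatches` in ssh/tailssh/tailssh.go consults only `principalMatchesTailscaleIdentity`, and `UnusedPubKeys` keeps the `json:"pubKeys,omitempty"` tag so such rules still decode; a previously key-restricted rule therefore fails open, with only the CapabilityVersion bump to 110 relied on to stop control from sending them. A fail-closed variant is one line at the top of the loop body in `anyPrincipalMatches`: `if len(p.UnusedPubKeys) > 0 { continue } // key-restricted principals can no longer be satisfied; never widen them`. Separately, upstream commit 73128e2 is dated 2024-12-12 while this package builds v1.82.0, so the patch is probably already contained in the tarball; tailscale.spec is outside this view, so check whether it is still applied and drop the file if it is redundant. The x/crypto side of CVE-2024-45337 is closed by golang.org/x/crypto v0.31.0 or later, which the go.mod in this series already exceeds.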
@@ -0,0 +1,80 @@ +diff -rub tailscale-1.82.0/go.mod tailscale-1.82.0-patched/go.mod +--- tailscale-1.82.0/go.mod 2025-03-26 20:26:55.000000000 +0100 ++++ tailscale-1.82.0-patched/go.mod 2025-03-26 22:23:51.011357984 +0100 +@@ -94,14 +94,14 @@ + go.uber.org/zap v1.27.0 + go4.org/mem v0.0.0-20240501181205-ae6ca9944745 + go4.org/netipx v0.0.0-20231129151722-fdeea329fbba +- golang.org/x/crypto v0.35.0 ++ golang.org/x/crypto v0.36.0 + golang.org/x/exp v0.0.0-20250210185358-939b2ce775ac + golang.org/x/mod v0.23.0 + golang.org/x/net v0.36.0 + golang.org/x/oauth2 v0.26.0 +- golang.org/x/sync v0.11.0 +- golang.org/x/sys v0.30.0 +- golang.org/x/term v0.29.0 ++ golang.org/x/sync v0.12.0 ++ golang.org/x/sys v0.31.0 ++ golang.org/x/term v0.30.0 + golang.org/x/time v0.10.0 + golang.org/x/tools v0.30.0 + golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 +@@ -382,7 +382,7 @@ + go.uber.org/multierr v1.11.0 // indirect + golang.org/x/exp/typeparams v0.0.0-20240314144324-c7f7c6466f7f // indirect + golang.org/x/image v0.24.0 // indirect +- golang.org/x/text v0.22.0 // indirect ++ golang.org/x/text v0.23.0 // indirect + gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect + google.golang.org/protobuf v1.35.1 // indirect + gopkg.in/inf.v0 v0.9.1 // indirect +diff -rub tailscale-1.82.0/go.sum tailscale-1.82.0-patched/go.sum +--- tailscale-1.82.0/go.sum 2025-03-26 20:26:55.000000000 +0100 ++++ tailscale-1.82.0-patched/go.sum 2025-03-26 22:24:39.260395929 +0100 +@@ -1047,6 +1047,8 @@ + golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= + golang.org/x/crypto v0.35.0 h1:b15kiHdrGCHrP6LvwaQ3c03kgNhhiMgvlhxHQhmg2Xs= + golang.org/x/crypto v0.35.0/go.mod h1:dy7dXNW32cAb/6/PRuTNsix8T+vJAqvuIy5Bli/x0YQ= ++golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34= ++golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc= + golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod 
h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= + golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= + golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= +@@ -1160,6 +1162,8 @@ + golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= + golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w= + golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= ++golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw= ++golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA= + golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= + golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= + golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +@@ -1220,6 +1224,8 @@ + golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= + golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc= + golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= ++golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik= ++golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= + golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= + golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= + golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +@@ -1228,6 +1234,8 @@ + golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= + golang.org/x/term v0.29.0 h1:L6pJp37ocefwRRtYPKSWOWzOtWSxVajvz2ldH/xi3iU= + golang.org/x/term v0.29.0/go.mod h1:6bl4lRlvVuDgSf3179VpIxBF0o10JUpXWOnI7nErv7s= 
++golang.org/x/term v0.30.0 h1:PQ39fJZ+mfadBm0y5WlL4vlM7Sx1Hgf13sMIY2+QS9Y= ++golang.org/x/term v0.30.0/go.mod h1:NYYFdzHoI5wRh/h5tDMdMqCqPJZEuNqVR5xJLd/n67g= + golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= + golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= + golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +@@ -1240,6 +1248,8 @@ + golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= + golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM= + golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY= ++golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY= ++golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4= + golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= + golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= + golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +Only in tailscale-1.82.0-patched: vendor diff --git a/tailscale-1.70.0.tar.gz b/tailscale-1.70.0.tar.gz new file mode 100644 index 0000000..66e7c90 --- /dev/null +++ b/tailscale-1.70.0.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:294d6df3f4585152bd612eed9b34a6c2062589c8989f86ee25e750c37164fcd5 +size 55014834 diff --git a/tailscale-1.72.1.tar.gz b/tailscale-1.72.1.tar.gz new file mode 100644 index 0000000..ea2e024 --- /dev/null +++ b/tailscale-1.72.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:03e15ea076362eda1a44712351ba2a19bf746970fee8ddc4013513a07337cbe0 +size 11331158 diff --git a/tailscale-1.74.0.tar.gz b/tailscale-1.74.0.tar.gz new file mode 100644 index 0000000..7923deb --- /dev/null 
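Review bot: The bumps in this patch only reach the built binary if the separately shipped vendor tree agrees with them; the patch's last line, `Only in tailscale-1.82.0-patched: vendor`, shows the vendor directory was refreshed outside the patch, and the spec applies the patch with `%autosetup -a1 -p1` while unpacking `vendor.tar.gz` as a distinct source. When the build runs in vendor mode, a `vendor/modules.txt` that still records `golang.org/x/crypto v0.35.0` is rejected as inconsistent vendoring, so a stale tarball fails loudly rather than silently, but nothing on the page records which vendor tarball revision carries v0.36.0. I would add a line under `%check` such as `grep -q 'golang.org/x/crypto v0.36.0' vendor/modules.txt` (or a note in this patch's header naming the paired vendor.tar.gz revision) so the CVE-2025-22869 fix stays verifiable from the package sources alone.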
+++ b/tailscale-1.74.0.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:65adec42c6b6c42a107d63b5c9eb2c10ae0e87f4d701aa5e35c4e31a81bcd381 +size 11323679 diff --git a/tailscale-1.74.1.tar.gz b/tailscale-1.74.1.tar.gz new file mode 100644 index 0000000..8fc3351 --- /dev/null +++ b/tailscale-1.74.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:7357c9fe3b0dabbb35847d8181f8500007299ec93586c23cd1c50af4183ccd19 +size 11462868 diff --git a/tailscale-1.76.1.tar.gz b/tailscale-1.76.1.tar.gz new file mode 100644 index 0000000..1b472c5 --- /dev/null +++ b/tailscale-1.76.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:87ebf950ec15274f6e7105acfe3d5565ea39bfc7cdd9762248df26da9874d9fc +size 11842133 diff --git a/tailscale-1.76.3.tar.gz b/tailscale-1.76.3.tar.gz new file mode 100644 index 0000000..2352b3a --- /dev/null +++ b/tailscale-1.76.3.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:dab7ef3240df51e7b51238d4239822ac8dec8106282acf1f07208bd699da99b7 +size 12050220 diff --git a/tailscale-1.76.6.tar.gz b/tailscale-1.76.6.tar.gz new file mode 100644 index 0000000..b019ce8 --- /dev/null +++ b/tailscale-1.76.6.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:627769855263d35d26e3b855efdf79167d42f08a3087f5a678b7aa5298e30a72 +size 12438906 diff --git a/tailscale-1.78.1.tar.gz b/tailscale-1.78.1.tar.gz new file mode 100644 index 0000000..b417f1f --- /dev/null +++ b/tailscale-1.78.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a035f99f9bdc8c0a3de278a538c1e8df1e886d8f2bfe0bd4567a3c2850e31d48 +size 11935577 diff --git a/tailscale-1.78.3.tar.gz b/tailscale-1.78.3.tar.gz new file mode 100644 index 0000000..74d8c18 --- /dev/null +++ b/tailscale-1.78.3.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1b10020e1b94fce5556f7ef67e5bd529fd1a209dcb7694bf13c1edafbce097cd +size 12121603 
diff --git a/tailscale-1.80.0.tar.gz b/tailscale-1.80.0.tar.gz new file mode 100644 index 0000000..6d803bb --- /dev/null +++ b/tailscale-1.80.0.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3c7a09a5a96c0c21f70aa4e1a1a934c8d5b1ef3db80e8aab98d53ee664585277 +size 12573438 diff --git a/tailscale-1.80.1.tar.gz b/tailscale-1.80.1.tar.gz new file mode 100644 index 0000000..c2e8626 --- /dev/null +++ b/tailscale-1.80.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:41d9c077b27685e7ded4bb59d443921a72aa3efdfeff313ad78f361cc8b0a794 +size 13209056 diff --git a/tailscale-1.80.2.tar.gz b/tailscale-1.80.2.tar.gz new file mode 100644 index 0000000..f9501a9 --- /dev/null +++ b/tailscale-1.80.2.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:46af9a3dcb6d7a82af189f6c4d45fce5a98aaab64d7877dcbe8dc9202ab892ae +size 13465507 diff --git a/tailscale-1.80.3.tar.gz b/tailscale-1.80.3.tar.gz new file mode 100644 index 0000000..3f01878 --- /dev/null +++ b/tailscale-1.80.3.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8cfab48a1a40bc27445bc1aea0daedc7c1147a1ee61fe3abbf32c1eb8acaca33 +size 13706235 diff --git a/tailscale-1.82.0.tar.gz b/tailscale-1.82.0.tar.gz new file mode 100644 index 0000000..de88954 --- /dev/null +++ b/tailscale-1.82.0.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:47b58b296b0ff02b4368fbb0040d3b46fa42643389ea3a0171c3ad1850b4b52d +size 13176999 diff --git a/tailscale.changes b/tailscale.changes new file mode 100644 index 0000000..ad2bb7e --- /dev/null +++ b/tailscale.changes 
@@ -0,0 +1,492 @@
+-------------------------------------------------------------------
+Thu Mar 27 19:50:58 UTC 2025 - Richard Rahl
+
+- update to 1.82.0:
+ * DERP functionality within the client supports certificate pinning for
+ self-signed IP address certificates for those unable to use Let's Encrypt
+ or WebPKI certificates.
+ * Go is updated to version 1.24.1
+ * NAT traversal code uses the DERP connection that a packet arrived on as an
+ ultimate fallback route if no other information is available
+ * Captive portal detection reliability is improved on some in-flight Wi-Fi networks
+ * Port mapping success rate is improved
+ * Helsinki is added as a DERP region.
+
+-------------------------------------------------------------------
+Wed Mar 12 09:07:49 UTC 2025 - Richard Rahl
+
+- add patch fix-CVE-2025-22869.patch, fixes bsc#1239353
+
+-------------------------------------------------------------------
+Tue Mar 4 13:42:34 UTC 2025 - Richard Rahl
+
+- update to 1.80.3:
+ * appc: fix a deadlock in route advertisements
+ * client/web: fix CSRF handler order in web UI
+
+-------------------------------------------------------------------
+Thu Feb 13 14:30:28 UTC 2025 - Richard Rahl
+
+- update to 1.80.2:
+ * Use ip:country as a geolocation device posture attribute (generally available).
+
+-------------------------------------------------------------------
+Thu Feb 6 19:52:22 UTC 2025 - Richard Rahl
+
+- update to 1.80.1:
+ * net/netmon: add extra panic guard around ParseRIB
+
+-------------------------------------------------------------------
+Fri Jan 31 17:20:29 UTC 2025 - Richard Rahl
+
+- update to 1.80.0:
+ * Hostname system policy is added for overriding the device hostname
+ configured by the operating system, using an MDM solution.
+ * Web interface displays a Login button instead of the Reauthenticate button
+ when adding a new device to your tailnet.
+ * Tailscale Funnel configuration on devices displays errors when incoming
+ connections are not permitted and connections are disallowed.
+ * Connections to a custom coordination server that does not support HTTPS
+ will no longer fail when a custom port number is specified.
+ * TLS certificate requests from Let’s Encrypt include the device's DNS name
+ in the CSR’s SAN extension and set the Common Name field.
+ * Tailscale Funnel disabled on a device no longer displays enabled in the
+ admin console.
+ * GitHub username change automatically updates tailnet name
+ * 4via6 subnet routers GA
+ * Auto approvers GA
+ * Node attributes GA
+ * Download invoices GA
+ * Fast user switching GA
+ * Configuration log streaming integration with S3 buckets GA
+ * Network flow log streaming integration with S3 buckets GA
+ * NextDNS profiles per device GA
+ * GitHub secret scanning
+- remove fix-CVE-2024-45337.patch, as it's now included
+
+-------------------------------------------------------------------
+Wed Dec 18 17:33:23 UTC 2024 - Richard Rahl
+
+- add patch fix-CVE-2024-45337.patch, to circumevent a possibility
+ of exploiting the golang-x-crypto security hole. (fix #1234506)
+
+-------------------------------------------------------------------
+Fri Dec 13 05:06:26 UTC 2024 - Richard Rahl
+
+- update to 1.78.3:
+ * cmd/containerboot: fix nil pointer exception
+ * hostinfo: fix testing in container
+
+-------------------------------------------------------------------
+Fri Dec 6 01:22:05 UTC 2024 - Richard Rahl
+
+- update to 1.78.1:
+ * health: fix TestHealthMetric
+
+-------------------------------------------------------------------
+Thu Dec 5 22:10:32 UTC 2024 - Richard Rahl
+
+- update to 1.78.0:
+ * Client metrics have been added, to provide insights into Tailscale client
+ behavior, health, and performance.
+ * tailscale metrics command has been added, to expose and collect client
+ metrics for use with third-party monitoring systems.
+ * tailscale syspolicy command has been added, to list system policies, reload
+ system policies, or view errors related to the system policies configured
+ on the device.
+ * Tailscale system policies are applied immediately when pushed via mobile
+ device management (MDM) or Group Policy, without requiring a client restart.
+ * Tailscale SSH session recording detects the disappearance of the recorder
+ node sooner. This fix addresses a security vulnerability described
+ in TS-2024-013.
+ * New scopes for OAuth clients have been added with more granular permissions.
+ Existing OAuth clients using the previous set of scopes, and keys generated
+ using these clients, are still valid.
+
+-------------------------------------------------------------------
+Fri Nov 8 03:46:50 UTC 2024 - Richard Rahl
+
+- update to 1.76.6:
+ * Logging for when clients move home DERP regions is improved.
+ * Tailscale clients no longer move their home DERP server prematurely in
+ response to unusual latency at very specific times.
+
+-------------------------------------------------------------------
+Tue Oct 22 18:34:42 UTC 2024 - Richard Rahl
+
+- update to 1.76.3:
+ * no relevant changelog
+- update to 1.76.2:
+ * no relevant changelog
+- switch over to the new %{default_fw_backend} macro
+- create old init file only for < leap 16
+
+-------------------------------------------------------------------
+Wed Oct 16 20:40:31 UTC 2024 - Richard Rahl
+
+- update to 1.76.1:
+ * tailscale netcheck CLI command no longer crashes when performing diagnostics
+ on networks lacking UDP connectivity.
+ * Improperly formatted SERVFAIL responses no longer cause DNS timeouts when using an exit node.
+ * dbus login sessions no longer fail on systems where /bin/login is missing.
+
+-------------------------------------------------------------------
+Mon Oct 14 13:06:13 UTC 2024 - Alexandre Vicenzi
+
+- Require a firewall backend (boo#1228829)
+- Add simple test check to ensure binaries are working
+
+-------------------------------------------------------------------
+Fri Oct 11 06:07:28 UTC 2024 - Richard Rahl
+
+- update to 1.76.0:
+ * Clients lacking UDP connectivity no longer skip performing fallback latency
+ measurements with DERP servers.
+ * Warnings no longer display unnecessarily.
+ * Tailscale connectivity on in-flight internet on airplanes (such as Alaska Airlines) no longer fails.
+ * Service-related processes no longer run unnecessarily when services are disabled on the tailnet.
+ * Error messages include explanations in addition to the HTTP status code.
+ * Tailscale SSH supports sending environment variables to hosts. It's also possible to specify
+ permitted environment variables using the acceptEnv field.
+ * Tailscale SSH no longer breaks some terminal applications by omitting pixel width and height when
+ resizing the application window.
+
+-------------------------------------------------------------------
+Sat Sep 21 05:28:42 UTC 2024 - Eric Torres
+
+- Change path of zsh completion file to make zsh properly recognize completions
+ * /usr/share/zsh/site-functions/tailscale moved to /usr/share/zsh/site-functions/_tailscale
+
+-------------------------------------------------------------------
+Wed Sep 18 19:10:19 UTC 2024 - Richard Rahl
+
+- update to 1.74.1:
+ * wgengine/magicsock: disable raw disco by default; add envknob to enable
+
+-------------------------------------------------------------------
+Fri Sep 13 10:48:17 UTC 2024 - Richard Rahl
+
+- update to 1.74.0
+ * AuthKey system policy can be used to authenticate a device with Tailscale using an MDM solution.
+ * tailscale dns CLI command is added for accessing Tailscale DNS settings and status.
+ * Tailnet Lock long rotation signatures are truncated automatically to avoid excessive growth.
+ * Log In option in the client works as expected.
+ * TCP generic receive offload (GRO) support is added for improved userspace mode throughput.
+ * TCP generic segmentation offload (GSO) is re-introduced for supporting improved userspace mode throughput.
+ This was initially introduced in Tailscale v1.72.0 and then rolled back in v1.72.1.
+ * Device posture integration with CrowdStrike Falcon can now use MAC addresses to match devices that lack serial numbers.
+ When Falcon integration is configured, Device Identity Collection will automatically collect MAC addresses.
+
+-------------------------------------------------------------------
+Thu Aug 22 22:08:51 UTC 2024 - Richard Rahl
+
+- update to 1.72.1:
+ * DNS over TCP failures when querying the Tailscale-internal resolver are fixed.
+
+-------------------------------------------------------------------
+Wed Aug 21 16:05:02 UTC 2024 - rrahl0@opensuse.org
+
+- Update to version 1.72.0:
+ * posture: deduplicate MAC addresses before returning them
+ * health/dns: reduce severity of DNS unavailable warning
+ * safeweb: add Server.Close method
+ * go.mod.sri: update SRI hash for go.mod changes
+ * go.{mod,sum}: migrate from nhooyr.io/websocket to github.com/coder/websocket
+ * cmd/viewer: add support for map-like container types
+- update golang(API) to 1.23
+- export version variables, to circumvent a bug
+
+-------------------------------------------------------------------
+Thu Jul 18 06:31:58 UTC 2024 - Richard Rahl
+
+- update to 1.70.0:
+ * New: Restrict recommended and automatically selected exit nodes using the
+ new AllowedSuggestedExitNodes system policy. Applies only to platforms that
+ support system policies.
+ * Changed: Improved NAT traversal for some uncommon scenarios.
+ * Changed: Optimized sending firewall rules to clients more efficiently.
+ * Fixed: Exit node suggestion CLI command now prints the hostname.
+ * Fixed: Taildrive share paths configured through the CLI resolve relative
+ to where you run the tailscale command.
+
+-------------------------------------------------------------------
+Tue Jul 2 20:35:35 UTC 2024 - Richard Rahl
+
+- update to 1.68.2:
+ * Fixed: Tailnet lock validation of rotation signatures now permits multiple nodes
+ signed by the same pre-signed reusable auth key.
+
+-------------------------------------------------------------------
+Sun Jun 16 13:30:20 UTC 2024 - Richard Rahl
+
+- update to 1.68.1:
+ * Fixed: 4via6 subnet router advertisement works as expected.
+ * Fixed: Tailscale SSH access to Security-Enhanced Linux (SELinux) machines works as expected.
+- update to 1.68.0:
+ * New: Auto-updates are allowed in containers, but ignore the tailnet-wide default
+ * New: Apply auto-updates even if the node is down or disconnected from the coordination server.
+ * New: tailscale lock status now prints the node's signature.
+
+-------------------------------------------------------------------
+Wed May 22 08:36:37 UTC 2024 - Richard Rahl
+
+- update to 1.66.4:
+ * Fixed: Restored UDP connectivity through Mullvad exit nodes
+ * Stateful filtering is now off by default
+
+- update to 1.66.3:
+ * Login URLs did not always appear in the console when running tailscale up
+ * Starting with v1.66, the Kubernetes operator must always run the same or later version
+ as the proxies it manages.
+ * Expose cloud services on cluster network to the tailnet, using Kubernetes ExternalName Services
+ * Expose tailnet services that use Tailscale HTTPS to cluster workloads
+ * Cluster workloads can now refer to Tailscale Ingress resources by their MagicDNS names
+ * Configure environment variables for Tailscale Kubernetes operator proxies using ProxyClass CRD
+ * Expose tailscaled metrics endpoint for Tailscale Kubernetes operator proxies through ProxyClass CRD
+ * Configure labels for the Kubernetes operator Pods with Helm chart values
+ * Configure affinity rules for Kubernetes operator proxy Pods with ProxyClass
+ * Kubernetes operator proxy init container no longer attempts to enable IPv6 forwarding on systems
+ that don't have IPv6 module loaded
+ * Tailscale containers running on Kubernetes no longer error if an empty Kubernetes Secret is
+ pre-created for the tailscaled state
+ * Improved the ambiguous error messages when Tailscale running on Kubernetes does not have the right
+ permissions to perform actions against the tailscaled state Secret
+
+-------------------------------------------------------------------
+Fri May 10 15:16:33 UTC 2024 - Richard Rahl
+
+- update to 1.66.1:
+ * Resolved issues with nftables rules for stateful filtering,
+ introduced in v1.66.0.
+ * tailscale set command flags --netfilter-mode, --snat-subnet-routes,
+ and --stateful-filtering are added.
+
+- update to 1.66.0:
+ * Implemented client-side quarantining for shared-in exit nodes,
+ as a mitigation for a security vulnerability described in TS-2024-005.
+ * Use the --stateful-filtering flag for the tailscale up to enable stateful filtering for
+ subnet routers and exit nodes, as a mitigation for a security vulnerability described
+ in TS-2024-005.
+ * Added tab completions
+ * Use the tailscale exit-node suggest command to automatically pick an available exit node
+ that is likely to perform best.
+ * Site-to-site networking now also requires --stateful-filtering=false in addition to
+ --snat-subnet-routes=false on new subnet routers. Existing subnet routers with --snat-subnet-routes=false
+ will default to --stateful-filtering=false.
+
+- update to 1.64.2:
+ * nothing relevant for linux
+
+- update to 1.64.1:
+ * nothing relevant for linux
+
+- update to 1.64.0:
+ * New: tailscale configure kubeconfig now respects KUBECONFIG environment variable.
+ * Fixed: tailscale configure kubeconfig now works with partially empty kubeconfig.
+ * Fixed: MSS clamping for Kubernetes operator proxies using nftables.
+ * Fixed: Containers on hosts with partial support for ip6tables no longer crash.
+
+- turn of changelog generation
+- add completions for bash
+
+-------------------------------------------------------------------
+Sat Mar 30 08:28:56 UTC 2024 - Richard Rahl
+
+- update to 1.62.1:
+ * Send load balancing hint HTTP request header
+ * Fixed: Kubernetes operator proxies should not accept subnet routes
+
+-------------------------------------------------------------------
+Thu Mar 14 03:13:54 UTC 2024 - rrahl0@proton.me
+
+- update to 1.62.0:
+ * IPv6 support detection in a container environment is improved
+ * New: Web interface now uses ACL grants to manage access on tagged devices
+ * Tailscale SSH connections now disable unnecessary hostname canonicalization
+ * tailscale bugreport command for generating diagnostic logs now contain ethtool information
+ * Mullvad's family-friendly server is added to the list of well known DNS over HTTPS (DoH) servers
+ * DNS over HTTP requests now contain a timeout
+ * TCP forwarding attempts in userspace mode now have a per-client limit
+ * Endpoints with link-local IPv6 addresses is preferred over private addresses
+ * WireGuard logs are less verbose
+ * Go min.
version 1.22.1
+ * DERP server region no longer changes if connectivity to the new DERP region is degraded
+
+- update to 1.60.1:
+ * Exposing port 8080 to other devices on your tailnet works as expected
+
+-------------------------------------------------------------------
+Tue Feb 20 22:10:41 UTC 2024 - Alexandre Vicenzi
+
+- Add disable-auto-update.patch to prevent auto updates and instead
+ ask users to use Zypper to update manually
+
+-------------------------------------------------------------------
+Tue Feb 20 14:52:46 UTC 2024 - Richard Rahl
+
+- change to the non deprecated manualrun
+
+-------------------------------------------------------------------
+Fri Feb 16 14:38:14 UTC 2024 - alexandre.vicenzi@suse.com
+
+- Spec cleanup
+ * Use tar_scm to avoid commit hashes in the spec
+ * Use tailscale build scripts
+ * Drop ProtectClock fix for Leap, DeviceAllow fixes it
+- Add build-verbose.patch to get go flags into build log
+- Enable PrivateDevices but allow access to /dev/net/tun in tailscaled.service
+
+-------------------------------------------------------------------
+Fri Feb 16 00:50:26 UTC 2024 - Richard Rahl
+
+- update to 1.60.0:
+ * minimum go version 1.22
+ * authentication: present users with a valid login page when
+ attempting to login even after leaving device unattended for several days
+ * networking: mute noisy peer mtu discovery errors
+ * networking: expose gVisor metrics in debug mode
+ * port mapper: support legacy "urn:dslforum-org" port mapping services
+ * port mapper: fix crash when no support mapping services found
+ * ssh: log warning when unable to find SSH host keys
+ * serve: improve error message when running as non-root
+ * Detect when Tailscale is running on Digital Ocean and automatically
+ use Digital Ocean's DNS resolvers
+ * enable app connectors to install routes for domains that resolve to CNAME
+ records
+ * support pre-configured routes from control server
+ * add new read-only mode
+ * tailscale status command:
fix output formatting Tailnet
+ includes location-based exit nodes
+ * a new ProxyClass custom resource that allows to provide custom
+ configuration for cluster resources that the operator creates
+ * ACL tags for the operator can now be configured via Helm chart values
+ * routing to Ingress backends that require an exact path without a slash
+
+-------------------------------------------------------------------
+Wed Feb 7 14:52:53 UTC 2024 - Richard Rahl
+
+- make rpm not overwrite /etc/default/taiscaled
+- defattr everything to root
+
+-------------------------------------------------------------------
+Sat Feb 3 11:18:05 UTC 2024 - Richard Rahl
+
+- no stripping of binaries
+- add commitID to binaries for upstream
+- add directory for saved configs
+
+-------------------------------------------------------------------
+Tue Jan 23 23:54:36 UTC 2024 - Richard Rahl
+
+- switch services to manual
+- update to version 1.58.2:
+ * Fixed: [App connectors][app-connectors] have improved scheduling
+ and merging of route changes under some conditions
+ * Fixed: Crash when performing UPnP portmapping on older routers
+ with no supported portmapping services
+
+-------------------------------------------------------------------
+Fri Jan 19 08:06:27 UTC 2024 - Richard Rahl
+
+- update to version 1.58.0:
+ * portmap: check the epoch from NAT-PMP & PCP, establish new portmapping if it changes
+ * portmap: better handle multiple interfaces
+ * portmap: handle multiple UPnP discovery responses
+ * increase the number of 4via6 site IDs from 256 to 65,536
+ * taildrop: allow category Z unicode characters
+ * increased binary size with 1.56 is resolved in 1.58
+ * Reduce home DERP flapping when there's still an active connection
+ * device web ui: fixed issue when accessing shared devices
+ * device web ui: fixed login issue when accessed over https
+
+-------------------------------------------------------------------
+Wed Jan 10 02:17:57 UTC 2024 - Richard Rahl
+
+- fix an
issue with Leap, where ProtectClock prevents to connect to
+ /dev/net/tun
+
+-------------------------------------------------------------------
+Fri Dec 15 21:22:39 UTC 2023 - Richard Rahl
+
+- update to version 1.56.1:
+ * Fixed: Web interface redirects to the correct self IP known by source peer
+ * Fixed: Usage of slices.Compact from app connector domains list
+
+-------------------------------------------------------------------
+Fri Dec 15 13:48:28 UTC 2023 - Richard Rahl
+
+- fix version output to what upstream expects
+
+-------------------------------------------------------------------
+Wed Dec 13 22:08:30 UTC 2023 - rrahl0@proton.me
+
+- Update to version 1.56.0:
+ * improve responsiveness under load, especially with bidirectional traffic
+ * improve UPnP portmapping
+ * add tailscale whois subcommand to observe metadata associated with a Tailscale IP
+ * include tailnet name and profile ID in tailscale switch --list to disambiguate
+ profiles with common login names
+ * improve tailscale web interface for configuring some device settings such as exit nodes,
+ subnet routers, and Tailscale SSH
+ * improve containerboot to symlink its socket file if possible,
+ making the tailscale CLI work without --socket=/tmp/tailscale.sock
+ * add support in Kubernetes operator cluster egress for referring to a tailnet service
+ by its MagicDNS name
+
+
+- Update to version 1.54.1:
+ * no relevant updates to the linux version
+
+-------------------------------------------------------------------
+Fri Nov 24 21:59:11 UTC 2023 - Richard Rahl
+
+- tailscale couldn't connect to /dev/net/tun
+
+-------------------------------------------------------------------
+Thu Nov 23 06:51:24 UTC 2023 - rrahl0@proton.me
+
+- Update to version 1.54.0:
+ * improve throughput substantially for UDP packets over TUN device with recent Linux kernels
+
+
+- Update to version 1.52.1:
+ * no linux improvements
+
+- Update to version 1.52.0:
+ * tailscale set command flag --auto-update is
added to opt in to automatic client updates
+ * tailscale serve and tailscale funnel commands are updated for improved usability
+ * tailscale update command for manual updates is now in beta
+ * Taildrop file transfer displays a progress meter
+ * nftables auto-detection is improved when TS_DEBUG_FIREWALL_MODE=auto is used
+ * DNS detection of NetworkManager with configured but absent systemd-resolved
+ * Taildrop now resumes file transfers after partial transfers are interrupted
+ * tailscale up command displays a message about client updates when newer versions are available
+ * tailscale status command displays a message about client updates when newer versions are available
+ * tailscale cert command renews in the background. The current certificate only displays if it has expired.
+
+-------------------------------------------------------------------
+Mon Oct 02 23:51:03 UTC 2023 - rrahl0@proton.me
+
+- Update to version 1.50.1:
+ * fix bug where serve config could get wiped
+ * Funnel support for tsnet apps
+ * fix potential crash with UPnP
+
+-------------------------------------------------------------------
+Sat Sep 30 19:38:50 UTC 2023 - rrahl0@proton.me
+
+- Update to version 1.50.0:
+ * Update tailscale{,d} licenses
+ * Update Quad9 addresses and references
+ * Adds support for Wikimedia DNS using DNS-over-HTTPS
+
+- Update to version 1.48.1:
+ * no relevant updates
+
+- Update to version 1.48.2:
+ * Improvements to Mullvad exit nodes
+
+-------------------------------------------------------------------
+Fri Aug 18 15:56:24 UTC 2023 - Richard Rahl
+
+- Initial revision
diff --git a/tailscale.spec b/tailscale.spec
new file mode 100644
index 0000000..3190b4a
--- /dev/null
+++ b/tailscale.spec
@@ -0,0 +1,144 @@
+#
+# spec file for package tailscale
+#
+# Copyright (c) 2025 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name: tailscale
+Version: 1.82.0
+Release: 0
+Summary: The easiest, most secure way to use WireGuard and 2FA
+License: BSD-3-Clause
+URL: https://github.com/tailscale/tailscale
+Source: %{name}-%{version}.tar.gz
+Source1: vendor.tar.gz
+Source2: %{name}d.service
+Source3: %{name}d.defaults
+Patch0: build-verbose.patch
+Patch1: disable-auto-update.patch
+Patch2: fix-CVE-2025-22869.patch
+BuildRequires: bash-completion
+BuildRequires: fish
+BuildRequires: git-core
+BuildRequires: golang-packaging
+BuildRequires: zsh
+BuildRequires: golang(API) >= 1.24
+Requires: %{default_firewall_backend}
+ExcludeArch: i586
+%{?systemd_requires}
+
+%description
+Tailscale is a modern VPN built on top of Wireguard. It works like an overlay
+network between the computers of your networks using NAT traversal.
+
+%package bash-completion
+Summary: Tailscale bash completion
+Supplements: (%{name} and bash-completion)
+BuildArch: noarch
+
+%description bash-completion
+bash completions for %{name}
+
+%package zsh-completion
+Summary: Tailsacle zsh completion
+Supplements: (%{name} and zsh)
+BuildArch: noarch
+
+%description zsh-completion
+zsh completion for %{name}
+
+%package fish-completion
+Summary: Tailscale fish completion
+Supplements: (%{name} and fish)
+BuildArch: noarch
+
+%description fish-completion
+fish completion for %{name}
+
+%prep
+%autosetup -a1 -p1
+
+%build
+%ifnarch ppc64
+export GOFLAGS="-buildmode=pie"
+%endif
+export VERSION_SHORT=%{version}
+export VERSION_LONG=%{version}
+export VERSION_GIT_HASH='$(git rev-parse v%{version})'
+./build_dist.sh ./cmd/%{name}
+./build_dist.sh ./cmd/%{name}d
+
+#generate completions
+./%{name} completion bash > ./%{name}.bash
+./%{name} completion zsh > ./%{name}.zsh
+./%{name} completion fish > ./%{name}.fish
+
+%check
+./%{name} version
+./%{name}d -version
+
+%install
+mkdir -p %{buildroot}%{_sharedstatedir}/%{name}
+
+install -D -p -m 0755 %{name} %{buildroot}%{_bindir}/%{name}
+install -D -p -m 0755 %{name}d %{buildroot}%{_sbindir}/%{name}d
+
+# service
+install -D -p -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/%{name}d.service
+%if 0%{?suse_version} < 1600
+ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}d
+%endif
+
+# defaults
+install -D -p -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/default/%{name}d
+
+install -D -p -m 0644 ./%{name}.bash %{buildroot}%{_datadir}/bash-completion/completions/%{name}
+install -D -p -m 0644 ./%{name}.zsh %{buildroot}%{_datadir}/zsh/site-functions/_%{name}
+install -D -p -m 0644 ./%{name}.fish %{buildroot}%{_datadir}/fish/vendor_completions.d/%{name}
+
+%pre
+%service_add_pre %{name}d.service
+
+%post
+%service_add_post %{name}d.service
+
+%preun
+%service_del_preun %{name}d.service
+
+%postun
+%service_del_postun %{name}d.service
+
+%files
+%license LICENSE PATENTS
+%doc README.md SECURITY.md
+%config(noreplace) %{_sysconfdir}/default/%{name}d
+%dir %{_sharedstatedir}/%{name}
+%{_bindir}/%{name}
+%{_sbindir}/%{name}d
+%{_unitdir}/%{name}d.service
+%if 0%{?suse_version} < 1600
+%{_sbindir}/rc%{name}d
+%endif
+
+%files bash-completion
+%{_datadir}/bash-completion/completions/%{name}
+
+%files zsh-completion
+%{_datadir}/zsh/site-functions/_%{name}
+
+%files fish-completion
+%{_datadir}/fish/vendor_completions.d/%{name}
+
+%changelog
diff --git a/tailscaled.defaults b/tailscaled.defaults
new file mode 100644
index 0000000..75f1c3e
--- /dev/null
+++ b/tailscaled.defaults
@@ -0,0 +1,8 @@
+# Set the port to listen on for incoming VPN packets.
+# Remote nodes will automatically be informed about the new port number,
+# but you might want to configure this in order to set external firewall
+# settings.
+PORT="41641"
+
+# Extra flags you might want to pass to tailscaled.
+FLAGS=""
diff --git a/tailscaled.service b/tailscaled.service
new file mode 100644
index 0000000..b67b94d
--- /dev/null
+++ b/tailscaled.service
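Review bot: The git hash export in %build, `export VERSION_GIT_HASH='$(git rev-parse v%{version})'`, is single-quoted, so the shell never runs the command substitution and the variable holds the literal text `$(git rev-parse v1.82.0)`; if build_dist.sh consumes it, that literal becomes the embedded git hash, which the `./%{name} version` call in %check should expose. Use double quotes, `export VERSION_GIT_HASH="$(git rev-parse v%{version})"`, and if the obs_scm tarball is unpacked without a .git directory, fall back to the commit id that `_servicedata` records rather than letting the command fail silently. Separately, `fix-CVE-2024-45337.patch` is added in this series next to the spec but is not listed as a PatchN, so it is never applied; if 1.82.0 already carries the upstream change it should be dropped from the package sources so nobody assumes it is in effect. The zsh-completion `Summary` also misspells the product name as `Tailsacle`.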
@@ -0,0 +1,35 @@
+[Unit]
+Description=Tailscale node agent
+Documentation=https://tailscale.com/kb/
+Wants=network-pre.target
+After=network-pre.target NetworkManager.service systemd-resolved.service
+
+[Service]
+EnvironmentFile=/etc/default/tailscaled
+ExecStartPre=/usr/sbin/tailscaled --cleanup
+ExecStart=/usr/sbin/tailscaled --state=/var/lib/tailscale/tailscaled.state --socket=/run/tailscale/tailscaled.sock --port=${PORT} $FLAGS
+ExecStopPost=/usr/sbin/tailscaled --cleanup
+Restart=on-failure
+RuntimeDirectory=tailscale
+RuntimeDirectoryMode=0755
+StateDirectory=tailscale
+StateDirectoryMode=0700
+CacheDirectory=tailscale
+CacheDirectoryMode=0750
+Type=notify
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+PrivateDevices=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+RestrictRealtime=true
+# give permission to TUN
+BindPaths=/dev/net/tun
+DeviceAllow=/dev/net/tun rw
+
+[Install]
+WantedBy=multi-user.target
diff --git a/vendor.tar.gz b/vendor.tar.gz
new file mode 100644
index 0000000..71d2c40
--- /dev/null
+++ b/vendor.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f214fdde577c0f4a06f2d03817d35509aca71bead67f9ab43ee37074ad908538
+size 20189143
-- 
2.51.1
From 2d570b44dcda09fd3c7ff430862c313d719b7464b4ca8276068389a88af107a3 Mon Sep 17 00:00:00 2001
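Review bot: The comment `# give permission to TUN` above `BindPaths=/dev/net/tun` does not say why two directives are needed, and the changelog earlier on this page records two regressions around exactly this pair (`tailscale couldn't connect to /dev/net/tun` and the Leap `ProtectClock` issue). I would replace it with `# PrivateDevices=true mounts a private /dev that lacks /dev/net/tun, and ProtectClock=true implies a closed DevicePolicy; the bind mount and the DeviceAllow entry are both required for tailscaled to open the TUN device.` so the next hardening pass does not drop one of them. It would also help to note on `StateDirectoryMode=0700` why the state directory is stricter than the 0750 cache directory — presumably because tailscaled.state holds the node identity, which is worth confirming and writing down.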
From: Richard Rahl Date: Fri, 18 Apr 2025 07:42:58 +0000 Subject: [PATCH 02/25] - update to 1.82.5: * A panic issue related to CUBIC congestion control in userspace mode is resolved. OBS-URL: https://build.opensuse.org/package/show/network:vpn/tailscale?expand=0&rev=75 --- .gitattributes | 23 ++ .gitignore | 1 + _service | 17 + _servicedata | 4 + build-verbose.patch | 13 + disable-auto-update.patch | 25 ++ fix-CVE-2024-45337.patch | 727 ++++++++++++++++++++++++++++++++++++++ fix-CVE-2025-22869.patch | 80 +++++ tailscale-1.70.0.tar.gz | 3 + tailscale-1.72.1.tar.gz | 3 + tailscale-1.74.0.tar.gz | 3 + tailscale-1.74.1.tar.gz | 3 + tailscale-1.76.1.tar.gz | 3 + tailscale-1.76.3.tar.gz | 3 + tailscale-1.76.6.tar.gz | 3 + tailscale-1.78.1.tar.gz | 3 + tailscale-1.78.3.tar.gz | 3 + tailscale-1.80.0.tar.gz | 3 + tailscale-1.80.1.tar.gz | 3 + tailscale-1.80.2.tar.gz | 3 + tailscale-1.80.3.tar.gz | 3 + tailscale-1.82.0.tar.gz | 3 + tailscale-1.82.5.tar.gz | 3 + tailscale.changes | 498 ++++++++++++++++++++++++++ tailscale.spec | 144 ++++++++ tailscaled.defaults | 8 + tailscaled.service | 35 ++ vendor.tar.gz | 3 + 28 files changed, 1623 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 _service create mode 100644 _servicedata create mode 100644 build-verbose.patch create mode 100644 disable-auto-update.patch create mode 100644 fix-CVE-2024-45337.patch create mode 100644 fix-CVE-2025-22869.patch create mode 100644 tailscale-1.70.0.tar.gz create mode 100644 tailscale-1.72.1.tar.gz create mode 100644 tailscale-1.74.0.tar.gz create mode 100644 tailscale-1.74.1.tar.gz create mode 100644 tailscale-1.76.1.tar.gz create mode 100644 tailscale-1.76.3.tar.gz create mode 100644 tailscale-1.76.6.tar.gz create mode 100644 tailscale-1.78.1.tar.gz create mode 100644 tailscale-1.78.3.tar.gz create mode 100644 tailscale-1.80.0.tar.gz create mode 100644 tailscale-1.80.1.tar.gz create mode 100644 tailscale-1.80.2.tar.gz create mode 100644 
tailscale-1.80.3.tar.gz create mode 100644 tailscale-1.82.0.tar.gz create mode 100644 tailscale-1.82.5.tar.gz create mode 100644 tailscale.changes create mode 100644 tailscale.spec create mode 100644 tailscaled.defaults create mode 100644 tailscaled.service create mode 100644 vendor.tar.gz diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/_service b/_service new file mode 100644 index 0000000..2a00e18 --- /dev/null +++ b/_service @@ -0,0 +1,17 @@ + + + https://github.com/tailscale/tailscale.git + git + yes + refs/tags/v1.82.5 + @PARENT_TAG@ + v(.*) + disable + + + *.tar + gz + + + + diff --git a/_servicedata b/_servicedata new file mode 100644 index 0000000..d4fed67 --- /dev/null +++ b/_servicedata 
@@ -0,0 +1,4 @@
+
+
+ https://github.com/tailscale/tailscale.git
+ aa448d5a9985378af04966c6d7aec8d9f4a166ca
\ No newline at end of file
diff --git a/build-verbose.patch b/build-verbose.patch
new file mode 100644
index 0000000..5da7533
--- /dev/null
+++ b/build-verbose.patch
@@ -0,0 +1,13 @@
+diff --git a/build_dist.sh b/build_dist.sh
+index 0c757c26..9639d596 100755
+--- a/build_dist.sh
++++ b/build_dist.sh
+@@ -9,7 +9,7 @@
+ # this script, or executing equivalent commands in your
+ # distro-specific build system.
+ 
+-set -eu
++set -eux
+ 
+ go="go"
+ if [ -n "${TS_USE_TOOLCHAIN:-}" ]; then
diff --git a/disable-auto-update.patch b/disable-auto-update.patch
new file mode 100644
index 0000000..c7d8a30
--- /dev/null
+++ b/disable-auto-update.patch
@@ -0,0 +1,25 @@ +diff -rub tailscale/clientupdate/clientupdate.go tailscale-patched/clientupdate/clientupdate.go +--- tailscale/clientupdate/clientupdate.go 2024-06-16 15:26:31.323022871 +0200 ++++ tailscale-patched/clientupdate/clientupdate.go 2024-06-16 15:57:08.732315446 +0200 +@@ -205,6 +205,8 @@ + // The distro.Debian switch case above should catch most apt-based + // systems, but add this fallback just in case. + return up.updateDebLike, true ++ case haveExecutable("zypper"): ++ return up.updateSUSE, false + case haveExecutable("dnf"): + return up.updateFedoraLike("dnf"), true + case haveExecutable("yum"): +@@ -526,6 +528,12 @@ + you can use "pacman --sync --refresh --sysupgrade" or "pacman -Syu" to upgrade the system, including Tailscale.`) + } + ++func (up *Updater) updateSUSE() error { ++ // SUSE-based distros should update manually. ++ // The package can come from official Tailscale repos or not and the system can be transactional or not. ++ return errors.New(`Use Zypper or transactional-update (on applicable systems) to update Tailscale on openSUSE or SUSE Linux Enterprise installations.`) ++} ++ + func (up *Updater) updateNixos() error { + // NixOS package updates are managed on a system level and not individually. + // Direct users to update their nix channel or nixpkgs flake input to diff --git a/fix-CVE-2024-45337.patch b/fix-CVE-2024-45337.patch new file mode 100644 index 0000000..1fbec70 --- /dev/null +++ b/fix-CVE-2024-45337.patch 
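Review bot: The comment on the new `updateSUSE` method does not follow the Go doc-comment convention of starting with the method name, and it states the distro policy rather than what the method does (it never updates anything; it only returns an error naming the tool to run). I would open it with `// updateSUSE never performs an update: SUSE packages are managed by zypper or transactional-update, so it only returns an error telling the user which tool to run.` and keep the existing sentence about official repositories and transactional systems below it. The `false` in the new `case haveExecutable("zypper")` arm presumably marks this path as not eligible for automatic updates; if that bool is what the `--auto-update` setting mentioned in the changelog consults, a short comment on the case would save the next reader a lookup.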
@@ -0,0 +1,727 @@ +From 73128e25230fda8c82696ed0ffef991bce68cecc Mon Sep 17 00:00:00 2001 +From: Brad Fitzpatrick +Date: Thu, 12 Dec 2024 09:38:07 -0800 +Subject: [PATCH] ssh/tailssh: remove unused public key support + +When we first made Tailscale SSH, we assumed people would want public +key support soon after. Turns out that hasn't been the case; people +love the Tailscale identity authentication and check mode. + +In light of CVE-2024-45337, just remove all our public key code to not +distract people, and to make the code smaller. We can always get it +back from git if needed. + +Updates tailscale/corp#25131 +Updates golang/go#70779 + +Co-authored-by: Percy Wegmann +Change-Id: I87a6e79c2215158766a81942227a18b247333c22 +Signed-off-by: Brad Fitzpatrick +--- + Makefile | 1 - + ssh/tailssh/tailssh.go | 277 ++++-------------------------------- + ssh/tailssh/tailssh_test.go | 88 +----------- + tailcfg/tailcfg.go | 18 ++- + tailcfg/tailcfg_clone.go | 12 +- + tailcfg/tailcfg_view.go | 22 +-- + 6 files changed, 54 insertions(+), 364 deletions(-) + +diff --git a/Makefile b/Makefile +index 960f13885c11c..d3e50af0571b7 100644 +--- a/Makefile ++++ b/Makefile +@@ -116,7 +116,6 @@ sshintegrationtest: ## Run the SSH integration tests in various Docker container + GOOS=linux GOARCH=amd64 ./tool/go build -o ssh/tailssh/testcontainers/tailscaled ./cmd/tailscaled && \ + echo "Testing on ubuntu:focal" && docker build --build-arg="BASE=ubuntu:focal" -t ssh-ubuntu-focal ssh/tailssh/testcontainers && \ + echo "Testing on ubuntu:jammy" && docker build --build-arg="BASE=ubuntu:jammy" -t ssh-ubuntu-jammy ssh/tailssh/testcontainers && \ +- echo "Testing on ubuntu:mantic" && docker build --build-arg="BASE=ubuntu:mantic" -t ssh-ubuntu-mantic ssh/tailssh/testcontainers && \ + echo "Testing on ubuntu:noble" && docker build --build-arg="BASE=ubuntu:noble" -t ssh-ubuntu-noble ssh/tailssh/testcontainers && \ + echo "Testing on alpine:latest" && docker build --build-arg="BASE=alpine:latest" -t 
ssh-alpine-latest ssh/tailssh/testcontainers + +diff --git a/ssh/tailssh/tailssh.go b/ssh/tailssh/tailssh.go +index 7cb99c3813104..7f21ccd1182ee 100644 +--- a/ssh/tailssh/tailssh.go ++++ b/ssh/tailssh/tailssh.go +@@ -10,7 +10,6 @@ import ( + "bytes" + "context" + "crypto/rand" +- "encoding/base64" + "encoding/json" + "errors" + "fmt" +@@ -45,7 +44,6 @@ import ( + "tailscale.com/util/clientmetric" + "tailscale.com/util/httpm" + "tailscale.com/util/mak" +- "tailscale.com/util/slicesx" + ) + + var ( +@@ -80,16 +78,14 @@ type server struct { + logf logger.Logf + tailscaledPath string + +- pubKeyHTTPClient *http.Client // or nil for http.DefaultClient +- timeNow func() time.Time // or nil for time.Now ++ timeNow func() time.Time // or nil for time.Now + + sessionWaitGroup sync.WaitGroup + + // mu protects the following +- mu sync.Mutex +- activeConns map[*conn]bool // set; value is always true +- fetchPublicKeysCache map[string]pubKeyCacheEntry // by https URL +- shutdownCalled bool ++ mu sync.Mutex ++ activeConns map[*conn]bool // set; value is always true ++ shutdownCalled bool + } + + func (srv *server) now() time.Time { +@@ -204,7 +200,6 @@ func (srv *server) OnPolicyChange() { + // + // Do the user auth + // - NoClientAuthHandler +-// - PublicKeyHandler (only if NoClientAuthHandler returns errPubKeyRequired) + // + // Once auth is done, the conn can be multiplexed with multiple sessions and + // channels concurrently. 
At which point any of the following can be called +@@ -234,10 +229,9 @@ type conn struct { + finalAction *tailcfg.SSHAction // set by doPolicyAuth or resolveNextAction + finalActionErr error // set by doPolicyAuth or resolveNextAction + +- info *sshConnInfo // set by setInfo +- localUser *userMeta // set by doPolicyAuth +- userGroupIDs []string // set by doPolicyAuth +- pubKey gossh.PublicKey // set by doPolicyAuth ++ info *sshConnInfo // set by setInfo ++ localUser *userMeta // set by doPolicyAuth ++ userGroupIDs []string // set by doPolicyAuth + acceptEnv []string + + // mu protects the following fields. +@@ -268,9 +262,6 @@ func (c *conn) isAuthorized(ctx ssh.Context) error { + action := c.currentAction + for { + if action.Accept { +- if c.pubKey != nil { +- metricPublicKeyAccepts.Add(1) +- } + return nil + } + if action.Reject || action.HoldAndDelegate == "" { +@@ -293,10 +284,6 @@ func (c *conn) isAuthorized(ctx ssh.Context) error { + // policy. + var errDenied = errors.New("ssh: access denied") + +-// errPubKeyRequired is returned by NoClientAuthCallback to make the client +-// resort to public-key auth; not user visible. +-var errPubKeyRequired = errors.New("ssh publickey required") +- + // NoClientAuthCallback implements gossh.NoClientAuthCallback and is called by + // the ssh.Server when the client first connects with the "none" + // authentication method. +@@ -305,13 +292,12 @@ var errPubKeyRequired = errors.New("ssh publickey required") + // starting it afresh). It returns an error if the policy evaluation fails, or + // if the decision is "reject" + // +-// It either returns nil (accept) or errPubKeyRequired or errDenied +-// (reject). The errors may be wrapped. ++// It either returns nil (accept) or errDenied (reject). The errors may be wrapped. 
+ func (c *conn) NoClientAuthCallback(ctx ssh.Context) error { + if c.insecureSkipTailscaleAuth { + return nil + } +- if err := c.doPolicyAuth(ctx, nil /* no pub key */); err != nil { ++ if err := c.doPolicyAuth(ctx); err != nil { + return err + } + if err := c.isAuthorized(ctx); err != nil { +@@ -332,8 +318,6 @@ func (c *conn) nextAuthMethodCallback(cm gossh.ConnMetadata, prevErrors []error) + switch { + case c.anyPasswordIsOkay: + nextMethod = append(nextMethod, "password") +- case slicesx.LastEqual(prevErrors, errPubKeyRequired): +- nextMethod = append(nextMethod, "publickey") + } + + // The fake "tailscale" method is always appended to next so OpenSSH renders +@@ -353,41 +337,20 @@ func (c *conn) fakePasswordHandler(ctx ssh.Context, password string) bool { + return c.anyPasswordIsOkay + } + +-// PublicKeyHandler implements ssh.PublicKeyHandler is called by the +-// ssh.Server when the client presents a public key. +-func (c *conn) PublicKeyHandler(ctx ssh.Context, pubKey ssh.PublicKey) error { +- if err := c.doPolicyAuth(ctx, pubKey); err != nil { +- // TODO(maisem/bradfitz): surface the error here. +- c.logf("rejecting SSH public key %s: %v", bytes.TrimSpace(gossh.MarshalAuthorizedKey(pubKey)), err) +- return err +- } +- if err := c.isAuthorized(ctx); err != nil { +- return err +- } +- c.logf("accepting SSH public key %s", bytes.TrimSpace(gossh.MarshalAuthorizedKey(pubKey))) +- return nil +-} +- +-// doPolicyAuth verifies that conn can proceed with the specified (optional) +-// pubKey. It returns nil if the matching policy action is Accept or +-// HoldAndDelegate. If pubKey is nil, there was no policy match but there is a +-// policy that might match a public key it returns errPubKeyRequired. Otherwise, +-// it returns errDenied. +-func (c *conn) doPolicyAuth(ctx ssh.Context, pubKey ssh.PublicKey) error { ++// doPolicyAuth verifies that conn can proceed. ++// It returns nil if the matching policy action is Accept or ++// HoldAndDelegate. 
Otherwise, it returns errDenied. ++func (c *conn) doPolicyAuth(ctx ssh.Context) error { + if err := c.setInfo(ctx); err != nil { + c.logf("failed to get conninfo: %v", err) + return errDenied + } +- a, localUser, acceptEnv, err := c.evaluatePolicy(pubKey) ++ a, localUser, acceptEnv, err := c.evaluatePolicy() + if err != nil { +- if pubKey == nil && c.havePubKeyPolicy() { +- return errPubKeyRequired +- } + return fmt.Errorf("%w: %v", errDenied, err) + } + c.action0 = a + c.currentAction = a +- c.pubKey = pubKey + c.acceptEnv = acceptEnv + if a.Message != "" { + if err := ctx.SendAuthBanner(a.Message); err != nil { +@@ -448,7 +411,6 @@ func (srv *server) newConn() (*conn, error) { + ServerConfigCallback: c.ServerConfig, + + NoClientAuthHandler: c.NoClientAuthCallback, +- PublicKeyHandler: c.PublicKeyHandler, + PasswordHandler: c.fakePasswordHandler, + + Handler: c.handleSessionPostSSHAuth, +@@ -516,34 +478,6 @@ func (c *conn) mayForwardLocalPortTo(ctx ssh.Context, destinationHost string, de + return false + } + +-// havePubKeyPolicy reports whether any policy rule may provide access by means +-// of a ssh.PublicKey. +-func (c *conn) havePubKeyPolicy() bool { +- if c.info == nil { +- panic("havePubKeyPolicy called before setInfo") +- } +- // Is there any rule that looks like it'd require a public key for this +- // sshUser? +- pol, ok := c.sshPolicy() +- if !ok { +- return false +- } +- for _, r := range pol.Rules { +- if c.ruleExpired(r) { +- continue +- } +- if mapLocalUser(r.SSHUsers, c.info.sshUser) == "" { +- continue +- } +- for _, p := range r.Principals { +- if len(p.PubKeys) > 0 && c.principalMatchesTailscaleIdentity(p) { +- return true +- } +- } +- } +- return false +-} +- + // sshPolicy returns the SSHPolicy for current node. + // If there is no SSHPolicy in the netmap, it returns a debugPolicy + // if one is defined. 
+@@ -620,117 +554,19 @@ func (c *conn) setInfo(ctx ssh.Context) error { + } + + // evaluatePolicy returns the SSHAction and localUser after evaluating +-// the SSHPolicy for this conn. The pubKey may be nil for "none" auth. +-func (c *conn) evaluatePolicy(pubKey gossh.PublicKey) (_ *tailcfg.SSHAction, localUser string, acceptEnv []string, _ error) { ++// the SSHPolicy for this conn. ++func (c *conn) evaluatePolicy() (_ *tailcfg.SSHAction, localUser string, acceptEnv []string, _ error) { + pol, ok := c.sshPolicy() + if !ok { + return nil, "", nil, fmt.Errorf("tailssh: rejecting connection; no SSH policy") + } +- a, localUser, acceptEnv, ok := c.evalSSHPolicy(pol, pubKey) ++ a, localUser, acceptEnv, ok := c.evalSSHPolicy(pol) + if !ok { + return nil, "", nil, fmt.Errorf("tailssh: rejecting connection; no matching policy") + } + return a, localUser, acceptEnv, nil + } + +-// pubKeyCacheEntry is the cache value for an HTTPS URL of public keys (like +-// "https://github.com/foo.keys") +-type pubKeyCacheEntry struct { +- lines []string +- etag string // if sent by server +- at time.Time +-} +- +-const ( +- pubKeyCacheDuration = time.Minute // how long to cache non-empty public keys +- pubKeyCacheEmptyDuration = 15 * time.Second // how long to cache empty responses +-) +- +-func (srv *server) fetchPublicKeysURLCached(url string) (ce pubKeyCacheEntry, ok bool) { +- srv.mu.Lock() +- defer srv.mu.Unlock() +- // Mostly don't care about the size of this cache. Clean rarely. 
+- if m := srv.fetchPublicKeysCache; len(m) > 50 { +- tooOld := srv.now().Add(pubKeyCacheDuration * 10) +- for k, ce := range m { +- if ce.at.Before(tooOld) { +- delete(m, k) +- } +- } +- } +- ce, ok = srv.fetchPublicKeysCache[url] +- if !ok { +- return ce, false +- } +- maxAge := pubKeyCacheDuration +- if len(ce.lines) == 0 { +- maxAge = pubKeyCacheEmptyDuration +- } +- return ce, srv.now().Sub(ce.at) < maxAge +-} +- +-func (srv *server) pubKeyClient() *http.Client { +- if srv.pubKeyHTTPClient != nil { +- return srv.pubKeyHTTPClient +- } +- return http.DefaultClient +-} +- +-// fetchPublicKeysURL fetches the public keys from a URL. The strings are in the +-// the typical public key "type base64-string [comment]" format seen at e.g. +-// https://github.com/USER.keys +-func (srv *server) fetchPublicKeysURL(url string) ([]string, error) { +- if !strings.HasPrefix(url, "https://") { +- return nil, errors.New("invalid URL scheme") +- } +- +- ce, ok := srv.fetchPublicKeysURLCached(url) +- if ok { +- return ce.lines, nil +- } +- +- ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second) +- defer cancel() +- req, err := http.NewRequestWithContext(ctx, "GET", url, nil) +- if err != nil { +- return nil, err +- } +- if ce.etag != "" { +- req.Header.Add("If-None-Match", ce.etag) +- } +- res, err := srv.pubKeyClient().Do(req) +- if err != nil { +- return nil, err +- } +- defer res.Body.Close() +- var lines []string +- var etag string +- switch res.StatusCode { +- default: +- err = fmt.Errorf("unexpected status %v", res.Status) +- srv.logf("fetching public keys from %s: %v", url, err) +- case http.StatusNotModified: +- lines = ce.lines +- etag = ce.etag +- case http.StatusOK: +- var all []byte +- all, err = io.ReadAll(io.LimitReader(res.Body, 4<<10)) +- if s := strings.TrimSpace(string(all)); s != "" { +- lines = strings.Split(s, "\n") +- } +- etag = res.Header.Get("Etag") +- } +- +- srv.mu.Lock() +- defer srv.mu.Unlock() +- mak.Set(&srv.fetchPublicKeysCache, 
url, pubKeyCacheEntry{ +- at: srv.now(), +- lines: lines, +- etag: etag, +- }) +- return lines, err +-} +- + // handleSessionPostSSHAuth runs an SSH session after the SSH-level authentication, + // but not necessarily before all the Tailscale-level extra verification has + // completed. It also handles SFTP requests. +@@ -832,18 +668,6 @@ func (c *conn) expandDelegateURLLocked(actionURL string) string { + ).Replace(actionURL) + } + +-func (c *conn) expandPublicKeyURL(pubKeyURL string) string { +- if !strings.Contains(pubKeyURL, "$") { +- return pubKeyURL +- } +- loginName := c.info.uprof.LoginName +- localPart, _, _ := strings.Cut(loginName, "@") +- return strings.NewReplacer( +- "$LOGINNAME_EMAIL", loginName, +- "$LOGINNAME_LOCALPART", localPart, +- ).Replace(pubKeyURL) +-} +- + // sshSession is an accepted Tailscale SSH session. + type sshSession struct { + ssh.Session +@@ -894,7 +718,7 @@ func (c *conn) newSSHSession(s ssh.Session) *sshSession { + + // isStillValid reports whether the conn is still valid. 
+ func (c *conn) isStillValid() bool { +- a, localUser, _, err := c.evaluatePolicy(c.pubKey) ++ a, localUser, _, err := c.evaluatePolicy() + c.vlogf("stillValid: %+v %v %v", a, localUser, err) + if err != nil { + return false +@@ -1277,9 +1101,9 @@ func (c *conn) ruleExpired(r *tailcfg.SSHRule) bool { + return r.RuleExpires.Before(c.srv.now()) + } + +-func (c *conn) evalSSHPolicy(pol *tailcfg.SSHPolicy, pubKey gossh.PublicKey) (a *tailcfg.SSHAction, localUser string, acceptEnv []string, ok bool) { ++func (c *conn) evalSSHPolicy(pol *tailcfg.SSHPolicy) (a *tailcfg.SSHAction, localUser string, acceptEnv []string, ok bool) { + for _, r := range pol.Rules { +- if a, localUser, acceptEnv, err := c.matchRule(r, pubKey); err == nil { ++ if a, localUser, acceptEnv, err := c.matchRule(r); err == nil { + return a, localUser, acceptEnv, true + } + } +@@ -1296,7 +1120,7 @@ var ( + errInvalidConn = errors.New("invalid connection state") + ) + +-func (c *conn) matchRule(r *tailcfg.SSHRule, pubKey gossh.PublicKey) (a *tailcfg.SSHAction, localUser string, acceptEnv []string, err error) { ++func (c *conn) matchRule(r *tailcfg.SSHRule) (a *tailcfg.SSHAction, localUser string, acceptEnv []string, err error) { + defer func() { + c.vlogf("matchRule(%+v): %v", r, err) + }() +@@ -1326,9 +1150,7 @@ func (c *conn) matchRule(r *tailcfg.SSHRule, pubKey gossh.PublicKey) (a *tailcfg + return nil, "", nil, errUserMatch + } + } +- if ok, err := c.anyPrincipalMatches(r.Principals, pubKey); err != nil { +- return nil, "", nil, err +- } else if !ok { ++ if !c.anyPrincipalMatches(r.Principals) { + return nil, "", nil, errPrincipalMatch + } + return r.Action, localUser, r.AcceptEnv, nil +@@ -1345,30 +1167,20 @@ func mapLocalUser(ruleSSHUsers map[string]string, reqSSHUser string) (localUser + return v + } + +-func (c *conn) anyPrincipalMatches(ps []*tailcfg.SSHPrincipal, pubKey gossh.PublicKey) (bool, error) { ++func (c *conn) anyPrincipalMatches(ps []*tailcfg.SSHPrincipal) bool { + for _, p := range 
ps { + if p == nil { + continue + } +- if ok, err := c.principalMatches(p, pubKey); err != nil { +- return false, err +- } else if ok { +- return true, nil ++ if c.principalMatchesTailscaleIdentity(p) { ++ return true + } + } +- return false, nil +-} +- +-func (c *conn) principalMatches(p *tailcfg.SSHPrincipal, pubKey gossh.PublicKey) (bool, error) { +- if !c.principalMatchesTailscaleIdentity(p) { +- return false, nil +- } +- return c.principalMatchesPubKey(p, pubKey) ++ return false + } + + // principalMatchesTailscaleIdentity reports whether one of p's four fields + // that match the Tailscale identity match (Node, NodeIP, UserLogin, Any). +-// This function does not consider PubKeys. + func (c *conn) principalMatchesTailscaleIdentity(p *tailcfg.SSHPrincipal) bool { + ci := c.info + if p.Any { +@@ -1388,42 +1200,6 @@ func (c *conn) principalMatchesTailscaleIdentity(p *tailcfg.SSHPrincipal) bool { + return false + } + +-func (c *conn) principalMatchesPubKey(p *tailcfg.SSHPrincipal, clientPubKey gossh.PublicKey) (bool, error) { +- if len(p.PubKeys) == 0 { +- return true, nil +- } +- if clientPubKey == nil { +- return false, nil +- } +- knownKeys := p.PubKeys +- if len(knownKeys) == 1 && strings.HasPrefix(knownKeys[0], "https://") { +- var err error +- knownKeys, err = c.srv.fetchPublicKeysURL(c.expandPublicKeyURL(knownKeys[0])) +- if err != nil { +- return false, err +- } +- } +- for _, knownKey := range knownKeys { +- if pubKeyMatchesAuthorizedKey(clientPubKey, knownKey) { +- return true, nil +- } +- } +- return false, nil +-} +- +-func pubKeyMatchesAuthorizedKey(pubKey ssh.PublicKey, wantKey string) bool { +- wantKeyType, rest, ok := strings.Cut(wantKey, " ") +- if !ok { +- return false +- } +- if pubKey.Type() != wantKeyType { +- return false +- } +- wantKeyB64, _, _ := strings.Cut(rest, " ") +- wantKeyData, _ := base64.StdEncoding.DecodeString(wantKeyB64) +- return len(wantKeyData) > 0 && bytes.Equal(pubKey.Marshal(), wantKeyData) +-} +- + func randBytes(n int) 
[]byte { + b := make([]byte, n) + if _, err := rand.Read(b); err != nil { +@@ -1749,7 +1525,6 @@ func envEq(a, b string) bool { + var ( + metricActiveSessions = clientmetric.NewGauge("ssh_active_sessions") + metricIncomingConnections = clientmetric.NewCounter("ssh_incoming_connections") +- metricPublicKeyAccepts = clientmetric.NewCounter("ssh_publickey_accepts") // accepted subset of ssh_publickey_connections + metricTerminalAccept = clientmetric.NewCounter("ssh_terminalaction_accept") + metricTerminalReject = clientmetric.NewCounter("ssh_terminalaction_reject") + metricTerminalMalformed = clientmetric.NewCounter("ssh_terminalaction_malformed") +diff --git a/ssh/tailssh/tailssh_test.go b/ssh/tailssh/tailssh_test.go +index ad9cb1e57b53d..9f3616d8ca8ab 100644 +--- a/ssh/tailssh/tailssh_test.go ++++ b/ssh/tailssh/tailssh_test.go +@@ -10,7 +10,6 @@ import ( + "context" + "crypto/ed25519" + "crypto/rand" +- "crypto/sha256" + "encoding/json" + "errors" + "fmt" +@@ -229,7 +228,7 @@ func TestMatchRule(t *testing.T) { + info: tt.ci, + srv: &server{logf: t.Logf}, + } +- got, gotUser, gotAcceptEnv, err := c.matchRule(tt.rule, nil) ++ got, gotUser, gotAcceptEnv, err := c.matchRule(tt.rule) + if err != tt.wantErr { + t.Errorf("err = %v; want %v", err, tt.wantErr) + } +@@ -348,7 +347,7 @@ func TestEvalSSHPolicy(t *testing.T) { + info: tt.ci, + srv: &server{logf: t.Logf}, + } +- got, gotUser, gotAcceptEnv, match := c.evalSSHPolicy(tt.policy, nil) ++ got, gotUser, gotAcceptEnv, match := c.evalSSHPolicy(tt.policy) + if match != tt.wantMatch { + t.Errorf("match = %v; want %v", match, tt.wantMatch) + } +@@ -1129,89 +1128,6 @@ func parseEnv(out []byte) map[string]string { + return e + } + +-func TestPublicKeyFetching(t *testing.T) { +- var reqsTotal, reqsIfNoneMatchHit, reqsIfNoneMatchMiss int32 +- ts := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { +- atomic.AddInt32((&reqsTotal), 1) +- etag := fmt.Sprintf("W/%q", 
sha256.Sum256([]byte(r.URL.Path))) +- w.Header().Set("Etag", etag) +- if v := r.Header.Get("If-None-Match"); v != "" { +- if v == etag { +- atomic.AddInt32(&reqsIfNoneMatchHit, 1) +- w.WriteHeader(304) +- return +- } +- atomic.AddInt32(&reqsIfNoneMatchMiss, 1) +- } +- io.WriteString(w, "foo\nbar\n"+string(r.URL.Path)+"\n") +- })) +- ts.StartTLS() +- defer ts.Close() +- keys := ts.URL +- +- clock := &tstest.Clock{} +- srv := &server{ +- pubKeyHTTPClient: ts.Client(), +- timeNow: clock.Now, +- } +- for range 2 { +- got, err := srv.fetchPublicKeysURL(keys + "/alice.keys") +- if err != nil { +- t.Fatal(err) +- } +- if want := []string{"foo", "bar", "/alice.keys"}; !reflect.DeepEqual(got, want) { +- t.Errorf("got %q; want %q", got, want) +- } +- } +- if got, want := atomic.LoadInt32(&reqsTotal), int32(1); got != want { +- t.Errorf("got %d requests; want %d", got, want) +- } +- if got, want := atomic.LoadInt32(&reqsIfNoneMatchHit), int32(0); got != want { +- t.Errorf("got %d etag hits; want %d", got, want) +- } +- clock.Advance(5 * time.Minute) +- got, err := srv.fetchPublicKeysURL(keys + "/alice.keys") +- if err != nil { +- t.Fatal(err) +- } +- if want := []string{"foo", "bar", "/alice.keys"}; !reflect.DeepEqual(got, want) { +- t.Errorf("got %q; want %q", got, want) +- } +- if got, want := atomic.LoadInt32(&reqsTotal), int32(2); got != want { +- t.Errorf("got %d requests; want %d", got, want) +- } +- if got, want := atomic.LoadInt32(&reqsIfNoneMatchHit), int32(1); got != want { +- t.Errorf("got %d etag hits; want %d", got, want) +- } +- if got, want := atomic.LoadInt32(&reqsIfNoneMatchMiss), int32(0); got != want { +- t.Errorf("got %d etag misses; want %d", got, want) +- } +- +-} +- +-func TestExpandPublicKeyURL(t *testing.T) { +- c := &conn{ +- info: &sshConnInfo{ +- uprof: tailcfg.UserProfile{ +- LoginName: "bar@baz.tld", +- }, +- }, +- } +- if got, want := c.expandPublicKeyURL("foo"), "foo"; got != want { +- t.Errorf("basic: got %q; want %q", got, want) +- } +- if 
got, want := c.expandPublicKeyURL("https://example.com/$LOGINNAME_LOCALPART.keys"), "https://example.com/bar.keys"; got != want { +- t.Errorf("localpart: got %q; want %q", got, want) +- } +- if got, want := c.expandPublicKeyURL("https://example.com/keys?email=$LOGINNAME_EMAIL"), "https://example.com/keys?email=bar@baz.tld"; got != want { +- t.Errorf("email: got %q; want %q", got, want) +- } +- c.info = new(sshConnInfo) +- if got, want := c.expandPublicKeyURL("https://example.com/keys?email=$LOGINNAME_EMAIL"), "https://example.com/keys?email="; got != want { +- t.Errorf("on empty: got %q; want %q", got, want) +- } +-} +- + func TestAcceptEnvPair(t *testing.T) { + tests := []struct { + in string +diff --git a/tailcfg/tailcfg.go b/tailcfg/tailcfg.go +index 897e8d27f7f7b..be6c4f0be6b82 100644 +--- a/tailcfg/tailcfg.go ++++ b/tailcfg/tailcfg.go +@@ -152,7 +152,8 @@ type CapabilityVersion int + // - 107: 2024-10-30: add App Connector to conffile (PR #13942) + // - 108: 2024-11-08: Client sends ServicesHash in Hostinfo, understands c2n GET /vip-services. + // - 109: 2024-11-18: Client supports filtertype.Match.SrcCaps (issue #12542) +-const CurrentCapabilityVersion CapabilityVersion = 109 ++// - 110: 2024-12-12: removed never-before-used Tailscale SSH public key support (#14373) ++const CurrentCapabilityVersion CapabilityVersion = 110 + + type StableID string + +@@ -2525,16 +2526,13 @@ type SSHPrincipal struct { + Any bool `json:"any,omitempty"` // if true, match any connection + // TODO(bradfitz): add StableUserID, once that exists + +- // PubKeys, if non-empty, means that this SSHPrincipal only +- // matches if one of these public keys is presented by the user. ++ // UnusedPubKeys was public key support. It never became an official product ++ // feature and so as of 2024-12-12 is being removed. ++ // This stub exists to remind us not to re-use the JSON field name "pubKeys" ++ // in the future if we bring it back with different semantics. 
+ // +- // As a special case, if len(PubKeys) == 1 and PubKeys[0] starts +- // with "https://", then it's fetched (like https://github.com/username.keys). +- // In that case, the following variable expansions are also supported +- // in the URL: +- // * $LOGINNAME_EMAIL ("foo@bar.com" or "foo@github") +- // * $LOGINNAME_LOCALPART (the "foo" from either of the above) +- PubKeys []string `json:"pubKeys,omitempty"` ++ // Deprecated: do not use. It does nothing. ++ UnusedPubKeys []string `json:"pubKeys,omitempty"` + } + + // SSHAction is how to handle an incoming connection. +diff --git a/tailcfg/tailcfg_clone.go b/tailcfg/tailcfg_clone.go +index f4f02c01721dc..bf9bac2980df9 100644 +--- a/tailcfg/tailcfg_clone.go ++++ b/tailcfg/tailcfg_clone.go +@@ -556,17 +556,17 @@ func (src *SSHPrincipal) Clone() *SSHPrincipal { + } + dst := new(SSHPrincipal) + *dst = *src +- dst.PubKeys = append(src.PubKeys[:0:0], src.PubKeys...) ++ dst.UnusedPubKeys = append(src.UnusedPubKeys[:0:0], src.UnusedPubKeys...) + return dst + } + + // A compilation failure here means this code must be regenerated, with the command at the top of this file. + var _SSHPrincipalCloneNeedsRegeneration = SSHPrincipal(struct { +- Node StableNodeID +- NodeIP string +- UserLogin string +- Any bool +- PubKeys []string ++ Node StableNodeID ++ NodeIP string ++ UserLogin string ++ Any bool ++ UnusedPubKeys []string + }{}) + + // Clone makes a deep copy of ControlDialPlan. 
+diff --git a/tailcfg/tailcfg_view.go b/tailcfg/tailcfg_view.go +index f275a6a9da5f2..6c21e5f450340 100644 +--- a/tailcfg/tailcfg_view.go ++++ b/tailcfg/tailcfg_view.go +@@ -1260,19 +1260,21 @@ func (v *SSHPrincipalView) UnmarshalJSON(b []byte) error { + return nil + } + +-func (v SSHPrincipalView) Node() StableNodeID { return v.ж.Node } +-func (v SSHPrincipalView) NodeIP() string { return v.ж.NodeIP } +-func (v SSHPrincipalView) UserLogin() string { return v.ж.UserLogin } +-func (v SSHPrincipalView) Any() bool { return v.ж.Any } +-func (v SSHPrincipalView) PubKeys() views.Slice[string] { return views.SliceOf(v.ж.PubKeys) } ++func (v SSHPrincipalView) Node() StableNodeID { return v.ж.Node } ++func (v SSHPrincipalView) NodeIP() string { return v.ж.NodeIP } ++func (v SSHPrincipalView) UserLogin() string { return v.ж.UserLogin } ++func (v SSHPrincipalView) Any() bool { return v.ж.Any } ++func (v SSHPrincipalView) UnusedPubKeys() views.Slice[string] { ++ return views.SliceOf(v.ж.UnusedPubKeys) ++} + + // A compilation failure here means this code must be regenerated, with the command at the top of this file. + var _SSHPrincipalViewNeedsRegeneration = SSHPrincipal(struct { +- Node StableNodeID +- NodeIP string +- UserLogin string +- Any bool +- PubKeys []string ++ Node StableNodeID ++ NodeIP string ++ UserLogin string ++ Any bool ++ UnusedPubKeys []string + }{}) + + // View returns a readonly view of ControlDialPlan. diff --git a/fix-CVE-2025-22869.patch b/fix-CVE-2025-22869.patch new file mode 100644 index 0000000..001df0a --- /dev/null +++ b/fix-CVE-2025-22869.patch 
@@ -0,0 +1,80 @@
+diff -rub tailscale-1.82.0/go.mod tailscale-1.82.0-patched/go.mod
+--- tailscale-1.82.0/go.mod 2025-03-26 20:26:55.000000000 +0100
++++ tailscale-1.82.0-patched/go.mod 2025-03-26 22:23:51.011357984 +0100
+@@ -94,14 +94,14 @@
+ go.uber.org/zap v1.27.0
+ go4.org/mem v0.0.0-20240501181205-ae6ca9944745
+ go4.org/netipx v0.0.0-20231129151722-fdeea329fbba
+- golang.org/x/crypto v0.35.0
++ golang.org/x/crypto v0.36.0
+ golang.org/x/exp v0.0.0-20250210185358-939b2ce775ac
+ golang.org/x/mod v0.23.0
+ golang.org/x/net v0.36.0
+ golang.org/x/oauth2 v0.26.0
+- golang.org/x/sync v0.11.0
+- golang.org/x/sys v0.30.0
+- golang.org/x/term v0.29.0
++ golang.org/x/sync v0.12.0
++ golang.org/x/sys v0.31.0
++ golang.org/x/term v0.30.0
+ golang.org/x/time v0.10.0
+ golang.org/x/tools v0.30.0
+ golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2
+@@ -382,7 +382,7 @@
+ go.uber.org/multierr v1.11.0 // indirect
+ golang.org/x/exp/typeparams v0.0.0-20240314144324-c7f7c6466f7f // indirect
+ golang.org/x/image v0.24.0 // indirect
+- golang.org/x/text v0.22.0 // indirect
++ golang.org/x/text v0.23.0 // indirect
+ gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
+ google.golang.org/protobuf v1.35.1 // indirect
+ gopkg.in/inf.v0 v0.9.1 // indirect
+diff -rub tailscale-1.82.0/go.sum tailscale-1.82.0-patched/go.sum
+--- tailscale-1.82.0/go.sum 2025-03-26 20:26:55.000000000 +0100
++++ tailscale-1.82.0-patched/go.sum 2025-03-26 22:24:39.260395929 +0100
+@@ -1047,6 +1047,8 @@
+ golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
+ golang.org/x/crypto v0.35.0 h1:b15kiHdrGCHrP6LvwaQ3c03kgNhhiMgvlhxHQhmg2Xs=
+ golang.org/x/crypto v0.35.0/go.mod h1:dy7dXNW32cAb/6/PRuTNsix8T+vJAqvuIy5Bli/x0YQ=
++golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
++golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
+ golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+ golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+ golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
+@@ -1160,6 +1162,8 @@
+ golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+ golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w=
+ golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
++golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
++golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+ golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+ golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+ golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+@@ -1220,6 +1224,8 @@
+ golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+ golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
+ golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
++golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
++golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+ golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+ golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+ golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+@@ -1228,6 +1234,8 @@
+ golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+ golang.org/x/term v0.29.0 h1:L6pJp37ocefwRRtYPKSWOWzOtWSxVajvz2ldH/xi3iU=
+ golang.org/x/term v0.29.0/go.mod h1:6bl4lRlvVuDgSf3179VpIxBF0o10JUpXWOnI7nErv7s=
++golang.org/x/term v0.30.0 h1:PQ39fJZ+mfadBm0y5WlL4vlM7Sx1Hgf13sMIY2+QS9Y=
++golang.org/x/term v0.30.0/go.mod h1:NYYFdzHoI5wRh/h5tDMdMqCqPJZEuNqVR5xJLd/n67g=
+ golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+ golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+ golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+@@ -1240,6 +1248,8 @@
+ golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+ golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=
+ golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
++golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
++golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
+ golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+ golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+ golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+Only in tailscale-1.82.0-patched: vendor
diff --git a/tailscale-1.70.0.tar.gz b/tailscale-1.70.0.tar.gz
new file mode 100644
index 0000000..66e7c90
--- /dev/null
+++ b/tailscale-1.70.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:294d6df3f4585152bd612eed9b34a6c2062589c8989f86ee25e750c37164fcd5
+size 55014834
diff --git a/tailscale-1.72.1.tar.gz b/tailscale-1.72.1.tar.gz
new file mode 100644
index 0000000..ea2e024
--- /dev/null
+++ b/tailscale-1.72.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:03e15ea076362eda1a44712351ba2a19bf746970fee8ddc4013513a07337cbe0
+size 11331158
diff --git a/tailscale-1.74.0.tar.gz b/tailscale-1.74.0.tar.gz
new file mode 100644
index 0000000..7923deb
--- /dev/null
+++ b/tailscale-1.74.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:65adec42c6b6c42a107d63b5c9eb2c10ae0e87f4d701aa5e35c4e31a81bcd381
+size 11323679
diff --git a/tailscale-1.74.1.tar.gz b/tailscale-1.74.1.tar.gz
new file mode 100644
index 0000000..8fc3351
--- /dev/null
+++ b/tailscale-1.74.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7357c9fe3b0dabbb35847d8181f8500007299ec93586c23cd1c50af4183ccd19
+size 11462868
diff --git a/tailscale-1.76.1.tar.gz b/tailscale-1.76.1.tar.gz
new file mode 100644
index 0000000..1b472c5
--- /dev/null
+++ b/tailscale-1.76.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:87ebf950ec15274f6e7105acfe3d5565ea39bfc7cdd9762248df26da9874d9fc
+size 11842133
diff --git a/tailscale-1.76.3.tar.gz b/tailscale-1.76.3.tar.gz
new file mode 100644
index 0000000..2352b3a
--- /dev/null
+++ b/tailscale-1.76.3.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:dab7ef3240df51e7b51238d4239822ac8dec8106282acf1f07208bd699da99b7
+size 12050220
diff --git a/tailscale-1.76.6.tar.gz b/tailscale-1.76.6.tar.gz
new file mode 100644
index 0000000..b019ce8
--- /dev/null
+++ b/tailscale-1.76.6.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:627769855263d35d26e3b855efdf79167d42f08a3087f5a678b7aa5298e30a72
+size 12438906
diff --git a/tailscale-1.78.1.tar.gz b/tailscale-1.78.1.tar.gz
new file mode 100644
index 0000000..b417f1f
--- /dev/null
+++ b/tailscale-1.78.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a035f99f9bdc8c0a3de278a538c1e8df1e886d8f2bfe0bd4567a3c2850e31d48
+size 11935577
diff --git a/tailscale-1.78.3.tar.gz b/tailscale-1.78.3.tar.gz
new file mode 100644
index 0000000..74d8c18
--- /dev/null
+++ b/tailscale-1.78.3.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1b10020e1b94fce5556f7ef67e5bd529fd1a209dcb7694bf13c1edafbce097cd
+size 12121603
diff --git a/tailscale-1.80.0.tar.gz b/tailscale-1.80.0.tar.gz
new file mode 100644
index 0000000..6d803bb
--- /dev/null
+++ b/tailscale-1.80.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3c7a09a5a96c0c21f70aa4e1a1a934c8d5b1ef3db80e8aab98d53ee664585277
+size 12573438
diff --git a/tailscale-1.80.1.tar.gz b/tailscale-1.80.1.tar.gz
new file mode 100644
index 0000000..c2e8626
--- /dev/null
+++ b/tailscale-1.80.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:41d9c077b27685e7ded4bb59d443921a72aa3efdfeff313ad78f361cc8b0a794
+size 13209056
diff --git a/tailscale-1.80.2.tar.gz b/tailscale-1.80.2.tar.gz
new file mode 100644
index 0000000..f9501a9
--- /dev/null
+++ b/tailscale-1.80.2.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:46af9a3dcb6d7a82af189f6c4d45fce5a98aaab64d7877dcbe8dc9202ab892ae
+size 13465507
diff --git a/tailscale-1.80.3.tar.gz b/tailscale-1.80.3.tar.gz
new file mode 100644
index 0000000..3f01878
--- /dev/null
+++ b/tailscale-1.80.3.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8cfab48a1a40bc27445bc1aea0daedc7c1147a1ee61fe3abbf32c1eb8acaca33
+size 13706235
diff --git a/tailscale-1.82.0.tar.gz b/tailscale-1.82.0.tar.gz
new file mode 100644
index 0000000..de88954
--- /dev/null
+++ b/tailscale-1.82.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:47b58b296b0ff02b4368fbb0040d3b46fa42643389ea3a0171c3ad1850b4b52d
+size 13176999
diff --git a/tailscale-1.82.5.tar.gz b/tailscale-1.82.5.tar.gz
new file mode 100644
index 0000000..f986dd6
--- /dev/null
+++ b/tailscale-1.82.5.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1114843fb881e27ab377e2f3420f50b76c12783dc1daa7fcf7bb8b76416e3370
+size 67640448
diff --git a/tailscale.changes b/tailscale.changes
new file mode 100644
index 0000000..5c7a336
--- /dev/null
+++ b/tailscale.changes
@@ -0,0 +1,498 @@
+-------------------------------------------------------------------
+Fri Apr 18 07:37:15 UTC 2025 - Richard Rahl
+
+- update to 1.82.5:
+ * A panic issue related to CUBIC congestion control in userspace mode is resolved.
+
+-------------------------------------------------------------------
+Thu Mar 27 19:50:58 UTC 2025 - Richard Rahl
+
+- update to 1.82.0:
+ * DERP functionality within the client supports certificate pinning for
+ self-signed IP address certificates for those unable to use Let's Encrypt
+ or WebPKI certificates.
+ * Go is updated to version 1.24.1
+ * NAT traversal code uses the DERP connection that a packet arrived on as an
+ ultimate fallback route if no other information is available
+ * Captive portal detection reliability is improved on some in-flight Wi-Fi networks
+ * Port mapping success rate is improved
+ * Helsinki is added as a DERP region.
+
+-------------------------------------------------------------------
+Wed Mar 12 09:07:49 UTC 2025 - Richard Rahl
+
+- add patch fix-CVE-2025-22869.patch, fixes bsc#1239353
+
+-------------------------------------------------------------------
+Tue Mar 4 13:42:34 UTC 2025 - Richard Rahl
+
+- update to 1.80.3:
+ * appc: fix a deadlock in route advertisements
+ * client/web: fix CSRF handler order in web UI
+
+-------------------------------------------------------------------
+Thu Feb 13 14:30:28 UTC 2025 - Richard Rahl
+
+- update to 1.80.2:
+ * Use ip:country as a geolocation device posture attribute (generally available).
+
+-------------------------------------------------------------------
+Thu Feb 6 19:52:22 UTC 2025 - Richard Rahl
+
+- update to 1.80.1:
+ * net/netmon: add extra panic guard around ParseRIB
+
+-------------------------------------------------------------------
+Fri Jan 31 17:20:29 UTC 2025 - Richard Rahl
+
+- update to 1.80.0:
+ * Hostname system policy is added for overriding the device hostname
+ configured by the operating system, using an MDM solution.
+ * Web interface displays a Login button instead of the Reauthenticate button
+ when adding a new device to your tailnet.
+ * Tailscale Funnel configuration on devices displays errors when incoming
+ connections are not permitted and connections are disallowed.
+ * Connections to a custom coordination server that does not support HTTPS
+ will no longer fail when a custom port number is specified.
+ * TLS certificate requests from Let’s Encrypt include the device's DNS name
+ in the CSR’s SAN extension and set the Common Name field.
+ * Tailscale Funnel disabled on a device no longer displays enabled in the
+ admin console.
+ * GitHub username change automatically updates tailnet name
+ * 4via6 subnet routers GA
+ * Auto approvers GA
+ * Node attributes GA
+ * Download invoices GA
+ * Fast user switching GA
+ * Configuration log streaming integration with S3 buckets GA
+ * Network flow log streaming integration with S3 buckets GA
+ * NextDNS profiles per device GA
+ * GitHub secret scanning
+- remove fix-CVE-2024-45337.patch, as it's now included
+
+-------------------------------------------------------------------
+Wed Dec 18 17:33:23 UTC 2024 - Richard Rahl
+
+- add patch fix-CVE-2024-45337.patch, to circumevent a possibility
+ of exploiting the golang-x-crypto security hole. (fix #1234506)
+
+-------------------------------------------------------------------
+Fri Dec 13 05:06:26 UTC 2024 - Richard Rahl
+
+- update to 1.78.3:
+ * cmd/containerboot: fix nil pointer exception
+ * hostinfo: fix testing in container
+
+-------------------------------------------------------------------
+Fri Dec 6 01:22:05 UTC 2024 - Richard Rahl
+
+- update to 1.78.1:
+ * health: fix TestHealthMetric
+
+-------------------------------------------------------------------
+Thu Dec 5 22:10:32 UTC 2024 - Richard Rahl
+
+- update to 1.78.0:
+ * Client metrics have been added, to provide insights into Tailscale client
+ behavior, health, and performance.
+ * tailscale metrics command has been added, to expose and collect client + metrics for use with third-party monitoring systems. + * tailscale syspolicy command has been added, to list system policies, reload + system policies, or view errors related to the system policies configured + on the device. + * Tailscale system policies are applied immediately when pushed via mobile + device management (MDM) or Group Policy, without requiring a client restart. + * Tailscale SSH session recording detects the disappearance of the recorder + node sooner. This fix addresses a security vulnerability described + in TS-2024-013. + * New scopes for OAuth clients have been added with more granular permissions. + Existing OAuth clients using the previous set of scopes, and keys generated + using these clients, are still valid. + +------------------------------------------------------------------- +Fri Nov 8 03:46:50 UTC 2024 - Richard Rahl + +- update to 1.76.6: + * Logging for when clients move home DERP regions is improved. + * Tailscale clients no longer move their home DERP server prematurely in + response to unusual latency at very specific times. + +------------------------------------------------------------------- +Tue Oct 22 18:34:42 UTC 2024 - Richard Rahl + +- update to 1.76.3: + * no relevant changelog +- update to 1.76.2: + * no relevant changelog +- switch over to the new %{default_fw_backend} macro +- create old init file only for < leap 16 + +------------------------------------------------------------------- +Wed Oct 16 20:40:31 UTC 2024 - Richard Rahl + +- update to 1.76.1: + * tailscale netcheck CLI command no longer crashes when performing diagnostics + on networks lacking UDP connectivity. + * Improperly formatted SERVFAIL responses no longer cause DNS timeouts when using an exit node. + * dbus login sessions no longer fail on systems where /bin/login is missing. 
+ +------------------------------------------------------------------- +Mon Oct 14 13:06:13 UTC 2024 - Alexandre Vicenzi + +- Require a firewall backend (boo#1228829) +- Add simple test check to ensure binaries are working + +------------------------------------------------------------------- +Fri Oct 11 06:07:28 UTC 2024 - Richard Rahl + +- update to 1.76.0: + * Clients lacking UDP connectivity no longer skip performing fallback latency + measurements with DERP servers. + * Warnings no longer display unnecessarily. + * Tailscale connectivity on in-flight internet on airplanes (such as Alaska Airlines) no longer fails. + * Service-related processes no longer run unnecessarily when services are disabled on the tailnet. + * Error messages include explanations in addition to the HTTP status code. + * Tailscale SSH supports sending environment variables to hosts. It's also possible to specify + permitted environment variables using the acceptEnv field. + * Tailscale SSH no longer breaks some terminal applications by omitting pixel width and height when + resizing the application window. + +------------------------------------------------------------------- +Sat Sep 21 05:28:42 UTC 2024 - Eric Torres + +- Change path of zsh completion file to make zsh properly recognize completions + * /usr/share/zsh/site-functions/tailscale moved to /usr/share/zsh/site-functions/_tailscale + +------------------------------------------------------------------- +Wed Sep 18 19:10:19 UTC 2024 - Richard Rahl + +- update to 1.74.1: + * wgengine/magicsock: disable raw disco by default; add envknob to enable + +------------------------------------------------------------------- +Fri Sep 13 10:48:17 UTC 2024 - Richard Rahl + +- update to 1.74.0 + * AuthKey system policy can be used to authenticate a device with Tailscale using an MDM solution. + * tailscale dns CLI command is added for accessing Tailscale DNS settings and status. 
+ * Tailnet Lock long rotation signatures are truncated automatically to avoid excessive growth. + * Log In option in the client works as expected. + * TCP generic receive offload (GRO) support is added for improved userspace mode throughput. + * TCP generic segmentation offload (GSO) is re-introduced for supporting improved userspace mode throughput. + This was initially introduced in Tailscale v1.72.0 and then rolled back in v1.72.1. + * Device posture integration with CrowdStrike Falcon can now use MAC addresses to match devices that lack serial numbers. + When Falcon integration is configured, Device Identity Collection will automatically collect MAC addresses. + +------------------------------------------------------------------- +Thu Aug 22 22:08:51 UTC 2024 - Richard Rahl + +- update to 1.72.1: + * DNS over TCP failures when querying the Tailscale-internal resolver are fixed. + +------------------------------------------------------------------- +Wed Aug 21 16:05:02 UTC 2024 - rrahl0@opensuse.org + +- Update to version 1.72.0: + * posture: deduplicate MAC addresses before returning them + * health/dns: reduce severity of DNS unavailable warning + * safeweb: add Server.Close method + * go.mod.sri: update SRI hash for go.mod changes + * go.{mod,sum}: migrate from nhooyr.io/websocket to github.com/coder/websocket + * cmd/viewer: add support for map-like container types +- update golang(API) to 1.23 +- export version variables, to circumvent a bug + +------------------------------------------------------------------- +Thu Jul 18 06:31:58 UTC 2024 - Richard Rahl + +- update to 1.70.0: + * New: Restrict recommended and automatically selected exit nodes using the + new AllowedSuggestedExitNodes system policy. Applies only to platforms that + support system policies. + * Changed: Improved NAT traversal for some uncommon scenarios. + * Changed: Optimized sending firewall rules to clients more efficiently. 
+ * Fixed: Exit node suggestion CLI command now prints the hostname. + * Fixed: Taildrive share paths configured through the CLI resolve relative + to where you run the tailscale command. + +------------------------------------------------------------------- +Tue Jul 2 20:35:35 UTC 2024 - Richard Rahl + +- update to 1.68.2: + * Fixed: Tailnet lock validation of rotation signatures now permits multiple nodes + signed by the same pre-signed reusable auth key. + +------------------------------------------------------------------- +Sun Jun 16 13:30:20 UTC 2024 - Richard Rahl + +- update to 1.68.1: + * Fixed: 4via6 subnet router advertisement works as expected. + * Fixed: Tailscale SSH access to Security-Enhanced Linux (SELinux) machines works as expected. +- update to 1.68.0: + * New: Auto-updates are allowed in containers, but ignore the tailnet-wide default + * New: Apply auto-updates even if the node is down or disconnected from the coordination server. + * New: tailscale lock status now prints the node's signature. + +------------------------------------------------------------------- +Wed May 22 08:36:37 UTC 2024 - Richard Rahl + +- update to 1.66.4: + * Fixed: Restored UDP connectivity through Mullvad exit nodes + * Stateful filtering is now off by default + +- update to 1.66.3: + * Login URLs did not always appear in the console when running tailscale up + * Starting with v1.66, the Kubernetes operator must always run the same or later version + as the proxies it manages. 
+ * Expose cloud services on cluster network to the tailnet, using Kubernetes ExternalName Services + * Expose tailnet services that use Tailscale HTTPS to cluster workloads + * Cluster workloads can now refer to Tailscale Ingress resources by their MagicDNS names + * Configure environment variables for Tailscale Kubernetes operator proxies using ProxyClass CRD + * Expose tailscaled metrics endpoint for Tailscale Kubernetes operator proxies through ProxyClass CRD + * Configure labels for the Kubernetes operator Pods with Helm chart values + * Configure affinity rules for Kubernetes operator proxy Pods with ProxyClass + * Kubernetes operator proxy init container no longer attempts to enable IPv6 forwarding on systems + that don't have IPv6 module loaded + * Tailscale containers running on Kubernetes no longer error if an empty Kubernetes Secret is + pre-created for the tailscaled state + * Improved the ambiguous error messages when Tailscale running on Kubernetes does not have the right + permissions to perform actions against the tailscaled state Secret + +------------------------------------------------------------------- +Fri May 10 15:16:33 UTC 2024 - Richard Rahl + +- update to 1.66.1: + * Resolved issues with nftables rules for stateful filtering, + introduced in v1.66.0. + * tailscale set command flags --netfilter-mode, --snat-subnet-routes, + and --stateful-filtering are added. + +- update to 1.66.0: + * Implemented client-side quarantining for shared-in exit nodes, + as a mitigation for a security vulnerability described in TS-2024-005. + * Use the --stateful-filtering flag for the tailscale up to enable stateful filtering for + subnet routers and exit nodes, as a mitigation for a security vulnerability described + in TS-2024-005. + * Added tab completions + * Use the tailscale exit-node suggest command to automatically pick an available exit node + that is likely to perform best. 
+ * Site-to-site networking now also requires --stateful-filtering=false in addition to + --snat-subnet-routes=false on new subnet routers. Existing subnet routers with --snat-subnet-routes=false + will default to --stateful-filtering=false. + +- update to 1.64.2: + * nothing relevant for linux + +- update to 1.64.1: + * nothing relevant for linux + +- update to 1.64.0: + * New: tailscale configure kubeconfig now respects KUBECONFIG environment variable. + * Fixed: tailscale configure kubeconfig now works with partially empty kubeconfig. + * Fixed: MSS clamping for Kubernetes operator proxies using nftables. + * Fixed: Containers on hosts with partial support for ip6tables no longer crash. + +- turn of changelog generation +- add completions for bash + +------------------------------------------------------------------- +Sat Mar 30 08:28:56 UTC 2024 - Richard Rahl + +- update to 1.62.1: + * Send load balancing hint HTTP request header + * Fixed: Kubernetes operator proxies should not accept subnet routes + +------------------------------------------------------------------- +Thu Mar 14 03:13:54 UTC 2024 - rrahl0@proton.me + +- update to 1.62.0: + * IPv6 support detection in a container environment is improved + * New: Web interface now uses ACL grants to manage access on tagged devices + * Tailscale SSH connections now disable unnecessary hostname canonicalization + * tailscale bugreport command for generating diagnostic logs now contain ethtool information + * Mullvad's family-friendly server is added to the list of well known DNS over HTTPS (DoH) servers + * DNS over HTTP requests now contain a timeout + * TCP forwarding attempts in userspace mode now have a per-client limit + * Endpoints with link-local IPv6 addresses is preferred over private addresses + * WireGuard logs are less verbose + * Go min. 
version 1.22.1 + * DERP server region no longer changes if connectivity to the new DERP region is degraded + +- update to 1.60.1: + * Exposing port 8080 to other devices on your tailnet works as expected + +------------------------------------------------------------------- +Tue Feb 20 22:10:41 UTC 2024 - Alexandre Vicenzi + +- Add disable-auto-update.patch to prevent auto updates and instead + ask users to use Zypper to update manually + +------------------------------------------------------------------- +Tue Feb 20 14:52:46 UTC 2024 - Richard Rahl + +- change to the non deprecated manualrun + +------------------------------------------------------------------- +Fri Feb 16 14:38:14 UTC 2024 - alexandre.vicenzi@suse.com + +- Spec cleanup + * Use tar_scm to avoid commit hashes in the spec + * Use tailscale build scripts + * Drop ProtectClock fix for Leap, DeviceAllow fixes it +- Add build-verbose.patch to get go flags into build log +- Enable PrivateDevices but allow access to /dev/net/tun in tailscaled.service + +------------------------------------------------------------------- +Fri Feb 16 00:50:26 UTC 2024 - Richard Rahl + +- update to 1.60.0: + * minimum go version 1.22 + * authentication: present users with a valid login page when + attempting to login even after leaving device unattended for several days + * networking: mute noisy peer mtu discovery errors + * networking: expose gVisor metrics in debug mode + * port mapper: support legacy "urn:dslforum-org" port mapping services + * port mapper: fix crash when no support mapping services found + * ssh: log warning when unable to find SSH host keys + * serve: improve error message when running as non-root + * Detect when Tailscale is running on Digital Ocean and automatically + use Digital Ocean's DNS resolvers + * enable app connectors to install routes for domains that resolve to CNAME + records + * support pre-configured routes from control server + * add new read-only mode + * tailscale status command: 
fix output formatting Tailnet + includes location-based exit nodes + * a new ProxyClass custom resource that allows to provide custom + configuration for cluster resources that the operator creates + * ACL tags for the operator can now be configured via Helm chart values + * routing to Ingress backends that require an exact path without a slash + +------------------------------------------------------------------- +Wed Feb 7 14:52:53 UTC 2024 - Richard Rahl + +- make rpm not overwrite /etc/default/taiscaled +- defattr everything to root + +------------------------------------------------------------------- +Sat Feb 3 11:18:05 UTC 2024 - Richard Rahl + +- no stripping of binaries +- add commitID to binaries for upstream +- add directory for saved configs + +------------------------------------------------------------------- +Tue Jan 23 23:54:36 UTC 2024 - Richard Rahl + +- switch services to manual +- update to version 1.58.2: + * Fixed: [App connectors][app-connectors] have improved scheduling + and merging of route changes under some conditions + * Fixed: Crash when performing UPnP portmapping on older routers + with no supported portmapping services + +------------------------------------------------------------------- +Fri Jan 19 08:06:27 UTC 2024 - Richard Rahl + +- update to version 1.58.0: + * portmap: check the epoch from NAT-PMP & PCP, establish new portmapping if it changes + * portmap: better handle multiple interfaces + * portmap: handle multiple UPnP discovery responses + * increase the number of 4via6 site IDs from 256 to 65,536 + * taildrop: allow category Z unicode characters + * increased binary size with 1.56 is resolved in 1.58 + * Reduce home DERP flapping when there's still an active connection + * device web ui: fixed issue when accessing shared devices + * device web ui: fixed login issue when accessed over https + +------------------------------------------------------------------- +Wed Jan 10 02:17:57 UTC 2024 - Richard Rahl + +- fix an 
issue with Leap, where ProtectClock prevents to connect to + /dev/net/tun + +------------------------------------------------------------------- +Fri Dec 15 21:22:39 UTC 2023 - Richard Rahl + +- update to version 1.56.1: + * Fixed: Web interface redirects to the correct self IP known by source peer + * Fixed: Usage of slices.Compact from app connector domains list + +------------------------------------------------------------------- +Fri Dec 15 13:48:28 UTC 2023 - Richard Rahl + +- fix version output to what upstream expects + +------------------------------------------------------------------- +Wed Dec 13 22:08:30 UTC 2023 - rrahl0@proton.me + +- Update to version 1.56.0: + * improve responsiveness under load, especially with bidirectional traffic + * improve UPnP portmapping + * add tailscale whois subcommand to observe metadata associated with a Tailscale IP + * include tailnet name and profile ID in tailscale switch --list to disambiguate + profiles with common login names + * improve tailscale web interface for configuring some device settings such as exit nodes, + subnet routers, and Tailscale SSH + * improve containerboot to symlink its socket file if possible, + making the tailscale CLI work without --socket=/tmp/tailscale.sock + * add support in Kubernetes operator cluster egress for referring to a tailnet service + by its MagicDNS name + + +- Update to version 1.54.1: + * no relevant updates to the linux version + +------------------------------------------------------------------- +Fri Nov 24 21:59:11 UTC 2023 - Richard Rahl + +- tailscale couldn't connect to /dev/net/tun + +------------------------------------------------------------------- +Thu Nov 23 06:51:24 UTC 2023 - rrahl0@proton.me + +- Update to version 1.54.0: + * improve throughput substantially for UDP packets over TUN device with recent Linux kernels + + +- Update to version 1.52.1: + * no linux improvements + +- Update to version 1.52.0: + * tailscale set command flag --auto-update is 
added to opt in to automatic client updates + * tailscale serve and tailscale funnel commands are updated for improved usability + * tailscale update command for manual updates is now in beta + * Taildrop file transfer displays a progress meter + * nftables auto-detection is improved when TS_DEBUG_FIREWALL_MODE=auto is used + * DNS detection of NetworkManager with configured but absent systemd-resolved + * Taildrop now resumes file transfers after partial transfers are interrupted + * tailscale up command displays a message about client updates when newer versions are available + * tailscale status command displays a message about client updates when newer versions are available + * tailscale cert command renews in the background. The current certificate only displays if it has expired. + +------------------------------------------------------------------- +Mon Oct 02 23:51:03 UTC 2023 - rrahl0@proton.me + +- Update to version 1.50.1: + * fix bug where serve config could get wiped + * Funnel support for tsnet apps + * fix potential crash with UPnP + +------------------------------------------------------------------- +Sat Sep 30 19:38:50 UTC 2023 - rrahl0@proton.me + +- Update to version 1.50.0: + * Update tailscale{,d} licenses + * Update Quad9 addresses and references + * Adds support for Wikimedia DNS using DNS-over-HTTPS + +- Update to version 1.48.1: + * no relevant updates + +- Update to version 1.48.2: + * Improvements to Mullvad exit nodes + +------------------------------------------------------------------- +Fri Aug 18 15:56:24 UTC 2023 - Richard Rahl + +- Initial revision diff --git a/tailscale.spec b/tailscale.spec new file mode 100644 index 0000000..ea5b76d --- /dev/null +++ b/tailscale.spec 
@@ -0,0 +1,144 @@
+#
+# spec file for package tailscale
+#
+# Copyright (c) 2025 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name: tailscale
+Version: 1.82.5
+Release: 0
+Summary: The easiest, most secure way to use WireGuard and 2FA
+License: BSD-3-Clause
+URL: https://github.com/tailscale/tailscale
+Source: %{name}-%{version}.tar.gz
+Source1: vendor.tar.gz
+Source2: %{name}d.service
+Source3: %{name}d.defaults
+Patch0: build-verbose.patch
+Patch1: disable-auto-update.patch
+Patch2: fix-CVE-2025-22869.patch
+BuildRequires: bash-completion
+BuildRequires: fish
+BuildRequires: git-core
+BuildRequires: golang-packaging
+BuildRequires: zsh
+BuildRequires: golang(API) >= 1.24
+Requires: %{default_firewall_backend}
+ExcludeArch: i586
+%{?systemd_requires}
+
+%description
+Tailscale is a modern VPN built on top of Wireguard. It works like an overlay
+network between the computers of your networks using NAT traversal.
+
+%package bash-completion
+Summary: Tailscale bash completion
+Supplements: (%{name} and bash-completion)
+BuildArch: noarch
+
+%description bash-completion
+bash completions for %{name}
+
+%package zsh-completion
+Summary: Tailsacle zsh completion
+Supplements: (%{name} and zsh)
+BuildArch: noarch
+
+%description zsh-completion
+zsh completion for %{name}
+
+%package fish-completion
+Summary: Tailscale fish completion
+Supplements: (%{name} and fish)
+BuildArch: noarch
+
+%description fish-completion
+fish completion for %{name}
+
+%prep
+%autosetup -a1 -p1
+
+%build
+%ifnarch ppc64
+export GOFLAGS="-buildmode=pie"
+%endif
+export VERSION_SHORT=%{version}
+export VERSION_LONG=%{version}
+export VERSION_GIT_HASH='$(git rev-parse v%{version})'
+./build_dist.sh ./cmd/%{name}
+./build_dist.sh ./cmd/%{name}d
+
+#generate completions
+./%{name} completion bash > ./%{name}.bash
+./%{name} completion zsh > ./%{name}.zsh
+./%{name} completion fish > ./%{name}.fish
+
+%check
+./%{name} version
+./%{name}d -version
+
+%install
+mkdir -p %{buildroot}%{_sharedstatedir}/%{name}
+
+install -D -p -m 0755 %{name} %{buildroot}%{_bindir}/%{name}
+install -D -p -m 0755 %{name}d %{buildroot}%{_sbindir}/%{name}d
+
+# service
+install -D -p -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/%{name}d.service
+%if 0%{?suse_version} < 1600
+ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}d
+%endif
+
+# defaults
+install -D -p -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/default/%{name}d
+
+install -D -p -m 0644 ./%{name}.bash %{buildroot}%{_datadir}/bash-completion/completions/%{name}
+install -D -p -m 0644 ./%{name}.zsh %{buildroot}%{_datadir}/zsh/site-functions/_%{name}
+install -D -p -m 0644 ./%{name}.fish %{buildroot}%{_datadir}/fish/vendor_completions.d/%{name}
+
+%pre
+%service_add_pre %{name}d.service
+
+%post
+%service_add_post %{name}d.service
+
+%preun
+%service_del_preun %{name}d.service
+
+%postun
+%service_del_postun %{name}d.service
+
+%files
+%license LICENSE PATENTS
+%doc README.md SECURITY.md
+%config(noreplace) %{_sysconfdir}/default/%{name}d
+%dir %{_sharedstatedir}/%{name}
+%{_bindir}/%{name}
+%{_sbindir}/%{name}d
+%{_unitdir}/%{name}d.service
+%if 0%{?suse_version} < 1600
+%{_sbindir}/rc%{name}d
+%endif
+
+%files bash-completion
+%{_datadir}/bash-completion/completions/%{name}
+
+%files zsh-completion
+%{_datadir}/zsh/site-functions/_%{name}
+
+%files fish-completion
+%{_datadir}/fish/vendor_completions.d/%{name}
+
+%changelog
diff --git a/tailscaled.defaults b/tailscaled.defaults
new file mode 100644
index 0000000..75f1c3e
--- /dev/null
+++ b/tailscaled.defaults
@@ -0,0 +1,8 @@
+# Set the port to listen on for incoming VPN packets.
+# Remote nodes will automatically be informed about the new port number,
+# but you might want to configure this in order to set external firewall
+# settings.
+PORT="41641"
+
+# Extra flags you might want to pass to tailscaled.
+FLAGS=""
diff --git a/tailscaled.service b/tailscaled.service
new file mode 100644
index 0000000..b67b94d
--- /dev/null
+++ b/tailscaled.service
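Review bot: `export VERSION_GIT_HASH='$(git rev-parse v%{version})'` in %build is single-quoted, so after rpm macro expansion the shell exports the literal text `$(git rev-parse v1.82.5)` rather than a commit hash, unless build_dist.sh re-evaluates the variable itself (not visible here); a tar_scm tarball may also lack the .git metadata that `git rev-parse` would need. If a real hash is wanted, let the substitution run with double quotes, e.g. `export VERSION_GIT_HASH="$(git rev-parse v%{version})"`, and add a comment above it saying where the hash comes from and why build_dist.sh's own detection is bypassed; otherwise drop the export. `Summary: Tailsacle zsh completion` misspells Tailscale and ends up in the package metadata users see.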
@@ -0,0 +1,35 @@
+[Unit]
+Description=Tailscale node agent
+Documentation=https://tailscale.com/kb/
+Wants=network-pre.target
+After=network-pre.target NetworkManager.service systemd-resolved.service
+
+[Service]
+EnvironmentFile=/etc/default/tailscaled
+ExecStartPre=/usr/sbin/tailscaled --cleanup
+ExecStart=/usr/sbin/tailscaled --state=/var/lib/tailscale/tailscaled.state --socket=/run/tailscale/tailscaled.sock --port=${PORT} $FLAGS
+ExecStopPost=/usr/sbin/tailscaled --cleanup
+Restart=on-failure
+RuntimeDirectory=tailscale
+RuntimeDirectoryMode=0755
+StateDirectory=tailscale
+StateDirectoryMode=0700
+CacheDirectory=tailscale
+CacheDirectoryMode=0750
+Type=notify
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+PrivateDevices=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+RestrictRealtime=true
+# give permission to TUN
+BindPaths=/dev/net/tun
+DeviceAllow=/dev/net/tun rw
+
+[Install]
+WantedBy=multi-user.target
diff --git a/vendor.tar.gz b/vendor.tar.gz
new file mode 100644
index 0000000..19cdde4
--- /dev/null
+++ b/vendor.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:52c10fc0f46a7139e94565c194246bb61161c0cadcc9b51eeaf699b34d2b8475
+size 20185562
-- 
2.51.1

From f05ff0fb440929e771542e2777eb5f2fedf5cd45d2dd3016e77205fa22dd46b0 Mon Sep 17 00:00:00 2001
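Review bot: The [Service] hardening list ends at `RestrictRealtime=true` and leaves out the directives usually paired with it — `ProtectSystem=`, `RestrictSUIDSGID=`, `LockPersonality=`, `SystemCallArchitectures=native`, `RestrictNamespaces=` — and does not narrow `CapabilityBoundingSet=`. tailscaled's DNS handling and Tailscale SSH likely rule some of these out (it may need to write resolver configuration and switch to the login user), so each one should be tested individually rather than copied in, and `systemd-analyze security tailscaled.service` will report what exposure remains. `RuntimeDirectoryMode=0755` makes /run/tailscale listable by every local user, which is acceptable only if tailscaled itself restricts the socket's mode; a comment such as `# socket permissions are set by tailscaled; the directory only needs to be traversable` would record that assumption. `$FLAGS` is deliberately left unbraced so systemd word-splits it into several arguments while `${PORT}` stays a single word — a short comment here would keep a later cleanup from quoting it.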
From: Richard Rahl Date: Thu, 22 May 2025 12:04:31 +0000 Subject: [PATCH 03/25] - update to 1.84.0: * The --reason flag is added to the tailscale down command * ReconnectAfter policy setting, which configures the maximum period of time between a user disconnecting Tailscale and the client automatically reconnecting * Tailscale CLI commands throw an error if multiple of the same flag are detected * Network connectivity issues when creating a new profile or switching profiles while using an exit node * DNS-over-TCP fallback works correctly with upstream servers reachable only via the tailnet - remove fix-CVE-2025-22869.patch, as upstream updated their dependencies OBS-URL: https://build.opensuse.org/package/show/network:vpn/tailscale?expand=0&rev=77 --- .gitattributes | 23 ++ .gitignore | 1 + _service | 17 + _servicedata | 4 + build-verbose.patch | 13 + disable-auto-update.patch | 25 ++ fix-CVE-2024-45337.patch | 727 ++++++++++++++++++++++++++++++++++++++ fix-CVE-2025-22869.patch | 80 +++++ tailscale-1.70.0.tar.gz | 3 + tailscale-1.72.1.tar.gz | 3 + tailscale-1.74.0.tar.gz | 3 + tailscale-1.74.1.tar.gz | 3 + tailscale-1.76.1.tar.gz | 3 + tailscale-1.76.3.tar.gz | 3 + tailscale-1.76.6.tar.gz | 3 + tailscale-1.78.1.tar.gz | 3 + tailscale-1.78.3.tar.gz | 3 + tailscale-1.80.0.tar.gz | 3 + tailscale-1.80.1.tar.gz | 3 + tailscale-1.80.2.tar.gz | 3 + tailscale-1.80.3.tar.gz | 3 + tailscale-1.82.0.tar.gz | 3 + tailscale-1.82.5.tar.gz | 3 + tailscale-1.84.0.tar.gz | 3 + tailscale.changes | 513 +++++++++++++++++++++++++++ tailscale.spec | 143 ++++++++ tailscaled.defaults | 8 + tailscaled.service | 35 ++ vendor.tar.gz | 3 + 29 files changed, 1640 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 _service create mode 100644 _servicedata create mode 100644 build-verbose.patch create mode 100644 disable-auto-update.patch create mode 100644 fix-CVE-2024-45337.patch create mode 100644 fix-CVE-2025-22869.patch create mode 100644 
tailscale-1.70.0.tar.gz create mode 100644 tailscale-1.72.1.tar.gz create mode 100644 tailscale-1.74.0.tar.gz create mode 100644 tailscale-1.74.1.tar.gz create mode 100644 tailscale-1.76.1.tar.gz create mode 100644 tailscale-1.76.3.tar.gz create mode 100644 tailscale-1.76.6.tar.gz create mode 100644 tailscale-1.78.1.tar.gz create mode 100644 tailscale-1.78.3.tar.gz create mode 100644 tailscale-1.80.0.tar.gz create mode 100644 tailscale-1.80.1.tar.gz create mode 100644 tailscale-1.80.2.tar.gz create mode 100644 tailscale-1.80.3.tar.gz create mode 100644 tailscale-1.82.0.tar.gz create mode 100644 tailscale-1.82.5.tar.gz create mode 100644 tailscale-1.84.0.tar.gz create mode 100644 tailscale.changes create mode 100644 tailscale.spec create mode 100644 tailscaled.defaults create mode 100644 tailscaled.service create mode 100644 vendor.tar.gz diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text 
diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/_service b/_service new file mode 100644 index 0000000..130bb00 --- /dev/null +++ b/_service @@ -0,0 +1,17 @@ + + + https://github.com/tailscale/tailscale.git + git + yes + refs/tags/v1.84.0 + @PARENT_TAG@ + v(.*) + disable + + + *.tar + gz + + + + diff --git a/_servicedata b/_servicedata new file mode 100644 index 0000000..d4fed67 --- /dev/null +++ b/_servicedata @@ -0,0 +1,4 @@ + + + https://github.com/tailscale/tailscale.git + aa448d5a9985378af04966c6d7aec8d9f4a166ca \ No newline at end of file diff --git a/build-verbose.patch b/build-verbose.patch new file mode 100644 index 0000000..5da7533 --- /dev/null +++ b/build-verbose.patch @@ -0,0 +1,13 @@ +diff --git a/build_dist.sh b/build_dist.sh +index 0c757c26..9639d596 100755 +--- a/build_dist.sh ++++ b/build_dist.sh +@@ -9,7 +9,7 @@ + # this script, or executing equivalent commands in your + # distro-specific build system. + +-set -eu ++set -eux + + go="go" + if [ -n "${TS_USE_TOOLCHAIN:-}" ]; then diff --git a/disable-auto-update.patch b/disable-auto-update.patch new file mode 100644 index 0000000..c7d8a30 --- /dev/null +++ b/disable-auto-update.patch 
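Review bot: The `_service` checkout is pinned to `refs/tags/v1.84.0`, a mutable reference; the commit `aa448d5a9985378af04966c6d7aec8d9f4a166ca` recorded in `_servicedata` is, as far as I know, only consumed for changelog generation and does not pin what tar_scm fetches. Recording the expected commit in the spec or changes file, or comparing the checked-out commit against it at service time, would make a retagged upstream release visible rather than silently producing a different tarball. The XML markup of `_service` appears stripped on this page, so the element names themselves cannot be reviewed here.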
@@ -0,0 +1,25 @@
+diff -rub tailscale/clientupdate/clientupdate.go tailscale-patched/clientupdate/clientupdate.go
+--- tailscale/clientupdate/clientupdate.go 2024-06-16 15:26:31.323022871 +0200
++++ tailscale-patched/clientupdate/clientupdate.go 2024-06-16 15:57:08.732315446 +0200
+@@ -205,6 +205,8 @@
+ // The distro.Debian switch case above should catch most apt-based
+ // systems, but add this fallback just in case.
+ return up.updateDebLike, true
++ case haveExecutable("zypper"):
++ return up.updateSUSE, false
+ case haveExecutable("dnf"):
+ return up.updateFedoraLike("dnf"), true
+ case haveExecutable("yum"):
+@@ -526,6 +528,12 @@
+ you can use "pacman --sync --refresh --sysupgrade" or "pacman -Syu" to upgrade the system, including Tailscale.`)
+ }
+ 
++func (up *Updater) updateSUSE() error {
++ // SUSE-based distros should update manually.
++ // The package can come from official Tailscale repos or not and the system can be transactional or not.
++ return errors.New(`Use Zypper or transactional-update (on applicable systems) to update Tailscale on openSUSE or SUSE Linux Enterprise installations.`)
++}
++
+ func (up *Updater) updateNixos() error {
+ // NixOS package updates are managed on a system level and not individually.
+ // Direct users to update their nix channel or nixpkgs flake input to
diff --git a/fix-CVE-2024-45337.patch b/fix-CVE-2024-45337.patch
new file mode 100644
index 0000000..1fbec70
--- /dev/null
+++ b/fix-CVE-2024-45337.patch
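Review bot: The new `case haveExecutable("zypper"):` keys off the presence of a binary rather than distro identity, unlike the `distro.Debian` case the surrounding comment refers to, so any host that merely has zypper installed is routed to `updateSUSE` and told to update manually; that is presumably intended for openSUSE/SLE but deserves a comment on the case, e.g. `// openSUSE/SLE: packages are managed by zypper or transactional-update; never self-update.`. Because a Go switch takes the first matching case, placing it ahead of the `dnf`/`yum` cases also means zypper wins on a host that has both, which the same comment should acknowledge. The second return value `false` presumably turns off the automatic-update path for this branch, which is the security-relevant effect of the patch and should be stated alongside it. The enclosing switch and function start outside this hunk.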
@@ -0,0 +1,727 @@ +From 73128e25230fda8c82696ed0ffef991bce68cecc Mon Sep 17 00:00:00 2001 +From: Brad Fitzpatrick +Date: Thu, 12 Dec 2024 09:38:07 -0800 +Subject: [PATCH] ssh/tailssh: remove unused public key support + +When we first made Tailscale SSH, we assumed people would want public +key support soon after. Turns out that hasn't been the case; people +love the Tailscale identity authentication and check mode. + +In light of CVE-2024-45337, just remove all our public key code to not +distract people, and to make the code smaller. We can always get it +back from git if needed. + +Updates tailscale/corp#25131 +Updates golang/go#70779 + +Co-authored-by: Percy Wegmann +Change-Id: I87a6e79c2215158766a81942227a18b247333c22 +Signed-off-by: Brad Fitzpatrick +--- + Makefile | 1 - + ssh/tailssh/tailssh.go | 277 ++++-------------------------------- + ssh/tailssh/tailssh_test.go | 88 +----------- + tailcfg/tailcfg.go | 18 ++- + tailcfg/tailcfg_clone.go | 12 +- + tailcfg/tailcfg_view.go | 22 +-- + 6 files changed, 54 insertions(+), 364 deletions(-) + +diff --git a/Makefile b/Makefile +index 960f13885c11c..d3e50af0571b7 100644 +--- a/Makefile ++++ b/Makefile +@@ -116,7 +116,6 @@ sshintegrationtest: ## Run the SSH integration tests in various Docker container + GOOS=linux GOARCH=amd64 ./tool/go build -o ssh/tailssh/testcontainers/tailscaled ./cmd/tailscaled && \ + echo "Testing on ubuntu:focal" && docker build --build-arg="BASE=ubuntu:focal" -t ssh-ubuntu-focal ssh/tailssh/testcontainers && \ + echo "Testing on ubuntu:jammy" && docker build --build-arg="BASE=ubuntu:jammy" -t ssh-ubuntu-jammy ssh/tailssh/testcontainers && \ +- echo "Testing on ubuntu:mantic" && docker build --build-arg="BASE=ubuntu:mantic" -t ssh-ubuntu-mantic ssh/tailssh/testcontainers && \ + echo "Testing on ubuntu:noble" && docker build --build-arg="BASE=ubuntu:noble" -t ssh-ubuntu-noble ssh/tailssh/testcontainers && \ + echo "Testing on alpine:latest" && docker build --build-arg="BASE=alpine:latest" -t 
ssh-alpine-latest ssh/tailssh/testcontainers + +diff --git a/ssh/tailssh/tailssh.go b/ssh/tailssh/tailssh.go +index 7cb99c3813104..7f21ccd1182ee 100644 +--- a/ssh/tailssh/tailssh.go ++++ b/ssh/tailssh/tailssh.go +@@ -10,7 +10,6 @@ import ( + "bytes" + "context" + "crypto/rand" +- "encoding/base64" + "encoding/json" + "errors" + "fmt" +@@ -45,7 +44,6 @@ import ( + "tailscale.com/util/clientmetric" + "tailscale.com/util/httpm" + "tailscale.com/util/mak" +- "tailscale.com/util/slicesx" + ) + + var ( +@@ -80,16 +78,14 @@ type server struct { + logf logger.Logf + tailscaledPath string + +- pubKeyHTTPClient *http.Client // or nil for http.DefaultClient +- timeNow func() time.Time // or nil for time.Now ++ timeNow func() time.Time // or nil for time.Now + + sessionWaitGroup sync.WaitGroup + + // mu protects the following +- mu sync.Mutex +- activeConns map[*conn]bool // set; value is always true +- fetchPublicKeysCache map[string]pubKeyCacheEntry // by https URL +- shutdownCalled bool ++ mu sync.Mutex ++ activeConns map[*conn]bool // set; value is always true ++ shutdownCalled bool + } + + func (srv *server) now() time.Time { +@@ -204,7 +200,6 @@ func (srv *server) OnPolicyChange() { + // + // Do the user auth + // - NoClientAuthHandler +-// - PublicKeyHandler (only if NoClientAuthHandler returns errPubKeyRequired) + // + // Once auth is done, the conn can be multiplexed with multiple sessions and + // channels concurrently. 
At which point any of the following can be called +@@ -234,10 +229,9 @@ type conn struct { + finalAction *tailcfg.SSHAction // set by doPolicyAuth or resolveNextAction + finalActionErr error // set by doPolicyAuth or resolveNextAction + +- info *sshConnInfo // set by setInfo +- localUser *userMeta // set by doPolicyAuth +- userGroupIDs []string // set by doPolicyAuth +- pubKey gossh.PublicKey // set by doPolicyAuth ++ info *sshConnInfo // set by setInfo ++ localUser *userMeta // set by doPolicyAuth ++ userGroupIDs []string // set by doPolicyAuth + acceptEnv []string + + // mu protects the following fields. +@@ -268,9 +262,6 @@ func (c *conn) isAuthorized(ctx ssh.Context) error { + action := c.currentAction + for { + if action.Accept { +- if c.pubKey != nil { +- metricPublicKeyAccepts.Add(1) +- } + return nil + } + if action.Reject || action.HoldAndDelegate == "" { +@@ -293,10 +284,6 @@ func (c *conn) isAuthorized(ctx ssh.Context) error { + // policy. + var errDenied = errors.New("ssh: access denied") + +-// errPubKeyRequired is returned by NoClientAuthCallback to make the client +-// resort to public-key auth; not user visible. +-var errPubKeyRequired = errors.New("ssh publickey required") +- + // NoClientAuthCallback implements gossh.NoClientAuthCallback and is called by + // the ssh.Server when the client first connects with the "none" + // authentication method. +@@ -305,13 +292,12 @@ var errPubKeyRequired = errors.New("ssh publickey required") + // starting it afresh). It returns an error if the policy evaluation fails, or + // if the decision is "reject" + // +-// It either returns nil (accept) or errPubKeyRequired or errDenied +-// (reject). The errors may be wrapped. ++// It either returns nil (accept) or errDenied (reject). The errors may be wrapped. 
+ func (c *conn) NoClientAuthCallback(ctx ssh.Context) error { + if c.insecureSkipTailscaleAuth { + return nil + } +- if err := c.doPolicyAuth(ctx, nil /* no pub key */); err != nil { ++ if err := c.doPolicyAuth(ctx); err != nil { + return err + } + if err := c.isAuthorized(ctx); err != nil { +@@ -332,8 +318,6 @@ func (c *conn) nextAuthMethodCallback(cm gossh.ConnMetadata, prevErrors []error) + switch { + case c.anyPasswordIsOkay: + nextMethod = append(nextMethod, "password") +- case slicesx.LastEqual(prevErrors, errPubKeyRequired): +- nextMethod = append(nextMethod, "publickey") + } + + // The fake "tailscale" method is always appended to next so OpenSSH renders +@@ -353,41 +337,20 @@ func (c *conn) fakePasswordHandler(ctx ssh.Context, password string) bool { + return c.anyPasswordIsOkay + } + +-// PublicKeyHandler implements ssh.PublicKeyHandler is called by the +-// ssh.Server when the client presents a public key. +-func (c *conn) PublicKeyHandler(ctx ssh.Context, pubKey ssh.PublicKey) error { +- if err := c.doPolicyAuth(ctx, pubKey); err != nil { +- // TODO(maisem/bradfitz): surface the error here. +- c.logf("rejecting SSH public key %s: %v", bytes.TrimSpace(gossh.MarshalAuthorizedKey(pubKey)), err) +- return err +- } +- if err := c.isAuthorized(ctx); err != nil { +- return err +- } +- c.logf("accepting SSH public key %s", bytes.TrimSpace(gossh.MarshalAuthorizedKey(pubKey))) +- return nil +-} +- +-// doPolicyAuth verifies that conn can proceed with the specified (optional) +-// pubKey. It returns nil if the matching policy action is Accept or +-// HoldAndDelegate. If pubKey is nil, there was no policy match but there is a +-// policy that might match a public key it returns errPubKeyRequired. Otherwise, +-// it returns errDenied. +-func (c *conn) doPolicyAuth(ctx ssh.Context, pubKey ssh.PublicKey) error { ++// doPolicyAuth verifies that conn can proceed. ++// It returns nil if the matching policy action is Accept or ++// HoldAndDelegate. 
Otherwise, it returns errDenied. ++func (c *conn) doPolicyAuth(ctx ssh.Context) error { + if err := c.setInfo(ctx); err != nil { + c.logf("failed to get conninfo: %v", err) + return errDenied + } +- a, localUser, acceptEnv, err := c.evaluatePolicy(pubKey) ++ a, localUser, acceptEnv, err := c.evaluatePolicy() + if err != nil { +- if pubKey == nil && c.havePubKeyPolicy() { +- return errPubKeyRequired +- } + return fmt.Errorf("%w: %v", errDenied, err) + } + c.action0 = a + c.currentAction = a +- c.pubKey = pubKey + c.acceptEnv = acceptEnv + if a.Message != "" { + if err := ctx.SendAuthBanner(a.Message); err != nil { +@@ -448,7 +411,6 @@ func (srv *server) newConn() (*conn, error) { + ServerConfigCallback: c.ServerConfig, + + NoClientAuthHandler: c.NoClientAuthCallback, +- PublicKeyHandler: c.PublicKeyHandler, + PasswordHandler: c.fakePasswordHandler, + + Handler: c.handleSessionPostSSHAuth, +@@ -516,34 +478,6 @@ func (c *conn) mayForwardLocalPortTo(ctx ssh.Context, destinationHost string, de + return false + } + +-// havePubKeyPolicy reports whether any policy rule may provide access by means +-// of a ssh.PublicKey. +-func (c *conn) havePubKeyPolicy() bool { +- if c.info == nil { +- panic("havePubKeyPolicy called before setInfo") +- } +- // Is there any rule that looks like it'd require a public key for this +- // sshUser? +- pol, ok := c.sshPolicy() +- if !ok { +- return false +- } +- for _, r := range pol.Rules { +- if c.ruleExpired(r) { +- continue +- } +- if mapLocalUser(r.SSHUsers, c.info.sshUser) == "" { +- continue +- } +- for _, p := range r.Principals { +- if len(p.PubKeys) > 0 && c.principalMatchesTailscaleIdentity(p) { +- return true +- } +- } +- } +- return false +-} +- + // sshPolicy returns the SSHPolicy for current node. + // If there is no SSHPolicy in the netmap, it returns a debugPolicy + // if one is defined. 
+@@ -620,117 +554,19 @@ func (c *conn) setInfo(ctx ssh.Context) error { + } + + // evaluatePolicy returns the SSHAction and localUser after evaluating +-// the SSHPolicy for this conn. The pubKey may be nil for "none" auth. +-func (c *conn) evaluatePolicy(pubKey gossh.PublicKey) (_ *tailcfg.SSHAction, localUser string, acceptEnv []string, _ error) { ++// the SSHPolicy for this conn. ++func (c *conn) evaluatePolicy() (_ *tailcfg.SSHAction, localUser string, acceptEnv []string, _ error) { + pol, ok := c.sshPolicy() + if !ok { + return nil, "", nil, fmt.Errorf("tailssh: rejecting connection; no SSH policy") + } +- a, localUser, acceptEnv, ok := c.evalSSHPolicy(pol, pubKey) ++ a, localUser, acceptEnv, ok := c.evalSSHPolicy(pol) + if !ok { + return nil, "", nil, fmt.Errorf("tailssh: rejecting connection; no matching policy") + } + return a, localUser, acceptEnv, nil + } + +-// pubKeyCacheEntry is the cache value for an HTTPS URL of public keys (like +-// "https://github.com/foo.keys") +-type pubKeyCacheEntry struct { +- lines []string +- etag string // if sent by server +- at time.Time +-} +- +-const ( +- pubKeyCacheDuration = time.Minute // how long to cache non-empty public keys +- pubKeyCacheEmptyDuration = 15 * time.Second // how long to cache empty responses +-) +- +-func (srv *server) fetchPublicKeysURLCached(url string) (ce pubKeyCacheEntry, ok bool) { +- srv.mu.Lock() +- defer srv.mu.Unlock() +- // Mostly don't care about the size of this cache. Clean rarely. 
+- if m := srv.fetchPublicKeysCache; len(m) > 50 { +- tooOld := srv.now().Add(pubKeyCacheDuration * 10) +- for k, ce := range m { +- if ce.at.Before(tooOld) { +- delete(m, k) +- } +- } +- } +- ce, ok = srv.fetchPublicKeysCache[url] +- if !ok { +- return ce, false +- } +- maxAge := pubKeyCacheDuration +- if len(ce.lines) == 0 { +- maxAge = pubKeyCacheEmptyDuration +- } +- return ce, srv.now().Sub(ce.at) < maxAge +-} +- +-func (srv *server) pubKeyClient() *http.Client { +- if srv.pubKeyHTTPClient != nil { +- return srv.pubKeyHTTPClient +- } +- return http.DefaultClient +-} +- +-// fetchPublicKeysURL fetches the public keys from a URL. The strings are in the +-// the typical public key "type base64-string [comment]" format seen at e.g. +-// https://github.com/USER.keys +-func (srv *server) fetchPublicKeysURL(url string) ([]string, error) { +- if !strings.HasPrefix(url, "https://") { +- return nil, errors.New("invalid URL scheme") +- } +- +- ce, ok := srv.fetchPublicKeysURLCached(url) +- if ok { +- return ce.lines, nil +- } +- +- ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second) +- defer cancel() +- req, err := http.NewRequestWithContext(ctx, "GET", url, nil) +- if err != nil { +- return nil, err +- } +- if ce.etag != "" { +- req.Header.Add("If-None-Match", ce.etag) +- } +- res, err := srv.pubKeyClient().Do(req) +- if err != nil { +- return nil, err +- } +- defer res.Body.Close() +- var lines []string +- var etag string +- switch res.StatusCode { +- default: +- err = fmt.Errorf("unexpected status %v", res.Status) +- srv.logf("fetching public keys from %s: %v", url, err) +- case http.StatusNotModified: +- lines = ce.lines +- etag = ce.etag +- case http.StatusOK: +- var all []byte +- all, err = io.ReadAll(io.LimitReader(res.Body, 4<<10)) +- if s := strings.TrimSpace(string(all)); s != "" { +- lines = strings.Split(s, "\n") +- } +- etag = res.Header.Get("Etag") +- } +- +- srv.mu.Lock() +- defer srv.mu.Unlock() +- mak.Set(&srv.fetchPublicKeysCache, 
url, pubKeyCacheEntry{ +- at: srv.now(), +- lines: lines, +- etag: etag, +- }) +- return lines, err +-} +- + // handleSessionPostSSHAuth runs an SSH session after the SSH-level authentication, + // but not necessarily before all the Tailscale-level extra verification has + // completed. It also handles SFTP requests. +@@ -832,18 +668,6 @@ func (c *conn) expandDelegateURLLocked(actionURL string) string { + ).Replace(actionURL) + } + +-func (c *conn) expandPublicKeyURL(pubKeyURL string) string { +- if !strings.Contains(pubKeyURL, "$") { +- return pubKeyURL +- } +- loginName := c.info.uprof.LoginName +- localPart, _, _ := strings.Cut(loginName, "@") +- return strings.NewReplacer( +- "$LOGINNAME_EMAIL", loginName, +- "$LOGINNAME_LOCALPART", localPart, +- ).Replace(pubKeyURL) +-} +- + // sshSession is an accepted Tailscale SSH session. + type sshSession struct { + ssh.Session +@@ -894,7 +718,7 @@ func (c *conn) newSSHSession(s ssh.Session) *sshSession { + + // isStillValid reports whether the conn is still valid. 
+ func (c *conn) isStillValid() bool { +- a, localUser, _, err := c.evaluatePolicy(c.pubKey) ++ a, localUser, _, err := c.evaluatePolicy() + c.vlogf("stillValid: %+v %v %v", a, localUser, err) + if err != nil { + return false +@@ -1277,9 +1101,9 @@ func (c *conn) ruleExpired(r *tailcfg.SSHRule) bool { + return r.RuleExpires.Before(c.srv.now()) + } + +-func (c *conn) evalSSHPolicy(pol *tailcfg.SSHPolicy, pubKey gossh.PublicKey) (a *tailcfg.SSHAction, localUser string, acceptEnv []string, ok bool) { ++func (c *conn) evalSSHPolicy(pol *tailcfg.SSHPolicy) (a *tailcfg.SSHAction, localUser string, acceptEnv []string, ok bool) { + for _, r := range pol.Rules { +- if a, localUser, acceptEnv, err := c.matchRule(r, pubKey); err == nil { ++ if a, localUser, acceptEnv, err := c.matchRule(r); err == nil { + return a, localUser, acceptEnv, true + } + } +@@ -1296,7 +1120,7 @@ var ( + errInvalidConn = errors.New("invalid connection state") + ) + +-func (c *conn) matchRule(r *tailcfg.SSHRule, pubKey gossh.PublicKey) (a *tailcfg.SSHAction, localUser string, acceptEnv []string, err error) { ++func (c *conn) matchRule(r *tailcfg.SSHRule) (a *tailcfg.SSHAction, localUser string, acceptEnv []string, err error) { + defer func() { + c.vlogf("matchRule(%+v): %v", r, err) + }() +@@ -1326,9 +1150,7 @@ func (c *conn) matchRule(r *tailcfg.SSHRule, pubKey gossh.PublicKey) (a *tailcfg + return nil, "", nil, errUserMatch + } + } +- if ok, err := c.anyPrincipalMatches(r.Principals, pubKey); err != nil { +- return nil, "", nil, err +- } else if !ok { ++ if !c.anyPrincipalMatches(r.Principals) { + return nil, "", nil, errPrincipalMatch + } + return r.Action, localUser, r.AcceptEnv, nil +@@ -1345,30 +1167,20 @@ func mapLocalUser(ruleSSHUsers map[string]string, reqSSHUser string) (localUser + return v + } + +-func (c *conn) anyPrincipalMatches(ps []*tailcfg.SSHPrincipal, pubKey gossh.PublicKey) (bool, error) { ++func (c *conn) anyPrincipalMatches(ps []*tailcfg.SSHPrincipal) bool { + for _, p := range 
ps { + if p == nil { + continue + } +- if ok, err := c.principalMatches(p, pubKey); err != nil { +- return false, err +- } else if ok { +- return true, nil ++ if c.principalMatchesTailscaleIdentity(p) { ++ return true + } + } +- return false, nil +-} +- +-func (c *conn) principalMatches(p *tailcfg.SSHPrincipal, pubKey gossh.PublicKey) (bool, error) { +- if !c.principalMatchesTailscaleIdentity(p) { +- return false, nil +- } +- return c.principalMatchesPubKey(p, pubKey) ++ return false + } + + // principalMatchesTailscaleIdentity reports whether one of p's four fields + // that match the Tailscale identity match (Node, NodeIP, UserLogin, Any). +-// This function does not consider PubKeys. + func (c *conn) principalMatchesTailscaleIdentity(p *tailcfg.SSHPrincipal) bool { + ci := c.info + if p.Any { +@@ -1388,42 +1200,6 @@ func (c *conn) principalMatchesTailscaleIdentity(p *tailcfg.SSHPrincipal) bool { + return false + } + +-func (c *conn) principalMatchesPubKey(p *tailcfg.SSHPrincipal, clientPubKey gossh.PublicKey) (bool, error) { +- if len(p.PubKeys) == 0 { +- return true, nil +- } +- if clientPubKey == nil { +- return false, nil +- } +- knownKeys := p.PubKeys +- if len(knownKeys) == 1 && strings.HasPrefix(knownKeys[0], "https://") { +- var err error +- knownKeys, err = c.srv.fetchPublicKeysURL(c.expandPublicKeyURL(knownKeys[0])) +- if err != nil { +- return false, err +- } +- } +- for _, knownKey := range knownKeys { +- if pubKeyMatchesAuthorizedKey(clientPubKey, knownKey) { +- return true, nil +- } +- } +- return false, nil +-} +- +-func pubKeyMatchesAuthorizedKey(pubKey ssh.PublicKey, wantKey string) bool { +- wantKeyType, rest, ok := strings.Cut(wantKey, " ") +- if !ok { +- return false +- } +- if pubKey.Type() != wantKeyType { +- return false +- } +- wantKeyB64, _, _ := strings.Cut(rest, " ") +- wantKeyData, _ := base64.StdEncoding.DecodeString(wantKeyB64) +- return len(wantKeyData) > 0 && bytes.Equal(pubKey.Marshal(), wantKeyData) +-} +- + func randBytes(n int) 
[]byte { + b := make([]byte, n) + if _, err := rand.Read(b); err != nil { +@@ -1749,7 +1525,6 @@ func envEq(a, b string) bool { + var ( + metricActiveSessions = clientmetric.NewGauge("ssh_active_sessions") + metricIncomingConnections = clientmetric.NewCounter("ssh_incoming_connections") +- metricPublicKeyAccepts = clientmetric.NewCounter("ssh_publickey_accepts") // accepted subset of ssh_publickey_connections + metricTerminalAccept = clientmetric.NewCounter("ssh_terminalaction_accept") + metricTerminalReject = clientmetric.NewCounter("ssh_terminalaction_reject") + metricTerminalMalformed = clientmetric.NewCounter("ssh_terminalaction_malformed") +diff --git a/ssh/tailssh/tailssh_test.go b/ssh/tailssh/tailssh_test.go +index ad9cb1e57b53d..9f3616d8ca8ab 100644 +--- a/ssh/tailssh/tailssh_test.go ++++ b/ssh/tailssh/tailssh_test.go +@@ -10,7 +10,6 @@ import ( + "context" + "crypto/ed25519" + "crypto/rand" +- "crypto/sha256" + "encoding/json" + "errors" + "fmt" +@@ -229,7 +228,7 @@ func TestMatchRule(t *testing.T) { + info: tt.ci, + srv: &server{logf: t.Logf}, + } +- got, gotUser, gotAcceptEnv, err := c.matchRule(tt.rule, nil) ++ got, gotUser, gotAcceptEnv, err := c.matchRule(tt.rule) + if err != tt.wantErr { + t.Errorf("err = %v; want %v", err, tt.wantErr) + } +@@ -348,7 +347,7 @@ func TestEvalSSHPolicy(t *testing.T) { + info: tt.ci, + srv: &server{logf: t.Logf}, + } +- got, gotUser, gotAcceptEnv, match := c.evalSSHPolicy(tt.policy, nil) ++ got, gotUser, gotAcceptEnv, match := c.evalSSHPolicy(tt.policy) + if match != tt.wantMatch { + t.Errorf("match = %v; want %v", match, tt.wantMatch) + } +@@ -1129,89 +1128,6 @@ func parseEnv(out []byte) map[string]string { + return e + } + +-func TestPublicKeyFetching(t *testing.T) { +- var reqsTotal, reqsIfNoneMatchHit, reqsIfNoneMatchMiss int32 +- ts := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { +- atomic.AddInt32((&reqsTotal), 1) +- etag := fmt.Sprintf("W/%q", 
sha256.Sum256([]byte(r.URL.Path))) +- w.Header().Set("Etag", etag) +- if v := r.Header.Get("If-None-Match"); v != "" { +- if v == etag { +- atomic.AddInt32(&reqsIfNoneMatchHit, 1) +- w.WriteHeader(304) +- return +- } +- atomic.AddInt32(&reqsIfNoneMatchMiss, 1) +- } +- io.WriteString(w, "foo\nbar\n"+string(r.URL.Path)+"\n") +- })) +- ts.StartTLS() +- defer ts.Close() +- keys := ts.URL +- +- clock := &tstest.Clock{} +- srv := &server{ +- pubKeyHTTPClient: ts.Client(), +- timeNow: clock.Now, +- } +- for range 2 { +- got, err := srv.fetchPublicKeysURL(keys + "/alice.keys") +- if err != nil { +- t.Fatal(err) +- } +- if want := []string{"foo", "bar", "/alice.keys"}; !reflect.DeepEqual(got, want) { +- t.Errorf("got %q; want %q", got, want) +- } +- } +- if got, want := atomic.LoadInt32(&reqsTotal), int32(1); got != want { +- t.Errorf("got %d requests; want %d", got, want) +- } +- if got, want := atomic.LoadInt32(&reqsIfNoneMatchHit), int32(0); got != want { +- t.Errorf("got %d etag hits; want %d", got, want) +- } +- clock.Advance(5 * time.Minute) +- got, err := srv.fetchPublicKeysURL(keys + "/alice.keys") +- if err != nil { +- t.Fatal(err) +- } +- if want := []string{"foo", "bar", "/alice.keys"}; !reflect.DeepEqual(got, want) { +- t.Errorf("got %q; want %q", got, want) +- } +- if got, want := atomic.LoadInt32(&reqsTotal), int32(2); got != want { +- t.Errorf("got %d requests; want %d", got, want) +- } +- if got, want := atomic.LoadInt32(&reqsIfNoneMatchHit), int32(1); got != want { +- t.Errorf("got %d etag hits; want %d", got, want) +- } +- if got, want := atomic.LoadInt32(&reqsIfNoneMatchMiss), int32(0); got != want { +- t.Errorf("got %d etag misses; want %d", got, want) +- } +- +-} +- +-func TestExpandPublicKeyURL(t *testing.T) { +- c := &conn{ +- info: &sshConnInfo{ +- uprof: tailcfg.UserProfile{ +- LoginName: "bar@baz.tld", +- }, +- }, +- } +- if got, want := c.expandPublicKeyURL("foo"), "foo"; got != want { +- t.Errorf("basic: got %q; want %q", got, want) +- } +- if 
got, want := c.expandPublicKeyURL("https://example.com/$LOGINNAME_LOCALPART.keys"), "https://example.com/bar.keys"; got != want { +- t.Errorf("localpart: got %q; want %q", got, want) +- } +- if got, want := c.expandPublicKeyURL("https://example.com/keys?email=$LOGINNAME_EMAIL"), "https://example.com/keys?email=bar@baz.tld"; got != want { +- t.Errorf("email: got %q; want %q", got, want) +- } +- c.info = new(sshConnInfo) +- if got, want := c.expandPublicKeyURL("https://example.com/keys?email=$LOGINNAME_EMAIL"), "https://example.com/keys?email="; got != want { +- t.Errorf("on empty: got %q; want %q", got, want) +- } +-} +- + func TestAcceptEnvPair(t *testing.T) { + tests := []struct { + in string +diff --git a/tailcfg/tailcfg.go b/tailcfg/tailcfg.go +index 897e8d27f7f7b..be6c4f0be6b82 100644 +--- a/tailcfg/tailcfg.go ++++ b/tailcfg/tailcfg.go +@@ -152,7 +152,8 @@ type CapabilityVersion int + // - 107: 2024-10-30: add App Connector to conffile (PR #13942) + // - 108: 2024-11-08: Client sends ServicesHash in Hostinfo, understands c2n GET /vip-services. + // - 109: 2024-11-18: Client supports filtertype.Match.SrcCaps (issue #12542) +-const CurrentCapabilityVersion CapabilityVersion = 109 ++// - 110: 2024-12-12: removed never-before-used Tailscale SSH public key support (#14373) ++const CurrentCapabilityVersion CapabilityVersion = 110 + + type StableID string + +@@ -2525,16 +2526,13 @@ type SSHPrincipal struct { + Any bool `json:"any,omitempty"` // if true, match any connection + // TODO(bradfitz): add StableUserID, once that exists + +- // PubKeys, if non-empty, means that this SSHPrincipal only +- // matches if one of these public keys is presented by the user. ++ // UnusedPubKeys was public key support. It never became an official product ++ // feature and so as of 2024-12-12 is being removed. ++ // This stub exists to remind us not to re-use the JSON field name "pubKeys" ++ // in the future if we bring it back with different semantics. 
+ // +- // As a special case, if len(PubKeys) == 1 and PubKeys[0] starts +- // with "https://", then it's fetched (like https://github.com/username.keys). +- // In that case, the following variable expansions are also supported +- // in the URL: +- // * $LOGINNAME_EMAIL ("foo@bar.com" or "foo@github") +- // * $LOGINNAME_LOCALPART (the "foo" from either of the above) +- PubKeys []string `json:"pubKeys,omitempty"` ++ // Deprecated: do not use. It does nothing. ++ UnusedPubKeys []string `json:"pubKeys,omitempty"` + } + + // SSHAction is how to handle an incoming connection. +diff --git a/tailcfg/tailcfg_clone.go b/tailcfg/tailcfg_clone.go +index f4f02c01721dc..bf9bac2980df9 100644 +--- a/tailcfg/tailcfg_clone.go ++++ b/tailcfg/tailcfg_clone.go +@@ -556,17 +556,17 @@ func (src *SSHPrincipal) Clone() *SSHPrincipal { + } + dst := new(SSHPrincipal) + *dst = *src +- dst.PubKeys = append(src.PubKeys[:0:0], src.PubKeys...) ++ dst.UnusedPubKeys = append(src.UnusedPubKeys[:0:0], src.UnusedPubKeys...) + return dst + } + + // A compilation failure here means this code must be regenerated, with the command at the top of this file. + var _SSHPrincipalCloneNeedsRegeneration = SSHPrincipal(struct { +- Node StableNodeID +- NodeIP string +- UserLogin string +- Any bool +- PubKeys []string ++ Node StableNodeID ++ NodeIP string ++ UserLogin string ++ Any bool ++ UnusedPubKeys []string + }{}) + + // Clone makes a deep copy of ControlDialPlan. 
+diff --git a/tailcfg/tailcfg_view.go b/tailcfg/tailcfg_view.go +index f275a6a9da5f2..6c21e5f450340 100644 +--- a/tailcfg/tailcfg_view.go ++++ b/tailcfg/tailcfg_view.go +@@ -1260,19 +1260,21 @@ func (v *SSHPrincipalView) UnmarshalJSON(b []byte) error { + return nil + } + +-func (v SSHPrincipalView) Node() StableNodeID { return v.ж.Node } +-func (v SSHPrincipalView) NodeIP() string { return v.ж.NodeIP } +-func (v SSHPrincipalView) UserLogin() string { return v.ж.UserLogin } +-func (v SSHPrincipalView) Any() bool { return v.ж.Any } +-func (v SSHPrincipalView) PubKeys() views.Slice[string] { return views.SliceOf(v.ж.PubKeys) } ++func (v SSHPrincipalView) Node() StableNodeID { return v.ж.Node } ++func (v SSHPrincipalView) NodeIP() string { return v.ж.NodeIP } ++func (v SSHPrincipalView) UserLogin() string { return v.ж.UserLogin } ++func (v SSHPrincipalView) Any() bool { return v.ж.Any } ++func (v SSHPrincipalView) UnusedPubKeys() views.Slice[string] { ++ return views.SliceOf(v.ж.UnusedPubKeys) ++} + + // A compilation failure here means this code must be regenerated, with the command at the top of this file. + var _SSHPrincipalViewNeedsRegeneration = SSHPrincipal(struct { +- Node StableNodeID +- NodeIP string +- UserLogin string +- Any bool +- PubKeys []string ++ Node StableNodeID ++ NodeIP string ++ UserLogin string ++ Any bool ++ UnusedPubKeys []string + }{}) + + // View returns a readonly view of ControlDialPlan. diff --git a/fix-CVE-2025-22869.patch b/fix-CVE-2025-22869.patch new file mode 100644 index 0000000..001df0a --- /dev/null +++ b/fix-CVE-2025-22869.patch 
@@ -0,0 +1,80 @@
+diff -rub tailscale-1.82.0/go.mod tailscale-1.82.0-patched/go.mod
+--- tailscale-1.82.0/go.mod 2025-03-26 20:26:55.000000000 +0100
++++ tailscale-1.82.0-patched/go.mod 2025-03-26 22:23:51.011357984 +0100
+@@ -94,14 +94,14 @@
+ go.uber.org/zap v1.27.0
+ go4.org/mem v0.0.0-20240501181205-ae6ca9944745
+ go4.org/netipx v0.0.0-20231129151722-fdeea329fbba
+- golang.org/x/crypto v0.35.0
++ golang.org/x/crypto v0.36.0
+ golang.org/x/exp v0.0.0-20250210185358-939b2ce775ac
+ golang.org/x/mod v0.23.0
+ golang.org/x/net v0.36.0
+ golang.org/x/oauth2 v0.26.0
+- golang.org/x/sync v0.11.0
+- golang.org/x/sys v0.30.0
+- golang.org/x/term v0.29.0
++ golang.org/x/sync v0.12.0
++ golang.org/x/sys v0.31.0
++ golang.org/x/term v0.30.0
+ golang.org/x/time v0.10.0
+ golang.org/x/tools v0.30.0
+ golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2
+@@ -382,7 +382,7 @@
+ go.uber.org/multierr v1.11.0 // indirect
+ golang.org/x/exp/typeparams v0.0.0-20240314144324-c7f7c6466f7f // indirect
+ golang.org/x/image v0.24.0 // indirect
+- golang.org/x/text v0.22.0 // indirect
++ golang.org/x/text v0.23.0 // indirect
+ gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
+ google.golang.org/protobuf v1.35.1 // indirect
+ gopkg.in/inf.v0 v0.9.1 // indirect
+diff -rub tailscale-1.82.0/go.sum tailscale-1.82.0-patched/go.sum
+--- tailscale-1.82.0/go.sum 2025-03-26 20:26:55.000000000 +0100
++++ tailscale-1.82.0-patched/go.sum 2025-03-26 22:24:39.260395929 +0100
+@@ -1047,6 +1047,8 @@
+ golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
+ golang.org/x/crypto v0.35.0 h1:b15kiHdrGCHrP6LvwaQ3c03kgNhhiMgvlhxHQhmg2Xs=
+ golang.org/x/crypto v0.35.0/go.mod h1:dy7dXNW32cAb/6/PRuTNsix8T+vJAqvuIy5Bli/x0YQ=
++golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
++golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
+ golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+ golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+ golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
+@@ -1160,6 +1162,8 @@
+ golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+ golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w=
+ golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
++golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
++golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+ golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+ golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+ golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+@@ -1220,6 +1224,8 @@
+ golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+ golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
+ golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
++golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
++golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+ golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+ golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+ golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+@@ -1228,6 +1234,8 @@
+ golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+ golang.org/x/term v0.29.0 h1:L6pJp37ocefwRRtYPKSWOWzOtWSxVajvz2ldH/xi3iU=
+ golang.org/x/term v0.29.0/go.mod h1:6bl4lRlvVuDgSf3179VpIxBF0o10JUpXWOnI7nErv7s=
++golang.org/x/term v0.30.0 h1:PQ39fJZ+mfadBm0y5WlL4vlM7Sx1Hgf13sMIY2+QS9Y=
++golang.org/x/term v0.30.0/go.mod h1:NYYFdzHoI5wRh/h5tDMdMqCqPJZEuNqVR5xJLd/n67g=
+ golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+ golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+ golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+@@ -1240,6 +1248,8 @@
+ golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+ golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=
+ golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
++golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
++golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
+ golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+ golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+ golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+Only in tailscale-1.82.0-patched: vendor
diff --git a/tailscale-1.70.0.tar.gz b/tailscale-1.70.0.tar.gz
new file mode 100644
index 0000000..66e7c90
--- /dev/null
+++ b/tailscale-1.70.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:294d6df3f4585152bd612eed9b34a6c2062589c8989f86ee25e750c37164fcd5
+size 55014834
diff --git a/tailscale-1.72.1.tar.gz b/tailscale-1.72.1.tar.gz
new file mode 100644
index 0000000..ea2e024
--- /dev/null
+++ b/tailscale-1.72.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:03e15ea076362eda1a44712351ba2a19bf746970fee8ddc4013513a07337cbe0
+size 11331158
diff --git a/tailscale-1.74.0.tar.gz b/tailscale-1.74.0.tar.gz
new file mode 100644
index 0000000..7923deb
--- /dev/null
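Review bot: The go.mod/go.sum bump in this hunk only takes effect if the module tree the package actually compiles against is refreshed as well, and the trailing `Only in tailscale-1.82.0-patched: vendor` line shows the patched tree carried a vendor directory that this patch does not cover. If the build runs with -mod=vendor against the shipped vendor.tar.gz (not visible from this hunk), a stale vendor/modules.txt will either fail with an inconsistent-vendoring error or keep linking the unfixed golang.org/x/crypto v0.35.0 code, so the CVE-2025-22869 fix would not reach the binary. The `Only in …` line is diff -r output rather than patch content and should be dropped so patch tools do not trip over it. I would add a one-line header to the patch stating that vendor.tar.gz was regenerated against golang.org/x/crypto v0.36.0, e.g. `# vendor.tar.gz regenerated to match the bumped go.mod; CVE-2025-22869 (x/crypto/ssh)`.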
+++ b/tailscale-1.74.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:65adec42c6b6c42a107d63b5c9eb2c10ae0e87f4d701aa5e35c4e31a81bcd381
+size 11323679
diff --git a/tailscale-1.74.1.tar.gz b/tailscale-1.74.1.tar.gz
new file mode 100644
index 0000000..8fc3351
--- /dev/null
+++ b/tailscale-1.74.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7357c9fe3b0dabbb35847d8181f8500007299ec93586c23cd1c50af4183ccd19
+size 11462868
diff --git a/tailscale-1.76.1.tar.gz b/tailscale-1.76.1.tar.gz
new file mode 100644
index 0000000..1b472c5
--- /dev/null
+++ b/tailscale-1.76.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:87ebf950ec15274f6e7105acfe3d5565ea39bfc7cdd9762248df26da9874d9fc
+size 11842133
diff --git a/tailscale-1.76.3.tar.gz b/tailscale-1.76.3.tar.gz
new file mode 100644
index 0000000..2352b3a
--- /dev/null
+++ b/tailscale-1.76.3.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:dab7ef3240df51e7b51238d4239822ac8dec8106282acf1f07208bd699da99b7
+size 12050220
diff --git a/tailscale-1.76.6.tar.gz b/tailscale-1.76.6.tar.gz
new file mode 100644
index 0000000..b019ce8
--- /dev/null
+++ b/tailscale-1.76.6.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:627769855263d35d26e3b855efdf79167d42f08a3087f5a678b7aa5298e30a72
+size 12438906
diff --git a/tailscale-1.78.1.tar.gz b/tailscale-1.78.1.tar.gz
new file mode 100644
index 0000000..b417f1f
--- /dev/null
+++ b/tailscale-1.78.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a035f99f9bdc8c0a3de278a538c1e8df1e886d8f2bfe0bd4567a3c2850e31d48
+size 11935577
diff --git a/tailscale-1.78.3.tar.gz b/tailscale-1.78.3.tar.gz
new file mode 100644
index 0000000..74d8c18
--- /dev/null
+++ b/tailscale-1.78.3.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1b10020e1b94fce5556f7ef67e5bd529fd1a209dcb7694bf13c1edafbce097cd
+size 12121603
diff --git a/tailscale-1.80.0.tar.gz b/tailscale-1.80.0.tar.gz
new file mode 100644
index 0000000..6d803bb
--- /dev/null
+++ b/tailscale-1.80.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3c7a09a5a96c0c21f70aa4e1a1a934c8d5b1ef3db80e8aab98d53ee664585277
+size 12573438
diff --git a/tailscale-1.80.1.tar.gz b/tailscale-1.80.1.tar.gz
new file mode 100644
index 0000000..c2e8626
--- /dev/null
+++ b/tailscale-1.80.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:41d9c077b27685e7ded4bb59d443921a72aa3efdfeff313ad78f361cc8b0a794
+size 13209056
diff --git a/tailscale-1.80.2.tar.gz b/tailscale-1.80.2.tar.gz
new file mode 100644
index 0000000..f9501a9
--- /dev/null
+++ b/tailscale-1.80.2.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:46af9a3dcb6d7a82af189f6c4d45fce5a98aaab64d7877dcbe8dc9202ab892ae
+size 13465507
diff --git a/tailscale-1.80.3.tar.gz b/tailscale-1.80.3.tar.gz
new file mode 100644
index 0000000..3f01878
--- /dev/null
+++ b/tailscale-1.80.3.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8cfab48a1a40bc27445bc1aea0daedc7c1147a1ee61fe3abbf32c1eb8acaca33
+size 13706235
diff --git a/tailscale-1.82.0.tar.gz b/tailscale-1.82.0.tar.gz
new file mode 100644
index 0000000..de88954
--- /dev/null
+++ b/tailscale-1.82.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:47b58b296b0ff02b4368fbb0040d3b46fa42643389ea3a0171c3ad1850b4b52d
+size 13176999
diff --git a/tailscale-1.82.5.tar.gz b/tailscale-1.82.5.tar.gz
new file mode 100644
index 0000000..f986dd6
--- /dev/null
+++ b/tailscale-1.82.5.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1114843fb881e27ab377e2f3420f50b76c12783dc1daa7fcf7bb8b76416e3370
+size 67640448
diff --git a/tailscale-1.84.0.tar.gz b/tailscale-1.84.0.tar.gz
new file mode 100644
index 0000000..547e2ef
--- /dev/null
+++ b/tailscale-1.84.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:631530456a8795233447b0e42de4384fc47864cd57006983a388a2c37858a5d8
+size 68903813
diff --git a/tailscale.changes b/tailscale.changes
new file mode 100644
index 0000000..32e9e54
--- /dev/null
+++ b/tailscale.changes
@@ -0,0 +1,513 @@ +------------------------------------------------------------------- +Thu May 22 08:27:09 UTC 2025 - Richard Rahl + +- update to 1.84.0: + * The --reason flag is added to the tailscale down command + * ReconnectAfter policy setting, which configures the maximum period of time + between a user disconnecting Tailscale and the client automatically + reconnecting + * Tailscale CLI commands throw an error if multiple of the same flag are detected + * Network connectivity issues when creating a new profile or switching + profiles while using an exit node + * DNS-over-TCP fallback works correctly with upstream servers reachable only + via the tailnet +- remove fix-CVE-2025-22869.patch, as upstream updated their dependencies + +------------------------------------------------------------------- +Fri Apr 18 07:37:15 UTC 2025 - Richard Rahl + +- update to 1.82.5: + * A panic issue related to CUBIC congestion control in userspace mode is resolved. + +------------------------------------------------------------------- +Thu Mar 27 19:50:58 UTC 2025 - Richard Rahl + +- update to 1.82.0: + * DERP functionality within the client supports certificate pinning for + self-signed IP address certificates for those unable to use Let's Encrypt + or WebPKI certificates. + * Go is updated to version 1.24.1 + * NAT traversal code uses the DERP connection that a packet arrived on as an + ultimate fallback route if no other information is available + * Captive portal detection reliability is improved on some in-flight Wi-Fi networks + * Port mapping success rate is improved + * Helsinki is added as a DERP region. 
+ +------------------------------------------------------------------- +Wed Mar 12 09:07:49 UTC 2025 - Richard Rahl + +- add patch fix-CVE-2025-22869.patch, fixes bsc#1239353 + +------------------------------------------------------------------- +Tue Mar 4 13:42:34 UTC 2025 - Richard Rahl + +- update to 1.80.3: + * appc: fix a deadlock in route advertisements + * client/web: fix CSRF handler order in web UI + +------------------------------------------------------------------- +Thu Feb 13 14:30:28 UTC 2025 - Richard Rahl + +- update to 1.80.2: + * Use ip:country as a geolocation device posture attribute (generally available). + +------------------------------------------------------------------- +Thu Feb 6 19:52:22 UTC 2025 - Richard Rahl + +- update to 1.80.1: + * net/netmon: add extra panic guard around ParseRIB + +------------------------------------------------------------------- +Fri Jan 31 17:20:29 UTC 2025 - Richard Rahl + +- update to 1.80.0: + * Hostname system policy is added for overriding the device hostname + configured by the operating system, using an MDM solution. + * Web interface displays a Login button instead of the Reauthenticate button + when adding a new device to your tailnet. + * Tailscale Funnel configuration on devices displays errors when incoming + connections are not permitted and connections are disallowed. + * Connections to a custom coordination server that does not support HTTPS + will no longer fail when a custom port number is specified. + * TLS certificate requests from Let’s Encrypt include the device's DNS name + in the CSR’s SAN extension and set the Common Name field. + * Tailscale Funnel disabled on a device no longer displays enabled in the + admin console. 
+ * GitHub username change automatically updates tailnet name + * 4via6 subnet routers GA + * Auto approvers GA + * Node attributes GA + * Download invoices GA + * Fast user switching GA + * Configuration log streaming integration with S3 buckets GA + * Network flow log streaming integration with S3 buckets GA + * NextDNS profiles per device GA + * GitHub secret scanning +- remove fix-CVE-2024-45337.patch, as it's now included + +------------------------------------------------------------------- +Wed Dec 18 17:33:23 UTC 2024 - Richard Rahl + +- add patch fix-CVE-2024-45337.patch, to circumevent a possibility + of exploiting the golang-x-crypto security hole. (fix #1234506) + +------------------------------------------------------------------- +Fri Dec 13 05:06:26 UTC 2024 - Richard Rahl + +- update to 1.78.3: + * cmd/containerboot: fix nil pointer exception + * hostinfo: fix testing in container + +------------------------------------------------------------------- +Fri Dec 6 01:22:05 UTC 2024 - Richard Rahl + +- update to 1.78.1: + * health: fix TestHealthMetric + +------------------------------------------------------------------- +Thu Dec 5 22:10:32 UTC 2024 - Richard Rahl + +- update to 1.78.0: + * Client metrics have been added, to provide insights into Tailscale client + behavior, health, and performance. + * tailscale metrics command has been added, to expose and collect client + metrics for use with third-party monitoring systems. + * tailscale syspolicy command has been added, to list system policies, reload + system policies, or view errors related to the system policies configured + on the device. + * Tailscale system policies are applied immediately when pushed via mobile + device management (MDM) or Group Policy, without requiring a client restart. + * Tailscale SSH session recording detects the disappearance of the recorder + node sooner. This fix addresses a security vulnerability described + in TS-2024-013. 
+ * New scopes for OAuth clients have been added with more granular permissions. + Existing OAuth clients using the previous set of scopes, and keys generated + using these clients, are still valid. + +------------------------------------------------------------------- +Fri Nov 8 03:46:50 UTC 2024 - Richard Rahl + +- update to 1.76.6: + * Logging for when clients move home DERP regions is improved. + * Tailscale clients no longer move their home DERP server prematurely in + response to unusual latency at very specific times. + +------------------------------------------------------------------- +Tue Oct 22 18:34:42 UTC 2024 - Richard Rahl + +- update to 1.76.3: + * no relevant changelog +- update to 1.76.2: + * no relevant changelog +- switch over to the new %{default_fw_backend} macro +- create old init file only for < leap 16 + +------------------------------------------------------------------- +Wed Oct 16 20:40:31 UTC 2024 - Richard Rahl + +- update to 1.76.1: + * tailscale netcheck CLI command no longer crashes when performing diagnostics + on networks lacking UDP connectivity. + * Improperly formatted SERVFAIL responses no longer cause DNS timeouts when using an exit node. + * dbus login sessions no longer fail on systems where /bin/login is missing. + +------------------------------------------------------------------- +Mon Oct 14 13:06:13 UTC 2024 - Alexandre Vicenzi + +- Require a firewall backend (boo#1228829) +- Add simple test check to ensure binaries are working + +------------------------------------------------------------------- +Fri Oct 11 06:07:28 UTC 2024 - Richard Rahl + +- update to 1.76.0: + * Clients lacking UDP connectivity no longer skip performing fallback latency + measurements with DERP servers. + * Warnings no longer display unnecessarily. + * Tailscale connectivity on in-flight internet on airplanes (such as Alaska Airlines) no longer fails. 
+ * Service-related processes no longer run unnecessarily when services are disabled on the tailnet. + * Error messages include explanations in addition to the HTTP status code. + * Tailscale SSH supports sending environment variables to hosts. It's also possible to specify + permitted environment variables using the acceptEnv field. + * Tailscale SSH no longer breaks some terminal applications by omitting pixel width and height when + resizing the application window. + +------------------------------------------------------------------- +Sat Sep 21 05:28:42 UTC 2024 - Eric Torres + +- Change path of zsh completion file to make zsh properly recognize completions + * /usr/share/zsh/site-functions/tailscale moved to /usr/share/zsh/site-functions/_tailscale + +------------------------------------------------------------------- +Wed Sep 18 19:10:19 UTC 2024 - Richard Rahl + +- update to 1.74.1: + * wgengine/magicsock: disable raw disco by default; add envknob to enable + +------------------------------------------------------------------- +Fri Sep 13 10:48:17 UTC 2024 - Richard Rahl + +- update to 1.74.0 + * AuthKey system policy can be used to authenticate a device with Tailscale using an MDM solution. + * tailscale dns CLI command is added for accessing Tailscale DNS settings and status. + * Tailnet Lock long rotation signatures are truncated automatically to avoid excessive growth. + * Log In option in the client works as expected. + * TCP generic receive offload (GRO) support is added for improved userspace mode throughput. + * TCP generic segmentation offload (GSO) is re-introduced for supporting improved userspace mode throughput. + This was initially introduced in Tailscale v1.72.0 and then rolled back in v1.72.1. + * Device posture integration with CrowdStrike Falcon can now use MAC addresses to match devices that lack serial numbers. + When Falcon integration is configured, Device Identity Collection will automatically collect MAC addresses. 
+ +------------------------------------------------------------------- +Thu Aug 22 22:08:51 UTC 2024 - Richard Rahl + +- update to 1.72.1: + * DNS over TCP failures when querying the Tailscale-internal resolver are fixed. + +------------------------------------------------------------------- +Wed Aug 21 16:05:02 UTC 2024 - rrahl0@opensuse.org + +- Update to version 1.72.0: + * posture: deduplicate MAC addresses before returning them + * health/dns: reduce severity of DNS unavailable warning + * safeweb: add Server.Close method + * go.mod.sri: update SRI hash for go.mod changes + * go.{mod,sum}: migrate from nhooyr.io/websocket to github.com/coder/websocket + * cmd/viewer: add support for map-like container types +- update golang(API) to 1.23 +- export version variables, to circumvent a bug + +------------------------------------------------------------------- +Thu Jul 18 06:31:58 UTC 2024 - Richard Rahl + +- update to 1.70.0: + * New: Restrict recommended and automatically selected exit nodes using the + new AllowedSuggestedExitNodes system policy. Applies only to platforms that + support system policies. + * Changed: Improved NAT traversal for some uncommon scenarios. + * Changed: Optimized sending firewall rules to clients more efficiently. + * Fixed: Exit node suggestion CLI command now prints the hostname. + * Fixed: Taildrive share paths configured through the CLI resolve relative + to where you run the tailscale command. + +------------------------------------------------------------------- +Tue Jul 2 20:35:35 UTC 2024 - Richard Rahl + +- update to 1.68.2: + * Fixed: Tailnet lock validation of rotation signatures now permits multiple nodes + signed by the same pre-signed reusable auth key. + +------------------------------------------------------------------- +Sun Jun 16 13:30:20 UTC 2024 - Richard Rahl + +- update to 1.68.1: + * Fixed: 4via6 subnet router advertisement works as expected. 
+ * Fixed: Tailscale SSH access to Security-Enhanced Linux (SELinux) machines works as expected.
+- update to 1.68.0:
+ * New: Auto-updates are allowed in containers, but ignore the tailnet-wide default
+ * New: Apply auto-updates even if the node is down or disconnected from the coordination server.
+ * New: tailscale lock status now prints the node's signature.
+
+-------------------------------------------------------------------
+Wed May 22 08:36:37 UTC 2024 - Richard Rahl
+
+- update to 1.66.4:
+ * Fixed: Restored UDP connectivity through Mullvad exit nodes
+ * Stateful filtering is now off by default
+
+- update to 1.66.3:
+ * Login URLs did not always appear in the console when running tailscale up
+ * Starting with v1.66, the Kubernetes operator must always run the same or later version
+ as the proxies it manages.
+ * Expose cloud services on cluster network to the tailnet, using Kubernetes ExternalName Services
+ * Expose tailnet services that use Tailscale HTTPS to cluster workloads
+ * Cluster workloads can now refer to Tailscale Ingress resources by their MagicDNS names
+ * Configure environment variables for Tailscale Kubernetes operator proxies using ProxyClass CRD
+ * Expose tailscaled metrics endpoint for Tailscale Kubernetes operator proxies through ProxyClass CRD
+ * Configure labels for the Kubernetes operator Pods with Helm chart values
+ * Configure affinity rules for Kubernetes operator proxy Pods with ProxyClass
+ * Kubernetes operator proxy init container no longer attempts to enable IPv6 forwarding on systems
+ that don't have IPv6 module loaded
+ * Tailscale containers running on Kubernetes no longer error if an empty Kubernetes Secret is
+ pre-created for the tailscaled state
+ * Improved the ambiguous error messages when Tailscale running on Kubernetes does not have the right
+ permissions to perform actions against the tailscaled state Secret
+
+-------------------------------------------------------------------
+Fri May 10 15:16:33 UTC 2024 - Richard Rahl
+
+- update to 1.66.1:
+ * Resolved issues with nftables rules for stateful filtering,
+ introduced in v1.66.0.
+ * tailscale set command flags --netfilter-mode, --snat-subnet-routes,
+ and --stateful-filtering are added.
+
+- update to 1.66.0:
+ * Implemented client-side quarantining for shared-in exit nodes,
+ as a mitigation for a security vulnerability described in TS-2024-005.
+ * Use the --stateful-filtering flag for the tailscale up to enable stateful filtering for
+ subnet routers and exit nodes, as a mitigation for a security vulnerability described
+ in TS-2024-005.
+ * Added tab completions
+ * Use the tailscale exit-node suggest command to automatically pick an available exit node
+ that is likely to perform best.
+ * Site-to-site networking now also requires --stateful-filtering=false in addition to
+ --snat-subnet-routes=false on new subnet routers. Existing subnet routers with --snat-subnet-routes=false
+ will default to --stateful-filtering=false.
+
+- update to 1.64.2:
+ * nothing relevant for linux
+
+- update to 1.64.1:
+ * nothing relevant for linux
+
+- update to 1.64.0:
+ * New: tailscale configure kubeconfig now respects KUBECONFIG environment variable.
+ * Fixed: tailscale configure kubeconfig now works with partially empty kubeconfig.
+ * Fixed: MSS clamping for Kubernetes operator proxies using nftables.
+ * Fixed: Containers on hosts with partial support for ip6tables no longer crash.
+
+- turn of changelog generation
+- add completions for bash
+
+-------------------------------------------------------------------
+Sat Mar 30 08:28:56 UTC 2024 - Richard Rahl
+
+- update to 1.62.1:
+ * Send load balancing hint HTTP request header
+ * Fixed: Kubernetes operator proxies should not accept subnet routes
+
+-------------------------------------------------------------------
+Thu Mar 14 03:13:54 UTC 2024 - rrahl0@proton.me
+
+- update to 1.62.0:
+ * IPv6 support detection in a container environment is improved
+ * New: Web interface now uses ACL grants to manage access on tagged devices
+ * Tailscale SSH connections now disable unnecessary hostname canonicalization
+ * tailscale bugreport command for generating diagnostic logs now contain ethtool information
+ * Mullvad's family-friendly server is added to the list of well known DNS over HTTPS (DoH) servers
+ * DNS over HTTP requests now contain a timeout
+ * TCP forwarding attempts in userspace mode now have a per-client limit
+ * Endpoints with link-local IPv6 addresses is preferred over private addresses
+ * WireGuard logs are less verbose
+ * Go min. version 1.22.1
+ * DERP server region no longer changes if connectivity to the new DERP region is degraded
+
+- update to 1.60.1:
+ * Exposing port 8080 to other devices on your tailnet works as expected
+
+-------------------------------------------------------------------
+Tue Feb 20 22:10:41 UTC 2024 - Alexandre Vicenzi
+
+- Add disable-auto-update.patch to prevent auto updates and instead
+ ask users to use Zypper to update manually
+
+-------------------------------------------------------------------
+Tue Feb 20 14:52:46 UTC 2024 - Richard Rahl
+
+- change to the non deprecated manualrun
+
+-------------------------------------------------------------------
+Fri Feb 16 14:38:14 UTC 2024 - alexandre.vicenzi@suse.com
+
+- Spec cleanup
+ * Use tar_scm to avoid commit hashes in the spec
+ * Use tailscale build scripts
+ * Drop ProtectClock fix for Leap, DeviceAllow fixes it
+- Add build-verbose.patch to get go flags into build log
+- Enable PrivateDevices but allow access to /dev/net/tun in tailscaled.service
+
+-------------------------------------------------------------------
+Fri Feb 16 00:50:26 UTC 2024 - Richard Rahl
+
+- update to 1.60.0:
+ * minimum go version 1.22
+ * authentication: present users with a valid login page when
+ attempting to login even after leaving device unattended for several days
+ * networking: mute noisy peer mtu discovery errors
+ * networking: expose gVisor metrics in debug mode
+ * port mapper: support legacy "urn:dslforum-org" port mapping services
+ * port mapper: fix crash when no support mapping services found
+ * ssh: log warning when unable to find SSH host keys
+ * serve: improve error message when running as non-root
+ * Detect when Tailscale is running on Digital Ocean and automatically
+ use Digital Ocean's DNS resolvers
+ * enable app connectors to install routes for domains that resolve to CNAME
+ records
+ * support pre-configured routes from control server
+ * add new read-only mode
+ * tailscale status command: fix output formatting Tailnet
+ includes location-based exit nodes
+ * a new ProxyClass custom resource that allows to provide custom
+ configuration for cluster resources that the operator creates
+ * ACL tags for the operator can now be configured via Helm chart values
+ * routing to Ingress backends that require an exact path without a slash
+
+-------------------------------------------------------------------
+Wed Feb 7 14:52:53 UTC 2024 - Richard Rahl
+
+- make rpm not overwrite /etc/default/taiscaled
+- defattr everything to root
+
+-------------------------------------------------------------------
+Sat Feb 3 11:18:05 UTC 2024 - Richard Rahl
+
+- no stripping of binaries
+- add commitID to binaries for upstream
+- add directory for saved configs
+
+-------------------------------------------------------------------
+Tue Jan 23 23:54:36 UTC 2024 - Richard Rahl
+
+- switch services to manual
+- update to version 1.58.2:
+ * Fixed: [App connectors][app-connectors] have improved scheduling
+ and merging of route changes under some conditions
+ * Fixed: Crash when performing UPnP portmapping on older routers
+ with no supported portmapping services
+
+-------------------------------------------------------------------
+Fri Jan 19 08:06:27 UTC 2024 - Richard Rahl
+
+- update to version 1.58.0:
+ * portmap: check the epoch from NAT-PMP & PCP, establish new portmapping if it changes
+ * portmap: better handle multiple interfaces
+ * portmap: handle multiple UPnP discovery responses
+ * increase the number of 4via6 site IDs from 256 to 65,536
+ * taildrop: allow category Z unicode characters
+ * increased binary size with 1.56 is resolved in 1.58
+ * Reduce home DERP flapping when there's still an active connection
+ * device web ui: fixed issue when accessing shared devices
+ * device web ui: fixed login issue when accessed over https
+
+-------------------------------------------------------------------
+Wed Jan 10 02:17:57 UTC 2024 - Richard Rahl
+
+- fix an issue with Leap, where ProtectClock prevents to connect to
+ /dev/net/tun
+
+-------------------------------------------------------------------
+Fri Dec 15 21:22:39 UTC 2023 - Richard Rahl
+
+- update to version 1.56.1:
+ * Fixed: Web interface redirects to the correct self IP known by source peer
+ * Fixed: Usage of slices.Compact from app connector domains list
+
+-------------------------------------------------------------------
+Fri Dec 15 13:48:28 UTC 2023 - Richard Rahl
+
+- fix version output to what upstream expects
+
+-------------------------------------------------------------------
+Wed Dec 13 22:08:30 UTC 2023 - rrahl0@proton.me
+
+- Update to version 1.56.0:
+ * improve responsiveness under load, especially with bidirectional traffic
+ * improve UPnP portmapping
+ * add tailscale whois subcommand to observe metadata associated with a Tailscale IP
+ * include tailnet name and profile ID in tailscale switch --list to disambiguate
+ profiles with common login names
+ * improve tailscale web interface for configuring some device settings such as exit nodes,
+ subnet routers, and Tailscale SSH
+ * improve containerboot to symlink its socket file if possible,
+ making the tailscale CLI work without --socket=/tmp/tailscale.sock
+ * add support in Kubernetes operator cluster egress for referring to a tailnet service
+ by its MagicDNS name
+
+
+- Update to version 1.54.1:
+ * no relevant updates to the linux version
+
+-------------------------------------------------------------------
+Fri Nov 24 21:59:11 UTC 2023 - Richard Rahl
+
+- tailscale couldn't connect to /dev/net/tun
+
+-------------------------------------------------------------------
+Thu Nov 23 06:51:24 UTC 2023 - rrahl0@proton.me
+
+- Update to version 1.54.0:
+ * improve throughput substantially for UDP packets over TUN device with recent Linux kernels
+
+
+- Update to version 1.52.1:
+ * no linux improvements
+
+- Update to version 1.52.0:
+ * tailscale set command flag --auto-update is added to opt in to automatic client updates
+ * tailscale serve and tailscale funnel commands are updated for improved usability
+ * tailscale update command for manual updates is now in beta
+ * Taildrop file transfer displays a progress meter
+ * nftables auto-detection is improved when TS_DEBUG_FIREWALL_MODE=auto is used
+ * DNS detection of NetworkManager with configured but absent systemd-resolved
+ * Taildrop now resumes file transfers after partial transfers are interrupted
+ * tailscale up command displays a message about client updates when newer versions are available
+ * tailscale status command displays a message about client updates when newer versions are available
+ * tailscale cert command renews in the background. The current certificate only displays if it has expired.
+
+-------------------------------------------------------------------
+Mon Oct 02 23:51:03 UTC 2023 - rrahl0@proton.me
+
+- Update to version 1.50.1:
+ * fix bug where serve config could get wiped
+ * Funnel support for tsnet apps
+ * fix potential crash with UPnP
+
+-------------------------------------------------------------------
+Sat Sep 30 19:38:50 UTC 2023 - rrahl0@proton.me
+
+- Update to version 1.50.0:
+ * Update tailscale{,d} licenses
+ * Update Quad9 addresses and references
+ * Adds support for Wikimedia DNS using DNS-over-HTTPS
+
+- Update to version 1.48.1:
+ * no relevant updates
+
+- Update to version 1.48.2:
+ * Improvements to Mullvad exit nodes
+
+-------------------------------------------------------------------
+Fri Aug 18 15:56:24 UTC 2023 - Richard Rahl
+
+- Initial revision
diff --git a/tailscale.spec b/tailscale.spec
new file mode 100644
index 0000000..1c6ec92
--- /dev/null
+++ b/tailscale.spec
@@ -0,0 +1,143 @@
+#
+# spec file for package tailscale
+#
+# Copyright (c) 2025 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name: tailscale
+Version: 1.84.0
+Release: 0
+Summary: The easiest, most secure way to use WireGuard and 2FA
+License: BSD-3-Clause
+URL: https://github.com/tailscale/tailscale
+Source: %{name}-%{version}.tar.gz
+Source1: vendor.tar.gz
+Source2: %{name}d.service
+Source3: %{name}d.defaults
+Patch0: build-verbose.patch
+Patch1: disable-auto-update.patch
+BuildRequires: bash-completion
+BuildRequires: fish
+BuildRequires: git-core
+BuildRequires: golang-packaging
+BuildRequires: zsh
+BuildRequires: golang(API) >= 1.24
+Requires: %{default_firewall_backend}
+ExcludeArch: i586
+%{?systemd_requires}
+
+%description
+Tailscale is a modern VPN built on top of Wireguard. It works like an overlay
+network between the computers of your networks using NAT traversal.
+
+%package bash-completion
+Summary: Tailscale bash completion
+Supplements: (%{name} and bash-completion)
+BuildArch: noarch
+
+%description bash-completion
+bash completions for %{name}
+
+%package zsh-completion
+Summary: Tailsacle zsh completion
+Supplements: (%{name} and zsh)
+BuildArch: noarch
+
+%description zsh-completion
+zsh completion for %{name}
+
+%package fish-completion
+Summary: Tailscale fish completion
+Supplements: (%{name} and fish)
+BuildArch: noarch
+
+%description fish-completion
+fish completion for %{name}
+
+%prep
+%autosetup -a1 -p1
+
+%build
+%ifnarch ppc64
+export GOFLAGS="-buildmode=pie"
+%endif
+export VERSION_SHORT=%{version}
+export VERSION_LONG=%{version}
+export VERSION_GIT_HASH='$(git rev-parse v%{version})'
+./build_dist.sh ./cmd/%{name}
+./build_dist.sh ./cmd/%{name}d
+
+#generate completions
+./%{name} completion bash > ./%{name}.bash
+./%{name} completion zsh > ./%{name}.zsh
+./%{name} completion fish > ./%{name}.fish
+
+%check
+./%{name} version
+./%{name}d -version
+
+%install
+mkdir -p %{buildroot}%{_sharedstatedir}/%{name}
+
+install -D -p -m 0755 %{name} %{buildroot}%{_bindir}/%{name}
+install -D -p -m 0755 %{name}d %{buildroot}%{_sbindir}/%{name}d
+
+# service
+install -D -p -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/%{name}d.service
+%if 0%{?suse_version} < 1600
+ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}d
+%endif
+
+# defaults
+install -D -p -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/default/%{name}d
+
+install -D -p -m 0644 ./%{name}.bash %{buildroot}%{_datadir}/bash-completion/completions/%{name}
+install -D -p -m 0644 ./%{name}.zsh %{buildroot}%{_datadir}/zsh/site-functions/_%{name}
+install -D -p -m 0644 ./%{name}.fish %{buildroot}%{_datadir}/fish/vendor_completions.d/%{name}
+
+%pre
+%service_add_pre %{name}d.service
+
+%post
+%service_add_post %{name}d.service
+
+%preun
+%service_del_preun %{name}d.service
+
+%postun
+%service_del_postun %{name}d.service
+
+%files
+%license LICENSE PATENTS
+%doc README.md SECURITY.md
+%config(noreplace) %{_sysconfdir}/default/%{name}d
+%dir %{_sharedstatedir}/%{name}
+%{_bindir}/%{name}
+%{_sbindir}/%{name}d
+%{_unitdir}/%{name}d.service
+%if 0%{?suse_version} < 1600
+%{_sbindir}/rc%{name}d
+%endif
+
+%files bash-completion
+%{_datadir}/bash-completion/completions/%{name}
+
+%files zsh-completion
+%{_datadir}/zsh/site-functions/_%{name}
+
+%files fish-completion
+%{_datadir}/fish/vendor_completions.d/%{name}
+
+%changelog
diff --git a/tailscaled.defaults b/tailscaled.defaults
new file mode 100644
index 0000000..75f1c3e
--- /dev/null
+++ b/tailscaled.defaults
@@ -0,0 +1,8 @@
+# Set the port to listen on for incoming VPN packets.
+# Remote nodes will automatically be informed about the new port number,
+# but you might want to configure this in order to set external firewall
+# settings.
+PORT="41641"
+
+# Extra flags you might want to pass to tailscaled.
+FLAGS=""
diff --git a/tailscaled.service b/tailscaled.service
new file mode 100644
index 0000000..b67b94d
--- /dev/null
+++ b/tailscaled.service
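Review bot: `%dir %{_sharedstatedir}/%{name}` in the %files list is packaged with the default directory mode, while the unit shipped alongside it sets `StateDirectoryMode=0700` for that same directory and points `--state=` into it; `%dir %attr(0700,root,root) %{_sharedstatedir}/%{name}` would make the package agree with the unit instead of leaving the directory at its looser mode until systemd first tightens it. The `export VERSION_GIT_HASH='$(git rev-parse v%{version})'` line in %build is single-quoted, so unless build_dist.sh evaluates the value itself the literal text rather than a commit hash ends up in the binaries — worth confirming against the `./%{name} version` output that %check already prints. The zsh-completion `Summary:` line also reads `Tailsacle`.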
@@ -0,0 +1,35 @@
+[Unit]
+Description=Tailscale node agent
+Documentation=https://tailscale.com/kb/
+Wants=network-pre.target
+After=network-pre.target NetworkManager.service systemd-resolved.service
+
+[Service]
+EnvironmentFile=/etc/default/tailscaled
+ExecStartPre=/usr/sbin/tailscaled --cleanup
+ExecStart=/usr/sbin/tailscaled --state=/var/lib/tailscale/tailscaled.state --socket=/run/tailscale/tailscaled.sock --port=${PORT} $FLAGS
+ExecStopPost=/usr/sbin/tailscaled --cleanup
+Restart=on-failure
+RuntimeDirectory=tailscale
+RuntimeDirectoryMode=0755
+StateDirectory=tailscale
+StateDirectoryMode=0700
+CacheDirectory=tailscale
+CacheDirectoryMode=0750
+Type=notify
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+PrivateDevices=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+RestrictRealtime=true
+# give permission to TUN
+BindPaths=/dev/net/tun
+DeviceAllow=/dev/net/tun rw
+
+[Install]
+WantedBy=multi-user.target
diff --git a/vendor.tar.gz b/vendor.tar.gz
new file mode 100644
index 0000000..221aef5
--- /dev/null
+++ b/vendor.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1e1812c09065b1b70a98302142e9f9d59b81cd17f8f9102c65d8521ba507264d
+size 19641578
-- 2.51.1
From 93386dca722c505a998e3930e4f239e335d92033944c7a833cacab0664c57d95 Mon Sep 17 00:00:00 2001
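Review bot: The hardening block under the openSUSE link stops short of `ProtectSystem=`, so /usr and /boot remain writable to a service that runs as root (no `User=` is set); `ProtectSystem=true` keeps /etc writable and is therefore the level least likely to interfere with tailscaled's DNS handling if it rewrites /etc/resolv.conf on the target system, whereas `full` or `strict` would need matching `ReadWritePaths=` entries — verify against the DNS mode in use before adding it. The `# give permission to TUN` comment would carry more for the next maintainer as `# PrivateDevices=true gives the unit a private /dev without /dev/net/tun: BindPaths mounts it back in and DeviceAllow grants rw in the device cgroup policy; both are needed`, since the two directives only work as a pair and the changelog entry that introduced them is far from the unit.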
From: Richard Rahl Date: Fri, 30 May 2025 06:50:23 +0000 Subject: [PATCH 04/25] - update to 1.84.1: * net/dns: cache dns.Config for reuse when compileConfig fails OBS-URL: https://build.opensuse.org/package/show/network:vpn/tailscale?expand=0&rev=79
---
 _service | 2 +- tailscale-1.84.0.tar.gz | 3 --- tailscale-1.84.1.tar.gz | 3 +++ tailscale.changes | 6 ++++++ tailscale.spec | 2 +- vendor.tar.gz | 4 ++-- 6 files changed, 13 insertions(+), 7 deletions(-) delete mode 100644 tailscale-1.84.0.tar.gz create mode 100644 tailscale-1.84.1.tar.gz
diff --git a/_service b/_service
index 130bb00..4be5e52 100644
--- a/_service
+++ b/_service
@@ -3,7 +3,7 @@
 https://github.com/tailscale/tailscale.git
 git
 yes
- refs/tags/v1.84.0
+ refs/tags/v1.84.1
 @PARENT_TAG@
 v(.*)
 disable
diff --git a/tailscale-1.84.0.tar.gz b/tailscale-1.84.0.tar.gz
deleted file mode 100644
index 547e2ef..0000000
--- a/tailscale-1.84.0.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:631530456a8795233447b0e42de4384fc47864cd57006983a388a2c37858a5d8
-size 68903813
diff --git a/tailscale-1.84.1.tar.gz b/tailscale-1.84.1.tar.gz
new file mode 100644
index 0000000..393eb56
--- /dev/null
+++ b/tailscale-1.84.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d2931c68f0ec823d6f05c3b75fc1876263dfd9438a8ae7a506c8d8fc9c2df90f
+size 69401229
diff --git a/tailscale.changes b/tailscale.changes
index 32e9e54..6cffcae 100644
--- a/tailscale.changes
+++ b/tailscale.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Fri May 30 06:23:15 UTC 2025 - Richard Rahl
+
+- update to 1.84.1:
+ * net/dns: cache dns.Config for reuse when compileConfig fails
+
 -------------------------------------------------------------------
 Thu May 22 08:27:09 UTC 2025 - Richard Rahl
diff --git a/tailscale.spec b/tailscale.spec
index 1c6ec92..2570716 100644
--- a/tailscale.spec
+++ b/tailscale.spec
@@ -17,7 +17,7 @@
 Name: tailscale
-Version: 1.84.0
+Version: 1.84.1
 Release: 0
 Summary: The easiest, most secure way to use WireGuard and 2FA
 License: BSD-3-Clause
diff --git a/vendor.tar.gz b/vendor.tar.gz
index 221aef5..11c8c8c 100644
--- a/vendor.tar.gz
+++ b/vendor.tar.gz
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:1e1812c09065b1b70a98302142e9f9d59b81cd17f8f9102c65d8521ba507264d
-size 19641578
+oid sha256:e5a7594a09283af086d2d35ebfdd318ede5a695ab25312979df21b709d1cf486
+size 19642603
-- 2.51.1
From 422d112069adac1e8585b54dbdee7de41bf5024dd6ec3b1d7d7eea008700ca0c Mon Sep 17 00:00:00 2001
From: Richard Rahl Date: Tue, 10 Jun 2025 15:45:21 +0000 Subject: [PATCH 05/25] =?UTF-8?q?-=20update=20to=201.84.2:=20=20=20*=20Re-?= =?UTF-8?q?enable=20setting=20=E2=80=94accept-dns=20by=20using=20TS=5FEXTR?= =?UTF-8?q?A=5FARGS.=20This=20issue=20resulted=20=20=20=20=20from=20strict?= =?UTF-8?q?er=20CLI=20arguments=20parsing=20introduced=20in=20Tailscale=20?= =?UTF-8?q?v1.84.0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit OBS-URL: https://build.opensuse.org/package/show/network:vpn/tailscale?expand=0&rev=81 --- .gitattributes | 23 ++ .gitignore | 1 + _service | 17 + _servicedata | 4 + build-verbose.patch | 13 + disable-auto-update.patch | 25 ++ fix-CVE-2024-45337.patch | 727 ++++++++++++++++++++++++++++++++++++++ fix-CVE-2025-22869.patch | 80 +++++ tailscale-1.70.0.tar.gz | 3 + tailscale-1.72.1.tar.gz | 3 + tailscale-1.74.0.tar.gz | 3 + tailscale-1.74.1.tar.gz | 3 + tailscale-1.76.1.tar.gz | 3 + tailscale-1.76.3.tar.gz | 3 + tailscale-1.76.6.tar.gz | 3 + tailscale-1.78.1.tar.gz | 3 + tailscale-1.78.3.tar.gz | 3 + tailscale-1.80.0.tar.gz | 3 + tailscale-1.80.1.tar.gz | 3 + tailscale-1.80.2.tar.gz | 3 + tailscale-1.80.3.tar.gz | 3 + tailscale-1.82.0.tar.gz | 3 + tailscale-1.82.5.tar.gz | 3 + tailscale-1.84.1.tar.gz | 3 + tailscale-1.84.2.tar.gz | 3 + tailscale.changes | 526 +++++++++++++++++++++++++++ tailscale.spec | 143 ++++++++ tailscaled.defaults | 8 + tailscaled.service | 35 ++ vendor.tar.gz | 3 + 30 files changed, 1656 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 _service create mode 100644 _servicedata create mode 100644 build-verbose.patch create mode 100644 disable-auto-update.patch create mode 100644 fix-CVE-2024-45337.patch create mode 100644 fix-CVE-2025-22869.patch create mode 100644 tailscale-1.70.0.tar.gz create mode 100644 tailscale-1.72.1.tar.gz create mode 100644 tailscale-1.74.0.tar.gz create mode 100644 tailscale-1.74.1.tar.gz create mode 100644 
tailscale-1.76.1.tar.gz create mode 100644 tailscale-1.76.3.tar.gz create mode 100644 tailscale-1.76.6.tar.gz create mode 100644 tailscale-1.78.1.tar.gz create mode 100644 tailscale-1.78.3.tar.gz create mode 100644 tailscale-1.80.0.tar.gz create mode 100644 tailscale-1.80.1.tar.gz create mode 100644 tailscale-1.80.2.tar.gz create mode 100644 tailscale-1.80.3.tar.gz create mode 100644 tailscale-1.82.0.tar.gz create mode 100644 tailscale-1.82.5.tar.gz create mode 100644 tailscale-1.84.1.tar.gz create mode 100644 tailscale-1.84.2.tar.gz create mode 100644 tailscale.changes create mode 100644 tailscale.spec create mode 100644 tailscaled.defaults create mode 100644 tailscaled.service create mode 100644 vendor.tar.gz
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/_service b/_service
new file mode 100644
index 0000000..5be0003
--- /dev/null
+++ b/_service
@@ -0,0 +1,17 @@
+
+
+ https://github.com/tailscale/tailscale.git
+ git
+ yes
+ refs/tags/v1.84.2
+ @PARENT_TAG@
+ v(.*)
+ disable
+
+
+ *.tar
+ gz
+
+
+
+
diff --git a/_servicedata b/_servicedata
new file mode 100644
index 0000000..d4fed67
--- /dev/null
+++ b/_servicedata
@@ -0,0 +1,4 @@
+
+
+ https://github.com/tailscale/tailscale.git
+ aa448d5a9985378af04966c6d7aec8d9f4a166ca
\ No newline at end of file
diff --git a/build-verbose.patch b/build-verbose.patch
new file mode 100644
index 0000000..5da7533
--- /dev/null
+++ b/build-verbose.patch
@@ -0,0 +1,13 @@
+diff --git a/build_dist.sh b/build_dist.sh
+index 0c757c26..9639d596 100755
+--- a/build_dist.sh
++++ b/build_dist.sh
+@@ -9,7 +9,7 @@
+ # this script, or executing equivalent commands in your
+ # distro-specific build system.
+
+-set -eu
++set -eux
+
+ go="go"
+ if [ -n "${TS_USE_TOOLCHAIN:-}" ]; then
diff --git a/disable-auto-update.patch b/disable-auto-update.patch
new file mode 100644
index 0000000..c7d8a30
--- /dev/null
+++ b/disable-auto-update.patch
@@ -0,0 +1,25 @@
+diff -rub tailscale/clientupdate/clientupdate.go tailscale-patched/clientupdate/clientupdate.go
+--- tailscale/clientupdate/clientupdate.go 2024-06-16 15:26:31.323022871 +0200
++++ tailscale-patched/clientupdate/clientupdate.go 2024-06-16 15:57:08.732315446 +0200
+@@ -205,6 +205,8 @@
+ // The distro.Debian switch case above should catch most apt-based
+ // systems, but add this fallback just in case.
+ return up.updateDebLike, true
++ case haveExecutable("zypper"):
++ return up.updateSUSE, false
+ case haveExecutable("dnf"):
+ return up.updateFedoraLike("dnf"), true
+ case haveExecutable("yum"):
+@@ -526,6 +528,12 @@
+ you can use "pacman --sync --refresh --sysupgrade" or "pacman -Syu" to upgrade the system, including Tailscale.`)
+ }
+
++func (up *Updater) updateSUSE() error {
++ // SUSE-based distros should update manually.
++ // The package can come from official Tailscale repos or not and the system can be transactional or not.
++ return errors.New(`Use Zypper or transactional-update (on applicable systems) to update Tailscale on openSUSE or SUSE Linux Enterprise installations.`)
++}
++
+ func (up *Updater) updateNixos() error {
+ // NixOS package updates are managed on a system level and not individually.
+ // Direct users to update their nix channel or nixpkgs flake input to
diff --git a/fix-CVE-2024-45337.patch b/fix-CVE-2024-45337.patch
new file mode 100644
index 0000000..1fbec70
--- /dev/null
+++ b/fix-CVE-2024-45337.patch
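Review bot: disable-auto-update.patch carries no header stating its purpose or upstream status — it opens directly with `diff -rub tailscale/clientupdate/clientupdate.go ...`, unlike fix-CVE-2024-45337.patch next to it, which keeps the full git commit message; a preamble along the lines of `Route "tailscale update" on SUSE to zypper/transactional-update instead of self-updating; openSUSE-specific, rebased on every version bump` before the `diff` header would tell the next packager why the hunk exists and whether it is meant to go upstream. In the Go hunk itself the new `case haveExecutable("zypper")` returns `up.updateSUSE, false`, and `updateSUSE` only ever returns an error, so the branch is selected solely by the zypper binary being on PATH; the enclosing switch starts above the hunk, so whether an earlier distro-specific case already catches SUSE systems cannot be judged from here.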
@@ -0,0 +1,727 @@ +From 73128e25230fda8c82696ed0ffef991bce68cecc Mon Sep 17 00:00:00 2001 +From: Brad Fitzpatrick +Date: Thu, 12 Dec 2024 09:38:07 -0800 +Subject: [PATCH] ssh/tailssh: remove unused public key support + +When we first made Tailscale SSH, we assumed people would want public +key support soon after. Turns out that hasn't been the case; people +love the Tailscale identity authentication and check mode. + +In light of CVE-2024-45337, just remove all our public key code to not +distract people, and to make the code smaller. We can always get it +back from git if needed. + +Updates tailscale/corp#25131 +Updates golang/go#70779 + +Co-authored-by: Percy Wegmann +Change-Id: I87a6e79c2215158766a81942227a18b247333c22 +Signed-off-by: Brad Fitzpatrick +--- + Makefile | 1 - + ssh/tailssh/tailssh.go | 277 ++++-------------------------------- + ssh/tailssh/tailssh_test.go | 88 +----------- + tailcfg/tailcfg.go | 18 ++- + tailcfg/tailcfg_clone.go | 12 +- + tailcfg/tailcfg_view.go | 22 +-- + 6 files changed, 54 insertions(+), 364 deletions(-) + +diff --git a/Makefile b/Makefile +index 960f13885c11c..d3e50af0571b7 100644 +--- a/Makefile ++++ b/Makefile +@@ -116,7 +116,6 @@ sshintegrationtest: ## Run the SSH integration tests in various Docker container + GOOS=linux GOARCH=amd64 ./tool/go build -o ssh/tailssh/testcontainers/tailscaled ./cmd/tailscaled && \ + echo "Testing on ubuntu:focal" && docker build --build-arg="BASE=ubuntu:focal" -t ssh-ubuntu-focal ssh/tailssh/testcontainers && \ + echo "Testing on ubuntu:jammy" && docker build --build-arg="BASE=ubuntu:jammy" -t ssh-ubuntu-jammy ssh/tailssh/testcontainers && \ +- echo "Testing on ubuntu:mantic" && docker build --build-arg="BASE=ubuntu:mantic" -t ssh-ubuntu-mantic ssh/tailssh/testcontainers && \ + echo "Testing on ubuntu:noble" && docker build --build-arg="BASE=ubuntu:noble" -t ssh-ubuntu-noble ssh/tailssh/testcontainers && \ + echo "Testing on alpine:latest" && docker build --build-arg="BASE=alpine:latest" -t 
ssh-alpine-latest ssh/tailssh/testcontainers + +diff --git a/ssh/tailssh/tailssh.go b/ssh/tailssh/tailssh.go +index 7cb99c3813104..7f21ccd1182ee 100644 +--- a/ssh/tailssh/tailssh.go ++++ b/ssh/tailssh/tailssh.go +@@ -10,7 +10,6 @@ import ( + "bytes" + "context" + "crypto/rand" +- "encoding/base64" + "encoding/json" + "errors" + "fmt" +@@ -45,7 +44,6 @@ import ( + "tailscale.com/util/clientmetric" + "tailscale.com/util/httpm" + "tailscale.com/util/mak" +- "tailscale.com/util/slicesx" + ) + + var ( +@@ -80,16 +78,14 @@ type server struct { + logf logger.Logf + tailscaledPath string + +- pubKeyHTTPClient *http.Client // or nil for http.DefaultClient +- timeNow func() time.Time // or nil for time.Now ++ timeNow func() time.Time // or nil for time.Now + + sessionWaitGroup sync.WaitGroup + + // mu protects the following +- mu sync.Mutex +- activeConns map[*conn]bool // set; value is always true +- fetchPublicKeysCache map[string]pubKeyCacheEntry // by https URL +- shutdownCalled bool ++ mu sync.Mutex ++ activeConns map[*conn]bool // set; value is always true ++ shutdownCalled bool + } + + func (srv *server) now() time.Time { +@@ -204,7 +200,6 @@ func (srv *server) OnPolicyChange() { + // + // Do the user auth + // - NoClientAuthHandler +-// - PublicKeyHandler (only if NoClientAuthHandler returns errPubKeyRequired) + // + // Once auth is done, the conn can be multiplexed with multiple sessions and + // channels concurrently. 
At which point any of the following can be called +@@ -234,10 +229,9 @@ type conn struct { + finalAction *tailcfg.SSHAction // set by doPolicyAuth or resolveNextAction + finalActionErr error // set by doPolicyAuth or resolveNextAction + +- info *sshConnInfo // set by setInfo +- localUser *userMeta // set by doPolicyAuth +- userGroupIDs []string // set by doPolicyAuth +- pubKey gossh.PublicKey // set by doPolicyAuth ++ info *sshConnInfo // set by setInfo ++ localUser *userMeta // set by doPolicyAuth ++ userGroupIDs []string // set by doPolicyAuth + acceptEnv []string + + // mu protects the following fields. +@@ -268,9 +262,6 @@ func (c *conn) isAuthorized(ctx ssh.Context) error { + action := c.currentAction + for { + if action.Accept { +- if c.pubKey != nil { +- metricPublicKeyAccepts.Add(1) +- } + return nil + } + if action.Reject || action.HoldAndDelegate == "" { +@@ -293,10 +284,6 @@ func (c *conn) isAuthorized(ctx ssh.Context) error { + // policy. + var errDenied = errors.New("ssh: access denied") + +-// errPubKeyRequired is returned by NoClientAuthCallback to make the client +-// resort to public-key auth; not user visible. +-var errPubKeyRequired = errors.New("ssh publickey required") +- + // NoClientAuthCallback implements gossh.NoClientAuthCallback and is called by + // the ssh.Server when the client first connects with the "none" + // authentication method. +@@ -305,13 +292,12 @@ var errPubKeyRequired = errors.New("ssh publickey required") + // starting it afresh). It returns an error if the policy evaluation fails, or + // if the decision is "reject" + // +-// It either returns nil (accept) or errPubKeyRequired or errDenied +-// (reject). The errors may be wrapped. ++// It either returns nil (accept) or errDenied (reject). The errors may be wrapped. 
+ func (c *conn) NoClientAuthCallback(ctx ssh.Context) error { + if c.insecureSkipTailscaleAuth { + return nil + } +- if err := c.doPolicyAuth(ctx, nil /* no pub key */); err != nil { ++ if err := c.doPolicyAuth(ctx); err != nil { + return err + } + if err := c.isAuthorized(ctx); err != nil { +@@ -332,8 +318,6 @@ func (c *conn) nextAuthMethodCallback(cm gossh.ConnMetadata, prevErrors []error) + switch { + case c.anyPasswordIsOkay: + nextMethod = append(nextMethod, "password") +- case slicesx.LastEqual(prevErrors, errPubKeyRequired): +- nextMethod = append(nextMethod, "publickey") + } + + // The fake "tailscale" method is always appended to next so OpenSSH renders +@@ -353,41 +337,20 @@ func (c *conn) fakePasswordHandler(ctx ssh.Context, password string) bool { + return c.anyPasswordIsOkay + } + +-// PublicKeyHandler implements ssh.PublicKeyHandler is called by the +-// ssh.Server when the client presents a public key. +-func (c *conn) PublicKeyHandler(ctx ssh.Context, pubKey ssh.PublicKey) error { +- if err := c.doPolicyAuth(ctx, pubKey); err != nil { +- // TODO(maisem/bradfitz): surface the error here. +- c.logf("rejecting SSH public key %s: %v", bytes.TrimSpace(gossh.MarshalAuthorizedKey(pubKey)), err) +- return err +- } +- if err := c.isAuthorized(ctx); err != nil { +- return err +- } +- c.logf("accepting SSH public key %s", bytes.TrimSpace(gossh.MarshalAuthorizedKey(pubKey))) +- return nil +-} +- +-// doPolicyAuth verifies that conn can proceed with the specified (optional) +-// pubKey. It returns nil if the matching policy action is Accept or +-// HoldAndDelegate. If pubKey is nil, there was no policy match but there is a +-// policy that might match a public key it returns errPubKeyRequired. Otherwise, +-// it returns errDenied. +-func (c *conn) doPolicyAuth(ctx ssh.Context, pubKey ssh.PublicKey) error { ++// doPolicyAuth verifies that conn can proceed. ++// It returns nil if the matching policy action is Accept or ++// HoldAndDelegate. 
Otherwise, it returns errDenied. ++func (c *conn) doPolicyAuth(ctx ssh.Context) error { + if err := c.setInfo(ctx); err != nil { + c.logf("failed to get conninfo: %v", err) + return errDenied + } +- a, localUser, acceptEnv, err := c.evaluatePolicy(pubKey) ++ a, localUser, acceptEnv, err := c.evaluatePolicy() + if err != nil { +- if pubKey == nil && c.havePubKeyPolicy() { +- return errPubKeyRequired +- } + return fmt.Errorf("%w: %v", errDenied, err) + } + c.action0 = a + c.currentAction = a +- c.pubKey = pubKey + c.acceptEnv = acceptEnv + if a.Message != "" { + if err := ctx.SendAuthBanner(a.Message); err != nil { +@@ -448,7 +411,6 @@ func (srv *server) newConn() (*conn, error) { + ServerConfigCallback: c.ServerConfig, + + NoClientAuthHandler: c.NoClientAuthCallback, +- PublicKeyHandler: c.PublicKeyHandler, + PasswordHandler: c.fakePasswordHandler, + + Handler: c.handleSessionPostSSHAuth, +@@ -516,34 +478,6 @@ func (c *conn) mayForwardLocalPortTo(ctx ssh.Context, destinationHost string, de + return false + } + +-// havePubKeyPolicy reports whether any policy rule may provide access by means +-// of a ssh.PublicKey. +-func (c *conn) havePubKeyPolicy() bool { +- if c.info == nil { +- panic("havePubKeyPolicy called before setInfo") +- } +- // Is there any rule that looks like it'd require a public key for this +- // sshUser? +- pol, ok := c.sshPolicy() +- if !ok { +- return false +- } +- for _, r := range pol.Rules { +- if c.ruleExpired(r) { +- continue +- } +- if mapLocalUser(r.SSHUsers, c.info.sshUser) == "" { +- continue +- } +- for _, p := range r.Principals { +- if len(p.PubKeys) > 0 && c.principalMatchesTailscaleIdentity(p) { +- return true +- } +- } +- } +- return false +-} +- + // sshPolicy returns the SSHPolicy for current node. + // If there is no SSHPolicy in the netmap, it returns a debugPolicy + // if one is defined. 
+@@ -620,117 +554,19 @@ func (c *conn) setInfo(ctx ssh.Context) error { + } + + // evaluatePolicy returns the SSHAction and localUser after evaluating +-// the SSHPolicy for this conn. The pubKey may be nil for "none" auth. +-func (c *conn) evaluatePolicy(pubKey gossh.PublicKey) (_ *tailcfg.SSHAction, localUser string, acceptEnv []string, _ error) { ++// the SSHPolicy for this conn. ++func (c *conn) evaluatePolicy() (_ *tailcfg.SSHAction, localUser string, acceptEnv []string, _ error) { + pol, ok := c.sshPolicy() + if !ok { + return nil, "", nil, fmt.Errorf("tailssh: rejecting connection; no SSH policy") + } +- a, localUser, acceptEnv, ok := c.evalSSHPolicy(pol, pubKey) ++ a, localUser, acceptEnv, ok := c.evalSSHPolicy(pol) + if !ok { + return nil, "", nil, fmt.Errorf("tailssh: rejecting connection; no matching policy") + } + return a, localUser, acceptEnv, nil + } + +-// pubKeyCacheEntry is the cache value for an HTTPS URL of public keys (like +-// "https://github.com/foo.keys") +-type pubKeyCacheEntry struct { +- lines []string +- etag string // if sent by server +- at time.Time +-} +- +-const ( +- pubKeyCacheDuration = time.Minute // how long to cache non-empty public keys +- pubKeyCacheEmptyDuration = 15 * time.Second // how long to cache empty responses +-) +- +-func (srv *server) fetchPublicKeysURLCached(url string) (ce pubKeyCacheEntry, ok bool) { +- srv.mu.Lock() +- defer srv.mu.Unlock() +- // Mostly don't care about the size of this cache. Clean rarely. 
+- if m := srv.fetchPublicKeysCache; len(m) > 50 { +- tooOld := srv.now().Add(pubKeyCacheDuration * 10) +- for k, ce := range m { +- if ce.at.Before(tooOld) { +- delete(m, k) +- } +- } +- } +- ce, ok = srv.fetchPublicKeysCache[url] +- if !ok { +- return ce, false +- } +- maxAge := pubKeyCacheDuration +- if len(ce.lines) == 0 { +- maxAge = pubKeyCacheEmptyDuration +- } +- return ce, srv.now().Sub(ce.at) < maxAge +-} +- +-func (srv *server) pubKeyClient() *http.Client { +- if srv.pubKeyHTTPClient != nil { +- return srv.pubKeyHTTPClient +- } +- return http.DefaultClient +-} +- +-// fetchPublicKeysURL fetches the public keys from a URL. The strings are in the +-// the typical public key "type base64-string [comment]" format seen at e.g. +-// https://github.com/USER.keys +-func (srv *server) fetchPublicKeysURL(url string) ([]string, error) { +- if !strings.HasPrefix(url, "https://") { +- return nil, errors.New("invalid URL scheme") +- } +- +- ce, ok := srv.fetchPublicKeysURLCached(url) +- if ok { +- return ce.lines, nil +- } +- +- ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second) +- defer cancel() +- req, err := http.NewRequestWithContext(ctx, "GET", url, nil) +- if err != nil { +- return nil, err +- } +- if ce.etag != "" { +- req.Header.Add("If-None-Match", ce.etag) +- } +- res, err := srv.pubKeyClient().Do(req) +- if err != nil { +- return nil, err +- } +- defer res.Body.Close() +- var lines []string +- var etag string +- switch res.StatusCode { +- default: +- err = fmt.Errorf("unexpected status %v", res.Status) +- srv.logf("fetching public keys from %s: %v", url, err) +- case http.StatusNotModified: +- lines = ce.lines +- etag = ce.etag +- case http.StatusOK: +- var all []byte +- all, err = io.ReadAll(io.LimitReader(res.Body, 4<<10)) +- if s := strings.TrimSpace(string(all)); s != "" { +- lines = strings.Split(s, "\n") +- } +- etag = res.Header.Get("Etag") +- } +- +- srv.mu.Lock() +- defer srv.mu.Unlock() +- mak.Set(&srv.fetchPublicKeysCache, 
url, pubKeyCacheEntry{ +- at: srv.now(), +- lines: lines, +- etag: etag, +- }) +- return lines, err +-} +- + // handleSessionPostSSHAuth runs an SSH session after the SSH-level authentication, + // but not necessarily before all the Tailscale-level extra verification has + // completed. It also handles SFTP requests. +@@ -832,18 +668,6 @@ func (c *conn) expandDelegateURLLocked(actionURL string) string { + ).Replace(actionURL) + } + +-func (c *conn) expandPublicKeyURL(pubKeyURL string) string { +- if !strings.Contains(pubKeyURL, "$") { +- return pubKeyURL +- } +- loginName := c.info.uprof.LoginName +- localPart, _, _ := strings.Cut(loginName, "@") +- return strings.NewReplacer( +- "$LOGINNAME_EMAIL", loginName, +- "$LOGINNAME_LOCALPART", localPart, +- ).Replace(pubKeyURL) +-} +- + // sshSession is an accepted Tailscale SSH session. + type sshSession struct { + ssh.Session +@@ -894,7 +718,7 @@ func (c *conn) newSSHSession(s ssh.Session) *sshSession { + + // isStillValid reports whether the conn is still valid. 
+ func (c *conn) isStillValid() bool { +- a, localUser, _, err := c.evaluatePolicy(c.pubKey) ++ a, localUser, _, err := c.evaluatePolicy() + c.vlogf("stillValid: %+v %v %v", a, localUser, err) + if err != nil { + return false +@@ -1277,9 +1101,9 @@ func (c *conn) ruleExpired(r *tailcfg.SSHRule) bool { + return r.RuleExpires.Before(c.srv.now()) + } + +-func (c *conn) evalSSHPolicy(pol *tailcfg.SSHPolicy, pubKey gossh.PublicKey) (a *tailcfg.SSHAction, localUser string, acceptEnv []string, ok bool) { ++func (c *conn) evalSSHPolicy(pol *tailcfg.SSHPolicy) (a *tailcfg.SSHAction, localUser string, acceptEnv []string, ok bool) { + for _, r := range pol.Rules { +- if a, localUser, acceptEnv, err := c.matchRule(r, pubKey); err == nil { ++ if a, localUser, acceptEnv, err := c.matchRule(r); err == nil { + return a, localUser, acceptEnv, true + } + } +@@ -1296,7 +1120,7 @@ var ( + errInvalidConn = errors.New("invalid connection state") + ) + +-func (c *conn) matchRule(r *tailcfg.SSHRule, pubKey gossh.PublicKey) (a *tailcfg.SSHAction, localUser string, acceptEnv []string, err error) { ++func (c *conn) matchRule(r *tailcfg.SSHRule) (a *tailcfg.SSHAction, localUser string, acceptEnv []string, err error) { + defer func() { + c.vlogf("matchRule(%+v): %v", r, err) + }() +@@ -1326,9 +1150,7 @@ func (c *conn) matchRule(r *tailcfg.SSHRule, pubKey gossh.PublicKey) (a *tailcfg + return nil, "", nil, errUserMatch + } + } +- if ok, err := c.anyPrincipalMatches(r.Principals, pubKey); err != nil { +- return nil, "", nil, err +- } else if !ok { ++ if !c.anyPrincipalMatches(r.Principals) { + return nil, "", nil, errPrincipalMatch + } + return r.Action, localUser, r.AcceptEnv, nil +@@ -1345,30 +1167,20 @@ func mapLocalUser(ruleSSHUsers map[string]string, reqSSHUser string) (localUser + return v + } + +-func (c *conn) anyPrincipalMatches(ps []*tailcfg.SSHPrincipal, pubKey gossh.PublicKey) (bool, error) { ++func (c *conn) anyPrincipalMatches(ps []*tailcfg.SSHPrincipal) bool { + for _, p := range 
ps { + if p == nil { + continue + } +- if ok, err := c.principalMatches(p, pubKey); err != nil { +- return false, err +- } else if ok { +- return true, nil ++ if c.principalMatchesTailscaleIdentity(p) { ++ return true + } + } +- return false, nil +-} +- +-func (c *conn) principalMatches(p *tailcfg.SSHPrincipal, pubKey gossh.PublicKey) (bool, error) { +- if !c.principalMatchesTailscaleIdentity(p) { +- return false, nil +- } +- return c.principalMatchesPubKey(p, pubKey) ++ return false + } + + // principalMatchesTailscaleIdentity reports whether one of p's four fields + // that match the Tailscale identity match (Node, NodeIP, UserLogin, Any). +-// This function does not consider PubKeys. + func (c *conn) principalMatchesTailscaleIdentity(p *tailcfg.SSHPrincipal) bool { + ci := c.info + if p.Any { +@@ -1388,42 +1200,6 @@ func (c *conn) principalMatchesTailscaleIdentity(p *tailcfg.SSHPrincipal) bool { + return false + } + +-func (c *conn) principalMatchesPubKey(p *tailcfg.SSHPrincipal, clientPubKey gossh.PublicKey) (bool, error) { +- if len(p.PubKeys) == 0 { +- return true, nil +- } +- if clientPubKey == nil { +- return false, nil +- } +- knownKeys := p.PubKeys +- if len(knownKeys) == 1 && strings.HasPrefix(knownKeys[0], "https://") { +- var err error +- knownKeys, err = c.srv.fetchPublicKeysURL(c.expandPublicKeyURL(knownKeys[0])) +- if err != nil { +- return false, err +- } +- } +- for _, knownKey := range knownKeys { +- if pubKeyMatchesAuthorizedKey(clientPubKey, knownKey) { +- return true, nil +- } +- } +- return false, nil +-} +- +-func pubKeyMatchesAuthorizedKey(pubKey ssh.PublicKey, wantKey string) bool { +- wantKeyType, rest, ok := strings.Cut(wantKey, " ") +- if !ok { +- return false +- } +- if pubKey.Type() != wantKeyType { +- return false +- } +- wantKeyB64, _, _ := strings.Cut(rest, " ") +- wantKeyData, _ := base64.StdEncoding.DecodeString(wantKeyB64) +- return len(wantKeyData) > 0 && bytes.Equal(pubKey.Marshal(), wantKeyData) +-} +- + func randBytes(n int) 
[]byte { + b := make([]byte, n) + if _, err := rand.Read(b); err != nil { +@@ -1749,7 +1525,6 @@ func envEq(a, b string) bool { + var ( + metricActiveSessions = clientmetric.NewGauge("ssh_active_sessions") + metricIncomingConnections = clientmetric.NewCounter("ssh_incoming_connections") +- metricPublicKeyAccepts = clientmetric.NewCounter("ssh_publickey_accepts") // accepted subset of ssh_publickey_connections + metricTerminalAccept = clientmetric.NewCounter("ssh_terminalaction_accept") + metricTerminalReject = clientmetric.NewCounter("ssh_terminalaction_reject") + metricTerminalMalformed = clientmetric.NewCounter("ssh_terminalaction_malformed") +diff --git a/ssh/tailssh/tailssh_test.go b/ssh/tailssh/tailssh_test.go +index ad9cb1e57b53d..9f3616d8ca8ab 100644 +--- a/ssh/tailssh/tailssh_test.go ++++ b/ssh/tailssh/tailssh_test.go +@@ -10,7 +10,6 @@ import ( + "context" + "crypto/ed25519" + "crypto/rand" +- "crypto/sha256" + "encoding/json" + "errors" + "fmt" +@@ -229,7 +228,7 @@ func TestMatchRule(t *testing.T) { + info: tt.ci, + srv: &server{logf: t.Logf}, + } +- got, gotUser, gotAcceptEnv, err := c.matchRule(tt.rule, nil) ++ got, gotUser, gotAcceptEnv, err := c.matchRule(tt.rule) + if err != tt.wantErr { + t.Errorf("err = %v; want %v", err, tt.wantErr) + } +@@ -348,7 +347,7 @@ func TestEvalSSHPolicy(t *testing.T) { + info: tt.ci, + srv: &server{logf: t.Logf}, + } +- got, gotUser, gotAcceptEnv, match := c.evalSSHPolicy(tt.policy, nil) ++ got, gotUser, gotAcceptEnv, match := c.evalSSHPolicy(tt.policy) + if match != tt.wantMatch { + t.Errorf("match = %v; want %v", match, tt.wantMatch) + } +@@ -1129,89 +1128,6 @@ func parseEnv(out []byte) map[string]string { + return e + } + +-func TestPublicKeyFetching(t *testing.T) { +- var reqsTotal, reqsIfNoneMatchHit, reqsIfNoneMatchMiss int32 +- ts := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { +- atomic.AddInt32((&reqsTotal), 1) +- etag := fmt.Sprintf("W/%q", 
sha256.Sum256([]byte(r.URL.Path))) +- w.Header().Set("Etag", etag) +- if v := r.Header.Get("If-None-Match"); v != "" { +- if v == etag { +- atomic.AddInt32(&reqsIfNoneMatchHit, 1) +- w.WriteHeader(304) +- return +- } +- atomic.AddInt32(&reqsIfNoneMatchMiss, 1) +- } +- io.WriteString(w, "foo\nbar\n"+string(r.URL.Path)+"\n") +- })) +- ts.StartTLS() +- defer ts.Close() +- keys := ts.URL +- +- clock := &tstest.Clock{} +- srv := &server{ +- pubKeyHTTPClient: ts.Client(), +- timeNow: clock.Now, +- } +- for range 2 { +- got, err := srv.fetchPublicKeysURL(keys + "/alice.keys") +- if err != nil { +- t.Fatal(err) +- } +- if want := []string{"foo", "bar", "/alice.keys"}; !reflect.DeepEqual(got, want) { +- t.Errorf("got %q; want %q", got, want) +- } +- } +- if got, want := atomic.LoadInt32(&reqsTotal), int32(1); got != want { +- t.Errorf("got %d requests; want %d", got, want) +- } +- if got, want := atomic.LoadInt32(&reqsIfNoneMatchHit), int32(0); got != want { +- t.Errorf("got %d etag hits; want %d", got, want) +- } +- clock.Advance(5 * time.Minute) +- got, err := srv.fetchPublicKeysURL(keys + "/alice.keys") +- if err != nil { +- t.Fatal(err) +- } +- if want := []string{"foo", "bar", "/alice.keys"}; !reflect.DeepEqual(got, want) { +- t.Errorf("got %q; want %q", got, want) +- } +- if got, want := atomic.LoadInt32(&reqsTotal), int32(2); got != want { +- t.Errorf("got %d requests; want %d", got, want) +- } +- if got, want := atomic.LoadInt32(&reqsIfNoneMatchHit), int32(1); got != want { +- t.Errorf("got %d etag hits; want %d", got, want) +- } +- if got, want := atomic.LoadInt32(&reqsIfNoneMatchMiss), int32(0); got != want { +- t.Errorf("got %d etag misses; want %d", got, want) +- } +- +-} +- +-func TestExpandPublicKeyURL(t *testing.T) { +- c := &conn{ +- info: &sshConnInfo{ +- uprof: tailcfg.UserProfile{ +- LoginName: "bar@baz.tld", +- }, +- }, +- } +- if got, want := c.expandPublicKeyURL("foo"), "foo"; got != want { +- t.Errorf("basic: got %q; want %q", got, want) +- } +- if 
got, want := c.expandPublicKeyURL("https://example.com/$LOGINNAME_LOCALPART.keys"), "https://example.com/bar.keys"; got != want { +- t.Errorf("localpart: got %q; want %q", got, want) +- } +- if got, want := c.expandPublicKeyURL("https://example.com/keys?email=$LOGINNAME_EMAIL"), "https://example.com/keys?email=bar@baz.tld"; got != want { +- t.Errorf("email: got %q; want %q", got, want) +- } +- c.info = new(sshConnInfo) +- if got, want := c.expandPublicKeyURL("https://example.com/keys?email=$LOGINNAME_EMAIL"), "https://example.com/keys?email="; got != want { +- t.Errorf("on empty: got %q; want %q", got, want) +- } +-} +- + func TestAcceptEnvPair(t *testing.T) { + tests := []struct { + in string +diff --git a/tailcfg/tailcfg.go b/tailcfg/tailcfg.go +index 897e8d27f7f7b..be6c4f0be6b82 100644 +--- a/tailcfg/tailcfg.go ++++ b/tailcfg/tailcfg.go +@@ -152,7 +152,8 @@ type CapabilityVersion int + // - 107: 2024-10-30: add App Connector to conffile (PR #13942) + // - 108: 2024-11-08: Client sends ServicesHash in Hostinfo, understands c2n GET /vip-services. + // - 109: 2024-11-18: Client supports filtertype.Match.SrcCaps (issue #12542) +-const CurrentCapabilityVersion CapabilityVersion = 109 ++// - 110: 2024-12-12: removed never-before-used Tailscale SSH public key support (#14373) ++const CurrentCapabilityVersion CapabilityVersion = 110 + + type StableID string + +@@ -2525,16 +2526,13 @@ type SSHPrincipal struct { + Any bool `json:"any,omitempty"` // if true, match any connection + // TODO(bradfitz): add StableUserID, once that exists + +- // PubKeys, if non-empty, means that this SSHPrincipal only +- // matches if one of these public keys is presented by the user. ++ // UnusedPubKeys was public key support. It never became an official product ++ // feature and so as of 2024-12-12 is being removed. ++ // This stub exists to remind us not to re-use the JSON field name "pubKeys" ++ // in the future if we bring it back with different semantics. 
+ // +- // As a special case, if len(PubKeys) == 1 and PubKeys[0] starts +- // with "https://", then it's fetched (like https://github.com/username.keys). +- // In that case, the following variable expansions are also supported +- // in the URL: +- // * $LOGINNAME_EMAIL ("foo@bar.com" or "foo@github") +- // * $LOGINNAME_LOCALPART (the "foo" from either of the above) +- PubKeys []string `json:"pubKeys,omitempty"` ++ // Deprecated: do not use. It does nothing. ++ UnusedPubKeys []string `json:"pubKeys,omitempty"` + } + + // SSHAction is how to handle an incoming connection. +diff --git a/tailcfg/tailcfg_clone.go b/tailcfg/tailcfg_clone.go +index f4f02c01721dc..bf9bac2980df9 100644 +--- a/tailcfg/tailcfg_clone.go ++++ b/tailcfg/tailcfg_clone.go +@@ -556,17 +556,17 @@ func (src *SSHPrincipal) Clone() *SSHPrincipal { + } + dst := new(SSHPrincipal) + *dst = *src +- dst.PubKeys = append(src.PubKeys[:0:0], src.PubKeys...) ++ dst.UnusedPubKeys = append(src.UnusedPubKeys[:0:0], src.UnusedPubKeys...) + return dst + } + + // A compilation failure here means this code must be regenerated, with the command at the top of this file. + var _SSHPrincipalCloneNeedsRegeneration = SSHPrincipal(struct { +- Node StableNodeID +- NodeIP string +- UserLogin string +- Any bool +- PubKeys []string ++ Node StableNodeID ++ NodeIP string ++ UserLogin string ++ Any bool ++ UnusedPubKeys []string + }{}) + + // Clone makes a deep copy of ControlDialPlan. 
+diff --git a/tailcfg/tailcfg_view.go b/tailcfg/tailcfg_view.go +index f275a6a9da5f2..6c21e5f450340 100644 +--- a/tailcfg/tailcfg_view.go ++++ b/tailcfg/tailcfg_view.go +@@ -1260,19 +1260,21 @@ func (v *SSHPrincipalView) UnmarshalJSON(b []byte) error { + return nil + } + +-func (v SSHPrincipalView) Node() StableNodeID { return v.ж.Node } +-func (v SSHPrincipalView) NodeIP() string { return v.ж.NodeIP } +-func (v SSHPrincipalView) UserLogin() string { return v.ж.UserLogin } +-func (v SSHPrincipalView) Any() bool { return v.ж.Any } +-func (v SSHPrincipalView) PubKeys() views.Slice[string] { return views.SliceOf(v.ж.PubKeys) } ++func (v SSHPrincipalView) Node() StableNodeID { return v.ж.Node } ++func (v SSHPrincipalView) NodeIP() string { return v.ж.NodeIP } ++func (v SSHPrincipalView) UserLogin() string { return v.ж.UserLogin } ++func (v SSHPrincipalView) Any() bool { return v.ж.Any } ++func (v SSHPrincipalView) UnusedPubKeys() views.Slice[string] { ++ return views.SliceOf(v.ж.UnusedPubKeys) ++} + + // A compilation failure here means this code must be regenerated, with the command at the top of this file. + var _SSHPrincipalViewNeedsRegeneration = SSHPrincipal(struct { +- Node StableNodeID +- NodeIP string +- UserLogin string +- Any bool +- PubKeys []string ++ Node StableNodeID ++ NodeIP string ++ UserLogin string ++ Any bool ++ UnusedPubKeys []string + }{}) + + // View returns a readonly view of ControlDialPlan. diff --git a/fix-CVE-2025-22869.patch b/fix-CVE-2025-22869.patch new file mode 100644 index 0000000..001df0a --- /dev/null +++ b/fix-CVE-2025-22869.patch 
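Review bot: With the new `anyPrincipalMatches` body a principal is accepted on Tailscale identity alone, yet `SSHPrincipal` still unmarshals the `pubKeys` JSON field into `UnusedPubKeys` and nothing reads it, so a policy that listed public keys as an extra restriction silently becomes more permissive. Worth surfacing that at the top of `principalMatchesTailscaleIdentity` (whose body runs past the hunk), e.g. `if len(p.UnusedPubKeys) > 0 { c.logf("tailssh: ignoring deprecated pubKeys on SSH principal; matching on identity only") }`, so operators notice the policy no longer means what it says. This file is a vendored upstream commit (`73128e25230fda8c82696ed0ffef991bce68cecc`), while `fix-CVE-2025-22869.patch` later in the series targets `tailscale-1.82.0/`; if that source already contains this commit the patch will fail to apply in %prep, so confirm it is still listed and needed for the built version. On the positive side, removing `fetchPublicKeysURL` and `expandPublicKeyURL` also means the daemon no longer performs HTTPS fetches to URLs assembled from policy text and the client's login name during authentication.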
@@ -0,0 +1,80 @@
+diff -rub tailscale-1.82.0/go.mod tailscale-1.82.0-patched/go.mod
+--- tailscale-1.82.0/go.mod 2025-03-26 20:26:55.000000000 +0100
++++ tailscale-1.82.0-patched/go.mod 2025-03-26 22:23:51.011357984 +0100
+@@ -94,14 +94,14 @@
+ go.uber.org/zap v1.27.0
+ go4.org/mem v0.0.0-20240501181205-ae6ca9944745
+ go4.org/netipx v0.0.0-20231129151722-fdeea329fbba
+- golang.org/x/crypto v0.35.0
++ golang.org/x/crypto v0.36.0
+ golang.org/x/exp v0.0.0-20250210185358-939b2ce775ac
+ golang.org/x/mod v0.23.0
+ golang.org/x/net v0.36.0
+ golang.org/x/oauth2 v0.26.0
+- golang.org/x/sync v0.11.0
+- golang.org/x/sys v0.30.0
+- golang.org/x/term v0.29.0
++ golang.org/x/sync v0.12.0
++ golang.org/x/sys v0.31.0
++ golang.org/x/term v0.30.0
+ golang.org/x/time v0.10.0
+ golang.org/x/tools v0.30.0
+ golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2
+@@ -382,7 +382,7 @@
+ go.uber.org/multierr v1.11.0 // indirect
+ golang.org/x/exp/typeparams v0.0.0-20240314144324-c7f7c6466f7f // indirect
+ golang.org/x/image v0.24.0 // indirect
+- golang.org/x/text v0.22.0 // indirect
++ golang.org/x/text v0.23.0 // indirect
+ gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
+ google.golang.org/protobuf v1.35.1 // indirect
+ gopkg.in/inf.v0 v0.9.1 // indirect
+diff -rub tailscale-1.82.0/go.sum tailscale-1.82.0-patched/go.sum
+--- tailscale-1.82.0/go.sum 2025-03-26 20:26:55.000000000 +0100
++++ tailscale-1.82.0-patched/go.sum 2025-03-26 22:24:39.260395929 +0100
+@@ -1047,6 +1047,8 @@
+ golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
+ golang.org/x/crypto v0.35.0 h1:b15kiHdrGCHrP6LvwaQ3c03kgNhhiMgvlhxHQhmg2Xs=
+ golang.org/x/crypto v0.35.0/go.mod h1:dy7dXNW32cAb/6/PRuTNsix8T+vJAqvuIy5Bli/x0YQ=
++golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
++golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
+ golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+ golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+ golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
+@@ -1160,6 +1162,8 @@
+ golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+ golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w=
+ golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
++golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
++golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+ golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+ golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+ golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+@@ -1220,6 +1224,8 @@
+ golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+ golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
+ golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
++golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
++golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+ golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+ golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+ golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+@@ -1228,6 +1234,8 @@
+ golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+ golang.org/x/term v0.29.0 h1:L6pJp37ocefwRRtYPKSWOWzOtWSxVajvz2ldH/xi3iU=
+ golang.org/x/term v0.29.0/go.mod h1:6bl4lRlvVuDgSf3179VpIxBF0o10JUpXWOnI7nErv7s=
++golang.org/x/term v0.30.0 h1:PQ39fJZ+mfadBm0y5WlL4vlM7Sx1Hgf13sMIY2+QS9Y=
++golang.org/x/term v0.30.0/go.mod h1:NYYFdzHoI5wRh/h5tDMdMqCqPJZEuNqVR5xJLd/n67g=
+ golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+ golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+ golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+@@ -1240,6 +1248,8 @@
+ golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+ golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=
+ golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
++golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
++golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
+ golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+ golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+ golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+Only in tailscale-1.82.0-patched: vendor
diff --git a/tailscale-1.70.0.tar.gz b/tailscale-1.70.0.tar.gz
new file mode 100644
index 0000000..66e7c90
--- /dev/null
+++ b/tailscale-1.70.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:294d6df3f4585152bd612eed9b34a6c2062589c8989f86ee25e750c37164fcd5
+size 55014834
diff --git a/tailscale-1.72.1.tar.gz b/tailscale-1.72.1.tar.gz
new file mode 100644
index 0000000..ea2e024
--- /dev/null
+++ b/tailscale-1.72.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:03e15ea076362eda1a44712351ba2a19bf746970fee8ddc4013513a07337cbe0
+size 11331158
diff --git a/tailscale-1.74.0.tar.gz b/tailscale-1.74.0.tar.gz
new file mode 100644
index 0000000..7923deb
--- /dev/null
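Review bot: The bump of `golang.org/x/crypto` to v0.36.0 (and `x/sync`, `x/sys`, `x/term`, `x/text`) touches only go.mod and go.sum; the trailing `+Only in tailscale-1.82.0-patched: vendor` line shows the vendor tree was excluded from the diff, so unless the vendored modules and `vendor/modules.txt` are regenerated to match, a `-mod=vendor` build fails the consistency check and a `-mod=mod` build fetches the modules at build time, while a stale vendor copy would ship the old code with a go.mod that claims otherwise. The old go.sum entries (`x/crypto v0.35.0`, `x/sync v0.11.0`, `x/sys v0.30.0`, `x/term v0.29.0`, `x/text v0.22.0`) are kept rather than replaced, which `go mod tidy` would remove; harmless, but tidying keeps the patch an honest picture of the module graph. The pre-patch go.mod already pinned `x/crypto v0.35.0`, so check the advisory for the first x/crypto release that contains the CVE-2025-22869 fix and make sure the patch's name and the package changelog claim exactly what this bump delivers. The hunk header announces 80 lines but only 75 are visible here, so the patch text should be re-verified against the file in the repository before relying on this view.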
+++ b/tailscale-1.74.0.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:65adec42c6b6c42a107d63b5c9eb2c10ae0e87f4d701aa5e35c4e31a81bcd381 +size 11323679 diff --git a/tailscale-1.74.1.tar.gz b/tailscale-1.74.1.tar.gz new file mode 100644 index 0000000..8fc3351 --- /dev/null +++ b/tailscale-1.74.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:7357c9fe3b0dabbb35847d8181f8500007299ec93586c23cd1c50af4183ccd19 +size 11462868 diff --git a/tailscale-1.76.1.tar.gz b/tailscale-1.76.1.tar.gz new file mode 100644 index 0000000..1b472c5 --- /dev/null +++ b/tailscale-1.76.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:87ebf950ec15274f6e7105acfe3d5565ea39bfc7cdd9762248df26da9874d9fc +size 11842133 diff --git a/tailscale-1.76.3.tar.gz b/tailscale-1.76.3.tar.gz new file mode 100644 index 0000000..2352b3a --- /dev/null +++ b/tailscale-1.76.3.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:dab7ef3240df51e7b51238d4239822ac8dec8106282acf1f07208bd699da99b7 +size 12050220 diff --git a/tailscale-1.76.6.tar.gz b/tailscale-1.76.6.tar.gz new file mode 100644 index 0000000..b019ce8 --- /dev/null +++ b/tailscale-1.76.6.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:627769855263d35d26e3b855efdf79167d42f08a3087f5a678b7aa5298e30a72 +size 12438906 diff --git a/tailscale-1.78.1.tar.gz b/tailscale-1.78.1.tar.gz new file mode 100644 index 0000000..b417f1f --- /dev/null +++ b/tailscale-1.78.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a035f99f9bdc8c0a3de278a538c1e8df1e886d8f2bfe0bd4567a3c2850e31d48 +size 11935577 diff --git a/tailscale-1.78.3.tar.gz b/tailscale-1.78.3.tar.gz new file mode 100644 index 0000000..74d8c18 --- /dev/null +++ b/tailscale-1.78.3.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1b10020e1b94fce5556f7ef67e5bd529fd1a209dcb7694bf13c1edafbce097cd +size 12121603 
diff --git a/tailscale-1.80.0.tar.gz b/tailscale-1.80.0.tar.gz new file mode 100644 index 0000000..6d803bb --- /dev/null +++ b/tailscale-1.80.0.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3c7a09a5a96c0c21f70aa4e1a1a934c8d5b1ef3db80e8aab98d53ee664585277 +size 12573438 diff --git a/tailscale-1.80.1.tar.gz b/tailscale-1.80.1.tar.gz new file mode 100644 index 0000000..c2e8626 --- /dev/null +++ b/tailscale-1.80.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:41d9c077b27685e7ded4bb59d443921a72aa3efdfeff313ad78f361cc8b0a794 +size 13209056 diff --git a/tailscale-1.80.2.tar.gz b/tailscale-1.80.2.tar.gz new file mode 100644 index 0000000..f9501a9 --- /dev/null +++ b/tailscale-1.80.2.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:46af9a3dcb6d7a82af189f6c4d45fce5a98aaab64d7877dcbe8dc9202ab892ae +size 13465507 diff --git a/tailscale-1.80.3.tar.gz b/tailscale-1.80.3.tar.gz new file mode 100644 index 0000000..3f01878 --- /dev/null +++ b/tailscale-1.80.3.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8cfab48a1a40bc27445bc1aea0daedc7c1147a1ee61fe3abbf32c1eb8acaca33 +size 13706235 diff --git a/tailscale-1.82.0.tar.gz b/tailscale-1.82.0.tar.gz new file mode 100644 index 0000000..de88954 --- /dev/null +++ b/tailscale-1.82.0.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:47b58b296b0ff02b4368fbb0040d3b46fa42643389ea3a0171c3ad1850b4b52d +size 13176999 diff --git a/tailscale-1.82.5.tar.gz b/tailscale-1.82.5.tar.gz new file mode 100644 index 0000000..f986dd6 --- /dev/null +++ b/tailscale-1.82.5.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1114843fb881e27ab377e2f3420f50b76c12783dc1daa7fcf7bb8b76416e3370 +size 67640448 diff --git a/tailscale-1.84.1.tar.gz b/tailscale-1.84.1.tar.gz new file mode 100644 index 0000000..393eb56 --- /dev/null +++ b/tailscale-1.84.1.tar.gz 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d2931c68f0ec823d6f05c3b75fc1876263dfd9438a8ae7a506c8d8fc9c2df90f +size 69401229 diff --git a/tailscale-1.84.2.tar.gz b/tailscale-1.84.2.tar.gz new file mode 100644 index 0000000..358ee1e --- /dev/null +++ b/tailscale-1.84.2.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a60ae898526ef200e178620e784af282513c723ff36b2763999ac79a7dfcc285 +size 70391896 diff --git a/tailscale.changes b/tailscale.changes new file mode 100644 index 0000000..3e22733 --- /dev/null +++ b/tailscale.changes 
@@ -0,0 +1,526 @@
+-------------------------------------------------------------------
+Tue Jun 10 15:36:55 UTC 2025 - Richard Rahl
+
+- update to 1.84.2:
+ * Re-enable setting —accept-dns by using TS_EXTRA_ARGS. This issue resulted
+ from stricter CLI arguments parsing introduced in Tailscale v1.84.0
+
+-------------------------------------------------------------------
+Fri May 30 06:23:15 UTC 2025 - Richard Rahl
+
+- update to 1.84.1:
+ * net/dns: cache dns.Config for reuse when compileConfig fails
+
+-------------------------------------------------------------------
+Thu May 22 08:27:09 UTC 2025 - Richard Rahl
+
+- update to 1.84.0:
+ * The --reason flag is added to the tailscale down command
+ * ReconnectAfter policy setting, which configures the maximum period of time
+ between a user disconnecting Tailscale and the client automatically
+ reconnecting
+ * Tailscale CLI commands throw an error if multiple of the same flag are detected
+ * Network connectivity issues when creating a new profile or switching
+ profiles while using an exit node
+ * DNS-over-TCP fallback works correctly with upstream servers reachable only
+ via the tailnet
+- remove fix-CVE-2025-22869.patch, as upstream updated their dependencies
+
+-------------------------------------------------------------------
+Fri Apr 18 07:37:15 UTC 2025 - Richard Rahl
+
+- update to 1.82.5:
+ * A panic issue related to CUBIC congestion control in userspace mode is resolved.
+
+-------------------------------------------------------------------
+Thu Mar 27 19:50:58 UTC 2025 - Richard Rahl
+
+- update to 1.82.0:
+ * DERP functionality within the client supports certificate pinning for
+ self-signed IP address certificates for those unable to use Let's Encrypt
+ or WebPKI certificates.
+ * Go is updated to version 1.24.1
+ * NAT traversal code uses the DERP connection that a packet arrived on as an
+ ultimate fallback route if no other information is available
+ * Captive portal detection reliability is improved on some in-flight Wi-Fi networks
+ * Port mapping success rate is improved
+ * Helsinki is added as a DERP region.
+
+-------------------------------------------------------------------
+Wed Mar 12 09:07:49 UTC 2025 - Richard Rahl
+
+- add patch fix-CVE-2025-22869.patch, fixes bsc#1239353
+
+-------------------------------------------------------------------
+Tue Mar 4 13:42:34 UTC 2025 - Richard Rahl
+
+- update to 1.80.3:
+ * appc: fix a deadlock in route advertisements
+ * client/web: fix CSRF handler order in web UI
+
+-------------------------------------------------------------------
+Thu Feb 13 14:30:28 UTC 2025 - Richard Rahl
+
+- update to 1.80.2:
+ * Use ip:country as a geolocation device posture attribute (generally available).
+
+-------------------------------------------------------------------
+Thu Feb 6 19:52:22 UTC 2025 - Richard Rahl
+
+- update to 1.80.1:
+ * net/netmon: add extra panic guard around ParseRIB
+
+-------------------------------------------------------------------
+Fri Jan 31 17:20:29 UTC 2025 - Richard Rahl
+
+- update to 1.80.0:
+ * Hostname system policy is added for overriding the device hostname
+ configured by the operating system, using an MDM solution.
+ * Web interface displays a Login button instead of the Reauthenticate button
+ when adding a new device to your tailnet.
+ * Tailscale Funnel configuration on devices displays errors when incoming
+ connections are not permitted and connections are disallowed.
+ * Connections to a custom coordination server that does not support HTTPS
+ will no longer fail when a custom port number is specified.
+ * TLS certificate requests from Let’s Encrypt include the device's DNS name
+ in the CSR’s SAN extension and set the Common Name field.
+ * Tailscale Funnel disabled on a device no longer displays enabled in the
+ admin console.
+ * GitHub username change automatically updates tailnet name
+ * 4via6 subnet routers GA
+ * Auto approvers GA
+ * Node attributes GA
+ * Download invoices GA
+ * Fast user switching GA
+ * Configuration log streaming integration with S3 buckets GA
+ * Network flow log streaming integration with S3 buckets GA
+ * NextDNS profiles per device GA
+ * GitHub secret scanning
+- remove fix-CVE-2024-45337.patch, as it's now included
+
+-------------------------------------------------------------------
+Wed Dec 18 17:33:23 UTC 2024 - Richard Rahl
+
+- add patch fix-CVE-2024-45337.patch, to circumevent a possibility
+ of exploiting the golang-x-crypto security hole. (fix #1234506)
+
+-------------------------------------------------------------------
+Fri Dec 13 05:06:26 UTC 2024 - Richard Rahl
+
+- update to 1.78.3:
+ * cmd/containerboot: fix nil pointer exception
+ * hostinfo: fix testing in container
+
+-------------------------------------------------------------------
+Fri Dec 6 01:22:05 UTC 2024 - Richard Rahl
+
+- update to 1.78.1:
+ * health: fix TestHealthMetric
+
+-------------------------------------------------------------------
+Thu Dec 5 22:10:32 UTC 2024 - Richard Rahl
+
+- update to 1.78.0:
+ * Client metrics have been added, to provide insights into Tailscale client
+ behavior, health, and performance.
+ * tailscale metrics command has been added, to expose and collect client
+ metrics for use with third-party monitoring systems.
+ * tailscale syspolicy command has been added, to list system policies, reload
+ system policies, or view errors related to the system policies configured
+ on the device.
+ * Tailscale system policies are applied immediately when pushed via mobile
+ device management (MDM) or Group Policy, without requiring a client restart.
+ * Tailscale SSH session recording detects the disappearance of the recorder
+ node sooner. This fix addresses a security vulnerability described
+ in TS-2024-013.
+ * New scopes for OAuth clients have been added with more granular permissions.
+ Existing OAuth clients using the previous set of scopes, and keys generated
+ using these clients, are still valid.
+
+-------------------------------------------------------------------
+Fri Nov 8 03:46:50 UTC 2024 - Richard Rahl
+
+- update to 1.76.6:
+ * Logging for when clients move home DERP regions is improved.
+ * Tailscale clients no longer move their home DERP server prematurely in
+ response to unusual latency at very specific times.
+
+-------------------------------------------------------------------
+Tue Oct 22 18:34:42 UTC 2024 - Richard Rahl
+
+- update to 1.76.3:
+ * no relevant changelog
+- update to 1.76.2:
+ * no relevant changelog
+- switch over to the new %{default_fw_backend} macro
+- create old init file only for < leap 16
+
+-------------------------------------------------------------------
+Wed Oct 16 20:40:31 UTC 2024 - Richard Rahl
+
+- update to 1.76.1:
+ * tailscale netcheck CLI command no longer crashes when performing diagnostics
+ on networks lacking UDP connectivity.
+ * Improperly formatted SERVFAIL responses no longer cause DNS timeouts when using an exit node.
+ * dbus login sessions no longer fail on systems where /bin/login is missing.
+
+-------------------------------------------------------------------
+Mon Oct 14 13:06:13 UTC 2024 - Alexandre Vicenzi
+
+- Require a firewall backend (boo#1228829)
+- Add simple test check to ensure binaries are working
+
+-------------------------------------------------------------------
+Fri Oct 11 06:07:28 UTC 2024 - Richard Rahl
+
+- update to 1.76.0:
+ * Clients lacking UDP connectivity no longer skip performing fallback latency
+ measurements with DERP servers.
+ * Warnings no longer display unnecessarily.
+ * Tailscale connectivity on in-flight internet on airplanes (such as Alaska Airlines) no longer fails.
+ * Service-related processes no longer run unnecessarily when services are disabled on the tailnet.
+ * Error messages include explanations in addition to the HTTP status code.
+ * Tailscale SSH supports sending environment variables to hosts. It's also possible to specify
+ permitted environment variables using the acceptEnv field.
+ * Tailscale SSH no longer breaks some terminal applications by omitting pixel width and height when
+ resizing the application window.
+
+-------------------------------------------------------------------
+Sat Sep 21 05:28:42 UTC 2024 - Eric Torres
+
+- Change path of zsh completion file to make zsh properly recognize completions
+ * /usr/share/zsh/site-functions/tailscale moved to /usr/share/zsh/site-functions/_tailscale
+
+-------------------------------------------------------------------
+Wed Sep 18 19:10:19 UTC 2024 - Richard Rahl
+
+- update to 1.74.1:
+ * wgengine/magicsock: disable raw disco by default; add envknob to enable
+
+-------------------------------------------------------------------
+Fri Sep 13 10:48:17 UTC 2024 - Richard Rahl
+
+- update to 1.74.0
+ * AuthKey system policy can be used to authenticate a device with Tailscale using an MDM solution.
+ * tailscale dns CLI command is added for accessing Tailscale DNS settings and status.
+ * Tailnet Lock long rotation signatures are truncated automatically to avoid excessive growth.
+ * Log In option in the client works as expected.
+ * TCP generic receive offload (GRO) support is added for improved userspace mode throughput.
+ * TCP generic segmentation offload (GSO) is re-introduced for supporting improved userspace mode throughput.
+ This was initially introduced in Tailscale v1.72.0 and then rolled back in v1.72.1.
+ * Device posture integration with CrowdStrike Falcon can now use MAC addresses to match devices that lack serial numbers.
+ When Falcon integration is configured, Device Identity Collection will automatically collect MAC addresses.
+
+-------------------------------------------------------------------
+Thu Aug 22 22:08:51 UTC 2024 - Richard Rahl
+
+- update to 1.72.1:
+ * DNS over TCP failures when querying the Tailscale-internal resolver are fixed.
+
+-------------------------------------------------------------------
+Wed Aug 21 16:05:02 UTC 2024 - rrahl0@opensuse.org
+
+- Update to version 1.72.0:
+ * posture: deduplicate MAC addresses before returning them
+ * health/dns: reduce severity of DNS unavailable warning
+ * safeweb: add Server.Close method
+ * go.mod.sri: update SRI hash for go.mod changes
+ * go.{mod,sum}: migrate from nhooyr.io/websocket to github.com/coder/websocket
+ * cmd/viewer: add support for map-like container types
+- update golang(API) to 1.23
+- export version variables, to circumvent a bug
+
+-------------------------------------------------------------------
+Thu Jul 18 06:31:58 UTC 2024 - Richard Rahl
+
+- update to 1.70.0:
+ * New: Restrict recommended and automatically selected exit nodes using the
+ new AllowedSuggestedExitNodes system policy. Applies only to platforms that
+ support system policies.
+ * Changed: Improved NAT traversal for some uncommon scenarios.
+ * Changed: Optimized sending firewall rules to clients more efficiently.
+ * Fixed: Exit node suggestion CLI command now prints the hostname.
+ * Fixed: Taildrive share paths configured through the CLI resolve relative
+ to where you run the tailscale command.
+
+-------------------------------------------------------------------
+Tue Jul 2 20:35:35 UTC 2024 - Richard Rahl
+
+- update to 1.68.2:
+ * Fixed: Tailnet lock validation of rotation signatures now permits multiple nodes
+ signed by the same pre-signed reusable auth key.
+
+-------------------------------------------------------------------
+Sun Jun 16 13:30:20 UTC 2024 - Richard Rahl
+
+- update to 1.68.1:
+ * Fixed: 4via6 subnet router advertisement works as expected.
+ * Fixed: Tailscale SSH access to Security-Enhanced Linux (SELinux) machines works as expected.
+- update to 1.68.0:
+ * New: Auto-updates are allowed in containers, but ignore the tailnet-wide default
+ * New: Apply auto-updates even if the node is down or disconnected from the coordination server.
+ * New: tailscale lock status now prints the node's signature.
+
+-------------------------------------------------------------------
+Wed May 22 08:36:37 UTC 2024 - Richard Rahl
+
+- update to 1.66.4:
+ * Fixed: Restored UDP connectivity through Mullvad exit nodes
+ * Stateful filtering is now off by default
+
+- update to 1.66.3:
+ * Login URLs did not always appear in the console when running tailscale up
+ * Starting with v1.66, the Kubernetes operator must always run the same or later version
+ as the proxies it manages.
+ * Expose cloud services on cluster network to the tailnet, using Kubernetes ExternalName Services
+ * Expose tailnet services that use Tailscale HTTPS to cluster workloads
+ * Cluster workloads can now refer to Tailscale Ingress resources by their MagicDNS names
+ * Configure environment variables for Tailscale Kubernetes operator proxies using ProxyClass CRD
+ * Expose tailscaled metrics endpoint for Tailscale Kubernetes operator proxies through ProxyClass CRD
+ * Configure labels for the Kubernetes operator Pods with Helm chart values
+ * Configure affinity rules for Kubernetes operator proxy Pods with ProxyClass
+ * Kubernetes operator proxy init container no longer attempts to enable IPv6 forwarding on systems
+ that don't have IPv6 module loaded
+ * Tailscale containers running on Kubernetes no longer error if an empty Kubernetes Secret is
+ pre-created for the tailscaled state
+ * Improved the ambiguous error messages when Tailscale running on Kubernetes does not have the right
+ permissions to perform actions against the tailscaled state Secret
+
+-------------------------------------------------------------------
+Fri May 10 15:16:33 UTC 2024 - Richard Rahl
+
+- update to 1.66.1:
+ * Resolved issues with nftables rules for stateful filtering,
+ introduced in v1.66.0.
+ * tailscale set command flags --netfilter-mode, --snat-subnet-routes,
+ and --stateful-filtering are added.
+
+- update to 1.66.0:
+ * Implemented client-side quarantining for shared-in exit nodes,
+ as a mitigation for a security vulnerability described in TS-2024-005.
+ * Use the --stateful-filtering flag for the tailscale up to enable stateful filtering for
+ subnet routers and exit nodes, as a mitigation for a security vulnerability described
+ in TS-2024-005.
+ * Added tab completions
+ * Use the tailscale exit-node suggest command to automatically pick an available exit node
+ that is likely to perform best.
+ * Site-to-site networking now also requires --stateful-filtering=false in addition to
+ --snat-subnet-routes=false on new subnet routers. Existing subnet routers with --snat-subnet-routes=false
+ will default to --stateful-filtering=false.
+
+- update to 1.64.2:
+ * nothing relevant for linux
+
+- update to 1.64.1:
+ * nothing relevant for linux
+
+- update to 1.64.0:
+ * New: tailscale configure kubeconfig now respects KUBECONFIG environment variable.
+ * Fixed: tailscale configure kubeconfig now works with partially empty kubeconfig.
+ * Fixed: MSS clamping for Kubernetes operator proxies using nftables.
+ * Fixed: Containers on hosts with partial support for ip6tables no longer crash.
+
+- turn of changelog generation
+- add completions for bash
+
+-------------------------------------------------------------------
+Sat Mar 30 08:28:56 UTC 2024 - Richard Rahl
+
+- update to 1.62.1:
+ * Send load balancing hint HTTP request header
+ * Fixed: Kubernetes operator proxies should not accept subnet routes
+
+-------------------------------------------------------------------
+Thu Mar 14 03:13:54 UTC 2024 - rrahl0@proton.me
+
+- update to 1.62.0:
+ * IPv6 support detection in a container environment is improved
+ * New: Web interface now uses ACL grants to manage access on tagged devices
+ * Tailscale SSH connections now disable unnecessary hostname canonicalization
+ * tailscale bugreport command for generating diagnostic logs now contain ethtool information
+ * Mullvad's family-friendly server is added to the list of well known DNS over HTTPS (DoH) servers
+ * DNS over HTTP requests now contain a timeout
+ * TCP forwarding attempts in userspace mode now have a per-client limit
+ * Endpoints with link-local IPv6 addresses is preferred over private addresses
+ * WireGuard logs are less verbose
+ * Go min. version 1.22.1
+ * DERP server region no longer changes if connectivity to the new DERP region is degraded
+
+- update to 1.60.1:
+ * Exposing port 8080 to other devices on your tailnet works as expected
+
+-------------------------------------------------------------------
+Tue Feb 20 22:10:41 UTC 2024 - Alexandre Vicenzi
+
+- Add disable-auto-update.patch to prevent auto updates and instead
+ ask users to use Zypper to update manually
+
+-------------------------------------------------------------------
+Tue Feb 20 14:52:46 UTC 2024 - Richard Rahl
+
+- change to the non deprecated manualrun
+
+-------------------------------------------------------------------
+Fri Feb 16 14:38:14 UTC 2024 - alexandre.vicenzi@suse.com
+
+- Spec cleanup
+ * Use tar_scm to avoid commit hashes in the spec
+ * Use tailscale build scripts
+ * Drop ProtectClock fix for Leap, DeviceAllow fixes it
+- Add build-verbose.patch to get go flags into build log
+- Enable PrivateDevices but allow access to /dev/net/tun in tailscaled.service
+
+-------------------------------------------------------------------
+Fri Feb 16 00:50:26 UTC 2024 - Richard Rahl
+
+- update to 1.60.0:
+ * minimum go version 1.22
+ * authentication: present users with a valid login page when
+ attempting to login even after leaving device unattended for several days
+ * networking: mute noisy peer mtu discovery errors
+ * networking: expose gVisor metrics in debug mode
+ * port mapper: support legacy "urn:dslforum-org" port mapping services
+ * port mapper: fix crash when no support mapping services found
+ * ssh: log warning when unable to find SSH host keys
+ * serve: improve error message when running as non-root
+ * Detect when Tailscale is running on Digital Ocean and automatically
+ use Digital Ocean's DNS resolvers
+ * enable app connectors to install routes for domains that resolve to CNAME
+ records
+ * support pre-configured routes from control server
+ * add new read-only mode
+ * tailscale status command: fix output formatting Tailnet
+ includes location-based exit nodes
+ * a new ProxyClass custom resource that allows to provide custom
+ configuration for cluster resources that the operator creates
+ * ACL tags for the operator can now be configured via Helm chart values
+ * routing to Ingress backends that require an exact path without a slash
+
+-------------------------------------------------------------------
+Wed Feb 7 14:52:53 UTC 2024 - Richard Rahl
+
+- make rpm not overwrite /etc/default/taiscaled
+- defattr everything to root
+
+-------------------------------------------------------------------
+Sat Feb 3 11:18:05 UTC 2024 - Richard Rahl
+
+- no stripping of binaries
+- add commitID to binaries for upstream
+- add directory for saved configs
+
+-------------------------------------------------------------------
+Tue Jan 23 23:54:36 UTC 2024 - Richard Rahl
+
+- switch services to manual
+- update to version 1.58.2:
+ * Fixed: [App connectors][app-connectors] have improved scheduling
+ and merging of route changes under some conditions
+ * Fixed: Crash when performing UPnP portmapping on older routers
+ with no supported portmapping services
+
+-------------------------------------------------------------------
+Fri Jan 19 08:06:27 UTC 2024 - Richard Rahl
+
+- update to version 1.58.0:
+ * portmap: check the epoch from NAT-PMP & PCP, establish new portmapping if it changes
+ * portmap: better handle multiple interfaces
+ * portmap: handle multiple UPnP discovery responses
+ * increase the number of 4via6 site IDs from 256 to 65,536
+ * taildrop: allow category Z unicode characters
+ * increased binary size with 1.56 is resolved in 1.58
+ * Reduce home DERP flapping when there's still an active connection
+ * device web ui: fixed issue when accessing shared devices
+ * device web ui: fixed login issue when accessed over https
+
+-------------------------------------------------------------------
+Wed Jan 10 02:17:57 UTC 2024 - Richard Rahl
+
+- fix an issue with Leap, where ProtectClock prevents to connect to
+ /dev/net/tun
+
+-------------------------------------------------------------------
+Fri Dec 15 21:22:39 UTC 2023 - Richard Rahl
+
+- update to version 1.56.1:
+ * Fixed: Web interface redirects to the correct self IP known by source peer
+ * Fixed: Usage of slices.Compact from app connector domains list
+
+-------------------------------------------------------------------
+Fri Dec 15 13:48:28 UTC 2023 - Richard Rahl
+
+- fix version output to what upstream expects
+
+-------------------------------------------------------------------
+Wed Dec 13 22:08:30 UTC 2023 - rrahl0@proton.me
+
+- Update to version 1.56.0:
+ * improve responsiveness under load, especially with bidirectional traffic
+ * improve UPnP portmapping
+ * add tailscale whois subcommand to observe metadata associated with a Tailscale IP
+ * include tailnet name and profile ID in tailscale switch --list to disambiguate
+ profiles with common login names
+ * improve tailscale web interface for configuring some device settings such as exit nodes,
+ subnet routers, and Tailscale SSH
+ * improve containerboot to symlink its socket file if possible,
+ making the tailscale CLI work without --socket=/tmp/tailscale.sock
+ * add support in Kubernetes operator cluster egress for referring to a tailnet service
+ by its MagicDNS name
+
+
+- Update to version 1.54.1:
+ * no relevant updates to the linux version
+
+-------------------------------------------------------------------
+Fri Nov 24 21:59:11 UTC 2023 - Richard Rahl
+
+- tailscale couldn't connect to /dev/net/tun
+
+-------------------------------------------------------------------
+Thu Nov 23 06:51:24 UTC 2023 - rrahl0@proton.me
+
+- Update to version 1.54.0:
+ * improve throughput substantially for UDP packets over TUN device with recent Linux kernels
+
+
+- Update to version 1.52.1:
+ * no linux improvements
+
+- Update to version 1.52.0:
+ * tailscale set command flag --auto-update is added to opt in to automatic client updates
+ * tailscale serve and tailscale funnel commands are updated for improved usability
+ * tailscale update command for manual updates is now in beta
+ * Taildrop file transfer displays a progress meter
+ * nftables auto-detection is improved when TS_DEBUG_FIREWALL_MODE=auto is used
+ * DNS detection of NetworkManager with configured but absent systemd-resolved
+ * Taildrop now resumes file transfers after partial transfers are interrupted
+ * tailscale up command displays a message about client updates when newer versions are available
+ * tailscale status command displays a message about client updates when newer versions are available
+ * tailscale cert command renews in the background. The current certificate only displays if it has expired.
+
+-------------------------------------------------------------------
+Mon Oct 02 23:51:03 UTC 2023 - rrahl0@proton.me
+
+- Update to version 1.50.1:
+ * fix bug where serve config could get wiped
+ * Funnel support for tsnet apps
+ * fix potential crash with UPnP
+
+-------------------------------------------------------------------
+Sat Sep 30 19:38:50 UTC 2023 - rrahl0@proton.me
+
+- Update to version 1.50.0:
+ * Update tailscale{,d} licenses
+ * Update Quad9 addresses and references
+ * Adds support for Wikimedia DNS using DNS-over-HTTPS
+
+- Update to version 1.48.1:
+ * no relevant updates
+
+- Update to version 1.48.2:
+ * Improvements to Mullvad exit nodes
+
+-------------------------------------------------------------------
+Fri Aug 18 15:56:24 UTC 2023 - Richard Rahl
+
+- Initial revision
diff --git a/tailscale.spec b/tailscale.spec
new file mode 100644
index 0000000..e4e3933
--- /dev/null
+++ b/tailscale.spec
@@ -0,0 +1,143 @@
+#
+# spec file for package tailscale
+#
+# Copyright (c) 2025 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name: tailscale
+Version: 1.84.2
+Release: 0
+Summary: The easiest, most secure way to use WireGuard and 2FA
+License: BSD-3-Clause
+URL: https://github.com/tailscale/tailscale
+Source: %{name}-%{version}.tar.gz
+Source1: vendor.tar.gz
+Source2: %{name}d.service
+Source3: %{name}d.defaults
+Patch0: build-verbose.patch
+Patch1: disable-auto-update.patch
+BuildRequires: bash-completion
+BuildRequires: fish
+BuildRequires: git-core
+BuildRequires: golang-packaging
+BuildRequires: zsh
+BuildRequires: golang(API) >= 1.24
+Requires: %{default_firewall_backend}
+ExcludeArch: i586
+%{?systemd_requires}
+
+%description
+Tailscale is a modern VPN built on top of Wireguard. It works like an overlay
+network between the computers of your networks using NAT traversal.
+
+%package bash-completion
+Summary: Tailscale bash completion
+Supplements: (%{name} and bash-completion)
+BuildArch: noarch
+
+%description bash-completion
+bash completions for %{name}
+
+%package zsh-completion
+Summary: Tailsacle zsh completion
+Supplements: (%{name} and zsh)
+BuildArch: noarch
+
+%description zsh-completion
+zsh completion for %{name}
+
+%package fish-completion
+Summary: Tailscale fish completion
+Supplements: (%{name} and fish)
+BuildArch: noarch
+
+%description fish-completion
+fish completion for %{name}
+
+%prep
+%autosetup -a1 -p1
+
+%build
+%ifnarch ppc64
+export GOFLAGS="-buildmode=pie"
+%endif
+export VERSION_SHORT=%{version}
+export VERSION_LONG=%{version}
+export VERSION_GIT_HASH='$(git rev-parse v%{version})'
+./build_dist.sh ./cmd/%{name}
+./build_dist.sh ./cmd/%{name}d
+
+#generate completions
+./%{name} completion bash > ./%{name}.bash
+./%{name} completion zsh > ./%{name}.zsh
+./%{name} completion fish > ./%{name}.fish
+
+%check
+./%{name} version
+./%{name}d -version
+
+%install
+mkdir -p %{buildroot}%{_sharedstatedir}/%{name}
+
+install -D -p -m 0755 %{name} %{buildroot}%{_bindir}/%{name}
+install -D -p -m 0755 %{name}d %{buildroot}%{_sbindir}/%{name}d
+
+# service
+install -D -p -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/%{name}d.service
+%if 0%{?suse_version} < 1600
+ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}d
+%endif
+
+# defaults
+install -D -p -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/default/%{name}d
+
+install -D -p -m 0644 ./%{name}.bash %{buildroot}%{_datadir}/bash-completion/completions/%{name}
+install -D -p -m 0644 ./%{name}.zsh %{buildroot}%{_datadir}/zsh/site-functions/_%{name}
+install -D -p -m 0644 ./%{name}.fish %{buildroot}%{_datadir}/fish/vendor_completions.d/%{name}
+
+%pre
+%service_add_pre %{name}d.service
+
+%post
+%service_add_post %{name}d.service
+
+%preun
+%service_del_preun %{name}d.service
+
+%postun
+%service_del_postun %{name}d.service
+
+%files
+%license LICENSE PATENTS
+%doc README.md SECURITY.md
+%config(noreplace) %{_sysconfdir}/default/%{name}d
+%dir %{_sharedstatedir}/%{name}
+%{_bindir}/%{name}
+%{_sbindir}/%{name}d
+%{_unitdir}/%{name}d.service
+%if 0%{?suse_version} < 1600
+%{_sbindir}/rc%{name}d
+%endif
+
+%files bash-completion
+%{_datadir}/bash-completion/completions/%{name}
+
+%files zsh-completion
+%{_datadir}/zsh/site-functions/_%{name}
+
+%files fish-completion
+%{_datadir}/fish/vendor_completions.d/%{name}
+
+%changelog
diff --git a/tailscaled.defaults b/tailscaled.defaults
new file mode 100644
index 0000000..75f1c3e
--- /dev/null
+++ b/tailscaled.defaults
@@ -0,0 +1,8 @@
+# Set the port to listen on for incoming VPN packets.
+# Remote nodes will automatically be informed about the new port number,
+# but you might want to configure this in order to set external firewall
+# settings.
+PORT="41641"
+
+# Extra flags you might want to pass to tailscaled.
+FLAGS=""
diff --git a/tailscaled.service b/tailscaled.service
new file mode 100644
index 0000000..b67b94d
--- /dev/null
+++ b/tailscaled.service
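Review bot: The state directory is packaged with default permissions in the `%files` list (`%dir %{_sharedstatedir}/%{name}`) while the accompanying tailscaled.service sets `StateDirectoryMode=0700` for the same path, which is where the daemon keeps `/var/lib/tailscale/tailscaled.state` per its `ExecStart` line; until the unit first starts and systemd re-applies the mode, the directory created by the RPM is world-readable. `%dir %attr(0700,root,root) %{_sharedstatedir}/%{name}` in `%files`, together with `install -d -m 0700 %{buildroot}%{_sharedstatedir}/%{name}` in place of the `mkdir -p` in `%install`, makes the packaged mode match the unit. Separately, `export VERSION_GIT_HASH='$(git rev-parse v%{version})'` is single-quoted, so the exported value is the literal text `$(git rev-parse v1.84.2)` rather than a commit hash unless build_dist.sh evaluates it; if the intent is to embed the tag's hash, drop the quotes or use double quotes. The zsh sub-package `Summary:` reads "Tailsacle", a typo for Tailscale.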
@@ -0,0 +1,35 @@
+[Unit]
+Description=Tailscale node agent
+Documentation=https://tailscale.com/kb/
+Wants=network-pre.target
+After=network-pre.target NetworkManager.service systemd-resolved.service
+
+[Service]
+EnvironmentFile=/etc/default/tailscaled
+ExecStartPre=/usr/sbin/tailscaled --cleanup
+ExecStart=/usr/sbin/tailscaled --state=/var/lib/tailscale/tailscaled.state --socket=/run/tailscale/tailscaled.sock --port=${PORT} $FLAGS
+ExecStopPost=/usr/sbin/tailscaled --cleanup
+Restart=on-failure
+RuntimeDirectory=tailscale
+RuntimeDirectoryMode=0755
+StateDirectory=tailscale
+StateDirectoryMode=0700
+CacheDirectory=tailscale
+CacheDirectoryMode=0750
+Type=notify
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+PrivateDevices=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+RestrictRealtime=true
+# give permission to TUN
+BindPaths=/dev/net/tun
+DeviceAllow=/dev/net/tun rw
+
+[Install]
+WantedBy=multi-user.target
diff --git a/vendor.tar.gz b/vendor.tar.gz
new file mode 100644
index 0000000..34d65a0
--- /dev/null
+++ b/vendor.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f5e8ca5dd053f2e8113bc756dae5c9ff4888ab918452a06bccc2bc9ed601f0f0
+size 19642550
-- 
2.51.1

From e3e3aab1be4eafcc6b509010baeec997d296f2d4c620d429fbf61e9a068a44af Mon Sep 17 00:00:00 2001
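Review bot: `ProtectSystem=` is absent from the hardening block, so /usr and the boot directories stay writable for this root daemon even though ProtectHome= and the ProtectKernel*= options are set; `ProtectSystem=true` is the safe addition here, whereas `strict` would need testing because tailscaled can rewrite /etc/resolv.conf on hosts where systemd-resolved is not managing DNS. `RestrictSUIDSGID=true` and `LockPersonality=true` are also normally harmless for a network daemon and fit the list under the openSUSE hardening link. The `# give permission to TUN` comment could say why both `BindPaths=` and `DeviceAllow=` are needed, presumably because the private /dev set up by `PrivateDevices=true` does not carry the TUN node, so the next person touching the hardening block does not drop one of them.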
From: Richard Rahl Date: Thu, 26 Jun 2025 17:44:30 +0000 Subject: [PATCH 06/25] - update to 1.84.3: * ipn/ipnlocal: Update hostinfo to control on service config change OBS-URL: https://build.opensuse.org/package/show/network:vpn/tailscale?expand=0&rev=83 --- .gitattributes | 23 ++ .gitignore | 1 + _service | 17 + _servicedata | 4 + build-verbose.patch | 13 + disable-auto-update.patch | 25 ++ fix-CVE-2024-45337.patch | 727 ++++++++++++++++++++++++++++++++++++++ fix-CVE-2025-22869.patch | 80 +++++ tailscale-1.70.0.tar.gz | 3 + tailscale-1.72.1.tar.gz | 3 + tailscale-1.74.0.tar.gz | 3 + tailscale-1.74.1.tar.gz | 3 + tailscale-1.76.1.tar.gz | 3 + tailscale-1.76.3.tar.gz | 3 + tailscale-1.76.6.tar.gz | 3 + tailscale-1.78.1.tar.gz | 3 + tailscale-1.78.3.tar.gz | 3 + tailscale-1.80.0.tar.gz | 3 + tailscale-1.80.1.tar.gz | 3 + tailscale-1.80.2.tar.gz | 3 + tailscale-1.80.3.tar.gz | 3 + tailscale-1.82.0.tar.gz | 3 + tailscale-1.82.5.tar.gz | 3 + tailscale-1.84.1.tar.gz | 3 + tailscale-1.84.2.tar.gz | 3 + tailscale-1.84.3.tar.gz | 3 + tailscale.changes | 532 ++++++++++++++++++++++++++++ tailscale.spec | 143 ++++++++ tailscaled.defaults | 8 + tailscaled.service | 35 ++ vendor.tar.gz | 3 + 31 files changed, 1665 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 _service create mode 100644 _servicedata create mode 100644 build-verbose.patch create mode 100644 disable-auto-update.patch create mode 100644 fix-CVE-2024-45337.patch create mode 100644 fix-CVE-2025-22869.patch create mode 100644 tailscale-1.70.0.tar.gz create mode 100644 tailscale-1.72.1.tar.gz create mode 100644 tailscale-1.74.0.tar.gz create mode 100644 tailscale-1.74.1.tar.gz create mode 100644 tailscale-1.76.1.tar.gz create mode 100644 tailscale-1.76.3.tar.gz create mode 100644 tailscale-1.76.6.tar.gz create mode 100644 tailscale-1.78.1.tar.gz create mode 100644 tailscale-1.78.3.tar.gz create mode 100644 tailscale-1.80.0.tar.gz create mode 100644 
tailscale-1.80.1.tar.gz create mode 100644 tailscale-1.80.2.tar.gz create mode 100644 tailscale-1.80.3.tar.gz create mode 100644 tailscale-1.82.0.tar.gz create mode 100644 tailscale-1.82.5.tar.gz create mode 100644 tailscale-1.84.1.tar.gz create mode 100644 tailscale-1.84.2.tar.gz create mode 100644 tailscale-1.84.3.tar.gz create mode 100644 tailscale.changes create mode 100644 tailscale.spec create mode 100644 tailscaled.defaults create mode 100644 tailscaled.service create mode 100644 vendor.tar.gz diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/_service b/_service new file mode 100644 index 0000000..f4c9cf1 --- /dev/null +++ b/_service 
@@ -0,0 +1,17 @@ + + + https://github.com/tailscale/tailscale.git + git + yes + refs/tags/v1.84.3 + @PARENT_TAG@ + v(.*) + disable + + + *.tar + gz + + + + diff --git a/_servicedata b/_servicedata new file mode 100644 index 0000000..d4fed67 --- /dev/null +++ b/_servicedata @@ -0,0 +1,4 @@ + + + https://github.com/tailscale/tailscale.git + aa448d5a9985378af04966c6d7aec8d9f4a166ca \ No newline at end of file diff --git a/build-verbose.patch b/build-verbose.patch new file mode 100644 index 0000000..5da7533 --- /dev/null +++ b/build-verbose.patch @@ -0,0 +1,13 @@ +diff --git a/build_dist.sh b/build_dist.sh +index 0c757c26..9639d596 100755 +--- a/build_dist.sh ++++ b/build_dist.sh +@@ -9,7 +9,7 @@ + # this script, or executing equivalent commands in your + # distro-specific build system. + +-set -eu ++set -eux + + go="go" + if [ -n "${TS_USE_TOOLCHAIN:-}" ]; then diff --git a/disable-auto-update.patch b/disable-auto-update.patch new file mode 100644 index 0000000..c7d8a30 --- /dev/null +++ b/disable-auto-update.patch 
@@ -0,0 +1,25 @@
+diff -rub tailscale/clientupdate/clientupdate.go tailscale-patched/clientupdate/clientupdate.go
+--- tailscale/clientupdate/clientupdate.go 2024-06-16 15:26:31.323022871 +0200
++++ tailscale-patched/clientupdate/clientupdate.go 2024-06-16 15:57:08.732315446 +0200
+@@ -205,6 +205,8 @@
+ // The distro.Debian switch case above should catch most apt-based
+ // systems, but add this fallback just in case.
+ return up.updateDebLike, true
++ case haveExecutable("zypper"):
++ return up.updateSUSE, false
+ case haveExecutable("dnf"):
+ return up.updateFedoraLike("dnf"), true
+ case haveExecutable("yum"):
+@@ -526,6 +528,12 @@
+ you can use "pacman --sync --refresh --sysupgrade" or "pacman -Syu" to upgrade the system, including Tailscale.`)
+ }
+
++func (up *Updater) updateSUSE() error {
++ // SUSE-based distros should update manually.
++ // The package can come from official Tailscale repos or not and the system can be transactional or not.
++ return errors.New(`Use Zypper or transactional-update (on applicable systems) to update Tailscale on openSUSE or SUSE Linux Enterprise installations.`)
++}
++
+ func (up *Updater) updateNixos() error {
+ // NixOS package updates are managed on a system level and not individually.
+ // Direct users to update their nix channel or nixpkgs flake input to
diff --git a/fix-CVE-2024-45337.patch b/fix-CVE-2024-45337.patch
new file mode 100644
index 0000000..1fbec70
--- /dev/null
+++ b/fix-CVE-2024-45337.patch
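Review bot: The new `case haveExecutable("zypper"):` in the first nested hunk is placed ahead of the existing `dnf` and `yum` cases and relies on switch ordering to win on hosts that carry more than one package manager; a one-line comment such as `// zypper before dnf: openSUSE hosts can have both installed` would keep that intent visible across the next rebase. The second return value `false` presumably marks the SUSE path as not auto-updatable, which is the purpose of the patch, so the doc comment on `updateSUSE` could state that the function only ever produces the manual-update message. The function enclosing the first hunk starts outside the hunk.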
@@ -0,0 +1,727 @@ +From 73128e25230fda8c82696ed0ffef991bce68cecc Mon Sep 17 00:00:00 2001 +From: Brad Fitzpatrick +Date: Thu, 12 Dec 2024 09:38:07 -0800 +Subject: [PATCH] ssh/tailssh: remove unused public key support + +When we first made Tailscale SSH, we assumed people would want public +key support soon after. Turns out that hasn't been the case; people +love the Tailscale identity authentication and check mode. + +In light of CVE-2024-45337, just remove all our public key code to not +distract people, and to make the code smaller. We can always get it +back from git if needed. + +Updates tailscale/corp#25131 +Updates golang/go#70779 + +Co-authored-by: Percy Wegmann +Change-Id: I87a6e79c2215158766a81942227a18b247333c22 +Signed-off-by: Brad Fitzpatrick +--- + Makefile | 1 - + ssh/tailssh/tailssh.go | 277 ++++-------------------------------- + ssh/tailssh/tailssh_test.go | 88 +----------- + tailcfg/tailcfg.go | 18 ++- + tailcfg/tailcfg_clone.go | 12 +- + tailcfg/tailcfg_view.go | 22 +-- + 6 files changed, 54 insertions(+), 364 deletions(-) + +diff --git a/Makefile b/Makefile +index 960f13885c11c..d3e50af0571b7 100644 +--- a/Makefile ++++ b/Makefile +@@ -116,7 +116,6 @@ sshintegrationtest: ## Run the SSH integration tests in various Docker container + GOOS=linux GOARCH=amd64 ./tool/go build -o ssh/tailssh/testcontainers/tailscaled ./cmd/tailscaled && \ + echo "Testing on ubuntu:focal" && docker build --build-arg="BASE=ubuntu:focal" -t ssh-ubuntu-focal ssh/tailssh/testcontainers && \ + echo "Testing on ubuntu:jammy" && docker build --build-arg="BASE=ubuntu:jammy" -t ssh-ubuntu-jammy ssh/tailssh/testcontainers && \ +- echo "Testing on ubuntu:mantic" && docker build --build-arg="BASE=ubuntu:mantic" -t ssh-ubuntu-mantic ssh/tailssh/testcontainers && \ + echo "Testing on ubuntu:noble" && docker build --build-arg="BASE=ubuntu:noble" -t ssh-ubuntu-noble ssh/tailssh/testcontainers && \ + echo "Testing on alpine:latest" && docker build --build-arg="BASE=alpine:latest" -t 
ssh-alpine-latest ssh/tailssh/testcontainers + +diff --git a/ssh/tailssh/tailssh.go b/ssh/tailssh/tailssh.go +index 7cb99c3813104..7f21ccd1182ee 100644 +--- a/ssh/tailssh/tailssh.go ++++ b/ssh/tailssh/tailssh.go +@@ -10,7 +10,6 @@ import ( + "bytes" + "context" + "crypto/rand" +- "encoding/base64" + "encoding/json" + "errors" + "fmt" +@@ -45,7 +44,6 @@ import ( + "tailscale.com/util/clientmetric" + "tailscale.com/util/httpm" + "tailscale.com/util/mak" +- "tailscale.com/util/slicesx" + ) + + var ( +@@ -80,16 +78,14 @@ type server struct { + logf logger.Logf + tailscaledPath string + +- pubKeyHTTPClient *http.Client // or nil for http.DefaultClient +- timeNow func() time.Time // or nil for time.Now ++ timeNow func() time.Time // or nil for time.Now + + sessionWaitGroup sync.WaitGroup + + // mu protects the following +- mu sync.Mutex +- activeConns map[*conn]bool // set; value is always true +- fetchPublicKeysCache map[string]pubKeyCacheEntry // by https URL +- shutdownCalled bool ++ mu sync.Mutex ++ activeConns map[*conn]bool // set; value is always true ++ shutdownCalled bool + } + + func (srv *server) now() time.Time { +@@ -204,7 +200,6 @@ func (srv *server) OnPolicyChange() { + // + // Do the user auth + // - NoClientAuthHandler +-// - PublicKeyHandler (only if NoClientAuthHandler returns errPubKeyRequired) + // + // Once auth is done, the conn can be multiplexed with multiple sessions and + // channels concurrently. 
At which point any of the following can be called +@@ -234,10 +229,9 @@ type conn struct { + finalAction *tailcfg.SSHAction // set by doPolicyAuth or resolveNextAction + finalActionErr error // set by doPolicyAuth or resolveNextAction + +- info *sshConnInfo // set by setInfo +- localUser *userMeta // set by doPolicyAuth +- userGroupIDs []string // set by doPolicyAuth +- pubKey gossh.PublicKey // set by doPolicyAuth ++ info *sshConnInfo // set by setInfo ++ localUser *userMeta // set by doPolicyAuth ++ userGroupIDs []string // set by doPolicyAuth + acceptEnv []string + + // mu protects the following fields. +@@ -268,9 +262,6 @@ func (c *conn) isAuthorized(ctx ssh.Context) error { + action := c.currentAction + for { + if action.Accept { +- if c.pubKey != nil { +- metricPublicKeyAccepts.Add(1) +- } + return nil + } + if action.Reject || action.HoldAndDelegate == "" { +@@ -293,10 +284,6 @@ func (c *conn) isAuthorized(ctx ssh.Context) error { + // policy. + var errDenied = errors.New("ssh: access denied") + +-// errPubKeyRequired is returned by NoClientAuthCallback to make the client +-// resort to public-key auth; not user visible. +-var errPubKeyRequired = errors.New("ssh publickey required") +- + // NoClientAuthCallback implements gossh.NoClientAuthCallback and is called by + // the ssh.Server when the client first connects with the "none" + // authentication method. +@@ -305,13 +292,12 @@ var errPubKeyRequired = errors.New("ssh publickey required") + // starting it afresh). It returns an error if the policy evaluation fails, or + // if the decision is "reject" + // +-// It either returns nil (accept) or errPubKeyRequired or errDenied +-// (reject). The errors may be wrapped. ++// It either returns nil (accept) or errDenied (reject). The errors may be wrapped. 
+ func (c *conn) NoClientAuthCallback(ctx ssh.Context) error { + if c.insecureSkipTailscaleAuth { + return nil + } +- if err := c.doPolicyAuth(ctx, nil /* no pub key */); err != nil { ++ if err := c.doPolicyAuth(ctx); err != nil { + return err + } + if err := c.isAuthorized(ctx); err != nil { +@@ -332,8 +318,6 @@ func (c *conn) nextAuthMethodCallback(cm gossh.ConnMetadata, prevErrors []error) + switch { + case c.anyPasswordIsOkay: + nextMethod = append(nextMethod, "password") +- case slicesx.LastEqual(prevErrors, errPubKeyRequired): +- nextMethod = append(nextMethod, "publickey") + } + + // The fake "tailscale" method is always appended to next so OpenSSH renders +@@ -353,41 +337,20 @@ func (c *conn) fakePasswordHandler(ctx ssh.Context, password string) bool { + return c.anyPasswordIsOkay + } + +-// PublicKeyHandler implements ssh.PublicKeyHandler is called by the +-// ssh.Server when the client presents a public key. +-func (c *conn) PublicKeyHandler(ctx ssh.Context, pubKey ssh.PublicKey) error { +- if err := c.doPolicyAuth(ctx, pubKey); err != nil { +- // TODO(maisem/bradfitz): surface the error here. +- c.logf("rejecting SSH public key %s: %v", bytes.TrimSpace(gossh.MarshalAuthorizedKey(pubKey)), err) +- return err +- } +- if err := c.isAuthorized(ctx); err != nil { +- return err +- } +- c.logf("accepting SSH public key %s", bytes.TrimSpace(gossh.MarshalAuthorizedKey(pubKey))) +- return nil +-} +- +-// doPolicyAuth verifies that conn can proceed with the specified (optional) +-// pubKey. It returns nil if the matching policy action is Accept or +-// HoldAndDelegate. If pubKey is nil, there was no policy match but there is a +-// policy that might match a public key it returns errPubKeyRequired. Otherwise, +-// it returns errDenied. +-func (c *conn) doPolicyAuth(ctx ssh.Context, pubKey ssh.PublicKey) error { ++// doPolicyAuth verifies that conn can proceed. ++// It returns nil if the matching policy action is Accept or ++// HoldAndDelegate. 
Otherwise, it returns errDenied. ++func (c *conn) doPolicyAuth(ctx ssh.Context) error { + if err := c.setInfo(ctx); err != nil { + c.logf("failed to get conninfo: %v", err) + return errDenied + } +- a, localUser, acceptEnv, err := c.evaluatePolicy(pubKey) ++ a, localUser, acceptEnv, err := c.evaluatePolicy() + if err != nil { +- if pubKey == nil && c.havePubKeyPolicy() { +- return errPubKeyRequired +- } + return fmt.Errorf("%w: %v", errDenied, err) + } + c.action0 = a + c.currentAction = a +- c.pubKey = pubKey + c.acceptEnv = acceptEnv + if a.Message != "" { + if err := ctx.SendAuthBanner(a.Message); err != nil { +@@ -448,7 +411,6 @@ func (srv *server) newConn() (*conn, error) { + ServerConfigCallback: c.ServerConfig, + + NoClientAuthHandler: c.NoClientAuthCallback, +- PublicKeyHandler: c.PublicKeyHandler, + PasswordHandler: c.fakePasswordHandler, + + Handler: c.handleSessionPostSSHAuth, +@@ -516,34 +478,6 @@ func (c *conn) mayForwardLocalPortTo(ctx ssh.Context, destinationHost string, de + return false + } + +-// havePubKeyPolicy reports whether any policy rule may provide access by means +-// of a ssh.PublicKey. +-func (c *conn) havePubKeyPolicy() bool { +- if c.info == nil { +- panic("havePubKeyPolicy called before setInfo") +- } +- // Is there any rule that looks like it'd require a public key for this +- // sshUser? +- pol, ok := c.sshPolicy() +- if !ok { +- return false +- } +- for _, r := range pol.Rules { +- if c.ruleExpired(r) { +- continue +- } +- if mapLocalUser(r.SSHUsers, c.info.sshUser) == "" { +- continue +- } +- for _, p := range r.Principals { +- if len(p.PubKeys) > 0 && c.principalMatchesTailscaleIdentity(p) { +- return true +- } +- } +- } +- return false +-} +- + // sshPolicy returns the SSHPolicy for current node. + // If there is no SSHPolicy in the netmap, it returns a debugPolicy + // if one is defined. 
+@@ -620,117 +554,19 @@ func (c *conn) setInfo(ctx ssh.Context) error { + } + + // evaluatePolicy returns the SSHAction and localUser after evaluating +-// the SSHPolicy for this conn. The pubKey may be nil for "none" auth. +-func (c *conn) evaluatePolicy(pubKey gossh.PublicKey) (_ *tailcfg.SSHAction, localUser string, acceptEnv []string, _ error) { ++// the SSHPolicy for this conn. ++func (c *conn) evaluatePolicy() (_ *tailcfg.SSHAction, localUser string, acceptEnv []string, _ error) { + pol, ok := c.sshPolicy() + if !ok { + return nil, "", nil, fmt.Errorf("tailssh: rejecting connection; no SSH policy") + } +- a, localUser, acceptEnv, ok := c.evalSSHPolicy(pol, pubKey) ++ a, localUser, acceptEnv, ok := c.evalSSHPolicy(pol) + if !ok { + return nil, "", nil, fmt.Errorf("tailssh: rejecting connection; no matching policy") + } + return a, localUser, acceptEnv, nil + } + +-// pubKeyCacheEntry is the cache value for an HTTPS URL of public keys (like +-// "https://github.com/foo.keys") +-type pubKeyCacheEntry struct { +- lines []string +- etag string // if sent by server +- at time.Time +-} +- +-const ( +- pubKeyCacheDuration = time.Minute // how long to cache non-empty public keys +- pubKeyCacheEmptyDuration = 15 * time.Second // how long to cache empty responses +-) +- +-func (srv *server) fetchPublicKeysURLCached(url string) (ce pubKeyCacheEntry, ok bool) { +- srv.mu.Lock() +- defer srv.mu.Unlock() +- // Mostly don't care about the size of this cache. Clean rarely. 
+- if m := srv.fetchPublicKeysCache; len(m) > 50 { +- tooOld := srv.now().Add(pubKeyCacheDuration * 10) +- for k, ce := range m { +- if ce.at.Before(tooOld) { +- delete(m, k) +- } +- } +- } +- ce, ok = srv.fetchPublicKeysCache[url] +- if !ok { +- return ce, false +- } +- maxAge := pubKeyCacheDuration +- if len(ce.lines) == 0 { +- maxAge = pubKeyCacheEmptyDuration +- } +- return ce, srv.now().Sub(ce.at) < maxAge +-} +- +-func (srv *server) pubKeyClient() *http.Client { +- if srv.pubKeyHTTPClient != nil { +- return srv.pubKeyHTTPClient +- } +- return http.DefaultClient +-} +- +-// fetchPublicKeysURL fetches the public keys from a URL. The strings are in the +-// the typical public key "type base64-string [comment]" format seen at e.g. +-// https://github.com/USER.keys +-func (srv *server) fetchPublicKeysURL(url string) ([]string, error) { +- if !strings.HasPrefix(url, "https://") { +- return nil, errors.New("invalid URL scheme") +- } +- +- ce, ok := srv.fetchPublicKeysURLCached(url) +- if ok { +- return ce.lines, nil +- } +- +- ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second) +- defer cancel() +- req, err := http.NewRequestWithContext(ctx, "GET", url, nil) +- if err != nil { +- return nil, err +- } +- if ce.etag != "" { +- req.Header.Add("If-None-Match", ce.etag) +- } +- res, err := srv.pubKeyClient().Do(req) +- if err != nil { +- return nil, err +- } +- defer res.Body.Close() +- var lines []string +- var etag string +- switch res.StatusCode { +- default: +- err = fmt.Errorf("unexpected status %v", res.Status) +- srv.logf("fetching public keys from %s: %v", url, err) +- case http.StatusNotModified: +- lines = ce.lines +- etag = ce.etag +- case http.StatusOK: +- var all []byte +- all, err = io.ReadAll(io.LimitReader(res.Body, 4<<10)) +- if s := strings.TrimSpace(string(all)); s != "" { +- lines = strings.Split(s, "\n") +- } +- etag = res.Header.Get("Etag") +- } +- +- srv.mu.Lock() +- defer srv.mu.Unlock() +- mak.Set(&srv.fetchPublicKeysCache, 
url, pubKeyCacheEntry{ +- at: srv.now(), +- lines: lines, +- etag: etag, +- }) +- return lines, err +-} +- + // handleSessionPostSSHAuth runs an SSH session after the SSH-level authentication, + // but not necessarily before all the Tailscale-level extra verification has + // completed. It also handles SFTP requests. +@@ -832,18 +668,6 @@ func (c *conn) expandDelegateURLLocked(actionURL string) string { + ).Replace(actionURL) + } + +-func (c *conn) expandPublicKeyURL(pubKeyURL string) string { +- if !strings.Contains(pubKeyURL, "$") { +- return pubKeyURL +- } +- loginName := c.info.uprof.LoginName +- localPart, _, _ := strings.Cut(loginName, "@") +- return strings.NewReplacer( +- "$LOGINNAME_EMAIL", loginName, +- "$LOGINNAME_LOCALPART", localPart, +- ).Replace(pubKeyURL) +-} +- + // sshSession is an accepted Tailscale SSH session. + type sshSession struct { + ssh.Session +@@ -894,7 +718,7 @@ func (c *conn) newSSHSession(s ssh.Session) *sshSession { + + // isStillValid reports whether the conn is still valid. 
+ func (c *conn) isStillValid() bool { +- a, localUser, _, err := c.evaluatePolicy(c.pubKey) ++ a, localUser, _, err := c.evaluatePolicy() + c.vlogf("stillValid: %+v %v %v", a, localUser, err) + if err != nil { + return false +@@ -1277,9 +1101,9 @@ func (c *conn) ruleExpired(r *tailcfg.SSHRule) bool { + return r.RuleExpires.Before(c.srv.now()) + } + +-func (c *conn) evalSSHPolicy(pol *tailcfg.SSHPolicy, pubKey gossh.PublicKey) (a *tailcfg.SSHAction, localUser string, acceptEnv []string, ok bool) { ++func (c *conn) evalSSHPolicy(pol *tailcfg.SSHPolicy) (a *tailcfg.SSHAction, localUser string, acceptEnv []string, ok bool) { + for _, r := range pol.Rules { +- if a, localUser, acceptEnv, err := c.matchRule(r, pubKey); err == nil { ++ if a, localUser, acceptEnv, err := c.matchRule(r); err == nil { + return a, localUser, acceptEnv, true + } + } +@@ -1296,7 +1120,7 @@ var ( + errInvalidConn = errors.New("invalid connection state") + ) + +-func (c *conn) matchRule(r *tailcfg.SSHRule, pubKey gossh.PublicKey) (a *tailcfg.SSHAction, localUser string, acceptEnv []string, err error) { ++func (c *conn) matchRule(r *tailcfg.SSHRule) (a *tailcfg.SSHAction, localUser string, acceptEnv []string, err error) { + defer func() { + c.vlogf("matchRule(%+v): %v", r, err) + }() +@@ -1326,9 +1150,7 @@ func (c *conn) matchRule(r *tailcfg.SSHRule, pubKey gossh.PublicKey) (a *tailcfg + return nil, "", nil, errUserMatch + } + } +- if ok, err := c.anyPrincipalMatches(r.Principals, pubKey); err != nil { +- return nil, "", nil, err +- } else if !ok { ++ if !c.anyPrincipalMatches(r.Principals) { + return nil, "", nil, errPrincipalMatch + } + return r.Action, localUser, r.AcceptEnv, nil +@@ -1345,30 +1167,20 @@ func mapLocalUser(ruleSSHUsers map[string]string, reqSSHUser string) (localUser + return v + } + +-func (c *conn) anyPrincipalMatches(ps []*tailcfg.SSHPrincipal, pubKey gossh.PublicKey) (bool, error) { ++func (c *conn) anyPrincipalMatches(ps []*tailcfg.SSHPrincipal) bool { + for _, p := range 
ps { + if p == nil { + continue + } +- if ok, err := c.principalMatches(p, pubKey); err != nil { +- return false, err +- } else if ok { +- return true, nil ++ if c.principalMatchesTailscaleIdentity(p) { ++ return true + } + } +- return false, nil +-} +- +-func (c *conn) principalMatches(p *tailcfg.SSHPrincipal, pubKey gossh.PublicKey) (bool, error) { +- if !c.principalMatchesTailscaleIdentity(p) { +- return false, nil +- } +- return c.principalMatchesPubKey(p, pubKey) ++ return false + } + + // principalMatchesTailscaleIdentity reports whether one of p's four fields + // that match the Tailscale identity match (Node, NodeIP, UserLogin, Any). +-// This function does not consider PubKeys. + func (c *conn) principalMatchesTailscaleIdentity(p *tailcfg.SSHPrincipal) bool { + ci := c.info + if p.Any { +@@ -1388,42 +1200,6 @@ func (c *conn) principalMatchesTailscaleIdentity(p *tailcfg.SSHPrincipal) bool { + return false + } + +-func (c *conn) principalMatchesPubKey(p *tailcfg.SSHPrincipal, clientPubKey gossh.PublicKey) (bool, error) { +- if len(p.PubKeys) == 0 { +- return true, nil +- } +- if clientPubKey == nil { +- return false, nil +- } +- knownKeys := p.PubKeys +- if len(knownKeys) == 1 && strings.HasPrefix(knownKeys[0], "https://") { +- var err error +- knownKeys, err = c.srv.fetchPublicKeysURL(c.expandPublicKeyURL(knownKeys[0])) +- if err != nil { +- return false, err +- } +- } +- for _, knownKey := range knownKeys { +- if pubKeyMatchesAuthorizedKey(clientPubKey, knownKey) { +- return true, nil +- } +- } +- return false, nil +-} +- +-func pubKeyMatchesAuthorizedKey(pubKey ssh.PublicKey, wantKey string) bool { +- wantKeyType, rest, ok := strings.Cut(wantKey, " ") +- if !ok { +- return false +- } +- if pubKey.Type() != wantKeyType { +- return false +- } +- wantKeyB64, _, _ := strings.Cut(rest, " ") +- wantKeyData, _ := base64.StdEncoding.DecodeString(wantKeyB64) +- return len(wantKeyData) > 0 && bytes.Equal(pubKey.Marshal(), wantKeyData) +-} +- + func randBytes(n int) 
[]byte { + b := make([]byte, n) + if _, err := rand.Read(b); err != nil { +@@ -1749,7 +1525,6 @@ func envEq(a, b string) bool { + var ( + metricActiveSessions = clientmetric.NewGauge("ssh_active_sessions") + metricIncomingConnections = clientmetric.NewCounter("ssh_incoming_connections") +- metricPublicKeyAccepts = clientmetric.NewCounter("ssh_publickey_accepts") // accepted subset of ssh_publickey_connections + metricTerminalAccept = clientmetric.NewCounter("ssh_terminalaction_accept") + metricTerminalReject = clientmetric.NewCounter("ssh_terminalaction_reject") + metricTerminalMalformed = clientmetric.NewCounter("ssh_terminalaction_malformed") +diff --git a/ssh/tailssh/tailssh_test.go b/ssh/tailssh/tailssh_test.go +index ad9cb1e57b53d..9f3616d8ca8ab 100644 +--- a/ssh/tailssh/tailssh_test.go ++++ b/ssh/tailssh/tailssh_test.go +@@ -10,7 +10,6 @@ import ( + "context" + "crypto/ed25519" + "crypto/rand" +- "crypto/sha256" + "encoding/json" + "errors" + "fmt" +@@ -229,7 +228,7 @@ func TestMatchRule(t *testing.T) { + info: tt.ci, + srv: &server{logf: t.Logf}, + } +- got, gotUser, gotAcceptEnv, err := c.matchRule(tt.rule, nil) ++ got, gotUser, gotAcceptEnv, err := c.matchRule(tt.rule) + if err != tt.wantErr { + t.Errorf("err = %v; want %v", err, tt.wantErr) + } +@@ -348,7 +347,7 @@ func TestEvalSSHPolicy(t *testing.T) { + info: tt.ci, + srv: &server{logf: t.Logf}, + } +- got, gotUser, gotAcceptEnv, match := c.evalSSHPolicy(tt.policy, nil) ++ got, gotUser, gotAcceptEnv, match := c.evalSSHPolicy(tt.policy) + if match != tt.wantMatch { + t.Errorf("match = %v; want %v", match, tt.wantMatch) + } +@@ -1129,89 +1128,6 @@ func parseEnv(out []byte) map[string]string { + return e + } + +-func TestPublicKeyFetching(t *testing.T) { +- var reqsTotal, reqsIfNoneMatchHit, reqsIfNoneMatchMiss int32 +- ts := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { +- atomic.AddInt32((&reqsTotal), 1) +- etag := fmt.Sprintf("W/%q", 
sha256.Sum256([]byte(r.URL.Path))) +- w.Header().Set("Etag", etag) +- if v := r.Header.Get("If-None-Match"); v != "" { +- if v == etag { +- atomic.AddInt32(&reqsIfNoneMatchHit, 1) +- w.WriteHeader(304) +- return +- } +- atomic.AddInt32(&reqsIfNoneMatchMiss, 1) +- } +- io.WriteString(w, "foo\nbar\n"+string(r.URL.Path)+"\n") +- })) +- ts.StartTLS() +- defer ts.Close() +- keys := ts.URL +- +- clock := &tstest.Clock{} +- srv := &server{ +- pubKeyHTTPClient: ts.Client(), +- timeNow: clock.Now, +- } +- for range 2 { +- got, err := srv.fetchPublicKeysURL(keys + "/alice.keys") +- if err != nil { +- t.Fatal(err) +- } +- if want := []string{"foo", "bar", "/alice.keys"}; !reflect.DeepEqual(got, want) { +- t.Errorf("got %q; want %q", got, want) +- } +- } +- if got, want := atomic.LoadInt32(&reqsTotal), int32(1); got != want { +- t.Errorf("got %d requests; want %d", got, want) +- } +- if got, want := atomic.LoadInt32(&reqsIfNoneMatchHit), int32(0); got != want { +- t.Errorf("got %d etag hits; want %d", got, want) +- } +- clock.Advance(5 * time.Minute) +- got, err := srv.fetchPublicKeysURL(keys + "/alice.keys") +- if err != nil { +- t.Fatal(err) +- } +- if want := []string{"foo", "bar", "/alice.keys"}; !reflect.DeepEqual(got, want) { +- t.Errorf("got %q; want %q", got, want) +- } +- if got, want := atomic.LoadInt32(&reqsTotal), int32(2); got != want { +- t.Errorf("got %d requests; want %d", got, want) +- } +- if got, want := atomic.LoadInt32(&reqsIfNoneMatchHit), int32(1); got != want { +- t.Errorf("got %d etag hits; want %d", got, want) +- } +- if got, want := atomic.LoadInt32(&reqsIfNoneMatchMiss), int32(0); got != want { +- t.Errorf("got %d etag misses; want %d", got, want) +- } +- +-} +- +-func TestExpandPublicKeyURL(t *testing.T) { +- c := &conn{ +- info: &sshConnInfo{ +- uprof: tailcfg.UserProfile{ +- LoginName: "bar@baz.tld", +- }, +- }, +- } +- if got, want := c.expandPublicKeyURL("foo"), "foo"; got != want { +- t.Errorf("basic: got %q; want %q", got, want) +- } +- if 
got, want := c.expandPublicKeyURL("https://example.com/$LOGINNAME_LOCALPART.keys"), "https://example.com/bar.keys"; got != want { +- t.Errorf("localpart: got %q; want %q", got, want) +- } +- if got, want := c.expandPublicKeyURL("https://example.com/keys?email=$LOGINNAME_EMAIL"), "https://example.com/keys?email=bar@baz.tld"; got != want { +- t.Errorf("email: got %q; want %q", got, want) +- } +- c.info = new(sshConnInfo) +- if got, want := c.expandPublicKeyURL("https://example.com/keys?email=$LOGINNAME_EMAIL"), "https://example.com/keys?email="; got != want { +- t.Errorf("on empty: got %q; want %q", got, want) +- } +-} +- + func TestAcceptEnvPair(t *testing.T) { + tests := []struct { + in string +diff --git a/tailcfg/tailcfg.go b/tailcfg/tailcfg.go +index 897e8d27f7f7b..be6c4f0be6b82 100644 +--- a/tailcfg/tailcfg.go ++++ b/tailcfg/tailcfg.go +@@ -152,7 +152,8 @@ type CapabilityVersion int + // - 107: 2024-10-30: add App Connector to conffile (PR #13942) + // - 108: 2024-11-08: Client sends ServicesHash in Hostinfo, understands c2n GET /vip-services. + // - 109: 2024-11-18: Client supports filtertype.Match.SrcCaps (issue #12542) +-const CurrentCapabilityVersion CapabilityVersion = 109 ++// - 110: 2024-12-12: removed never-before-used Tailscale SSH public key support (#14373) ++const CurrentCapabilityVersion CapabilityVersion = 110 + + type StableID string + +@@ -2525,16 +2526,13 @@ type SSHPrincipal struct { + Any bool `json:"any,omitempty"` // if true, match any connection + // TODO(bradfitz): add StableUserID, once that exists + +- // PubKeys, if non-empty, means that this SSHPrincipal only +- // matches if one of these public keys is presented by the user. ++ // UnusedPubKeys was public key support. It never became an official product ++ // feature and so as of 2024-12-12 is being removed. ++ // This stub exists to remind us not to re-use the JSON field name "pubKeys" ++ // in the future if we bring it back with different semantics. 
+ // +- // As a special case, if len(PubKeys) == 1 and PubKeys[0] starts +- // with "https://", then it's fetched (like https://github.com/username.keys). +- // In that case, the following variable expansions are also supported +- // in the URL: +- // * $LOGINNAME_EMAIL ("foo@bar.com" or "foo@github") +- // * $LOGINNAME_LOCALPART (the "foo" from either of the above) +- PubKeys []string `json:"pubKeys,omitempty"` ++ // Deprecated: do not use. It does nothing. ++ UnusedPubKeys []string `json:"pubKeys,omitempty"` + } + + // SSHAction is how to handle an incoming connection. +diff --git a/tailcfg/tailcfg_clone.go b/tailcfg/tailcfg_clone.go +index f4f02c01721dc..bf9bac2980df9 100644 +--- a/tailcfg/tailcfg_clone.go ++++ b/tailcfg/tailcfg_clone.go +@@ -556,17 +556,17 @@ func (src *SSHPrincipal) Clone() *SSHPrincipal { + } + dst := new(SSHPrincipal) + *dst = *src +- dst.PubKeys = append(src.PubKeys[:0:0], src.PubKeys...) ++ dst.UnusedPubKeys = append(src.UnusedPubKeys[:0:0], src.UnusedPubKeys...) + return dst + } + + // A compilation failure here means this code must be regenerated, with the command at the top of this file. + var _SSHPrincipalCloneNeedsRegeneration = SSHPrincipal(struct { +- Node StableNodeID +- NodeIP string +- UserLogin string +- Any bool +- PubKeys []string ++ Node StableNodeID ++ NodeIP string ++ UserLogin string ++ Any bool ++ UnusedPubKeys []string + }{}) + + // Clone makes a deep copy of ControlDialPlan. 
+diff --git a/tailcfg/tailcfg_view.go b/tailcfg/tailcfg_view.go +index f275a6a9da5f2..6c21e5f450340 100644 +--- a/tailcfg/tailcfg_view.go ++++ b/tailcfg/tailcfg_view.go +@@ -1260,19 +1260,21 @@ func (v *SSHPrincipalView) UnmarshalJSON(b []byte) error { + return nil + } + +-func (v SSHPrincipalView) Node() StableNodeID { return v.ж.Node } +-func (v SSHPrincipalView) NodeIP() string { return v.ж.NodeIP } +-func (v SSHPrincipalView) UserLogin() string { return v.ж.UserLogin } +-func (v SSHPrincipalView) Any() bool { return v.ж.Any } +-func (v SSHPrincipalView) PubKeys() views.Slice[string] { return views.SliceOf(v.ж.PubKeys) } ++func (v SSHPrincipalView) Node() StableNodeID { return v.ж.Node } ++func (v SSHPrincipalView) NodeIP() string { return v.ж.NodeIP } ++func (v SSHPrincipalView) UserLogin() string { return v.ж.UserLogin } ++func (v SSHPrincipalView) Any() bool { return v.ж.Any } ++func (v SSHPrincipalView) UnusedPubKeys() views.Slice[string] { ++ return views.SliceOf(v.ж.UnusedPubKeys) ++} + + // A compilation failure here means this code must be regenerated, with the command at the top of this file. + var _SSHPrincipalViewNeedsRegeneration = SSHPrincipal(struct { +- Node StableNodeID +- NodeIP string +- UserLogin string +- Any bool +- PubKeys []string ++ Node StableNodeID ++ NodeIP string ++ UserLogin string ++ Any bool ++ UnusedPubKeys []string + }{}) + + // View returns a readonly view of ControlDialPlan. diff --git a/fix-CVE-2025-22869.patch b/fix-CVE-2025-22869.patch new file mode 100644 index 0000000..001df0a --- /dev/null +++ b/fix-CVE-2025-22869.patch 
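Review bot: The tailcfg.go hunk keeps the `pubKeys` JSON field alive as `UnusedPubKeys` while the tailssh.go hunks drop `principalMatchesPubKey`, so a policy that still lists public keys on a principal is decoded without error and that principal now matches on Tailscale identity alone — the key stops being an additional requirement. That is a loosening for any such policy rather than a tightening and is worth stating in the package changelog if it is not already, because the file name suggests a pure CVE fix; the library-side fix for CVE-2024-45337 is the golang.org/x/crypto version carried in vendor.tar.gz, which this patch does not touch. Since the upstream commit is dated 2024-12-12 and the package now builds 1.84.3, also confirm the patch still applies instead of duplicating code the tarball already contains.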
@@ -0,0 +1,80 @@ +diff -rub tailscale-1.82.0/go.mod tailscale-1.82.0-patched/go.mod +--- tailscale-1.82.0/go.mod 2025-03-26 20:26:55.000000000 +0100 ++++ tailscale-1.82.0-patched/go.mod 2025-03-26 22:23:51.011357984 +0100 +@@ -94,14 +94,14 @@ + go.uber.org/zap v1.27.0 + go4.org/mem v0.0.0-20240501181205-ae6ca9944745 + go4.org/netipx v0.0.0-20231129151722-fdeea329fbba +- golang.org/x/crypto v0.35.0 ++ golang.org/x/crypto v0.36.0 + golang.org/x/exp v0.0.0-20250210185358-939b2ce775ac + golang.org/x/mod v0.23.0 + golang.org/x/net v0.36.0 + golang.org/x/oauth2 v0.26.0 +- golang.org/x/sync v0.11.0 +- golang.org/x/sys v0.30.0 +- golang.org/x/term v0.29.0 ++ golang.org/x/sync v0.12.0 ++ golang.org/x/sys v0.31.0 ++ golang.org/x/term v0.30.0 + golang.org/x/time v0.10.0 + golang.org/x/tools v0.30.0 + golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 +@@ -382,7 +382,7 @@ + go.uber.org/multierr v1.11.0 // indirect + golang.org/x/exp/typeparams v0.0.0-20240314144324-c7f7c6466f7f // indirect + golang.org/x/image v0.24.0 // indirect +- golang.org/x/text v0.22.0 // indirect ++ golang.org/x/text v0.23.0 // indirect + gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect + google.golang.org/protobuf v1.35.1 // indirect + gopkg.in/inf.v0 v0.9.1 // indirect +diff -rub tailscale-1.82.0/go.sum tailscale-1.82.0-patched/go.sum +--- tailscale-1.82.0/go.sum 2025-03-26 20:26:55.000000000 +0100 ++++ tailscale-1.82.0-patched/go.sum 2025-03-26 22:24:39.260395929 +0100 +@@ -1047,6 +1047,8 @@ + golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= + golang.org/x/crypto v0.35.0 h1:b15kiHdrGCHrP6LvwaQ3c03kgNhhiMgvlhxHQhmg2Xs= + golang.org/x/crypto v0.35.0/go.mod h1:dy7dXNW32cAb/6/PRuTNsix8T+vJAqvuIy5Bli/x0YQ= ++golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34= ++golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc= + golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod 
h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= + golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= + golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= +@@ -1160,6 +1162,8 @@ + golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= + golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w= + golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= ++golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw= ++golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA= + golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= + golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= + golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +@@ -1220,6 +1224,8 @@ + golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= + golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc= + golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= ++golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik= ++golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= + golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= + golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= + golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +@@ -1228,6 +1234,8 @@ + golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= + golang.org/x/term v0.29.0 h1:L6pJp37ocefwRRtYPKSWOWzOtWSxVajvz2ldH/xi3iU= + golang.org/x/term v0.29.0/go.mod h1:6bl4lRlvVuDgSf3179VpIxBF0o10JUpXWOnI7nErv7s= 
++golang.org/x/term v0.30.0 h1:PQ39fJZ+mfadBm0y5WlL4vlM7Sx1Hgf13sMIY2+QS9Y= ++golang.org/x/term v0.30.0/go.mod h1:NYYFdzHoI5wRh/h5tDMdMqCqPJZEuNqVR5xJLd/n67g= + golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= + golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= + golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +@@ -1240,6 +1248,8 @@ + golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= + golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM= + golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY= ++golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY= ++golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4= + golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= + golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= + golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +Only in tailscale-1.82.0-patched: vendor diff --git a/tailscale-1.70.0.tar.gz b/tailscale-1.70.0.tar.gz new file mode 100644 index 0000000..66e7c90 --- /dev/null +++ b/tailscale-1.70.0.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:294d6df3f4585152bd612eed9b34a6c2062589c8989f86ee25e750c37164fcd5 +size 55014834 diff --git a/tailscale-1.72.1.tar.gz b/tailscale-1.72.1.tar.gz new file mode 100644 index 0000000..ea2e024 --- /dev/null +++ b/tailscale-1.72.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:03e15ea076362eda1a44712351ba2a19bf746970fee8ddc4013513a07337cbe0 +size 11331158 diff --git a/tailscale-1.74.0.tar.gz b/tailscale-1.74.0.tar.gz new file mode 100644 index 0000000..7923deb --- /dev/null 
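Review bot: fix-CVE-2025-22869.patch is added here but nothing in the commit applies it: tailscale.spec lists only `Patch0: build-verbose.patch` and `Patch1: disable-auto-update.patch`, its Version is 1.84.3 while this patch is written against tailscale-1.82.0, and the changes file records the patch as removed at 1.84.0 because upstream updated the dependency. An unapplied file named after a CVE misleads anyone auditing whether the fix is present; either drop it from the package sources or, if it is meant to be applied, add a `Patch2: fix-CVE-2025-22869.patch` line and rebase it onto the packaged version. Separately, the go.mod/go.sum bump only takes effect if vendor.tar.gz carries golang.org/x/crypto v0.36.0 and the other bumped modules with a matching vendor/modules.txt; the trailing `Only in tailscale-1.82.0-patched: vendor` line is diff -r noise that patch ignores, so nothing in this file establishes that, and a mismatch should make go's vendor consistency check refuse the build rather than silently ship the old module.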
+++ b/tailscale-1.74.0.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:65adec42c6b6c42a107d63b5c9eb2c10ae0e87f4d701aa5e35c4e31a81bcd381 +size 11323679 diff --git a/tailscale-1.74.1.tar.gz b/tailscale-1.74.1.tar.gz new file mode 100644 index 0000000..8fc3351 --- /dev/null +++ b/tailscale-1.74.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:7357c9fe3b0dabbb35847d8181f8500007299ec93586c23cd1c50af4183ccd19 +size 11462868 diff --git a/tailscale-1.76.1.tar.gz b/tailscale-1.76.1.tar.gz new file mode 100644 index 0000000..1b472c5 --- /dev/null +++ b/tailscale-1.76.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:87ebf950ec15274f6e7105acfe3d5565ea39bfc7cdd9762248df26da9874d9fc +size 11842133 diff --git a/tailscale-1.76.3.tar.gz b/tailscale-1.76.3.tar.gz new file mode 100644 index 0000000..2352b3a --- /dev/null +++ b/tailscale-1.76.3.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:dab7ef3240df51e7b51238d4239822ac8dec8106282acf1f07208bd699da99b7 +size 12050220 diff --git a/tailscale-1.76.6.tar.gz b/tailscale-1.76.6.tar.gz new file mode 100644 index 0000000..b019ce8 --- /dev/null +++ b/tailscale-1.76.6.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:627769855263d35d26e3b855efdf79167d42f08a3087f5a678b7aa5298e30a72 +size 12438906 diff --git a/tailscale-1.78.1.tar.gz b/tailscale-1.78.1.tar.gz new file mode 100644 index 0000000..b417f1f --- /dev/null +++ b/tailscale-1.78.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a035f99f9bdc8c0a3de278a538c1e8df1e886d8f2bfe0bd4567a3c2850e31d48 +size 11935577 diff --git a/tailscale-1.78.3.tar.gz b/tailscale-1.78.3.tar.gz new file mode 100644 index 0000000..74d8c18 --- /dev/null +++ b/tailscale-1.78.3.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1b10020e1b94fce5556f7ef67e5bd529fd1a209dcb7694bf13c1edafbce097cd +size 12121603 
diff --git a/tailscale-1.80.0.tar.gz b/tailscale-1.80.0.tar.gz new file mode 100644 index 0000000..6d803bb --- /dev/null +++ b/tailscale-1.80.0.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3c7a09a5a96c0c21f70aa4e1a1a934c8d5b1ef3db80e8aab98d53ee664585277 +size 12573438 diff --git a/tailscale-1.80.1.tar.gz b/tailscale-1.80.1.tar.gz new file mode 100644 index 0000000..c2e8626 --- /dev/null +++ b/tailscale-1.80.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:41d9c077b27685e7ded4bb59d443921a72aa3efdfeff313ad78f361cc8b0a794 +size 13209056 diff --git a/tailscale-1.80.2.tar.gz b/tailscale-1.80.2.tar.gz new file mode 100644 index 0000000..f9501a9 --- /dev/null +++ b/tailscale-1.80.2.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:46af9a3dcb6d7a82af189f6c4d45fce5a98aaab64d7877dcbe8dc9202ab892ae +size 13465507 diff --git a/tailscale-1.80.3.tar.gz b/tailscale-1.80.3.tar.gz new file mode 100644 index 0000000..3f01878 --- /dev/null +++ b/tailscale-1.80.3.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8cfab48a1a40bc27445bc1aea0daedc7c1147a1ee61fe3abbf32c1eb8acaca33 +size 13706235 diff --git a/tailscale-1.82.0.tar.gz b/tailscale-1.82.0.tar.gz new file mode 100644 index 0000000..de88954 --- /dev/null +++ b/tailscale-1.82.0.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:47b58b296b0ff02b4368fbb0040d3b46fa42643389ea3a0171c3ad1850b4b52d +size 13176999 diff --git a/tailscale-1.82.5.tar.gz b/tailscale-1.82.5.tar.gz new file mode 100644 index 0000000..f986dd6 --- /dev/null +++ b/tailscale-1.82.5.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1114843fb881e27ab377e2f3420f50b76c12783dc1daa7fcf7bb8b76416e3370 +size 67640448 diff --git a/tailscale-1.84.1.tar.gz b/tailscale-1.84.1.tar.gz new file mode 100644 index 0000000..393eb56 --- /dev/null +++ b/tailscale-1.84.1.tar.gz 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d2931c68f0ec823d6f05c3b75fc1876263dfd9438a8ae7a506c8d8fc9c2df90f +size 69401229 diff --git a/tailscale-1.84.2.tar.gz b/tailscale-1.84.2.tar.gz new file mode 100644 index 0000000..358ee1e --- /dev/null +++ b/tailscale-1.84.2.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a60ae898526ef200e178620e784af282513c723ff36b2763999ac79a7dfcc285 +size 70391896 diff --git a/tailscale-1.84.3.tar.gz b/tailscale-1.84.3.tar.gz new file mode 100644 index 0000000..1f2fd25 --- /dev/null +++ b/tailscale-1.84.3.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0700392e77df016436a1591c6caf4e69e7ec42bd1bb6a4d5092af05929508945 +size 71016944 diff --git a/tailscale.changes b/tailscale.changes new file mode 100644 index 0000000..e0c0563 --- /dev/null +++ b/tailscale.changes 
@@ -0,0 +1,532 @@
+-------------------------------------------------------------------
+Thu Jun 26 17:29:44 UTC 2025 - Richard Rahl
+
+- update to 1.84.3:
+ * ipn/ipnlocal: Update hostinfo to control on service config change
+
+-------------------------------------------------------------------
+Tue Jun 10 15:36:55 UTC 2025 - Richard Rahl
+
+- update to 1.84.2:
+ * Re-enable setting —accept-dns by using TS_EXTRA_ARGS. This issue resulted
+ from stricter CLI arguments parsing introduced in Tailscale v1.84.0
+
+-------------------------------------------------------------------
+Fri May 30 06:23:15 UTC 2025 - Richard Rahl
+
+- update to 1.84.1:
+ * net/dns: cache dns.Config for reuse when compileConfig fails
+
+-------------------------------------------------------------------
+Thu May 22 08:27:09 UTC 2025 - Richard Rahl
+
+- update to 1.84.0:
+ * The --reason flag is added to the tailscale down command
+ * ReconnectAfter policy setting, which configures the maximum period of time
+ between a user disconnecting Tailscale and the client automatically
+ reconnecting
+ * Tailscale CLI commands throw an error if multiple of the same flag are detected
+ * Network connectivity issues when creating a new profile or switching
+ profiles while using an exit node
+ * DNS-over-TCP fallback works correctly with upstream servers reachable only
+ via the tailnet
+- remove fix-CVE-2025-22869.patch, as upstream updated their dependencies
+
+-------------------------------------------------------------------
+Fri Apr 18 07:37:15 UTC 2025 - Richard Rahl
+
+- update to 1.82.5:
+ * A panic issue related to CUBIC congestion control in userspace mode is resolved.
+
+-------------------------------------------------------------------
+Thu Mar 27 19:50:58 UTC 2025 - Richard Rahl
+
+- update to 1.82.0:
+ * DERP functionality within the client supports certificate pinning for
+ self-signed IP address certificates for those unable to use Let's Encrypt
+ or WebPKI certificates.
+ * Go is updated to version 1.24.1
+ * NAT traversal code uses the DERP connection that a packet arrived on as an
+ ultimate fallback route if no other information is available
+ * Captive portal detection reliability is improved on some in-flight Wi-Fi networks
+ * Port mapping success rate is improved
+ * Helsinki is added as a DERP region.
+
+-------------------------------------------------------------------
+Wed Mar 12 09:07:49 UTC 2025 - Richard Rahl
+
+- add patch fix-CVE-2025-22869.patch, fixes bsc#1239353
+
+-------------------------------------------------------------------
+Tue Mar 4 13:42:34 UTC 2025 - Richard Rahl
+
+- update to 1.80.3:
+ * appc: fix a deadlock in route advertisements
+ * client/web: fix CSRF handler order in web UI
+
+-------------------------------------------------------------------
+Thu Feb 13 14:30:28 UTC 2025 - Richard Rahl
+
+- update to 1.80.2:
+ * Use ip:country as a geolocation device posture attribute (generally available).
+
+-------------------------------------------------------------------
+Thu Feb 6 19:52:22 UTC 2025 - Richard Rahl
+
+- update to 1.80.1:
+ * net/netmon: add extra panic guard around ParseRIB
+
+-------------------------------------------------------------------
+Fri Jan 31 17:20:29 UTC 2025 - Richard Rahl
+
+- update to 1.80.0:
+ * Hostname system policy is added for overriding the device hostname
+ configured by the operating system, using an MDM solution.
+ * Web interface displays a Login button instead of the Reauthenticate button
+ when adding a new device to your tailnet.
+ * Tailscale Funnel configuration on devices displays errors when incoming
+ connections are not permitted and connections are disallowed.
+ * Connections to a custom coordination server that does not support HTTPS
+ will no longer fail when a custom port number is specified.
+ * TLS certificate requests from Let’s Encrypt include the device's DNS name
+ in the CSR’s SAN extension and set the Common Name field.
+ * Tailscale Funnel disabled on a device no longer displays enabled in the
+ admin console.
+ * GitHub username change automatically updates tailnet name
+ * 4via6 subnet routers GA
+ * Auto approvers GA
+ * Node attributes GA
+ * Download invoices GA
+ * Fast user switching GA
+ * Configuration log streaming integration with S3 buckets GA
+ * Network flow log streaming integration with S3 buckets GA
+ * NextDNS profiles per device GA
+ * GitHub secret scanning
+- remove fix-CVE-2024-45337.patch, as it's now included
+
+-------------------------------------------------------------------
+Wed Dec 18 17:33:23 UTC 2024 - Richard Rahl
+
+- add patch fix-CVE-2024-45337.patch, to circumevent a possibility
+ of exploiting the golang-x-crypto security hole. (fix #1234506)
+
+-------------------------------------------------------------------
+Fri Dec 13 05:06:26 UTC 2024 - Richard Rahl
+
+- update to 1.78.3:
+ * cmd/containerboot: fix nil pointer exception
+ * hostinfo: fix testing in container
+
+-------------------------------------------------------------------
+Fri Dec 6 01:22:05 UTC 2024 - Richard Rahl
+
+- update to 1.78.1:
+ * health: fix TestHealthMetric
+
+-------------------------------------------------------------------
+Thu Dec 5 22:10:32 UTC 2024 - Richard Rahl
+
+- update to 1.78.0:
+ * Client metrics have been added, to provide insights into Tailscale client
+ behavior, health, and performance.
+ * tailscale metrics command has been added, to expose and collect client
+ metrics for use with third-party monitoring systems.
+ * tailscale syspolicy command has been added, to list system policies, reload
+ system policies, or view errors related to the system policies configured
+ on the device.
+ * Tailscale system policies are applied immediately when pushed via mobile
+ device management (MDM) or Group Policy, without requiring a client restart.
+ * Tailscale SSH session recording detects the disappearance of the recorder
+ node sooner. This fix addresses a security vulnerability described
+ in TS-2024-013.
+ * New scopes for OAuth clients have been added with more granular permissions.
+ Existing OAuth clients using the previous set of scopes, and keys generated
+ using these clients, are still valid.
+
+-------------------------------------------------------------------
+Fri Nov 8 03:46:50 UTC 2024 - Richard Rahl
+
+- update to 1.76.6:
+ * Logging for when clients move home DERP regions is improved.
+ * Tailscale clients no longer move their home DERP server prematurely in
+ response to unusual latency at very specific times.
+
+-------------------------------------------------------------------
+Tue Oct 22 18:34:42 UTC 2024 - Richard Rahl
+
+- update to 1.76.3:
+ * no relevant changelog
+- update to 1.76.2:
+ * no relevant changelog
+- switch over to the new %{default_fw_backend} macro
+- create old init file only for < leap 16
+
+-------------------------------------------------------------------
+Wed Oct 16 20:40:31 UTC 2024 - Richard Rahl
+
+- update to 1.76.1:
+ * tailscale netcheck CLI command no longer crashes when performing diagnostics
+ on networks lacking UDP connectivity.
+ * Improperly formatted SERVFAIL responses no longer cause DNS timeouts when using an exit node.
+ * dbus login sessions no longer fail on systems where /bin/login is missing.
+
+-------------------------------------------------------------------
+Mon Oct 14 13:06:13 UTC 2024 - Alexandre Vicenzi
+
+- Require a firewall backend (boo#1228829)
+- Add simple test check to ensure binaries are working
+
+-------------------------------------------------------------------
+Fri Oct 11 06:07:28 UTC 2024 - Richard Rahl
+
+- update to 1.76.0:
+ * Clients lacking UDP connectivity no longer skip performing fallback latency
+ measurements with DERP servers.
+ * Warnings no longer display unnecessarily.
+ * Tailscale connectivity on in-flight internet on airplanes (such as Alaska Airlines) no longer fails.
+ * Service-related processes no longer run unnecessarily when services are disabled on the tailnet.
+ * Error messages include explanations in addition to the HTTP status code.
+ * Tailscale SSH supports sending environment variables to hosts. It's also possible to specify
+ permitted environment variables using the acceptEnv field.
+ * Tailscale SSH no longer breaks some terminal applications by omitting pixel width and height when
+ resizing the application window.
+
+-------------------------------------------------------------------
+Sat Sep 21 05:28:42 UTC 2024 - Eric Torres
+
+- Change path of zsh completion file to make zsh properly recognize completions
+ * /usr/share/zsh/site-functions/tailscale moved to /usr/share/zsh/site-functions/_tailscale
+
+-------------------------------------------------------------------
+Wed Sep 18 19:10:19 UTC 2024 - Richard Rahl
+
+- update to 1.74.1:
+ * wgengine/magicsock: disable raw disco by default; add envknob to enable
+
+-------------------------------------------------------------------
+Fri Sep 13 10:48:17 UTC 2024 - Richard Rahl
+
+- update to 1.74.0
+ * AuthKey system policy can be used to authenticate a device with Tailscale using an MDM solution.
+ * tailscale dns CLI command is added for accessing Tailscale DNS settings and status.
+ * Tailnet Lock long rotation signatures are truncated automatically to avoid excessive growth.
+ * Log In option in the client works as expected.
+ * TCP generic receive offload (GRO) support is added for improved userspace mode throughput.
+ * TCP generic segmentation offload (GSO) is re-introduced for supporting improved userspace mode throughput.
+ This was initially introduced in Tailscale v1.72.0 and then rolled back in v1.72.1.
+ * Device posture integration with CrowdStrike Falcon can now use MAC addresses to match devices that lack serial numbers.
+ When Falcon integration is configured, Device Identity Collection will automatically collect MAC addresses.
+
+-------------------------------------------------------------------
+Thu Aug 22 22:08:51 UTC 2024 - Richard Rahl
+
+- update to 1.72.1:
+ * DNS over TCP failures when querying the Tailscale-internal resolver are fixed.
+
+-------------------------------------------------------------------
+Wed Aug 21 16:05:02 UTC 2024 - rrahl0@opensuse.org
+
+- Update to version 1.72.0:
+ * posture: deduplicate MAC addresses before returning them
+ * health/dns: reduce severity of DNS unavailable warning
+ * safeweb: add Server.Close method
+ * go.mod.sri: update SRI hash for go.mod changes
+ * go.{mod,sum}: migrate from nhooyr.io/websocket to github.com/coder/websocket
+ * cmd/viewer: add support for map-like container types
+- update golang(API) to 1.23
+- export version variables, to circumvent a bug
+
+-------------------------------------------------------------------
+Thu Jul 18 06:31:58 UTC 2024 - Richard Rahl
+
+- update to 1.70.0:
+ * New: Restrict recommended and automatically selected exit nodes using the
+ new AllowedSuggestedExitNodes system policy. Applies only to platforms that
+ support system policies.
+ * Changed: Improved NAT traversal for some uncommon scenarios.
+ * Changed: Optimized sending firewall rules to clients more efficiently.
+ * Fixed: Exit node suggestion CLI command now prints the hostname.
+ * Fixed: Taildrive share paths configured through the CLI resolve relative
+ to where you run the tailscale command.
+
+-------------------------------------------------------------------
+Tue Jul 2 20:35:35 UTC 2024 - Richard Rahl
+
+- update to 1.68.2:
+ * Fixed: Tailnet lock validation of rotation signatures now permits multiple nodes
+ signed by the same pre-signed reusable auth key.
+
+-------------------------------------------------------------------
+Sun Jun 16 13:30:20 UTC 2024 - Richard Rahl
+
+- update to 1.68.1:
+ * Fixed: 4via6 subnet router advertisement works as expected.
+ * Fixed: Tailscale SSH access to Security-Enhanced Linux (SELinux) machines works as expected.
+- update to 1.68.0:
+ * New: Auto-updates are allowed in containers, but ignore the tailnet-wide default
+ * New: Apply auto-updates even if the node is down or disconnected from the coordination server.
+ * New: tailscale lock status now prints the node's signature.
+
+-------------------------------------------------------------------
+Wed May 22 08:36:37 UTC 2024 - Richard Rahl
+
+- update to 1.66.4:
+ * Fixed: Restored UDP connectivity through Mullvad exit nodes
+ * Stateful filtering is now off by default
+
+- update to 1.66.3:
+ * Login URLs did not always appear in the console when running tailscale up
+ * Starting with v1.66, the Kubernetes operator must always run the same or later version
+ as the proxies it manages.
+ * Expose cloud services on cluster network to the tailnet, using Kubernetes ExternalName Services
+ * Expose tailnet services that use Tailscale HTTPS to cluster workloads
+ * Cluster workloads can now refer to Tailscale Ingress resources by their MagicDNS names
+ * Configure environment variables for Tailscale Kubernetes operator proxies using ProxyClass CRD
+ * Expose tailscaled metrics endpoint for Tailscale Kubernetes operator proxies through ProxyClass CRD
+ * Configure labels for the Kubernetes operator Pods with Helm chart values
+ * Configure affinity rules for Kubernetes operator proxy Pods with ProxyClass
+ * Kubernetes operator proxy init container no longer attempts to enable IPv6 forwarding on systems
+ that don't have IPv6 module loaded
+ * Tailscale containers running on Kubernetes no longer error if an empty Kubernetes Secret is
+ pre-created for the tailscaled state
+ * Improved the ambiguous error messages when Tailscale running on Kubernetes does not have the right
+ permissions to perform actions against the tailscaled state Secret
+
+-------------------------------------------------------------------
+Fri May 10 15:16:33 UTC 2024 - Richard Rahl
+
+- update to 1.66.1:
+ * Resolved issues with nftables rules for stateful filtering,
+ introduced in v1.66.0.
+ * tailscale set command flags --netfilter-mode, --snat-subnet-routes,
+ and --stateful-filtering are added.
+
+- update to 1.66.0:
+ * Implemented client-side quarantining for shared-in exit nodes,
+ as a mitigation for a security vulnerability described in TS-2024-005.
+ * Use the --stateful-filtering flag for the tailscale up to enable stateful filtering for
+ subnet routers and exit nodes, as a mitigation for a security vulnerability described
+ in TS-2024-005.
+ * Added tab completions
+ * Use the tailscale exit-node suggest command to automatically pick an available exit node
+ that is likely to perform best.
+ * Site-to-site networking now also requires --stateful-filtering=false in addition to
+ --snat-subnet-routes=false on new subnet routers. Existing subnet routers with --snat-subnet-routes=false
+ will default to --stateful-filtering=false.
+
+- update to 1.64.2:
+ * nothing relevant for linux
+
+- update to 1.64.1:
+ * nothing relevant for linux
+
+- update to 1.64.0:
+ * New: tailscale configure kubeconfig now respects KUBECONFIG environment variable.
+ * Fixed: tailscale configure kubeconfig now works with partially empty kubeconfig.
+ * Fixed: MSS clamping for Kubernetes operator proxies using nftables.
+ * Fixed: Containers on hosts with partial support for ip6tables no longer crash.
+
+- turn of changelog generation
+- add completions for bash
+
+-------------------------------------------------------------------
+Sat Mar 30 08:28:56 UTC 2024 - Richard Rahl
+
+- update to 1.62.1:
+ * Send load balancing hint HTTP request header
+ * Fixed: Kubernetes operator proxies should not accept subnet routes
+
+-------------------------------------------------------------------
+Thu Mar 14 03:13:54 UTC 2024 - rrahl0@proton.me
+
+- update to 1.62.0:
+ * IPv6 support detection in a container environment is improved
+ * New: Web interface now uses ACL grants to manage access on tagged devices
+ * Tailscale SSH connections now disable unnecessary hostname canonicalization
+ * tailscale bugreport command for generating diagnostic logs now contain ethtool information
+ * Mullvad's family-friendly server is added to the list of well known DNS over HTTPS (DoH) servers
+ * DNS over HTTP requests now contain a timeout
+ * TCP forwarding attempts in userspace mode now have a per-client limit
+ * Endpoints with link-local IPv6 addresses is preferred over private addresses
+ * WireGuard logs are less verbose
+ * Go min. version 1.22.1
+ * DERP server region no longer changes if connectivity to the new DERP region is degraded
+
+- update to 1.60.1:
+ * Exposing port 8080 to other devices on your tailnet works as expected
+
+-------------------------------------------------------------------
+Tue Feb 20 22:10:41 UTC 2024 - Alexandre Vicenzi
+
+- Add disable-auto-update.patch to prevent auto updates and instead
+ ask users to use Zypper to update manually
+
+-------------------------------------------------------------------
+Tue Feb 20 14:52:46 UTC 2024 - Richard Rahl
+
+- change to the non deprecated manualrun
+
+-------------------------------------------------------------------
+Fri Feb 16 14:38:14 UTC 2024 - alexandre.vicenzi@suse.com
+
+- Spec cleanup
+ * Use tar_scm to avoid commit hashes in the spec
+ * Use tailscale build scripts
+ * Drop ProtectClock fix for Leap, DeviceAllow fixes it
+- Add build-verbose.patch to get go flags into build log
+- Enable PrivateDevices but allow access to /dev/net/tun in tailscaled.service
+
+-------------------------------------------------------------------
+Fri Feb 16 00:50:26 UTC 2024 - Richard Rahl
+
+- update to 1.60.0:
+ * minimum go version 1.22
+ * authentication: present users with a valid login page when
+ attempting to login even after leaving device unattended for several days
+ * networking: mute noisy peer mtu discovery errors
+ * networking: expose gVisor metrics in debug mode
+ * port mapper: support legacy "urn:dslforum-org" port mapping services
+ * port mapper: fix crash when no support mapping services found
+ * ssh: log warning when unable to find SSH host keys
+ * serve: improve error message when running as non-root
+ * Detect when Tailscale is running on Digital Ocean and automatically
+ use Digital Ocean's DNS resolvers
+ * enable app connectors to install routes for domains that resolve to CNAME
+ records
+ * support pre-configured routes from control server
+ * add new read-only mode
+ * tailscale status command: fix output formatting Tailnet
+ includes location-based exit nodes
+ * a new ProxyClass custom resource that allows to provide custom
+ configuration for cluster resources that the operator creates
+ * ACL tags for the operator can now be configured via Helm chart values
+ * routing to Ingress backends that require an exact path without a slash
+
+-------------------------------------------------------------------
+Wed Feb 7 14:52:53 UTC 2024 - Richard Rahl
+
+- make rpm not overwrite /etc/default/taiscaled
+- defattr everything to root
+
+-------------------------------------------------------------------
+Sat Feb 3 11:18:05 UTC 2024 - Richard Rahl
+
+- no stripping of binaries
+- add commitID to binaries for upstream
+- add directory for saved configs
+
+-------------------------------------------------------------------
+Tue Jan 23 23:54:36 UTC 2024 - Richard Rahl
+
+- switch services to manual
+- update to version 1.58.2:
+ * Fixed: [App connectors][app-connectors] have improved scheduling
+ and merging of route changes under some conditions
+ * Fixed: Crash when performing UPnP portmapping on older routers
+ with no supported portmapping services
+
+-------------------------------------------------------------------
+Fri Jan 19 08:06:27 UTC 2024 - Richard Rahl
+
+- update to version 1.58.0:
+ * portmap: check the epoch from NAT-PMP & PCP, establish new portmapping if it changes
+ * portmap: better handle multiple interfaces
+ * portmap: handle multiple UPnP discovery responses
+ * increase the number of 4via6 site IDs from 256 to 65,536
+ * taildrop: allow category Z unicode characters
+ * increased binary size with 1.56 is resolved in 1.58
+ * Reduce home DERP flapping when there's still an active connection
+ * device web ui: fixed issue when accessing shared devices
+ * device web ui: fixed login issue when accessed over https
+
+-------------------------------------------------------------------
+Wed Jan 10 02:17:57 UTC 2024 - Richard Rahl
+
+- fix an issue with Leap, where ProtectClock prevents to connect to
+ /dev/net/tun
+
+-------------------------------------------------------------------
+Fri Dec 15 21:22:39 UTC 2023 - Richard Rahl
+
+- update to version 1.56.1:
+ * Fixed: Web interface redirects to the correct self IP known by source peer
+ * Fixed: Usage of slices.Compact from app connector domains list
+
+-------------------------------------------------------------------
+Fri Dec 15 13:48:28 UTC 2023 - Richard Rahl
+
+- fix version output to what upstream expects
+
+-------------------------------------------------------------------
+Wed Dec 13 22:08:30 UTC 2023 - rrahl0@proton.me
+
+- Update to version 1.56.0:
+ * improve responsiveness under load, especially with bidirectional traffic
+ * improve UPnP portmapping
+ * add tailscale whois subcommand to observe metadata associated with a Tailscale IP
+ * include tailnet name and profile ID in tailscale switch --list to disambiguate
+ profiles with common login names
+ * improve tailscale web interface for configuring some device settings such as exit nodes,
+ subnet routers, and Tailscale SSH
+ * improve containerboot to symlink its socket file if possible,
+ making the tailscale CLI work without --socket=/tmp/tailscale.sock
+ * add support in Kubernetes operator cluster egress for referring to a tailnet service
+ by its MagicDNS name
+
+
+- Update to version 1.54.1:
+ * no relevant updates to the linux version
+
+-------------------------------------------------------------------
+Fri Nov 24 21:59:11 UTC 2023 - Richard Rahl
+
+- tailscale couldn't connect to /dev/net/tun
+
+-------------------------------------------------------------------
+Thu Nov 23 06:51:24 UTC 2023 - rrahl0@proton.me
+
+- Update to version 1.54.0:
+ * improve throughput substantially for UDP packets over TUN device with recent Linux kernels
+
+
+- Update to version 1.52.1:
+ * no linux improvements
+
+- Update to version 1.52.0:
+ * tailscale set command flag --auto-update is added to opt in to automatic client updates
+ * tailscale serve and tailscale funnel commands are updated for improved usability
+ * tailscale update command for manual updates is now in beta
+ * Taildrop file transfer displays a progress meter
+ * nftables auto-detection is improved when TS_DEBUG_FIREWALL_MODE=auto is used
+ * DNS detection of NetworkManager with configured but absent systemd-resolved
+ * Taildrop now resumes file transfers after partial transfers are interrupted
+ * tailscale up command displays a message about client updates when newer versions are available
+ * tailscale status command displays a message about client updates when newer versions are available
+ * tailscale cert command renews in the background. The current certificate only displays if it has expired.
+
+-------------------------------------------------------------------
+Mon Oct 02 23:51:03 UTC 2023 - rrahl0@proton.me
+
+- Update to version 1.50.1:
+ * fix bug where serve config could get wiped
+ * Funnel support for tsnet apps
+ * fix potential crash with UPnP
+
+-------------------------------------------------------------------
+Sat Sep 30 19:38:50 UTC 2023 - rrahl0@proton.me
+
+- Update to version 1.50.0:
+ * Update tailscale{,d} licenses
+ * Update Quad9 addresses and references
+ * Adds support for Wikimedia DNS using DNS-over-HTTPS
+
+- Update to version 1.48.1:
+ * no relevant updates
+
+- Update to version 1.48.2:
+ * Improvements to Mullvad exit nodes
+
+-------------------------------------------------------------------
+Fri Aug 18 15:56:24 UTC 2023 - Richard Rahl
+
+- Initial revision
diff --git a/tailscale.spec b/tailscale.spec
new file mode 100644
index 0000000..d293f05
--- /dev/null
+++ b/tailscale.spec
@@ -0,0 +1,143 @@
+#
+# spec file for package tailscale
+#
+# Copyright (c) 2025 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name: tailscale
+Version: 1.84.3
+Release: 0
+Summary: The easiest, most secure way to use WireGuard and 2FA
+License: BSD-3-Clause
+URL: https://github.com/tailscale/tailscale
+Source: %{name}-%{version}.tar.gz
+Source1: vendor.tar.gz
+Source2: %{name}d.service
+Source3: %{name}d.defaults
+Patch0: build-verbose.patch
+Patch1: disable-auto-update.patch
+BuildRequires: bash-completion
+BuildRequires: fish
+BuildRequires: git-core
+BuildRequires: golang-packaging
+BuildRequires: zsh
+BuildRequires: golang(API) >= 1.24
+Requires: %{default_firewall_backend}
+ExcludeArch: i586
+%{?systemd_requires}
+
+%description
+Tailscale is a modern VPN built on top of Wireguard. It works like an overlay
+network between the computers of your networks using NAT traversal.
+
+%package bash-completion
+Summary: Tailscale bash completion
+Supplements: (%{name} and bash-completion)
+BuildArch: noarch
+
+%description bash-completion
+bash completions for %{name}
+
+%package zsh-completion
+Summary: Tailsacle zsh completion
+Supplements: (%{name} and zsh)
+BuildArch: noarch
+
+%description zsh-completion
+zsh completion for %{name}
+
+%package fish-completion
+Summary: Tailscale fish completion
+Supplements: (%{name} and fish)
+BuildArch: noarch
+
+%description fish-completion
+fish completion for %{name}
+
+%prep
+%autosetup -a1 -p1
+
+%build
+%ifnarch ppc64
+export GOFLAGS="-buildmode=pie"
+%endif
+export VERSION_SHORT=%{version}
+export VERSION_LONG=%{version}
+export VERSION_GIT_HASH='$(git rev-parse v%{version})'
+./build_dist.sh ./cmd/%{name}
+./build_dist.sh ./cmd/%{name}d
+
+#generate completions
+./%{name} completion bash > ./%{name}.bash
+./%{name} completion zsh > ./%{name}.zsh
+./%{name} completion fish > ./%{name}.fish
+
+%check
+./%{name} version
+./%{name}d -version
+
+%install
+mkdir -p %{buildroot}%{_sharedstatedir}/%{name}
+
+install -D -p -m 0755 %{name} %{buildroot}%{_bindir}/%{name}
+install -D -p -m 0755 %{name}d %{buildroot}%{_sbindir}/%{name}d
+
+# service
+install -D -p -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/%{name}d.service
+%if 0%{?suse_version} < 1600
+ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}d
+%endif
+
+# defaults
+install -D -p -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/default/%{name}d
+
+install -D -p -m 0644 ./%{name}.bash %{buildroot}%{_datadir}/bash-completion/completions/%{name}
+install -D -p -m 0644 ./%{name}.zsh %{buildroot}%{_datadir}/zsh/site-functions/_%{name}
+install -D -p -m 0644 ./%{name}.fish %{buildroot}%{_datadir}/fish/vendor_completions.d/%{name}
+
+%pre
+%service_add_pre %{name}d.service
+
+%post
+%service_add_post %{name}d.service
+
+%preun
+%service_del_preun %{name}d.service
+
+%postun
+%service_del_postun %{name}d.service
+
+%files
+%license LICENSE PATENTS
+%doc README.md SECURITY.md
+%config(noreplace) %{_sysconfdir}/default/%{name}d
+%dir %{_sharedstatedir}/%{name}
+%{_bindir}/%{name}
+%{_sbindir}/%{name}d
+%{_unitdir}/%{name}d.service
+%if 0%{?suse_version} < 1600
+%{_sbindir}/rc%{name}d
+%endif
+
+%files bash-completion
+%{_datadir}/bash-completion/completions/%{name}
+
+%files zsh-completion
+%{_datadir}/zsh/site-functions/_%{name}
+
+%files fish-completion
+%{_datadir}/fish/vendor_completions.d/%{name}
+
+%changelog
diff --git a/tailscaled.defaults b/tailscaled.defaults
new file mode 100644
index 0000000..75f1c3e
--- /dev/null
+++ b/tailscaled.defaults
@@ -0,0 +1,8 @@
+# Set the port to listen on for incoming VPN packets.
+# Remote nodes will automatically be informed about the new port number,
+# but you might want to configure this in order to set external firewall
+# settings.
+PORT="41641"
+
+# Extra flags you might want to pass to tailscaled.
+FLAGS=""
diff --git a/tailscaled.service b/tailscaled.service
new file mode 100644
index 0000000..b67b94d
--- /dev/null
+++ b/tailscaled.service
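Review bot: fix-CVE-2024-45337.patch and fix-CVE-2025-22869.patch are added to the package by this commit, yet the spec declares only `Patch0: build-verbose.patch` and `Patch1: disable-auto-update.patch`, so `%autosetup -a1 -p1` never applies either CVE patch. If the vendored dependencies at this version already contain those fixes, the patch files are dead weight and should be dropped (or a spec comment should say why they are kept); if not, they need `Patch2:`/`Patch3:` lines. In `%build`, `export VERSION_GIT_HASH='$(git rev-parse v%{version})'` is single-quoted, so the shell exports the literal text rather than a commit hash; that is only right if build_dist.sh evaluates the variable itself, which is worth confirming against the `./%{name} version` output that `%check` already produces. `%check` otherwise runs nothing but the two `version` invocations; running at least a subset of the upstream `go test` suite against the unpacked vendor tree would give the build a real regression signal.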
@@ -0,0 +1,35 @@
+[Unit]
+Description=Tailscale node agent
+Documentation=https://tailscale.com/kb/
+Wants=network-pre.target
+After=network-pre.target NetworkManager.service systemd-resolved.service
+
+[Service]
+EnvironmentFile=/etc/default/tailscaled
+ExecStartPre=/usr/sbin/tailscaled --cleanup
+ExecStart=/usr/sbin/tailscaled --state=/var/lib/tailscale/tailscaled.state --socket=/run/tailscale/tailscaled.sock --port=${PORT} $FLAGS
+ExecStopPost=/usr/sbin/tailscaled --cleanup
+Restart=on-failure
+RuntimeDirectory=tailscale
+RuntimeDirectoryMode=0755
+StateDirectory=tailscale
+StateDirectoryMode=0700
+CacheDirectory=tailscale
+CacheDirectoryMode=0750
+Type=notify
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+PrivateDevices=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+RestrictRealtime=true
+# give permission to TUN
+BindPaths=/dev/net/tun
+DeviceAllow=/dev/net/tun rw
+
+[Install]
+WantedBy=multi-user.target
diff --git a/vendor.tar.gz b/vendor.tar.gz
new file mode 100644
index 0000000..297d71f
--- /dev/null
+++ b/vendor.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:28a2ce585e44c1f922a1fe632bc438111aff3fff427f514a3978f4bafcf1d5ad
+size 19642328
-- 
2.51.1
From 7b1310a217644c3fbd00a3ad13aa6df3d492665e90ccac1cd42750e6732b1113 Mon Sep 17 00:00:00 2001
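Review bot: The `[Service]` section combines `PrivateDevices=true` with the `BindPaths=/dev/net/tun` / `DeviceAllow=/dev/net/tun rw` pair but sets no `ProtectSystem=`, so the daemon still runs as full root with a writable /usr and /boot. `ProtectSystem=true` (read-only /usr and /boot) looks safe here because every path the unit writes is already declared via `StateDirectory=`, `CacheDirectory=` and `RuntimeDirectory=`; `ProtectSystem=strict` is likely too far, since tailscaled may need to rewrite /etc/resolv.conf on hosts without systemd-resolved, so that variant would need testing before adoption. `RestrictSUIDSGID=true` and `LockPersonality=true` are further low-risk options in the spirit of the hardening page linked in the comment. The `# give permission to TUN` comment would be more useful as `# PrivateDevices= builds a minimal /dev without the tun node; bind it in and allow it explicitly`, given the ProtectClock regression already recorded in the changelog.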
From: Richard Rahl Date: Sat, 26 Jul 2025 16:32:16 +0000 Subject: [PATCH 07/25] - update to version 1.86.0: * tsStateEncrypted device posture attribute for checking whether the Tailscale client state is encrypted at rest * Cross-site request forgery (CSRF) issue that may have resulted in a log in error when accessing the web interface * Recommended exit node when the previously recommended exit node is offline * tailscale up --exit-node=auto:any and tailscale set --exit-node=auto:any CLI commands track the recommended exit node and automatically switches to it when available exit nodes or network conditions change * tailscaled CLI command flag --encrypt-state encrypts the node state file on the disk using trusted platform module (TPM) OBS-URL: https://build.opensuse.org/package/show/network:vpn/tailscale?expand=0&rev=85 --- .gitattributes | 23 ++ .gitignore | 1 + _service | 17 + _servicedata | 4 + build-verbose.patch | 13 + disable-auto-update.patch | 25 ++ fix-CVE-2024-45337.patch | 727 ++++++++++++++++++++++++++++++++++++++ fix-CVE-2025-22869.patch | 80 +++++ tailscale-1.70.0.tar.gz | 3 + tailscale-1.72.1.tar.gz | 3 + tailscale-1.74.0.tar.gz | 3 + tailscale-1.74.1.tar.gz | 3 + tailscale-1.76.1.tar.gz | 3 + tailscale-1.76.3.tar.gz | 3 + tailscale-1.76.6.tar.gz | 3 + tailscale-1.78.1.tar.gz | 3 + tailscale-1.78.3.tar.gz | 3 + tailscale-1.80.0.tar.gz | 3 + tailscale-1.80.1.tar.gz | 3 + tailscale-1.80.2.tar.gz | 3 + tailscale-1.80.3.tar.gz | 3 + tailscale-1.82.0.tar.gz | 3 + tailscale-1.82.5.tar.gz | 3 + tailscale-1.84.1.tar.gz | 3 + tailscale-1.84.2.tar.gz | 3 + tailscale-1.84.3.tar.gz | 3 + tailscale-1.86.0.tar.gz | 3 + tailscale.changes | 547 ++++++++++++++++++++++++++++ tailscale.spec | 143 ++++++++ tailscaled.defaults | 8 + tailscaled.service | 35 ++ vendor.tar.gz | 3 + 32 files changed, 1683 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 _service create mode 100644 _servicedata create mode 100644 
build-verbose.patch create mode 100644 disable-auto-update.patch create mode 100644 fix-CVE-2024-45337.patch create mode 100644 fix-CVE-2025-22869.patch create mode 100644 tailscale-1.70.0.tar.gz create mode 100644 tailscale-1.72.1.tar.gz create mode 100644 tailscale-1.74.0.tar.gz create mode 100644 tailscale-1.74.1.tar.gz create mode 100644 tailscale-1.76.1.tar.gz create mode 100644 tailscale-1.76.3.tar.gz create mode 100644 tailscale-1.76.6.tar.gz create mode 100644 tailscale-1.78.1.tar.gz create mode 100644 tailscale-1.78.3.tar.gz create mode 100644 tailscale-1.80.0.tar.gz create mode 100644 tailscale-1.80.1.tar.gz create mode 100644 tailscale-1.80.2.tar.gz create mode 100644 tailscale-1.80.3.tar.gz create mode 100644 tailscale-1.82.0.tar.gz create mode 100644 tailscale-1.82.5.tar.gz create mode 100644 tailscale-1.84.1.tar.gz create mode 100644 tailscale-1.84.2.tar.gz create mode 100644 tailscale-1.84.3.tar.gz create mode 100644 tailscale-1.86.0.tar.gz create mode 100644 tailscale.changes create mode 100644 tailscale.spec create mode 100644 tailscaled.defaults create mode 100644 tailscaled.service create mode 100644 vendor.tar.gz diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes 
@@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/_service b/_service new file mode 100644 index 0000000..cd5cd07 --- /dev/null +++ b/_service @@ -0,0 +1,17 @@ + + + https://github.com/tailscale/tailscale.git + git + yes + refs/tags/v1.86.0 + @PARENT_TAG@ + v(.*) + disable + + + *.tar + gz + + + + diff --git a/_servicedata b/_servicedata new file mode 100644 index 0000000..d4fed67 --- /dev/null +++ b/_servicedata @@ -0,0 +1,4 @@ + + + https://github.com/tailscale/tailscale.git + aa448d5a9985378af04966c6d7aec8d9f4a166ca \ No newline at end of file diff --git a/build-verbose.patch b/build-verbose.patch new file mode 100644 index 0000000..5da7533 --- /dev/null +++ b/build-verbose.patch 
@@ -0,0 +1,13 @@ +diff --git a/build_dist.sh b/build_dist.sh +index 0c757c26..9639d596 100755 +--- a/build_dist.sh ++++ b/build_dist.sh +@@ -9,7 +9,7 @@ + # this script, or executing equivalent commands in your + # distro-specific build system. + +-set -eu ++set -eux + + go="go" + if [ -n "${TS_USE_TOOLCHAIN:-}" ]; then diff --git a/disable-auto-update.patch b/disable-auto-update.patch new file mode 100644 index 0000000..c7d8a30 --- /dev/null +++ b/disable-auto-update.patch @@ -0,0 +1,25 @@ +diff -rub tailscale/clientupdate/clientupdate.go tailscale-patched/clientupdate/clientupdate.go +--- tailscale/clientupdate/clientupdate.go 2024-06-16 15:26:31.323022871 +0200 ++++ tailscale-patched/clientupdate/clientupdate.go 2024-06-16 15:57:08.732315446 +0200 +@@ -205,6 +205,8 @@ + // The distro.Debian switch case above should catch most apt-based + // systems, but add this fallback just in case. + return up.updateDebLike, true ++ case haveExecutable("zypper"): ++ return up.updateSUSE, false + case haveExecutable("dnf"): + return up.updateFedoraLike("dnf"), true + case haveExecutable("yum"): +@@ -526,6 +528,12 @@ + you can use "pacman --sync --refresh --sysupgrade" or "pacman -Syu" to upgrade the system, including Tailscale.`) + } + ++func (up *Updater) updateSUSE() error { ++ // SUSE-based distros should update manually. ++ // The package can come from official Tailscale repos or not and the system can be transactional or not. ++ return errors.New(`Use Zypper or transactional-update (on applicable systems) to update Tailscale on openSUSE or SUSE Linux Enterprise installations.`) ++} ++ + func (up *Updater) updateNixos() error { + // NixOS package updates are managed on a system level and not individually. + // Direct users to update their nix channel or nixpkgs flake input to diff --git a/fix-CVE-2024-45337.patch b/fix-CVE-2024-45337.patch new file mode 100644 index 0000000..1fbec70 --- /dev/null +++ b/fix-CVE-2024-45337.patch 
@@ -0,0 +1,727 @@ +From 73128e25230fda8c82696ed0ffef991bce68cecc Mon Sep 17 00:00:00 2001 +From: Brad Fitzpatrick +Date: Thu, 12 Dec 2024 09:38:07 -0800 +Subject: [PATCH] ssh/tailssh: remove unused public key support + +When we first made Tailscale SSH, we assumed people would want public +key support soon after. Turns out that hasn't been the case; people +love the Tailscale identity authentication and check mode. + +In light of CVE-2024-45337, just remove all our public key code to not +distract people, and to make the code smaller. We can always get it +back from git if needed. + +Updates tailscale/corp#25131 +Updates golang/go#70779 + +Co-authored-by: Percy Wegmann +Change-Id: I87a6e79c2215158766a81942227a18b247333c22 +Signed-off-by: Brad Fitzpatrick +--- + Makefile | 1 - + ssh/tailssh/tailssh.go | 277 ++++-------------------------------- + ssh/tailssh/tailssh_test.go | 88 +----------- + tailcfg/tailcfg.go | 18 ++- + tailcfg/tailcfg_clone.go | 12 +- + tailcfg/tailcfg_view.go | 22 +-- + 6 files changed, 54 insertions(+), 364 deletions(-) + +diff --git a/Makefile b/Makefile +index 960f13885c11c..d3e50af0571b7 100644 +--- a/Makefile ++++ b/Makefile +@@ -116,7 +116,6 @@ sshintegrationtest: ## Run the SSH integration tests in various Docker container + GOOS=linux GOARCH=amd64 ./tool/go build -o ssh/tailssh/testcontainers/tailscaled ./cmd/tailscaled && \ + echo "Testing on ubuntu:focal" && docker build --build-arg="BASE=ubuntu:focal" -t ssh-ubuntu-focal ssh/tailssh/testcontainers && \ + echo "Testing on ubuntu:jammy" && docker build --build-arg="BASE=ubuntu:jammy" -t ssh-ubuntu-jammy ssh/tailssh/testcontainers && \ +- echo "Testing on ubuntu:mantic" && docker build --build-arg="BASE=ubuntu:mantic" -t ssh-ubuntu-mantic ssh/tailssh/testcontainers && \ + echo "Testing on ubuntu:noble" && docker build --build-arg="BASE=ubuntu:noble" -t ssh-ubuntu-noble ssh/tailssh/testcontainers && \ + echo "Testing on alpine:latest" && docker build --build-arg="BASE=alpine:latest" -t 
ssh-alpine-latest ssh/tailssh/testcontainers + +diff --git a/ssh/tailssh/tailssh.go b/ssh/tailssh/tailssh.go +index 7cb99c3813104..7f21ccd1182ee 100644 +--- a/ssh/tailssh/tailssh.go ++++ b/ssh/tailssh/tailssh.go +@@ -10,7 +10,6 @@ import ( + "bytes" + "context" + "crypto/rand" +- "encoding/base64" + "encoding/json" + "errors" + "fmt" +@@ -45,7 +44,6 @@ import ( + "tailscale.com/util/clientmetric" + "tailscale.com/util/httpm" + "tailscale.com/util/mak" +- "tailscale.com/util/slicesx" + ) + + var ( +@@ -80,16 +78,14 @@ type server struct { + logf logger.Logf + tailscaledPath string + +- pubKeyHTTPClient *http.Client // or nil for http.DefaultClient +- timeNow func() time.Time // or nil for time.Now ++ timeNow func() time.Time // or nil for time.Now + + sessionWaitGroup sync.WaitGroup + + // mu protects the following +- mu sync.Mutex +- activeConns map[*conn]bool // set; value is always true +- fetchPublicKeysCache map[string]pubKeyCacheEntry // by https URL +- shutdownCalled bool ++ mu sync.Mutex ++ activeConns map[*conn]bool // set; value is always true ++ shutdownCalled bool + } + + func (srv *server) now() time.Time { +@@ -204,7 +200,6 @@ func (srv *server) OnPolicyChange() { + // + // Do the user auth + // - NoClientAuthHandler +-// - PublicKeyHandler (only if NoClientAuthHandler returns errPubKeyRequired) + // + // Once auth is done, the conn can be multiplexed with multiple sessions and + // channels concurrently. 
At which point any of the following can be called +@@ -234,10 +229,9 @@ type conn struct { + finalAction *tailcfg.SSHAction // set by doPolicyAuth or resolveNextAction + finalActionErr error // set by doPolicyAuth or resolveNextAction + +- info *sshConnInfo // set by setInfo +- localUser *userMeta // set by doPolicyAuth +- userGroupIDs []string // set by doPolicyAuth +- pubKey gossh.PublicKey // set by doPolicyAuth ++ info *sshConnInfo // set by setInfo ++ localUser *userMeta // set by doPolicyAuth ++ userGroupIDs []string // set by doPolicyAuth + acceptEnv []string + + // mu protects the following fields. +@@ -268,9 +262,6 @@ func (c *conn) isAuthorized(ctx ssh.Context) error { + action := c.currentAction + for { + if action.Accept { +- if c.pubKey != nil { +- metricPublicKeyAccepts.Add(1) +- } + return nil + } + if action.Reject || action.HoldAndDelegate == "" { +@@ -293,10 +284,6 @@ func (c *conn) isAuthorized(ctx ssh.Context) error { + // policy. + var errDenied = errors.New("ssh: access denied") + +-// errPubKeyRequired is returned by NoClientAuthCallback to make the client +-// resort to public-key auth; not user visible. +-var errPubKeyRequired = errors.New("ssh publickey required") +- + // NoClientAuthCallback implements gossh.NoClientAuthCallback and is called by + // the ssh.Server when the client first connects with the "none" + // authentication method. +@@ -305,13 +292,12 @@ var errPubKeyRequired = errors.New("ssh publickey required") + // starting it afresh). It returns an error if the policy evaluation fails, or + // if the decision is "reject" + // +-// It either returns nil (accept) or errPubKeyRequired or errDenied +-// (reject). The errors may be wrapped. ++// It either returns nil (accept) or errDenied (reject). The errors may be wrapped. 
+ func (c *conn) NoClientAuthCallback(ctx ssh.Context) error { + if c.insecureSkipTailscaleAuth { + return nil + } +- if err := c.doPolicyAuth(ctx, nil /* no pub key */); err != nil { ++ if err := c.doPolicyAuth(ctx); err != nil { + return err + } + if err := c.isAuthorized(ctx); err != nil { +@@ -332,8 +318,6 @@ func (c *conn) nextAuthMethodCallback(cm gossh.ConnMetadata, prevErrors []error) + switch { + case c.anyPasswordIsOkay: + nextMethod = append(nextMethod, "password") +- case slicesx.LastEqual(prevErrors, errPubKeyRequired): +- nextMethod = append(nextMethod, "publickey") + } + + // The fake "tailscale" method is always appended to next so OpenSSH renders +@@ -353,41 +337,20 @@ func (c *conn) fakePasswordHandler(ctx ssh.Context, password string) bool { + return c.anyPasswordIsOkay + } + +-// PublicKeyHandler implements ssh.PublicKeyHandler is called by the +-// ssh.Server when the client presents a public key. +-func (c *conn) PublicKeyHandler(ctx ssh.Context, pubKey ssh.PublicKey) error { +- if err := c.doPolicyAuth(ctx, pubKey); err != nil { +- // TODO(maisem/bradfitz): surface the error here. +- c.logf("rejecting SSH public key %s: %v", bytes.TrimSpace(gossh.MarshalAuthorizedKey(pubKey)), err) +- return err +- } +- if err := c.isAuthorized(ctx); err != nil { +- return err +- } +- c.logf("accepting SSH public key %s", bytes.TrimSpace(gossh.MarshalAuthorizedKey(pubKey))) +- return nil +-} +- +-// doPolicyAuth verifies that conn can proceed with the specified (optional) +-// pubKey. It returns nil if the matching policy action is Accept or +-// HoldAndDelegate. If pubKey is nil, there was no policy match but there is a +-// policy that might match a public key it returns errPubKeyRequired. Otherwise, +-// it returns errDenied. +-func (c *conn) doPolicyAuth(ctx ssh.Context, pubKey ssh.PublicKey) error { ++// doPolicyAuth verifies that conn can proceed. ++// It returns nil if the matching policy action is Accept or ++// HoldAndDelegate. 
Otherwise, it returns errDenied. ++func (c *conn) doPolicyAuth(ctx ssh.Context) error { + if err := c.setInfo(ctx); err != nil { + c.logf("failed to get conninfo: %v", err) + return errDenied + } +- a, localUser, acceptEnv, err := c.evaluatePolicy(pubKey) ++ a, localUser, acceptEnv, err := c.evaluatePolicy() + if err != nil { +- if pubKey == nil && c.havePubKeyPolicy() { +- return errPubKeyRequired +- } + return fmt.Errorf("%w: %v", errDenied, err) + } + c.action0 = a + c.currentAction = a +- c.pubKey = pubKey + c.acceptEnv = acceptEnv + if a.Message != "" { + if err := ctx.SendAuthBanner(a.Message); err != nil { +@@ -448,7 +411,6 @@ func (srv *server) newConn() (*conn, error) { + ServerConfigCallback: c.ServerConfig, + + NoClientAuthHandler: c.NoClientAuthCallback, +- PublicKeyHandler: c.PublicKeyHandler, + PasswordHandler: c.fakePasswordHandler, + + Handler: c.handleSessionPostSSHAuth, +@@ -516,34 +478,6 @@ func (c *conn) mayForwardLocalPortTo(ctx ssh.Context, destinationHost string, de + return false + } + +-// havePubKeyPolicy reports whether any policy rule may provide access by means +-// of a ssh.PublicKey. +-func (c *conn) havePubKeyPolicy() bool { +- if c.info == nil { +- panic("havePubKeyPolicy called before setInfo") +- } +- // Is there any rule that looks like it'd require a public key for this +- // sshUser? +- pol, ok := c.sshPolicy() +- if !ok { +- return false +- } +- for _, r := range pol.Rules { +- if c.ruleExpired(r) { +- continue +- } +- if mapLocalUser(r.SSHUsers, c.info.sshUser) == "" { +- continue +- } +- for _, p := range r.Principals { +- if len(p.PubKeys) > 0 && c.principalMatchesTailscaleIdentity(p) { +- return true +- } +- } +- } +- return false +-} +- + // sshPolicy returns the SSHPolicy for current node. + // If there is no SSHPolicy in the netmap, it returns a debugPolicy + // if one is defined. 
+@@ -620,117 +554,19 @@ func (c *conn) setInfo(ctx ssh.Context) error { + } + + // evaluatePolicy returns the SSHAction and localUser after evaluating +-// the SSHPolicy for this conn. The pubKey may be nil for "none" auth. +-func (c *conn) evaluatePolicy(pubKey gossh.PublicKey) (_ *tailcfg.SSHAction, localUser string, acceptEnv []string, _ error) { ++// the SSHPolicy for this conn. ++func (c *conn) evaluatePolicy() (_ *tailcfg.SSHAction, localUser string, acceptEnv []string, _ error) { + pol, ok := c.sshPolicy() + if !ok { + return nil, "", nil, fmt.Errorf("tailssh: rejecting connection; no SSH policy") + } +- a, localUser, acceptEnv, ok := c.evalSSHPolicy(pol, pubKey) ++ a, localUser, acceptEnv, ok := c.evalSSHPolicy(pol) + if !ok { + return nil, "", nil, fmt.Errorf("tailssh: rejecting connection; no matching policy") + } + return a, localUser, acceptEnv, nil + } + +-// pubKeyCacheEntry is the cache value for an HTTPS URL of public keys (like +-// "https://github.com/foo.keys") +-type pubKeyCacheEntry struct { +- lines []string +- etag string // if sent by server +- at time.Time +-} +- +-const ( +- pubKeyCacheDuration = time.Minute // how long to cache non-empty public keys +- pubKeyCacheEmptyDuration = 15 * time.Second // how long to cache empty responses +-) +- +-func (srv *server) fetchPublicKeysURLCached(url string) (ce pubKeyCacheEntry, ok bool) { +- srv.mu.Lock() +- defer srv.mu.Unlock() +- // Mostly don't care about the size of this cache. Clean rarely. 
+- if m := srv.fetchPublicKeysCache; len(m) > 50 { +- tooOld := srv.now().Add(pubKeyCacheDuration * 10) +- for k, ce := range m { +- if ce.at.Before(tooOld) { +- delete(m, k) +- } +- } +- } +- ce, ok = srv.fetchPublicKeysCache[url] +- if !ok { +- return ce, false +- } +- maxAge := pubKeyCacheDuration +- if len(ce.lines) == 0 { +- maxAge = pubKeyCacheEmptyDuration +- } +- return ce, srv.now().Sub(ce.at) < maxAge +-} +- +-func (srv *server) pubKeyClient() *http.Client { +- if srv.pubKeyHTTPClient != nil { +- return srv.pubKeyHTTPClient +- } +- return http.DefaultClient +-} +- +-// fetchPublicKeysURL fetches the public keys from a URL. The strings are in the +-// the typical public key "type base64-string [comment]" format seen at e.g. +-// https://github.com/USER.keys +-func (srv *server) fetchPublicKeysURL(url string) ([]string, error) { +- if !strings.HasPrefix(url, "https://") { +- return nil, errors.New("invalid URL scheme") +- } +- +- ce, ok := srv.fetchPublicKeysURLCached(url) +- if ok { +- return ce.lines, nil +- } +- +- ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second) +- defer cancel() +- req, err := http.NewRequestWithContext(ctx, "GET", url, nil) +- if err != nil { +- return nil, err +- } +- if ce.etag != "" { +- req.Header.Add("If-None-Match", ce.etag) +- } +- res, err := srv.pubKeyClient().Do(req) +- if err != nil { +- return nil, err +- } +- defer res.Body.Close() +- var lines []string +- var etag string +- switch res.StatusCode { +- default: +- err = fmt.Errorf("unexpected status %v", res.Status) +- srv.logf("fetching public keys from %s: %v", url, err) +- case http.StatusNotModified: +- lines = ce.lines +- etag = ce.etag +- case http.StatusOK: +- var all []byte +- all, err = io.ReadAll(io.LimitReader(res.Body, 4<<10)) +- if s := strings.TrimSpace(string(all)); s != "" { +- lines = strings.Split(s, "\n") +- } +- etag = res.Header.Get("Etag") +- } +- +- srv.mu.Lock() +- defer srv.mu.Unlock() +- mak.Set(&srv.fetchPublicKeysCache, 
url, pubKeyCacheEntry{ +- at: srv.now(), +- lines: lines, +- etag: etag, +- }) +- return lines, err +-} +- + // handleSessionPostSSHAuth runs an SSH session after the SSH-level authentication, + // but not necessarily before all the Tailscale-level extra verification has + // completed. It also handles SFTP requests. +@@ -832,18 +668,6 @@ func (c *conn) expandDelegateURLLocked(actionURL string) string { + ).Replace(actionURL) + } + +-func (c *conn) expandPublicKeyURL(pubKeyURL string) string { +- if !strings.Contains(pubKeyURL, "$") { +- return pubKeyURL +- } +- loginName := c.info.uprof.LoginName +- localPart, _, _ := strings.Cut(loginName, "@") +- return strings.NewReplacer( +- "$LOGINNAME_EMAIL", loginName, +- "$LOGINNAME_LOCALPART", localPart, +- ).Replace(pubKeyURL) +-} +- + // sshSession is an accepted Tailscale SSH session. + type sshSession struct { + ssh.Session +@@ -894,7 +718,7 @@ func (c *conn) newSSHSession(s ssh.Session) *sshSession { + + // isStillValid reports whether the conn is still valid. 
+ func (c *conn) isStillValid() bool { +- a, localUser, _, err := c.evaluatePolicy(c.pubKey) ++ a, localUser, _, err := c.evaluatePolicy() + c.vlogf("stillValid: %+v %v %v", a, localUser, err) + if err != nil { + return false +@@ -1277,9 +1101,9 @@ func (c *conn) ruleExpired(r *tailcfg.SSHRule) bool { + return r.RuleExpires.Before(c.srv.now()) + } + +-func (c *conn) evalSSHPolicy(pol *tailcfg.SSHPolicy, pubKey gossh.PublicKey) (a *tailcfg.SSHAction, localUser string, acceptEnv []string, ok bool) { ++func (c *conn) evalSSHPolicy(pol *tailcfg.SSHPolicy) (a *tailcfg.SSHAction, localUser string, acceptEnv []string, ok bool) { + for _, r := range pol.Rules { +- if a, localUser, acceptEnv, err := c.matchRule(r, pubKey); err == nil { ++ if a, localUser, acceptEnv, err := c.matchRule(r); err == nil { + return a, localUser, acceptEnv, true + } + } +@@ -1296,7 +1120,7 @@ var ( + errInvalidConn = errors.New("invalid connection state") + ) + +-func (c *conn) matchRule(r *tailcfg.SSHRule, pubKey gossh.PublicKey) (a *tailcfg.SSHAction, localUser string, acceptEnv []string, err error) { ++func (c *conn) matchRule(r *tailcfg.SSHRule) (a *tailcfg.SSHAction, localUser string, acceptEnv []string, err error) { + defer func() { + c.vlogf("matchRule(%+v): %v", r, err) + }() +@@ -1326,9 +1150,7 @@ func (c *conn) matchRule(r *tailcfg.SSHRule, pubKey gossh.PublicKey) (a *tailcfg + return nil, "", nil, errUserMatch + } + } +- if ok, err := c.anyPrincipalMatches(r.Principals, pubKey); err != nil { +- return nil, "", nil, err +- } else if !ok { ++ if !c.anyPrincipalMatches(r.Principals) { + return nil, "", nil, errPrincipalMatch + } + return r.Action, localUser, r.AcceptEnv, nil +@@ -1345,30 +1167,20 @@ func mapLocalUser(ruleSSHUsers map[string]string, reqSSHUser string) (localUser + return v + } + +-func (c *conn) anyPrincipalMatches(ps []*tailcfg.SSHPrincipal, pubKey gossh.PublicKey) (bool, error) { ++func (c *conn) anyPrincipalMatches(ps []*tailcfg.SSHPrincipal) bool { + for _, p := range 
ps { + if p == nil { + continue + } +- if ok, err := c.principalMatches(p, pubKey); err != nil { +- return false, err +- } else if ok { +- return true, nil ++ if c.principalMatchesTailscaleIdentity(p) { ++ return true + } + } +- return false, nil +-} +- +-func (c *conn) principalMatches(p *tailcfg.SSHPrincipal, pubKey gossh.PublicKey) (bool, error) { +- if !c.principalMatchesTailscaleIdentity(p) { +- return false, nil +- } +- return c.principalMatchesPubKey(p, pubKey) ++ return false + } + + // principalMatchesTailscaleIdentity reports whether one of p's four fields + // that match the Tailscale identity match (Node, NodeIP, UserLogin, Any). +-// This function does not consider PubKeys. + func (c *conn) principalMatchesTailscaleIdentity(p *tailcfg.SSHPrincipal) bool { + ci := c.info + if p.Any { +@@ -1388,42 +1200,6 @@ func (c *conn) principalMatchesTailscaleIdentity(p *tailcfg.SSHPrincipal) bool { + return false + } + +-func (c *conn) principalMatchesPubKey(p *tailcfg.SSHPrincipal, clientPubKey gossh.PublicKey) (bool, error) { +- if len(p.PubKeys) == 0 { +- return true, nil +- } +- if clientPubKey == nil { +- return false, nil +- } +- knownKeys := p.PubKeys +- if len(knownKeys) == 1 && strings.HasPrefix(knownKeys[0], "https://") { +- var err error +- knownKeys, err = c.srv.fetchPublicKeysURL(c.expandPublicKeyURL(knownKeys[0])) +- if err != nil { +- return false, err +- } +- } +- for _, knownKey := range knownKeys { +- if pubKeyMatchesAuthorizedKey(clientPubKey, knownKey) { +- return true, nil +- } +- } +- return false, nil +-} +- +-func pubKeyMatchesAuthorizedKey(pubKey ssh.PublicKey, wantKey string) bool { +- wantKeyType, rest, ok := strings.Cut(wantKey, " ") +- if !ok { +- return false +- } +- if pubKey.Type() != wantKeyType { +- return false +- } +- wantKeyB64, _, _ := strings.Cut(rest, " ") +- wantKeyData, _ := base64.StdEncoding.DecodeString(wantKeyB64) +- return len(wantKeyData) > 0 && bytes.Equal(pubKey.Marshal(), wantKeyData) +-} +- + func randBytes(n int) 
[]byte { + b := make([]byte, n) + if _, err := rand.Read(b); err != nil { +@@ -1749,7 +1525,6 @@ func envEq(a, b string) bool { + var ( + metricActiveSessions = clientmetric.NewGauge("ssh_active_sessions") + metricIncomingConnections = clientmetric.NewCounter("ssh_incoming_connections") +- metricPublicKeyAccepts = clientmetric.NewCounter("ssh_publickey_accepts") // accepted subset of ssh_publickey_connections + metricTerminalAccept = clientmetric.NewCounter("ssh_terminalaction_accept") + metricTerminalReject = clientmetric.NewCounter("ssh_terminalaction_reject") + metricTerminalMalformed = clientmetric.NewCounter("ssh_terminalaction_malformed") +diff --git a/ssh/tailssh/tailssh_test.go b/ssh/tailssh/tailssh_test.go +index ad9cb1e57b53d..9f3616d8ca8ab 100644 +--- a/ssh/tailssh/tailssh_test.go ++++ b/ssh/tailssh/tailssh_test.go +@@ -10,7 +10,6 @@ import ( + "context" + "crypto/ed25519" + "crypto/rand" +- "crypto/sha256" + "encoding/json" + "errors" + "fmt" +@@ -229,7 +228,7 @@ func TestMatchRule(t *testing.T) { + info: tt.ci, + srv: &server{logf: t.Logf}, + } +- got, gotUser, gotAcceptEnv, err := c.matchRule(tt.rule, nil) ++ got, gotUser, gotAcceptEnv, err := c.matchRule(tt.rule) + if err != tt.wantErr { + t.Errorf("err = %v; want %v", err, tt.wantErr) + } +@@ -348,7 +347,7 @@ func TestEvalSSHPolicy(t *testing.T) { + info: tt.ci, + srv: &server{logf: t.Logf}, + } +- got, gotUser, gotAcceptEnv, match := c.evalSSHPolicy(tt.policy, nil) ++ got, gotUser, gotAcceptEnv, match := c.evalSSHPolicy(tt.policy) + if match != tt.wantMatch { + t.Errorf("match = %v; want %v", match, tt.wantMatch) + } +@@ -1129,89 +1128,6 @@ func parseEnv(out []byte) map[string]string { + return e + } + +-func TestPublicKeyFetching(t *testing.T) { +- var reqsTotal, reqsIfNoneMatchHit, reqsIfNoneMatchMiss int32 +- ts := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { +- atomic.AddInt32((&reqsTotal), 1) +- etag := fmt.Sprintf("W/%q", 
sha256.Sum256([]byte(r.URL.Path))) +- w.Header().Set("Etag", etag) +- if v := r.Header.Get("If-None-Match"); v != "" { +- if v == etag { +- atomic.AddInt32(&reqsIfNoneMatchHit, 1) +- w.WriteHeader(304) +- return +- } +- atomic.AddInt32(&reqsIfNoneMatchMiss, 1) +- } +- io.WriteString(w, "foo\nbar\n"+string(r.URL.Path)+"\n") +- })) +- ts.StartTLS() +- defer ts.Close() +- keys := ts.URL +- +- clock := &tstest.Clock{} +- srv := &server{ +- pubKeyHTTPClient: ts.Client(), +- timeNow: clock.Now, +- } +- for range 2 { +- got, err := srv.fetchPublicKeysURL(keys + "/alice.keys") +- if err != nil { +- t.Fatal(err) +- } +- if want := []string{"foo", "bar", "/alice.keys"}; !reflect.DeepEqual(got, want) { +- t.Errorf("got %q; want %q", got, want) +- } +- } +- if got, want := atomic.LoadInt32(&reqsTotal), int32(1); got != want { +- t.Errorf("got %d requests; want %d", got, want) +- } +- if got, want := atomic.LoadInt32(&reqsIfNoneMatchHit), int32(0); got != want { +- t.Errorf("got %d etag hits; want %d", got, want) +- } +- clock.Advance(5 * time.Minute) +- got, err := srv.fetchPublicKeysURL(keys + "/alice.keys") +- if err != nil { +- t.Fatal(err) +- } +- if want := []string{"foo", "bar", "/alice.keys"}; !reflect.DeepEqual(got, want) { +- t.Errorf("got %q; want %q", got, want) +- } +- if got, want := atomic.LoadInt32(&reqsTotal), int32(2); got != want { +- t.Errorf("got %d requests; want %d", got, want) +- } +- if got, want := atomic.LoadInt32(&reqsIfNoneMatchHit), int32(1); got != want { +- t.Errorf("got %d etag hits; want %d", got, want) +- } +- if got, want := atomic.LoadInt32(&reqsIfNoneMatchMiss), int32(0); got != want { +- t.Errorf("got %d etag misses; want %d", got, want) +- } +- +-} +- +-func TestExpandPublicKeyURL(t *testing.T) { +- c := &conn{ +- info: &sshConnInfo{ +- uprof: tailcfg.UserProfile{ +- LoginName: "bar@baz.tld", +- }, +- }, +- } +- if got, want := c.expandPublicKeyURL("foo"), "foo"; got != want { +- t.Errorf("basic: got %q; want %q", got, want) +- } +- if 
got, want := c.expandPublicKeyURL("https://example.com/$LOGINNAME_LOCALPART.keys"), "https://example.com/bar.keys"; got != want { +- t.Errorf("localpart: got %q; want %q", got, want) +- } +- if got, want := c.expandPublicKeyURL("https://example.com/keys?email=$LOGINNAME_EMAIL"), "https://example.com/keys?email=bar@baz.tld"; got != want { +- t.Errorf("email: got %q; want %q", got, want) +- } +- c.info = new(sshConnInfo) +- if got, want := c.expandPublicKeyURL("https://example.com/keys?email=$LOGINNAME_EMAIL"), "https://example.com/keys?email="; got != want { +- t.Errorf("on empty: got %q; want %q", got, want) +- } +-} +- + func TestAcceptEnvPair(t *testing.T) { + tests := []struct { + in string +diff --git a/tailcfg/tailcfg.go b/tailcfg/tailcfg.go +index 897e8d27f7f7b..be6c4f0be6b82 100644 +--- a/tailcfg/tailcfg.go ++++ b/tailcfg/tailcfg.go +@@ -152,7 +152,8 @@ type CapabilityVersion int + // - 107: 2024-10-30: add App Connector to conffile (PR #13942) + // - 108: 2024-11-08: Client sends ServicesHash in Hostinfo, understands c2n GET /vip-services. + // - 109: 2024-11-18: Client supports filtertype.Match.SrcCaps (issue #12542) +-const CurrentCapabilityVersion CapabilityVersion = 109 ++// - 110: 2024-12-12: removed never-before-used Tailscale SSH public key support (#14373) ++const CurrentCapabilityVersion CapabilityVersion = 110 + + type StableID string + +@@ -2525,16 +2526,13 @@ type SSHPrincipal struct { + Any bool `json:"any,omitempty"` // if true, match any connection + // TODO(bradfitz): add StableUserID, once that exists + +- // PubKeys, if non-empty, means that this SSHPrincipal only +- // matches if one of these public keys is presented by the user. ++ // UnusedPubKeys was public key support. It never became an official product ++ // feature and so as of 2024-12-12 is being removed. ++ // This stub exists to remind us not to re-use the JSON field name "pubKeys" ++ // in the future if we bring it back with different semantics. 
+ // +- // As a special case, if len(PubKeys) == 1 and PubKeys[0] starts +- // with "https://", then it's fetched (like https://github.com/username.keys). +- // In that case, the following variable expansions are also supported +- // in the URL: +- // * $LOGINNAME_EMAIL ("foo@bar.com" or "foo@github") +- // * $LOGINNAME_LOCALPART (the "foo" from either of the above) +- PubKeys []string `json:"pubKeys,omitempty"` ++ // Deprecated: do not use. It does nothing. ++ UnusedPubKeys []string `json:"pubKeys,omitempty"` + } + + // SSHAction is how to handle an incoming connection. +diff --git a/tailcfg/tailcfg_clone.go b/tailcfg/tailcfg_clone.go +index f4f02c01721dc..bf9bac2980df9 100644 +--- a/tailcfg/tailcfg_clone.go ++++ b/tailcfg/tailcfg_clone.go +@@ -556,17 +556,17 @@ func (src *SSHPrincipal) Clone() *SSHPrincipal { + } + dst := new(SSHPrincipal) + *dst = *src +- dst.PubKeys = append(src.PubKeys[:0:0], src.PubKeys...) ++ dst.UnusedPubKeys = append(src.UnusedPubKeys[:0:0], src.UnusedPubKeys...) + return dst + } + + // A compilation failure here means this code must be regenerated, with the command at the top of this file. + var _SSHPrincipalCloneNeedsRegeneration = SSHPrincipal(struct { +- Node StableNodeID +- NodeIP string +- UserLogin string +- Any bool +- PubKeys []string ++ Node StableNodeID ++ NodeIP string ++ UserLogin string ++ Any bool ++ UnusedPubKeys []string + }{}) + + // Clone makes a deep copy of ControlDialPlan. 
+diff --git a/tailcfg/tailcfg_view.go b/tailcfg/tailcfg_view.go +index f275a6a9da5f2..6c21e5f450340 100644 +--- a/tailcfg/tailcfg_view.go ++++ b/tailcfg/tailcfg_view.go +@@ -1260,19 +1260,21 @@ func (v *SSHPrincipalView) UnmarshalJSON(b []byte) error { + return nil + } + +-func (v SSHPrincipalView) Node() StableNodeID { return v.ж.Node } +-func (v SSHPrincipalView) NodeIP() string { return v.ж.NodeIP } +-func (v SSHPrincipalView) UserLogin() string { return v.ж.UserLogin } +-func (v SSHPrincipalView) Any() bool { return v.ж.Any } +-func (v SSHPrincipalView) PubKeys() views.Slice[string] { return views.SliceOf(v.ж.PubKeys) } ++func (v SSHPrincipalView) Node() StableNodeID { return v.ж.Node } ++func (v SSHPrincipalView) NodeIP() string { return v.ж.NodeIP } ++func (v SSHPrincipalView) UserLogin() string { return v.ж.UserLogin } ++func (v SSHPrincipalView) Any() bool { return v.ж.Any } ++func (v SSHPrincipalView) UnusedPubKeys() views.Slice[string] { ++ return views.SliceOf(v.ж.UnusedPubKeys) ++} + + // A compilation failure here means this code must be regenerated, with the command at the top of this file. + var _SSHPrincipalViewNeedsRegeneration = SSHPrincipal(struct { +- Node StableNodeID +- NodeIP string +- UserLogin string +- Any bool +- PubKeys []string ++ Node StableNodeID ++ NodeIP string ++ UserLogin string ++ Any bool ++ UnusedPubKeys []string + }{}) + + // View returns a readonly view of ControlDialPlan. diff --git a/fix-CVE-2025-22869.patch b/fix-CVE-2025-22869.patch new file mode 100644 index 0000000..001df0a --- /dev/null +++ b/fix-CVE-2025-22869.patch 
@@ -0,0 +1,80 @@ +diff -rub tailscale-1.82.0/go.mod tailscale-1.82.0-patched/go.mod +--- tailscale-1.82.0/go.mod 2025-03-26 20:26:55.000000000 +0100 ++++ tailscale-1.82.0-patched/go.mod 2025-03-26 22:23:51.011357984 +0100 +@@ -94,14 +94,14 @@ + go.uber.org/zap v1.27.0 + go4.org/mem v0.0.0-20240501181205-ae6ca9944745 + go4.org/netipx v0.0.0-20231129151722-fdeea329fbba +- golang.org/x/crypto v0.35.0 ++ golang.org/x/crypto v0.36.0 + golang.org/x/exp v0.0.0-20250210185358-939b2ce775ac + golang.org/x/mod v0.23.0 + golang.org/x/net v0.36.0 + golang.org/x/oauth2 v0.26.0 +- golang.org/x/sync v0.11.0 +- golang.org/x/sys v0.30.0 +- golang.org/x/term v0.29.0 ++ golang.org/x/sync v0.12.0 ++ golang.org/x/sys v0.31.0 ++ golang.org/x/term v0.30.0 + golang.org/x/time v0.10.0 + golang.org/x/tools v0.30.0 + golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 +@@ -382,7 +382,7 @@ + go.uber.org/multierr v1.11.0 // indirect + golang.org/x/exp/typeparams v0.0.0-20240314144324-c7f7c6466f7f // indirect + golang.org/x/image v0.24.0 // indirect +- golang.org/x/text v0.22.0 // indirect ++ golang.org/x/text v0.23.0 // indirect + gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect + google.golang.org/protobuf v1.35.1 // indirect + gopkg.in/inf.v0 v0.9.1 // indirect +diff -rub tailscale-1.82.0/go.sum tailscale-1.82.0-patched/go.sum +--- tailscale-1.82.0/go.sum 2025-03-26 20:26:55.000000000 +0100 ++++ tailscale-1.82.0-patched/go.sum 2025-03-26 22:24:39.260395929 +0100 +@@ -1047,6 +1047,8 @@ + golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= + golang.org/x/crypto v0.35.0 h1:b15kiHdrGCHrP6LvwaQ3c03kgNhhiMgvlhxHQhmg2Xs= + golang.org/x/crypto v0.35.0/go.mod h1:dy7dXNW32cAb/6/PRuTNsix8T+vJAqvuIy5Bli/x0YQ= ++golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34= ++golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc= + golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod 
h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= + golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= + golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= +@@ -1160,6 +1162,8 @@ + golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= + golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w= + golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= ++golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw= ++golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA= + golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= + golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= + golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +@@ -1220,6 +1224,8 @@ + golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= + golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc= + golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= ++golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik= ++golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= + golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= + golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= + golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +@@ -1228,6 +1234,8 @@ + golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= + golang.org/x/term v0.29.0 h1:L6pJp37ocefwRRtYPKSWOWzOtWSxVajvz2ldH/xi3iU= + golang.org/x/term v0.29.0/go.mod h1:6bl4lRlvVuDgSf3179VpIxBF0o10JUpXWOnI7nErv7s= 
++golang.org/x/term v0.30.0 h1:PQ39fJZ+mfadBm0y5WlL4vlM7Sx1Hgf13sMIY2+QS9Y= ++golang.org/x/term v0.30.0/go.mod h1:NYYFdzHoI5wRh/h5tDMdMqCqPJZEuNqVR5xJLd/n67g= + golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= + golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= + golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +@@ -1240,6 +1248,8 @@ + golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= + golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM= + golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY= ++golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY= ++golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4= + golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= + golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= + golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +Only in tailscale-1.82.0-patched: vendor diff --git a/tailscale-1.70.0.tar.gz b/tailscale-1.70.0.tar.gz new file mode 100644 index 0000000..66e7c90 --- /dev/null +++ b/tailscale-1.70.0.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:294d6df3f4585152bd612eed9b34a6c2062589c8989f86ee25e750c37164fcd5 +size 55014834 diff --git a/tailscale-1.72.1.tar.gz b/tailscale-1.72.1.tar.gz new file mode 100644 index 0000000..ea2e024 --- /dev/null +++ b/tailscale-1.72.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:03e15ea076362eda1a44712351ba2a19bf746970fee8ddc4013513a07337cbe0 +size 11331158 diff --git a/tailscale-1.74.0.tar.gz b/tailscale-1.74.0.tar.gz new file mode 100644 index 0000000..7923deb --- /dev/null 
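Review bot: The `Only in tailscale-1.82.0-patched: vendor` trailer at the end of the new patch shows it was produced against a tree that carries a vendor/ directory, yet the patch itself touches only go.mod and go.sum; if tailscaled is built with `-mod=vendor` from a pre-packaged vendor tree whose modules.txt still records golang.org/x/crypto v0.35.0, Go (1.14+) refuses the build with an "inconsistent vendoring" error, and switching to `-mod=mod` would require network access at build time. Confirm the vendored modules are regenerated from the patched go.mod so that v0.36.0 is what actually gets linked, and strip the stray `Only in` line, which `patch` tolerates but which documents nothing. The old side already pins golang.org/x/crypto v0.35.0; as far as I recall the Go vulnerability database lists CVE-2025-22869 as fixed in v0.35.0, in which case this bump is no longer a security fix for 1.82.0 and the patch could be dropped or its continued purpose recorded. Either way the patch file has no header; a leading comment such as `# CVE-2025-22869 (bsc#1239353): bump golang.org/x/crypto to v0.36.0, with x/sync, x/sys, x/term, x/text moved in step` would let the next updater judge whether it is still needed.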
+++ b/tailscale-1.74.0.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:65adec42c6b6c42a107d63b5c9eb2c10ae0e87f4d701aa5e35c4e31a81bcd381 +size 11323679 diff --git a/tailscale-1.74.1.tar.gz b/tailscale-1.74.1.tar.gz new file mode 100644 index 0000000..8fc3351 --- /dev/null +++ b/tailscale-1.74.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:7357c9fe3b0dabbb35847d8181f8500007299ec93586c23cd1c50af4183ccd19 +size 11462868 diff --git a/tailscale-1.76.1.tar.gz b/tailscale-1.76.1.tar.gz new file mode 100644 index 0000000..1b472c5 --- /dev/null +++ b/tailscale-1.76.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:87ebf950ec15274f6e7105acfe3d5565ea39bfc7cdd9762248df26da9874d9fc +size 11842133 diff --git a/tailscale-1.76.3.tar.gz b/tailscale-1.76.3.tar.gz new file mode 100644 index 0000000..2352b3a --- /dev/null +++ b/tailscale-1.76.3.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:dab7ef3240df51e7b51238d4239822ac8dec8106282acf1f07208bd699da99b7 +size 12050220 diff --git a/tailscale-1.76.6.tar.gz b/tailscale-1.76.6.tar.gz new file mode 100644 index 0000000..b019ce8 --- /dev/null +++ b/tailscale-1.76.6.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:627769855263d35d26e3b855efdf79167d42f08a3087f5a678b7aa5298e30a72 +size 12438906 diff --git a/tailscale-1.78.1.tar.gz b/tailscale-1.78.1.tar.gz new file mode 100644 index 0000000..b417f1f --- /dev/null +++ b/tailscale-1.78.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a035f99f9bdc8c0a3de278a538c1e8df1e886d8f2bfe0bd4567a3c2850e31d48 +size 11935577 diff --git a/tailscale-1.78.3.tar.gz b/tailscale-1.78.3.tar.gz new file mode 100644 index 0000000..74d8c18 --- /dev/null +++ b/tailscale-1.78.3.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1b10020e1b94fce5556f7ef67e5bd529fd1a209dcb7694bf13c1edafbce097cd +size 12121603 
diff --git a/tailscale-1.80.0.tar.gz b/tailscale-1.80.0.tar.gz new file mode 100644 index 0000000..6d803bb --- /dev/null +++ b/tailscale-1.80.0.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3c7a09a5a96c0c21f70aa4e1a1a934c8d5b1ef3db80e8aab98d53ee664585277 +size 12573438 diff --git a/tailscale-1.80.1.tar.gz b/tailscale-1.80.1.tar.gz new file mode 100644 index 0000000..c2e8626 --- /dev/null +++ b/tailscale-1.80.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:41d9c077b27685e7ded4bb59d443921a72aa3efdfeff313ad78f361cc8b0a794 +size 13209056 diff --git a/tailscale-1.80.2.tar.gz b/tailscale-1.80.2.tar.gz new file mode 100644 index 0000000..f9501a9 --- /dev/null +++ b/tailscale-1.80.2.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:46af9a3dcb6d7a82af189f6c4d45fce5a98aaab64d7877dcbe8dc9202ab892ae +size 13465507 diff --git a/tailscale-1.80.3.tar.gz b/tailscale-1.80.3.tar.gz new file mode 100644 index 0000000..3f01878 --- /dev/null +++ b/tailscale-1.80.3.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8cfab48a1a40bc27445bc1aea0daedc7c1147a1ee61fe3abbf32c1eb8acaca33 +size 13706235 diff --git a/tailscale-1.82.0.tar.gz b/tailscale-1.82.0.tar.gz new file mode 100644 index 0000000..de88954 --- /dev/null +++ b/tailscale-1.82.0.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:47b58b296b0ff02b4368fbb0040d3b46fa42643389ea3a0171c3ad1850b4b52d +size 13176999 diff --git a/tailscale-1.82.5.tar.gz b/tailscale-1.82.5.tar.gz new file mode 100644 index 0000000..f986dd6 --- /dev/null +++ b/tailscale-1.82.5.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1114843fb881e27ab377e2f3420f50b76c12783dc1daa7fcf7bb8b76416e3370 +size 67640448 diff --git a/tailscale-1.84.1.tar.gz b/tailscale-1.84.1.tar.gz new file mode 100644 index 0000000..393eb56 --- /dev/null +++ b/tailscale-1.84.1.tar.gz 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d2931c68f0ec823d6f05c3b75fc1876263dfd9438a8ae7a506c8d8fc9c2df90f +size 69401229 diff --git a/tailscale-1.84.2.tar.gz b/tailscale-1.84.2.tar.gz new file mode 100644 index 0000000..358ee1e --- /dev/null +++ b/tailscale-1.84.2.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a60ae898526ef200e178620e784af282513c723ff36b2763999ac79a7dfcc285 +size 70391896 diff --git a/tailscale-1.84.3.tar.gz b/tailscale-1.84.3.tar.gz new file mode 100644 index 0000000..1f2fd25 --- /dev/null +++ b/tailscale-1.84.3.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0700392e77df016436a1591c6caf4e69e7ec42bd1bb6a4d5092af05929508945 +size 71016944 diff --git a/tailscale-1.86.0.tar.gz b/tailscale-1.86.0.tar.gz new file mode 100644 index 0000000..1c72f42 --- /dev/null +++ b/tailscale-1.86.0.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1c14de4a50ce9573b7eae7927563b06fbd3fab5062121feac30f1638c2736fe7 +size 72592826 diff --git a/tailscale.changes b/tailscale.changes new file mode 100644 index 0000000..24afb06 --- /dev/null +++ b/tailscale.changes 
@@ -0,0 +1,547 @@ +------------------------------------------------------------------- +Sat Jul 26 16:23:38 UTC 2025 - Richard Rahl + +- update to version 1.86.0: + * tsStateEncrypted device posture attribute for checking whether the + Tailscale client state is encrypted at rest + * Cross-site request forgery (CSRF) issue that may have resulted in a log in + error when accessing the web interface + * Recommended exit node when the previously recommended exit node is offline + * tailscale up --exit-node=auto:any and tailscale set --exit-node=auto:any + CLI commands track the recommended exit node and automatically switches to + it when available exit nodes or network conditions change + * tailscaled CLI command flag --encrypt-state encrypts the node state file on + the disk using trusted platform module (TPM) + +------------------------------------------------------------------- +Thu Jun 26 17:29:44 UTC 2025 - Richard Rahl + +- update to 1.84.3: + * ipn/ipnlocal: Update hostinfo to control on service config change + +------------------------------------------------------------------- +Tue Jun 10 15:36:55 UTC 2025 - Richard Rahl + +- update to 1.84.2: + * Re-enable setting —accept-dns by using TS_EXTRA_ARGS. 
This issue resulted + from stricter CLI arguments parsing introduced in Tailscale v1.84.0 + +------------------------------------------------------------------- +Fri May 30 06:23:15 UTC 2025 - Richard Rahl + +- update to 1.84.1: + * net/dns: cache dns.Config for reuse when compileConfig fails + +------------------------------------------------------------------- +Thu May 22 08:27:09 UTC 2025 - Richard Rahl + +- update to 1.84.0: + * The --reason flag is added to the tailscale down command + * ReconnectAfter policy setting, which configures the maximum period of time + between a user disconnecting Tailscale and the client automatically + reconnecting + * Tailscale CLI commands throw an error if multiple of the same flag are detected + * Network connectivity issues when creating a new profile or switching + profiles while using an exit node + * DNS-over-TCP fallback works correctly with upstream servers reachable only + via the tailnet +- remove fix-CVE-2025-22869.patch, as upstream updated their dependencies + +------------------------------------------------------------------- +Fri Apr 18 07:37:15 UTC 2025 - Richard Rahl + +- update to 1.82.5: + * A panic issue related to CUBIC congestion control in userspace mode is resolved. + +------------------------------------------------------------------- +Thu Mar 27 19:50:58 UTC 2025 - Richard Rahl + +- update to 1.82.0: + * DERP functionality within the client supports certificate pinning for + self-signed IP address certificates for those unable to use Let's Encrypt + or WebPKI certificates. + * Go is updated to version 1.24.1 + * NAT traversal code uses the DERP connection that a packet arrived on as an + ultimate fallback route if no other information is available + * Captive portal detection reliability is improved on some in-flight Wi-Fi networks + * Port mapping success rate is improved + * Helsinki is added as a DERP region. 
+ +------------------------------------------------------------------- +Wed Mar 12 09:07:49 UTC 2025 - Richard Rahl + +- add patch fix-CVE-2025-22869.patch, fixes bsc#1239353 + +------------------------------------------------------------------- +Tue Mar 4 13:42:34 UTC 2025 - Richard Rahl + +- update to 1.80.3: + * appc: fix a deadlock in route advertisements + * client/web: fix CSRF handler order in web UI + +------------------------------------------------------------------- +Thu Feb 13 14:30:28 UTC 2025 - Richard Rahl + +- update to 1.80.2: + * Use ip:country as a geolocation device posture attribute (generally available). + +------------------------------------------------------------------- +Thu Feb 6 19:52:22 UTC 2025 - Richard Rahl + +- update to 1.80.1: + * net/netmon: add extra panic guard around ParseRIB + +------------------------------------------------------------------- +Fri Jan 31 17:20:29 UTC 2025 - Richard Rahl + +- update to 1.80.0: + * Hostname system policy is added for overriding the device hostname + configured by the operating system, using an MDM solution. + * Web interface displays a Login button instead of the Reauthenticate button + when adding a new device to your tailnet. + * Tailscale Funnel configuration on devices displays errors when incoming + connections are not permitted and connections are disallowed. + * Connections to a custom coordination server that does not support HTTPS + will no longer fail when a custom port number is specified. + * TLS certificate requests from Let’s Encrypt include the device's DNS name + in the CSR’s SAN extension and set the Common Name field. + * Tailscale Funnel disabled on a device no longer displays enabled in the + admin console. 
+ * GitHub username change automatically updates tailnet name + * 4via6 subnet routers GA + * Auto approvers GA + * Node attributes GA + * Download invoices GA + * Fast user switching GA + * Configuration log streaming integration with S3 buckets GA + * Network flow log streaming integration with S3 buckets GA + * NextDNS profiles per device GA + * GitHub secret scanning +- remove fix-CVE-2024-45337.patch, as it's now included + +------------------------------------------------------------------- +Wed Dec 18 17:33:23 UTC 2024 - Richard Rahl + +- add patch fix-CVE-2024-45337.patch, to circumevent a possibility + of exploiting the golang-x-crypto security hole. (fix #1234506) + +------------------------------------------------------------------- +Fri Dec 13 05:06:26 UTC 2024 - Richard Rahl + +- update to 1.78.3: + * cmd/containerboot: fix nil pointer exception + * hostinfo: fix testing in container + +------------------------------------------------------------------- +Fri Dec 6 01:22:05 UTC 2024 - Richard Rahl + +- update to 1.78.1: + * health: fix TestHealthMetric + +------------------------------------------------------------------- +Thu Dec 5 22:10:32 UTC 2024 - Richard Rahl + +- update to 1.78.0: + * Client metrics have been added, to provide insights into Tailscale client + behavior, health, and performance. + * tailscale metrics command has been added, to expose and collect client + metrics for use with third-party monitoring systems. + * tailscale syspolicy command has been added, to list system policies, reload + system policies, or view errors related to the system policies configured + on the device. + * Tailscale system policies are applied immediately when pushed via mobile + device management (MDM) or Group Policy, without requiring a client restart. + * Tailscale SSH session recording detects the disappearance of the recorder + node sooner. This fix addresses a security vulnerability described + in TS-2024-013. 
+ * New scopes for OAuth clients have been added with more granular permissions. + Existing OAuth clients using the previous set of scopes, and keys generated + using these clients, are still valid. + +------------------------------------------------------------------- +Fri Nov 8 03:46:50 UTC 2024 - Richard Rahl + +- update to 1.76.6: + * Logging for when clients move home DERP regions is improved. + * Tailscale clients no longer move their home DERP server prematurely in + response to unusual latency at very specific times. + +------------------------------------------------------------------- +Tue Oct 22 18:34:42 UTC 2024 - Richard Rahl + +- update to 1.76.3: + * no relevant changelog +- update to 1.76.2: + * no relevant changelog +- switch over to the new %{default_fw_backend} macro +- create old init file only for < leap 16 + +------------------------------------------------------------------- +Wed Oct 16 20:40:31 UTC 2024 - Richard Rahl + +- update to 1.76.1: + * tailscale netcheck CLI command no longer crashes when performing diagnostics + on networks lacking UDP connectivity. + * Improperly formatted SERVFAIL responses no longer cause DNS timeouts when using an exit node. + * dbus login sessions no longer fail on systems where /bin/login is missing. + +------------------------------------------------------------------- +Mon Oct 14 13:06:13 UTC 2024 - Alexandre Vicenzi + +- Require a firewall backend (boo#1228829) +- Add simple test check to ensure binaries are working + +------------------------------------------------------------------- +Fri Oct 11 06:07:28 UTC 2024 - Richard Rahl + +- update to 1.76.0: + * Clients lacking UDP connectivity no longer skip performing fallback latency + measurements with DERP servers. + * Warnings no longer display unnecessarily. + * Tailscale connectivity on in-flight internet on airplanes (such as Alaska Airlines) no longer fails. 
+ * Service-related processes no longer run unnecessarily when services are disabled on the tailnet. + * Error messages include explanations in addition to the HTTP status code. + * Tailscale SSH supports sending environment variables to hosts. It's also possible to specify + permitted environment variables using the acceptEnv field. + * Tailscale SSH no longer breaks some terminal applications by omitting pixel width and height when + resizing the application window. + +------------------------------------------------------------------- +Sat Sep 21 05:28:42 UTC 2024 - Eric Torres + +- Change path of zsh completion file to make zsh properly recognize completions + * /usr/share/zsh/site-functions/tailscale moved to /usr/share/zsh/site-functions/_tailscale + +------------------------------------------------------------------- +Wed Sep 18 19:10:19 UTC 2024 - Richard Rahl + +- update to 1.74.1: + * wgengine/magicsock: disable raw disco by default; add envknob to enable + +------------------------------------------------------------------- +Fri Sep 13 10:48:17 UTC 2024 - Richard Rahl + +- update to 1.74.0 + * AuthKey system policy can be used to authenticate a device with Tailscale using an MDM solution. + * tailscale dns CLI command is added for accessing Tailscale DNS settings and status. + * Tailnet Lock long rotation signatures are truncated automatically to avoid excessive growth. + * Log In option in the client works as expected. + * TCP generic receive offload (GRO) support is added for improved userspace mode throughput. + * TCP generic segmentation offload (GSO) is re-introduced for supporting improved userspace mode throughput. + This was initially introduced in Tailscale v1.72.0 and then rolled back in v1.72.1. + * Device posture integration with CrowdStrike Falcon can now use MAC addresses to match devices that lack serial numbers. + When Falcon integration is configured, Device Identity Collection will automatically collect MAC addresses. 
+ +------------------------------------------------------------------- +Thu Aug 22 22:08:51 UTC 2024 - Richard Rahl + +- update to 1.72.1: + * DNS over TCP failures when querying the Tailscale-internal resolver are fixed. + +------------------------------------------------------------------- +Wed Aug 21 16:05:02 UTC 2024 - rrahl0@opensuse.org + +- Update to version 1.72.0: + * posture: deduplicate MAC addresses before returning them + * health/dns: reduce severity of DNS unavailable warning + * safeweb: add Server.Close method + * go.mod.sri: update SRI hash for go.mod changes + * go.{mod,sum}: migrate from nhooyr.io/websocket to github.com/coder/websocket + * cmd/viewer: add support for map-like container types +- update golang(API) to 1.23 +- export version variables, to circumvent a bug + +------------------------------------------------------------------- +Thu Jul 18 06:31:58 UTC 2024 - Richard Rahl + +- update to 1.70.0: + * New: Restrict recommended and automatically selected exit nodes using the + new AllowedSuggestedExitNodes system policy. Applies only to platforms that + support system policies. + * Changed: Improved NAT traversal for some uncommon scenarios. + * Changed: Optimized sending firewall rules to clients more efficiently. + * Fixed: Exit node suggestion CLI command now prints the hostname. + * Fixed: Taildrive share paths configured through the CLI resolve relative + to where you run the tailscale command. + +------------------------------------------------------------------- +Tue Jul 2 20:35:35 UTC 2024 - Richard Rahl + +- update to 1.68.2: + * Fixed: Tailnet lock validation of rotation signatures now permits multiple nodes + signed by the same pre-signed reusable auth key. + +------------------------------------------------------------------- +Sun Jun 16 13:30:20 UTC 2024 - Richard Rahl + +- update to 1.68.1: + * Fixed: 4via6 subnet router advertisement works as expected. 
+ * Fixed: Tailscale SSH access to Security-Enhanced Linux (SELinux) machines works as expected. +- update to 1.68.0: + * New: Auto-updates are allowed in containers, but ignore the tailnet-wide default + * New: Apply auto-updates even if the node is down or disconnected from the coordination server. + * New: tailscale lock status now prints the node's signature. + +------------------------------------------------------------------- +Wed May 22 08:36:37 UTC 2024 - Richard Rahl + +- update to 1.66.4: + * Fixed: Restored UDP connectivity through Mullvad exit nodes + * Stateful filtering is now off by default + +- update to 1.66.3: + * Login URLs did not always appear in the console when running tailscale up + * Starting with v1.66, the Kubernetes operator must always run the same or later version + as the proxies it manages. + * Expose cloud services on cluster network to the tailnet, using Kubernetes ExternalName Services + * Expose tailnet services that use Tailscale HTTPS to cluster workloads + * Cluster workloads can now refer to Tailscale Ingress resources by their MagicDNS names + * Configure environment variables for Tailscale Kubernetes operator proxies using ProxyClass CRD + * Expose tailscaled metrics endpoint for Tailscale Kubernetes operator proxies through ProxyClass CRD + * Configure labels for the Kubernetes operator Pods with Helm chart values + * Configure affinity rules for Kubernetes operator proxy Pods with ProxyClass + * Kubernetes operator proxy init container no longer attempts to enable IPv6 forwarding on systems + that don't have IPv6 module loaded + * Tailscale containers running on Kubernetes no longer error if an empty Kubernetes Secret is + pre-created for the tailscaled state + * Improved the ambiguous error messages when Tailscale running on Kubernetes does not have the right + permissions to perform actions against the tailscaled state Secret + +------------------------------------------------------------------- +Fri May 10 15:16:33 
UTC 2024 - Richard Rahl + +- update to 1.66.1: + * Resolved issues with nftables rules for stateful filtering, + introduced in v1.66.0. + * tailscale set command flags --netfilter-mode, --snat-subnet-routes, + and --stateful-filtering are added. + +- update to 1.66.0: + * Implemented client-side quarantining for shared-in exit nodes, + as a mitigation for a security vulnerability described in TS-2024-005. + * Use the --stateful-filtering flag for the tailscale up to enable stateful filtering for + subnet routers and exit nodes, as a mitigation for a security vulnerability described + in TS-2024-005. + * Added tab completions + * Use the tailscale exit-node suggest command to automatically pick an available exit node + that is likely to perform best. + * Site-to-site networking now also requires --stateful-filtering=false in addition to + --snat-subnet-routes=false on new subnet routers. Existing subnet routers with --snat-subnet-routes=false + will default to --stateful-filtering=false. + +- update to 1.64.2: + * nothing relevant for linux + +- update to 1.64.1: + * nothing relevant for linux + +- update to 1.64.0: + * New: tailscale configure kubeconfig now respects KUBECONFIG environment variable. + * Fixed: tailscale configure kubeconfig now works with partially empty kubeconfig. + * Fixed: MSS clamping for Kubernetes operator proxies using nftables. + * Fixed: Containers on hosts with partial support for ip6tables no longer crash. 
+ +- turn of changelog generation +- add completions for bash + +------------------------------------------------------------------- +Sat Mar 30 08:28:56 UTC 2024 - Richard Rahl + +- update to 1.62.1: + * Send load balancing hint HTTP request header + * Fixed: Kubernetes operator proxies should not accept subnet routes + +------------------------------------------------------------------- +Thu Mar 14 03:13:54 UTC 2024 - rrahl0@proton.me + +- update to 1.62.0: + * IPv6 support detection in a container environment is improved + * New: Web interface now uses ACL grants to manage access on tagged devices + * Tailscale SSH connections now disable unnecessary hostname canonicalization + * tailscale bugreport command for generating diagnostic logs now contain ethtool information + * Mullvad's family-friendly server is added to the list of well known DNS over HTTPS (DoH) servers + * DNS over HTTP requests now contain a timeout + * TCP forwarding attempts in userspace mode now have a per-client limit + * Endpoints with link-local IPv6 addresses is preferred over private addresses + * WireGuard logs are less verbose + * Go min. 
version 1.22.1 + * DERP server region no longer changes if connectivity to the new DERP region is degraded + +- update to 1.60.1: + * Exposing port 8080 to other devices on your tailnet works as expected + +------------------------------------------------------------------- +Tue Feb 20 22:10:41 UTC 2024 - Alexandre Vicenzi + +- Add disable-auto-update.patch to prevent auto updates and instead + ask users to use Zypper to update manually + +------------------------------------------------------------------- +Tue Feb 20 14:52:46 UTC 2024 - Richard Rahl + +- change to the non deprecated manualrun + +------------------------------------------------------------------- +Fri Feb 16 14:38:14 UTC 2024 - alexandre.vicenzi@suse.com + +- Spec cleanup + * Use tar_scm to avoid commit hashes in the spec + * Use tailscale build scripts + * Drop ProtectClock fix for Leap, DeviceAllow fixes it +- Add build-verbose.patch to get go flags into build log +- Enable PrivateDevices but allow access to /dev/net/tun in tailscaled.service + +------------------------------------------------------------------- +Fri Feb 16 00:50:26 UTC 2024 - Richard Rahl + +- update to 1.60.0: + * minimum go version 1.22 + * authentication: present users with a valid login page when + attempting to login even after leaving device unattended for several days + * networking: mute noisy peer mtu discovery errors + * networking: expose gVisor metrics in debug mode + * port mapper: support legacy "urn:dslforum-org" port mapping services + * port mapper: fix crash when no support mapping services found + * ssh: log warning when unable to find SSH host keys + * serve: improve error message when running as non-root + * Detect when Tailscale is running on Digital Ocean and automatically + use Digital Ocean's DNS resolvers + * enable app connectors to install routes for domains that resolve to CNAME + records + * support pre-configured routes from control server + * add new read-only mode + * tailscale status command: 
fix output formatting Tailnet + includes location-based exit nodes + * a new ProxyClass custom resource that allows to provide custom + configuration for cluster resources that the operator creates + * ACL tags for the operator can now be configured via Helm chart values + * routing to Ingress backends that require an exact path without a slash + +------------------------------------------------------------------- +Wed Feb 7 14:52:53 UTC 2024 - Richard Rahl + +- make rpm not overwrite /etc/default/taiscaled +- defattr everything to root + +------------------------------------------------------------------- +Sat Feb 3 11:18:05 UTC 2024 - Richard Rahl + +- no stripping of binaries +- add commitID to binaries for upstream +- add directory for saved configs + +------------------------------------------------------------------- +Tue Jan 23 23:54:36 UTC 2024 - Richard Rahl + +- switch services to manual +- update to version 1.58.2: + * Fixed: [App connectors][app-connectors] have improved scheduling + and merging of route changes under some conditions + * Fixed: Crash when performing UPnP portmapping on older routers + with no supported portmapping services + +------------------------------------------------------------------- +Fri Jan 19 08:06:27 UTC 2024 - Richard Rahl + +- update to version 1.58.0: + * portmap: check the epoch from NAT-PMP & PCP, establish new portmapping if it changes + * portmap: better handle multiple interfaces + * portmap: handle multiple UPnP discovery responses + * increase the number of 4via6 site IDs from 256 to 65,536 + * taildrop: allow category Z unicode characters + * increased binary size with 1.56 is resolved in 1.58 + * Reduce home DERP flapping when there's still an active connection + * device web ui: fixed issue when accessing shared devices + * device web ui: fixed login issue when accessed over https + +------------------------------------------------------------------- +Wed Jan 10 02:17:57 UTC 2024 - Richard Rahl + +- fix an 
issue with Leap, where ProtectClock prevents to connect to + /dev/net/tun + +------------------------------------------------------------------- +Fri Dec 15 21:22:39 UTC 2023 - Richard Rahl + +- update to version 1.56.1: + * Fixed: Web interface redirects to the correct self IP known by source peer + * Fixed: Usage of slices.Compact from app connector domains list + +------------------------------------------------------------------- +Fri Dec 15 13:48:28 UTC 2023 - Richard Rahl + +- fix version output to what upstream expects + +------------------------------------------------------------------- +Wed Dec 13 22:08:30 UTC 2023 - rrahl0@proton.me + +- Update to version 1.56.0: + * improve responsiveness under load, especially with bidirectional traffic + * improve UPnP portmapping + * add tailscale whois subcommand to observe metadata associated with a Tailscale IP + * include tailnet name and profile ID in tailscale switch --list to disambiguate + profiles with common login names + * improve tailscale web interface for configuring some device settings such as exit nodes, + subnet routers, and Tailscale SSH + * improve containerboot to symlink its socket file if possible, + making the tailscale CLI work without --socket=/tmp/tailscale.sock + * add support in Kubernetes operator cluster egress for referring to a tailnet service + by its MagicDNS name + + +- Update to version 1.54.1: + * no relevant updates to the linux version + +------------------------------------------------------------------- +Fri Nov 24 21:59:11 UTC 2023 - Richard Rahl + +- tailscale couldn't connect to /dev/net/tun + +------------------------------------------------------------------- +Thu Nov 23 06:51:24 UTC 2023 - rrahl0@proton.me + +- Update to version 1.54.0: + * improve throughput substantially for UDP packets over TUN device with recent Linux kernels + + +- Update to version 1.52.1: + * no linux improvements + +- Update to version 1.52.0: + * tailscale set command flag --auto-update is 
added to opt in to automatic client updates + * tailscale serve and tailscale funnel commands are updated for improved usability + * tailscale update command for manual updates is now in beta + * Taildrop file transfer displays a progress meter + * nftables auto-detection is improved when TS_DEBUG_FIREWALL_MODE=auto is used + * DNS detection of NetworkManager with configured but absent systemd-resolved + * Taildrop now resumes file transfers after partial transfers are interrupted + * tailscale up command displays a message about client updates when newer versions are available + * tailscale status command displays a message about client updates when newer versions are available + * tailscale cert command renews in the background. The current certificate only displays if it has expired. + +------------------------------------------------------------------- +Mon Oct 02 23:51:03 UTC 2023 - rrahl0@proton.me + +- Update to version 1.50.1: + * fix bug where serve config could get wiped + * Funnel support for tsnet apps + * fix potential crash with UPnP + +------------------------------------------------------------------- +Sat Sep 30 19:38:50 UTC 2023 - rrahl0@proton.me + +- Update to version 1.50.0: + * Update tailscale{,d} licenses + * Update Quad9 addresses and references + * Adds support for Wikimedia DNS using DNS-over-HTTPS + +- Update to version 1.48.1: + * no relevant updates + +- Update to version 1.48.2: + * Improvements to Mullvad exit nodes + +------------------------------------------------------------------- +Fri Aug 18 15:56:24 UTC 2023 - Richard Rahl + +- Initial revision diff --git a/tailscale.spec b/tailscale.spec new file mode 100644 index 0000000..f0703be --- /dev/null +++ b/tailscale.spec 
@@ -0,0 +1,143 @@
+#
+# spec file for package tailscale
+#
+# Copyright (c) 2025 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name: tailscale
+Version: 1.86.0
+Release: 0
+Summary: The easiest, most secure way to use WireGuard and 2FA
+License: BSD-3-Clause
+URL: https://github.com/tailscale/tailscale
+Source: %{name}-%{version}.tar.gz
+Source1: vendor.tar.gz
+Source2: %{name}d.service
+Source3: %{name}d.defaults
+Patch0: build-verbose.patch
+Patch1: disable-auto-update.patch
+BuildRequires: bash-completion
+BuildRequires: fish
+BuildRequires: git-core
+BuildRequires: golang-packaging
+BuildRequires: zsh
+BuildRequires: golang(API) >= 1.24
+Requires: %{default_firewall_backend}
+ExcludeArch: i586
+%{?systemd_requires}
+
+%description
+Tailscale is a modern VPN built on top of Wireguard. It works like an overlay
+network between the computers of your networks using NAT traversal.
+
+%package bash-completion
+Summary: Tailscale bash completion
+Supplements: (%{name} and bash-completion)
+BuildArch: noarch
+
+%description bash-completion
+bash completions for %{name}
+
+%package zsh-completion
+Summary: Tailsacle zsh completion
+Supplements: (%{name} and zsh)
+BuildArch: noarch
+
+%description zsh-completion
+zsh completion for %{name}
+
+%package fish-completion
+Summary: Tailscale fish completion
+Supplements: (%{name} and fish)
+BuildArch: noarch
+
+%description fish-completion
+fish completion for %{name}
+
+%prep
+%autosetup -a1 -p1
+
+%build
+%ifnarch ppc64
+export GOFLAGS="-buildmode=pie"
+%endif
+export VERSION_SHORT=%{version}
+export VERSION_LONG=%{version}
+export VERSION_GIT_HASH='$(git rev-parse v%{version})'
+./build_dist.sh ./cmd/%{name}
+./build_dist.sh ./cmd/%{name}d
+
+#generate completions
+./%{name} completion bash > ./%{name}.bash
+./%{name} completion zsh > ./%{name}.zsh
+./%{name} completion fish > ./%{name}.fish
+
+%check
+./%{name} version
+./%{name}d -version
+
+%install
+mkdir -p %{buildroot}%{_sharedstatedir}/%{name}
+
+install -D -p -m 0755 %{name} %{buildroot}%{_bindir}/%{name}
+install -D -p -m 0755 %{name}d %{buildroot}%{_sbindir}/%{name}d
+
+# service
+install -D -p -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/%{name}d.service
+%if 0%{?suse_version} < 1600
+ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}d
+%endif
+
+# defaults
+install -D -p -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/default/%{name}d
+
+install -D -p -m 0644 ./%{name}.bash %{buildroot}%{_datadir}/bash-completion/completions/%{name}
+install -D -p -m 0644 ./%{name}.zsh %{buildroot}%{_datadir}/zsh/site-functions/_%{name}
+install -D -p -m 0644 ./%{name}.fish %{buildroot}%{_datadir}/fish/vendor_completions.d/%{name}
+
+%pre
+%service_add_pre %{name}d.service
+
+%post
+%service_add_post %{name}d.service
+
+%preun
+%service_del_preun %{name}d.service
+
+%postun
+%service_del_postun %{name}d.service
+
+%files
+%license LICENSE PATENTS
+%doc README.md SECURITY.md
+%config(noreplace) %{_sysconfdir}/default/%{name}d
+%dir %{_sharedstatedir}/%{name}
+%{_bindir}/%{name}
+%{_sbindir}/%{name}d
+%{_unitdir}/%{name}d.service
+%if 0%{?suse_version} < 1600
+%{_sbindir}/rc%{name}d
+%endif
+
+%files bash-completion
+%{_datadir}/bash-completion/completions/%{name}
+
+%files zsh-completion
+%{_datadir}/zsh/site-functions/_%{name}
+
+%files fish-completion
+%{_datadir}/fish/vendor_completions.d/%{name}
+
+%changelog
diff --git a/tailscaled.defaults b/tailscaled.defaults
new file mode 100644
index 0000000..75f1c3e
--- /dev/null
+++ b/tailscaled.defaults
@@ -0,0 +1,8 @@
+# Set the port to listen on for incoming VPN packets.
+# Remote nodes will automatically be informed about the new port number,
+# but you might want to configure this in order to set external firewall
+# settings.
+PORT="41641"
+
+# Extra flags you might want to pass to tailscaled.
+FLAGS=""
diff --git a/tailscaled.service b/tailscaled.service
new file mode 100644
index 0000000..b67b94d
--- /dev/null
+++ b/tailscaled.service
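Review bot: `%dir %{_sharedstatedir}/%{name}` is packaged with whatever mode `mkdir -p` in `%install` leaves (0755 under the usual build umask), but the unit added by this same patch sets `StateDirectoryMode=0700` on that directory and its `ExecStart` keeps `tailscaled.state` — the node's private key material — inside it; systemd will chmod it on first start and `rpm -V tailscale` will then report the mismatch, so package it as `%dir %attr(0700,root,root) %{_sharedstatedir}/%{name}` so the key directory is never world-listable, not even between install and first start. In `%build`, `export VERSION_GIT_HASH='$(git rev-parse v%{version})'` is single-quoted, so the shell exports the literal text `$(git rev-parse v1.86.0)` rather than a hash; unless something in build_dist.sh evaluates that string itself, this should be double-quoted — and it can only work if the tar_scm tarball still contains `.git`, which the `./tailscale version` output in `%check` would show. The zsh-completion `Summary` also misspells the name as `Tailsacle`.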
@@ -0,0 +1,35 @@
+[Unit]
+Description=Tailscale node agent
+Documentation=https://tailscale.com/kb/
+Wants=network-pre.target
+After=network-pre.target NetworkManager.service systemd-resolved.service
+
+[Service]
+EnvironmentFile=/etc/default/tailscaled
+ExecStartPre=/usr/sbin/tailscaled --cleanup
+ExecStart=/usr/sbin/tailscaled --state=/var/lib/tailscale/tailscaled.state --socket=/run/tailscale/tailscaled.sock --port=${PORT} $FLAGS
+ExecStopPost=/usr/sbin/tailscaled --cleanup
+Restart=on-failure
+RuntimeDirectory=tailscale
+RuntimeDirectoryMode=0755
+StateDirectory=tailscale
+StateDirectoryMode=0700
+CacheDirectory=tailscale
+CacheDirectoryMode=0750
+Type=notify
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+PrivateDevices=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+RestrictRealtime=true
+# give permission to TUN
+BindPaths=/dev/net/tun
+DeviceAllow=/dev/net/tun rw
+
+[Install]
+WantedBy=multi-user.target
diff --git a/vendor.tar.gz b/vendor.tar.gz
new file mode 100644
index 0000000..dd37f2c
--- /dev/null
+++ b/vendor.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:29e499c996335ac170f4de639a23d31e2758232dc5a98c891d70ee363d158a82
+size 20170715
-- 
2.51.1
From 9967c0490ecce1c5990cb7bccb8fd5d1e7027945aebc611cc62c112effb7e887 Mon Sep 17 00:00:00 2001
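Review bot: The hardening block lists nine `Protect*`/`Restrict*` options but has no `ProtectSystem=` line and no comment recording why it was left out, so the next maintainer following the linked openSUSE hardening page will likely add `ProtectSystem=strict` and break the daemon. As far as I know tailscaled rewrites `/etc/resolv.conf` when it manages DNS on hosts without resolved/NetworkManager (the `After=` line hints at that integration), and Tailscale SSH spawns login shells inside this sandbox, which is also why `ProtectHome=true` deserves a second look: those sessions, and Taildrop deliveries, would see an empty `/home` — please confirm on a node with Tailscale SSH enabled before shipping. I would add `# ProtectSystem= deliberately omitted: tailscaled must write /etc/resolv.conf when managing DNS` and `# ProtectHome=true is incompatible with Tailscale SSH / Taildrop sessions (they inherit this namespace); drop it if those are used` above `PrivateDevices=true`, or remove `ProtectHome=true` outright. `StateDirectoryMode=0700` is the right choice given that `tailscaled.state` holds the node key; the rpm `%dir` entry for the same directory should carry the same mode.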
From: Richard Rahl Date: Tue, 29 Jul 2025 21:54:32 +0000 Subject: [PATCH 08/25] - update to version 1.86.2: * A deadlock issue that may have occurred in the client * An occasional crash when establishing a new port mapping with a gateway or firewall OBS-URL: https://build.opensuse.org/package/show/network:vpn/tailscale?expand=0&rev=87 --- .gitattributes | 23 ++ .gitignore | 1 + _service | 17 + _servicedata | 4 + build-verbose.patch | 13 + disable-auto-update.patch | 25 ++ fix-CVE-2024-45337.patch | 727 ++++++++++++++++++++++++++++++++++++++ fix-CVE-2025-22869.patch | 80 +++++ tailscale-1.70.0.tar.gz | 3 + tailscale-1.72.1.tar.gz | 3 + tailscale-1.74.0.tar.gz | 3 + tailscale-1.74.1.tar.gz | 3 + tailscale-1.76.1.tar.gz | 3 + tailscale-1.76.3.tar.gz | 3 + tailscale-1.76.6.tar.gz | 3 + tailscale-1.78.1.tar.gz | 3 + tailscale-1.78.3.tar.gz | 3 + tailscale-1.80.0.tar.gz | 3 + tailscale-1.80.1.tar.gz | 3 + tailscale-1.80.2.tar.gz | 3 + tailscale-1.80.3.tar.gz | 3 + tailscale-1.82.0.tar.gz | 3 + tailscale-1.82.5.tar.gz | 3 + tailscale-1.84.1.tar.gz | 3 + tailscale-1.84.2.tar.gz | 3 + tailscale-1.84.3.tar.gz | 3 + tailscale-1.86.0.tar.gz | 3 + tailscale-1.86.2.tar.gz | 3 + tailscale.changes | 555 +++++++++++++++++++++++++++++ tailscale.spec | 143 ++++++++ tailscaled.defaults | 8 + tailscaled.service | 35 ++ vendor.tar.gz | 3 + 33 files changed, 1694 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 _service create mode 100644 _servicedata create mode 100644 build-verbose.patch create mode 100644 disable-auto-update.patch create mode 100644 fix-CVE-2024-45337.patch create mode 100644 fix-CVE-2025-22869.patch create mode 100644 tailscale-1.70.0.tar.gz create mode 100644 tailscale-1.72.1.tar.gz create mode 100644 tailscale-1.74.0.tar.gz create mode 100644 tailscale-1.74.1.tar.gz create mode 100644 tailscale-1.76.1.tar.gz create mode 100644 tailscale-1.76.3.tar.gz create mode 100644 tailscale-1.76.6.tar.gz create mode 100644 
tailscale-1.78.1.tar.gz create mode 100644 tailscale-1.78.3.tar.gz create mode 100644 tailscale-1.80.0.tar.gz create mode 100644 tailscale-1.80.1.tar.gz create mode 100644 tailscale-1.80.2.tar.gz create mode 100644 tailscale-1.80.3.tar.gz create mode 100644 tailscale-1.82.0.tar.gz create mode 100644 tailscale-1.82.5.tar.gz create mode 100644 tailscale-1.84.1.tar.gz create mode 100644 tailscale-1.84.2.tar.gz create mode 100644 tailscale-1.84.3.tar.gz create mode 100644 tailscale-1.86.0.tar.gz create mode 100644 tailscale-1.86.2.tar.gz create mode 100644 tailscale.changes create mode 100644 tailscale.spec create mode 100644 tailscaled.defaults create mode 100644 tailscaled.service create mode 100644 vendor.tar.gz diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc 
diff --git a/_service b/_service new file mode 100644 index 0000000..26111e9 --- /dev/null +++ b/_service @@ -0,0 +1,17 @@ + + + https://github.com/tailscale/tailscale.git + git + yes + refs/tags/v1.86.2 + @PARENT_TAG@ + v(.*) + disable + + + *.tar + gz + + + + diff --git a/_servicedata b/_servicedata new file mode 100644 index 0000000..d4fed67 --- /dev/null +++ b/_servicedata @@ -0,0 +1,4 @@ + + + https://github.com/tailscale/tailscale.git + aa448d5a9985378af04966c6d7aec8d9f4a166ca \ No newline at end of file diff --git a/build-verbose.patch b/build-verbose.patch new file mode 100644 index 0000000..5da7533 --- /dev/null +++ b/build-verbose.patch @@ -0,0 +1,13 @@ +diff --git a/build_dist.sh b/build_dist.sh +index 0c757c26..9639d596 100755 +--- a/build_dist.sh ++++ b/build_dist.sh +@@ -9,7 +9,7 @@ + # this script, or executing equivalent commands in your + # distro-specific build system. + +-set -eu ++set -eux + + go="go" + if [ -n "${TS_USE_TOOLCHAIN:-}" ]; then diff --git a/disable-auto-update.patch b/disable-auto-update.patch new file mode 100644 index 0000000..c7d8a30 --- /dev/null +++ b/disable-auto-update.patch 
@@ -0,0 +1,25 @@ +diff -rub tailscale/clientupdate/clientupdate.go tailscale-patched/clientupdate/clientupdate.go +--- tailscale/clientupdate/clientupdate.go 2024-06-16 15:26:31.323022871 +0200 ++++ tailscale-patched/clientupdate/clientupdate.go 2024-06-16 15:57:08.732315446 +0200 +@@ -205,6 +205,8 @@ + // The distro.Debian switch case above should catch most apt-based + // systems, but add this fallback just in case. + return up.updateDebLike, true ++ case haveExecutable("zypper"): ++ return up.updateSUSE, false + case haveExecutable("dnf"): + return up.updateFedoraLike("dnf"), true + case haveExecutable("yum"): +@@ -526,6 +528,12 @@ + you can use "pacman --sync --refresh --sysupgrade" or "pacman -Syu" to upgrade the system, including Tailscale.`) + } + ++func (up *Updater) updateSUSE() error { ++ // SUSE-based distros should update manually. ++ // The package can come from official Tailscale repos or not and the system can be transactional or not. ++ return errors.New(`Use Zypper or transactional-update (on applicable systems) to update Tailscale on openSUSE or SUSE Linux Enterprise installations.`) ++} ++ + func (up *Updater) updateNixos() error { + // NixOS package updates are managed on a system level and not individually. + // Direct users to update their nix channel or nixpkgs flake input to diff --git a/fix-CVE-2024-45337.patch b/fix-CVE-2024-45337.patch new file mode 100644 index 0000000..1fbec70 --- /dev/null +++ b/fix-CVE-2024-45337.patch 
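Review bot: The new `case haveExecutable("zypper")` is inserted ahead of the `dnf`/`yum` cases without a comment saying that its position is load-bearing: openSUSE also packages dnf, so a host with both installed would otherwise be routed to `updateFedoraLike`, which as far as I recall installs Tailscale's own yum repository and replaces the distro package — exactly the self-update path this patch exists to block. I would add `// zypper must be checked before dnf/yum: openSUSE can ship dnf too and must never take the Fedora path.` directly above the new case. The `false` returned as the second value presumably disables auto-updates entirely rather than only swapping the updater, matching what `updateNixos` does; that meaning is inferred from the surrounding cases, so it is worth a one-line comment on `updateSUSE` and a check against the function signature, which lies outside this hunk.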
@@ -0,0 +1,727 @@ +From 73128e25230fda8c82696ed0ffef991bce68cecc Mon Sep 17 00:00:00 2001 +From: Brad Fitzpatrick +Date: Thu, 12 Dec 2024 09:38:07 -0800 +Subject: [PATCH] ssh/tailssh: remove unused public key support + +When we first made Tailscale SSH, we assumed people would want public +key support soon after. Turns out that hasn't been the case; people +love the Tailscale identity authentication and check mode. + +In light of CVE-2024-45337, just remove all our public key code to not +distract people, and to make the code smaller. We can always get it +back from git if needed. + +Updates tailscale/corp#25131 +Updates golang/go#70779 + +Co-authored-by: Percy Wegmann +Change-Id: I87a6e79c2215158766a81942227a18b247333c22 +Signed-off-by: Brad Fitzpatrick +--- + Makefile | 1 - + ssh/tailssh/tailssh.go | 277 ++++-------------------------------- + ssh/tailssh/tailssh_test.go | 88 +----------- + tailcfg/tailcfg.go | 18 ++- + tailcfg/tailcfg_clone.go | 12 +- + tailcfg/tailcfg_view.go | 22 +-- + 6 files changed, 54 insertions(+), 364 deletions(-) + +diff --git a/Makefile b/Makefile +index 960f13885c11c..d3e50af0571b7 100644 +--- a/Makefile ++++ b/Makefile +@@ -116,7 +116,6 @@ sshintegrationtest: ## Run the SSH integration tests in various Docker container + GOOS=linux GOARCH=amd64 ./tool/go build -o ssh/tailssh/testcontainers/tailscaled ./cmd/tailscaled && \ + echo "Testing on ubuntu:focal" && docker build --build-arg="BASE=ubuntu:focal" -t ssh-ubuntu-focal ssh/tailssh/testcontainers && \ + echo "Testing on ubuntu:jammy" && docker build --build-arg="BASE=ubuntu:jammy" -t ssh-ubuntu-jammy ssh/tailssh/testcontainers && \ +- echo "Testing on ubuntu:mantic" && docker build --build-arg="BASE=ubuntu:mantic" -t ssh-ubuntu-mantic ssh/tailssh/testcontainers && \ + echo "Testing on ubuntu:noble" && docker build --build-arg="BASE=ubuntu:noble" -t ssh-ubuntu-noble ssh/tailssh/testcontainers && \ + echo "Testing on alpine:latest" && docker build --build-arg="BASE=alpine:latest" -t 
ssh-alpine-latest ssh/tailssh/testcontainers + +diff --git a/ssh/tailssh/tailssh.go b/ssh/tailssh/tailssh.go +index 7cb99c3813104..7f21ccd1182ee 100644 +--- a/ssh/tailssh/tailssh.go ++++ b/ssh/tailssh/tailssh.go +@@ -10,7 +10,6 @@ import ( + "bytes" + "context" + "crypto/rand" +- "encoding/base64" + "encoding/json" + "errors" + "fmt" +@@ -45,7 +44,6 @@ import ( + "tailscale.com/util/clientmetric" + "tailscale.com/util/httpm" + "tailscale.com/util/mak" +- "tailscale.com/util/slicesx" + ) + + var ( +@@ -80,16 +78,14 @@ type server struct { + logf logger.Logf + tailscaledPath string + +- pubKeyHTTPClient *http.Client // or nil for http.DefaultClient +- timeNow func() time.Time // or nil for time.Now ++ timeNow func() time.Time // or nil for time.Now + + sessionWaitGroup sync.WaitGroup + + // mu protects the following +- mu sync.Mutex +- activeConns map[*conn]bool // set; value is always true +- fetchPublicKeysCache map[string]pubKeyCacheEntry // by https URL +- shutdownCalled bool ++ mu sync.Mutex ++ activeConns map[*conn]bool // set; value is always true ++ shutdownCalled bool + } + + func (srv *server) now() time.Time { +@@ -204,7 +200,6 @@ func (srv *server) OnPolicyChange() { + // + // Do the user auth + // - NoClientAuthHandler +-// - PublicKeyHandler (only if NoClientAuthHandler returns errPubKeyRequired) + // + // Once auth is done, the conn can be multiplexed with multiple sessions and + // channels concurrently. 
At which point any of the following can be called +@@ -234,10 +229,9 @@ type conn struct { + finalAction *tailcfg.SSHAction // set by doPolicyAuth or resolveNextAction + finalActionErr error // set by doPolicyAuth or resolveNextAction + +- info *sshConnInfo // set by setInfo +- localUser *userMeta // set by doPolicyAuth +- userGroupIDs []string // set by doPolicyAuth +- pubKey gossh.PublicKey // set by doPolicyAuth ++ info *sshConnInfo // set by setInfo ++ localUser *userMeta // set by doPolicyAuth ++ userGroupIDs []string // set by doPolicyAuth + acceptEnv []string + + // mu protects the following fields. +@@ -268,9 +262,6 @@ func (c *conn) isAuthorized(ctx ssh.Context) error { + action := c.currentAction + for { + if action.Accept { +- if c.pubKey != nil { +- metricPublicKeyAccepts.Add(1) +- } + return nil + } + if action.Reject || action.HoldAndDelegate == "" { +@@ -293,10 +284,6 @@ func (c *conn) isAuthorized(ctx ssh.Context) error { + // policy. + var errDenied = errors.New("ssh: access denied") + +-// errPubKeyRequired is returned by NoClientAuthCallback to make the client +-// resort to public-key auth; not user visible. +-var errPubKeyRequired = errors.New("ssh publickey required") +- + // NoClientAuthCallback implements gossh.NoClientAuthCallback and is called by + // the ssh.Server when the client first connects with the "none" + // authentication method. +@@ -305,13 +292,12 @@ var errPubKeyRequired = errors.New("ssh publickey required") + // starting it afresh). It returns an error if the policy evaluation fails, or + // if the decision is "reject" + // +-// It either returns nil (accept) or errPubKeyRequired or errDenied +-// (reject). The errors may be wrapped. ++// It either returns nil (accept) or errDenied (reject). The errors may be wrapped. 
+ func (c *conn) NoClientAuthCallback(ctx ssh.Context) error { + if c.insecureSkipTailscaleAuth { + return nil + } +- if err := c.doPolicyAuth(ctx, nil /* no pub key */); err != nil { ++ if err := c.doPolicyAuth(ctx); err != nil { + return err + } + if err := c.isAuthorized(ctx); err != nil { +@@ -332,8 +318,6 @@ func (c *conn) nextAuthMethodCallback(cm gossh.ConnMetadata, prevErrors []error) + switch { + case c.anyPasswordIsOkay: + nextMethod = append(nextMethod, "password") +- case slicesx.LastEqual(prevErrors, errPubKeyRequired): +- nextMethod = append(nextMethod, "publickey") + } + + // The fake "tailscale" method is always appended to next so OpenSSH renders +@@ -353,41 +337,20 @@ func (c *conn) fakePasswordHandler(ctx ssh.Context, password string) bool { + return c.anyPasswordIsOkay + } + +-// PublicKeyHandler implements ssh.PublicKeyHandler is called by the +-// ssh.Server when the client presents a public key. +-func (c *conn) PublicKeyHandler(ctx ssh.Context, pubKey ssh.PublicKey) error { +- if err := c.doPolicyAuth(ctx, pubKey); err != nil { +- // TODO(maisem/bradfitz): surface the error here. +- c.logf("rejecting SSH public key %s: %v", bytes.TrimSpace(gossh.MarshalAuthorizedKey(pubKey)), err) +- return err +- } +- if err := c.isAuthorized(ctx); err != nil { +- return err +- } +- c.logf("accepting SSH public key %s", bytes.TrimSpace(gossh.MarshalAuthorizedKey(pubKey))) +- return nil +-} +- +-// doPolicyAuth verifies that conn can proceed with the specified (optional) +-// pubKey. It returns nil if the matching policy action is Accept or +-// HoldAndDelegate. If pubKey is nil, there was no policy match but there is a +-// policy that might match a public key it returns errPubKeyRequired. Otherwise, +-// it returns errDenied. +-func (c *conn) doPolicyAuth(ctx ssh.Context, pubKey ssh.PublicKey) error { ++// doPolicyAuth verifies that conn can proceed. ++// It returns nil if the matching policy action is Accept or ++// HoldAndDelegate. 
Otherwise, it returns errDenied. ++func (c *conn) doPolicyAuth(ctx ssh.Context) error { + if err := c.setInfo(ctx); err != nil { + c.logf("failed to get conninfo: %v", err) + return errDenied + } +- a, localUser, acceptEnv, err := c.evaluatePolicy(pubKey) ++ a, localUser, acceptEnv, err := c.evaluatePolicy() + if err != nil { +- if pubKey == nil && c.havePubKeyPolicy() { +- return errPubKeyRequired +- } + return fmt.Errorf("%w: %v", errDenied, err) + } + c.action0 = a + c.currentAction = a +- c.pubKey = pubKey + c.acceptEnv = acceptEnv + if a.Message != "" { + if err := ctx.SendAuthBanner(a.Message); err != nil { +@@ -448,7 +411,6 @@ func (srv *server) newConn() (*conn, error) { + ServerConfigCallback: c.ServerConfig, + + NoClientAuthHandler: c.NoClientAuthCallback, +- PublicKeyHandler: c.PublicKeyHandler, + PasswordHandler: c.fakePasswordHandler, + + Handler: c.handleSessionPostSSHAuth, +@@ -516,34 +478,6 @@ func (c *conn) mayForwardLocalPortTo(ctx ssh.Context, destinationHost string, de + return false + } + +-// havePubKeyPolicy reports whether any policy rule may provide access by means +-// of a ssh.PublicKey. +-func (c *conn) havePubKeyPolicy() bool { +- if c.info == nil { +- panic("havePubKeyPolicy called before setInfo") +- } +- // Is there any rule that looks like it'd require a public key for this +- // sshUser? +- pol, ok := c.sshPolicy() +- if !ok { +- return false +- } +- for _, r := range pol.Rules { +- if c.ruleExpired(r) { +- continue +- } +- if mapLocalUser(r.SSHUsers, c.info.sshUser) == "" { +- continue +- } +- for _, p := range r.Principals { +- if len(p.PubKeys) > 0 && c.principalMatchesTailscaleIdentity(p) { +- return true +- } +- } +- } +- return false +-} +- + // sshPolicy returns the SSHPolicy for current node. + // If there is no SSHPolicy in the netmap, it returns a debugPolicy + // if one is defined. 
+@@ -620,117 +554,19 @@ func (c *conn) setInfo(ctx ssh.Context) error { + } + + // evaluatePolicy returns the SSHAction and localUser after evaluating +-// the SSHPolicy for this conn. The pubKey may be nil for "none" auth. +-func (c *conn) evaluatePolicy(pubKey gossh.PublicKey) (_ *tailcfg.SSHAction, localUser string, acceptEnv []string, _ error) { ++// the SSHPolicy for this conn. ++func (c *conn) evaluatePolicy() (_ *tailcfg.SSHAction, localUser string, acceptEnv []string, _ error) { + pol, ok := c.sshPolicy() + if !ok { + return nil, "", nil, fmt.Errorf("tailssh: rejecting connection; no SSH policy") + } +- a, localUser, acceptEnv, ok := c.evalSSHPolicy(pol, pubKey) ++ a, localUser, acceptEnv, ok := c.evalSSHPolicy(pol) + if !ok { + return nil, "", nil, fmt.Errorf("tailssh: rejecting connection; no matching policy") + } + return a, localUser, acceptEnv, nil + } + +-// pubKeyCacheEntry is the cache value for an HTTPS URL of public keys (like +-// "https://github.com/foo.keys") +-type pubKeyCacheEntry struct { +- lines []string +- etag string // if sent by server +- at time.Time +-} +- +-const ( +- pubKeyCacheDuration = time.Minute // how long to cache non-empty public keys +- pubKeyCacheEmptyDuration = 15 * time.Second // how long to cache empty responses +-) +- +-func (srv *server) fetchPublicKeysURLCached(url string) (ce pubKeyCacheEntry, ok bool) { +- srv.mu.Lock() +- defer srv.mu.Unlock() +- // Mostly don't care about the size of this cache. Clean rarely. 
+- if m := srv.fetchPublicKeysCache; len(m) > 50 { +- tooOld := srv.now().Add(pubKeyCacheDuration * 10) +- for k, ce := range m { +- if ce.at.Before(tooOld) { +- delete(m, k) +- } +- } +- } +- ce, ok = srv.fetchPublicKeysCache[url] +- if !ok { +- return ce, false +- } +- maxAge := pubKeyCacheDuration +- if len(ce.lines) == 0 { +- maxAge = pubKeyCacheEmptyDuration +- } +- return ce, srv.now().Sub(ce.at) < maxAge +-} +- +-func (srv *server) pubKeyClient() *http.Client { +- if srv.pubKeyHTTPClient != nil { +- return srv.pubKeyHTTPClient +- } +- return http.DefaultClient +-} +- +-// fetchPublicKeysURL fetches the public keys from a URL. The strings are in the +-// the typical public key "type base64-string [comment]" format seen at e.g. +-// https://github.com/USER.keys +-func (srv *server) fetchPublicKeysURL(url string) ([]string, error) { +- if !strings.HasPrefix(url, "https://") { +- return nil, errors.New("invalid URL scheme") +- } +- +- ce, ok := srv.fetchPublicKeysURLCached(url) +- if ok { +- return ce.lines, nil +- } +- +- ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second) +- defer cancel() +- req, err := http.NewRequestWithContext(ctx, "GET", url, nil) +- if err != nil { +- return nil, err +- } +- if ce.etag != "" { +- req.Header.Add("If-None-Match", ce.etag) +- } +- res, err := srv.pubKeyClient().Do(req) +- if err != nil { +- return nil, err +- } +- defer res.Body.Close() +- var lines []string +- var etag string +- switch res.StatusCode { +- default: +- err = fmt.Errorf("unexpected status %v", res.Status) +- srv.logf("fetching public keys from %s: %v", url, err) +- case http.StatusNotModified: +- lines = ce.lines +- etag = ce.etag +- case http.StatusOK: +- var all []byte +- all, err = io.ReadAll(io.LimitReader(res.Body, 4<<10)) +- if s := strings.TrimSpace(string(all)); s != "" { +- lines = strings.Split(s, "\n") +- } +- etag = res.Header.Get("Etag") +- } +- +- srv.mu.Lock() +- defer srv.mu.Unlock() +- mak.Set(&srv.fetchPublicKeysCache, 
url, pubKeyCacheEntry{ +- at: srv.now(), +- lines: lines, +- etag: etag, +- }) +- return lines, err +-} +- + // handleSessionPostSSHAuth runs an SSH session after the SSH-level authentication, + // but not necessarily before all the Tailscale-level extra verification has + // completed. It also handles SFTP requests. +@@ -832,18 +668,6 @@ func (c *conn) expandDelegateURLLocked(actionURL string) string { + ).Replace(actionURL) + } + +-func (c *conn) expandPublicKeyURL(pubKeyURL string) string { +- if !strings.Contains(pubKeyURL, "$") { +- return pubKeyURL +- } +- loginName := c.info.uprof.LoginName +- localPart, _, _ := strings.Cut(loginName, "@") +- return strings.NewReplacer( +- "$LOGINNAME_EMAIL", loginName, +- "$LOGINNAME_LOCALPART", localPart, +- ).Replace(pubKeyURL) +-} +- + // sshSession is an accepted Tailscale SSH session. + type sshSession struct { + ssh.Session +@@ -894,7 +718,7 @@ func (c *conn) newSSHSession(s ssh.Session) *sshSession { + + // isStillValid reports whether the conn is still valid. 
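Review bot: The rewritten doc comment on `evaluatePolicy` still names only the SSHAction and localUser, but the function also returns the matching rule's AcceptEnv list (which `doPolicyAuth` stores and `isStillValid` discards) and distinguishes two error cases in its messages. Suggest `// evaluatePolicy returns the SSHAction, local user and AcceptEnv list of the first SSHPolicy rule matching this conn, or an error if the node has no SSH policy or no rule matches.` The function is fully within this hunk; the deleted key-fetching code below it is history.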
+ func (c *conn) isStillValid() bool { +- a, localUser, _, err := c.evaluatePolicy(c.pubKey) ++ a, localUser, _, err := c.evaluatePolicy() + c.vlogf("stillValid: %+v %v %v", a, localUser, err) + if err != nil { + return false +@@ -1277,9 +1101,9 @@ func (c *conn) ruleExpired(r *tailcfg.SSHRule) bool { + return r.RuleExpires.Before(c.srv.now()) + } + +-func (c *conn) evalSSHPolicy(pol *tailcfg.SSHPolicy, pubKey gossh.PublicKey) (a *tailcfg.SSHAction, localUser string, acceptEnv []string, ok bool) { ++func (c *conn) evalSSHPolicy(pol *tailcfg.SSHPolicy) (a *tailcfg.SSHAction, localUser string, acceptEnv []string, ok bool) { + for _, r := range pol.Rules { +- if a, localUser, acceptEnv, err := c.matchRule(r, pubKey); err == nil { ++ if a, localUser, acceptEnv, err := c.matchRule(r); err == nil { + return a, localUser, acceptEnv, true + } + } +@@ -1296,7 +1120,7 @@ var ( + errInvalidConn = errors.New("invalid connection state") + ) + +-func (c *conn) matchRule(r *tailcfg.SSHRule, pubKey gossh.PublicKey) (a *tailcfg.SSHAction, localUser string, acceptEnv []string, err error) { ++func (c *conn) matchRule(r *tailcfg.SSHRule) (a *tailcfg.SSHAction, localUser string, acceptEnv []string, err error) { + defer func() { + c.vlogf("matchRule(%+v): %v", r, err) + }() +@@ -1326,9 +1150,7 @@ func (c *conn) matchRule(r *tailcfg.SSHRule, pubKey gossh.PublicKey) (a *tailcfg + return nil, "", nil, errUserMatch + } + } +- if ok, err := c.anyPrincipalMatches(r.Principals, pubKey); err != nil { +- return nil, "", nil, err +- } else if !ok { ++ if !c.anyPrincipalMatches(r.Principals) { + return nil, "", nil, errPrincipalMatch + } + return r.Action, localUser, r.AcceptEnv, nil +@@ -1345,30 +1167,20 @@ func mapLocalUser(ruleSSHUsers map[string]string, reqSSHUser string) (localUser + return v + } + +-func (c *conn) anyPrincipalMatches(ps []*tailcfg.SSHPrincipal, pubKey gossh.PublicKey) (bool, error) { ++func (c *conn) anyPrincipalMatches(ps []*tailcfg.SSHPrincipal) bool { + for _, p := range 
ps { + if p == nil { + continue + } +- if ok, err := c.principalMatches(p, pubKey); err != nil { +- return false, err +- } else if ok { +- return true, nil ++ if c.principalMatchesTailscaleIdentity(p) { ++ return true + } + } +- return false, nil +-} +- +-func (c *conn) principalMatches(p *tailcfg.SSHPrincipal, pubKey gossh.PublicKey) (bool, error) { +- if !c.principalMatchesTailscaleIdentity(p) { +- return false, nil +- } +- return c.principalMatchesPubKey(p, pubKey) ++ return false + } + + // principalMatchesTailscaleIdentity reports whether one of p's four fields + // that match the Tailscale identity match (Node, NodeIP, UserLogin, Any). +-// This function does not consider PubKeys. + func (c *conn) principalMatchesTailscaleIdentity(p *tailcfg.SSHPrincipal) bool { + ci := c.info + if p.Any { +@@ -1388,42 +1200,6 @@ func (c *conn) principalMatchesTailscaleIdentity(p *tailcfg.SSHPrincipal) bool { + return false + } + +-func (c *conn) principalMatchesPubKey(p *tailcfg.SSHPrincipal, clientPubKey gossh.PublicKey) (bool, error) { +- if len(p.PubKeys) == 0 { +- return true, nil +- } +- if clientPubKey == nil { +- return false, nil +- } +- knownKeys := p.PubKeys +- if len(knownKeys) == 1 && strings.HasPrefix(knownKeys[0], "https://") { +- var err error +- knownKeys, err = c.srv.fetchPublicKeysURL(c.expandPublicKeyURL(knownKeys[0])) +- if err != nil { +- return false, err +- } +- } +- for _, knownKey := range knownKeys { +- if pubKeyMatchesAuthorizedKey(clientPubKey, knownKey) { +- return true, nil +- } +- } +- return false, nil +-} +- +-func pubKeyMatchesAuthorizedKey(pubKey ssh.PublicKey, wantKey string) bool { +- wantKeyType, rest, ok := strings.Cut(wantKey, " ") +- if !ok { +- return false +- } +- if pubKey.Type() != wantKeyType { +- return false +- } +- wantKeyB64, _, _ := strings.Cut(rest, " ") +- wantKeyData, _ := base64.StdEncoding.DecodeString(wantKeyB64) +- return len(wantKeyData) > 0 && bytes.Equal(pubKey.Marshal(), wantKeyData) +-} +- + func randBytes(n int) 
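Review bot: `anyPrincipalMatches` now accepts a principal on Tailscale identity alone, so a policy rule whose principal still lists `pubKeys` (kept in tailcfg as `UnusedPubKeys` so the JSON name stays reserved) would grant access without the key it previously required; that is only safe if the control plane never sent the field, which the tailcfg comment asserts but this code does not enforce, and `sshPolicy` can also serve a locally defined debugPolicy. A cheap fail-closed guard inside the loop keeps a stale or hand-written policy from widening: `if len(p.UnusedPubKeys) > 0 { continue }`, optionally with a `c.logf` naming the ignored principal. The dropped sentence "This function does not consider PubKeys" on `principalMatchesTailscaleIdentity` is also worth restoring in some form, since the new contract is that keys are ignored rather than checked. `anyPrincipalMatches` is fully within this hunk.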
[]byte { + b := make([]byte, n) + if _, err := rand.Read(b); err != nil { +@@ -1749,7 +1525,6 @@ func envEq(a, b string) bool { + var ( + metricActiveSessions = clientmetric.NewGauge("ssh_active_sessions") + metricIncomingConnections = clientmetric.NewCounter("ssh_incoming_connections") +- metricPublicKeyAccepts = clientmetric.NewCounter("ssh_publickey_accepts") // accepted subset of ssh_publickey_connections + metricTerminalAccept = clientmetric.NewCounter("ssh_terminalaction_accept") + metricTerminalReject = clientmetric.NewCounter("ssh_terminalaction_reject") + metricTerminalMalformed = clientmetric.NewCounter("ssh_terminalaction_malformed") +diff --git a/ssh/tailssh/tailssh_test.go b/ssh/tailssh/tailssh_test.go +index ad9cb1e57b53d..9f3616d8ca8ab 100644 +--- a/ssh/tailssh/tailssh_test.go ++++ b/ssh/tailssh/tailssh_test.go +@@ -10,7 +10,6 @@ import ( + "context" + "crypto/ed25519" + "crypto/rand" +- "crypto/sha256" + "encoding/json" + "errors" + "fmt" +@@ -229,7 +228,7 @@ func TestMatchRule(t *testing.T) { + info: tt.ci, + srv: &server{logf: t.Logf}, + } +- got, gotUser, gotAcceptEnv, err := c.matchRule(tt.rule, nil) ++ got, gotUser, gotAcceptEnv, err := c.matchRule(tt.rule) + if err != tt.wantErr { + t.Errorf("err = %v; want %v", err, tt.wantErr) + } +@@ -348,7 +347,7 @@ func TestEvalSSHPolicy(t *testing.T) { + info: tt.ci, + srv: &server{logf: t.Logf}, + } +- got, gotUser, gotAcceptEnv, match := c.evalSSHPolicy(tt.policy, nil) ++ got, gotUser, gotAcceptEnv, match := c.evalSSHPolicy(tt.policy) + if match != tt.wantMatch { + t.Errorf("match = %v; want %v", match, tt.wantMatch) + } +@@ -1129,89 +1128,6 @@ func parseEnv(out []byte) map[string]string { + return e + } + +-func TestPublicKeyFetching(t *testing.T) { +- var reqsTotal, reqsIfNoneMatchHit, reqsIfNoneMatchMiss int32 +- ts := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { +- atomic.AddInt32((&reqsTotal), 1) +- etag := fmt.Sprintf("W/%q", 
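Review bot: No test pins the new semantics for a principal that still lists keys: the TestMatchRule call is updated only to drop the `nil` key argument, and the deleted TestPublicKeyFetching/TestExpandPublicKeyURL were the only key-related coverage. Add a TestMatchRule table entry whose principal sets `UnusedPubKeys: []string{"ssh-ed25519 AAAA..."}` alongside `Any: true` and state explicitly whether it is expected to match, so the fail-open versus fail-closed decision is recorded in a test rather than implied. The test table itself starts outside this hunk.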
sha256.Sum256([]byte(r.URL.Path))) +- w.Header().Set("Etag", etag) +- if v := r.Header.Get("If-None-Match"); v != "" { +- if v == etag { +- atomic.AddInt32(&reqsIfNoneMatchHit, 1) +- w.WriteHeader(304) +- return +- } +- atomic.AddInt32(&reqsIfNoneMatchMiss, 1) +- } +- io.WriteString(w, "foo\nbar\n"+string(r.URL.Path)+"\n") +- })) +- ts.StartTLS() +- defer ts.Close() +- keys := ts.URL +- +- clock := &tstest.Clock{} +- srv := &server{ +- pubKeyHTTPClient: ts.Client(), +- timeNow: clock.Now, +- } +- for range 2 { +- got, err := srv.fetchPublicKeysURL(keys + "/alice.keys") +- if err != nil { +- t.Fatal(err) +- } +- if want := []string{"foo", "bar", "/alice.keys"}; !reflect.DeepEqual(got, want) { +- t.Errorf("got %q; want %q", got, want) +- } +- } +- if got, want := atomic.LoadInt32(&reqsTotal), int32(1); got != want { +- t.Errorf("got %d requests; want %d", got, want) +- } +- if got, want := atomic.LoadInt32(&reqsIfNoneMatchHit), int32(0); got != want { +- t.Errorf("got %d etag hits; want %d", got, want) +- } +- clock.Advance(5 * time.Minute) +- got, err := srv.fetchPublicKeysURL(keys + "/alice.keys") +- if err != nil { +- t.Fatal(err) +- } +- if want := []string{"foo", "bar", "/alice.keys"}; !reflect.DeepEqual(got, want) { +- t.Errorf("got %q; want %q", got, want) +- } +- if got, want := atomic.LoadInt32(&reqsTotal), int32(2); got != want { +- t.Errorf("got %d requests; want %d", got, want) +- } +- if got, want := atomic.LoadInt32(&reqsIfNoneMatchHit), int32(1); got != want { +- t.Errorf("got %d etag hits; want %d", got, want) +- } +- if got, want := atomic.LoadInt32(&reqsIfNoneMatchMiss), int32(0); got != want { +- t.Errorf("got %d etag misses; want %d", got, want) +- } +- +-} +- +-func TestExpandPublicKeyURL(t *testing.T) { +- c := &conn{ +- info: &sshConnInfo{ +- uprof: tailcfg.UserProfile{ +- LoginName: "bar@baz.tld", +- }, +- }, +- } +- if got, want := c.expandPublicKeyURL("foo"), "foo"; got != want { +- t.Errorf("basic: got %q; want %q", got, want) +- } +- if 
got, want := c.expandPublicKeyURL("https://example.com/$LOGINNAME_LOCALPART.keys"), "https://example.com/bar.keys"; got != want { +- t.Errorf("localpart: got %q; want %q", got, want) +- } +- if got, want := c.expandPublicKeyURL("https://example.com/keys?email=$LOGINNAME_EMAIL"), "https://example.com/keys?email=bar@baz.tld"; got != want { +- t.Errorf("email: got %q; want %q", got, want) +- } +- c.info = new(sshConnInfo) +- if got, want := c.expandPublicKeyURL("https://example.com/keys?email=$LOGINNAME_EMAIL"), "https://example.com/keys?email="; got != want { +- t.Errorf("on empty: got %q; want %q", got, want) +- } +-} +- + func TestAcceptEnvPair(t *testing.T) { + tests := []struct { + in string +diff --git a/tailcfg/tailcfg.go b/tailcfg/tailcfg.go +index 897e8d27f7f7b..be6c4f0be6b82 100644 +--- a/tailcfg/tailcfg.go ++++ b/tailcfg/tailcfg.go +@@ -152,7 +152,8 @@ type CapabilityVersion int + // - 107: 2024-10-30: add App Connector to conffile (PR #13942) + // - 108: 2024-11-08: Client sends ServicesHash in Hostinfo, understands c2n GET /vip-services. + // - 109: 2024-11-18: Client supports filtertype.Match.SrcCaps (issue #12542) +-const CurrentCapabilityVersion CapabilityVersion = 109 ++// - 110: 2024-12-12: removed never-before-used Tailscale SSH public key support (#14373) ++const CurrentCapabilityVersion CapabilityVersion = 110 + + type StableID string + +@@ -2525,16 +2526,13 @@ type SSHPrincipal struct { + Any bool `json:"any,omitempty"` // if true, match any connection + // TODO(bradfitz): add StableUserID, once that exists + +- // PubKeys, if non-empty, means that this SSHPrincipal only +- // matches if one of these public keys is presented by the user. ++ // UnusedPubKeys was public key support. It never became an official product ++ // feature and so as of 2024-12-12 is being removed. ++ // This stub exists to remind us not to re-use the JSON field name "pubKeys" ++ // in the future if we bring it back with different semantics. 
+ // +- // As a special case, if len(PubKeys) == 1 and PubKeys[0] starts +- // with "https://", then it's fetched (like https://github.com/username.keys). +- // In that case, the following variable expansions are also supported +- // in the URL: +- // * $LOGINNAME_EMAIL ("foo@bar.com" or "foo@github") +- // * $LOGINNAME_LOCALPART (the "foo" from either of the above) +- PubKeys []string `json:"pubKeys,omitempty"` ++ // Deprecated: do not use. It does nothing. ++ UnusedPubKeys []string `json:"pubKeys,omitempty"` + } + + // SSHAction is how to handle an incoming connection. +diff --git a/tailcfg/tailcfg_clone.go b/tailcfg/tailcfg_clone.go +index f4f02c01721dc..bf9bac2980df9 100644 +--- a/tailcfg/tailcfg_clone.go ++++ b/tailcfg/tailcfg_clone.go +@@ -556,17 +556,17 @@ func (src *SSHPrincipal) Clone() *SSHPrincipal { + } + dst := new(SSHPrincipal) + *dst = *src +- dst.PubKeys = append(src.PubKeys[:0:0], src.PubKeys...) ++ dst.UnusedPubKeys = append(src.UnusedPubKeys[:0:0], src.UnusedPubKeys...) + return dst + } + + // A compilation failure here means this code must be regenerated, with the command at the top of this file. + var _SSHPrincipalCloneNeedsRegeneration = SSHPrincipal(struct { +- Node StableNodeID +- NodeIP string +- UserLogin string +- Any bool +- PubKeys []string ++ Node StableNodeID ++ NodeIP string ++ UserLogin string ++ Any bool ++ UnusedPubKeys []string + }{}) + + // Clone makes a deep copy of ControlDialPlan. 
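Review bot: The replacement comment says the field "does nothing", which understates the change for anyone reading a policy: a principal that still lists `pubKeys` previously matched only when the client presented one of them, and now matches on `Node`/`NodeIP`/`UserLogin`/`Any` alone, so the field's presence no longer narrows access. Suggest one extra sentence after the Deprecated paragraph, e.g. `// A principal that still carries this field matches on its other fields alone; it no longer restricts access.` Keeping the JSON name reserved is the right call, and the `Deprecated:` paragraph already follows the godoc convention.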
+diff --git a/tailcfg/tailcfg_view.go b/tailcfg/tailcfg_view.go +index f275a6a9da5f2..6c21e5f450340 100644 +--- a/tailcfg/tailcfg_view.go ++++ b/tailcfg/tailcfg_view.go +@@ -1260,19 +1260,21 @@ func (v *SSHPrincipalView) UnmarshalJSON(b []byte) error { + return nil + } + +-func (v SSHPrincipalView) Node() StableNodeID { return v.ж.Node } +-func (v SSHPrincipalView) NodeIP() string { return v.ж.NodeIP } +-func (v SSHPrincipalView) UserLogin() string { return v.ж.UserLogin } +-func (v SSHPrincipalView) Any() bool { return v.ж.Any } +-func (v SSHPrincipalView) PubKeys() views.Slice[string] { return views.SliceOf(v.ж.PubKeys) } ++func (v SSHPrincipalView) Node() StableNodeID { return v.ж.Node } ++func (v SSHPrincipalView) NodeIP() string { return v.ж.NodeIP } ++func (v SSHPrincipalView) UserLogin() string { return v.ж.UserLogin } ++func (v SSHPrincipalView) Any() bool { return v.ж.Any } ++func (v SSHPrincipalView) UnusedPubKeys() views.Slice[string] { ++ return views.SliceOf(v.ж.UnusedPubKeys) ++} + + // A compilation failure here means this code must be regenerated, with the command at the top of this file. + var _SSHPrincipalViewNeedsRegeneration = SSHPrincipal(struct { +- Node StableNodeID +- NodeIP string +- UserLogin string +- Any bool +- PubKeys []string ++ Node StableNodeID ++ NodeIP string ++ UserLogin string ++ Any bool ++ UnusedPubKeys []string + }{}) + + // View returns a readonly view of ControlDialPlan. diff --git a/fix-CVE-2025-22869.patch b/fix-CVE-2025-22869.patch new file mode 100644 index 0000000..001df0a --- /dev/null +++ b/fix-CVE-2025-22869.patch 
@@ -0,0 +1,80 @@
+diff -rub tailscale-1.82.0/go.mod tailscale-1.82.0-patched/go.mod
+--- tailscale-1.82.0/go.mod 2025-03-26 20:26:55.000000000 +0100
++++ tailscale-1.82.0-patched/go.mod 2025-03-26 22:23:51.011357984 +0100
+@@ -94,14 +94,14 @@
+ go.uber.org/zap v1.27.0
+ go4.org/mem v0.0.0-20240501181205-ae6ca9944745
+ go4.org/netipx v0.0.0-20231129151722-fdeea329fbba
+- golang.org/x/crypto v0.35.0
++ golang.org/x/crypto v0.36.0
+ golang.org/x/exp v0.0.0-20250210185358-939b2ce775ac
+ golang.org/x/mod v0.23.0
+ golang.org/x/net v0.36.0
+ golang.org/x/oauth2 v0.26.0
+- golang.org/x/sync v0.11.0
+- golang.org/x/sys v0.30.0
+- golang.org/x/term v0.29.0
++ golang.org/x/sync v0.12.0
++ golang.org/x/sys v0.31.0
++ golang.org/x/term v0.30.0
+ golang.org/x/time v0.10.0
+ golang.org/x/tools v0.30.0
+ golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2
+@@ -382,7 +382,7 @@
+ go.uber.org/multierr v1.11.0 // indirect
+ golang.org/x/exp/typeparams v0.0.0-20240314144324-c7f7c6466f7f // indirect
+ golang.org/x/image v0.24.0 // indirect
+- golang.org/x/text v0.22.0 // indirect
++ golang.org/x/text v0.23.0 // indirect
+ gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
+ google.golang.org/protobuf v1.35.1 // indirect
+ gopkg.in/inf.v0 v0.9.1 // indirect
+diff -rub tailscale-1.82.0/go.sum tailscale-1.82.0-patched/go.sum
+--- tailscale-1.82.0/go.sum 2025-03-26 20:26:55.000000000 +0100
++++ tailscale-1.82.0-patched/go.sum 2025-03-26 22:24:39.260395929 +0100
+@@ -1047,6 +1047,8 @@
+ golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
+ golang.org/x/crypto v0.35.0 h1:b15kiHdrGCHrP6LvwaQ3c03kgNhhiMgvlhxHQhmg2Xs=
+ golang.org/x/crypto v0.35.0/go.mod h1:dy7dXNW32cAb/6/PRuTNsix8T+vJAqvuIy5Bli/x0YQ=
++golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
++golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
+ golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod 
h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+ golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+ golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
+@@ -1160,6 +1162,8 @@
+ golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+ golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w=
+ golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
++golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
++golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+ golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+ golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+ golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+@@ -1220,6 +1224,8 @@
+ golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+ golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
+ golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
++golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
++golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+ golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+ golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+ golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+@@ -1228,6 +1234,8 @@
+ golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+ golang.org/x/term v0.29.0 h1:L6pJp37ocefwRRtYPKSWOWzOtWSxVajvz2ldH/xi3iU=
+ golang.org/x/term v0.29.0/go.mod h1:6bl4lRlvVuDgSf3179VpIxBF0o10JUpXWOnI7nErv7s=
++golang.org/x/term v0.30.0 h1:PQ39fJZ+mfadBm0y5WlL4vlM7Sx1Hgf13sMIY2+QS9Y=
++golang.org/x/term v0.30.0/go.mod h1:NYYFdzHoI5wRh/h5tDMdMqCqPJZEuNqVR5xJLd/n67g=
+ golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+ golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+ golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+@@ -1240,6 +1248,8 @@
+ golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+ golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=
+ golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
++golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
++golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
+ golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+ golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+ golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+Only in tailscale-1.82.0-patched: vendor
diff --git a/tailscale-1.70.0.tar.gz b/tailscale-1.70.0.tar.gz
new file mode 100644
index 0000000..66e7c90
--- /dev/null
+++ b/tailscale-1.70.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:294d6df3f4585152bd612eed9b34a6c2062589c8989f86ee25e750c37164fcd5
+size 55014834
diff --git a/tailscale-1.72.1.tar.gz b/tailscale-1.72.1.tar.gz
new file mode 100644
index 0000000..ea2e024
--- /dev/null
+++ b/tailscale-1.72.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:03e15ea076362eda1a44712351ba2a19bf746970fee8ddc4013513a07337cbe0
+size 11331158
diff --git a/tailscale-1.74.0.tar.gz b/tailscale-1.74.0.tar.gz
new file mode 100644
index 0000000..7923deb
--- /dev/null
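Review bot: The patch touches only go.mod and go.sum, yet its trailing `Only in tailscale-1.82.0-patched: vendor` line shows it was generated in a vendored tree; if the spec builds from vendor.tar.gz with `-mod=vendor` (the default once a vendor directory is present), vendor/modules.txt must be regenerated to the new versions too or `go build` stops with an "inconsistent vendoring" error, so the vendor tarball needs rebuilding alongside this patch. Separately, my recollection is that the Go vulnerability database entry for CVE-2025-22869 (GO-2025-3487) names golang.org/x/crypto v0.35.0 as the fixed version, which the unpatched go.mod already requires; please confirm against the advisory before carrying a local bump to v0.36.0, since the changelog below records the patch being dropped as soon as upstream moved on. The stale v0.35.0/v0.11.0/v0.30.0/v0.29.0/v0.22.0 go.sum lines left behind are harmless, but `go mod tidy` would remove them and keep the hunks minimal.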
+++ b/tailscale-1.74.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:65adec42c6b6c42a107d63b5c9eb2c10ae0e87f4d701aa5e35c4e31a81bcd381
+size 11323679
diff --git a/tailscale-1.74.1.tar.gz b/tailscale-1.74.1.tar.gz
new file mode 100644
index 0000000..8fc3351
--- /dev/null
+++ b/tailscale-1.74.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7357c9fe3b0dabbb35847d8181f8500007299ec93586c23cd1c50af4183ccd19
+size 11462868
diff --git a/tailscale-1.76.1.tar.gz b/tailscale-1.76.1.tar.gz
new file mode 100644
index 0000000..1b472c5
--- /dev/null
+++ b/tailscale-1.76.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:87ebf950ec15274f6e7105acfe3d5565ea39bfc7cdd9762248df26da9874d9fc
+size 11842133
diff --git a/tailscale-1.76.3.tar.gz b/tailscale-1.76.3.tar.gz
new file mode 100644
index 0000000..2352b3a
--- /dev/null
+++ b/tailscale-1.76.3.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:dab7ef3240df51e7b51238d4239822ac8dec8106282acf1f07208bd699da99b7
+size 12050220
diff --git a/tailscale-1.76.6.tar.gz b/tailscale-1.76.6.tar.gz
new file mode 100644
index 0000000..b019ce8
--- /dev/null
+++ b/tailscale-1.76.6.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:627769855263d35d26e3b855efdf79167d42f08a3087f5a678b7aa5298e30a72
+size 12438906
diff --git a/tailscale-1.78.1.tar.gz b/tailscale-1.78.1.tar.gz
new file mode 100644
index 0000000..b417f1f
--- /dev/null
+++ b/tailscale-1.78.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a035f99f9bdc8c0a3de278a538c1e8df1e886d8f2bfe0bd4567a3c2850e31d48
+size 11935577
diff --git a/tailscale-1.78.3.tar.gz b/tailscale-1.78.3.tar.gz
new file mode 100644
index 0000000..74d8c18
--- /dev/null
+++ b/tailscale-1.78.3.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1b10020e1b94fce5556f7ef67e5bd529fd1a209dcb7694bf13c1edafbce097cd
+size 12121603
diff --git a/tailscale-1.80.0.tar.gz b/tailscale-1.80.0.tar.gz
new file mode 100644
index 0000000..6d803bb
--- /dev/null
+++ b/tailscale-1.80.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3c7a09a5a96c0c21f70aa4e1a1a934c8d5b1ef3db80e8aab98d53ee664585277
+size 12573438
diff --git a/tailscale-1.80.1.tar.gz b/tailscale-1.80.1.tar.gz
new file mode 100644
index 0000000..c2e8626
--- /dev/null
+++ b/tailscale-1.80.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:41d9c077b27685e7ded4bb59d443921a72aa3efdfeff313ad78f361cc8b0a794
+size 13209056
diff --git a/tailscale-1.80.2.tar.gz b/tailscale-1.80.2.tar.gz
new file mode 100644
index 0000000..f9501a9
--- /dev/null
+++ b/tailscale-1.80.2.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:46af9a3dcb6d7a82af189f6c4d45fce5a98aaab64d7877dcbe8dc9202ab892ae
+size 13465507
diff --git a/tailscale-1.80.3.tar.gz b/tailscale-1.80.3.tar.gz
new file mode 100644
index 0000000..3f01878
--- /dev/null
+++ b/tailscale-1.80.3.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8cfab48a1a40bc27445bc1aea0daedc7c1147a1ee61fe3abbf32c1eb8acaca33
+size 13706235
diff --git a/tailscale-1.82.0.tar.gz b/tailscale-1.82.0.tar.gz
new file mode 100644
index 0000000..de88954
--- /dev/null
+++ b/tailscale-1.82.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:47b58b296b0ff02b4368fbb0040d3b46fa42643389ea3a0171c3ad1850b4b52d
+size 13176999
diff --git a/tailscale-1.82.5.tar.gz b/tailscale-1.82.5.tar.gz
new file mode 100644
index 0000000..f986dd6
--- /dev/null
+++ b/tailscale-1.82.5.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1114843fb881e27ab377e2f3420f50b76c12783dc1daa7fcf7bb8b76416e3370
+size 67640448
diff --git a/tailscale-1.84.1.tar.gz b/tailscale-1.84.1.tar.gz
new file mode 100644
index 0000000..393eb56
--- /dev/null
+++ b/tailscale-1.84.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d2931c68f0ec823d6f05c3b75fc1876263dfd9438a8ae7a506c8d8fc9c2df90f
+size 69401229
diff --git a/tailscale-1.84.2.tar.gz b/tailscale-1.84.2.tar.gz
new file mode 100644
index 0000000..358ee1e
--- /dev/null
+++ b/tailscale-1.84.2.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a60ae898526ef200e178620e784af282513c723ff36b2763999ac79a7dfcc285
+size 70391896
diff --git a/tailscale-1.84.3.tar.gz b/tailscale-1.84.3.tar.gz
new file mode 100644
index 0000000..1f2fd25
--- /dev/null
+++ b/tailscale-1.84.3.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0700392e77df016436a1591c6caf4e69e7ec42bd1bb6a4d5092af05929508945
+size 71016944
diff --git a/tailscale-1.86.0.tar.gz b/tailscale-1.86.0.tar.gz
new file mode 100644
index 0000000..1c72f42
--- /dev/null
+++ b/tailscale-1.86.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1c14de4a50ce9573b7eae7927563b06fbd3fab5062121feac30f1638c2736fe7
+size 72592826
diff --git a/tailscale-1.86.2.tar.gz b/tailscale-1.86.2.tar.gz
new file mode 100644
index 0000000..f772d03
--- /dev/null
+++ b/tailscale-1.86.2.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:157fa956f781a6edd44fbf18928914a7af35bfe87f80f40bcc4d50bbcc9b0d00
+size 72295711
diff --git a/tailscale.changes b/tailscale.changes
new file mode 100644
index 0000000..4a46c82
--- /dev/null
+++ b/tailscale.changes
@@ -0,0 +1,555 @@ +------------------------------------------------------------------- +Tue Jul 29 21:20:47 UTC 2025 - Richard Rahl + +- update to version 1.86.2: + * A deadlock issue that may have occurred in the client + * An occasional crash when establishing a new port mapping with a gateway or + firewall + +------------------------------------------------------------------- +Sat Jul 26 16:23:38 UTC 2025 - Richard Rahl + +- update to version 1.86.0: + * tsStateEncrypted device posture attribute for checking whether the + Tailscale client state is encrypted at rest + * Cross-site request forgery (CSRF) issue that may have resulted in a log in + error when accessing the web interface + * Recommended exit node when the previously recommended exit node is offline + * tailscale up --exit-node=auto:any and tailscale set --exit-node=auto:any + CLI commands track the recommended exit node and automatically switches to + it when available exit nodes or network conditions change + * tailscaled CLI command flag --encrypt-state encrypts the node state file on + the disk using trusted platform module (TPM) + +------------------------------------------------------------------- +Thu Jun 26 17:29:44 UTC 2025 - Richard Rahl + +- update to 1.84.3: + * ipn/ipnlocal: Update hostinfo to control on service config change + +------------------------------------------------------------------- +Tue Jun 10 15:36:55 UTC 2025 - Richard Rahl + +- update to 1.84.2: + * Re-enable setting —accept-dns by using TS_EXTRA_ARGS. 
This issue resulted + from stricter CLI arguments parsing introduced in Tailscale v1.84.0 + +------------------------------------------------------------------- +Fri May 30 06:23:15 UTC 2025 - Richard Rahl + +- update to 1.84.1: + * net/dns: cache dns.Config for reuse when compileConfig fails + +------------------------------------------------------------------- +Thu May 22 08:27:09 UTC 2025 - Richard Rahl + +- update to 1.84.0: + * The --reason flag is added to the tailscale down command + * ReconnectAfter policy setting, which configures the maximum period of time + between a user disconnecting Tailscale and the client automatically + reconnecting + * Tailscale CLI commands throw an error if multiple of the same flag are detected + * Network connectivity issues when creating a new profile or switching + profiles while using an exit node + * DNS-over-TCP fallback works correctly with upstream servers reachable only + via the tailnet +- remove fix-CVE-2025-22869.patch, as upstream updated their dependencies + +------------------------------------------------------------------- +Fri Apr 18 07:37:15 UTC 2025 - Richard Rahl + +- update to 1.82.5: + * A panic issue related to CUBIC congestion control in userspace mode is resolved. + +------------------------------------------------------------------- +Thu Mar 27 19:50:58 UTC 2025 - Richard Rahl + +- update to 1.82.0: + * DERP functionality within the client supports certificate pinning for + self-signed IP address certificates for those unable to use Let's Encrypt + or WebPKI certificates. + * Go is updated to version 1.24.1 + * NAT traversal code uses the DERP connection that a packet arrived on as an + ultimate fallback route if no other information is available + * Captive portal detection reliability is improved on some in-flight Wi-Fi networks + * Port mapping success rate is improved + * Helsinki is added as a DERP region. 
+ +------------------------------------------------------------------- +Wed Mar 12 09:07:49 UTC 2025 - Richard Rahl + +- add patch fix-CVE-2025-22869.patch, fixes bsc#1239353 + +------------------------------------------------------------------- +Tue Mar 4 13:42:34 UTC 2025 - Richard Rahl + +- update to 1.80.3: + * appc: fix a deadlock in route advertisements + * client/web: fix CSRF handler order in web UI + +------------------------------------------------------------------- +Thu Feb 13 14:30:28 UTC 2025 - Richard Rahl + +- update to 1.80.2: + * Use ip:country as a geolocation device posture attribute (generally available). + +------------------------------------------------------------------- +Thu Feb 6 19:52:22 UTC 2025 - Richard Rahl + +- update to 1.80.1: + * net/netmon: add extra panic guard around ParseRIB + +------------------------------------------------------------------- +Fri Jan 31 17:20:29 UTC 2025 - Richard Rahl + +- update to 1.80.0: + * Hostname system policy is added for overriding the device hostname + configured by the operating system, using an MDM solution. + * Web interface displays a Login button instead of the Reauthenticate button + when adding a new device to your tailnet. + * Tailscale Funnel configuration on devices displays errors when incoming + connections are not permitted and connections are disallowed. + * Connections to a custom coordination server that does not support HTTPS + will no longer fail when a custom port number is specified. + * TLS certificate requests from Let’s Encrypt include the device's DNS name + in the CSR’s SAN extension and set the Common Name field. + * Tailscale Funnel disabled on a device no longer displays enabled in the + admin console. 
+ * GitHub username change automatically updates tailnet name + * 4via6 subnet routers GA + * Auto approvers GA + * Node attributes GA + * Download invoices GA + * Fast user switching GA + * Configuration log streaming integration with S3 buckets GA + * Network flow log streaming integration with S3 buckets GA + * NextDNS profiles per device GA + * GitHub secret scanning +- remove fix-CVE-2024-45337.patch, as it's now included + +------------------------------------------------------------------- +Wed Dec 18 17:33:23 UTC 2024 - Richard Rahl + +- add patch fix-CVE-2024-45337.patch, to circumevent a possibility + of exploiting the golang-x-crypto security hole. (fix #1234506) + +------------------------------------------------------------------- +Fri Dec 13 05:06:26 UTC 2024 - Richard Rahl + +- update to 1.78.3: + * cmd/containerboot: fix nil pointer exception + * hostinfo: fix testing in container + +------------------------------------------------------------------- +Fri Dec 6 01:22:05 UTC 2024 - Richard Rahl + +- update to 1.78.1: + * health: fix TestHealthMetric + +------------------------------------------------------------------- +Thu Dec 5 22:10:32 UTC 2024 - Richard Rahl + +- update to 1.78.0: + * Client metrics have been added, to provide insights into Tailscale client + behavior, health, and performance. + * tailscale metrics command has been added, to expose and collect client + metrics for use with third-party monitoring systems. + * tailscale syspolicy command has been added, to list system policies, reload + system policies, or view errors related to the system policies configured + on the device. + * Tailscale system policies are applied immediately when pushed via mobile + device management (MDM) or Group Policy, without requiring a client restart. + * Tailscale SSH session recording detects the disappearance of the recorder + node sooner. This fix addresses a security vulnerability described + in TS-2024-013. 
+ * New scopes for OAuth clients have been added with more granular permissions. + Existing OAuth clients using the previous set of scopes, and keys generated + using these clients, are still valid. + +------------------------------------------------------------------- +Fri Nov 8 03:46:50 UTC 2024 - Richard Rahl + +- update to 1.76.6: + * Logging for when clients move home DERP regions is improved. + * Tailscale clients no longer move their home DERP server prematurely in + response to unusual latency at very specific times. + +------------------------------------------------------------------- +Tue Oct 22 18:34:42 UTC 2024 - Richard Rahl + +- update to 1.76.3: + * no relevant changelog +- update to 1.76.2: + * no relevant changelog +- switch over to the new %{default_fw_backend} macro +- create old init file only for < leap 16 + +------------------------------------------------------------------- +Wed Oct 16 20:40:31 UTC 2024 - Richard Rahl + +- update to 1.76.1: + * tailscale netcheck CLI command no longer crashes when performing diagnostics + on networks lacking UDP connectivity. + * Improperly formatted SERVFAIL responses no longer cause DNS timeouts when using an exit node. + * dbus login sessions no longer fail on systems where /bin/login is missing. + +------------------------------------------------------------------- +Mon Oct 14 13:06:13 UTC 2024 - Alexandre Vicenzi + +- Require a firewall backend (boo#1228829) +- Add simple test check to ensure binaries are working + +------------------------------------------------------------------- +Fri Oct 11 06:07:28 UTC 2024 - Richard Rahl + +- update to 1.76.0: + * Clients lacking UDP connectivity no longer skip performing fallback latency + measurements with DERP servers. + * Warnings no longer display unnecessarily. + * Tailscale connectivity on in-flight internet on airplanes (such as Alaska Airlines) no longer fails. 
+ * Service-related processes no longer run unnecessarily when services are disabled on the tailnet. + * Error messages include explanations in addition to the HTTP status code. + * Tailscale SSH supports sending environment variables to hosts. It's also possible to specify + permitted environment variables using the acceptEnv field. + * Tailscale SSH no longer breaks some terminal applications by omitting pixel width and height when + resizing the application window. + +------------------------------------------------------------------- +Sat Sep 21 05:28:42 UTC 2024 - Eric Torres + +- Change path of zsh completion file to make zsh properly recognize completions + * /usr/share/zsh/site-functions/tailscale moved to /usr/share/zsh/site-functions/_tailscale + +------------------------------------------------------------------- +Wed Sep 18 19:10:19 UTC 2024 - Richard Rahl + +- update to 1.74.1: + * wgengine/magicsock: disable raw disco by default; add envknob to enable + +------------------------------------------------------------------- +Fri Sep 13 10:48:17 UTC 2024 - Richard Rahl + +- update to 1.74.0 + * AuthKey system policy can be used to authenticate a device with Tailscale using an MDM solution. + * tailscale dns CLI command is added for accessing Tailscale DNS settings and status. + * Tailnet Lock long rotation signatures are truncated automatically to avoid excessive growth. + * Log In option in the client works as expected. + * TCP generic receive offload (GRO) support is added for improved userspace mode throughput. + * TCP generic segmentation offload (GSO) is re-introduced for supporting improved userspace mode throughput. + This was initially introduced in Tailscale v1.72.0 and then rolled back in v1.72.1. + * Device posture integration with CrowdStrike Falcon can now use MAC addresses to match devices that lack serial numbers. + When Falcon integration is configured, Device Identity Collection will automatically collect MAC addresses. 
+ +------------------------------------------------------------------- +Thu Aug 22 22:08:51 UTC 2024 - Richard Rahl + +- update to 1.72.1: + * DNS over TCP failures when querying the Tailscale-internal resolver are fixed. + +------------------------------------------------------------------- +Wed Aug 21 16:05:02 UTC 2024 - rrahl0@opensuse.org + +- Update to version 1.72.0: + * posture: deduplicate MAC addresses before returning them + * health/dns: reduce severity of DNS unavailable warning + * safeweb: add Server.Close method + * go.mod.sri: update SRI hash for go.mod changes + * go.{mod,sum}: migrate from nhooyr.io/websocket to github.com/coder/websocket + * cmd/viewer: add support for map-like container types +- update golang(API) to 1.23 +- export version variables, to circumvent a bug + +------------------------------------------------------------------- +Thu Jul 18 06:31:58 UTC 2024 - Richard Rahl + +- update to 1.70.0: + * New: Restrict recommended and automatically selected exit nodes using the + new AllowedSuggestedExitNodes system policy. Applies only to platforms that + support system policies. + * Changed: Improved NAT traversal for some uncommon scenarios. + * Changed: Optimized sending firewall rules to clients more efficiently. + * Fixed: Exit node suggestion CLI command now prints the hostname. + * Fixed: Taildrive share paths configured through the CLI resolve relative + to where you run the tailscale command. + +------------------------------------------------------------------- +Tue Jul 2 20:35:35 UTC 2024 - Richard Rahl + +- update to 1.68.2: + * Fixed: Tailnet lock validation of rotation signatures now permits multiple nodes + signed by the same pre-signed reusable auth key. + +------------------------------------------------------------------- +Sun Jun 16 13:30:20 UTC 2024 - Richard Rahl + +- update to 1.68.1: + * Fixed: 4via6 subnet router advertisement works as expected. 
+ * Fixed: Tailscale SSH access to Security-Enhanced Linux (SELinux) machines works as expected. +- update to 1.68.0: + * New: Auto-updates are allowed in containers, but ignore the tailnet-wide default + * New: Apply auto-updates even if the node is down or disconnected from the coordination server. + * New: tailscale lock status now prints the node's signature. + +------------------------------------------------------------------- +Wed May 22 08:36:37 UTC 2024 - Richard Rahl + +- update to 1.66.4: + * Fixed: Restored UDP connectivity through Mullvad exit nodes + * Stateful filtering is now off by default + +- update to 1.66.3: + * Login URLs did not always appear in the console when running tailscale up + * Starting with v1.66, the Kubernetes operator must always run the same or later version + as the proxies it manages. + * Expose cloud services on cluster network to the tailnet, using Kubernetes ExternalName Services + * Expose tailnet services that use Tailscale HTTPS to cluster workloads + * Cluster workloads can now refer to Tailscale Ingress resources by their MagicDNS names + * Configure environment variables for Tailscale Kubernetes operator proxies using ProxyClass CRD + * Expose tailscaled metrics endpoint for Tailscale Kubernetes operator proxies through ProxyClass CRD + * Configure labels for the Kubernetes operator Pods with Helm chart values + * Configure affinity rules for Kubernetes operator proxy Pods with ProxyClass + * Kubernetes operator proxy init container no longer attempts to enable IPv6 forwarding on systems + that don't have IPv6 module loaded + * Tailscale containers running on Kubernetes no longer error if an empty Kubernetes Secret is + pre-created for the tailscaled state + * Improved the ambiguous error messages when Tailscale running on Kubernetes does not have the right + permissions to perform actions against the tailscaled state Secret + +------------------------------------------------------------------- +Fri May 10 15:16:33 
UTC 2024 - Richard Rahl + +- update to 1.66.1: + * Resolved issues with nftables rules for stateful filtering, + introduced in v1.66.0. + * tailscale set command flags --netfilter-mode, --snat-subnet-routes, + and --stateful-filtering are added. + +- update to 1.66.0: + * Implemented client-side quarantining for shared-in exit nodes, + as a mitigation for a security vulnerability described in TS-2024-005. + * Use the --stateful-filtering flag for the tailscale up to enable stateful filtering for + subnet routers and exit nodes, as a mitigation for a security vulnerability described + in TS-2024-005. + * Added tab completions + * Use the tailscale exit-node suggest command to automatically pick an available exit node + that is likely to perform best. + * Site-to-site networking now also requires --stateful-filtering=false in addition to + --snat-subnet-routes=false on new subnet routers. Existing subnet routers with --snat-subnet-routes=false + will default to --stateful-filtering=false. + +- update to 1.64.2: + * nothing relevant for linux + +- update to 1.64.1: + * nothing relevant for linux + +- update to 1.64.0: + * New: tailscale configure kubeconfig now respects KUBECONFIG environment variable. + * Fixed: tailscale configure kubeconfig now works with partially empty kubeconfig. + * Fixed: MSS clamping for Kubernetes operator proxies using nftables. + * Fixed: Containers on hosts with partial support for ip6tables no longer crash. 
+ +- turn of changelog generation +- add completions for bash + +------------------------------------------------------------------- +Sat Mar 30 08:28:56 UTC 2024 - Richard Rahl + +- update to 1.62.1: + * Send load balancing hint HTTP request header + * Fixed: Kubernetes operator proxies should not accept subnet routes + +------------------------------------------------------------------- +Thu Mar 14 03:13:54 UTC 2024 - rrahl0@proton.me + +- update to 1.62.0: + * IPv6 support detection in a container environment is improved + * New: Web interface now uses ACL grants to manage access on tagged devices + * Tailscale SSH connections now disable unnecessary hostname canonicalization + * tailscale bugreport command for generating diagnostic logs now contain ethtool information + * Mullvad's family-friendly server is added to the list of well known DNS over HTTPS (DoH) servers + * DNS over HTTP requests now contain a timeout + * TCP forwarding attempts in userspace mode now have a per-client limit + * Endpoints with link-local IPv6 addresses is preferred over private addresses + * WireGuard logs are less verbose + * Go min. 
version 1.22.1 + * DERP server region no longer changes if connectivity to the new DERP region is degraded + +- update to 1.60.1: + * Exposing port 8080 to other devices on your tailnet works as expected + +------------------------------------------------------------------- +Tue Feb 20 22:10:41 UTC 2024 - Alexandre Vicenzi + +- Add disable-auto-update.patch to prevent auto updates and instead + ask users to use Zypper to update manually + +------------------------------------------------------------------- +Tue Feb 20 14:52:46 UTC 2024 - Richard Rahl + +- change to the non deprecated manualrun + +------------------------------------------------------------------- +Fri Feb 16 14:38:14 UTC 2024 - alexandre.vicenzi@suse.com + +- Spec cleanup + * Use tar_scm to avoid commit hashes in the spec + * Use tailscale build scripts + * Drop ProtectClock fix for Leap, DeviceAllow fixes it +- Add build-verbose.patch to get go flags into build log +- Enable PrivateDevices but allow access to /dev/net/tun in tailscaled.service + +------------------------------------------------------------------- +Fri Feb 16 00:50:26 UTC 2024 - Richard Rahl + +- update to 1.60.0: + * minimum go version 1.22 + * authentication: present users with a valid login page when + attempting to login even after leaving device unattended for several days + * networking: mute noisy peer mtu discovery errors + * networking: expose gVisor metrics in debug mode + * port mapper: support legacy "urn:dslforum-org" port mapping services + * port mapper: fix crash when no support mapping services found + * ssh: log warning when unable to find SSH host keys + * serve: improve error message when running as non-root + * Detect when Tailscale is running on Digital Ocean and automatically + use Digital Ocean's DNS resolvers + * enable app connectors to install routes for domains that resolve to CNAME + records + * support pre-configured routes from control server + * add new read-only mode + * tailscale status command: 
fix output formatting Tailnet + includes location-based exit nodes + * a new ProxyClass custom resource that allows to provide custom + configuration for cluster resources that the operator creates + * ACL tags for the operator can now be configured via Helm chart values + * routing to Ingress backends that require an exact path without a slash + +------------------------------------------------------------------- +Wed Feb 7 14:52:53 UTC 2024 - Richard Rahl + +- make rpm not overwrite /etc/default/taiscaled +- defattr everything to root + +------------------------------------------------------------------- +Sat Feb 3 11:18:05 UTC 2024 - Richard Rahl + +- no stripping of binaries +- add commitID to binaries for upstream +- add directory for saved configs + +------------------------------------------------------------------- +Tue Jan 23 23:54:36 UTC 2024 - Richard Rahl + +- switch services to manual +- update to version 1.58.2: + * Fixed: [App connectors][app-connectors] have improved scheduling + and merging of route changes under some conditions + * Fixed: Crash when performing UPnP portmapping on older routers + with no supported portmapping services + +------------------------------------------------------------------- +Fri Jan 19 08:06:27 UTC 2024 - Richard Rahl + +- update to version 1.58.0: + * portmap: check the epoch from NAT-PMP & PCP, establish new portmapping if it changes + * portmap: better handle multiple interfaces + * portmap: handle multiple UPnP discovery responses + * increase the number of 4via6 site IDs from 256 to 65,536 + * taildrop: allow category Z unicode characters + * increased binary size with 1.56 is resolved in 1.58 + * Reduce home DERP flapping when there's still an active connection + * device web ui: fixed issue when accessing shared devices + * device web ui: fixed login issue when accessed over https + +------------------------------------------------------------------- +Wed Jan 10 02:17:57 UTC 2024 - Richard Rahl + +- fix an 
issue with Leap, where ProtectClock prevents to connect to + /dev/net/tun + +------------------------------------------------------------------- +Fri Dec 15 21:22:39 UTC 2023 - Richard Rahl + +- update to version 1.56.1: + * Fixed: Web interface redirects to the correct self IP known by source peer + * Fixed: Usage of slices.Compact from app connector domains list + +------------------------------------------------------------------- +Fri Dec 15 13:48:28 UTC 2023 - Richard Rahl + +- fix version output to what upstream expects + +------------------------------------------------------------------- +Wed Dec 13 22:08:30 UTC 2023 - rrahl0@proton.me + +- Update to version 1.56.0: + * improve responsiveness under load, especially with bidirectional traffic + * improve UPnP portmapping + * add tailscale whois subcommand to observe metadata associated with a Tailscale IP + * include tailnet name and profile ID in tailscale switch --list to disambiguate + profiles with common login names + * improve tailscale web interface for configuring some device settings such as exit nodes, + subnet routers, and Tailscale SSH + * improve containerboot to symlink its socket file if possible, + making the tailscale CLI work without --socket=/tmp/tailscale.sock + * add support in Kubernetes operator cluster egress for referring to a tailnet service + by its MagicDNS name + + +- Update to version 1.54.1: + * no relevant updates to the linux version + +------------------------------------------------------------------- +Fri Nov 24 21:59:11 UTC 2023 - Richard Rahl + +- tailscale couldn't connect to /dev/net/tun + +------------------------------------------------------------------- +Thu Nov 23 06:51:24 UTC 2023 - rrahl0@proton.me + +- Update to version 1.54.0: + * improve throughput substantially for UDP packets over TUN device with recent Linux kernels + + +- Update to version 1.52.1: + * no linux improvements + +- Update to version 1.52.0: + * tailscale set command flag --auto-update is 
added to opt in to automatic client updates + * tailscale serve and tailscale funnel commands are updated for improved usability + * tailscale update command for manual updates is now in beta + * Taildrop file transfer displays a progress meter + * nftables auto-detection is improved when TS_DEBUG_FIREWALL_MODE=auto is used + * DNS detection of NetworkManager with configured but absent systemd-resolved + * Taildrop now resumes file transfers after partial transfers are interrupted + * tailscale up command displays a message about client updates when newer versions are available + * tailscale status command displays a message about client updates when newer versions are available + * tailscale cert command renews in the background. The current certificate only displays if it has expired. + +------------------------------------------------------------------- +Mon Oct 02 23:51:03 UTC 2023 - rrahl0@proton.me + +- Update to version 1.50.1: + * fix bug where serve config could get wiped + * Funnel support for tsnet apps + * fix potential crash with UPnP + +------------------------------------------------------------------- +Sat Sep 30 19:38:50 UTC 2023 - rrahl0@proton.me + +- Update to version 1.50.0: + * Update tailscale{,d} licenses + * Update Quad9 addresses and references + * Adds support for Wikimedia DNS using DNS-over-HTTPS + +- Update to version 1.48.1: + * no relevant updates + +- Update to version 1.48.2: + * Improvements to Mullvad exit nodes + +------------------------------------------------------------------- +Fri Aug 18 15:56:24 UTC 2023 - Richard Rahl + +- Initial revision diff --git a/tailscale.spec b/tailscale.spec new file mode 100644 index 0000000..b79c2a7 --- /dev/null +++ b/tailscale.spec 
@@ -0,0 +1,143 @@
+#
+# spec file for package tailscale
+#
+# Copyright (c) 2025 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name: tailscale
+Version: 1.86.2
+Release: 0
+Summary: The easiest, most secure way to use WireGuard and 2FA
+License: BSD-3-Clause
+URL: https://github.com/tailscale/tailscale
+Source: %{name}-%{version}.tar.gz
+Source1: vendor.tar.gz
+Source2: %{name}d.service
+Source3: %{name}d.defaults
+Patch0: build-verbose.patch
+Patch1: disable-auto-update.patch
+BuildRequires: bash-completion
+BuildRequires: fish
+BuildRequires: git-core
+BuildRequires: golang-packaging
+BuildRequires: zsh
+BuildRequires: golang(API) >= 1.24
+Requires: %{default_firewall_backend}
+ExcludeArch: i586
+%{?systemd_requires}
+
+%description
+Tailscale is a modern VPN built on top of Wireguard. It works like an overlay
+network between the computers of your networks using NAT traversal.
+
+%package bash-completion
+Summary: Tailscale bash completion
+Supplements: (%{name} and bash-completion)
+BuildArch: noarch
+
+%description bash-completion
+bash completions for %{name}
+
+%package zsh-completion
+Summary: Tailsacle zsh completion
+Supplements: (%{name} and zsh)
+BuildArch: noarch
+
+%description zsh-completion
+zsh completion for %{name}
+
+%package fish-completion
+Summary: Tailscale fish completion
+Supplements: (%{name} and fish)
+BuildArch: noarch
+
+%description fish-completion
+fish completion for %{name}
+
+%prep
+%autosetup -a1 -p1
+
+%build
+%ifnarch ppc64
+export GOFLAGS="-buildmode=pie"
+%endif
+export VERSION_SHORT=%{version}
+export VERSION_LONG=%{version}
+export VERSION_GIT_HASH='$(git rev-parse v%{version})'
+./build_dist.sh ./cmd/%{name}
+./build_dist.sh ./cmd/%{name}d
+
+#generate completions
+./%{name} completion bash > ./%{name}.bash
+./%{name} completion zsh > ./%{name}.zsh
+./%{name} completion fish > ./%{name}.fish
+
+%check
+./%{name} version
+./%{name}d -version
+
+%install
+mkdir -p %{buildroot}%{_sharedstatedir}/%{name}
+
+install -D -p -m 0755 %{name} %{buildroot}%{_bindir}/%{name}
+install -D -p -m 0755 %{name}d %{buildroot}%{_sbindir}/%{name}d
+
+# service
+install -D -p -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/%{name}d.service
+%if 0%{?suse_version} < 1600
+ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}d
+%endif
+
+# defaults
+install -D -p -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/default/%{name}d
+
+install -D -p -m 0644 ./%{name}.bash %{buildroot}%{_datadir}/bash-completion/completions/%{name}
+install -D -p -m 0644 ./%{name}.zsh %{buildroot}%{_datadir}/zsh/site-functions/_%{name}
+install -D -p -m 0644 ./%{name}.fish %{buildroot}%{_datadir}/fish/vendor_completions.d/%{name}
+
+%pre
+%service_add_pre %{name}d.service
+
+%post
+%service_add_post %{name}d.service
+
+%preun
+%service_del_preun %{name}d.service
+
+%postun
+%service_del_postun %{name}d.service
+
+%files
+%license LICENSE PATENTS
+%doc README.md SECURITY.md
+%config(noreplace) %{_sysconfdir}/default/%{name}d
+%dir %{_sharedstatedir}/%{name}
+%{_bindir}/%{name}
+%{_sbindir}/%{name}d
+%{_unitdir}/%{name}d.service
+%if 0%{?suse_version} < 1600
+%{_sbindir}/rc%{name}d
+%endif
+
+%files bash-completion
+%{_datadir}/bash-completion/completions/%{name}
+
+%files zsh-completion
+%{_datadir}/zsh/site-functions/_%{name}
+
+%files fish-completion
+%{_datadir}/fish/vendor_completions.d/%{name}
+
+%changelog
diff --git a/tailscaled.defaults b/tailscaled.defaults
new file mode 100644
index 0000000..75f1c3e
--- /dev/null
+++ b/tailscaled.defaults
@@ -0,0 +1,8 @@
+# Set the port to listen on for incoming VPN packets.
+# Remote nodes will automatically be informed about the new port number,
+# but you might want to configure this in order to set external firewall
+# settings.
+PORT="41641"
+
+# Extra flags you might want to pass to tailscaled.
+FLAGS=""
diff --git a/tailscaled.service b/tailscaled.service
new file mode 100644
index 0000000..b67b94d
--- /dev/null
+++ b/tailscaled.service
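Review bot: `%dir %{_sharedstatedir}/%{name}` is listed without an `%attr`, so the RPM ships /var/lib/tailscale with whatever mode `mkdir -p` in %install produced (0755 under the usual build umask), although tailscaled.service requests `StateDirectoryMode=0700` for the same path and the tailscaled.state file kept there is the node key material that the 1.86.0 `--encrypt-state` entry exists to protect; package it as `%dir %attr(0700,root,root) %{_sharedstatedir}/%{name}` so the directory is private from first install rather than only once systemd has had a chance to adjust it. `export VERSION_GIT_HASH='$(git rev-parse v%{version})'` is single-quoted, so the shell exports the literal text `$(git rev-parse v1.86.2)` instead of a commit hash; if build_dist.sh stamps this variable into the binaries unchanged, `tailscale version` will print that string — use double quotes, or take the hash that `_servicedata` already records, since a tar_scm export may contain no .git directory at all. Finally, `Source1: vendor.tar.gz` is a hand-produced LFS blob and nothing in `_service` generates it from upstream's go.sum, so the vendored module tree is the one build input this package never verifies; producing it with the OBS go_modules service, or at least recording the go.sum it was built from, would make the supply chain checkable.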
@@ -0,0 +1,35 @@
+[Unit]
+Description=Tailscale node agent
+Documentation=https://tailscale.com/kb/
+Wants=network-pre.target
+After=network-pre.target NetworkManager.service systemd-resolved.service
+
+[Service]
+EnvironmentFile=/etc/default/tailscaled
+ExecStartPre=/usr/sbin/tailscaled --cleanup
+ExecStart=/usr/sbin/tailscaled --state=/var/lib/tailscale/tailscaled.state --socket=/run/tailscale/tailscaled.sock --port=${PORT} $FLAGS
+ExecStopPost=/usr/sbin/tailscaled --cleanup
+Restart=on-failure
+RuntimeDirectory=tailscale
+RuntimeDirectoryMode=0755
+StateDirectory=tailscale
+StateDirectoryMode=0700
+CacheDirectory=tailscale
+CacheDirectoryMode=0750
+Type=notify
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+PrivateDevices=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+RestrictRealtime=true
+# give permission to TUN
+BindPaths=/dev/net/tun
+DeviceAllow=/dev/net/tun rw
+
+[Install]
+WantedBy=multi-user.target
diff --git a/vendor.tar.gz b/vendor.tar.gz
new file mode 100644
index 0000000..1b8ff10
--- /dev/null
+++ b/vendor.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:51e3763186cfe2b34736104ac85bf713b48cf4f49a14c25209e1e9fff82d539d
+size 20170828
-- 2.51.1 From c327f5e3dc6b9ade7077c3af5bbdcfbf963a6229dac2bafd4b5660f818d6828b Mon Sep 17 00:00:00 2001
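Review bot: The hardening block in [Service] omits `ProtectSystem=`, and with no `User=` tailscaled runs as root, so beyond the State/Runtime/Cache directories it is granted it keeps write access to /usr, /boot and all of /etc; `ProtectSystem=strict` together with `ReadWritePaths=/etc` (assuming tailscaled rewrites /etc/resolv.conf when it manages DNS itself — confirm on the Leap and Tumbleweed setups the package targets) would confine a compromised daemon to the paths it actually needs. `RuntimeDirectoryMode=0755` leaves /run/tailscale traversable by every local user, so access to tailscaled.sock then rests entirely on the socket's own mode and on peer-credential checks inside tailscaled, neither of which this diff shows; if unprivileged CLI use is not a goal of the package, `RuntimeDirectoryMode=0750` is the safer default. `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK` and a `CapabilityBoundingSet=` are the next entries from the linked openSUSE hardening page that fit a VPN daemon, with the caveats that raw-socket disco (off by default per the 1.74.1 changelog entry) would additionally need AF_PACKET and that Tailscale SSH spawns login sessions, so each addition wants a functional test before `NoNewPrivileges=` is considered.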
From: Richard Rahl Date: Fri, 29 Aug 2025 11:17:32 +0000 Subject: [PATCH 09/25] - update to version 1.86.5: * cmd/k8s-proxy,k8s-operator: fix serve config for userspace mode - update to version 1.86.4: * nothing of relevance - update to version 1.86.3: * nothing of relevance OBS-URL: https://build.opensuse.org/package/show/network:vpn/tailscale?expand=0&rev=89 --- .gitattributes | 23 ++ .gitignore | 1 + _service | 17 ++ _servicedata | 4 + build-verbose.patch | 13 + disable-auto-update.patch | 25 ++ tailscale-1.86.5.tar.gz | 3 + tailscale.changes | 565 ++++++++++++++++++++++++++++++++++++++ tailscale.spec | 143 ++++++++++ tailscaled.defaults | 8 + tailscaled.service | 35 +++ vendor.tar.gz | 3 + 12 files changed, 840 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 _service create mode 100644 _servicedata create mode 100644 build-verbose.patch create mode 100644 disable-auto-update.patch create mode 100644 tailscale-1.86.5.tar.gz create mode 100644 tailscale.changes create mode 100644 tailscale.spec create mode 100644 tailscaled.defaults create mode 100644 tailscaled.service create mode 100644 vendor.tar.gz diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes 
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/_service b/_service
new file mode 100644
index 0000000..d5ae3c8
--- /dev/null
+++ b/_service
@@ -0,0 +1,17 @@
+
+
+ https://github.com/tailscale/tailscale.git
+ git
+ yes
+ refs/tags/v1.86.5
+ @PARENT_TAG@
+ v(.*)
+ disable
+
+
+ *.tar
+ gz
+
+
+
+
diff --git a/_servicedata b/_servicedata
new file mode 100644
index 0000000..d4fed67
--- /dev/null
+++ b/_servicedata
@@ -0,0 +1,4 @@
+
+
+ https://github.com/tailscale/tailscale.git
+ aa448d5a9985378af04966c6d7aec8d9f4a166ca
\ No newline at end of file
diff --git a/build-verbose.patch b/build-verbose.patch
new file mode 100644
index 0000000..5da7533
--- /dev/null
+++ b/build-verbose.patch
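Review bot: The source fetch in _service is pinned to `refs/tags/v1.86.5`, a ref that can be moved upstream, while the commit it resolved to (`aa448d5a…`) is only written to _servicedata, which is bookkeeping for later service runs rather than something the build verifies. The page has stripped the XML element names, so I cannot see which parameter each value belongs to; assuming the usual tar_scm layout, setting the revision parameter to the commit hash (the tag can still drive `@PARENT_TAG@` via versionformat) makes a re-run reproduce the same tree even if the tag is retargeted. A one-line XML comment stating the commit/tag pairing next to the revision would also let a reviewer check the two files against each other.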
@@ -0,0 +1,13 @@
+diff --git a/build_dist.sh b/build_dist.sh
+index 0c757c26..9639d596 100755
+--- a/build_dist.sh
++++ b/build_dist.sh
+@@ -9,7 +9,7 @@
+ # this script, or executing equivalent commands in your
+ # distro-specific build system.
+
+-set -eu
++set -eux
+
+ go="go"
+ if [ -n "${TS_USE_TOOLCHAIN:-}" ]; then
diff --git a/disable-auto-update.patch b/disable-auto-update.patch
new file mode 100644
index 0000000..c7d8a30
--- /dev/null
+++ b/disable-auto-update.patch
@@ -0,0 +1,25 @@
+diff -rub tailscale/clientupdate/clientupdate.go tailscale-patched/clientupdate/clientupdate.go
+--- tailscale/clientupdate/clientupdate.go 2024-06-16 15:26:31.323022871 +0200
++++ tailscale-patched/clientupdate/clientupdate.go 2024-06-16 15:57:08.732315446 +0200
+@@ -205,6 +205,8 @@
+ // The distro.Debian switch case above should catch most apt-based
+ // systems, but add this fallback just in case.
+ return up.updateDebLike, true
++ case haveExecutable("zypper"):
++ return up.updateSUSE, false
+ case haveExecutable("dnf"):
+ return up.updateFedoraLike("dnf"), true
+ case haveExecutable("yum"):
+@@ -526,6 +528,12 @@
+ you can use "pacman --sync --refresh --sysupgrade" or "pacman -Syu" to upgrade the system, including Tailscale.`)
+ }
+
++func (up *Updater) updateSUSE() error {
++ // SUSE-based distros should update manually.
++ // The package can come from official Tailscale repos or not and the system can be transactional or not.
++ return errors.New(`Use Zypper or transactional-update (on applicable systems) to update Tailscale on openSUSE or SUSE Linux Enterprise installations.`)
++}
++
+ func (up *Updater) updateNixos() error {
+ // NixOS package updates are managed on a system level and not individually.
+ // Direct users to update their nix channel or nixpkgs flake input to
diff --git a/tailscale-1.86.5.tar.gz b/tailscale-1.86.5.tar.gz
new file mode 100644
index 0000000..c896ccb
--- /dev/null
+++ b/tailscale-1.86.5.tar.gz
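Review bot: The new `case haveExecutable("zypper")` branch returns `false` as its second value while the neighbouring `updateDebLike` and `updateFedoraLike("dnf")` cases return `true`, and nothing in the patch says what that flag means; from the surrounding code it appears to be the switch that gates automatic updates, which is exactly what this patch intends to turn off, so that intent deserves a comment rather than an unexplained literal: `// Second value false: never auto-update on SUSE, updates go through zypper/transactional-update.` placed above the case. It is also worth noting in that comment that the case lives in the executable-probing fallback switch, so it only applies when the earlier distro-based switch (outside the hunk) did not already match. The enclosing function starts before the hunk. The `set -eux` change in build-verbose.patch is fine for OBS logs, but keep in mind `-x` echoes every expanded command, so nothing secret should ever be exported into that script's environment.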
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:41d7a8318ae624bd7f8315d4f4d929025f403837b97d505e142064273dde7b6d
+size 73557568
diff --git a/tailscale.changes b/tailscale.changes
new file mode 100644
index 0000000..2acaa11
--- /dev/null
+++ b/tailscale.changes
@@ -0,0 +1,565 @@ +------------------------------------------------------------------- +Fri Aug 29 11:10:29 UTC 2025 - Richard Rahl + +- update to version 1.86.5: + * cmd/k8s-proxy,k8s-operator: fix serve config for userspace mode +- update to version 1.86.4: + * nothing of relevance +- update to version 1.86.3: + * nothing of relevance + +------------------------------------------------------------------- +Tue Jul 29 21:20:47 UTC 2025 - Richard Rahl + +- update to version 1.86.2: + * A deadlock issue that may have occurred in the client + * An occasional crash when establishing a new port mapping with a gateway or + firewall + +------------------------------------------------------------------- +Sat Jul 26 16:23:38 UTC 2025 - Richard Rahl + +- update to version 1.86.0: + * tsStateEncrypted device posture attribute for checking whether the + Tailscale client state is encrypted at rest + * Cross-site request forgery (CSRF) issue that may have resulted in a log in + error when accessing the web interface + * Recommended exit node when the previously recommended exit node is offline + * tailscale up --exit-node=auto:any and tailscale set --exit-node=auto:any + CLI commands track the recommended exit node and automatically switches to + it when available exit nodes or network conditions change + * tailscaled CLI command flag --encrypt-state encrypts the node state file on + the disk using trusted platform module (TPM) + +------------------------------------------------------------------- +Thu Jun 26 17:29:44 UTC 2025 - Richard Rahl + +- update to 1.84.3: + * ipn/ipnlocal: Update hostinfo to control on service config change + +------------------------------------------------------------------- +Tue Jun 10 15:36:55 UTC 2025 - Richard Rahl + +- update to 1.84.2: + * Re-enable setting —accept-dns by using TS_EXTRA_ARGS. 
This issue resulted + from stricter CLI arguments parsing introduced in Tailscale v1.84.0 + +------------------------------------------------------------------- +Fri May 30 06:23:15 UTC 2025 - Richard Rahl + +- update to 1.84.1: + * net/dns: cache dns.Config for reuse when compileConfig fails + +------------------------------------------------------------------- +Thu May 22 08:27:09 UTC 2025 - Richard Rahl + +- update to 1.84.0: + * The --reason flag is added to the tailscale down command + * ReconnectAfter policy setting, which configures the maximum period of time + between a user disconnecting Tailscale and the client automatically + reconnecting + * Tailscale CLI commands throw an error if multiple of the same flag are detected + * Network connectivity issues when creating a new profile or switching + profiles while using an exit node + * DNS-over-TCP fallback works correctly with upstream servers reachable only + via the tailnet +- remove fix-CVE-2025-22869.patch, as upstream updated their dependencies + +------------------------------------------------------------------- +Fri Apr 18 07:37:15 UTC 2025 - Richard Rahl + +- update to 1.82.5: + * A panic issue related to CUBIC congestion control in userspace mode is resolved. + +------------------------------------------------------------------- +Thu Mar 27 19:50:58 UTC 2025 - Richard Rahl + +- update to 1.82.0: + * DERP functionality within the client supports certificate pinning for + self-signed IP address certificates for those unable to use Let's Encrypt + or WebPKI certificates. + * Go is updated to version 1.24.1 + * NAT traversal code uses the DERP connection that a packet arrived on as an + ultimate fallback route if no other information is available + * Captive portal detection reliability is improved on some in-flight Wi-Fi networks + * Port mapping success rate is improved + * Helsinki is added as a DERP region. 
+ +------------------------------------------------------------------- +Wed Mar 12 09:07:49 UTC 2025 - Richard Rahl + +- add patch fix-CVE-2025-22869.patch, fixes bsc#1239353 + +------------------------------------------------------------------- +Tue Mar 4 13:42:34 UTC 2025 - Richard Rahl + +- update to 1.80.3: + * appc: fix a deadlock in route advertisements + * client/web: fix CSRF handler order in web UI + +------------------------------------------------------------------- +Thu Feb 13 14:30:28 UTC 2025 - Richard Rahl + +- update to 1.80.2: + * Use ip:country as a geolocation device posture attribute (generally available). + +------------------------------------------------------------------- +Thu Feb 6 19:52:22 UTC 2025 - Richard Rahl + +- update to 1.80.1: + * net/netmon: add extra panic guard around ParseRIB + +------------------------------------------------------------------- +Fri Jan 31 17:20:29 UTC 2025 - Richard Rahl + +- update to 1.80.0: + * Hostname system policy is added for overriding the device hostname + configured by the operating system, using an MDM solution. + * Web interface displays a Login button instead of the Reauthenticate button + when adding a new device to your tailnet. + * Tailscale Funnel configuration on devices displays errors when incoming + connections are not permitted and connections are disallowed. + * Connections to a custom coordination server that does not support HTTPS + will no longer fail when a custom port number is specified. + * TLS certificate requests from Let’s Encrypt include the device's DNS name + in the CSR’s SAN extension and set the Common Name field. + * Tailscale Funnel disabled on a device no longer displays enabled in the + admin console. 
+ * GitHub username change automatically updates tailnet name + * 4via6 subnet routers GA + * Auto approvers GA + * Node attributes GA + * Download invoices GA + * Fast user switching GA + * Configuration log streaming integration with S3 buckets GA + * Network flow log streaming integration with S3 buckets GA + * NextDNS profiles per device GA + * GitHub secret scanning +- remove fix-CVE-2024-45337.patch, as it's now included + +------------------------------------------------------------------- +Wed Dec 18 17:33:23 UTC 2024 - Richard Rahl + +- add patch fix-CVE-2024-45337.patch, to circumevent a possibility + of exploiting the golang-x-crypto security hole. (fix #1234506) + +------------------------------------------------------------------- +Fri Dec 13 05:06:26 UTC 2024 - Richard Rahl + +- update to 1.78.3: + * cmd/containerboot: fix nil pointer exception + * hostinfo: fix testing in container + +------------------------------------------------------------------- +Fri Dec 6 01:22:05 UTC 2024 - Richard Rahl + +- update to 1.78.1: + * health: fix TestHealthMetric + +------------------------------------------------------------------- +Thu Dec 5 22:10:32 UTC 2024 - Richard Rahl + +- update to 1.78.0: + * Client metrics have been added, to provide insights into Tailscale client + behavior, health, and performance. + * tailscale metrics command has been added, to expose and collect client + metrics for use with third-party monitoring systems. + * tailscale syspolicy command has been added, to list system policies, reload + system policies, or view errors related to the system policies configured + on the device. + * Tailscale system policies are applied immediately when pushed via mobile + device management (MDM) or Group Policy, without requiring a client restart. + * Tailscale SSH session recording detects the disappearance of the recorder + node sooner. This fix addresses a security vulnerability described + in TS-2024-013. 
+ * New scopes for OAuth clients have been added with more granular permissions. + Existing OAuth clients using the previous set of scopes, and keys generated + using these clients, are still valid. + +------------------------------------------------------------------- +Fri Nov 8 03:46:50 UTC 2024 - Richard Rahl + +- update to 1.76.6: + * Logging for when clients move home DERP regions is improved. + * Tailscale clients no longer move their home DERP server prematurely in + response to unusual latency at very specific times. + +------------------------------------------------------------------- +Tue Oct 22 18:34:42 UTC 2024 - Richard Rahl + +- update to 1.76.3: + * no relevant changelog +- update to 1.76.2: + * no relevant changelog +- switch over to the new %{default_fw_backend} macro +- create old init file only for < leap 16 + +------------------------------------------------------------------- +Wed Oct 16 20:40:31 UTC 2024 - Richard Rahl + +- update to 1.76.1: + * tailscale netcheck CLI command no longer crashes when performing diagnostics + on networks lacking UDP connectivity. + * Improperly formatted SERVFAIL responses no longer cause DNS timeouts when using an exit node. + * dbus login sessions no longer fail on systems where /bin/login is missing. + +------------------------------------------------------------------- +Mon Oct 14 13:06:13 UTC 2024 - Alexandre Vicenzi + +- Require a firewall backend (boo#1228829) +- Add simple test check to ensure binaries are working + +------------------------------------------------------------------- +Fri Oct 11 06:07:28 UTC 2024 - Richard Rahl + +- update to 1.76.0: + * Clients lacking UDP connectivity no longer skip performing fallback latency + measurements with DERP servers. + * Warnings no longer display unnecessarily. + * Tailscale connectivity on in-flight internet on airplanes (such as Alaska Airlines) no longer fails. 
+ * Service-related processes no longer run unnecessarily when services are disabled on the tailnet. + * Error messages include explanations in addition to the HTTP status code. + * Tailscale SSH supports sending environment variables to hosts. It's also possible to specify + permitted environment variables using the acceptEnv field. + * Tailscale SSH no longer breaks some terminal applications by omitting pixel width and height when + resizing the application window. + +------------------------------------------------------------------- +Sat Sep 21 05:28:42 UTC 2024 - Eric Torres + +- Change path of zsh completion file to make zsh properly recognize completions + * /usr/share/zsh/site-functions/tailscale moved to /usr/share/zsh/site-functions/_tailscale + +------------------------------------------------------------------- +Wed Sep 18 19:10:19 UTC 2024 - Richard Rahl + +- update to 1.74.1: + * wgengine/magicsock: disable raw disco by default; add envknob to enable + +------------------------------------------------------------------- +Fri Sep 13 10:48:17 UTC 2024 - Richard Rahl + +- update to 1.74.0 + * AuthKey system policy can be used to authenticate a device with Tailscale using an MDM solution. + * tailscale dns CLI command is added for accessing Tailscale DNS settings and status. + * Tailnet Lock long rotation signatures are truncated automatically to avoid excessive growth. + * Log In option in the client works as expected. + * TCP generic receive offload (GRO) support is added for improved userspace mode throughput. + * TCP generic segmentation offload (GSO) is re-introduced for supporting improved userspace mode throughput. + This was initially introduced in Tailscale v1.72.0 and then rolled back in v1.72.1. + * Device posture integration with CrowdStrike Falcon can now use MAC addresses to match devices that lack serial numbers. + When Falcon integration is configured, Device Identity Collection will automatically collect MAC addresses. 
+ +------------------------------------------------------------------- +Thu Aug 22 22:08:51 UTC 2024 - Richard Rahl + +- update to 1.72.1: + * DNS over TCP failures when querying the Tailscale-internal resolver are fixed. + +------------------------------------------------------------------- +Wed Aug 21 16:05:02 UTC 2024 - rrahl0@opensuse.org + +- Update to version 1.72.0: + * posture: deduplicate MAC addresses before returning them + * health/dns: reduce severity of DNS unavailable warning + * safeweb: add Server.Close method + * go.mod.sri: update SRI hash for go.mod changes + * go.{mod,sum}: migrate from nhooyr.io/websocket to github.com/coder/websocket + * cmd/viewer: add support for map-like container types +- update golang(API) to 1.23 +- export version variables, to circumvent a bug + +------------------------------------------------------------------- +Thu Jul 18 06:31:58 UTC 2024 - Richard Rahl + +- update to 1.70.0: + * New: Restrict recommended and automatically selected exit nodes using the + new AllowedSuggestedExitNodes system policy. Applies only to platforms that + support system policies. + * Changed: Improved NAT traversal for some uncommon scenarios. + * Changed: Optimized sending firewall rules to clients more efficiently. + * Fixed: Exit node suggestion CLI command now prints the hostname. + * Fixed: Taildrive share paths configured through the CLI resolve relative + to where you run the tailscale command. + +------------------------------------------------------------------- +Tue Jul 2 20:35:35 UTC 2024 - Richard Rahl + +- update to 1.68.2: + * Fixed: Tailnet lock validation of rotation signatures now permits multiple nodes + signed by the same pre-signed reusable auth key. + +------------------------------------------------------------------- +Sun Jun 16 13:30:20 UTC 2024 - Richard Rahl + +- update to 1.68.1: + * Fixed: 4via6 subnet router advertisement works as expected. 
+ * Fixed: Tailscale SSH access to Security-Enhanced Linux (SELinux) machines works as expected. +- update to 1.68.0: + * New: Auto-updates are allowed in containers, but ignore the tailnet-wide default + * New: Apply auto-updates even if the node is down or disconnected from the coordination server. + * New: tailscale lock status now prints the node's signature. + +------------------------------------------------------------------- +Wed May 22 08:36:37 UTC 2024 - Richard Rahl + +- update to 1.66.4: + * Fixed: Restored UDP connectivity through Mullvad exit nodes + * Stateful filtering is now off by default + +- update to 1.66.3: + * Login URLs did not always appear in the console when running tailscale up + * Starting with v1.66, the Kubernetes operator must always run the same or later version + as the proxies it manages. + * Expose cloud services on cluster network to the tailnet, using Kubernetes ExternalName Services + * Expose tailnet services that use Tailscale HTTPS to cluster workloads + * Cluster workloads can now refer to Tailscale Ingress resources by their MagicDNS names + * Configure environment variables for Tailscale Kubernetes operator proxies using ProxyClass CRD + * Expose tailscaled metrics endpoint for Tailscale Kubernetes operator proxies through ProxyClass CRD + * Configure labels for the Kubernetes operator Pods with Helm chart values + * Configure affinity rules for Kubernetes operator proxy Pods with ProxyClass + * Kubernetes operator proxy init container no longer attempts to enable IPv6 forwarding on systems + that don't have IPv6 module loaded + * Tailscale containers running on Kubernetes no longer error if an empty Kubernetes Secret is + pre-created for the tailscaled state + * Improved the ambiguous error messages when Tailscale running on Kubernetes does not have the right + permissions to perform actions against the tailscaled state Secret + +------------------------------------------------------------------- +Fri May 10 15:16:33 
UTC 2024 - Richard Rahl + +- update to 1.66.1: + * Resolved issues with nftables rules for stateful filtering, + introduced in v1.66.0. + * tailscale set command flags --netfilter-mode, --snat-subnet-routes, + and --stateful-filtering are added. + +- update to 1.66.0: + * Implemented client-side quarantining for shared-in exit nodes, + as a mitigation for a security vulnerability described in TS-2024-005. + * Use the --stateful-filtering flag for the tailscale up to enable stateful filtering for + subnet routers and exit nodes, as a mitigation for a security vulnerability described + in TS-2024-005. + * Added tab completions + * Use the tailscale exit-node suggest command to automatically pick an available exit node + that is likely to perform best. + * Site-to-site networking now also requires --stateful-filtering=false in addition to + --snat-subnet-routes=false on new subnet routers. Existing subnet routers with --snat-subnet-routes=false + will default to --stateful-filtering=false. + +- update to 1.64.2: + * nothing relevant for linux + +- update to 1.64.1: + * nothing relevant for linux + +- update to 1.64.0: + * New: tailscale configure kubeconfig now respects KUBECONFIG environment variable. + * Fixed: tailscale configure kubeconfig now works with partially empty kubeconfig. + * Fixed: MSS clamping for Kubernetes operator proxies using nftables. + * Fixed: Containers on hosts with partial support for ip6tables no longer crash. 
+ +- turn of changelog generation +- add completions for bash + +------------------------------------------------------------------- +Sat Mar 30 08:28:56 UTC 2024 - Richard Rahl + +- update to 1.62.1: + * Send load balancing hint HTTP request header + * Fixed: Kubernetes operator proxies should not accept subnet routes + +------------------------------------------------------------------- +Thu Mar 14 03:13:54 UTC 2024 - rrahl0@proton.me + +- update to 1.62.0: + * IPv6 support detection in a container environment is improved + * New: Web interface now uses ACL grants to manage access on tagged devices + * Tailscale SSH connections now disable unnecessary hostname canonicalization + * tailscale bugreport command for generating diagnostic logs now contain ethtool information + * Mullvad's family-friendly server is added to the list of well known DNS over HTTPS (DoH) servers + * DNS over HTTP requests now contain a timeout + * TCP forwarding attempts in userspace mode now have a per-client limit + * Endpoints with link-local IPv6 addresses is preferred over private addresses + * WireGuard logs are less verbose + * Go min. 
version 1.22.1 + * DERP server region no longer changes if connectivity to the new DERP region is degraded + +- update to 1.60.1: + * Exposing port 8080 to other devices on your tailnet works as expected + +------------------------------------------------------------------- +Tue Feb 20 22:10:41 UTC 2024 - Alexandre Vicenzi + +- Add disable-auto-update.patch to prevent auto updates and instead + ask users to use Zypper to update manually + +------------------------------------------------------------------- +Tue Feb 20 14:52:46 UTC 2024 - Richard Rahl + +- change to the non deprecated manualrun + +------------------------------------------------------------------- +Fri Feb 16 14:38:14 UTC 2024 - alexandre.vicenzi@suse.com + +- Spec cleanup + * Use tar_scm to avoid commit hashes in the spec + * Use tailscale build scripts + * Drop ProtectClock fix for Leap, DeviceAllow fixes it +- Add build-verbose.patch to get go flags into build log +- Enable PrivateDevices but allow access to /dev/net/tun in tailscaled.service + +------------------------------------------------------------------- +Fri Feb 16 00:50:26 UTC 2024 - Richard Rahl + +- update to 1.60.0: + * minimum go version 1.22 + * authentication: present users with a valid login page when + attempting to login even after leaving device unattended for several days + * networking: mute noisy peer mtu discovery errors + * networking: expose gVisor metrics in debug mode + * port mapper: support legacy "urn:dslforum-org" port mapping services + * port mapper: fix crash when no support mapping services found + * ssh: log warning when unable to find SSH host keys + * serve: improve error message when running as non-root + * Detect when Tailscale is running on Digital Ocean and automatically + use Digital Ocean's DNS resolvers + * enable app connectors to install routes for domains that resolve to CNAME + records + * support pre-configured routes from control server + * add new read-only mode + * tailscale status command: 
fix output formatting Tailnet + includes location-based exit nodes + * a new ProxyClass custom resource that allows to provide custom + configuration for cluster resources that the operator creates + * ACL tags for the operator can now be configured via Helm chart values + * routing to Ingress backends that require an exact path without a slash + +------------------------------------------------------------------- +Wed Feb 7 14:52:53 UTC 2024 - Richard Rahl + +- make rpm not overwrite /etc/default/taiscaled +- defattr everything to root + +------------------------------------------------------------------- +Sat Feb 3 11:18:05 UTC 2024 - Richard Rahl + +- no stripping of binaries +- add commitID to binaries for upstream +- add directory for saved configs + +------------------------------------------------------------------- +Tue Jan 23 23:54:36 UTC 2024 - Richard Rahl + +- switch services to manual +- update to version 1.58.2: + * Fixed: [App connectors][app-connectors] have improved scheduling + and merging of route changes under some conditions + * Fixed: Crash when performing UPnP portmapping on older routers + with no supported portmapping services + +------------------------------------------------------------------- +Fri Jan 19 08:06:27 UTC 2024 - Richard Rahl + +- update to version 1.58.0: + * portmap: check the epoch from NAT-PMP & PCP, establish new portmapping if it changes + * portmap: better handle multiple interfaces + * portmap: handle multiple UPnP discovery responses + * increase the number of 4via6 site IDs from 256 to 65,536 + * taildrop: allow category Z unicode characters + * increased binary size with 1.56 is resolved in 1.58 + * Reduce home DERP flapping when there's still an active connection + * device web ui: fixed issue when accessing shared devices + * device web ui: fixed login issue when accessed over https + +------------------------------------------------------------------- +Wed Jan 10 02:17:57 UTC 2024 - Richard Rahl + +- fix an 
issue with Leap, where ProtectClock prevents to connect to + /dev/net/tun + +------------------------------------------------------------------- +Fri Dec 15 21:22:39 UTC 2023 - Richard Rahl + +- update to version 1.56.1: + * Fixed: Web interface redirects to the correct self IP known by source peer + * Fixed: Usage of slices.Compact from app connector domains list + +------------------------------------------------------------------- +Fri Dec 15 13:48:28 UTC 2023 - Richard Rahl + +- fix version output to what upstream expects + +------------------------------------------------------------------- +Wed Dec 13 22:08:30 UTC 2023 - rrahl0@proton.me + +- Update to version 1.56.0: + * improve responsiveness under load, especially with bidirectional traffic + * improve UPnP portmapping + * add tailscale whois subcommand to observe metadata associated with a Tailscale IP + * include tailnet name and profile ID in tailscale switch --list to disambiguate + profiles with common login names + * improve tailscale web interface for configuring some device settings such as exit nodes, + subnet routers, and Tailscale SSH + * improve containerboot to symlink its socket file if possible, + making the tailscale CLI work without --socket=/tmp/tailscale.sock + * add support in Kubernetes operator cluster egress for referring to a tailnet service + by its MagicDNS name + + +- Update to version 1.54.1: + * no relevant updates to the linux version + +------------------------------------------------------------------- +Fri Nov 24 21:59:11 UTC 2023 - Richard Rahl + +- tailscale couldn't connect to /dev/net/tun + +------------------------------------------------------------------- +Thu Nov 23 06:51:24 UTC 2023 - rrahl0@proton.me + +- Update to version 1.54.0: + * improve throughput substantially for UDP packets over TUN device with recent Linux kernels + + +- Update to version 1.52.1: + * no linux improvements + +- Update to version 1.52.0: + * tailscale set command flag --auto-update is 
added to opt in to automatic client updates + * tailscale serve and tailscale funnel commands are updated for improved usability + * tailscale update command for manual updates is now in beta + * Taildrop file transfer displays a progress meter + * nftables auto-detection is improved when TS_DEBUG_FIREWALL_MODE=auto is used + * DNS detection of NetworkManager with configured but absent systemd-resolved + * Taildrop now resumes file transfers after partial transfers are interrupted + * tailscale up command displays a message about client updates when newer versions are available + * tailscale status command displays a message about client updates when newer versions are available + * tailscale cert command renews in the background. The current certificate only displays if it has expired. + +------------------------------------------------------------------- +Mon Oct 02 23:51:03 UTC 2023 - rrahl0@proton.me + +- Update to version 1.50.1: + * fix bug where serve config could get wiped + * Funnel support for tsnet apps + * fix potential crash with UPnP + +------------------------------------------------------------------- +Sat Sep 30 19:38:50 UTC 2023 - rrahl0@proton.me + +- Update to version 1.50.0: + * Update tailscale{,d} licenses + * Update Quad9 addresses and references + * Adds support for Wikimedia DNS using DNS-over-HTTPS + +- Update to version 1.48.1: + * no relevant updates + +- Update to version 1.48.2: + * Improvements to Mullvad exit nodes + +------------------------------------------------------------------- +Fri Aug 18 15:56:24 UTC 2023 - Richard Rahl + +- Initial revision diff --git a/tailscale.spec b/tailscale.spec new file mode 100644 index 0000000..9a1f981 --- /dev/null +++ b/tailscale.spec 
@@ -0,0 +1,143 @@
+#
+# spec file for package tailscale
+#
+# Copyright (c) 2025 SUSE LLC and contributors
+#
+# All modifications and additions to the file contributed by third parties
+remain the property of their copyright owners, unless otherwise agreed
+upon. The license for this file, and modifications and additions to the
+file, is the same license as for the pristine package itself (unless the
+license for the pristine package is not an Open Source License, in which
+case the license is the MIT License). An "Open Source License" is a
+license that conforms to the Open Source Definition (Version 1.9)
+published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name: tailscale
+Version: 1.86.5
+Release: 0
+Summary: The easiest, most secure way to use WireGuard and 2FA
+License: BSD-3-Clause
+URL: https://github.com/tailscale/tailscale
+Source: %{name}-%{version}.tar.gz
+Source1: vendor.tar.gz
+Source2: %{name}d.service
+Source3: %{name}d.defaults
+Patch0: build-verbose.patch
+Patch1: disable-auto-update.patch
+BuildRequires: bash-completion
+BuildRequires: fish
+BuildRequires: git-core
+BuildRequires: golang-packaging
+BuildRequires: zsh
+BuildRequires: golang(API) >= 1.24
+Requires: %{default_firewall_backend}
+ExcludeArch: i586
+%{?systemd_requires}
+
+%description
+Tailscale is a modern VPN built on top of Wireguard. It works like an overlay
+network between the computers of your networks using NAT traversal.
+
+%package bash-completion
+Summary: Tailscale bash completion
+Supplements: (%{name} and bash-completion)
+BuildArch: noarch
+
+%description bash-completion
+bash completions for %{name}
+
+%package zsh-completion
+Summary: Tailsacle zsh completion
+Supplements: (%{name} and zsh)
+BuildArch: noarch
+
+%description zsh-completion
+zsh completion for %{name}
+
+%package fish-completion
+Summary: Tailscale fish completion
+Supplements: (%{name} and fish)
+BuildArch: noarch
+
+%description fish-completion
+fish completion for %{name}
+
+%prep
+%autosetup -a1 -p1
+
+%build
+%ifnarch ppc64
+export GOFLAGS="-buildmode=pie"
+%endif
+export VERSION_SHORT=%{version}
+export VERSION_LONG=%{version}
+export VERSION_GIT_HASH='$(git rev-parse v%{version})'
+./build_dist.sh ./cmd/%{name}
+./build_dist.sh ./cmd/%{name}d
+
+#generate completions
+./%{name} completion bash > ./%{name}.bash
+./%{name} completion zsh > ./%{name}.zsh
+./%{name} completion fish > ./%{name}.fish
+
+%check
+./%{name} version
+./%{name}d -version
+
+%install
+mkdir -p %{buildroot}%{_sharedstatedir}/%{name}
+
+install -D -p -m 0755 %{name} %{buildroot}%{_bindir}/%{name}
+install -D -p -m 0755 %{name}d %{buildroot}%{_sbindir}/%{name}d
+
+# service
+install -D -p -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/%{name}d.service
+%if 0%{?suse_version} < 1600
+ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}d
+%endif
+
+# defaults
+install -D -p -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/default/%{name}d
+
+install -D -p -m 0644 ./%{name}.bash %{buildroot}%{_datadir}/bash-completion/completions/%{name}
+install -D -p -m 0644 ./%{name}.zsh %{buildroot}%{_datadir}/zsh/site-functions/_%{name}
+install -D -p -m 0644 ./%{name}.fish %{buildroot}%{_datadir}/fish/vendor_completions.d/%{name}
+
+%pre
+%service_add_pre %{name}d.service
+
+%post
+%service_add_post %{name}d.service
+
+%preun
+%service_del_preun %{name}d.service
+
+%postun
+%service_del_postun %{name}d.service
+
+%files
+%license LICENSE PATENTS
+%doc README.md SECURITY.md
+%config(noreplace) %{_sysconfdir}/default/%{name}d
+%dir %{_sharedstatedir}/%{name}
+%{_bindir}/%{name}
+%{_sbindir}/%{name}d
+%{_unitdir}/%{name}d.service
+%if 0%{?suse_version} < 1600
+%{_sbindir}/rc%{name}d
+%endif
+
+%files bash-completion
+%{_datadir}/bash-completion/completions/%{name}
+
+%files zsh-completion
+%{_datadir}/zsh/site-functions/_%{name}
+
+%files fish-completion
+%{_datadir}/fish/vendor_completions.d/%{name}
+
+%changelog
diff --git a/tailscaled.defaults b/tailscaled.defaults
new file mode 100644
index 0000000..75f1c3e
--- /dev/null
+++ b/tailscaled.defaults
@@ -0,0 +1,8 @@
+# Set the port to listen on for incoming VPN packets.
+# Remote nodes will automatically be informed about the new port number,
+# but you might want to configure this in order to set external firewall
+# settings.
+PORT="41641"
+
+# Extra flags you might want to pass to tailscaled.
+FLAGS=""
diff --git a/tailscaled.service b/tailscaled.service
new file mode 100644
index 0000000..b67b94d
--- /dev/null
+++ b/tailscaled.service
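Review bot: `%dir %{_sharedstatedir}/%{name}` is packaged with whatever mode the `mkdir -p` in %install produced (0755 under the usual 022 umask) and carries no `%attr`, while tailscaled.service asks for `StateDirectoryMode=0700` for the same path and points `--state=` at a file there that the 1.86 changelog entry in this series describes as worth encrypting at rest; systemd may fix the mode up on first start, but the package should not ship that directory world-listable in between: `%dir %attr(0700,root,root) %{_sharedstatedir}/%{name}`. A second, separate point: `export VERSION_GIT_HASH='$(git rev-parse v%{version})'` is single-quoted, so after macro expansion the shell exports the literal text `$(git rev-parse v1.86.5)` rather than a commit hash; unless build_dist.sh evals that string (not visible here), it should read `export VERSION_GIT_HASH="$(git rev-parse v%{version})"`, which also depends on the .git metadata actually being present in the tar_scm tarball. There is a typo in the zsh subpackage summary (`Tailsacle`).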
@@ -0,0 +1,35 @@
+[Unit]
+Description=Tailscale node agent
+Documentation=https://tailscale.com/kb/
+Wants=network-pre.target
+After=network-pre.target NetworkManager.service systemd-resolved.service
+
+[Service]
+EnvironmentFile=/etc/default/tailscaled
+ExecStartPre=/usr/sbin/tailscaled --cleanup
+ExecStart=/usr/sbin/tailscaled --state=/var/lib/tailscale/tailscaled.state --socket=/run/tailscale/tailscaled.sock --port=${PORT} $FLAGS
+ExecStopPost=/usr/sbin/tailscaled --cleanup
+Restart=on-failure
+RuntimeDirectory=tailscale
+RuntimeDirectoryMode=0755
+StateDirectory=tailscale
+StateDirectoryMode=0700
+CacheDirectory=tailscale
+CacheDirectoryMode=0750
+Type=notify
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+PrivateDevices=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+RestrictRealtime=true
+# give permission to TUN
+BindPaths=/dev/net/tun
+DeviceAllow=/dev/net/tun rw
+
+[Install]
+WantedBy=multi-user.target
diff --git a/vendor.tar.gz b/vendor.tar.gz
new file mode 100644
index 0000000..1545408
--- /dev/null
+++ b/vendor.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:56b0fc0d1f86ecd28ad0dcba85afe38f6c7b22c55cc63309e84fbc35cbb0fc42
+size 20181020
-- 
2.51.1
From c80d751fc014222b291f52a1593b96717eef12528797462008a92f609a916457 Mon Sep 17 00:00:00 2001
From: Richard Rahl
Date: Fri, 29 Aug 2025 12:59:17 +0000
Subject: [PATCH 10/25] - add patch fix-CVE-2025-58058.patch, fixing bsc#1248920
OBS-URL: https://build.opensuse.org/package/show/network:vpn/tailscale?expand=0&rev=90
---
 fix-CVE-2025-58058.patch | 28 ++++++++++++++++++++++++++++
 tailscale.changes | 5 +++++
 tailscale.spec | 1 +
 vendor.tar.gz | 4 ++--
 4 files changed, 36 insertions(+), 2 deletions(-)
 create mode 100644 fix-CVE-2025-58058.patch
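Review bot: `ProtectHome=true` in the [Service] section is likely to break Tailscale SSH and Taildrop on hosts that use them, because the login shells and file-receive helpers tailscaled spawns inherit the unit's mount namespace and would see /home and /root as empty or inaccessible; if those features are meant to work with this package the line should be dropped (or the restriction documented as deliberate) and the decision checked against a real `tailscale ssh` login, since nothing here records that trade-off. The hardening block also omits `ProtectSystem=`; if that is intentional because tailscaled rewrites /etc/resolv.conf for MagicDNS and manages routes and firewall state, a comment such as `# no ProtectSystem: tailscaled writes /etc/resolv.conf and netfilter/routing state` would stop the next hardening pass from adding it and silently breaking DNS. `StateDirectoryMode=0700` is the right call for a directory holding the node's private key, and it would be worth saying so in a comment so it is not relaxed to match the 0755 runtime directory.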
diff --git a/fix-CVE-2025-58058.patch b/fix-CVE-2025-58058.patch
new file mode 100644
index 0000000..867ec16
--- /dev/null
+++ b/fix-CVE-2025-58058.patch
@@ -0,0 +1,28 @@
+diff --git a/go.mod b/go.mod
+index 3d7514158..837fc8c44 100644
+--- a/go.mod
++++ b/go.mod
+@@ -382,7 +382,7 @@ require (
+ github.com/tomarrell/wrapcheck/v2 v2.8.3 // indirect
+ github.com/tommy-muehle/go-mnd/v2 v2.5.1 // indirect
+ github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 // indirect
+- github.com/ulikunitz/xz v0.5.11 // indirect
++ github.com/ulikunitz/xz v0.5.15 // indirect
+ github.com/ultraware/funlen v0.1.0 // indirect
+ github.com/ultraware/whitespace v0.1.0 // indirect
+ github.com/uudashr/gocognit v1.1.2 // indirect
+diff --git a/go.sum b/go.sum
+index 995b93010..715cd6dea 100644
+--- a/go.sum
++++ b/go.sum
+@@ -1010,8 +1010,8 @@ github.com/u-root/u-root v0.14.0 h1:Ka4T10EEML7dQ5XDvO9c3MBN8z4nuSnGjcd1jmU2ivg=
+ github.com/u-root/u-root v0.14.0/go.mod h1:hAyZorapJe4qzbLWlAkmSVCJGbfoU9Pu4jpJ1WMluqE=
+ github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 h1:pyC9PaHYZFgEKFdlp3G8RaCKgVpHZnecvArXvPXcFkM=
+ github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701/go.mod h1:P3a5rG4X7tI17Nn3aOIAYr5HbIMukwXG0urG0WuL8OA=
+- github.com/ulikunitz/xz v0.5.11 h1:kpFauv27b6ynzBNT/Xy+1k+fK4WswhN/6PN5WhFAGw8=
+- github.com/ulikunitz/xz v0.5.11/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
++ github.com/ulikunitz/xz v0.5.15 h1:9DNdB5s+SgV3bQ2ApL10xRc35ck0DuIX/isZvIk+ubY=
++ github.com/ulikunitz/xz v0.5.15/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
+ github.com/ultraware/funlen v0.1.0 h1:BuqclbkY6pO+cvxoq7OsktIXZpgBSkYTQtmwhAK81vI=
+ github.com/ultraware/funlen v0.1.0/go.mod h1:XJqmOQja6DpxarLj6Jj1U7JuoS8PvL4nEqDaQhy22p4=
+ github.com/ultraware/whitespace v0.1.0 h1:O1HKYoh0kIeqE8sFqZf1o0qbORXUCOQFrlaQyZsczZw=
diff --git a/tailscale.changes b/tailscale.changes
index 2acaa11..446d3d0 100644
--- a/tailscale.changes
+++ b/tailscale.changes
@@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Fri Aug 29 12:57:59 UTC 2025 - Richard Rahl + +- add patch fix-CVE-2025-58058.patch, fixing bsc#1248920 + ------------------------------------------------------------------- Fri Aug 29 11:10:29 UTC 2025 - Richard Rahl diff --git a/tailscale.spec b/tailscale.spec index 9a1f981..cbfa0bc 100644 --- a/tailscale.spec +++ b/tailscale.spec @@ -28,6 +28,7 @@ Source2: %{name}d.service Source3: %{name}d.defaults Patch0: build-verbose.patch Patch1: disable-auto-update.patch +Patch2: fix-CVE-2025-58058.patch BuildRequires: bash-completion BuildRequires: fish BuildRequires: git-core diff --git a/vendor.tar.gz b/vendor.tar.gz index 1545408..5224acd 100644 --- a/vendor.tar.gz +++ b/vendor.tar.gz @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:56b0fc0d1f86ecd28ad0dcba85afe38f6c7b22c55cc63309e84fbc35cbb0fc42 -size 20181020 +oid sha256:289a2c01fb77044ea76b6682c13a573b22be17ea4b019976c0774e3907559fd4 +size 21249461 -- 2.51.1 From 566209601a17077187bd4a8a6e8fcf858bf3030e333ef5d498c8e09b75ce70d8 Mon Sep 17 00:00:00 2001 
From: Richard Rahl Date: Fri, 12 Sep 2025 12:20:11 +0000 Subject: [PATCH 11/25] - update to version 1.88.1: * Tailscale CLI prompts users to confirm impactful actions * Tailscale SSH works as expected when using an IP address instead of a hostname and MagicDNS is disabled * fixed: Taildrive sharing when su not present * Taildrive files remain consistently accessible * new: Tailscale tray GUI * DERP IPs changed for Singapore and Tokyo - remove patch fix-CVE-2025-58058, fixed upstream OBS-URL: https://build.opensuse.org/package/show/network:vpn/tailscale?expand=0&rev=92 --- .gitattributes | 23 ++ .gitignore | 1 + _service | 17 ++ _servicedata | 4 + build-verbose.patch | 13 + disable-auto-update.patch | 25 ++ fix-CVE-2025-58058.patch | 28 ++ tailscale-1.86.5.tar.gz | 3 + tailscale-1.88.1.tar.gz | 3 + tailscale.changes | 583 ++++++++++++++++++++++++++++++++++++++ tailscale.spec | 143 ++++++++++ tailscaled.defaults | 8 + tailscaled.service | 35 +++ vendor.tar.gz | 3 + 14 files changed, 889 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 _service create mode 100644 _servicedata create mode 100644 build-verbose.patch create mode 100644 disable-auto-update.patch create mode 100644 fix-CVE-2025-58058.patch create mode 100644 tailscale-1.86.5.tar.gz create mode 100644 tailscale-1.88.1.tar.gz create mode 100644 tailscale.changes create mode 100644 tailscale.spec create mode 100644 tailscaled.defaults create mode 100644 tailscaled.service create mode 100644 vendor.tar.gz diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes 
@@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/_service b/_service new file mode 100644 index 0000000..bdee74b --- /dev/null +++ b/_service @@ -0,0 +1,17 @@ + + + https://github.com/tailscale/tailscale.git + git + yes + refs/tags/v1.88.1 + @PARENT_TAG@ + v(.*) + disable + + + *.tar + gz + + + + diff --git a/_servicedata b/_servicedata new file mode 100644 index 0000000..d4fed67 --- /dev/null +++ b/_servicedata @@ -0,0 +1,4 @@ + + + https://github.com/tailscale/tailscale.git + aa448d5a9985378af04966c6d7aec8d9f4a166ca \ No newline at end of file diff --git a/build-verbose.patch b/build-verbose.patch new file mode 100644 index 0000000..5da7533 --- /dev/null +++ b/build-verbose.patch 
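Review bot: The source checkout in _service is pinned to `refs/tags/v1.88.1`, which is a mutable reference: anyone with push rights upstream can re-point the tag, so a later rebuild can fetch different code while the spec, changelog and tarball name still say 1.88.1. _servicedata appears to record the commit that was actually checked out (`aa448d5a9985378af04966c6d7aec8d9f4a166ca`); pinning the service's revision to that hash, or verifying the tag against upstream's signing key before the tarball is produced if the service supports it, would make the build reproducible and auditable against what was reviewed. The XML element names were stripped in this rendering, so confirm which parameter carries the revision before changing it.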
@@ -0,0 +1,13 @@
+diff --git a/build_dist.sh b/build_dist.sh
+index 0c757c26..9639d596 100755
+--- a/build_dist.sh
++++ b/build_dist.sh
+@@ -9,7 +9,7 @@
+ # this script, or executing equivalent commands in your
+ # distro-specific build system.
+
+-set -eu
++set -eux
+
+ go="go"
+ if [ -n "${TS_USE_TOOLCHAIN:-}" ]; then
diff --git a/disable-auto-update.patch b/disable-auto-update.patch
new file mode 100644
index 0000000..c7d8a30
--- /dev/null
+++ b/disable-auto-update.patch
@@ -0,0 +1,25 @@
+diff -rub tailscale/clientupdate/clientupdate.go tailscale-patched/clientupdate/clientupdate.go
+--- tailscale/clientupdate/clientupdate.go 2024-06-16 15:26:31.323022871 +0200
++++ tailscale-patched/clientupdate/clientupdate.go 2024-06-16 15:57:08.732315446 +0200
+@@ -205,6 +205,8 @@
+ // The distro.Debian switch case above should catch most apt-based
+ // systems, but add this fallback just in case.
+ return up.updateDebLike, true
++ case haveExecutable("zypper"):
++ return up.updateSUSE, false
+ case haveExecutable("dnf"):
+ return up.updateFedoraLike("dnf"), true
+ case haveExecutable("yum"):
+@@ -526,6 +528,12 @@
+ you can use "pacman --sync --refresh --sysupgrade" or "pacman -Syu" to upgrade the system, including Tailscale.`)
+ }
+
++func (up *Updater) updateSUSE() error {
++ // SUSE-based distros should update manually.
++ // The package can come from official Tailscale repos or not and the system can be transactional or not.
++ return errors.New(`Use Zypper or transactional-update (on applicable systems) to update Tailscale on openSUSE or SUSE Linux Enterprise installations.`)
++}
++
+ func (up *Updater) updateNixos() error {
+ // NixOS package updates are managed on a system level and not individually.
+ // Direct users to update their nix channel or nixpkgs flake input to
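Review bot: The new `case haveExecutable("zypper")` branch in disable-auto-update.patch is placed ahead of the `dnf`/`yum` cases, and that ordering is load-bearing: an openSUSE host that also has dnf installed would otherwise fall into `return up.updateFedoraLike("dnf"), true` and let the daemon replace the distro package from Tailscale's own repository, which is exactly what this patch exists to prevent. Nothing in the patch says so; a comment above the case such as `// must precede the dnf/yum cases: openSUSE can have dnf installed too` would keep a future rebase from reordering it. The `false` second return value is what actually disables unattended updates on SUSE, so `updateSUSE`'s doc comment should state that explicitly rather than only that users "should update manually". The enclosing switch starts and ends outside the hunk, so whether an earlier `distro.Get()` case could already match a SUSE system and bypass this branch cannot be checked here.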
@@ -0,0 +1,28 @@
+diff --git a/go.mod b/go.mod
+index 3d7514158..837fc8c44 100644
+--- a/go.mod
++++ b/go.mod
+@@ -382,7 +382,7 @@ require (
+ github.com/tomarrell/wrapcheck/v2 v2.8.3 // indirect
+ github.com/tommy-muehle/go-mnd/v2 v2.5.1 // indirect
+ github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 // indirect
+- github.com/ulikunitz/xz v0.5.11 // indirect
++ github.com/ulikunitz/xz v0.5.15 // indirect
+ github.com/ultraware/funlen v0.1.0 // indirect
+ github.com/ultraware/whitespace v0.1.0 // indirect
+ github.com/uudashr/gocognit v1.1.2 // indirect
+diff --git a/go.sum b/go.sum
+index 995b93010..715cd6dea 100644
+--- a/go.sum
++++ b/go.sum
+@@ -1010,8 +1010,8 @@ github.com/u-root/u-root v0.14.0 h1:Ka4T10EEML7dQ5XDvO9c3MBN8z4nuSnGjcd1jmU2ivg=
+ github.com/u-root/u-root v0.14.0/go.mod h1:hAyZorapJe4qzbLWlAkmSVCJGbfoU9Pu4jpJ1WMluqE=
+ github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 h1:pyC9PaHYZFgEKFdlp3G8RaCKgVpHZnecvArXvPXcFkM=
+ github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701/go.mod h1:P3a5rG4X7tI17Nn3aOIAYr5HbIMukwXG0urG0WuL8OA=
+- github.com/ulikunitz/xz v0.5.11 h1:kpFauv27b6ynzBNT/Xy+1k+fK4WswhN/6PN5WhFAGw8=
+- github.com/ulikunitz/xz v0.5.11/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
++ github.com/ulikunitz/xz v0.5.15 h1:9DNdB5s+SgV3bQ2ApL10xRc35ck0DuIX/isZvIk+ubY=
++ github.com/ulikunitz/xz v0.5.15/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
+ github.com/ultraware/funlen v0.1.0 h1:BuqclbkY6pO+cvxoq7OsktIXZpgBSkYTQtmwhAK81vI=
+ github.com/ultraware/funlen v0.1.0/go.mod h1:XJqmOQja6DpxarLj6Jj1U7JuoS8PvL4nEqDaQhy22p4=
+ github.com/ultraware/whitespace v0.1.0 h1:O1HKYoh0kIeqE8sFqZf1o0qbORXUCOQFrlaQyZsczZw=
diff --git a/tailscale-1.86.5.tar.gz b/tailscale-1.86.5.tar.gz
new file mode 100644
index 0000000..c896ccb
--- /dev/null
+++ b/tailscale-1.86.5.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:41d7a8318ae624bd7f8315d4f4d929025f403837b97d505e142064273dde7b6d
+size 73557568
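Review bot: The commit message for this patch says fix-CVE-2025-58058.patch is removed because the fix landed upstream, yet this hunk still adds the file, and the diffstat lists `create mode 100644 fix-CVE-2025-58058.patch`. A CVE patch left in the package tree after it stops being applied is a trap for the next maintainer: it pins `github.com/ulikunitz/xz v0.5.15` and a specific `h1:` go.sum hash, and re-enabling it as `Patch2:` against a 1.88.1 tree that vendors a different version would either fail to apply or quietly pin a go.sum entry that no longer matches vendor/modules.txt. Either delete the file in this commit or, if tailscale.spec still references it (not visible here), correct the changelog line so the two agree.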
diff --git a/tailscale-1.88.1.tar.gz b/tailscale-1.88.1.tar.gz
new file mode 100644
index 0000000..ca210fd
--- /dev/null
+++ b/tailscale-1.88.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8bf6ec31b921f822867977bee5a57bcd79e1ac721fc1498dc99f8b4e028942c4
+size 74267799
diff --git a/tailscale.changes b/tailscale.changes
new file mode 100644
index 0000000..3239843
--- /dev/null
+++ b/tailscale.changes
@@ -0,0 +1,583 @@ +------------------------------------------------------------------- +Fri Sep 12 11:11:48 UTC 2025 - Richard Rahl + +- update to version 1.88.1: + * Tailscale CLI prompts users to confirm impactful actions + * Tailscale SSH works as expected when using an IP address instead of a + hostname and MagicDNS is disabled + * fixed: Taildrive sharing when su not present + * Taildrive files remain consistently accessible + * new: Tailscale tray GUI + * DERP IPs changed for Singapore and Tokyo +- remove patch fix-CVE-2025-58058, fixed upstream + +------------------------------------------------------------------- +Fri Aug 29 12:57:59 UTC 2025 - Richard Rahl + +- add patch fix-CVE-2025-58058.patch, fixing bsc#1248920 + +------------------------------------------------------------------- +Fri Aug 29 11:10:29 UTC 2025 - Richard Rahl + +- update to version 1.86.5: + * cmd/k8s-proxy,k8s-operator: fix serve config for userspace mode +- update to version 1.86.4: + * nothing of relevance +- update to version 1.86.3: + * nothing of relevance + +------------------------------------------------------------------- +Tue Jul 29 21:20:47 UTC 2025 - Richard Rahl + +- update to version 1.86.2: + * A deadlock issue that may have occurred in the client + * An occasional crash when establishing a new port mapping with a gateway or + firewall + +------------------------------------------------------------------- +Sat Jul 26 16:23:38 UTC 2025 - Richard Rahl + +- update to version 1.86.0: + * tsStateEncrypted device posture attribute for checking whether the + Tailscale client state is encrypted at rest + * Cross-site request forgery (CSRF) issue that may have resulted in a log in + error when accessing the web interface + * Recommended exit node when the previously recommended exit node is offline + * tailscale up --exit-node=auto:any and tailscale set --exit-node=auto:any + CLI commands track the recommended exit node and automatically switches to + it when available exit nodes 
or network conditions change + * tailscaled CLI command flag --encrypt-state encrypts the node state file on + the disk using trusted platform module (TPM) + +------------------------------------------------------------------- +Thu Jun 26 17:29:44 UTC 2025 - Richard Rahl + +- update to 1.84.3: + * ipn/ipnlocal: Update hostinfo to control on service config change + +------------------------------------------------------------------- +Tue Jun 10 15:36:55 UTC 2025 - Richard Rahl + +- update to 1.84.2: + * Re-enable setting —accept-dns by using TS_EXTRA_ARGS. This issue resulted + from stricter CLI arguments parsing introduced in Tailscale v1.84.0 + +------------------------------------------------------------------- +Fri May 30 06:23:15 UTC 2025 - Richard Rahl + +- update to 1.84.1: + * net/dns: cache dns.Config for reuse when compileConfig fails + +------------------------------------------------------------------- +Thu May 22 08:27:09 UTC 2025 - Richard Rahl + +- update to 1.84.0: + * The --reason flag is added to the tailscale down command + * ReconnectAfter policy setting, which configures the maximum period of time + between a user disconnecting Tailscale and the client automatically + reconnecting + * Tailscale CLI commands throw an error if multiple of the same flag are detected + * Network connectivity issues when creating a new profile or switching + profiles while using an exit node + * DNS-over-TCP fallback works correctly with upstream servers reachable only + via the tailnet +- remove fix-CVE-2025-22869.patch, as upstream updated their dependencies + +------------------------------------------------------------------- +Fri Apr 18 07:37:15 UTC 2025 - Richard Rahl + +- update to 1.82.5: + * A panic issue related to CUBIC congestion control in userspace mode is resolved. 
+ +------------------------------------------------------------------- +Thu Mar 27 19:50:58 UTC 2025 - Richard Rahl + +- update to 1.82.0: + * DERP functionality within the client supports certificate pinning for + self-signed IP address certificates for those unable to use Let's Encrypt + or WebPKI certificates. + * Go is updated to version 1.24.1 + * NAT traversal code uses the DERP connection that a packet arrived on as an + ultimate fallback route if no other information is available + * Captive portal detection reliability is improved on some in-flight Wi-Fi networks + * Port mapping success rate is improved + * Helsinki is added as a DERP region. + +------------------------------------------------------------------- +Wed Mar 12 09:07:49 UTC 2025 - Richard Rahl + +- add patch fix-CVE-2025-22869.patch, fixes bsc#1239353 + +------------------------------------------------------------------- +Tue Mar 4 13:42:34 UTC 2025 - Richard Rahl + +- update to 1.80.3: + * appc: fix a deadlock in route advertisements + * client/web: fix CSRF handler order in web UI + +------------------------------------------------------------------- +Thu Feb 13 14:30:28 UTC 2025 - Richard Rahl + +- update to 1.80.2: + * Use ip:country as a geolocation device posture attribute (generally available). + +------------------------------------------------------------------- +Thu Feb 6 19:52:22 UTC 2025 - Richard Rahl + +- update to 1.80.1: + * net/netmon: add extra panic guard around ParseRIB + +------------------------------------------------------------------- +Fri Jan 31 17:20:29 UTC 2025 - Richard Rahl + +- update to 1.80.0: + * Hostname system policy is added for overriding the device hostname + configured by the operating system, using an MDM solution. + * Web interface displays a Login button instead of the Reauthenticate button + when adding a new device to your tailnet. 
+ * Tailscale Funnel configuration on devices displays errors when incoming + connections are not permitted and connections are disallowed. + * Connections to a custom coordination server that does not support HTTPS + will no longer fail when a custom port number is specified. + * TLS certificate requests from Let’s Encrypt include the device's DNS name + in the CSR’s SAN extension and set the Common Name field. + * Tailscale Funnel disabled on a device no longer displays enabled in the + admin console. + * GitHub username change automatically updates tailnet name + * 4via6 subnet routers GA + * Auto approvers GA + * Node attributes GA + * Download invoices GA + * Fast user switching GA + * Configuration log streaming integration with S3 buckets GA + * Network flow log streaming integration with S3 buckets GA + * NextDNS profiles per device GA + * GitHub secret scanning +- remove fix-CVE-2024-45337.patch, as it's now included + +------------------------------------------------------------------- +Wed Dec 18 17:33:23 UTC 2024 - Richard Rahl + +- add patch fix-CVE-2024-45337.patch, to circumevent a possibility + of exploiting the golang-x-crypto security hole. (fix #1234506) + +------------------------------------------------------------------- +Fri Dec 13 05:06:26 UTC 2024 - Richard Rahl + +- update to 1.78.3: + * cmd/containerboot: fix nil pointer exception + * hostinfo: fix testing in container + +------------------------------------------------------------------- +Fri Dec 6 01:22:05 UTC 2024 - Richard Rahl + +- update to 1.78.1: + * health: fix TestHealthMetric + +------------------------------------------------------------------- +Thu Dec 5 22:10:32 UTC 2024 - Richard Rahl + +- update to 1.78.0: + * Client metrics have been added, to provide insights into Tailscale client + behavior, health, and performance. + * tailscale metrics command has been added, to expose and collect client + metrics for use with third-party monitoring systems. 
+ * tailscale syspolicy command has been added, to list system policies, reload + system policies, or view errors related to the system policies configured + on the device. + * Tailscale system policies are applied immediately when pushed via mobile + device management (MDM) or Group Policy, without requiring a client restart. + * Tailscale SSH session recording detects the disappearance of the recorder + node sooner. This fix addresses a security vulnerability described + in TS-2024-013. + * New scopes for OAuth clients have been added with more granular permissions. + Existing OAuth clients using the previous set of scopes, and keys generated + using these clients, are still valid. + +------------------------------------------------------------------- +Fri Nov 8 03:46:50 UTC 2024 - Richard Rahl + +- update to 1.76.6: + * Logging for when clients move home DERP regions is improved. + * Tailscale clients no longer move their home DERP server prematurely in + response to unusual latency at very specific times. + +------------------------------------------------------------------- +Tue Oct 22 18:34:42 UTC 2024 - Richard Rahl + +- update to 1.76.3: + * no relevant changelog +- update to 1.76.2: + * no relevant changelog +- switch over to the new %{default_fw_backend} macro +- create old init file only for < leap 16 + +------------------------------------------------------------------- +Wed Oct 16 20:40:31 UTC 2024 - Richard Rahl + +- update to 1.76.1: + * tailscale netcheck CLI command no longer crashes when performing diagnostics + on networks lacking UDP connectivity. + * Improperly formatted SERVFAIL responses no longer cause DNS timeouts when using an exit node. + * dbus login sessions no longer fail on systems where /bin/login is missing. 
+ +------------------------------------------------------------------- +Mon Oct 14 13:06:13 UTC 2024 - Alexandre Vicenzi + +- Require a firewall backend (boo#1228829) +- Add simple test check to ensure binaries are working + +------------------------------------------------------------------- +Fri Oct 11 06:07:28 UTC 2024 - Richard Rahl + +- update to 1.76.0: + * Clients lacking UDP connectivity no longer skip performing fallback latency + measurements with DERP servers. + * Warnings no longer display unnecessarily. + * Tailscale connectivity on in-flight internet on airplanes (such as Alaska Airlines) no longer fails. + * Service-related processes no longer run unnecessarily when services are disabled on the tailnet. + * Error messages include explanations in addition to the HTTP status code. + * Tailscale SSH supports sending environment variables to hosts. It's also possible to specify + permitted environment variables using the acceptEnv field. + * Tailscale SSH no longer breaks some terminal applications by omitting pixel width and height when + resizing the application window. + +------------------------------------------------------------------- +Sat Sep 21 05:28:42 UTC 2024 - Eric Torres + +- Change path of zsh completion file to make zsh properly recognize completions + * /usr/share/zsh/site-functions/tailscale moved to /usr/share/zsh/site-functions/_tailscale + +------------------------------------------------------------------- +Wed Sep 18 19:10:19 UTC 2024 - Richard Rahl + +- update to 1.74.1: + * wgengine/magicsock: disable raw disco by default; add envknob to enable + +------------------------------------------------------------------- +Fri Sep 13 10:48:17 UTC 2024 - Richard Rahl + +- update to 1.74.0 + * AuthKey system policy can be used to authenticate a device with Tailscale using an MDM solution. + * tailscale dns CLI command is added for accessing Tailscale DNS settings and status. 
+ * Tailnet Lock long rotation signatures are truncated automatically to avoid excessive growth. + * Log In option in the client works as expected. + * TCP generic receive offload (GRO) support is added for improved userspace mode throughput. + * TCP generic segmentation offload (GSO) is re-introduced for supporting improved userspace mode throughput. + This was initially introduced in Tailscale v1.72.0 and then rolled back in v1.72.1. + * Device posture integration with CrowdStrike Falcon can now use MAC addresses to match devices that lack serial numbers. + When Falcon integration is configured, Device Identity Collection will automatically collect MAC addresses. + +------------------------------------------------------------------- +Thu Aug 22 22:08:51 UTC 2024 - Richard Rahl + +- update to 1.72.1: + * DNS over TCP failures when querying the Tailscale-internal resolver are fixed. + +------------------------------------------------------------------- +Wed Aug 21 16:05:02 UTC 2024 - rrahl0@opensuse.org + +- Update to version 1.72.0: + * posture: deduplicate MAC addresses before returning them + * health/dns: reduce severity of DNS unavailable warning + * safeweb: add Server.Close method + * go.mod.sri: update SRI hash for go.mod changes + * go.{mod,sum}: migrate from nhooyr.io/websocket to github.com/coder/websocket + * cmd/viewer: add support for map-like container types +- update golang(API) to 1.23 +- export version variables, to circumvent a bug + +------------------------------------------------------------------- +Thu Jul 18 06:31:58 UTC 2024 - Richard Rahl + +- update to 1.70.0: + * New: Restrict recommended and automatically selected exit nodes using the + new AllowedSuggestedExitNodes system policy. Applies only to platforms that + support system policies. + * Changed: Improved NAT traversal for some uncommon scenarios. + * Changed: Optimized sending firewall rules to clients more efficiently. 
+ * Fixed: Exit node suggestion CLI command now prints the hostname. + * Fixed: Taildrive share paths configured through the CLI resolve relative + to where you run the tailscale command. + +------------------------------------------------------------------- +Tue Jul 2 20:35:35 UTC 2024 - Richard Rahl + +- update to 1.68.2: + * Fixed: Tailnet lock validation of rotation signatures now permits multiple nodes + signed by the same pre-signed reusable auth key. + +------------------------------------------------------------------- +Sun Jun 16 13:30:20 UTC 2024 - Richard Rahl + +- update to 1.68.1: + * Fixed: 4via6 subnet router advertisement works as expected. + * Fixed: Tailscale SSH access to Security-Enhanced Linux (SELinux) machines works as expected. +- update to 1.68.0: + * New: Auto-updates are allowed in containers, but ignore the tailnet-wide default + * New: Apply auto-updates even if the node is down or disconnected from the coordination server. + * New: tailscale lock status now prints the node's signature. + +------------------------------------------------------------------- +Wed May 22 08:36:37 UTC 2024 - Richard Rahl + +- update to 1.66.4: + * Fixed: Restored UDP connectivity through Mullvad exit nodes + * Stateful filtering is now off by default + +- update to 1.66.3: + * Login URLs did not always appear in the console when running tailscale up + * Starting with v1.66, the Kubernetes operator must always run the same or later version + as the proxies it manages. 
+ * Expose cloud services on cluster network to the tailnet, using Kubernetes ExternalName Services + * Expose tailnet services that use Tailscale HTTPS to cluster workloads + * Cluster workloads can now refer to Tailscale Ingress resources by their MagicDNS names + * Configure environment variables for Tailscale Kubernetes operator proxies using ProxyClass CRD + * Expose tailscaled metrics endpoint for Tailscale Kubernetes operator proxies through ProxyClass CRD + * Configure labels for the Kubernetes operator Pods with Helm chart values + * Configure affinity rules for Kubernetes operator proxy Pods with ProxyClass + * Kubernetes operator proxy init container no longer attempts to enable IPv6 forwarding on systems + that don't have IPv6 module loaded + * Tailscale containers running on Kubernetes no longer error if an empty Kubernetes Secret is + pre-created for the tailscaled state + * Improved the ambiguous error messages when Tailscale running on Kubernetes does not have the right + permissions to perform actions against the tailscaled state Secret + +------------------------------------------------------------------- +Fri May 10 15:16:33 UTC 2024 - Richard Rahl + +- update to 1.66.1: + * Resolved issues with nftables rules for stateful filtering, + introduced in v1.66.0. + * tailscale set command flags --netfilter-mode, --snat-subnet-routes, + and --stateful-filtering are added. + +- update to 1.66.0: + * Implemented client-side quarantining for shared-in exit nodes, + as a mitigation for a security vulnerability described in TS-2024-005. + * Use the --stateful-filtering flag for the tailscale up to enable stateful filtering for + subnet routers and exit nodes, as a mitigation for a security vulnerability described + in TS-2024-005. + * Added tab completions + * Use the tailscale exit-node suggest command to automatically pick an available exit node + that is likely to perform best. 
+ * Site-to-site networking now also requires --stateful-filtering=false in addition to + --snat-subnet-routes=false on new subnet routers. Existing subnet routers with --snat-subnet-routes=false + will default to --stateful-filtering=false. + +- update to 1.64.2: + * nothing relevant for linux + +- update to 1.64.1: + * nothing relevant for linux + +- update to 1.64.0: + * New: tailscale configure kubeconfig now respects KUBECONFIG environment variable. + * Fixed: tailscale configure kubeconfig now works with partially empty kubeconfig. + * Fixed: MSS clamping for Kubernetes operator proxies using nftables. + * Fixed: Containers on hosts with partial support for ip6tables no longer crash. + +- turn of changelog generation +- add completions for bash + +------------------------------------------------------------------- +Sat Mar 30 08:28:56 UTC 2024 - Richard Rahl + +- update to 1.62.1: + * Send load balancing hint HTTP request header + * Fixed: Kubernetes operator proxies should not accept subnet routes + +------------------------------------------------------------------- +Thu Mar 14 03:13:54 UTC 2024 - rrahl0@proton.me + +- update to 1.62.0: + * IPv6 support detection in a container environment is improved + * New: Web interface now uses ACL grants to manage access on tagged devices + * Tailscale SSH connections now disable unnecessary hostname canonicalization + * tailscale bugreport command for generating diagnostic logs now contain ethtool information + * Mullvad's family-friendly server is added to the list of well known DNS over HTTPS (DoH) servers + * DNS over HTTP requests now contain a timeout + * TCP forwarding attempts in userspace mode now have a per-client limit + * Endpoints with link-local IPv6 addresses is preferred over private addresses + * WireGuard logs are less verbose + * Go min. 
version 1.22.1 + * DERP server region no longer changes if connectivity to the new DERP region is degraded + +- update to 1.60.1: + * Exposing port 8080 to other devices on your tailnet works as expected + +------------------------------------------------------------------- +Tue Feb 20 22:10:41 UTC 2024 - Alexandre Vicenzi + +- Add disable-auto-update.patch to prevent auto updates and instead + ask users to use Zypper to update manually + +------------------------------------------------------------------- +Tue Feb 20 14:52:46 UTC 2024 - Richard Rahl + +- change to the non deprecated manualrun + +------------------------------------------------------------------- +Fri Feb 16 14:38:14 UTC 2024 - alexandre.vicenzi@suse.com + +- Spec cleanup + * Use tar_scm to avoid commit hashes in the spec + * Use tailscale build scripts + * Drop ProtectClock fix for Leap, DeviceAllow fixes it +- Add build-verbose.patch to get go flags into build log +- Enable PrivateDevices but allow access to /dev/net/tun in tailscaled.service + +------------------------------------------------------------------- +Fri Feb 16 00:50:26 UTC 2024 - Richard Rahl + +- update to 1.60.0: + * minimum go version 1.22 + * authentication: present users with a valid login page when + attempting to login even after leaving device unattended for several days + * networking: mute noisy peer mtu discovery errors + * networking: expose gVisor metrics in debug mode + * port mapper: support legacy "urn:dslforum-org" port mapping services + * port mapper: fix crash when no support mapping services found + * ssh: log warning when unable to find SSH host keys + * serve: improve error message when running as non-root + * Detect when Tailscale is running on Digital Ocean and automatically + use Digital Ocean's DNS resolvers + * enable app connectors to install routes for domains that resolve to CNAME + records + * support pre-configured routes from control server + * add new read-only mode + * tailscale status command: 
fix output formatting Tailnet + includes location-based exit nodes + * a new ProxyClass custom resource that allows to provide custom + configuration for cluster resources that the operator creates + * ACL tags for the operator can now be configured via Helm chart values + * routing to Ingress backends that require an exact path without a slash + +------------------------------------------------------------------- +Wed Feb 7 14:52:53 UTC 2024 - Richard Rahl + +- make rpm not overwrite /etc/default/taiscaled +- defattr everything to root + +------------------------------------------------------------------- +Sat Feb 3 11:18:05 UTC 2024 - Richard Rahl + +- no stripping of binaries +- add commitID to binaries for upstream +- add directory for saved configs + +------------------------------------------------------------------- +Tue Jan 23 23:54:36 UTC 2024 - Richard Rahl + +- switch services to manual +- update to version 1.58.2: + * Fixed: [App connectors][app-connectors] have improved scheduling + and merging of route changes under some conditions + * Fixed: Crash when performing UPnP portmapping on older routers + with no supported portmapping services + +------------------------------------------------------------------- +Fri Jan 19 08:06:27 UTC 2024 - Richard Rahl + +- update to version 1.58.0: + * portmap: check the epoch from NAT-PMP & PCP, establish new portmapping if it changes + * portmap: better handle multiple interfaces + * portmap: handle multiple UPnP discovery responses + * increase the number of 4via6 site IDs from 256 to 65,536 + * taildrop: allow category Z unicode characters + * increased binary size with 1.56 is resolved in 1.58 + * Reduce home DERP flapping when there's still an active connection + * device web ui: fixed issue when accessing shared devices + * device web ui: fixed login issue when accessed over https + +------------------------------------------------------------------- +Wed Jan 10 02:17:57 UTC 2024 - Richard Rahl + +- fix an 
issue with Leap, where ProtectClock prevents to connect to + /dev/net/tun + +------------------------------------------------------------------- +Fri Dec 15 21:22:39 UTC 2023 - Richard Rahl + +- update to version 1.56.1: + * Fixed: Web interface redirects to the correct self IP known by source peer + * Fixed: Usage of slices.Compact from app connector domains list + +------------------------------------------------------------------- +Fri Dec 15 13:48:28 UTC 2023 - Richard Rahl + +- fix version output to what upstream expects + +------------------------------------------------------------------- +Wed Dec 13 22:08:30 UTC 2023 - rrahl0@proton.me + +- Update to version 1.56.0: + * improve responsiveness under load, especially with bidirectional traffic + * improve UPnP portmapping + * add tailscale whois subcommand to observe metadata associated with a Tailscale IP + * include tailnet name and profile ID in tailscale switch --list to disambiguate + profiles with common login names + * improve tailscale web interface for configuring some device settings such as exit nodes, + subnet routers, and Tailscale SSH + * improve containerboot to symlink its socket file if possible, + making the tailscale CLI work without --socket=/tmp/tailscale.sock + * add support in Kubernetes operator cluster egress for referring to a tailnet service + by its MagicDNS name + + +- Update to version 1.54.1: + * no relevant updates to the linux version + +------------------------------------------------------------------- +Fri Nov 24 21:59:11 UTC 2023 - Richard Rahl + +- tailscale couldn't connect to /dev/net/tun + +------------------------------------------------------------------- +Thu Nov 23 06:51:24 UTC 2023 - rrahl0@proton.me + +- Update to version 1.54.0: + * improve throughput substantially for UDP packets over TUN device with recent Linux kernels + + +- Update to version 1.52.1: + * no linux improvements + +- Update to version 1.52.0: + * tailscale set command flag --auto-update is 
added to opt in to automatic client updates + * tailscale serve and tailscale funnel commands are updated for improved usability + * tailscale update command for manual updates is now in beta + * Taildrop file transfer displays a progress meter + * nftables auto-detection is improved when TS_DEBUG_FIREWALL_MODE=auto is used + * DNS detection of NetworkManager with configured but absent systemd-resolved + * Taildrop now resumes file transfers after partial transfers are interrupted + * tailscale up command displays a message about client updates when newer versions are available + * tailscale status command displays a message about client updates when newer versions are available + * tailscale cert command renews in the background. The current certificate only displays if it has expired. + +------------------------------------------------------------------- +Mon Oct 02 23:51:03 UTC 2023 - rrahl0@proton.me + +- Update to version 1.50.1: + * fix bug where serve config could get wiped + * Funnel support for tsnet apps + * fix potential crash with UPnP + +------------------------------------------------------------------- +Sat Sep 30 19:38:50 UTC 2023 - rrahl0@proton.me + +- Update to version 1.50.0: + * Update tailscale{,d} licenses + * Update Quad9 addresses and references + * Adds support for Wikimedia DNS using DNS-over-HTTPS + +- Update to version 1.48.1: + * no relevant updates + +- Update to version 1.48.2: + * Improvements to Mullvad exit nodes + +------------------------------------------------------------------- +Fri Aug 18 15:56:24 UTC 2023 - Richard Rahl + +- Initial revision diff --git a/tailscale.spec b/tailscale.spec new file mode 100644 index 0000000..e3f40b4 --- /dev/null +++ b/tailscale.spec 
@@ -0,0 +1,143 @@
+#
+# spec file for package tailscale
+#
+# Copyright (c) 2025 SUSE LLC and contributors
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name: tailscale
+Version: 1.88.1
+Release: 0
+Summary: The easiest, most secure way to use WireGuard and 2FA
+License: BSD-3-Clause
+URL: https://github.com/tailscale/tailscale
+Source: %{name}-%{version}.tar.gz
+Source1: vendor.tar.gz
+Source2: %{name}d.service
+Source3: %{name}d.defaults
+Patch0: build-verbose.patch
+Patch1: disable-auto-update.patch
+BuildRequires: bash-completion
+BuildRequires: fish
+BuildRequires: git-core
+BuildRequires: golang-packaging
+BuildRequires: zsh
+BuildRequires: golang(API) >= 1.25
+Requires: %{default_firewall_backend}
+ExcludeArch: i586
+%{?systemd_requires}
+
+%description
+Tailscale is a modern VPN built on top of Wireguard. It works like an overlay
+network between the computers of your networks using NAT traversal.
+
+%package bash-completion
+Summary: Tailscale bash completion
+Supplements: (%{name} and bash-completion)
+BuildArch: noarch
+
+%description bash-completion
+bash completions for %{name}
+
+%package zsh-completion
+Summary: Tailsacle zsh completion
+Supplements: (%{name} and zsh)
+BuildArch: noarch
+
+%description zsh-completion
+zsh completion for %{name}
+
+%package fish-completion
+Summary: Tailscale fish completion
+Supplements: (%{name} and fish)
+BuildArch: noarch
+
+%description fish-completion
+fish completion for %{name}
+
+%prep
+%autosetup -a1 -p1
+
+%build
+%ifnarch ppc64
+export GOFLAGS="-buildmode=pie"
+%endif
+export VERSION_SHORT=%{version}
+export VERSION_LONG=%{version}
+export VERSION_GIT_HASH='$(git rev-parse v%{version})'
+./build_dist.sh ./cmd/%{name}
+./build_dist.sh ./cmd/%{name}d
+
+#generate completions
+./%{name} completion bash > ./%{name}.bash
+./%{name} completion zsh > ./%{name}.zsh
+./%{name} completion fish > ./%{name}.fish
+
+%check
+./%{name} version
+./%{name}d -version
+
+%install
+mkdir -p %{buildroot}%{_sharedstatedir}/%{name}
+
+install -D -p -m 0755 %{name} %{buildroot}%{_bindir}/%{name}
+install -D -p -m 0755 %{name}d %{buildroot}%{_sbindir}/%{name}d
+
+# service
+install -D -p -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/%{name}d.service
+%if 0%{?suse_version} < 1600
+ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}d
+%endif
+
+# defaults
+install -D -p -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/default/%{name}d
+
+install -D -p -m 0644 ./%{name}.bash %{buildroot}%{_datadir}/bash-completion/completions/%{name}
+install -D -p -m 0644 ./%{name}.zsh %{buildroot}%{_datadir}/zsh/site-functions/_%{name}
+install -D -p -m 0644 ./%{name}.fish %{buildroot}%{_datadir}/fish/vendor_completions.d/%{name}
+
+%pre
+%service_add_pre %{name}d.service
+
+%post
+%service_add_post %{name}d.service
+
+%preun
+%service_del_preun %{name}d.service
+
+%postun
+%service_del_postun %{name}d.service
+
+%files
+%license LICENSE PATENTS
+%doc README.md SECURITY.md
+%config(noreplace) %{_sysconfdir}/default/%{name}d
+%dir %{_sharedstatedir}/%{name}
+%{_bindir}/%{name}
+%{_sbindir}/%{name}d
+%{_unitdir}/%{name}d.service
+%if 0%{?suse_version} < 1600
+%{_sbindir}/rc%{name}d
+%endif
+
+%files bash-completion
+%{_datadir}/bash-completion/completions/%{name}
+
+%files zsh-completion
+%{_datadir}/zsh/site-functions/_%{name}
+
+%files fish-completion
+%{_datadir}/fish/vendor_completions.d/%{name}
+
+%changelog
diff --git a/tailscaled.defaults b/tailscaled.defaults
new file mode 100644
index 0000000..75f1c3e
--- /dev/null
+++ b/tailscaled.defaults
@@ -0,0 +1,8 @@
+# Set the port to listen on for incoming VPN packets.
+# Remote nodes will automatically be informed about the new port number,
+# but you might want to configure this in order to set external firewall
+# settings.
+PORT="41641"
+
+# Extra flags you might want to pass to tailscaled.
+FLAGS=""
diff --git a/tailscaled.service b/tailscaled.service
new file mode 100644
index 0000000..b67b94d
--- /dev/null
+++ b/tailscaled.service
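Review bot: `export VERSION_GIT_HASH='$(git rev-parse v%{version})'` in %build is single-quoted, so the shell never runs the command substitution and the exported value is the literal text `$(git rev-parse v1.88.1)` rather than a commit hash; if the intent is to stamp the commit into the binaries this needs `export VERSION_GIT_HASH="$(git rev-parse v%{version})"`, plus a checkout that still carries its .git metadata (a service-generated tarball may not, in which case the build should fail loudly rather than embed the placeholder). Separately, %install creates `%{_sharedstatedir}/%{name}` and %files ships it with default permissions, while the unit in this same series sets `StateDirectoryMode=0700` for the directory holding the daemon's state file; `%dir %attr(0700,root,root) %{_sharedstatedir}/%{name}` would make the packaged directory match that expectation regardless of whether systemd re-applies the mode to a pre-existing directory. The zsh sub-package Summary also has a typo, `Tailsacle`.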
@@ -0,0 +1,35 @@
+[Unit]
+Description=Tailscale node agent
+Documentation=https://tailscale.com/kb/
+Wants=network-pre.target
+After=network-pre.target NetworkManager.service systemd-resolved.service
+
+[Service]
+EnvironmentFile=/etc/default/tailscaled
+ExecStartPre=/usr/sbin/tailscaled --cleanup
+ExecStart=/usr/sbin/tailscaled --state=/var/lib/tailscale/tailscaled.state --socket=/run/tailscale/tailscaled.sock --port=${PORT} $FLAGS
+ExecStopPost=/usr/sbin/tailscaled --cleanup
+Restart=on-failure
+RuntimeDirectory=tailscale
+RuntimeDirectoryMode=0755
+StateDirectory=tailscale
+StateDirectoryMode=0700
+CacheDirectory=tailscale
+CacheDirectoryMode=0750
+Type=notify
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+PrivateDevices=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+RestrictRealtime=true
+# give permission to TUN
+BindPaths=/dev/net/tun
+DeviceAllow=/dev/net/tun rw
+
+[Install]
+WantedBy=multi-user.target
diff --git a/vendor.tar.gz b/vendor.tar.gz
new file mode 100644
index 0000000..c4d7eb6
--- /dev/null
+++ b/vendor.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4f45e37369d47908fded9531fc726bcc5e159e2ea668fc1a19215b4744a857f2
+size 20709707
-- 
2.51.1

From c6036422eeb7ef962d6b915ab18cad196e9c7a27c7abb8ceac8b72561fe2da56 Mon Sep 17 00:00:00 2001
From: Richard Rahl
Date: Tue, 16 Sep 2025 08:39:20 +0000
Subject: [PATCH 12/25] - remove fix-CVE-2025-58058.patch, fixed upstream
OBS-URL: https://build.opensuse.org/package/show/network:vpn/tailscale?expand=0&rev=93
---
 tailscale.changes | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tailscale.changes b/tailscale.changes
index 3239843..050999b 100644
--- a/tailscale.changes
+++ b/tailscale.changes
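Review bot: The hardening block after the openSUSE hardening-effort comment leaves out the directives that are commonly recommended alongside these and that do not interfere with a root daemon holding CAP_NET_ADMIN and a TUN device: `SystemCallArchitectures=native`, `LockPersonality=true` and `RestrictSUIDSGID=true` could be added directly under `RestrictRealtime=true`. `ProtectSystem=` and `NoNewPrivileges=` are riskier for this unit, since the ordering after NetworkManager and systemd-resolved suggests tailscaled manages host DNS configuration and Tailscale SSH spawns login sessions for other users, so those two should only be added after testing with an appropriate `ReadWritePaths=`. `EnvironmentFile=/etc/default/tailscaled` without a leading `-` also makes the unit fail to start if that file is removed; `EnvironmentFile=-/etc/default/tailscaled` would degrade gracefully, though `${PORT}` in ExecStart would then expand to empty and needs a default of its own.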
@@ -9,7 +9,7 @@ Fri Sep 12 11:11:48 UTC 2025 - Richard Rahl
   * Taildrive files remain consistently accessible
   * new: Tailscale tray GUI
   * DERP IPs changed for Singapore and Tokyo
-- remove patch fix-CVE-2025-58058, fixed upstream
+- remove fix-CVE-2025-58058.patch, fixed upstream
 
 -------------------------------------------------------------------
 Fri Aug 29 12:57:59 UTC 2025 - Richard Rahl
-- 
2.51.1

From be10986d82ad73deec17f4f6912246b470c768afa55fee8acaf1c48b93a9cd97 Mon Sep 17 00:00:00 2001
From: Richard Rahl Date: Wed, 1 Oct 2025 12:22:36 +0000 Subject: [PATCH 13/25] - update to version 1.88.3: * cmd/tailscale/cli: add ts2021 debug flag to set a dial plan * control/controlhttp: simplify, fix race dialing, remove priority concept - update to version 1.88.2: * k8s-operator: reset service status before append - require the minimum go version directly, in comparison to using the golang(API) symbol OBS-URL: https://build.opensuse.org/package/show/network:vpn/tailscale?expand=0&rev=95 --- .gitattributes | 23 ++ .gitignore | 1 + _service | 17 ++ _servicedata | 4 + build-verbose.patch | 13 + disable-auto-update.patch | 25 ++ fix-CVE-2025-58058.patch | 28 ++ tailscale-1.86.5.tar.gz | 3 + tailscale-1.88.1.tar.gz | 3 + tailscale-1.88.3.tar.gz | 3 + tailscale.changes | 594 ++++++++++++++++++++++++++++++++++++++ tailscale.spec | 143 +++++++++ tailscaled.defaults | 8 + tailscaled.service | 35 +++ vendor.tar.gz | 3 + 15 files changed, 903 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 _service create mode 100644 _servicedata create mode 100644 build-verbose.patch create mode 100644 disable-auto-update.patch create mode 100644 fix-CVE-2025-58058.patch create mode 100644 tailscale-1.86.5.tar.gz create mode 100644 tailscale-1.88.1.tar.gz create mode 100644 tailscale-1.88.3.tar.gz create mode 100644 tailscale.changes create mode 100644 tailscale.spec create mode 100644 tailscaled.defaults create mode 100644 tailscaled.service create mode 100644 vendor.tar.gz diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes 
@@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/_service b/_service new file mode 100644 index 0000000..58d81e0 --- /dev/null +++ b/_service @@ -0,0 +1,17 @@ + + + https://github.com/tailscale/tailscale.git + git + yes + refs/tags/v1.88.3 + @PARENT_TAG@ + v(.*) + disable + + + *.tar + gz + + + + diff --git a/_servicedata b/_servicedata new file mode 100644 index 0000000..d4fed67 --- /dev/null +++ b/_servicedata @@ -0,0 +1,4 @@ + + + https://github.com/tailscale/tailscale.git + aa448d5a9985378af04966c6d7aec8d9f4a166ca \ No newline at end of file diff --git a/build-verbose.patch b/build-verbose.patch new file mode 100644 index 0000000..5da7533 --- /dev/null +++ b/build-verbose.patch 
@@ -0,0 +1,13 @@
+diff --git a/build_dist.sh b/build_dist.sh
+index 0c757c26..9639d596 100755
+--- a/build_dist.sh
++++ b/build_dist.sh
+@@ -9,7 +9,7 @@
+ # this script, or executing equivalent commands in your
+ # distro-specific build system.
+ 
+-set -eu
++set -eux
+ 
+ go="go"
+ if [ -n "${TS_USE_TOOLCHAIN:-}" ]; then
diff --git a/disable-auto-update.patch b/disable-auto-update.patch
new file mode 100644
index 0000000..c7d8a30
--- /dev/null
+++ b/disable-auto-update.patch
@@ -0,0 +1,25 @@
+diff -rub tailscale/clientupdate/clientupdate.go tailscale-patched/clientupdate/clientupdate.go
+--- tailscale/clientupdate/clientupdate.go 2024-06-16 15:26:31.323022871 +0200
++++ tailscale-patched/clientupdate/clientupdate.go 2024-06-16 15:57:08.732315446 +0200
+@@ -205,6 +205,8 @@
+ // The distro.Debian switch case above should catch most apt-based
+ // systems, but add this fallback just in case.
+ return up.updateDebLike, true
++ case haveExecutable("zypper"):
++ return up.updateSUSE, false
+ case haveExecutable("dnf"):
+ return up.updateFedoraLike("dnf"), true
+ case haveExecutable("yum"):
+@@ -526,6 +528,12 @@
+ you can use "pacman --sync --refresh --sysupgrade" or "pacman -Syu" to upgrade the system, including Tailscale.`)
+ }
+ 
++func (up *Updater) updateSUSE() error {
++ // SUSE-based distros should update manually.
++ // The package can come from official Tailscale repos or not and the system can be transactional or not.
++ return errors.New(`Use Zypper or transactional-update (on applicable systems) to update Tailscale on openSUSE or SUSE Linux Enterprise installations.`)
++}
++
+ func (up *Updater) updateNixos() error {
+ // NixOS package updates are managed on a system level and not individually.
+ // Direct users to update their nix channel or nixpkgs flake input to
diff --git a/fix-CVE-2025-58058.patch b/fix-CVE-2025-58058.patch
new file mode 100644
index 0000000..867ec16
--- /dev/null
+++ b/fix-CVE-2025-58058.patch
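Review bot: In disable-auto-update.patch, the new `case haveExecutable("zypper"): return up.updateSUSE, false` returns `false` where the neighbouring package-manager cases return `true`, and nothing states that this second value is the actual mechanism that keeps auto-updates off on SUSE; a comment on the case, `// zypper-managed systems: expose the manual update path only, never auto-update.`, would stop a future resync with upstream from "fixing" it to `true`. Because the case keys on executable presence and is placed after the apt-based fallback that the preceding comment describes, a SUSE host that also happens to have that executable would take the earlier branch first; anchoring on Tailscale's own distro detection, if it recognises SUSE, would be more robust, but that is inferred from the visible ordering only. The enclosing switch and function, and the `haveExecutable` helper, all start outside the hunk.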
@@ -0,0 +1,28 @@
+diff --git a/go.mod b/go.mod
+index 3d7514158..837fc8c44 100644
+--- a/go.mod
++++ b/go.mod
+@@ -382,7 +382,7 @@ require (
+ github.com/tomarrell/wrapcheck/v2 v2.8.3 // indirect
+ github.com/tommy-muehle/go-mnd/v2 v2.5.1 // indirect
+ github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 // indirect
+- github.com/ulikunitz/xz v0.5.11 // indirect
++ github.com/ulikunitz/xz v0.5.15 // indirect
+ github.com/ultraware/funlen v0.1.0 // indirect
+ github.com/ultraware/whitespace v0.1.0 // indirect
+ github.com/uudashr/gocognit v1.1.2 // indirect
+diff --git a/go.sum b/go.sum
+index 995b93010..715cd6dea 100644
+--- a/go.sum
++++ b/go.sum
+@@ -1010,8 +1010,8 @@ github.com/u-root/u-root v0.14.0 h1:Ka4T10EEML7dQ5XDvO9c3MBN8z4nuSnGjcd1jmU2ivg=
+ github.com/u-root/u-root v0.14.0/go.mod h1:hAyZorapJe4qzbLWlAkmSVCJGbfoU9Pu4jpJ1WMluqE=
+ github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 h1:pyC9PaHYZFgEKFdlp3G8RaCKgVpHZnecvArXvPXcFkM=
+ github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701/go.mod h1:P3a5rG4X7tI17Nn3aOIAYr5HbIMukwXG0urG0WuL8OA=
+-github.com/ulikunitz/xz v0.5.11 h1:kpFauv27b6ynzBNT/Xy+1k+fK4WswhN/6PN5WhFAGw8=
+-github.com/ulikunitz/xz v0.5.11/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
++github.com/ulikunitz/xz v0.5.15 h1:9DNdB5s+SgV3bQ2ApL10xRc35ck0DuIX/isZvIk+ubY=
++github.com/ulikunitz/xz v0.5.15/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
+ github.com/ultraware/funlen v0.1.0 h1:BuqclbkY6pO+cvxoq7OsktIXZpgBSkYTQtmwhAK81vI=
+ github.com/ultraware/funlen v0.1.0/go.mod h1:XJqmOQja6DpxarLj6Jj1U7JuoS8PvL4nEqDaQhy22p4=
+ github.com/ultraware/whitespace v0.1.0 h1:O1HKYoh0kIeqE8sFqZf1o0qbORXUCOQFrlaQyZsczZw=
diff --git a/tailscale-1.86.5.tar.gz b/tailscale-1.86.5.tar.gz
new file mode 100644
index 0000000..c896ccb
--- /dev/null
+++ b/tailscale-1.86.5.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:41d7a8318ae624bd7f8315d4f4d929025f403837b97d505e142064273dde7b6d
+size 73557568
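Review bot: fix-CVE-2025-58058.patch bumps `github.com/ulikunitz/xz` to v0.5.15 in go.mod and go.sum only, while the spec in this series builds from the unpacked vendor.tar.gz (Source1, extracted by `%autosetup -a1`); in vendor mode the Go toolchain refuses to build when go.mod and vendor/modules.txt disagree, so the patch only takes effect if vendor.tar.gz was regenerated with the same version, and otherwise the build fails or, if vendoring is bypassed, the old v0.5.11 code is still what gets linked. A leading comment line in the patch file naming that coupling, e.g. `# requires vendor.tar.gz regenerated against xz v0.5.15`, would make the dependency between the two sources explicit (text before the first diff header is ignored by patch tools). Since the module is marked `// indirect`, it is also worth recording which direct dependency pulls it in, because the fix only matters if that code path is compiled into tailscaled.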
diff --git a/tailscale-1.88.1.tar.gz b/tailscale-1.88.1.tar.gz new file mode 100644 index 0000000..ca210fd --- /dev/null +++ b/tailscale-1.88.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8bf6ec31b921f822867977bee5a57bcd79e1ac721fc1498dc99f8b4e028942c4 +size 74267799 diff --git a/tailscale-1.88.3.tar.gz b/tailscale-1.88.3.tar.gz new file mode 100644 index 0000000..26c7e7d --- /dev/null +++ b/tailscale-1.88.3.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:cf8b2625ffe57b92ad34af619e0e78202fd9c3d219295c18781d3682411efce1 +size 75520912 diff --git a/tailscale.changes b/tailscale.changes new file mode 100644 index 0000000..de3f9e7 --- /dev/null +++ b/tailscale.changes 
@@ -0,0 +1,594 @@ +------------------------------------------------------------------- +Wed Oct 1 11:55:52 UTC 2025 - Richard Rahl + +- update to version 1.88.3: + * cmd/tailscale/cli: add ts2021 debug flag to set a dial plan + * control/controlhttp: simplify, fix race dialing, remove priority concept +- update to version 1.88.2: + * k8s-operator: reset service status before append +- require the minimum go version directly, in comparison to using the golang(API) + symbol + +------------------------------------------------------------------- +Fri Sep 12 11:11:48 UTC 2025 - Richard Rahl + +- update to version 1.88.1: + * Tailscale CLI prompts users to confirm impactful actions + * Tailscale SSH works as expected when using an IP address instead of a + hostname and MagicDNS is disabled + * fixed: Taildrive sharing when su not present + * Taildrive files remain consistently accessible + * new: Tailscale tray GUI + * DERP IPs changed for Singapore and Tokyo +- remove fix-CVE-2025-58058.patch, fixed upstream + +------------------------------------------------------------------- +Fri Aug 29 12:57:59 UTC 2025 - Richard Rahl + +- add patch fix-CVE-2025-58058.patch, fixing bsc#1248920 + +------------------------------------------------------------------- +Fri Aug 29 11:10:29 UTC 2025 - Richard Rahl + +- update to version 1.86.5: + * cmd/k8s-proxy,k8s-operator: fix serve config for userspace mode +- update to version 1.86.4: + * nothing of relevance +- update to version 1.86.3: + * nothing of relevance + +------------------------------------------------------------------- +Tue Jul 29 21:20:47 UTC 2025 - Richard Rahl + +- update to version 1.86.2: + * A deadlock issue that may have occurred in the client + * An occasional crash when establishing a new port mapping with a gateway or + firewall + +------------------------------------------------------------------- +Sat Jul 26 16:23:38 UTC 2025 - Richard Rahl + +- update to version 1.86.0: + * tsStateEncrypted device posture 
attribute for checking whether the + Tailscale client state is encrypted at rest + * Cross-site request forgery (CSRF) issue that may have resulted in a log in + error when accessing the web interface + * Recommended exit node when the previously recommended exit node is offline + * tailscale up --exit-node=auto:any and tailscale set --exit-node=auto:any + CLI commands track the recommended exit node and automatically switches to + it when available exit nodes or network conditions change + * tailscaled CLI command flag --encrypt-state encrypts the node state file on + the disk using trusted platform module (TPM) + +------------------------------------------------------------------- +Thu Jun 26 17:29:44 UTC 2025 - Richard Rahl + +- update to 1.84.3: + * ipn/ipnlocal: Update hostinfo to control on service config change + +------------------------------------------------------------------- +Tue Jun 10 15:36:55 UTC 2025 - Richard Rahl + +- update to 1.84.2: + * Re-enable setting —accept-dns by using TS_EXTRA_ARGS. 
This issue resulted + from stricter CLI arguments parsing introduced in Tailscale v1.84.0 + +------------------------------------------------------------------- +Fri May 30 06:23:15 UTC 2025 - Richard Rahl + +- update to 1.84.1: + * net/dns: cache dns.Config for reuse when compileConfig fails + +------------------------------------------------------------------- +Thu May 22 08:27:09 UTC 2025 - Richard Rahl + +- update to 1.84.0: + * The --reason flag is added to the tailscale down command + * ReconnectAfter policy setting, which configures the maximum period of time + between a user disconnecting Tailscale and the client automatically + reconnecting + * Tailscale CLI commands throw an error if multiple of the same flag are detected + * Network connectivity issues when creating a new profile or switching + profiles while using an exit node + * DNS-over-TCP fallback works correctly with upstream servers reachable only + via the tailnet +- remove fix-CVE-2025-22869.patch, as upstream updated their dependencies + +------------------------------------------------------------------- +Fri Apr 18 07:37:15 UTC 2025 - Richard Rahl + +- update to 1.82.5: + * A panic issue related to CUBIC congestion control in userspace mode is resolved. + +------------------------------------------------------------------- +Thu Mar 27 19:50:58 UTC 2025 - Richard Rahl + +- update to 1.82.0: + * DERP functionality within the client supports certificate pinning for + self-signed IP address certificates for those unable to use Let's Encrypt + or WebPKI certificates. + * Go is updated to version 1.24.1 + * NAT traversal code uses the DERP connection that a packet arrived on as an + ultimate fallback route if no other information is available + * Captive portal detection reliability is improved on some in-flight Wi-Fi networks + * Port mapping success rate is improved + * Helsinki is added as a DERP region. 
+ +------------------------------------------------------------------- +Wed Mar 12 09:07:49 UTC 2025 - Richard Rahl + +- add patch fix-CVE-2025-22869.patch, fixes bsc#1239353 + +------------------------------------------------------------------- +Tue Mar 4 13:42:34 UTC 2025 - Richard Rahl + +- update to 1.80.3: + * appc: fix a deadlock in route advertisements + * client/web: fix CSRF handler order in web UI + +------------------------------------------------------------------- +Thu Feb 13 14:30:28 UTC 2025 - Richard Rahl + +- update to 1.80.2: + * Use ip:country as a geolocation device posture attribute (generally available). + +------------------------------------------------------------------- +Thu Feb 6 19:52:22 UTC 2025 - Richard Rahl + +- update to 1.80.1: + * net/netmon: add extra panic guard around ParseRIB + +------------------------------------------------------------------- +Fri Jan 31 17:20:29 UTC 2025 - Richard Rahl + +- update to 1.80.0: + * Hostname system policy is added for overriding the device hostname + configured by the operating system, using an MDM solution. + * Web interface displays a Login button instead of the Reauthenticate button + when adding a new device to your tailnet. + * Tailscale Funnel configuration on devices displays errors when incoming + connections are not permitted and connections are disallowed. + * Connections to a custom coordination server that does not support HTTPS + will no longer fail when a custom port number is specified. + * TLS certificate requests from Let’s Encrypt include the device's DNS name + in the CSR’s SAN extension and set the Common Name field. + * Tailscale Funnel disabled on a device no longer displays enabled in the + admin console. 
+ * GitHub username change automatically updates tailnet name + * 4via6 subnet routers GA + * Auto approvers GA + * Node attributes GA + * Download invoices GA + * Fast user switching GA + * Configuration log streaming integration with S3 buckets GA + * Network flow log streaming integration with S3 buckets GA + * NextDNS profiles per device GA + * GitHub secret scanning +- remove fix-CVE-2024-45337.patch, as it's now included + +------------------------------------------------------------------- +Wed Dec 18 17:33:23 UTC 2024 - Richard Rahl + +- add patch fix-CVE-2024-45337.patch, to circumevent a possibility + of exploiting the golang-x-crypto security hole. (fix #1234506) + +------------------------------------------------------------------- +Fri Dec 13 05:06:26 UTC 2024 - Richard Rahl + +- update to 1.78.3: + * cmd/containerboot: fix nil pointer exception + * hostinfo: fix testing in container + +------------------------------------------------------------------- +Fri Dec 6 01:22:05 UTC 2024 - Richard Rahl + +- update to 1.78.1: + * health: fix TestHealthMetric + +------------------------------------------------------------------- +Thu Dec 5 22:10:32 UTC 2024 - Richard Rahl + +- update to 1.78.0: + * Client metrics have been added, to provide insights into Tailscale client + behavior, health, and performance. + * tailscale metrics command has been added, to expose and collect client + metrics for use with third-party monitoring systems. + * tailscale syspolicy command has been added, to list system policies, reload + system policies, or view errors related to the system policies configured + on the device. + * Tailscale system policies are applied immediately when pushed via mobile + device management (MDM) or Group Policy, without requiring a client restart. + * Tailscale SSH session recording detects the disappearance of the recorder + node sooner. This fix addresses a security vulnerability described + in TS-2024-013. 
+ * New scopes for OAuth clients have been added with more granular permissions. + Existing OAuth clients using the previous set of scopes, and keys generated + using these clients, are still valid. + +------------------------------------------------------------------- +Fri Nov 8 03:46:50 UTC 2024 - Richard Rahl + +- update to 1.76.6: + * Logging for when clients move home DERP regions is improved. + * Tailscale clients no longer move their home DERP server prematurely in + response to unusual latency at very specific times. + +------------------------------------------------------------------- +Tue Oct 22 18:34:42 UTC 2024 - Richard Rahl + +- update to 1.76.3: + * no relevant changelog +- update to 1.76.2: + * no relevant changelog +- switch over to the new %{default_fw_backend} macro +- create old init file only for < leap 16 + +------------------------------------------------------------------- +Wed Oct 16 20:40:31 UTC 2024 - Richard Rahl + +- update to 1.76.1: + * tailscale netcheck CLI command no longer crashes when performing diagnostics + on networks lacking UDP connectivity. + * Improperly formatted SERVFAIL responses no longer cause DNS timeouts when using an exit node. + * dbus login sessions no longer fail on systems where /bin/login is missing. + +------------------------------------------------------------------- +Mon Oct 14 13:06:13 UTC 2024 - Alexandre Vicenzi + +- Require a firewall backend (boo#1228829) +- Add simple test check to ensure binaries are working + +------------------------------------------------------------------- +Fri Oct 11 06:07:28 UTC 2024 - Richard Rahl + +- update to 1.76.0: + * Clients lacking UDP connectivity no longer skip performing fallback latency + measurements with DERP servers. + * Warnings no longer display unnecessarily. + * Tailscale connectivity on in-flight internet on airplanes (such as Alaska Airlines) no longer fails. 
+ * Service-related processes no longer run unnecessarily when services are disabled on the tailnet. + * Error messages include explanations in addition to the HTTP status code. + * Tailscale SSH supports sending environment variables to hosts. It's also possible to specify + permitted environment variables using the acceptEnv field. + * Tailscale SSH no longer breaks some terminal applications by omitting pixel width and height when + resizing the application window. + +------------------------------------------------------------------- +Sat Sep 21 05:28:42 UTC 2024 - Eric Torres + +- Change path of zsh completion file to make zsh properly recognize completions + * /usr/share/zsh/site-functions/tailscale moved to /usr/share/zsh/site-functions/_tailscale + +------------------------------------------------------------------- +Wed Sep 18 19:10:19 UTC 2024 - Richard Rahl + +- update to 1.74.1: + * wgengine/magicsock: disable raw disco by default; add envknob to enable + +------------------------------------------------------------------- +Fri Sep 13 10:48:17 UTC 2024 - Richard Rahl + +- update to 1.74.0 + * AuthKey system policy can be used to authenticate a device with Tailscale using an MDM solution. + * tailscale dns CLI command is added for accessing Tailscale DNS settings and status. + * Tailnet Lock long rotation signatures are truncated automatically to avoid excessive growth. + * Log In option in the client works as expected. + * TCP generic receive offload (GRO) support is added for improved userspace mode throughput. + * TCP generic segmentation offload (GSO) is re-introduced for supporting improved userspace mode throughput. + This was initially introduced in Tailscale v1.72.0 and then rolled back in v1.72.1. + * Device posture integration with CrowdStrike Falcon can now use MAC addresses to match devices that lack serial numbers. + When Falcon integration is configured, Device Identity Collection will automatically collect MAC addresses. 
+
+-------------------------------------------------------------------
+Thu Aug 22 22:08:51 UTC 2024 - Richard Rahl
+
+- update to 1.72.1:
+ * DNS over TCP failures when querying the Tailscale-internal resolver are fixed.
+
+-------------------------------------------------------------------
+Wed Aug 21 16:05:02 UTC 2024 - rrahl0@opensuse.org
+
+- Update to version 1.72.0:
+ * posture: deduplicate MAC addresses before returning them
+ * health/dns: reduce severity of DNS unavailable warning
+ * safeweb: add Server.Close method
+ * go.mod.sri: update SRI hash for go.mod changes
+ * go.{mod,sum}: migrate from nhooyr.io/websocket to github.com/coder/websocket
+ * cmd/viewer: add support for map-like container types
+- update golang(API) to 1.23
+- export version variables, to circumvent a bug
+
+-------------------------------------------------------------------
+Thu Jul 18 06:31:58 UTC 2024 - Richard Rahl
+
+- update to 1.70.0:
+ * New: Restrict recommended and automatically selected exit nodes using the
+ new AllowedSuggestedExitNodes system policy. Applies only to platforms that
+ support system policies.
+ * Changed: Improved NAT traversal for some uncommon scenarios.
+ * Changed: Optimized sending firewall rules to clients more efficiently.
+ * Fixed: Exit node suggestion CLI command now prints the hostname.
+ * Fixed: Taildrive share paths configured through the CLI resolve relative
+ to where you run the tailscale command.
+
+-------------------------------------------------------------------
+Tue Jul 2 20:35:35 UTC 2024 - Richard Rahl
+
+- update to 1.68.2:
+ * Fixed: Tailnet lock validation of rotation signatures now permits multiple nodes
+ signed by the same pre-signed reusable auth key.
+
+-------------------------------------------------------------------
+Sun Jun 16 13:30:20 UTC 2024 - Richard Rahl
+
+- update to 1.68.1:
+ * Fixed: 4via6 subnet router advertisement works as expected.
+ * Fixed: Tailscale SSH access to Security-Enhanced Linux (SELinux) machines works as expected.
+- update to 1.68.0:
+ * New: Auto-updates are allowed in containers, but ignore the tailnet-wide default
+ * New: Apply auto-updates even if the node is down or disconnected from the coordination server.
+ * New: tailscale lock status now prints the node's signature.
+
+-------------------------------------------------------------------
+Wed May 22 08:36:37 UTC 2024 - Richard Rahl
+
+- update to 1.66.4:
+ * Fixed: Restored UDP connectivity through Mullvad exit nodes
+ * Stateful filtering is now off by default
+
+- update to 1.66.3:
+ * Login URLs did not always appear in the console when running tailscale up
+ * Starting with v1.66, the Kubernetes operator must always run the same or later version
+ as the proxies it manages.
+ * Expose cloud services on cluster network to the tailnet, using Kubernetes ExternalName Services
+ * Expose tailnet services that use Tailscale HTTPS to cluster workloads
+ * Cluster workloads can now refer to Tailscale Ingress resources by their MagicDNS names
+ * Configure environment variables for Tailscale Kubernetes operator proxies using ProxyClass CRD
+ * Expose tailscaled metrics endpoint for Tailscale Kubernetes operator proxies through ProxyClass CRD
+ * Configure labels for the Kubernetes operator Pods with Helm chart values
+ * Configure affinity rules for Kubernetes operator proxy Pods with ProxyClass
+ * Kubernetes operator proxy init container no longer attempts to enable IPv6 forwarding on systems
+ that don't have IPv6 module loaded
+ * Tailscale containers running on Kubernetes no longer error if an empty Kubernetes Secret is
+ pre-created for the tailscaled state
+ * Improved the ambiguous error messages when Tailscale running on Kubernetes does not have the right
+ permissions to perform actions against the tailscaled state Secret
+
+-------------------------------------------------------------------
+Fri May 10 15:16:33 UTC 2024 - Richard Rahl
+
+- update to 1.66.1:
+ * Resolved issues with nftables rules for stateful filtering,
+ introduced in v1.66.0.
+ * tailscale set command flags --netfilter-mode, --snat-subnet-routes,
+ and --stateful-filtering are added.
+
+- update to 1.66.0:
+ * Implemented client-side quarantining for shared-in exit nodes,
+ as a mitigation for a security vulnerability described in TS-2024-005.
+ * Use the --stateful-filtering flag for the tailscale up to enable stateful filtering for
+ subnet routers and exit nodes, as a mitigation for a security vulnerability described
+ in TS-2024-005.
+ * Added tab completions
+ * Use the tailscale exit-node suggest command to automatically pick an available exit node
+ that is likely to perform best.
+ * Site-to-site networking now also requires --stateful-filtering=false in addition to
+ --snat-subnet-routes=false on new subnet routers. Existing subnet routers with --snat-subnet-routes=false
+ will default to --stateful-filtering=false.
+
+- update to 1.64.2:
+ * nothing relevant for linux
+
+- update to 1.64.1:
+ * nothing relevant for linux
+
+- update to 1.64.0:
+ * New: tailscale configure kubeconfig now respects KUBECONFIG environment variable.
+ * Fixed: tailscale configure kubeconfig now works with partially empty kubeconfig.
+ * Fixed: MSS clamping for Kubernetes operator proxies using nftables.
+ * Fixed: Containers on hosts with partial support for ip6tables no longer crash.
+
+- turn of changelog generation
+- add completions for bash
+
+-------------------------------------------------------------------
+Sat Mar 30 08:28:56 UTC 2024 - Richard Rahl
+
+- update to 1.62.1:
+ * Send load balancing hint HTTP request header
+ * Fixed: Kubernetes operator proxies should not accept subnet routes
+
+-------------------------------------------------------------------
+Thu Mar 14 03:13:54 UTC 2024 - rrahl0@proton.me
+
+- update to 1.62.0:
+ * IPv6 support detection in a container environment is improved
+ * New: Web interface now uses ACL grants to manage access on tagged devices
+ * Tailscale SSH connections now disable unnecessary hostname canonicalization
+ * tailscale bugreport command for generating diagnostic logs now contain ethtool information
+ * Mullvad's family-friendly server is added to the list of well known DNS over HTTPS (DoH) servers
+ * DNS over HTTP requests now contain a timeout
+ * TCP forwarding attempts in userspace mode now have a per-client limit
+ * Endpoints with link-local IPv6 addresses is preferred over private addresses
+ * WireGuard logs are less verbose
+ * Go min. version 1.22.1
+ * DERP server region no longer changes if connectivity to the new DERP region is degraded
+
+- update to 1.60.1:
+ * Exposing port 8080 to other devices on your tailnet works as expected
+
+-------------------------------------------------------------------
+Tue Feb 20 22:10:41 UTC 2024 - Alexandre Vicenzi
+
+- Add disable-auto-update.patch to prevent auto updates and instead
+ ask users to use Zypper to update manually
+
+-------------------------------------------------------------------
+Tue Feb 20 14:52:46 UTC 2024 - Richard Rahl
+
+- change to the non deprecated manualrun
+
+-------------------------------------------------------------------
+Fri Feb 16 14:38:14 UTC 2024 - alexandre.vicenzi@suse.com
+
+- Spec cleanup
+ * Use tar_scm to avoid commit hashes in the spec
+ * Use tailscale build scripts
+ * Drop ProtectClock fix for Leap, DeviceAllow fixes it
+- Add build-verbose.patch to get go flags into build log
+- Enable PrivateDevices but allow access to /dev/net/tun in tailscaled.service
+
+-------------------------------------------------------------------
+Fri Feb 16 00:50:26 UTC 2024 - Richard Rahl
+
+- update to 1.60.0:
+ * minimum go version 1.22
+ * authentication: present users with a valid login page when
+ attempting to login even after leaving device unattended for several days
+ * networking: mute noisy peer mtu discovery errors
+ * networking: expose gVisor metrics in debug mode
+ * port mapper: support legacy "urn:dslforum-org" port mapping services
+ * port mapper: fix crash when no support mapping services found
+ * ssh: log warning when unable to find SSH host keys
+ * serve: improve error message when running as non-root
+ * Detect when Tailscale is running on Digital Ocean and automatically
+ use Digital Ocean's DNS resolvers
+ * enable app connectors to install routes for domains that resolve to CNAME
+ records
+ * support pre-configured routes from control server
+ * add new read-only mode
+ * tailscale status command: fix output formatting Tailnet
+ includes location-based exit nodes
+ * a new ProxyClass custom resource that allows to provide custom
+ configuration for cluster resources that the operator creates
+ * ACL tags for the operator can now be configured via Helm chart values
+ * routing to Ingress backends that require an exact path without a slash
+
+-------------------------------------------------------------------
+Wed Feb 7 14:52:53 UTC 2024 - Richard Rahl
+
+- make rpm not overwrite /etc/default/taiscaled
+- defattr everything to root
+
+-------------------------------------------------------------------
+Sat Feb 3 11:18:05 UTC 2024 - Richard Rahl
+
+- no stripping of binaries
+- add commitID to binaries for upstream
+- add directory for saved configs
+
+-------------------------------------------------------------------
+Tue Jan 23 23:54:36 UTC 2024 - Richard Rahl
+
+- switch services to manual
+- update to version 1.58.2:
+ * Fixed: [App connectors][app-connectors] have improved scheduling
+ and merging of route changes under some conditions
+ * Fixed: Crash when performing UPnP portmapping on older routers
+ with no supported portmapping services
+
+-------------------------------------------------------------------
+Fri Jan 19 08:06:27 UTC 2024 - Richard Rahl
+
+- update to version 1.58.0:
+ * portmap: check the epoch from NAT-PMP & PCP, establish new portmapping if it changes
+ * portmap: better handle multiple interfaces
+ * portmap: handle multiple UPnP discovery responses
+ * increase the number of 4via6 site IDs from 256 to 65,536
+ * taildrop: allow category Z unicode characters
+ * increased binary size with 1.56 is resolved in 1.58
+ * Reduce home DERP flapping when there's still an active connection
+ * device web ui: fixed issue when accessing shared devices
+ * device web ui: fixed login issue when accessed over https
+
+-------------------------------------------------------------------
+Wed Jan 10 02:17:57 UTC 2024 - Richard Rahl
+
+- fix an issue with Leap, where ProtectClock prevents to connect to
+ /dev/net/tun
+
+-------------------------------------------------------------------
+Fri Dec 15 21:22:39 UTC 2023 - Richard Rahl
+
+- update to version 1.56.1:
+ * Fixed: Web interface redirects to the correct self IP known by source peer
+ * Fixed: Usage of slices.Compact from app connector domains list
+
+-------------------------------------------------------------------
+Fri Dec 15 13:48:28 UTC 2023 - Richard Rahl
+
+- fix version output to what upstream expects
+
+-------------------------------------------------------------------
+Wed Dec 13 22:08:30 UTC 2023 - rrahl0@proton.me
+
+- Update to version 1.56.0:
+ * improve responsiveness under load, especially with bidirectional traffic
+ * improve UPnP portmapping
+ * add tailscale whois subcommand to observe metadata associated with a Tailscale IP
+ * include tailnet name and profile ID in tailscale switch --list to disambiguate
+ profiles with common login names
+ * improve tailscale web interface for configuring some device settings such as exit nodes,
+ subnet routers, and Tailscale SSH
+ * improve containerboot to symlink its socket file if possible,
+ making the tailscale CLI work without --socket=/tmp/tailscale.sock
+ * add support in Kubernetes operator cluster egress for referring to a tailnet service
+ by its MagicDNS name
+
+
+- Update to version 1.54.1:
+ * no relevant updates to the linux version
+
+-------------------------------------------------------------------
+Fri Nov 24 21:59:11 UTC 2023 - Richard Rahl
+
+- tailscale couldn't connect to /dev/net/tun
+
+-------------------------------------------------------------------
+Thu Nov 23 06:51:24 UTC 2023 - rrahl0@proton.me
+
+- Update to version 1.54.0:
+ * improve throughput substantially for UDP packets over TUN device with recent Linux kernels
+
+
+- Update to version 1.52.1:
+ * no linux improvements
+
+- Update to version 1.52.0:
+ * tailscale set command flag --auto-update is added to opt in to automatic client updates
+ * tailscale serve and tailscale funnel commands are updated for improved usability
+ * tailscale update command for manual updates is now in beta
+ * Taildrop file transfer displays a progress meter
+ * nftables auto-detection is improved when TS_DEBUG_FIREWALL_MODE=auto is used
+ * DNS detection of NetworkManager with configured but absent systemd-resolved
+ * Taildrop now resumes file transfers after partial transfers are interrupted
+ * tailscale up command displays a message about client updates when newer versions are available
+ * tailscale status command displays a message about client updates when newer versions are available
+ * tailscale cert command renews in the background. The current certificate only displays if it has expired.
+
+-------------------------------------------------------------------
+Mon Oct 02 23:51:03 UTC 2023 - rrahl0@proton.me
+
+- Update to version 1.50.1:
+ * fix bug where serve config could get wiped
+ * Funnel support for tsnet apps
+ * fix potential crash with UPnP
+
+-------------------------------------------------------------------
+Sat Sep 30 19:38:50 UTC 2023 - rrahl0@proton.me
+
+- Update to version 1.50.0:
+ * Update tailscale{,d} licenses
+ * Update Quad9 addresses and references
+ * Adds support for Wikimedia DNS using DNS-over-HTTPS
+
+- Update to version 1.48.1:
+ * no relevant updates
+
+- Update to version 1.48.2:
+ * Improvements to Mullvad exit nodes
+
+-------------------------------------------------------------------
+Fri Aug 18 15:56:24 UTC 2023 - Richard Rahl
+
+- Initial revision
diff --git a/tailscale.spec b/tailscale.spec
new file mode 100644
index 0000000..c9aaf3b
--- /dev/null
+++ b/tailscale.spec
@@ -0,0 +1,143 @@
+#
+# spec file for package tailscale
+#
+# Copyright (c) 2025 SUSE LLC and contributors
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name: tailscale
+Version: 1.88.3
+Release: 0
+Summary: The easiest, most secure way to use WireGuard and 2FA
+License: BSD-3-Clause
+URL: https://github.com/tailscale/tailscale
+Source: %{name}-%{version}.tar.gz
+Source1: vendor.tar.gz
+Source2: %{name}d.service
+Source3: %{name}d.defaults
+Patch0: build-verbose.patch
+Patch1: disable-auto-update.patch
+BuildRequires: bash-completion
+BuildRequires: fish
+BuildRequires: git-core
+BuildRequires: go1.25 >= 1.25.1
+BuildRequires: golang-packaging
+BuildRequires: zsh
+Requires: %{default_firewall_backend}
+ExcludeArch: i586
+%{?systemd_requires}
+
+%description
+Tailscale is a modern VPN built on top of Wireguard. It works like an overlay
+network between the computers of your networks using NAT traversal.
+
+%package bash-completion
+Summary: Tailscale bash completion
+Supplements: (%{name} and bash-completion)
+BuildArch: noarch
+
+%description bash-completion
+bash completions for %{name}
+
+%package zsh-completion
+Summary: Tailsacle zsh completion
+Supplements: (%{name} and zsh)
+BuildArch: noarch
+
+%description zsh-completion
+zsh completion for %{name}
+
+%package fish-completion
+Summary: Tailscale fish completion
+Supplements: (%{name} and fish)
+BuildArch: noarch
+
+%description fish-completion
+fish completion for %{name}
+
+%prep
+%autosetup -a1 -p1
+
+%build
+%ifnarch ppc64
+export GOFLAGS="-buildmode=pie"
+%endif
+export VERSION_SHORT=%{version}
+export VERSION_LONG=%{version}
+export VERSION_GIT_HASH='$(git rev-parse v%{version})'
+./build_dist.sh ./cmd/%{name}
+./build_dist.sh ./cmd/%{name}d
+
+#generate completions
+./%{name} completion bash > ./%{name}.bash
+./%{name} completion zsh > ./%{name}.zsh
+./%{name} completion fish > ./%{name}.fish
+
+%check
+./%{name} version
+./%{name}d -version
+
+%install
+mkdir -p %{buildroot}%{_sharedstatedir}/%{name}
+
+install -D -p -m 0755 %{name} %{buildroot}%{_bindir}/%{name}
+install -D -p -m 0755 %{name}d %{buildroot}%{_sbindir}/%{name}d
+
+# service
+install -D -p -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/%{name}d.service
+%if 0%{?suse_version} < 1600
+ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}d
+%endif
+
+# defaults
+install -D -p -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/default/%{name}d
+
+install -D -p -m 0644 ./%{name}.bash %{buildroot}%{_datadir}/bash-completion/completions/%{name}
+install -D -p -m 0644 ./%{name}.zsh %{buildroot}%{_datadir}/zsh/site-functions/_%{name}
+install -D -p -m 0644 ./%{name}.fish %{buildroot}%{_datadir}/fish/vendor_completions.d/%{name}
+
+%pre
+%service_add_pre %{name}d.service
+
+%post
+%service_add_post %{name}d.service
+
+%preun
+%service_del_preun %{name}d.service
+
+%postun
+%service_del_postun %{name}d.service
+
+%files
+%license LICENSE PATENTS
+%doc README.md SECURITY.md
+%config(noreplace) %{_sysconfdir}/default/%{name}d
+%dir %{_sharedstatedir}/%{name}
+%{_bindir}/%{name}
+%{_sbindir}/%{name}d
+%{_unitdir}/%{name}d.service
+%if 0%{?suse_version} < 1600
+%{_sbindir}/rc%{name}d
+%endif
+
+%files bash-completion
+%{_datadir}/bash-completion/completions/%{name}
+
+%files zsh-completion
+%{_datadir}/zsh/site-functions/_%{name}
+
+%files fish-completion
+%{_datadir}/fish/vendor_completions.d/%{name}
+
+%changelog
diff --git a/tailscaled.defaults b/tailscaled.defaults
new file mode 100644
index 0000000..75f1c3e
--- /dev/null
+++ b/tailscaled.defaults
@@ -0,0 +1,8 @@
+# Set the port to listen on for incoming VPN packets.
+# Remote nodes will automatically be informed about the new port number,
+# but you might want to configure this in order to set external firewall
+# settings.
+PORT="41641"
+
+# Extra flags you might want to pass to tailscaled.
+FLAGS=""
diff --git a/tailscaled.service b/tailscaled.service
new file mode 100644
index 0000000..b67b94d
--- /dev/null
+++ b/tailscaled.service
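Review bot: `export VERSION_GIT_HASH='$(git rev-parse v%{version})'` in %build is single-quoted, so what gets exported is the literal text `$(git rev-parse v1.88.3)` and a real commit hash only appears in the binaries if build_dist.sh re-evaluates that variable with git and the tag available at build time; `BuildRequires: git-core` suggests this is deliberate, but nothing in the spec says so. A comment above that line such as `# single quotes on purpose: build_dist.sh evaluates this itself, which needs git-core and the release tag` would stop the next maintainer from "fixing" the quoting, and extending %check to assert that `./%{name} version` does not print a literal `$(` would catch the case where the evaluation silently stops happening. Minor: the zsh subpackage's `Summary: Tailsacle zsh completion` misspells Tailscale.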
@@ -0,0 +1,35 @@
+[Unit]
+Description=Tailscale node agent
+Documentation=https://tailscale.com/kb/
+Wants=network-pre.target
+After=network-pre.target NetworkManager.service systemd-resolved.service
+
+[Service]
+EnvironmentFile=/etc/default/tailscaled
+ExecStartPre=/usr/sbin/tailscaled --cleanup
+ExecStart=/usr/sbin/tailscaled --state=/var/lib/tailscale/tailscaled.state --socket=/run/tailscale/tailscaled.sock --port=${PORT} $FLAGS
+ExecStopPost=/usr/sbin/tailscaled --cleanup
+Restart=on-failure
+RuntimeDirectory=tailscale
+RuntimeDirectoryMode=0755
+StateDirectory=tailscale
+StateDirectoryMode=0700
+CacheDirectory=tailscale
+CacheDirectoryMode=0750
+Type=notify
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+PrivateDevices=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+RestrictRealtime=true
+# give permission to TUN
+BindPaths=/dev/net/tun
+DeviceAllow=/dev/net/tun rw
+
+[Install]
+WantedBy=multi-user.target
diff --git a/vendor.tar.gz b/vendor.tar.gz
new file mode 100644
index 0000000..72b421f
--- /dev/null
+++ b/vendor.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:83fc15b5f875b681b8d6b2331f52c0075003f16b41ddcbe6d39dac8194316630
+size 20710783
--
2.51.1

From 1f04778326175e4686efbde09d341b187c48d5879d96136fad6661e663160c1f Mon Sep 17 00:00:00 2001
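Review bot: The hardening block under `[Service]` stops short of the filesystem: the unit has no `User=`, so tailscaled runs as root, and with no `ProtectSystem=` everything outside the State/Runtime/Cache directories it is already given stays writable to it. `ProtectSystem=strict` together with `ReadWritePaths=` for whatever the daemon legitimately writes elsewhere (presumably `/etc/resolv.conf` when it manages DNS — confirm against the daemon's DNS modes before shipping) would close that gap without touching the TUN handling that `BindPaths`/`DeviceAllow` already cover. Separately, `ProtectHome=true` is inherited by every child the daemon spawns, which for this package includes Tailscale SSH sessions and the Taildrive helpers mentioned in the changelog; if those are expected to reach users' home directories, they need to be tested under this unit, and either way a comment next to `ProtectHome=true` naming that trade-off would help the next person who files a bug against it.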
From: Richard Rahl
Date: Fri, 24 Oct 2025 10:11:41 +0000
Subject: [PATCH 14/25] - Upate to version 1.90.1:

* Clients can use configured DNS resolvers for all domains
* Node keys will be renewed seamlessly
* Unnecessary path discovery packets over DERP servers are suppressed
* Node key sealing is GA (generally available) and enabled by default

OBS-URL: https://build.opensuse.org/package/show/network:vpn/tailscale?expand=0&rev=97
---
.gitattributes | 23 ++
.gitignore | 1 +
_service | 17 ++
_servicedata | 4 +
build-verbose.patch | 13 +
disable-auto-update.patch | 25 ++
fix-CVE-2025-58058.patch | 28 ++
tailscale-1.86.5.tar.gz | 3 +
tailscale-1.88.1.tar.gz | 3 +
tailscale-1.88.3.tar.gz | 3 +
tailscale-1.90.1.tar.gz | 3 +
tailscale.changes | 603 ++++++++++++++++++++++++++++++++++++++
tailscale.spec | 143 +++++++++
tailscaled.defaults | 8 +
tailscaled.service | 35 +++
vendor.tar.gz | 3 +
16 files changed, 915 insertions(+)
create mode 100644 .gitattributes
create mode 100644 .gitignore
create mode 100644 _service
create mode 100644 _servicedata
create mode 100644 build-verbose.patch
create mode 100644 disable-auto-update.patch
create mode 100644 fix-CVE-2025-58058.patch
create mode 100644 tailscale-1.86.5.tar.gz
create mode 100644 tailscale-1.88.1.tar.gz
create mode 100644 tailscale-1.88.3.tar.gz
create mode 100644 tailscale-1.90.1.tar.gz
create mode 100644 tailscale.changes
create mode 100644 tailscale.spec
create mode 100644 tailscaled.defaults
create mode 100644 tailscaled.service
create mode 100644 vendor.tar.gz
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/_service b/_service
new file mode 100644
index 0000000..86b823c
--- /dev/null
+++ b/_service
@@ -0,0 +1,17 @@
+
+
+ https://github.com/tailscale/tailscale.git
+ git
+ yes
+ refs/tags/v1.90.1
+ @PARENT_TAG@
+ v(.*)
+ disable
+
+
+ *.tar
+ gz
+
+
+
+
diff --git a/_servicedata b/_servicedata
new file mode 100644
index 0000000..d4fed67
--- /dev/null
+++ b/_servicedata
@@ -0,0 +1,4 @@
+
+
+ https://github.com/tailscale/tailscale.git
+ aa448d5a9985378af04966c6d7aec8d9f4a166ca
\ No newline at end of file
diff --git a/build-verbose.patch b/build-verbose.patch
new file mode 100644
index 0000000..5da7533
--- /dev/null
+++ b/build-verbose.patch
@@ -0,0 +1,13 @@
+diff --git a/build_dist.sh b/build_dist.sh
+index 0c757c26..9639d596 100755
+--- a/build_dist.sh
++++ b/build_dist.sh
+@@ -9,7 +9,7 @@
+ # this script, or executing equivalent commands in your
+ # distro-specific build system.
+
+-set -eu
++set -eux
+
+ go="go"
+ if [ -n "${TS_USE_TOOLCHAIN:-}" ]; then
diff --git a/disable-auto-update.patch b/disable-auto-update.patch
new file mode 100644
index 0000000..c7d8a30
--- /dev/null
+++ b/disable-auto-update.patch
@@ -0,0 +1,25 @@
+diff -rub tailscale/clientupdate/clientupdate.go tailscale-patched/clientupdate/clientupdate.go
+--- tailscale/clientupdate/clientupdate.go 2024-06-16 15:26:31.323022871 +0200
++++ tailscale-patched/clientupdate/clientupdate.go 2024-06-16 15:57:08.732315446 +0200
+@@ -205,6 +205,8 @@
+ // The distro.Debian switch case above should catch most apt-based
+ // systems, but add this fallback just in case.
+ return up.updateDebLike, true
++ case haveExecutable("zypper"):
++ return up.updateSUSE, false
+ case haveExecutable("dnf"):
+ return up.updateFedoraLike("dnf"), true
+ case haveExecutable("yum"):
+@@ -526,6 +528,12 @@
+ you can use "pacman --sync --refresh --sysupgrade" or "pacman -Syu" to upgrade the system, including Tailscale.`)
+ }
+
++func (up *Updater) updateSUSE() error {
++ // SUSE-based distros should update manually.
++ // The package can come from official Tailscale repos or not and the system can be transactional or not.
++ return errors.New(`Use Zypper or transactional-update (on applicable systems) to update Tailscale on openSUSE or SUSE Linux Enterprise installations.`)
++}
++
+ func (up *Updater) updateNixos() error {
+ // NixOS package updates are managed on a system level and not individually.
+ // Direct users to update their nix channel or nixpkgs flake input to
diff --git a/fix-CVE-2025-58058.patch b/fix-CVE-2025-58058.patch
new file mode 100644
index 0000000..867ec16
--- /dev/null
+++ b/fix-CVE-2025-58058.patch
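Review bot: The new `case haveExecutable("zypper"): return up.updateSUSE, false` returns `false` where every neighbouring case returns `true`, and nothing in the patch says what that second value means; if, as the surrounding cases suggest, it is the "may auto-update" capability, a comment on the case such as `// false: never auto-update here; the package is owned by zypper / transactional-update` would keep the intent intact across the next upstream rebase of this patch. The case is also ordered before `dnf` and `yum`, so a host with zypper installed alongside them takes the SUSE branch — fine for this package's target, but worth one line in the patch header so nobody reorders it. The Go switch these cases sit in starts and ends outside the nested hunk.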
@@ -0,0 +1,28 @@
+diff --git a/go.mod b/go.mod
+index 3d7514158..837fc8c44 100644
+--- a/go.mod
++++ b/go.mod
+@@ -382,7 +382,7 @@ require (
+ github.com/tomarrell/wrapcheck/v2 v2.8.3 // indirect
+ github.com/tommy-muehle/go-mnd/v2 v2.5.1 // indirect
+ github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 // indirect
+- github.com/ulikunitz/xz v0.5.11 // indirect
++ github.com/ulikunitz/xz v0.5.15 // indirect
+ github.com/ultraware/funlen v0.1.0 // indirect
+ github.com/ultraware/whitespace v0.1.0 // indirect
+ github.com/uudashr/gocognit v1.1.2 // indirect
+diff --git a/go.sum b/go.sum
+index 995b93010..715cd6dea 100644
+--- a/go.sum
++++ b/go.sum
+@@ -1010,8 +1010,8 @@ github.com/u-root/u-root v0.14.0 h1:Ka4T10EEML7dQ5XDvO9c3MBN8z4nuSnGjcd1jmU2ivg=
+ github.com/u-root/u-root v0.14.0/go.mod h1:hAyZorapJe4qzbLWlAkmSVCJGbfoU9Pu4jpJ1WMluqE=
+ github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 h1:pyC9PaHYZFgEKFdlp3G8RaCKgVpHZnecvArXvPXcFkM=
+ github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701/go.mod h1:P3a5rG4X7tI17Nn3aOIAYr5HbIMukwXG0urG0WuL8OA=
+-github.com/ulikunitz/xz v0.5.11 h1:kpFauv27b6ynzBNT/Xy+1k+fK4WswhN/6PN5WhFAGw8=
+-github.com/ulikunitz/xz v0.5.11/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
++github.com/ulikunitz/xz v0.5.15 h1:9DNdB5s+SgV3bQ2ApL10xRc35ck0DuIX/isZvIk+ubY=
++github.com/ulikunitz/xz v0.5.15/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
+ github.com/ultraware/funlen v0.1.0 h1:BuqclbkY6pO+cvxoq7OsktIXZpgBSkYTQtmwhAK81vI=
+ github.com/ultraware/funlen v0.1.0/go.mod h1:XJqmOQja6DpxarLj6Jj1U7JuoS8PvL4nEqDaQhy22p4=
+ github.com/ultraware/whitespace v0.1.0 h1:O1HKYoh0kIeqE8sFqZf1o0qbORXUCOQFrlaQyZsczZw=
diff --git a/tailscale-1.86.5.tar.gz b/tailscale-1.86.5.tar.gz
new file mode 100644
index 0000000..c896ccb
--- /dev/null
+++ b/tailscale-1.86.5.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:41d7a8318ae624bd7f8315d4f4d929025f403837b97d505e142064273dde7b6d
+size 73557568
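Review bot: This patch bumps `github.com/ulikunitz/xz` only in go.mod and go.sum, while the package builds from `vendor.tar.gz` (Source1, unpacked by `%autosetup -a1` in the spec), so the fix is only effective if the vendored copy and `vendor/modules.txt` were regenerated for v0.5.15 — with an unchanged vendor directory `go build` stops on inconsistent vendoring rather than picking up the new version, and the LFS pointer on this page does not let that be checked. The file also looks stale in this revision: the spec lists only Patch0 and Patch1 and the 1.88.1 changelog entry says the patch was removed as fixed upstream, yet the diffstat still creates `fix-CVE-2025-58058.patch`; either drop it or state in the patch header why it is kept, so a reader does not assume it is applied.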
diff --git a/tailscale-1.88.1.tar.gz b/tailscale-1.88.1.tar.gz
new file mode 100644
index 0000000..ca210fd
--- /dev/null
+++ b/tailscale-1.88.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8bf6ec31b921f822867977bee5a57bcd79e1ac721fc1498dc99f8b4e028942c4
+size 74267799
diff --git a/tailscale-1.88.3.tar.gz b/tailscale-1.88.3.tar.gz
new file mode 100644
index 0000000..26c7e7d
--- /dev/null
+++ b/tailscale-1.88.3.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cf8b2625ffe57b92ad34af619e0e78202fd9c3d219295c18781d3682411efce1
+size 75520912
diff --git a/tailscale-1.90.1.tar.gz b/tailscale-1.90.1.tar.gz
new file mode 100644
index 0000000..582fae7
--- /dev/null
+++ b/tailscale-1.90.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:509f31d9d1cef5b683198874b7006f9be4bea1b2f024738e4499be550004f55d
+size 76474692
diff --git a/tailscale.changes b/tailscale.changes
new file mode 100644
index 0000000..6b4d141
--- /dev/null
+++ b/tailscale.changes
@@ -0,0 +1,603 @@ +------------------------------------------------------------------- +Fri Oct 24 10:08:31 UTC 2025 - Richard Rahl + +- Upate to version 1.90.1: + * Clients can use configured DNS resolvers for all domains + * Node keys will be renewed seamlessly + * Unnecessary path discovery packets over DERP servers are suppressed + * Node key sealing is GA (generally available) and enabled by default + +------------------------------------------------------------------- +Wed Oct 1 11:55:52 UTC 2025 - Richard Rahl + +- update to version 1.88.3: + * cmd/tailscale/cli: add ts2021 debug flag to set a dial plan + * control/controlhttp: simplify, fix race dialing, remove priority concept +- update to version 1.88.2: + * k8s-operator: reset service status before append +- require the minimum go version directly, in comparison to using the golang(API) + symbol + +------------------------------------------------------------------- +Fri Sep 12 11:11:48 UTC 2025 - Richard Rahl + +- update to version 1.88.1: + * Tailscale CLI prompts users to confirm impactful actions + * Tailscale SSH works as expected when using an IP address instead of a + hostname and MagicDNS is disabled + * fixed: Taildrive sharing when su not present + * Taildrive files remain consistently accessible + * new: Tailscale tray GUI + * DERP IPs changed for Singapore and Tokyo +- remove fix-CVE-2025-58058.patch, fixed upstream + +------------------------------------------------------------------- +Fri Aug 29 12:57:59 UTC 2025 - Richard Rahl + +- add patch fix-CVE-2025-58058.patch, fixing bsc#1248920 + +------------------------------------------------------------------- +Fri Aug 29 11:10:29 UTC 2025 - Richard Rahl + +- update to version 1.86.5: + * cmd/k8s-proxy,k8s-operator: fix serve config for userspace mode +- update to version 1.86.4: + * nothing of relevance +- update to version 1.86.3: + * nothing of relevance + +------------------------------------------------------------------- +Tue Jul 29 
21:20:47 UTC 2025 - Richard Rahl + +- update to version 1.86.2: + * A deadlock issue that may have occurred in the client + * An occasional crash when establishing a new port mapping with a gateway or + firewall + +------------------------------------------------------------------- +Sat Jul 26 16:23:38 UTC 2025 - Richard Rahl + +- update to version 1.86.0: + * tsStateEncrypted device posture attribute for checking whether the + Tailscale client state is encrypted at rest + * Cross-site request forgery (CSRF) issue that may have resulted in a log in + error when accessing the web interface + * Recommended exit node when the previously recommended exit node is offline + * tailscale up --exit-node=auto:any and tailscale set --exit-node=auto:any + CLI commands track the recommended exit node and automatically switches to + it when available exit nodes or network conditions change + * tailscaled CLI command flag --encrypt-state encrypts the node state file on + the disk using trusted platform module (TPM) + +------------------------------------------------------------------- +Thu Jun 26 17:29:44 UTC 2025 - Richard Rahl + +- update to 1.84.3: + * ipn/ipnlocal: Update hostinfo to control on service config change + +------------------------------------------------------------------- +Tue Jun 10 15:36:55 UTC 2025 - Richard Rahl + +- update to 1.84.2: + * Re-enable setting —accept-dns by using TS_EXTRA_ARGS. 
This issue resulted + from stricter CLI arguments parsing introduced in Tailscale v1.84.0 + +------------------------------------------------------------------- +Fri May 30 06:23:15 UTC 2025 - Richard Rahl + +- update to 1.84.1: + * net/dns: cache dns.Config for reuse when compileConfig fails + +------------------------------------------------------------------- +Thu May 22 08:27:09 UTC 2025 - Richard Rahl + +- update to 1.84.0: + * The --reason flag is added to the tailscale down command + * ReconnectAfter policy setting, which configures the maximum period of time + between a user disconnecting Tailscale and the client automatically + reconnecting + * Tailscale CLI commands throw an error if multiple of the same flag are detected + * Network connectivity issues when creating a new profile or switching + profiles while using an exit node + * DNS-over-TCP fallback works correctly with upstream servers reachable only + via the tailnet +- remove fix-CVE-2025-22869.patch, as upstream updated their dependencies + +------------------------------------------------------------------- +Fri Apr 18 07:37:15 UTC 2025 - Richard Rahl + +- update to 1.82.5: + * A panic issue related to CUBIC congestion control in userspace mode is resolved. + +------------------------------------------------------------------- +Thu Mar 27 19:50:58 UTC 2025 - Richard Rahl + +- update to 1.82.0: + * DERP functionality within the client supports certificate pinning for + self-signed IP address certificates for those unable to use Let's Encrypt + or WebPKI certificates. + * Go is updated to version 1.24.1 + * NAT traversal code uses the DERP connection that a packet arrived on as an + ultimate fallback route if no other information is available + * Captive portal detection reliability is improved on some in-flight Wi-Fi networks + * Port mapping success rate is improved + * Helsinki is added as a DERP region. 
+ +------------------------------------------------------------------- +Wed Mar 12 09:07:49 UTC 2025 - Richard Rahl + +- add patch fix-CVE-2025-22869.patch, fixes bsc#1239353 + +------------------------------------------------------------------- +Tue Mar 4 13:42:34 UTC 2025 - Richard Rahl + +- update to 1.80.3: + * appc: fix a deadlock in route advertisements + * client/web: fix CSRF handler order in web UI + +------------------------------------------------------------------- +Thu Feb 13 14:30:28 UTC 2025 - Richard Rahl + +- update to 1.80.2: + * Use ip:country as a geolocation device posture attribute (generally available). + +------------------------------------------------------------------- +Thu Feb 6 19:52:22 UTC 2025 - Richard Rahl + +- update to 1.80.1: + * net/netmon: add extra panic guard around ParseRIB + +------------------------------------------------------------------- +Fri Jan 31 17:20:29 UTC 2025 - Richard Rahl + +- update to 1.80.0: + * Hostname system policy is added for overriding the device hostname + configured by the operating system, using an MDM solution. + * Web interface displays a Login button instead of the Reauthenticate button + when adding a new device to your tailnet. + * Tailscale Funnel configuration on devices displays errors when incoming + connections are not permitted and connections are disallowed. + * Connections to a custom coordination server that does not support HTTPS + will no longer fail when a custom port number is specified. + * TLS certificate requests from Let’s Encrypt include the device's DNS name + in the CSR’s SAN extension and set the Common Name field. + * Tailscale Funnel disabled on a device no longer displays enabled in the + admin console. 
+ * GitHub username change automatically updates tailnet name + * 4via6 subnet routers GA + * Auto approvers GA + * Node attributes GA + * Download invoices GA + * Fast user switching GA + * Configuration log streaming integration with S3 buckets GA + * Network flow log streaming integration with S3 buckets GA + * NextDNS profiles per device GA + * GitHub secret scanning +- remove fix-CVE-2024-45337.patch, as it's now included + +------------------------------------------------------------------- +Wed Dec 18 17:33:23 UTC 2024 - Richard Rahl + +- add patch fix-CVE-2024-45337.patch, to circumevent a possibility + of exploiting the golang-x-crypto security hole. (fix #1234506) + +------------------------------------------------------------------- +Fri Dec 13 05:06:26 UTC 2024 - Richard Rahl + +- update to 1.78.3: + * cmd/containerboot: fix nil pointer exception + * hostinfo: fix testing in container + +------------------------------------------------------------------- +Fri Dec 6 01:22:05 UTC 2024 - Richard Rahl + +- update to 1.78.1: + * health: fix TestHealthMetric + +------------------------------------------------------------------- +Thu Dec 5 22:10:32 UTC 2024 - Richard Rahl + +- update to 1.78.0: + * Client metrics have been added, to provide insights into Tailscale client + behavior, health, and performance. + * tailscale metrics command has been added, to expose and collect client + metrics for use with third-party monitoring systems. + * tailscale syspolicy command has been added, to list system policies, reload + system policies, or view errors related to the system policies configured + on the device. + * Tailscale system policies are applied immediately when pushed via mobile + device management (MDM) or Group Policy, without requiring a client restart. + * Tailscale SSH session recording detects the disappearance of the recorder + node sooner. This fix addresses a security vulnerability described + in TS-2024-013. 
+ * New scopes for OAuth clients have been added with more granular permissions. + Existing OAuth clients using the previous set of scopes, and keys generated + using these clients, are still valid. + +------------------------------------------------------------------- +Fri Nov 8 03:46:50 UTC 2024 - Richard Rahl + +- update to 1.76.6: + * Logging for when clients move home DERP regions is improved. + * Tailscale clients no longer move their home DERP server prematurely in + response to unusual latency at very specific times. + +------------------------------------------------------------------- +Tue Oct 22 18:34:42 UTC 2024 - Richard Rahl + +- update to 1.76.3: + * no relevant changelog +- update to 1.76.2: + * no relevant changelog +- switch over to the new %{default_fw_backend} macro +- create old init file only for < leap 16 + +------------------------------------------------------------------- +Wed Oct 16 20:40:31 UTC 2024 - Richard Rahl + +- update to 1.76.1: + * tailscale netcheck CLI command no longer crashes when performing diagnostics + on networks lacking UDP connectivity. + * Improperly formatted SERVFAIL responses no longer cause DNS timeouts when using an exit node. + * dbus login sessions no longer fail on systems where /bin/login is missing. + +------------------------------------------------------------------- +Mon Oct 14 13:06:13 UTC 2024 - Alexandre Vicenzi + +- Require a firewall backend (boo#1228829) +- Add simple test check to ensure binaries are working + +------------------------------------------------------------------- +Fri Oct 11 06:07:28 UTC 2024 - Richard Rahl + +- update to 1.76.0: + * Clients lacking UDP connectivity no longer skip performing fallback latency + measurements with DERP servers. + * Warnings no longer display unnecessarily. + * Tailscale connectivity on in-flight internet on airplanes (such as Alaska Airlines) no longer fails. 
+ * Service-related processes no longer run unnecessarily when services are disabled on the tailnet. + * Error messages include explanations in addition to the HTTP status code. + * Tailscale SSH supports sending environment variables to hosts. It's also possible to specify + permitted environment variables using the acceptEnv field. + * Tailscale SSH no longer breaks some terminal applications by omitting pixel width and height when + resizing the application window. + +------------------------------------------------------------------- +Sat Sep 21 05:28:42 UTC 2024 - Eric Torres + +- Change path of zsh completion file to make zsh properly recognize completions + * /usr/share/zsh/site-functions/tailscale moved to /usr/share/zsh/site-functions/_tailscale + +------------------------------------------------------------------- +Wed Sep 18 19:10:19 UTC 2024 - Richard Rahl + +- update to 1.74.1: + * wgengine/magicsock: disable raw disco by default; add envknob to enable + +------------------------------------------------------------------- +Fri Sep 13 10:48:17 UTC 2024 - Richard Rahl + +- update to 1.74.0 + * AuthKey system policy can be used to authenticate a device with Tailscale using an MDM solution. + * tailscale dns CLI command is added for accessing Tailscale DNS settings and status. + * Tailnet Lock long rotation signatures are truncated automatically to avoid excessive growth. + * Log In option in the client works as expected. + * TCP generic receive offload (GRO) support is added for improved userspace mode throughput. + * TCP generic segmentation offload (GSO) is re-introduced for supporting improved userspace mode throughput. + This was initially introduced in Tailscale v1.72.0 and then rolled back in v1.72.1. + * Device posture integration with CrowdStrike Falcon can now use MAC addresses to match devices that lack serial numbers. + When Falcon integration is configured, Device Identity Collection will automatically collect MAC addresses. 
+ +------------------------------------------------------------------- +Thu Aug 22 22:08:51 UTC 2024 - Richard Rahl + +- update to 1.72.1: + * DNS over TCP failures when querying the Tailscale-internal resolver are fixed. + +------------------------------------------------------------------- +Wed Aug 21 16:05:02 UTC 2024 - rrahl0@opensuse.org + +- Update to version 1.72.0: + * posture: deduplicate MAC addresses before returning them + * health/dns: reduce severity of DNS unavailable warning + * safeweb: add Server.Close method + * go.mod.sri: update SRI hash for go.mod changes + * go.{mod,sum}: migrate from nhooyr.io/websocket to github.com/coder/websocket + * cmd/viewer: add support for map-like container types +- update golang(API) to 1.23 +- export version variables, to circumvent a bug + +------------------------------------------------------------------- +Thu Jul 18 06:31:58 UTC 2024 - Richard Rahl + +- update to 1.70.0: + * New: Restrict recommended and automatically selected exit nodes using the + new AllowedSuggestedExitNodes system policy. Applies only to platforms that + support system policies. + * Changed: Improved NAT traversal for some uncommon scenarios. + * Changed: Optimized sending firewall rules to clients more efficiently. + * Fixed: Exit node suggestion CLI command now prints the hostname. + * Fixed: Taildrive share paths configured through the CLI resolve relative + to where you run the tailscale command. + +------------------------------------------------------------------- +Tue Jul 2 20:35:35 UTC 2024 - Richard Rahl + +- update to 1.68.2: + * Fixed: Tailnet lock validation of rotation signatures now permits multiple nodes + signed by the same pre-signed reusable auth key. + +------------------------------------------------------------------- +Sun Jun 16 13:30:20 UTC 2024 - Richard Rahl + +- update to 1.68.1: + * Fixed: 4via6 subnet router advertisement works as expected. 
+ * Fixed: Tailscale SSH access to Security-Enhanced Linux (SELinux) machines works as expected. +- update to 1.68.0: + * New: Auto-updates are allowed in containers, but ignore the tailnet-wide default + * New: Apply auto-updates even if the node is down or disconnected from the coordination server. + * New: tailscale lock status now prints the node's signature. + +------------------------------------------------------------------- +Wed May 22 08:36:37 UTC 2024 - Richard Rahl + +- update to 1.66.4: + * Fixed: Restored UDP connectivity through Mullvad exit nodes + * Stateful filtering is now off by default + +- update to 1.66.3: + * Login URLs did not always appear in the console when running tailscale up + * Starting with v1.66, the Kubernetes operator must always run the same or later version + as the proxies it manages. + * Expose cloud services on cluster network to the tailnet, using Kubernetes ExternalName Services + * Expose tailnet services that use Tailscale HTTPS to cluster workloads + * Cluster workloads can now refer to Tailscale Ingress resources by their MagicDNS names + * Configure environment variables for Tailscale Kubernetes operator proxies using ProxyClass CRD + * Expose tailscaled metrics endpoint for Tailscale Kubernetes operator proxies through ProxyClass CRD + * Configure labels for the Kubernetes operator Pods with Helm chart values + * Configure affinity rules for Kubernetes operator proxy Pods with ProxyClass + * Kubernetes operator proxy init container no longer attempts to enable IPv6 forwarding on systems + that don't have IPv6 module loaded + * Tailscale containers running on Kubernetes no longer error if an empty Kubernetes Secret is + pre-created for the tailscaled state + * Improved the ambiguous error messages when Tailscale running on Kubernetes does not have the right + permissions to perform actions against the tailscaled state Secret + +------------------------------------------------------------------- +Fri May 10 15:16:33 
UTC 2024 - Richard Rahl + +- update to 1.66.1: + * Resolved issues with nftables rules for stateful filtering, + introduced in v1.66.0. + * tailscale set command flags --netfilter-mode, --snat-subnet-routes, + and --stateful-filtering are added. + +- update to 1.66.0: + * Implemented client-side quarantining for shared-in exit nodes, + as a mitigation for a security vulnerability described in TS-2024-005. + * Use the --stateful-filtering flag for the tailscale up to enable stateful filtering for + subnet routers and exit nodes, as a mitigation for a security vulnerability described + in TS-2024-005. + * Added tab completions + * Use the tailscale exit-node suggest command to automatically pick an available exit node + that is likely to perform best. + * Site-to-site networking now also requires --stateful-filtering=false in addition to + --snat-subnet-routes=false on new subnet routers. Existing subnet routers with --snat-subnet-routes=false + will default to --stateful-filtering=false. + +- update to 1.64.2: + * nothing relevant for linux + +- update to 1.64.1: + * nothing relevant for linux + +- update to 1.64.0: + * New: tailscale configure kubeconfig now respects KUBECONFIG environment variable. + * Fixed: tailscale configure kubeconfig now works with partially empty kubeconfig. + * Fixed: MSS clamping for Kubernetes operator proxies using nftables. + * Fixed: Containers on hosts with partial support for ip6tables no longer crash. 
+ +- turn of changelog generation +- add completions for bash + +------------------------------------------------------------------- +Sat Mar 30 08:28:56 UTC 2024 - Richard Rahl + +- update to 1.62.1: + * Send load balancing hint HTTP request header + * Fixed: Kubernetes operator proxies should not accept subnet routes + +------------------------------------------------------------------- +Thu Mar 14 03:13:54 UTC 2024 - rrahl0@proton.me + +- update to 1.62.0: + * IPv6 support detection in a container environment is improved + * New: Web interface now uses ACL grants to manage access on tagged devices + * Tailscale SSH connections now disable unnecessary hostname canonicalization + * tailscale bugreport command for generating diagnostic logs now contain ethtool information + * Mullvad's family-friendly server is added to the list of well known DNS over HTTPS (DoH) servers + * DNS over HTTP requests now contain a timeout + * TCP forwarding attempts in userspace mode now have a per-client limit + * Endpoints with link-local IPv6 addresses is preferred over private addresses + * WireGuard logs are less verbose + * Go min. 
version 1.22.1 + * DERP server region no longer changes if connectivity to the new DERP region is degraded + +- update to 1.60.1: + * Exposing port 8080 to other devices on your tailnet works as expected + +------------------------------------------------------------------- +Tue Feb 20 22:10:41 UTC 2024 - Alexandre Vicenzi + +- Add disable-auto-update.patch to prevent auto updates and instead + ask users to use Zypper to update manually + +------------------------------------------------------------------- +Tue Feb 20 14:52:46 UTC 2024 - Richard Rahl + +- change to the non deprecated manualrun + +------------------------------------------------------------------- +Fri Feb 16 14:38:14 UTC 2024 - alexandre.vicenzi@suse.com + +- Spec cleanup + * Use tar_scm to avoid commit hashes in the spec + * Use tailscale build scripts + * Drop ProtectClock fix for Leap, DeviceAllow fixes it +- Add build-verbose.patch to get go flags into build log +- Enable PrivateDevices but allow access to /dev/net/tun in tailscaled.service + +------------------------------------------------------------------- +Fri Feb 16 00:50:26 UTC 2024 - Richard Rahl + +- update to 1.60.0: + * minimum go version 1.22 + * authentication: present users with a valid login page when + attempting to login even after leaving device unattended for several days + * networking: mute noisy peer mtu discovery errors + * networking: expose gVisor metrics in debug mode + * port mapper: support legacy "urn:dslforum-org" port mapping services + * port mapper: fix crash when no support mapping services found + * ssh: log warning when unable to find SSH host keys + * serve: improve error message when running as non-root + * Detect when Tailscale is running on Digital Ocean and automatically + use Digital Ocean's DNS resolvers + * enable app connectors to install routes for domains that resolve to CNAME + records + * support pre-configured routes from control server + * add new read-only mode + * tailscale status command: 
fix output formatting Tailnet + includes location-based exit nodes + * a new ProxyClass custom resource that allows to provide custom + configuration for cluster resources that the operator creates + * ACL tags for the operator can now be configured via Helm chart values + * routing to Ingress backends that require an exact path without a slash + +------------------------------------------------------------------- +Wed Feb 7 14:52:53 UTC 2024 - Richard Rahl + +- make rpm not overwrite /etc/default/taiscaled +- defattr everything to root + +------------------------------------------------------------------- +Sat Feb 3 11:18:05 UTC 2024 - Richard Rahl + +- no stripping of binaries +- add commitID to binaries for upstream +- add directory for saved configs + +------------------------------------------------------------------- +Tue Jan 23 23:54:36 UTC 2024 - Richard Rahl + +- switch services to manual +- update to version 1.58.2: + * Fixed: [App connectors][app-connectors] have improved scheduling + and merging of route changes under some conditions + * Fixed: Crash when performing UPnP portmapping on older routers + with no supported portmapping services + +------------------------------------------------------------------- +Fri Jan 19 08:06:27 UTC 2024 - Richard Rahl + +- update to version 1.58.0: + * portmap: check the epoch from NAT-PMP & PCP, establish new portmapping if it changes + * portmap: better handle multiple interfaces + * portmap: handle multiple UPnP discovery responses + * increase the number of 4via6 site IDs from 256 to 65,536 + * taildrop: allow category Z unicode characters + * increased binary size with 1.56 is resolved in 1.58 + * Reduce home DERP flapping when there's still an active connection + * device web ui: fixed issue when accessing shared devices + * device web ui: fixed login issue when accessed over https + +------------------------------------------------------------------- +Wed Jan 10 02:17:57 UTC 2024 - Richard Rahl + +- fix an 
issue with Leap, where ProtectClock prevents to connect to + /dev/net/tun + +------------------------------------------------------------------- +Fri Dec 15 21:22:39 UTC 2023 - Richard Rahl + +- update to version 1.56.1: + * Fixed: Web interface redirects to the correct self IP known by source peer + * Fixed: Usage of slices.Compact from app connector domains list + +------------------------------------------------------------------- +Fri Dec 15 13:48:28 UTC 2023 - Richard Rahl + +- fix version output to what upstream expects + +------------------------------------------------------------------- +Wed Dec 13 22:08:30 UTC 2023 - rrahl0@proton.me + +- Update to version 1.56.0: + * improve responsiveness under load, especially with bidirectional traffic + * improve UPnP portmapping + * add tailscale whois subcommand to observe metadata associated with a Tailscale IP + * include tailnet name and profile ID in tailscale switch --list to disambiguate + profiles with common login names + * improve tailscale web interface for configuring some device settings such as exit nodes, + subnet routers, and Tailscale SSH + * improve containerboot to symlink its socket file if possible, + making the tailscale CLI work without --socket=/tmp/tailscale.sock + * add support in Kubernetes operator cluster egress for referring to a tailnet service + by its MagicDNS name + + +- Update to version 1.54.1: + * no relevant updates to the linux version + +------------------------------------------------------------------- +Fri Nov 24 21:59:11 UTC 2023 - Richard Rahl + +- tailscale couldn't connect to /dev/net/tun + +------------------------------------------------------------------- +Thu Nov 23 06:51:24 UTC 2023 - rrahl0@proton.me + +- Update to version 1.54.0: + * improve throughput substantially for UDP packets over TUN device with recent Linux kernels + + +- Update to version 1.52.1: + * no linux improvements + +- Update to version 1.52.0: + * tailscale set command flag --auto-update is 
added to opt in to automatic client updates + * tailscale serve and tailscale funnel commands are updated for improved usability + * tailscale update command for manual updates is now in beta + * Taildrop file transfer displays a progress meter + * nftables auto-detection is improved when TS_DEBUG_FIREWALL_MODE=auto is used + * DNS detection of NetworkManager with configured but absent systemd-resolved + * Taildrop now resumes file transfers after partial transfers are interrupted + * tailscale up command displays a message about client updates when newer versions are available + * tailscale status command displays a message about client updates when newer versions are available + * tailscale cert command renews in the background. The current certificate only displays if it has expired. + +------------------------------------------------------------------- +Mon Oct 02 23:51:03 UTC 2023 - rrahl0@proton.me + +- Update to version 1.50.1: + * fix bug where serve config could get wiped + * Funnel support for tsnet apps + * fix potential crash with UPnP + +------------------------------------------------------------------- +Sat Sep 30 19:38:50 UTC 2023 - rrahl0@proton.me + +- Update to version 1.50.0: + * Update tailscale{,d} licenses + * Update Quad9 addresses and references + * Adds support for Wikimedia DNS using DNS-over-HTTPS + +- Update to version 1.48.1: + * no relevant updates + +- Update to version 1.48.2: + * Improvements to Mullvad exit nodes + +------------------------------------------------------------------- +Fri Aug 18 15:56:24 UTC 2023 - Richard Rahl + +- Initial revision diff --git a/tailscale.spec b/tailscale.spec new file mode 100644 index 0000000..0eb37fd --- /dev/null +++ b/tailscale.spec 
@@ -0,0 +1,143 @@
+#
+# spec file for package tailscale
+#
+# Copyright (c) 2025 SUSE LLC and contributors
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name: tailscale
+Version: 1.90.1
+Release: 0
+Summary: The easiest, most secure way to use WireGuard and 2FA
+License: BSD-3-Clause
+URL: https://github.com/tailscale/tailscale
+Source: %{name}-%{version}.tar.gz
+Source1: vendor.tar.gz
+Source2: %{name}d.service
+Source3: %{name}d.defaults
+Patch0: build-verbose.patch
+Patch1: disable-auto-update.patch
+BuildRequires: bash-completion
+BuildRequires: fish
+BuildRequires: git-core
+BuildRequires: go1.25 >= 1.25.3
+BuildRequires: golang-packaging
+BuildRequires: zsh
+Requires: %{default_firewall_backend}
+ExcludeArch: i586
+%{?systemd_requires}
+
+%description
+Tailscale is a modern VPN built on top of Wireguard. It works like an overlay
+network between the computers of your networks using NAT traversal.
+
+%package bash-completion
+Summary: Tailscale bash completion
+Supplements: (%{name} and bash-completion)
+BuildArch: noarch
+
+%description bash-completion
+bash completions for %{name}
+
+%package zsh-completion
+Summary: Tailsacle zsh completion
+Supplements: (%{name} and zsh)
+BuildArch: noarch
+
+%description zsh-completion
+zsh completion for %{name}
+
+%package fish-completion
+Summary: Tailscale fish completion
+Supplements: (%{name} and fish)
+BuildArch: noarch
+
+%description fish-completion
+fish completion for %{name}
+
+%prep
+%autosetup -a1 -p1
+
+%build
+%ifnarch ppc64
+export GOFLAGS="-buildmode=pie"
+%endif
+export VERSION_SHORT=%{version}
+export VERSION_LONG=%{version}
+export VERSION_GIT_HASH='$(git rev-parse v%{version})'
+./build_dist.sh ./cmd/%{name}
+./build_dist.sh ./cmd/%{name}d
+
+#generate completions
+./%{name} completion bash > ./%{name}.bash
+./%{name} completion zsh > ./%{name}.zsh
+./%{name} completion fish > ./%{name}.fish
+
+%check
+./%{name} version
+./%{name}d -version
+
+%install
+mkdir -p %{buildroot}%{_sharedstatedir}/%{name}
+
+install -D -p -m 0755 %{name} %{buildroot}%{_bindir}/%{name}
+install -D -p -m 0755 %{name}d %{buildroot}%{_sbindir}/%{name}d
+
+# service
+install -D -p -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/%{name}d.service
+%if 0%{?suse_version} < 1600
+ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}d
+%endif
+
+# defaults
+install -D -p -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/default/%{name}d
+
+install -D -p -m 0644 ./%{name}.bash %{buildroot}%{_datadir}/bash-completion/completions/%{name}
+install -D -p -m 0644 ./%{name}.zsh %{buildroot}%{_datadir}/zsh/site-functions/_%{name}
+install -D -p -m 0644 ./%{name}.fish %{buildroot}%{_datadir}/fish/vendor_completions.d/%{name}
+
+%pre
+%service_add_pre %{name}d.service
+
+%post
+%service_add_post %{name}d.service
+
+%preun
+%service_del_preun %{name}d.service
+
+%postun
+%service_del_postun %{name}d.service
+
+%files
+%license LICENSE PATENTS
+%doc README.md SECURITY.md
+%config(noreplace) %{_sysconfdir}/default/%{name}d
+%dir %{_sharedstatedir}/%{name}
+%{_bindir}/%{name}
+%{_sbindir}/%{name}d
+%{_unitdir}/%{name}d.service
+%if 0%{?suse_version} < 1600
+%{_sbindir}/rc%{name}d
+%endif
+
+%files bash-completion
+%{_datadir}/bash-completion/completions/%{name}
+
+%files zsh-completion
+%{_datadir}/zsh/site-functions/_%{name}
+
+%files fish-completion
+%{_datadir}/fish/vendor_completions.d/%{name}
+
+%changelog
diff --git a/tailscaled.defaults b/tailscaled.defaults
new file mode 100644
index 0000000..75f1c3e
--- /dev/null
+++ b/tailscaled.defaults
@@ -0,0 +1,8 @@
+# Set the port to listen on for incoming VPN packets.
+# Remote nodes will automatically be informed about the new port number,
+# but you might want to configure this in order to set external firewall
+# settings.
+PORT="41641"
+
+# Extra flags you might want to pass to tailscaled.
+FLAGS=""
diff --git a/tailscaled.service b/tailscaled.service
new file mode 100644
index 0000000..b67b94d
--- /dev/null
+++ b/tailscaled.service
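Review bot: The state directory is packaged with default permissions — `mkdir -p %{buildroot}%{_sharedstatedir}/%{name}` in %install and `%dir %{_sharedstatedir}/%{name}` in %files carry no mode — even though it is where the unit points `--state=/var/lib/tailscale/tailscaled.state`, the file the changelog itself treats as sensitive enough to TPM-encrypt (`--encrypt-state`), and the unit only requests `StateDirectoryMode=0700` once the service starts. I would make the packaged mode match the unit rather than rely on systemd tightening it at first start (the daemon may also be run by hand): `%dir %attr(0700,root,root) %{_sharedstatedir}/%{name}`. Unrelated nit: `Summary: Tailsacle zsh completion` is misspelled.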
@@ -0,0 +1,35 @@ +[Unit] +Description=Tailscale node agent +Documentation=https://tailscale.com/kb/ +Wants=network-pre.target +After=network-pre.target NetworkManager.service systemd-resolved.service + +[Service] +EnvironmentFile=/etc/default/tailscaled +ExecStartPre=/usr/sbin/tailscaled --cleanup +ExecStart=/usr/sbin/tailscaled --state=/var/lib/tailscale/tailscaled.state --socket=/run/tailscale/tailscaled.sock --port=${PORT} $FLAGS +ExecStopPost=/usr/sbin/tailscaled --cleanup +Restart=on-failure +RuntimeDirectory=tailscale +RuntimeDirectoryMode=0755 +StateDirectory=tailscale +StateDirectoryMode=0700 +CacheDirectory=tailscale +CacheDirectoryMode=0750 +Type=notify +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +PrivateDevices=true +ProtectClock=true +ProtectControlGroups=true +ProtectHome=true +ProtectHostname=true +ProtectKernelLogs=true +ProtectKernelModules=true +ProtectKernelTunables=true +RestrictRealtime=true +# give permission to TUN +BindPaths=/dev/net/tun +DeviceAllow=/dev/net/tun rw + +[Install] +WantedBy=multi-user.target diff --git a/vendor.tar.gz b/vendor.tar.gz new file mode 100644 index 0000000..970eeec --- /dev/null +++ b/vendor.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1adc70f0e5f9ca64a9e80bf33b2ffd501dae22b1f21356b91d940b5cdd6dc4d4 +size 20773511 -- 2.51.1 From ce56400c01a64d02c6b64fd6f69b530b4769663ab6d479bb9145a0ed3027b419 Mon Sep 17 00:00:00 2001 
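Review bot: The hardening block under the openSUSE Security_Features comment has no `ProtectSystem=` line, so tailscaled keeps a writable view of /usr and /etc even though all of its own state is already routed through StateDirectory, RuntimeDirectory and CacheDirectory. `ProtectSystem=strict` is the natural next step; it would need a `ReadWritePaths=` entry for anything the daemon legitimately writes outside those directories — presumably /etc/resolv.conf on hosts where tailscaled manages DNS itself rather than through the systemd-resolved or NetworkManager units named in After=, which should be confirmed before enabling it. If that is not wanted, `ProtectSystem=full` at least makes /usr and /boot read-only without touching /etc. A comment above `StateDirectoryMode=0700` such as `# tailscaled.state holds the node's key material (see --encrypt-state in the 1.86.0 changelog entry)` would record why this directory is tighter than the 0755 runtime directory.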
From: Richard Rahl Date: Fri, 24 Oct 2025 18:25:48 +0000 Subject: [PATCH 15/25] - Update to version 1.90.2: * util/linuxfw: fix 32-bit arm regression with iptables * health: compare warnable codes to avoid errors on release branch * feature/tpm: check TPM family data for compatibility OBS-URL: https://build.opensuse.org/package/show/network:vpn/tailscale?expand=0&rev=98 --- _service | 2 +- tailscale-1.90.1.tar.gz | 3 --- tailscale-1.90.2.tar.gz | 3 +++ tailscale.changes | 8 ++++++++ tailscale.spec | 2 +- vendor.tar.gz | 4 ++-- 6 files changed, 15 insertions(+), 7 deletions(-) delete mode 100644 tailscale-1.90.1.tar.gz create mode 100644 tailscale-1.90.2.tar.gz
diff --git a/_service b/_service
index 86b823c..3e387d2 100644
--- a/_service
+++ b/_service
@@ -3,7 +3,7 @@
 https://github.com/tailscale/tailscale.git
 git
 yes
- refs/tags/v1.90.1
+ refs/tags/v1.90.2
 @PARENT_TAG@
 v(.*)
 disable
diff --git a/tailscale-1.90.1.tar.gz b/tailscale-1.90.1.tar.gz
deleted file mode 100644
index 582fae7..0000000
--- a/tailscale-1.90.1.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:509f31d9d1cef5b683198874b7006f9be4bea1b2f024738e4499be550004f55d
-size 76474692
diff --git a/tailscale-1.90.2.tar.gz b/tailscale-1.90.2.tar.gz
new file mode 100644
index 0000000..553ddcf
--- /dev/null
+++ b/tailscale-1.90.2.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:eb89e930b62365aeda0fd8fd1af5ab640fd47340c60286ee4102bf2738c26267
+size 75912665
diff --git a/tailscale.changes b/tailscale.changes
index 6b4d141..b0d4a08 100644
--- a/tailscale.changes
+++ b/tailscale.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Fri Oct 24 18:11:11 UTC 2025 - Richard Rahl
+
+- Update to version 1.90.2:
+ * util/linuxfw: fix 32-bit arm regression with iptables
+ * health: compare warnable codes to avoid errors on release branch
+ * feature/tpm: check TPM family data for compatibility
+
 -------------------------------------------------------------------
 Fri Oct 24 10:08:31 UTC 2025 - Richard Rahl
diff --git a/tailscale.spec b/tailscale.spec
index 0eb37fd..2dd41b2 100644
--- a/tailscale.spec
+++ b/tailscale.spec
@@ -17,7 +17,7 @@ Name: tailscale
-Version: 1.90.1
+Version: 1.90.2
 Release: 0
 Summary: The easiest, most secure way to use WireGuard and 2FA
 License: BSD-3-Clause
diff --git a/vendor.tar.gz b/vendor.tar.gz
index 970eeec..7c8a7d2 100644
--- a/vendor.tar.gz
+++ b/vendor.tar.gz
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:1adc70f0e5f9ca64a9e80bf33b2ffd501dae22b1f21356b91d940b5cdd6dc4d4
-size 20773511
+oid sha256:f15dd86938ed3032707bf5e0d222f832c79744c6fc93b2d457835de0dfcb923e
+size 20773499
-- 2.51.1 From 9909462d9e3a0d21ce637ba3599f45f0d1da6e1850240b5403bdd2e2a689cfd8 Mon Sep 17 00:00:00 2001
From: Richard Rahl Date: Tue, 28 Oct 2025 11:23:52 +0000 Subject: [PATCH 16/25] - Update to version 1.90.3: * tailscaled shuts down as expected and without panic * tailscaled starts up as expected in a no router configuration environment OBS-URL: https://build.opensuse.org/package/show/network:vpn/tailscale?expand=0&rev=100 --- .gitattributes | 23 ++ .gitignore | 1 + _service | 17 ++ _servicedata | 4 + build-verbose.patch | 13 + disable-auto-update.patch | 25 ++ fix-CVE-2025-58058.patch | 28 ++ tailscale-1.86.5.tar.gz | 3 + tailscale-1.88.1.tar.gz | 3 + tailscale-1.88.3.tar.gz | 3 + tailscale-1.90.2.tar.gz | 3 + tailscale-1.90.3.tar.gz | 3 + tailscale.changes | 618 ++++++++++++++++++++++++++++++++++++++ tailscale.spec | 143 +++++++++ tailscaled.defaults | 8 + tailscaled.service | 35 +++ vendor.tar.gz | 3 + 17 files changed, 933 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 _service create mode 100644 _servicedata create mode 100644 build-verbose.patch create mode 100644 disable-auto-update.patch create mode 100644 fix-CVE-2025-58058.patch create mode 100644 tailscale-1.86.5.tar.gz create mode 100644 tailscale-1.88.1.tar.gz create mode 100644 tailscale-1.88.3.tar.gz create mode 100644 tailscale-1.90.2.tar.gz create mode 100644 tailscale-1.90.3.tar.gz create mode 100644 tailscale.changes create mode 100644 tailscale.spec create mode 100644 tailscaled.defaults create mode 100644 tailscaled.service create mode 100644 vendor.tar.gz diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes 
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/_service b/_service
new file mode 100644
index 0000000..01d744f
--- /dev/null
+++ b/_service
@@ -0,0 +1,17 @@
+
+
+ https://github.com/tailscale/tailscale.git
+ git
+ yes
+ refs/tags/v1.90.3
+ @PARENT_TAG@
+ v(.*)
+ disable
+
+
+ *.tar
+ gz
+
+
+
+
diff --git a/_servicedata b/_servicedata
new file mode 100644
index 0000000..d4fed67
--- /dev/null
+++ b/_servicedata
@@ -0,0 +1,4 @@
+
+
+ https://github.com/tailscale/tailscale.git
+ aa448d5a9985378af04966c6d7aec8d9f4a166ca
\ No newline at end of file
diff --git a/build-verbose.patch b/build-verbose.patch
new file mode 100644
index 0000000..5da7533
--- /dev/null
+++ b/build-verbose.patch
@@ -0,0 +1,13 @@
+diff --git a/build_dist.sh b/build_dist.sh
+index 0c757c26..9639d596 100755
+--- a/build_dist.sh
++++ b/build_dist.sh
+@@ -9,7 +9,7 @@
+ # this script, or executing equivalent commands in your
+ # distro-specific build system.
+ 
+-set -eu
++set -eux
+ 
+ go="go"
+ if [ -n "${TS_USE_TOOLCHAIN:-}" ]; then
diff --git a/disable-auto-update.patch b/disable-auto-update.patch
new file mode 100644
index 0000000..c7d8a30
--- /dev/null
+++ b/disable-auto-update.patch
@@ -0,0 +1,25 @@
+diff -rub tailscale/clientupdate/clientupdate.go tailscale-patched/clientupdate/clientupdate.go
+--- tailscale/clientupdate/clientupdate.go 2024-06-16 15:26:31.323022871 +0200
++++ tailscale-patched/clientupdate/clientupdate.go 2024-06-16 15:57:08.732315446 +0200
+@@ -205,6 +205,8 @@
+ // The distro.Debian switch case above should catch most apt-based
+ // systems, but add this fallback just in case.
+ return up.updateDebLike, true
++ case haveExecutable("zypper"):
++ return up.updateSUSE, false
+ case haveExecutable("dnf"):
+ return up.updateFedoraLike("dnf"), true
+ case haveExecutable("yum"):
+@@ -526,6 +528,12 @@
+ you can use "pacman --sync --refresh --sysupgrade" or "pacman -Syu" to upgrade the system, including Tailscale.`)
+ }
+ 
++func (up *Updater) updateSUSE() error {
++ // SUSE-based distros should update manually.
++ // The package can come from official Tailscale repos or not and the system can be transactional or not.
++ return errors.New(`Use Zypper or transactional-update (on applicable systems) to update Tailscale on openSUSE or SUSE Linux Enterprise installations.`)
++}
++ 
+ func (up *Updater) updateNixos() error {
+ // NixOS package updates are managed on a system level and not individually.
+ // Direct users to update their nix channel or nixpkgs flake input to
diff --git a/fix-CVE-2025-58058.patch b/fix-CVE-2025-58058.patch
new file mode 100644
index 0000000..867ec16
--- /dev/null
+++ b/fix-CVE-2025-58058.patch
@@ -0,0 +1,28 @@
+diff --git a/go.mod b/go.mod
+index 3d7514158..837fc8c44 100644
+--- a/go.mod
++++ b/go.mod
+@@ -382,7 +382,7 @@ require (
+ github.com/tomarrell/wrapcheck/v2 v2.8.3 // indirect
+ github.com/tommy-muehle/go-mnd/v2 v2.5.1 // indirect
+ github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 // indirect
+- github.com/ulikunitz/xz v0.5.11 // indirect
++ github.com/ulikunitz/xz v0.5.15 // indirect
+ github.com/ultraware/funlen v0.1.0 // indirect
+ github.com/ultraware/whitespace v0.1.0 // indirect
+ github.com/uudashr/gocognit v1.1.2 // indirect
+diff --git a/go.sum b/go.sum
+index 995b93010..715cd6dea 100644
+--- a/go.sum
++++ b/go.sum
+@@ -1010,8 +1010,8 @@ github.com/u-root/u-root v0.14.0 h1:Ka4T10EEML7dQ5XDvO9c3MBN8z4nuSnGjcd1jmU2ivg=
+ github.com/u-root/u-root v0.14.0/go.mod h1:hAyZorapJe4qzbLWlAkmSVCJGbfoU9Pu4jpJ1WMluqE=
+ github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 h1:pyC9PaHYZFgEKFdlp3G8RaCKgVpHZnecvArXvPXcFkM=
+ github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701/go.mod h1:P3a5rG4X7tI17Nn3aOIAYr5HbIMukwXG0urG0WuL8OA=
+-github.com/ulikunitz/xz v0.5.11 h1:kpFauv27b6ynzBNT/Xy+1k+fK4WswhN/6PN5WhFAGw8=
+-github.com/ulikunitz/xz v0.5.11/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
++github.com/ulikunitz/xz v0.5.15 h1:9DNdB5s+SgV3bQ2ApL10xRc35ck0DuIX/isZvIk+ubY=
++github.com/ulikunitz/xz v0.5.15/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
+ github.com/ultraware/funlen v0.1.0 h1:BuqclbkY6pO+cvxoq7OsktIXZpgBSkYTQtmwhAK81vI=
+ github.com/ultraware/funlen v0.1.0/go.mod h1:XJqmOQja6DpxarLj6Jj1U7JuoS8PvL4nEqDaQhy22p4=
+ github.com/ultraware/whitespace v0.1.0 h1:O1HKYoh0kIeqE8sFqZf1o0qbORXUCOQFrlaQyZsczZw=
diff --git a/tailscale-1.86.5.tar.gz b/tailscale-1.86.5.tar.gz
new file mode 100644
index 0000000..c896ccb
--- /dev/null
+++ b/tailscale-1.86.5.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:41d7a8318ae624bd7f8315d4f4d929025f403837b97d505e142064273dde7b6d
+size 73557568
diff --git a/tailscale-1.88.1.tar.gz b/tailscale-1.88.1.tar.gz
new file mode 100644
index 0000000..ca210fd
--- /dev/null
+++ b/tailscale-1.88.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8bf6ec31b921f822867977bee5a57bcd79e1ac721fc1498dc99f8b4e028942c4
+size 74267799
diff --git a/tailscale-1.88.3.tar.gz b/tailscale-1.88.3.tar.gz
new file mode 100644
index 0000000..26c7e7d
--- /dev/null
+++ b/tailscale-1.88.3.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cf8b2625ffe57b92ad34af619e0e78202fd9c3d219295c18781d3682411efce1
+size 75520912
diff --git a/tailscale-1.90.2.tar.gz b/tailscale-1.90.2.tar.gz
new file mode 100644
index 0000000..553ddcf
--- /dev/null
+++ b/tailscale-1.90.2.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:eb89e930b62365aeda0fd8fd1af5ab640fd47340c60286ee4102bf2738c26267
+size 75912665
diff --git a/tailscale-1.90.3.tar.gz b/tailscale-1.90.3.tar.gz
new file mode 100644
index 0000000..d5bfa94
--- /dev/null
+++ b/tailscale-1.90.3.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:94e98597379c95acc11ec3adee926f868baf0a32986ceea91e7ad90817863a00
+size 75995057
diff --git a/tailscale.changes b/tailscale.changes
new file mode 100644
index 0000000..8f8ffd5
--- /dev/null
+++ b/tailscale.changes
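Review bot: build-verbose.patch carries no header before its first `diff --git` line, and the same is true of disable-auto-update.patch in the next hunk and fix-CVE-2025-58058.patch in the hunk after it, so a reader of the source package has to cross-reference tailscale.changes to learn what each patch is for and whether it is meant to go upstream. The usual openSUSE patch-header convention (From/Date/Subject/References lines, an upstream-status line and a one-paragraph description) is the fix; for this file something like `Subject: build_dist.sh: trace commands so go flags show up in the OBS build log` followed by an upstream-status line would do. The header is also the right place to note that `set -x` echoes every command with its expanded arguments into the build log, which is harmless for the VERSION_* exports this spec sets but would need a second look if the script ever handled credentials.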
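Review bot: The new `case haveExecutable("zypper"):` is inserted after the apt fallback whose condition sits just above the hunk, so on a SUSE host that also carries an apt binary the switch still selects `updateDebLike` before the zypper arm is reached; placing the zypper case ahead of that fallback, or keying it on distro detection the way the comment says the Debian case does, avoids the mis-selection. The new arm also returns `false` as its second value where every neighbouring arm returns `true`; a comment on that line such as `// not auto-updatable: updates are left to zypper/transactional-update` would record the intent, which I am inferring from the message in updateSUSE rather than from a visible definition of that flag. The enclosing switch starts and ends outside the hunk.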
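Review bot: fix-CVE-2025-58058.patch is created again here at version 1.90.3, yet the 1.88.1 entry in the tailscale.changes hunk further down says the patch was removed because the fix landed upstream, and its go.mod hunk cannot apply to a tree that already pins github.com/ulikunitz/xz v0.5.15. Either the file is stale and should be dropped from this commit, or the spec still lists it and `%autosetup -p1` will abort on it; the spec hunk lies outside this view, so please confirm which it is. A go.mod/go.sum-only patch is also not sufficient on its own for this package, because the build consumes vendor.tar.gz (`%autosetup -a1`): Go's vendor mode checks vendor/modules.txt against go.mod and refuses to build on a mismatch, so the vendored xz copy and modules.txt have to change in the same step — presumably that was done when the patch was first introduced, but it is not visible here.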
@@ -0,0 +1,618 @@
+-------------------------------------------------------------------
+Tue Oct 28 11:12:50 UTC 2025 - Richard Rahl
+
+- Update to version 1.90.3:
+ * tailscaled shuts down as expected and without panic
+ * tailscaled starts up as expected in a no router configuration environment
+
+-------------------------------------------------------------------
+Fri Oct 24 18:11:11 UTC 2025 - Richard Rahl
+
+- Update to version 1.90.2:
+ * util/linuxfw: fix 32-bit arm regression with iptables
+ * health: compare warnable codes to avoid errors on release branch
+ * feature/tpm: check TPM family data for compatibility
+
+-------------------------------------------------------------------
+Fri Oct 24 10:08:31 UTC 2025 - Richard Rahl
+
+- Upate to version 1.90.1:
+ * Clients can use configured DNS resolvers for all domains
+ * Node keys will be renewed seamlessly
+ * Unnecessary path discovery packets over DERP servers are suppressed
+ * Node key sealing is GA (generally available) and enabled by default
+
+-------------------------------------------------------------------
+Wed Oct 1 11:55:52 UTC 2025 - Richard Rahl
+
+- update to version 1.88.3:
+ * cmd/tailscale/cli: add ts2021 debug flag to set a dial plan
+ * control/controlhttp: simplify, fix race dialing, remove priority concept
+- update to version 1.88.2:
+ * k8s-operator: reset service status before append
+- require the minimum go version directly, in comparison to using the golang(API)
+ symbol
+
+-------------------------------------------------------------------
+Fri Sep 12 11:11:48 UTC 2025 - Richard Rahl
+
+- update to version 1.88.1:
+ * Tailscale CLI prompts users to confirm impactful actions
+ * Tailscale SSH works as expected when using an IP address instead of a
+ hostname and MagicDNS is disabled
+ * fixed: Taildrive sharing when su not present
+ * Taildrive files remain consistently accessible
+ * new: Tailscale tray GUI
+ * DERP IPs changed for Singapore and Tokyo
+- remove 
fix-CVE-2025-58058.patch, fixed upstream
+
+-------------------------------------------------------------------
+Fri Aug 29 12:57:59 UTC 2025 - Richard Rahl
+
+- add patch fix-CVE-2025-58058.patch, fixing bsc#1248920
+
+-------------------------------------------------------------------
+Fri Aug 29 11:10:29 UTC 2025 - Richard Rahl
+
+- update to version 1.86.5:
+ * cmd/k8s-proxy,k8s-operator: fix serve config for userspace mode
+- update to version 1.86.4:
+ * nothing of relevance
+- update to version 1.86.3:
+ * nothing of relevance
+
+-------------------------------------------------------------------
+Tue Jul 29 21:20:47 UTC 2025 - Richard Rahl
+
+- update to version 1.86.2:
+ * A deadlock issue that may have occurred in the client
+ * An occasional crash when establishing a new port mapping with a gateway or
+ firewall
+
+-------------------------------------------------------------------
+Sat Jul 26 16:23:38 UTC 2025 - Richard Rahl
+
+- update to version 1.86.0:
+ * tsStateEncrypted device posture attribute for checking whether the
+ Tailscale client state is encrypted at rest
+ * Cross-site request forgery (CSRF) issue that may have resulted in a log in
+ error when accessing the web interface
+ * Recommended exit node when the previously recommended exit node is offline
+ * tailscale up --exit-node=auto:any and tailscale set --exit-node=auto:any
+ CLI commands track the recommended exit node and automatically switches to
+ it when available exit nodes or network conditions change
+ * tailscaled CLI command flag --encrypt-state encrypts the node state file on
+ the disk using trusted platform module (TPM)
+
+-------------------------------------------------------------------
+Thu Jun 26 17:29:44 UTC 2025 - Richard Rahl
+
+- update to 1.84.3:
+ * ipn/ipnlocal: Update hostinfo to control on service config change
+
+-------------------------------------------------------------------
+Tue Jun 10 15:36:55 UTC 2025 - Richard Rahl
+
+- update to 1.84.2:
+ * 
Re-enable setting —accept-dns by using TS_EXTRA_ARGS. This issue resulted
+ from stricter CLI arguments parsing introduced in Tailscale v1.84.0
+
+-------------------------------------------------------------------
+Fri May 30 06:23:15 UTC 2025 - Richard Rahl
+
+- update to 1.84.1:
+ * net/dns: cache dns.Config for reuse when compileConfig fails
+
+-------------------------------------------------------------------
+Thu May 22 08:27:09 UTC 2025 - Richard Rahl
+
+- update to 1.84.0:
+ * The --reason flag is added to the tailscale down command
+ * ReconnectAfter policy setting, which configures the maximum period of time
+ between a user disconnecting Tailscale and the client automatically
+ reconnecting
+ * Tailscale CLI commands throw an error if multiple of the same flag are detected
+ * Network connectivity issues when creating a new profile or switching
+ profiles while using an exit node
+ * DNS-over-TCP fallback works correctly with upstream servers reachable only
+ via the tailnet
+- remove fix-CVE-2025-22869.patch, as upstream updated their dependencies
+
+-------------------------------------------------------------------
+Fri Apr 18 07:37:15 UTC 2025 - Richard Rahl
+
+- update to 1.82.5:
+ * A panic issue related to CUBIC congestion control in userspace mode is resolved.
+
+-------------------------------------------------------------------
+Thu Mar 27 19:50:58 UTC 2025 - Richard Rahl
+
+- update to 1.82.0:
+ * DERP functionality within the client supports certificate pinning for
+ self-signed IP address certificates for those unable to use Let's Encrypt
+ or WebPKI certificates.
+ * Go is updated to version 1.24.1
+ * NAT traversal code uses the DERP connection that a packet arrived on as an
+ ultimate fallback route if no other information is available
+ * Captive portal detection reliability is improved on some in-flight Wi-Fi networks
+ * Port mapping success rate is improved
+ * Helsinki is added as a DERP region. 
+
+-------------------------------------------------------------------
+Wed Mar 12 09:07:49 UTC 2025 - Richard Rahl
+
+- add patch fix-CVE-2025-22869.patch, fixes bsc#1239353
+
+-------------------------------------------------------------------
+Tue Mar 4 13:42:34 UTC 2025 - Richard Rahl
+
+- update to 1.80.3:
+ * appc: fix a deadlock in route advertisements
+ * client/web: fix CSRF handler order in web UI
+
+-------------------------------------------------------------------
+Thu Feb 13 14:30:28 UTC 2025 - Richard Rahl
+
+- update to 1.80.2:
+ * Use ip:country as a geolocation device posture attribute (generally available).
+
+-------------------------------------------------------------------
+Thu Feb 6 19:52:22 UTC 2025 - Richard Rahl
+
+- update to 1.80.1:
+ * net/netmon: add extra panic guard around ParseRIB
+
+-------------------------------------------------------------------
+Fri Jan 31 17:20:29 UTC 2025 - Richard Rahl
+
+- update to 1.80.0:
+ * Hostname system policy is added for overriding the device hostname
+ configured by the operating system, using an MDM solution.
+ * Web interface displays a Login button instead of the Reauthenticate button
+ when adding a new device to your tailnet.
+ * Tailscale Funnel configuration on devices displays errors when incoming
+ connections are not permitted and connections are disallowed.
+ * Connections to a custom coordination server that does not support HTTPS
+ will no longer fail when a custom port number is specified.
+ * TLS certificate requests from Let’s Encrypt include the device's DNS name
+ in the CSR’s SAN extension and set the Common Name field.
+ * Tailscale Funnel disabled on a device no longer displays enabled in the
+ admin console. 
+ * GitHub username change automatically updates tailnet name
+ * 4via6 subnet routers GA
+ * Auto approvers GA
+ * Node attributes GA
+ * Download invoices GA
+ * Fast user switching GA
+ * Configuration log streaming integration with S3 buckets GA
+ * Network flow log streaming integration with S3 buckets GA
+ * NextDNS profiles per device GA
+ * GitHub secret scanning
+- remove fix-CVE-2024-45337.patch, as it's now included
+
+-------------------------------------------------------------------
+Wed Dec 18 17:33:23 UTC 2024 - Richard Rahl
+
+- add patch fix-CVE-2024-45337.patch, to circumevent a possibility
+ of exploiting the golang-x-crypto security hole. (fix #1234506)
+
+-------------------------------------------------------------------
+Fri Dec 13 05:06:26 UTC 2024 - Richard Rahl
+
+- update to 1.78.3:
+ * cmd/containerboot: fix nil pointer exception
+ * hostinfo: fix testing in container
+
+-------------------------------------------------------------------
+Fri Dec 6 01:22:05 UTC 2024 - Richard Rahl
+
+- update to 1.78.1:
+ * health: fix TestHealthMetric
+
+-------------------------------------------------------------------
+Thu Dec 5 22:10:32 UTC 2024 - Richard Rahl
+
+- update to 1.78.0:
+ * Client metrics have been added, to provide insights into Tailscale client
+ behavior, health, and performance.
+ * tailscale metrics command has been added, to expose and collect client
+ metrics for use with third-party monitoring systems.
+ * tailscale syspolicy command has been added, to list system policies, reload
+ system policies, or view errors related to the system policies configured
+ on the device.
+ * Tailscale system policies are applied immediately when pushed via mobile
+ device management (MDM) or Group Policy, without requiring a client restart.
+ * Tailscale SSH session recording detects the disappearance of the recorder
+ node sooner. This fix addresses a security vulnerability described
+ in TS-2024-013. 
+ * New scopes for OAuth clients have been added with more granular permissions.
+ Existing OAuth clients using the previous set of scopes, and keys generated
+ using these clients, are still valid.
+
+-------------------------------------------------------------------
+Fri Nov 8 03:46:50 UTC 2024 - Richard Rahl
+
+- update to 1.76.6:
+ * Logging for when clients move home DERP regions is improved.
+ * Tailscale clients no longer move their home DERP server prematurely in
+ response to unusual latency at very specific times.
+
+-------------------------------------------------------------------
+Tue Oct 22 18:34:42 UTC 2024 - Richard Rahl
+
+- update to 1.76.3:
+ * no relevant changelog
+- update to 1.76.2:
+ * no relevant changelog
+- switch over to the new %{default_fw_backend} macro
+- create old init file only for < leap 16
+
+-------------------------------------------------------------------
+Wed Oct 16 20:40:31 UTC 2024 - Richard Rahl
+
+- update to 1.76.1:
+ * tailscale netcheck CLI command no longer crashes when performing diagnostics
+ on networks lacking UDP connectivity.
+ * Improperly formatted SERVFAIL responses no longer cause DNS timeouts when using an exit node.
+ * dbus login sessions no longer fail on systems where /bin/login is missing.
+
+-------------------------------------------------------------------
+Mon Oct 14 13:06:13 UTC 2024 - Alexandre Vicenzi
+
+- Require a firewall backend (boo#1228829)
+- Add simple test check to ensure binaries are working
+
+-------------------------------------------------------------------
+Fri Oct 11 06:07:28 UTC 2024 - Richard Rahl
+
+- update to 1.76.0:
+ * Clients lacking UDP connectivity no longer skip performing fallback latency
+ measurements with DERP servers.
+ * Warnings no longer display unnecessarily.
+ * Tailscale connectivity on in-flight internet on airplanes (such as Alaska Airlines) no longer fails. 
+ * Service-related processes no longer run unnecessarily when services are disabled on the tailnet.
+ * Error messages include explanations in addition to the HTTP status code.
+ * Tailscale SSH supports sending environment variables to hosts. It's also possible to specify
+ permitted environment variables using the acceptEnv field.
+ * Tailscale SSH no longer breaks some terminal applications by omitting pixel width and height when
+ resizing the application window.
+
+-------------------------------------------------------------------
+Sat Sep 21 05:28:42 UTC 2024 - Eric Torres
+
+- Change path of zsh completion file to make zsh properly recognize completions
+ * /usr/share/zsh/site-functions/tailscale moved to /usr/share/zsh/site-functions/_tailscale
+
+-------------------------------------------------------------------
+Wed Sep 18 19:10:19 UTC 2024 - Richard Rahl
+
+- update to 1.74.1:
+ * wgengine/magicsock: disable raw disco by default; add envknob to enable
+
+-------------------------------------------------------------------
+Fri Sep 13 10:48:17 UTC 2024 - Richard Rahl
+
+- update to 1.74.0
+ * AuthKey system policy can be used to authenticate a device with Tailscale using an MDM solution.
+ * tailscale dns CLI command is added for accessing Tailscale DNS settings and status.
+ * Tailnet Lock long rotation signatures are truncated automatically to avoid excessive growth.
+ * Log In option in the client works as expected.
+ * TCP generic receive offload (GRO) support is added for improved userspace mode throughput.
+ * TCP generic segmentation offload (GSO) is re-introduced for supporting improved userspace mode throughput.
+ This was initially introduced in Tailscale v1.72.0 and then rolled back in v1.72.1.
+ * Device posture integration with CrowdStrike Falcon can now use MAC addresses to match devices that lack serial numbers.
+ When Falcon integration is configured, Device Identity Collection will automatically collect MAC addresses. 
+
+-------------------------------------------------------------------
+Thu Aug 22 22:08:51 UTC 2024 - Richard Rahl
+
+- update to 1.72.1:
+ * DNS over TCP failures when querying the Tailscale-internal resolver are fixed.
+
+-------------------------------------------------------------------
+Wed Aug 21 16:05:02 UTC 2024 - rrahl0@opensuse.org
+
+- Update to version 1.72.0:
+ * posture: deduplicate MAC addresses before returning them
+ * health/dns: reduce severity of DNS unavailable warning
+ * safeweb: add Server.Close method
+ * go.mod.sri: update SRI hash for go.mod changes
+ * go.{mod,sum}: migrate from nhooyr.io/websocket to github.com/coder/websocket
+ * cmd/viewer: add support for map-like container types
+- update golang(API) to 1.23
+- export version variables, to circumvent a bug
+
+-------------------------------------------------------------------
+Thu Jul 18 06:31:58 UTC 2024 - Richard Rahl
+
+- update to 1.70.0:
+ * New: Restrict recommended and automatically selected exit nodes using the
+ new AllowedSuggestedExitNodes system policy. Applies only to platforms that
+ support system policies.
+ * Changed: Improved NAT traversal for some uncommon scenarios.
+ * Changed: Optimized sending firewall rules to clients more efficiently.
+ * Fixed: Exit node suggestion CLI command now prints the hostname.
+ * Fixed: Taildrive share paths configured through the CLI resolve relative
+ to where you run the tailscale command.
+
+-------------------------------------------------------------------
+Tue Jul 2 20:35:35 UTC 2024 - Richard Rahl
+
+- update to 1.68.2:
+ * Fixed: Tailnet lock validation of rotation signatures now permits multiple nodes
+ signed by the same pre-signed reusable auth key.
+
+-------------------------------------------------------------------
+Sun Jun 16 13:30:20 UTC 2024 - Richard Rahl
+
+- update to 1.68.1:
+ * Fixed: 4via6 subnet router advertisement works as expected. 
+ * Fixed: Tailscale SSH access to Security-Enhanced Linux (SELinux) machines works as expected.
+- update to 1.68.0:
+ * New: Auto-updates are allowed in containers, but ignore the tailnet-wide default
+ * New: Apply auto-updates even if the node is down or disconnected from the coordination server.
+ * New: tailscale lock status now prints the node's signature.
+
+-------------------------------------------------------------------
+Wed May 22 08:36:37 UTC 2024 - Richard Rahl
+
+- update to 1.66.4:
+ * Fixed: Restored UDP connectivity through Mullvad exit nodes
+ * Stateful filtering is now off by default
+
+- update to 1.66.3:
+ * Login URLs did not always appear in the console when running tailscale up
+ * Starting with v1.66, the Kubernetes operator must always run the same or later version
+ as the proxies it manages.
+ * Expose cloud services on cluster network to the tailnet, using Kubernetes ExternalName Services
+ * Expose tailnet services that use Tailscale HTTPS to cluster workloads
+ * Cluster workloads can now refer to Tailscale Ingress resources by their MagicDNS names
+ * Configure environment variables for Tailscale Kubernetes operator proxies using ProxyClass CRD
+ * Expose tailscaled metrics endpoint for Tailscale Kubernetes operator proxies through ProxyClass CRD
+ * Configure labels for the Kubernetes operator Pods with Helm chart values
+ * Configure affinity rules for Kubernetes operator proxy Pods with ProxyClass
+ * Kubernetes operator proxy init container no longer attempts to enable IPv6 forwarding on systems
+ that don't have IPv6 module loaded
+ * Tailscale containers running on Kubernetes no longer error if an empty Kubernetes Secret is
+ pre-created for the tailscaled state
+ * Improved the ambiguous error messages when Tailscale running on Kubernetes does not have the right
+ permissions to perform actions against the tailscaled state Secret
+
+-------------------------------------------------------------------
+Fri May 10 15:16:33 
UTC 2024 - Richard Rahl
+
+- update to 1.66.1:
+ * Resolved issues with nftables rules for stateful filtering,
+ introduced in v1.66.0.
+ * tailscale set command flags --netfilter-mode, --snat-subnet-routes,
+ and --stateful-filtering are added.
+
+- update to 1.66.0:
+ * Implemented client-side quarantining for shared-in exit nodes,
+ as a mitigation for a security vulnerability described in TS-2024-005.
+ * Use the --stateful-filtering flag for the tailscale up to enable stateful filtering for
+ subnet routers and exit nodes, as a mitigation for a security vulnerability described
+ in TS-2024-005.
+ * Added tab completions
+ * Use the tailscale exit-node suggest command to automatically pick an available exit node
+ that is likely to perform best.
+ * Site-to-site networking now also requires --stateful-filtering=false in addition to
+ --snat-subnet-routes=false on new subnet routers. Existing subnet routers with --snat-subnet-routes=false
+ will default to --stateful-filtering=false.
+
+- update to 1.64.2:
+ * nothing relevant for linux
+
+- update to 1.64.1:
+ * nothing relevant for linux
+
+- update to 1.64.0:
+ * New: tailscale configure kubeconfig now respects KUBECONFIG environment variable.
+ * Fixed: tailscale configure kubeconfig now works with partially empty kubeconfig.
+ * Fixed: MSS clamping for Kubernetes operator proxies using nftables.
+ * Fixed: Containers on hosts with partial support for ip6tables no longer crash. 
+
+- turn of changelog generation
+- add completions for bash
+
+-------------------------------------------------------------------
+Sat Mar 30 08:28:56 UTC 2024 - Richard Rahl
+
+- update to 1.62.1:
+ * Send load balancing hint HTTP request header
+ * Fixed: Kubernetes operator proxies should not accept subnet routes
+
+-------------------------------------------------------------------
+Thu Mar 14 03:13:54 UTC 2024 - rrahl0@proton.me
+
+- update to 1.62.0:
+ * IPv6 support detection in a container environment is improved
+ * New: Web interface now uses ACL grants to manage access on tagged devices
+ * Tailscale SSH connections now disable unnecessary hostname canonicalization
+ * tailscale bugreport command for generating diagnostic logs now contain ethtool information
+ * Mullvad's family-friendly server is added to the list of well known DNS over HTTPS (DoH) servers
+ * DNS over HTTP requests now contain a timeout
+ * TCP forwarding attempts in userspace mode now have a per-client limit
+ * Endpoints with link-local IPv6 addresses is preferred over private addresses
+ * WireGuard logs are less verbose
+ * Go min. 
version 1.22.1
+ * DERP server region no longer changes if connectivity to the new DERP region is degraded
+
+- update to 1.60.1:
+ * Exposing port 8080 to other devices on your tailnet works as expected
+
+-------------------------------------------------------------------
+Tue Feb 20 22:10:41 UTC 2024 - Alexandre Vicenzi
+
+- Add disable-auto-update.patch to prevent auto updates and instead
+ ask users to use Zypper to update manually
+
+-------------------------------------------------------------------
+Tue Feb 20 14:52:46 UTC 2024 - Richard Rahl
+
+- change to the non deprecated manualrun
+
+-------------------------------------------------------------------
+Fri Feb 16 14:38:14 UTC 2024 - alexandre.vicenzi@suse.com
+
+- Spec cleanup
+ * Use tar_scm to avoid commit hashes in the spec
+ * Use tailscale build scripts
+ * Drop ProtectClock fix for Leap, DeviceAllow fixes it
+- Add build-verbose.patch to get go flags into build log
+- Enable PrivateDevices but allow access to /dev/net/tun in tailscaled.service
+
+-------------------------------------------------------------------
+Fri Feb 16 00:50:26 UTC 2024 - Richard Rahl
+
+- update to 1.60.0:
+ * minimum go version 1.22
+ * authentication: present users with a valid login page when
+ attempting to login even after leaving device unattended for several days
+ * networking: mute noisy peer mtu discovery errors
+ * networking: expose gVisor metrics in debug mode
+ * port mapper: support legacy "urn:dslforum-org" port mapping services
+ * port mapper: fix crash when no support mapping services found
+ * ssh: log warning when unable to find SSH host keys
+ * serve: improve error message when running as non-root
+ * Detect when Tailscale is running on Digital Ocean and automatically
+ use Digital Ocean's DNS resolvers
+ * enable app connectors to install routes for domains that resolve to CNAME
+ records
+ * support pre-configured routes from control server
+ * add new read-only mode
+ * tailscale status command: 
fix output formatting Tailnet
+ includes location-based exit nodes
+ * a new ProxyClass custom resource that allows to provide custom
+ configuration for cluster resources that the operator creates
+ * ACL tags for the operator can now be configured via Helm chart values
+ * routing to Ingress backends that require an exact path without a slash
+
+-------------------------------------------------------------------
+Wed Feb 7 14:52:53 UTC 2024 - Richard Rahl
+
+- make rpm not overwrite /etc/default/taiscaled
+- defattr everything to root
+
+-------------------------------------------------------------------
+Sat Feb 3 11:18:05 UTC 2024 - Richard Rahl
+
+- no stripping of binaries
+- add commitID to binaries for upstream
+- add directory for saved configs
+
+-------------------------------------------------------------------
+Tue Jan 23 23:54:36 UTC 2024 - Richard Rahl
+
+- switch services to manual
+- update to version 1.58.2:
+ * Fixed: [App connectors][app-connectors] have improved scheduling
+ and merging of route changes under some conditions
+ * Fixed: Crash when performing UPnP portmapping on older routers
+ with no supported portmapping services
+
+-------------------------------------------------------------------
+Fri Jan 19 08:06:27 UTC 2024 - Richard Rahl
+
+- update to version 1.58.0:
+ * portmap: check the epoch from NAT-PMP & PCP, establish new portmapping if it changes
+ * portmap: better handle multiple interfaces
+ * portmap: handle multiple UPnP discovery responses
+ * increase the number of 4via6 site IDs from 256 to 65,536
+ * taildrop: allow category Z unicode characters
+ * increased binary size with 1.56 is resolved in 1.58
+ * Reduce home DERP flapping when there's still an active connection
+ * device web ui: fixed issue when accessing shared devices
+ * device web ui: fixed login issue when accessed over https
+
+-------------------------------------------------------------------
+Wed Jan 10 02:17:57 UTC 2024 - Richard Rahl
+
+- fix an 
issue with Leap, where ProtectClock prevents to connect to + /dev/net/tun + +------------------------------------------------------------------- +Fri Dec 15 21:22:39 UTC 2023 - Richard Rahl + +- update to version 1.56.1: + * Fixed: Web interface redirects to the correct self IP known by source peer + * Fixed: Usage of slices.Compact from app connector domains list + +------------------------------------------------------------------- +Fri Dec 15 13:48:28 UTC 2023 - Richard Rahl + +- fix version output to what upstream expects + +------------------------------------------------------------------- +Wed Dec 13 22:08:30 UTC 2023 - rrahl0@proton.me + +- Update to version 1.56.0: + * improve responsiveness under load, especially with bidirectional traffic + * improve UPnP portmapping + * add tailscale whois subcommand to observe metadata associated with a Tailscale IP + * include tailnet name and profile ID in tailscale switch --list to disambiguate + profiles with common login names + * improve tailscale web interface for configuring some device settings such as exit nodes, + subnet routers, and Tailscale SSH + * improve containerboot to symlink its socket file if possible, + making the tailscale CLI work without --socket=/tmp/tailscale.sock + * add support in Kubernetes operator cluster egress for referring to a tailnet service + by its MagicDNS name + + +- Update to version 1.54.1: + * no relevant updates to the linux version + +------------------------------------------------------------------- +Fri Nov 24 21:59:11 UTC 2023 - Richard Rahl + +- tailscale couldn't connect to /dev/net/tun + +------------------------------------------------------------------- +Thu Nov 23 06:51:24 UTC 2023 - rrahl0@proton.me + +- Update to version 1.54.0: + * improve throughput substantially for UDP packets over TUN device with recent Linux kernels + + +- Update to version 1.52.1: + * no linux improvements + +- Update to version 1.52.0: + * tailscale set command flag --auto-update is 
added to opt in to automatic client updates + * tailscale serve and tailscale funnel commands are updated for improved usability + * tailscale update command for manual updates is now in beta + * Taildrop file transfer displays a progress meter + * nftables auto-detection is improved when TS_DEBUG_FIREWALL_MODE=auto is used + * DNS detection of NetworkManager with configured but absent systemd-resolved + * Taildrop now resumes file transfers after partial transfers are interrupted + * tailscale up command displays a message about client updates when newer versions are available + * tailscale status command displays a message about client updates when newer versions are available + * tailscale cert command renews in the background. The current certificate only displays if it has expired. + +------------------------------------------------------------------- +Mon Oct 02 23:51:03 UTC 2023 - rrahl0@proton.me + +- Update to version 1.50.1: + * fix bug where serve config could get wiped + * Funnel support for tsnet apps + * fix potential crash with UPnP + +------------------------------------------------------------------- +Sat Sep 30 19:38:50 UTC 2023 - rrahl0@proton.me + +- Update to version 1.50.0: + * Update tailscale{,d} licenses + * Update Quad9 addresses and references + * Adds support for Wikimedia DNS using DNS-over-HTTPS + +- Update to version 1.48.1: + * no relevant updates + +- Update to version 1.48.2: + * Improvements to Mullvad exit nodes + +------------------------------------------------------------------- +Fri Aug 18 15:56:24 UTC 2023 - Richard Rahl + +- Initial revision diff --git a/tailscale.spec b/tailscale.spec new file mode 100644 index 0000000..df2642b --- /dev/null +++ b/tailscale.spec 
@@ -0,0 +1,143 @@
+#
+# spec file for package tailscale
+#
+# Copyright (c) 2025 SUSE LLC and contributors
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name: tailscale
+Version: 1.90.3
+Release: 0
+Summary: The easiest, most secure way to use WireGuard and 2FA
+License: BSD-3-Clause
+URL: https://github.com/tailscale/tailscale
+Source: %{name}-%{version}.tar.gz
+Source1: vendor.tar.gz
+Source2: %{name}d.service
+Source3: %{name}d.defaults
+Patch0: build-verbose.patch
+Patch1: disable-auto-update.patch
+BuildRequires: bash-completion
+BuildRequires: fish
+BuildRequires: git-core
+BuildRequires: go1.25 >= 1.25.3
+BuildRequires: golang-packaging
+BuildRequires: zsh
+Requires: %{default_firewall_backend}
+ExcludeArch: %{ix86}
+%{?systemd_requires}
+
+%description
+Tailscale is a modern VPN built on top of Wireguard. It works like an overlay
+network between the computers of your networks using NAT traversal.
+
+%package bash-completion
+Summary: Tailscale bash completion
+Supplements: (%{name} and bash-completion)
+BuildArch: noarch
+
+%description bash-completion
+bash completions for %{name}
+
+%package zsh-completion
+Summary: Tailsacle zsh completion
+Supplements: (%{name} and zsh)
+BuildArch: noarch
+
+%description zsh-completion
+zsh completion for %{name}
+
+%package fish-completion
+Summary: Tailscale fish completion
+Supplements: (%{name} and fish)
+BuildArch: noarch
+
+%description fish-completion
+fish completion for %{name}
+
+%prep
+%autosetup -a1 -p1
+
+%build
+%ifnarch ppc64
+export GOFLAGS="-buildmode=pie"
+%endif
+export VERSION_SHORT=%{version}
+export VERSION_LONG=%{version}
+export VERSION_GIT_HASH='$(git rev-parse v%{version})'
+./build_dist.sh ./cmd/%{name}
+./build_dist.sh ./cmd/%{name}d
+
+#generate completions
+./%{name} completion bash > ./%{name}.bash
+./%{name} completion zsh > ./%{name}.zsh
+./%{name} completion fish > ./%{name}.fish
+
+%check
+./%{name} version
+./%{name}d -version
+
+%install
+mkdir -p %{buildroot}%{_sharedstatedir}/%{name}
+
+install -D -p -m 0755 %{name} %{buildroot}%{_bindir}/%{name}
+install -D -p -m 0755 %{name}d %{buildroot}%{_sbindir}/%{name}d
+
+# service
+install -D -p -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/%{name}d.service
+%if 0%{?suse_version} < 1600
+ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}d
+%endif
+
+# defaults
+install -D -p -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/default/%{name}d
+
+install -D -p -m 0644 ./%{name}.bash %{buildroot}%{_datadir}/bash-completion/completions/%{name}
+install -D -p -m 0644 ./%{name}.zsh %{buildroot}%{_datadir}/zsh/site-functions/_%{name}
+install -D -p -m 0644 ./%{name}.fish %{buildroot}%{_datadir}/fish/vendor_completions.d/%{name}
+
+%pre
+%service_add_pre %{name}d.service
+
+%post
+%service_add_post %{name}d.service
+
+%preun
+%service_del_preun %{name}d.service
+
+%postun
+%service_del_postun %{name}d.service
+
+%files
+%license LICENSE PATENTS
+%doc README.md SECURITY.md
+%config(noreplace) %{_sysconfdir}/default/%{name}d
+%dir %{_sharedstatedir}/%{name}
+%{_bindir}/%{name}
+%{_sbindir}/%{name}d
+%{_unitdir}/%{name}d.service
+%if 0%{?suse_version} < 1600
+%{_sbindir}/rc%{name}d
+%endif
+
+%files bash-completion
+%{_datadir}/bash-completion/completions/%{name}
+
+%files zsh-completion
+%{_datadir}/zsh/site-functions/_%{name}
+
+%files fish-completion
+%{_datadir}/fish/vendor_completions.d/%{name}
+
+%changelog
diff --git a/tailscaled.defaults b/tailscaled.defaults
new file mode 100644
index 0000000..75f1c3e
--- /dev/null
+++ b/tailscaled.defaults
@@ -0,0 +1,8 @@
+# Set the port to listen on for incoming VPN packets.
+# Remote nodes will automatically be informed about the new port number,
+# but you might want to configure this in order to set external firewall
+# settings.
+PORT="41641"
+
+# Extra flags you might want to pass to tailscaled.
+FLAGS=""
diff --git a/tailscaled.service b/tailscaled.service
new file mode 100644
index 0000000..b67b94d
--- /dev/null
+++ b/tailscaled.service
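Review bot: `%dir %{_sharedstatedir}/%{name}` in the `%files` section is packaged with the default directory mode, while `tailscaled.service` (Source2 in this same commit) sets `StateDirectoryMode=0700` for that same directory, which holds `tailscaled.state` — the node state the `--encrypt-state` flag mentioned in the changelog exists to protect at rest. Declaring it as `%dir %attr(0700,root,root) %{_sharedstatedir}/%{name}` makes the packaged mode match what systemd enforces, so the directory is not world-readable between installation and first service start and `rpm -V` does not report a mode mismatch afterwards. Separately, `export VERSION_GIT_HASH='$(git rev-parse v%{version})'` is single-quoted, so unless build_dist.sh evaluates the value itself the binaries are stamped with that literal text rather than a commit hash; a comment stating which behaviour is intended would help, since the `BuildRequires: git-core` suggests the hash is meant to be resolved. The zsh-completion `Summary` also reads `Tailsacle`.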
@@ -0,0 +1,35 @@
+[Unit]
+Description=Tailscale node agent
+Documentation=https://tailscale.com/kb/
+Wants=network-pre.target
+After=network-pre.target NetworkManager.service systemd-resolved.service
+
+[Service]
+EnvironmentFile=/etc/default/tailscaled
+ExecStartPre=/usr/sbin/tailscaled --cleanup
+ExecStart=/usr/sbin/tailscaled --state=/var/lib/tailscale/tailscaled.state --socket=/run/tailscale/tailscaled.sock --port=${PORT} $FLAGS
+ExecStopPost=/usr/sbin/tailscaled --cleanup
+Restart=on-failure
+RuntimeDirectory=tailscale
+RuntimeDirectoryMode=0755
+StateDirectory=tailscale
+StateDirectoryMode=0700
+CacheDirectory=tailscale
+CacheDirectoryMode=0750
+Type=notify
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+PrivateDevices=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+RestrictRealtime=true
+# give permission to TUN
+BindPaths=/dev/net/tun
+DeviceAllow=/dev/net/tun rw
+
+[Install]
+WantedBy=multi-user.target
diff --git a/vendor.tar.gz b/vendor.tar.gz
new file mode 100644
index 0000000..fe1326e
--- /dev/null
+++ b/vendor.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:363d8d61c8d207c7ee0b965c36fdbeb7c743b9bdcc25ff693989a624f4cf6406
+size 20773434
-- 
2.51.1
From 9e65c6f447fd3fc09235eeca279d82417ef7d5db3a4c20ca6c5f34dced9d9b91 Mon Sep 17 00:00:00 2001
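Review bot: `ProtectHome=true` in the `[Service]` block deserves a comment on its interaction with Tailscale SSH, which the changelog shows this package supports: sessions that tailscaled spawns for users presumably inherit the unit's mount namespace, so with `ProtectHome=true` they would likely see an empty /home, a trade-off worth stating rather than leaving implicit. Suggest a comment next to that line such as `# ProtectHome: sessions spawned by tailscaled (Tailscale SSH) will not see /home; relax this if Tailscale SSH is used on this host`. The `# give permission to TUN` comment could also explain why both directives are needed: `PrivateDevices=true` mounts a private /dev that lacks the TUN node, so `BindPaths=/dev/net/tun` brings it in and `DeviceAllow=/dev/net/tun rw` permits access to it.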
From: Richard Rahl Date: Wed, 29 Oct 2025 09:57:27 +0000 Subject: [PATCH 17/25] - Update to version 1.90.4: * deadlock issue no longer occurs in the client when checking for the network to be available * tailscaled no longer sporadically panics when a Trusted Platform Module (TPM) device is present OBS-URL: https://build.opensuse.org/package/show/network:vpn/tailscale?expand=0&rev=102 --- .gitattributes | 23 ++ .gitignore | 1 + _service | 17 ++ _servicedata | 4 + build-verbose.patch | 13 + disable-auto-update.patch | 25 ++ fix-CVE-2025-58058.patch | 28 ++ tailscale-1.86.5.tar.gz | 3 + tailscale-1.88.1.tar.gz | 3 + tailscale-1.88.3.tar.gz | 3 + tailscale-1.90.2.tar.gz | 3 + tailscale-1.90.3.tar.gz | 3 + tailscale-1.90.4.tar.gz | 3 + tailscale.changes | 627 ++++++++++++++++++++++++++++++++++++++ tailscale.spec | 143 +++++++++ tailscaled.defaults | 8 + tailscaled.service | 35 +++ vendor.tar.gz | 3 + 18 files changed, 945 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 _service create mode 100644 _servicedata create mode 100644 build-verbose.patch create mode 100644 disable-auto-update.patch create mode 100644 fix-CVE-2025-58058.patch create mode 100644 tailscale-1.86.5.tar.gz create mode 100644 tailscale-1.88.1.tar.gz create mode 100644 tailscale-1.88.3.tar.gz create mode 100644 tailscale-1.90.2.tar.gz create mode 100644 tailscale-1.90.3.tar.gz create mode 100644 tailscale-1.90.4.tar.gz create mode 100644 tailscale.changes create mode 100644 tailscale.spec create mode 100644 tailscaled.defaults create mode 100644 tailscaled.service create mode 100644 vendor.tar.gz diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes 
@@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/_service b/_service new file mode 100644 index 0000000..1f388ca --- /dev/null +++ b/_service @@ -0,0 +1,17 @@ + + + https://github.com/tailscale/tailscale.git + git + yes + refs/tags/v1.90.4 + @PARENT_TAG@ + v(.*) + disable + + + *.tar + gz + + + + diff --git a/_servicedata b/_servicedata new file mode 100644 index 0000000..d4fed67 --- /dev/null +++ b/_servicedata @@ -0,0 +1,4 @@ + + + https://github.com/tailscale/tailscale.git + aa448d5a9985378af04966c6d7aec8d9f4a166ca \ No newline at end of file diff --git a/build-verbose.patch b/build-verbose.patch new file mode 100644 index 0000000..5da7533 --- /dev/null +++ b/build-verbose.patch 
@@ -0,0 +1,13 @@
+diff --git a/build_dist.sh b/build_dist.sh
+index 0c757c26..9639d596 100755
+--- a/build_dist.sh
++++ b/build_dist.sh
+@@ -9,7 +9,7 @@
+ # this script, or executing equivalent commands in your
+ # distro-specific build system.
+
+-set -eu
++set -eux
+
+ go="go"
+ if [ -n "${TS_USE_TOOLCHAIN:-}" ]; then
diff --git a/disable-auto-update.patch b/disable-auto-update.patch
new file mode 100644
index 0000000..c7d8a30
--- /dev/null
+++ b/disable-auto-update.patch
@@ -0,0 +1,25 @@
+diff -rub tailscale/clientupdate/clientupdate.go tailscale-patched/clientupdate/clientupdate.go
+--- tailscale/clientupdate/clientupdate.go 2024-06-16 15:26:31.323022871 +0200
++++ tailscale-patched/clientupdate/clientupdate.go 2024-06-16 15:57:08.732315446 +0200
+@@ -205,6 +205,8 @@
+ // The distro.Debian switch case above should catch most apt-based
+ // systems, but add this fallback just in case.
+ return up.updateDebLike, true
++ case haveExecutable("zypper"):
++ return up.updateSUSE, false
+ case haveExecutable("dnf"):
+ return up.updateFedoraLike("dnf"), true
+ case haveExecutable("yum"):
+@@ -526,6 +528,12 @@
+ you can use "pacman --sync --refresh --sysupgrade" or "pacman -Syu" to upgrade the system, including Tailscale.`)
+ }
+
++func (up *Updater) updateSUSE() error {
++ // SUSE-based distros should update manually.
++ // The package can come from official Tailscale repos or not and the system can be transactional or not.
++ return errors.New(`Use Zypper or transactional-update (on applicable systems) to update Tailscale on openSUSE or SUSE Linux Enterprise installations.`)
++}
++
+ func (up *Updater) updateNixos() error {
+ // NixOS package updates are managed on a system level and not individually.
+ // Direct users to update their nix channel or nixpkgs flake input to
diff --git a/fix-CVE-2025-58058.patch b/fix-CVE-2025-58058.patch
new file mode 100644
index 0000000..867ec16
--- /dev/null
+++ b/fix-CVE-2025-58058.patch
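Review bot: In disable-auto-update.patch the new `case haveExecutable("zypper"):` is inserted after the apt fallback but before `dnf`, which is the right ordering only if zypper is meant to take precedence on hosts where both package managers are installed; a one-line comment stating that intent would make the next rebase safer. The `updateSUSE` method never uses its receiver and performs no action, so its comment could say so explicitly, e.g. `// updateSUSE never performs an update; it only returns an error telling the user to update via the distribution's own tooling.` The patch file also has no descriptive preamble (what it changes and that it is distribution-specific rather than an upstream backport), which free text before the first `diff` line would provide. Note that the enclosing switch statement and the neighbouring functions begin and end outside the quoted hunks.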
@@ -0,0 +1,28 @@
+diff --git a/go.mod b/go.mod
+index 3d7514158..837fc8c44 100644
+--- a/go.mod
++++ b/go.mod
+@@ -382,7 +382,7 @@ require (
+ github.com/tomarrell/wrapcheck/v2 v2.8.3 // indirect
+ github.com/tommy-muehle/go-mnd/v2 v2.5.1 // indirect
+ github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 // indirect
+- github.com/ulikunitz/xz v0.5.11 // indirect
++ github.com/ulikunitz/xz v0.5.15 // indirect
+ github.com/ultraware/funlen v0.1.0 // indirect
+ github.com/ultraware/whitespace v0.1.0 // indirect
+ github.com/uudashr/gocognit v1.1.2 // indirect
+diff --git a/go.sum b/go.sum
+index 995b93010..715cd6dea 100644
+--- a/go.sum
++++ b/go.sum
+@@ -1010,8 +1010,8 @@ github.com/u-root/u-root v0.14.0 h1:Ka4T10EEML7dQ5XDvO9c3MBN8z4nuSnGjcd1jmU2ivg=
+ github.com/u-root/u-root v0.14.0/go.mod h1:hAyZorapJe4qzbLWlAkmSVCJGbfoU9Pu4jpJ1WMluqE=
+ github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 h1:pyC9PaHYZFgEKFdlp3G8RaCKgVpHZnecvArXvPXcFkM=
+ github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701/go.mod h1:P3a5rG4X7tI17Nn3aOIAYr5HbIMukwXG0urG0WuL8OA=
+-github.com/ulikunitz/xz v0.5.11 h1:kpFauv27b6ynzBNT/Xy+1k+fK4WswhN/6PN5WhFAGw8=
+-github.com/ulikunitz/xz v0.5.11/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
++github.com/ulikunitz/xz v0.5.15 h1:9DNdB5s+SgV3bQ2ApL10xRc35ck0DuIX/isZvIk+ubY=
++github.com/ulikunitz/xz v0.5.15/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
+ github.com/ultraware/funlen v0.1.0 h1:BuqclbkY6pO+cvxoq7OsktIXZpgBSkYTQtmwhAK81vI=
+ github.com/ultraware/funlen v0.1.0/go.mod h1:XJqmOQja6DpxarLj6Jj1U7JuoS8PvL4nEqDaQhy22p4=
+ github.com/ultraware/whitespace v0.1.0 h1:O1HKYoh0kIeqE8sFqZf1o0qbORXUCOQFrlaQyZsczZw=
diff --git a/tailscale-1.86.5.tar.gz b/tailscale-1.86.5.tar.gz
new file mode 100644
index 0000000..c896ccb
--- /dev/null
+++ b/tailscale-1.86.5.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:41d7a8318ae624bd7f8315d4f4d929025f403837b97d505e142064273dde7b6d
+size 73557568
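Review bot: fix-CVE-2025-58058.patch only edits `go.mod` and `go.sum`, but the spec builds from `vendor.tar.gz` (Source1, unpacked by `%autosetup -a1`), so bumping `github.com/ulikunitz/xz` to v0.5.15 in go.mod does not by itself change the xz code that gets compiled; unless `vendor/` and `vendor/modules.txt` were regenerated from the patched go.mod, a vendored build either fails on inconsistent vendoring or, if that check is bypassed, keeps compiling v0.5.11. A preamble in the patch file recording how the vendor tarball was refreshed alongside it would make the fix verifiable. Also, the tailscale.changes entry dated Sep 12 2025 in this same commit states this patch was removed as fixed upstream, so if the spec no longer references it the file appears to be a leftover that should be dropped rather than re-added.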
diff --git a/tailscale-1.88.1.tar.gz b/tailscale-1.88.1.tar.gz new file mode 100644 index 0000000..ca210fd --- /dev/null +++ b/tailscale-1.88.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8bf6ec31b921f822867977bee5a57bcd79e1ac721fc1498dc99f8b4e028942c4 +size 74267799 diff --git a/tailscale-1.88.3.tar.gz b/tailscale-1.88.3.tar.gz new file mode 100644 index 0000000..26c7e7d --- /dev/null +++ b/tailscale-1.88.3.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:cf8b2625ffe57b92ad34af619e0e78202fd9c3d219295c18781d3682411efce1 +size 75520912 diff --git a/tailscale-1.90.2.tar.gz b/tailscale-1.90.2.tar.gz new file mode 100644 index 0000000..553ddcf --- /dev/null +++ b/tailscale-1.90.2.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:eb89e930b62365aeda0fd8fd1af5ab640fd47340c60286ee4102bf2738c26267 +size 75912665 diff --git a/tailscale-1.90.3.tar.gz b/tailscale-1.90.3.tar.gz new file mode 100644 index 0000000..d5bfa94 --- /dev/null +++ b/tailscale-1.90.3.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:94e98597379c95acc11ec3adee926f868baf0a32986ceea91e7ad90817863a00 +size 75995057 diff --git a/tailscale-1.90.4.tar.gz b/tailscale-1.90.4.tar.gz new file mode 100644 index 0000000..aa03a50 --- /dev/null +++ b/tailscale-1.90.4.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:540310a3c9f29866e13356b4d04d8553a582a99a3032f342ff51deed29998a97 +size 76927017 diff --git a/tailscale.changes b/tailscale.changes new file mode 100644 index 0000000..dcea170 --- /dev/null +++ b/tailscale.changes 
@@ -0,0 +1,627 @@ +------------------------------------------------------------------- +Wed Oct 29 09:50:22 UTC 2025 - Richard Rahl + +- Update to version 1.90.4: + * deadlock issue no longer occurs in the client when checking + for the network to be available + * tailscaled no longer sporadically panics when a + Trusted Platform Module (TPM) device is present + +------------------------------------------------------------------- +Tue Oct 28 11:12:50 UTC 2025 - Richard Rahl + +- Update to version 1.90.3: + * tailscaled shuts down as expected and without panic + * tailscaled starts up as expected in a no router configuration environment + +------------------------------------------------------------------- +Fri Oct 24 18:11:11 UTC 2025 - Richard Rahl + +- Update to version 1.90.2: + * util/linuxfw: fix 32-bit arm regression with iptables + * health: compare warnable codes to avoid errors on release branch + * feature/tpm: check TPM family data for compatibility + +------------------------------------------------------------------- +Fri Oct 24 10:08:31 UTC 2025 - Richard Rahl + +- Upate to version 1.90.1: + * Clients can use configured DNS resolvers for all domains + * Node keys will be renewed seamlessly + * Unnecessary path discovery packets over DERP servers are suppressed + * Node key sealing is GA (generally available) and enabled by default + +------------------------------------------------------------------- +Wed Oct 1 11:55:52 UTC 2025 - Richard Rahl + +- update to version 1.88.3: + * cmd/tailscale/cli: add ts2021 debug flag to set a dial plan + * control/controlhttp: simplify, fix race dialing, remove priority concept +- update to version 1.88.2: + * k8s-operator: reset service status before append +- require the minimum go version directly, in comparison to using the golang(API) + symbol + +------------------------------------------------------------------- +Fri Sep 12 11:11:48 UTC 2025 - Richard Rahl + +- update to version 1.88.1: + * Tailscale CLI 
prompts users to confirm impactful actions + * Tailscale SSH works as expected when using an IP address instead of a + hostname and MagicDNS is disabled + * fixed: Taildrive sharing when su not present + * Taildrive files remain consistently accessible + * new: Tailscale tray GUI + * DERP IPs changed for Singapore and Tokyo +- remove fix-CVE-2025-58058.patch, fixed upstream + +------------------------------------------------------------------- +Fri Aug 29 12:57:59 UTC 2025 - Richard Rahl + +- add patch fix-CVE-2025-58058.patch, fixing bsc#1248920 + +------------------------------------------------------------------- +Fri Aug 29 11:10:29 UTC 2025 - Richard Rahl + +- update to version 1.86.5: + * cmd/k8s-proxy,k8s-operator: fix serve config for userspace mode +- update to version 1.86.4: + * nothing of relevance +- update to version 1.86.3: + * nothing of relevance + +------------------------------------------------------------------- +Tue Jul 29 21:20:47 UTC 2025 - Richard Rahl + +- update to version 1.86.2: + * A deadlock issue that may have occurred in the client + * An occasional crash when establishing a new port mapping with a gateway or + firewall + +------------------------------------------------------------------- +Sat Jul 26 16:23:38 UTC 2025 - Richard Rahl + +- update to version 1.86.0: + * tsStateEncrypted device posture attribute for checking whether the + Tailscale client state is encrypted at rest + * Cross-site request forgery (CSRF) issue that may have resulted in a log in + error when accessing the web interface + * Recommended exit node when the previously recommended exit node is offline + * tailscale up --exit-node=auto:any and tailscale set --exit-node=auto:any + CLI commands track the recommended exit node and automatically switches to + it when available exit nodes or network conditions change + * tailscaled CLI command flag --encrypt-state encrypts the node state file on + the disk using trusted platform module (TPM) + 
+------------------------------------------------------------------- +Thu Jun 26 17:29:44 UTC 2025 - Richard Rahl + +- update to 1.84.3: + * ipn/ipnlocal: Update hostinfo to control on service config change + +------------------------------------------------------------------- +Tue Jun 10 15:36:55 UTC 2025 - Richard Rahl + +- update to 1.84.2: + * Re-enable setting —accept-dns by using TS_EXTRA_ARGS. This issue resulted + from stricter CLI arguments parsing introduced in Tailscale v1.84.0 + +------------------------------------------------------------------- +Fri May 30 06:23:15 UTC 2025 - Richard Rahl + +- update to 1.84.1: + * net/dns: cache dns.Config for reuse when compileConfig fails + +------------------------------------------------------------------- +Thu May 22 08:27:09 UTC 2025 - Richard Rahl + +- update to 1.84.0: + * The --reason flag is added to the tailscale down command + * ReconnectAfter policy setting, which configures the maximum period of time + between a user disconnecting Tailscale and the client automatically + reconnecting + * Tailscale CLI commands throw an error if multiple of the same flag are detected + * Network connectivity issues when creating a new profile or switching + profiles while using an exit node + * DNS-over-TCP fallback works correctly with upstream servers reachable only + via the tailnet +- remove fix-CVE-2025-22869.patch, as upstream updated their dependencies + +------------------------------------------------------------------- +Fri Apr 18 07:37:15 UTC 2025 - Richard Rahl + +- update to 1.82.5: + * A panic issue related to CUBIC congestion control in userspace mode is resolved. + +------------------------------------------------------------------- +Thu Mar 27 19:50:58 UTC 2025 - Richard Rahl + +- update to 1.82.0: + * DERP functionality within the client supports certificate pinning for + self-signed IP address certificates for those unable to use Let's Encrypt + or WebPKI certificates. 
+ * Go is updated to version 1.24.1 + * NAT traversal code uses the DERP connection that a packet arrived on as an + ultimate fallback route if no other information is available + * Captive portal detection reliability is improved on some in-flight Wi-Fi networks + * Port mapping success rate is improved + * Helsinki is added as a DERP region. + +------------------------------------------------------------------- +Wed Mar 12 09:07:49 UTC 2025 - Richard Rahl + +- add patch fix-CVE-2025-22869.patch, fixes bsc#1239353 + +------------------------------------------------------------------- +Tue Mar 4 13:42:34 UTC 2025 - Richard Rahl + +- update to 1.80.3: + * appc: fix a deadlock in route advertisements + * client/web: fix CSRF handler order in web UI + +------------------------------------------------------------------- +Thu Feb 13 14:30:28 UTC 2025 - Richard Rahl + +- update to 1.80.2: + * Use ip:country as a geolocation device posture attribute (generally available). + +------------------------------------------------------------------- +Thu Feb 6 19:52:22 UTC 2025 - Richard Rahl + +- update to 1.80.1: + * net/netmon: add extra panic guard around ParseRIB + +------------------------------------------------------------------- +Fri Jan 31 17:20:29 UTC 2025 - Richard Rahl + +- update to 1.80.0: + * Hostname system policy is added for overriding the device hostname + configured by the operating system, using an MDM solution. + * Web interface displays a Login button instead of the Reauthenticate button + when adding a new device to your tailnet. + * Tailscale Funnel configuration on devices displays errors when incoming + connections are not permitted and connections are disallowed. + * Connections to a custom coordination server that does not support HTTPS + will no longer fail when a custom port number is specified. + * TLS certificate requests from Let’s Encrypt include the device's DNS name + in the CSR’s SAN extension and set the Common Name field. 
+ * Tailscale Funnel disabled on a device no longer displays enabled in the + admin console. + * GitHub username change automatically updates tailnet name + * 4via6 subnet routers GA + * Auto approvers GA + * Node attributes GA + * Download invoices GA + * Fast user switching GA + * Configuration log streaming integration with S3 buckets GA + * Network flow log streaming integration with S3 buckets GA + * NextDNS profiles per device GA + * GitHub secret scanning +- remove fix-CVE-2024-45337.patch, as it's now included + +------------------------------------------------------------------- +Wed Dec 18 17:33:23 UTC 2024 - Richard Rahl + +- add patch fix-CVE-2024-45337.patch, to circumevent a possibility + of exploiting the golang-x-crypto security hole. (fix #1234506) + +------------------------------------------------------------------- +Fri Dec 13 05:06:26 UTC 2024 - Richard Rahl + +- update to 1.78.3: + * cmd/containerboot: fix nil pointer exception + * hostinfo: fix testing in container + +------------------------------------------------------------------- +Fri Dec 6 01:22:05 UTC 2024 - Richard Rahl + +- update to 1.78.1: + * health: fix TestHealthMetric + +------------------------------------------------------------------- +Thu Dec 5 22:10:32 UTC 2024 - Richard Rahl + +- update to 1.78.0: + * Client metrics have been added, to provide insights into Tailscale client + behavior, health, and performance. + * tailscale metrics command has been added, to expose and collect client + metrics for use with third-party monitoring systems. + * tailscale syspolicy command has been added, to list system policies, reload + system policies, or view errors related to the system policies configured + on the device. + * Tailscale system policies are applied immediately when pushed via mobile + device management (MDM) or Group Policy, without requiring a client restart. + * Tailscale SSH session recording detects the disappearance of the recorder + node sooner. 
This fix addresses a security vulnerability described + in TS-2024-013. + * New scopes for OAuth clients have been added with more granular permissions. + Existing OAuth clients using the previous set of scopes, and keys generated + using these clients, are still valid. + +------------------------------------------------------------------- +Fri Nov 8 03:46:50 UTC 2024 - Richard Rahl + +- update to 1.76.6: + * Logging for when clients move home DERP regions is improved. + * Tailscale clients no longer move their home DERP server prematurely in + response to unusual latency at very specific times. + +------------------------------------------------------------------- +Tue Oct 22 18:34:42 UTC 2024 - Richard Rahl + +- update to 1.76.3: + * no relevant changelog +- update to 1.76.2: + * no relevant changelog +- switch over to the new %{default_fw_backend} macro +- create old init file only for < leap 16 + +------------------------------------------------------------------- +Wed Oct 16 20:40:31 UTC 2024 - Richard Rahl + +- update to 1.76.1: + * tailscale netcheck CLI command no longer crashes when performing diagnostics + on networks lacking UDP connectivity. + * Improperly formatted SERVFAIL responses no longer cause DNS timeouts when using an exit node. + * dbus login sessions no longer fail on systems where /bin/login is missing. + +------------------------------------------------------------------- +Mon Oct 14 13:06:13 UTC 2024 - Alexandre Vicenzi + +- Require a firewall backend (boo#1228829) +- Add simple test check to ensure binaries are working + +------------------------------------------------------------------- +Fri Oct 11 06:07:28 UTC 2024 - Richard Rahl + +- update to 1.76.0: + * Clients lacking UDP connectivity no longer skip performing fallback latency + measurements with DERP servers. + * Warnings no longer display unnecessarily. + * Tailscale connectivity on in-flight internet on airplanes (such as Alaska Airlines) no longer fails. 
+ * Service-related processes no longer run unnecessarily when services are disabled on the tailnet. + * Error messages include explanations in addition to the HTTP status code. + * Tailscale SSH supports sending environment variables to hosts. It's also possible to specify + permitted environment variables using the acceptEnv field. + * Tailscale SSH no longer breaks some terminal applications by omitting pixel width and height when + resizing the application window. + +------------------------------------------------------------------- +Sat Sep 21 05:28:42 UTC 2024 - Eric Torres + +- Change path of zsh completion file to make zsh properly recognize completions + * /usr/share/zsh/site-functions/tailscale moved to /usr/share/zsh/site-functions/_tailscale + +------------------------------------------------------------------- +Wed Sep 18 19:10:19 UTC 2024 - Richard Rahl + +- update to 1.74.1: + * wgengine/magicsock: disable raw disco by default; add envknob to enable + +------------------------------------------------------------------- +Fri Sep 13 10:48:17 UTC 2024 - Richard Rahl + +- update to 1.74.0 + * AuthKey system policy can be used to authenticate a device with Tailscale using an MDM solution. + * tailscale dns CLI command is added for accessing Tailscale DNS settings and status. + * Tailnet Lock long rotation signatures are truncated automatically to avoid excessive growth. + * Log In option in the client works as expected. + * TCP generic receive offload (GRO) support is added for improved userspace mode throughput. + * TCP generic segmentation offload (GSO) is re-introduced for supporting improved userspace mode throughput. + This was initially introduced in Tailscale v1.72.0 and then rolled back in v1.72.1. + * Device posture integration with CrowdStrike Falcon can now use MAC addresses to match devices that lack serial numbers. + When Falcon integration is configured, Device Identity Collection will automatically collect MAC addresses. 
+ +------------------------------------------------------------------- +Thu Aug 22 22:08:51 UTC 2024 - Richard Rahl + +- update to 1.72.1: + * DNS over TCP failures when querying the Tailscale-internal resolver are fixed. + +------------------------------------------------------------------- +Wed Aug 21 16:05:02 UTC 2024 - rrahl0@opensuse.org + +- Update to version 1.72.0: + * posture: deduplicate MAC addresses before returning them + * health/dns: reduce severity of DNS unavailable warning + * safeweb: add Server.Close method + * go.mod.sri: update SRI hash for go.mod changes + * go.{mod,sum}: migrate from nhooyr.io/websocket to github.com/coder/websocket + * cmd/viewer: add support for map-like container types +- update golang(API) to 1.23 +- export version variables, to circumvent a bug + +------------------------------------------------------------------- +Thu Jul 18 06:31:58 UTC 2024 - Richard Rahl + +- update to 1.70.0: + * New: Restrict recommended and automatically selected exit nodes using the + new AllowedSuggestedExitNodes system policy. Applies only to platforms that + support system policies. + * Changed: Improved NAT traversal for some uncommon scenarios. + * Changed: Optimized sending firewall rules to clients more efficiently. + * Fixed: Exit node suggestion CLI command now prints the hostname. + * Fixed: Taildrive share paths configured through the CLI resolve relative + to where you run the tailscale command. + +------------------------------------------------------------------- +Tue Jul 2 20:35:35 UTC 2024 - Richard Rahl + +- update to 1.68.2: + * Fixed: Tailnet lock validation of rotation signatures now permits multiple nodes + signed by the same pre-signed reusable auth key. + +------------------------------------------------------------------- +Sun Jun 16 13:30:20 UTC 2024 - Richard Rahl + +- update to 1.68.1: + * Fixed: 4via6 subnet router advertisement works as expected. 
+ * Fixed: Tailscale SSH access to Security-Enhanced Linux (SELinux) machines works as expected. +- update to 1.68.0: + * New: Auto-updates are allowed in containers, but ignore the tailnet-wide default + * New: Apply auto-updates even if the node is down or disconnected from the coordination server. + * New: tailscale lock status now prints the node's signature. + +------------------------------------------------------------------- +Wed May 22 08:36:37 UTC 2024 - Richard Rahl + +- update to 1.66.4: + * Fixed: Restored UDP connectivity through Mullvad exit nodes + * Stateful filtering is now off by default + +- update to 1.66.3: + * Login URLs did not always appear in the console when running tailscale up + * Starting with v1.66, the Kubernetes operator must always run the same or later version + as the proxies it manages. + * Expose cloud services on cluster network to the tailnet, using Kubernetes ExternalName Services + * Expose tailnet services that use Tailscale HTTPS to cluster workloads + * Cluster workloads can now refer to Tailscale Ingress resources by their MagicDNS names + * Configure environment variables for Tailscale Kubernetes operator proxies using ProxyClass CRD + * Expose tailscaled metrics endpoint for Tailscale Kubernetes operator proxies through ProxyClass CRD + * Configure labels for the Kubernetes operator Pods with Helm chart values + * Configure affinity rules for Kubernetes operator proxy Pods with ProxyClass + * Kubernetes operator proxy init container no longer attempts to enable IPv6 forwarding on systems + that don't have IPv6 module loaded + * Tailscale containers running on Kubernetes no longer error if an empty Kubernetes Secret is + pre-created for the tailscaled state + * Improved the ambiguous error messages when Tailscale running on Kubernetes does not have the right + permissions to perform actions against the tailscaled state Secret + +------------------------------------------------------------------- +Fri May 10 15:16:33 
UTC 2024 - Richard Rahl + +- update to 1.66.1: + * Resolved issues with nftables rules for stateful filtering, + introduced in v1.66.0. + * tailscale set command flags --netfilter-mode, --snat-subnet-routes, + and --stateful-filtering are added. + +- update to 1.66.0: + * Implemented client-side quarantining for shared-in exit nodes, + as a mitigation for a security vulnerability described in TS-2024-005. + * Use the --stateful-filtering flag for the tailscale up to enable stateful filtering for + subnet routers and exit nodes, as a mitigation for a security vulnerability described + in TS-2024-005. + * Added tab completions + * Use the tailscale exit-node suggest command to automatically pick an available exit node + that is likely to perform best. + * Site-to-site networking now also requires --stateful-filtering=false in addition to + --snat-subnet-routes=false on new subnet routers. Existing subnet routers with --snat-subnet-routes=false + will default to --stateful-filtering=false. + +- update to 1.64.2: + * nothing relevant for linux + +- update to 1.64.1: + * nothing relevant for linux + +- update to 1.64.0: + * New: tailscale configure kubeconfig now respects KUBECONFIG environment variable. + * Fixed: tailscale configure kubeconfig now works with partially empty kubeconfig. + * Fixed: MSS clamping for Kubernetes operator proxies using nftables. + * Fixed: Containers on hosts with partial support for ip6tables no longer crash. 
+ +- turn of changelog generation +- add completions for bash + +------------------------------------------------------------------- +Sat Mar 30 08:28:56 UTC 2024 - Richard Rahl + +- update to 1.62.1: + * Send load balancing hint HTTP request header + * Fixed: Kubernetes operator proxies should not accept subnet routes + +------------------------------------------------------------------- +Thu Mar 14 03:13:54 UTC 2024 - rrahl0@proton.me + +- update to 1.62.0: + * IPv6 support detection in a container environment is improved + * New: Web interface now uses ACL grants to manage access on tagged devices + * Tailscale SSH connections now disable unnecessary hostname canonicalization + * tailscale bugreport command for generating diagnostic logs now contain ethtool information + * Mullvad's family-friendly server is added to the list of well known DNS over HTTPS (DoH) servers + * DNS over HTTP requests now contain a timeout + * TCP forwarding attempts in userspace mode now have a per-client limit + * Endpoints with link-local IPv6 addresses is preferred over private addresses + * WireGuard logs are less verbose + * Go min. 
version 1.22.1 + * DERP server region no longer changes if connectivity to the new DERP region is degraded + +- update to 1.60.1: + * Exposing port 8080 to other devices on your tailnet works as expected + +------------------------------------------------------------------- +Tue Feb 20 22:10:41 UTC 2024 - Alexandre Vicenzi + +- Add disable-auto-update.patch to prevent auto updates and instead + ask users to use Zypper to update manually + +------------------------------------------------------------------- +Tue Feb 20 14:52:46 UTC 2024 - Richard Rahl + +- change to the non deprecated manualrun + +------------------------------------------------------------------- +Fri Feb 16 14:38:14 UTC 2024 - alexandre.vicenzi@suse.com + +- Spec cleanup + * Use tar_scm to avoid commit hashes in the spec + * Use tailscale build scripts + * Drop ProtectClock fix for Leap, DeviceAllow fixes it +- Add build-verbose.patch to get go flags into build log +- Enable PrivateDevices but allow access to /dev/net/tun in tailscaled.service + +------------------------------------------------------------------- +Fri Feb 16 00:50:26 UTC 2024 - Richard Rahl + +- update to 1.60.0: + * minimum go version 1.22 + * authentication: present users with a valid login page when + attempting to login even after leaving device unattended for several days + * networking: mute noisy peer mtu discovery errors + * networking: expose gVisor metrics in debug mode + * port mapper: support legacy "urn:dslforum-org" port mapping services + * port mapper: fix crash when no support mapping services found + * ssh: log warning when unable to find SSH host keys + * serve: improve error message when running as non-root + * Detect when Tailscale is running on Digital Ocean and automatically + use Digital Ocean's DNS resolvers + * enable app connectors to install routes for domains that resolve to CNAME + records + * support pre-configured routes from control server + * add new read-only mode + * tailscale status command: 
fix output formatting Tailnet + includes location-based exit nodes + * a new ProxyClass custom resource that allows to provide custom + configuration for cluster resources that the operator creates + * ACL tags for the operator can now be configured via Helm chart values + * routing to Ingress backends that require an exact path without a slash + +------------------------------------------------------------------- +Wed Feb 7 14:52:53 UTC 2024 - Richard Rahl + +- make rpm not overwrite /etc/default/taiscaled +- defattr everything to root + +------------------------------------------------------------------- +Sat Feb 3 11:18:05 UTC 2024 - Richard Rahl + +- no stripping of binaries +- add commitID to binaries for upstream +- add directory for saved configs + +------------------------------------------------------------------- +Tue Jan 23 23:54:36 UTC 2024 - Richard Rahl + +- switch services to manual +- update to version 1.58.2: + * Fixed: [App connectors][app-connectors] have improved scheduling + and merging of route changes under some conditions + * Fixed: Crash when performing UPnP portmapping on older routers + with no supported portmapping services + +------------------------------------------------------------------- +Fri Jan 19 08:06:27 UTC 2024 - Richard Rahl + +- update to version 1.58.0: + * portmap: check the epoch from NAT-PMP & PCP, establish new portmapping if it changes + * portmap: better handle multiple interfaces + * portmap: handle multiple UPnP discovery responses + * increase the number of 4via6 site IDs from 256 to 65,536 + * taildrop: allow category Z unicode characters + * increased binary size with 1.56 is resolved in 1.58 + * Reduce home DERP flapping when there's still an active connection + * device web ui: fixed issue when accessing shared devices + * device web ui: fixed login issue when accessed over https + +------------------------------------------------------------------- +Wed Jan 10 02:17:57 UTC 2024 - Richard Rahl + +- fix an 
issue with Leap, where ProtectClock prevents to connect to + /dev/net/tun + +------------------------------------------------------------------- +Fri Dec 15 21:22:39 UTC 2023 - Richard Rahl + +- update to version 1.56.1: + * Fixed: Web interface redirects to the correct self IP known by source peer + * Fixed: Usage of slices.Compact from app connector domains list + +------------------------------------------------------------------- +Fri Dec 15 13:48:28 UTC 2023 - Richard Rahl + +- fix version output to what upstream expects + +------------------------------------------------------------------- +Wed Dec 13 22:08:30 UTC 2023 - rrahl0@proton.me + +- Update to version 1.56.0: + * improve responsiveness under load, especially with bidirectional traffic + * improve UPnP portmapping + * add tailscale whois subcommand to observe metadata associated with a Tailscale IP + * include tailnet name and profile ID in tailscale switch --list to disambiguate + profiles with common login names + * improve tailscale web interface for configuring some device settings such as exit nodes, + subnet routers, and Tailscale SSH + * improve containerboot to symlink its socket file if possible, + making the tailscale CLI work without --socket=/tmp/tailscale.sock + * add support in Kubernetes operator cluster egress for referring to a tailnet service + by its MagicDNS name + + +- Update to version 1.54.1: + * no relevant updates to the linux version + +------------------------------------------------------------------- +Fri Nov 24 21:59:11 UTC 2023 - Richard Rahl + +- tailscale couldn't connect to /dev/net/tun + +------------------------------------------------------------------- +Thu Nov 23 06:51:24 UTC 2023 - rrahl0@proton.me + +- Update to version 1.54.0: + * improve throughput substantially for UDP packets over TUN device with recent Linux kernels + + +- Update to version 1.52.1: + * no linux improvements + +- Update to version 1.52.0: + * tailscale set command flag --auto-update is 
added to opt in to automatic client updates + * tailscale serve and tailscale funnel commands are updated for improved usability + * tailscale update command for manual updates is now in beta + * Taildrop file transfer displays a progress meter + * nftables auto-detection is improved when TS_DEBUG_FIREWALL_MODE=auto is used + * DNS detection of NetworkManager with configured but absent systemd-resolved + * Taildrop now resumes file transfers after partial transfers are interrupted + * tailscale up command displays a message about client updates when newer versions are available + * tailscale status command displays a message about client updates when newer versions are available + * tailscale cert command renews in the background. The current certificate only displays if it has expired. + +------------------------------------------------------------------- +Mon Oct 02 23:51:03 UTC 2023 - rrahl0@proton.me + +- Update to version 1.50.1: + * fix bug where serve config could get wiped + * Funnel support for tsnet apps + * fix potential crash with UPnP + +------------------------------------------------------------------- +Sat Sep 30 19:38:50 UTC 2023 - rrahl0@proton.me + +- Update to version 1.50.0: + * Update tailscale{,d} licenses + * Update Quad9 addresses and references + * Adds support for Wikimedia DNS using DNS-over-HTTPS + +- Update to version 1.48.1: + * no relevant updates + +- Update to version 1.48.2: + * Improvements to Mullvad exit nodes + +------------------------------------------------------------------- +Fri Aug 18 15:56:24 UTC 2023 - Richard Rahl + +- Initial revision diff --git a/tailscale.spec b/tailscale.spec new file mode 100644 index 0000000..ae58d92 --- /dev/null +++ b/tailscale.spec 
@@ -0,0 +1,143 @@
+#
+# spec file for package tailscale
+#
+# Copyright (c) 2025 SUSE LLC and contributors
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name: tailscale
+Version: 1.90.4
+Release: 0
+Summary: The easiest, most secure way to use WireGuard and 2FA
+License: BSD-3-Clause
+URL: https://github.com/tailscale/tailscale
+Source: %{name}-%{version}.tar.gz
+Source1: vendor.tar.gz
+Source2: %{name}d.service
+Source3: %{name}d.defaults
+Patch0: build-verbose.patch
+Patch1: disable-auto-update.patch
+BuildRequires: bash-completion
+BuildRequires: fish
+BuildRequires: git-core
+BuildRequires: go1.25 >= 1.25.3
+BuildRequires: golang-packaging
+BuildRequires: zsh
+Requires: %{default_firewall_backend}
+ExcludeArch: %{ix86}
+%{?systemd_requires}
+
+%description
+Tailscale is a modern VPN built on top of Wireguard. It works like an overlay
+network between the computers of your networks using NAT traversal.
+
+%package bash-completion
+Summary: Tailscale bash completion
+Supplements: (%{name} and bash-completion)
+BuildArch: noarch
+
+%description bash-completion
+bash completions for %{name}
+
+%package zsh-completion
+Summary: Tailsacle zsh completion
+Supplements: (%{name} and zsh)
+BuildArch: noarch
+
+%description zsh-completion
+zsh completion for %{name}
+
+%package fish-completion
+Summary: Tailscale fish completion
+Supplements: (%{name} and fish)
+BuildArch: noarch
+
+%description fish-completion
+fish completion for %{name}
+
+%prep
+%autosetup -a1 -p1
+
+%build
+%ifnarch ppc64
+export GOFLAGS="-buildmode=pie"
+%endif
+export VERSION_SHORT=%{version}
+export VERSION_LONG=%{version}
+export VERSION_GIT_HASH='$(git rev-parse v%{version})'
+./build_dist.sh ./cmd/%{name}
+./build_dist.sh ./cmd/%{name}d
+
+#generate completions
+./%{name} completion bash > ./%{name}.bash
+./%{name} completion zsh > ./%{name}.zsh
+./%{name} completion fish > ./%{name}.fish
+
+%check
+./%{name} version
+./%{name}d -version
+
+%install
+mkdir -p %{buildroot}%{_sharedstatedir}/%{name}
+
+install -D -p -m 0755 %{name} %{buildroot}%{_bindir}/%{name}
+install -D -p -m 0755 %{name}d %{buildroot}%{_sbindir}/%{name}d
+
+# service
+install -D -p -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/%{name}d.service
+%if 0%{?suse_version} < 1600
+ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}d
+%endif
+
+# defaults
+install -D -p -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/default/%{name}d
+
+install -D -p -m 0644 ./%{name}.bash %{buildroot}%{_datadir}/bash-completion/completions/%{name}
+install -D -p -m 0644 ./%{name}.zsh %{buildroot}%{_datadir}/zsh/site-functions/_%{name}
+install -D -p -m 0644 ./%{name}.fish %{buildroot}%{_datadir}/fish/vendor_completions.d/%{name}
+
+%pre
+%service_add_pre %{name}d.service
+
+%post
+%service_add_post %{name}d.service
+
+%preun
+%service_del_preun %{name}d.service
+
+%postun
+%service_del_postun %{name}d.service
+
+%files
+%license LICENSE PATENTS
+%doc README.md SECURITY.md
+%config(noreplace) %{_sysconfdir}/default/%{name}d
+%dir %{_sharedstatedir}/%{name}
+%{_bindir}/%{name}
+%{_sbindir}/%{name}d
+%{_unitdir}/%{name}d.service
+%if 0%{?suse_version} < 1600
+%{_sbindir}/rc%{name}d
+%endif
+
+%files bash-completion
+%{_datadir}/bash-completion/completions/%{name}
+
+%files zsh-completion
+%{_datadir}/zsh/site-functions/_%{name}
+
+%files fish-completion
+%{_datadir}/fish/vendor_completions.d/%{name}
+
+%changelog
diff --git a/tailscaled.defaults b/tailscaled.defaults
new file mode 100644
index 0000000..75f1c3e
--- /dev/null
+++ b/tailscaled.defaults
@@ -0,0 +1,8 @@
+# Set the port to listen on for incoming VPN packets.
+# Remote nodes will automatically be informed about the new port number,
+# but you might want to configure this in order to set external firewall
+# settings.
+PORT="41641"
+
+# Extra flags you might want to pass to tailscaled.
+FLAGS=""
diff --git a/tailscaled.service b/tailscaled.service
new file mode 100644
index 0000000..b67b94d
--- /dev/null
+++ b/tailscaled.service
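Review bot: `%dir %{_sharedstatedir}/%{name}` in %files ships /var/lib/tailscale with the default 0755 mode, while the packaged unit (Source2, tailscaled.service) asks systemd for `StateDirectoryMode=0700` on that same path; until the service has started once, whatever is written there (the `--state=` file, which presumably holds the node's key material) sits in a world-readable directory created by `mkdir -p` in %install. I would package it as `%dir %attr(0700,root,root) %{_sharedstatedir}/%{name}` and create it with `install -d -m 0700 %{buildroot}%{_sharedstatedir}/%{name}` so the RPM and the unit agree. Separately, `export VERSION_GIT_HASH='$(git rev-parse v%{version})'` is single-quoted, so the literal text `$(git rev-parse v1.90.4)` is exported into the build rather than a commit hash; whether the tar_scm tarball even carries .git metadata cannot be seen here, so either double-quote it with a fallback (`export VERSION_GIT_HASH="$(git rev-parse v%{version} 2>/dev/null || echo unknown)"`) or drop the export and the `git-core` BuildRequires that exists only for it.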
@@ -0,0 +1,35 @@
+[Unit]
+Description=Tailscale node agent
+Documentation=https://tailscale.com/kb/
+Wants=network-pre.target
+After=network-pre.target NetworkManager.service systemd-resolved.service
+
+[Service]
+EnvironmentFile=/etc/default/tailscaled
+ExecStartPre=/usr/sbin/tailscaled --cleanup
+ExecStart=/usr/sbin/tailscaled --state=/var/lib/tailscale/tailscaled.state --socket=/run/tailscale/tailscaled.sock --port=${PORT} $FLAGS
+ExecStopPost=/usr/sbin/tailscaled --cleanup
+Restart=on-failure
+RuntimeDirectory=tailscale
+RuntimeDirectoryMode=0755
+StateDirectory=tailscale
+StateDirectoryMode=0700
+CacheDirectory=tailscale
+CacheDirectoryMode=0750
+Type=notify
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+PrivateDevices=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+RestrictRealtime=true
+# give permission to TUN
+BindPaths=/dev/net/tun
+DeviceAllow=/dev/net/tun rw
+
+[Install]
+WantedBy=multi-user.target
diff --git a/vendor.tar.gz b/vendor.tar.gz
new file mode 100644
index 0000000..9ba562c
--- /dev/null
+++ b/vendor.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:86ef78156c0668a3a9d65604514276e232f42d7843f9843260afbc47e7d1e6e6
+size 20773947
-- 
2.51.1

From 6e9945886ee5627ae7e77f33aaabdead79ddbef09305d7eabf8d908e2ab814e0 Mon Sep 17 00:00:00 2001
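Review bot: There is no `ProtectSystem=` line in the [Service] section, so despite ProtectHome and the Protect*/Private* options below the hardening comment, the root-running daemon with a listener on `--port=${PORT}` keeps write access to /usr and /boot; I would add `ProtectSystem=true` right after `PrivateDevices=true`. I would stop at `true` rather than `full`/`strict`: state, socket and cache already go through StateDirectory=/RuntimeDirectory=/CacheDirectory=, but tailscaled presumably rewrites /etc/resolv.conf itself on hosts where neither systemd-resolved nor NetworkManager (both named in After=) owns DNS, and a read-only /etc would break that, so confirm on such a host before tightening further. Note also that `RuntimeDirectoryMode=0755` makes /run/tailscale/tailscaled.sock reachable by every local user, which is acceptable only because tailscaled is expected to authorise socket peers itself; a one-line comment recording that assumption next to the mode (`# 0755 on purpose: tailscaled enforces root/operator on the socket`) would keep the next reader from either tightening it and breaking the CLI or trusting the mode for access control.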
From: Richard Rahl Date: Tue, 4 Nov 2025 22:44:16 +0000 Subject: [PATCH 18/25] - Update to version 1.90.6: * Routes no longer stall and fail to apply when updated repeatedly in a short period of time * Tailscale SSH no longer hangs for 10s when connecting to tsrecorder. This affected tailnets that use Tailscale SSH recording OBS-URL: https://build.opensuse.org/package/show/network:vpn/tailscale?expand=0&rev=104 --- .gitattributes | 23 ++ .gitignore | 1 + _service | 18 ++ _servicedata | 4 + build-verbose.patch | 13 + disable-auto-update.patch | 25 ++ fix-CVE-2025-58058.patch | 28 ++ tailscale-1.86.5.tar.gz | 3 + tailscale-1.88.1.tar.gz | 3 + tailscale-1.88.3.tar.gz | 3 + tailscale-1.90.2.tar.gz | 3 + tailscale-1.90.3.tar.gz | 3 + tailscale-1.90.4.tar.gz | 3 + tailscale-1.90.6.tar.gz | 3 + tailscale.changes | 636 ++++++++++++++++++++++++++++++++++++++ tailscale.spec | 143 +++++++++ tailscaled.defaults | 8 + tailscaled.service | 35 +++ vendor.tar.gz | 3 + 19 files changed, 958 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 _service create mode 100644 _servicedata create mode 100644 build-verbose.patch create mode 100644 disable-auto-update.patch create mode 100644 fix-CVE-2025-58058.patch create mode 100644 tailscale-1.86.5.tar.gz create mode 100644 tailscale-1.88.1.tar.gz create mode 100644 tailscale-1.88.3.tar.gz create mode 100644 tailscale-1.90.2.tar.gz create mode 100644 tailscale-1.90.3.tar.gz create mode 100644 tailscale-1.90.4.tar.gz create mode 100644 tailscale-1.90.6.tar.gz create mode 100644 tailscale.changes create mode 100644 tailscale.spec create mode 100644 tailscaled.defaults create mode 100644 tailscaled.service create mode 100644 vendor.tar.gz diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes 
@@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/_service b/_service new file mode 100644 index 0000000..7e6bdb5 --- /dev/null +++ b/_service @@ -0,0 +1,18 @@ + + + https://github.com/tailscale/tailscale.git + git + yes + refs/tags/v1.90.6 + @PARENT_TAG@ + v(.*) + disable + + + + *.tar + gz + + + + diff --git a/_servicedata b/_servicedata new file mode 100644 index 0000000..d4fed67 --- /dev/null +++ b/_servicedata @@ -0,0 +1,4 @@ + + + https://github.com/tailscale/tailscale.git + aa448d5a9985378af04966c6d7aec8d9f4a166ca \ No newline at end of file diff --git a/build-verbose.patch b/build-verbose.patch new file mode 100644 index 0000000..5da7533 --- /dev/null +++ b/build-verbose.patch 
@@ -0,0 +1,13 @@
+diff --git a/build_dist.sh b/build_dist.sh
+index 0c757c26..9639d596 100755
+--- a/build_dist.sh
++++ b/build_dist.sh
+@@ -9,7 +9,7 @@
+ # this script, or executing equivalent commands in your
+ # distro-specific build system.
+ 
+-set -eu
++set -eux
+ 
+ go="go"
+ if [ -n "${TS_USE_TOOLCHAIN:-}" ]; then
diff --git a/disable-auto-update.patch b/disable-auto-update.patch
new file mode 100644
index 0000000..c7d8a30
--- /dev/null
+++ b/disable-auto-update.patch
@@ -0,0 +1,25 @@
+diff -rub tailscale/clientupdate/clientupdate.go tailscale-patched/clientupdate/clientupdate.go
+--- tailscale/clientupdate/clientupdate.go 2024-06-16 15:26:31.323022871 +0200
++++ tailscale-patched/clientupdate/clientupdate.go 2024-06-16 15:57:08.732315446 +0200
+@@ -205,6 +205,8 @@
+ // The distro.Debian switch case above should catch most apt-based
+ // systems, but add this fallback just in case.
+ return up.updateDebLike, true
++ case haveExecutable("zypper"):
++ return up.updateSUSE, false
+ case haveExecutable("dnf"):
+ return up.updateFedoraLike("dnf"), true
+ case haveExecutable("yum"):
+@@ -526,6 +528,12 @@
+ you can use "pacman --sync --refresh --sysupgrade" or "pacman -Syu" to upgrade the system, including Tailscale.`)
+ }
+ 
++func (up *Updater) updateSUSE() error {
++ // SUSE-based distros should update manually.
++ // The package can come from official Tailscale repos or not and the system can be transactional or not.
++ return errors.New(`Use Zypper or transactional-update (on applicable systems) to update Tailscale on openSUSE or SUSE Linux Enterprise installations.`)
++}
++
+ func (up *Updater) updateNixos() error {
+ // NixOS package updates are managed on a system level and not individually.
+ // Direct users to update their nix channel or nixpkgs flake input to
diff --git a/fix-CVE-2025-58058.patch b/fix-CVE-2025-58058.patch
new file mode 100644
index 0000000..867ec16
--- /dev/null
+++ b/fix-CVE-2025-58058.patch
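Review bot: The new `case haveExecutable("zypper")` in disable-auto-update.patch selects `updateSUSE` purely because a zypper binary exists, whereas the context the hunk keeps (`The distro.Debian switch case above should catch most apt-based systems, but add this fallback just in case`) shows upstream keys on the detected distro first and treats the executable probe as a last resort; on a SUSE host where tailscale did not come from the distro package (upstream tarball, or an image carrying zypper next to another package manager) this case still fires and refuses every self-update. If `version/distro` offers no SUSE identifier that is probably the pragmatic choice, but the patch file has no header at all; I would add one stating intent and assumption, e.g. `# openSUSE: never self-update, zypper/transactional-update own the binary. Keyed on the zypper executable because version/distro has no SUSE value - re-check on rebase.`. Returning `false` as the second value is presumably what switches off the automatic path (the neighbouring cases return `true`), so the header should say that too rather than leaving it to the error text alone.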
@@ -0,0 +1,28 @@
+diff --git a/go.mod b/go.mod
+index 3d7514158..837fc8c44 100644
+--- a/go.mod
++++ b/go.mod
+@@ -382,7 +382,7 @@ require (
+ github.com/tomarrell/wrapcheck/v2 v2.8.3 // indirect
+ github.com/tommy-muehle/go-mnd/v2 v2.5.1 // indirect
+ github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 // indirect
+- github.com/ulikunitz/xz v0.5.11 // indirect
++ github.com/ulikunitz/xz v0.5.15 // indirect
+ github.com/ultraware/funlen v0.1.0 // indirect
+ github.com/ultraware/whitespace v0.1.0 // indirect
+ github.com/uudashr/gocognit v1.1.2 // indirect
+diff --git a/go.sum b/go.sum
+index 995b93010..715cd6dea 100644
+--- a/go.sum
++++ b/go.sum
+@@ -1010,8 +1010,8 @@ github.com/u-root/u-root v0.14.0 h1:Ka4T10EEML7dQ5XDvO9c3MBN8z4nuSnGjcd1jmU2ivg=
+ github.com/u-root/u-root v0.14.0/go.mod h1:hAyZorapJe4qzbLWlAkmSVCJGbfoU9Pu4jpJ1WMluqE=
+ github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 h1:pyC9PaHYZFgEKFdlp3G8RaCKgVpHZnecvArXvPXcFkM=
+ github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701/go.mod h1:P3a5rG4X7tI17Nn3aOIAYr5HbIMukwXG0urG0WuL8OA=
+-github.com/ulikunitz/xz v0.5.11 h1:kpFauv27b6ynzBNT/Xy+1k+fK4WswhN/6PN5WhFAGw8=
+-github.com/ulikunitz/xz v0.5.11/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
++github.com/ulikunitz/xz v0.5.15 h1:9DNdB5s+SgV3bQ2ApL10xRc35ck0DuIX/isZvIk+ubY=
++github.com/ulikunitz/xz v0.5.15/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
+ github.com/ultraware/funlen v0.1.0 h1:BuqclbkY6pO+cvxoq7OsktIXZpgBSkYTQtmwhAK81vI=
+ github.com/ultraware/funlen v0.1.0/go.mod h1:XJqmOQja6DpxarLj6Jj1U7JuoS8PvL4nEqDaQhy22p4=
+ github.com/ultraware/whitespace v0.1.0 h1:O1HKYoh0kIeqE8sFqZf1o0qbORXUCOQFrlaQyZsczZw=
diff --git a/tailscale-1.86.5.tar.gz b/tailscale-1.86.5.tar.gz
new file mode 100644
index 0000000..c896ccb
--- /dev/null
+++ b/tailscale-1.86.5.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:41d7a8318ae624bd7f8315d4f4d929025f403837b97d505e142064273dde7b6d
+size 73557568
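Review bot: This patch touches only go.mod and go.sum, but the package is built from the vendored tree in vendor.tar.gz (unpacked by `%autosetup -a1` in the spec shown earlier in this series), and with a vendor/ directory present Go verifies vendor/modules.txt against go.mod and refuses to build on a mismatch; on its own the hunk therefore either breaks the build or is redundant with a vendor.tar.gz that was regenerated against ulikunitz/xz v0.5.15, and which of the two happened cannot be seen from here. The patch also has no header: add a few lines naming CVE-2025-58058, bsc#1248920, the upstream commit or release that moved xz to v0.5.15, and whether vendor.tar.gz was refreshed in the same change, e.g. `# CVE-2025-58058 (bsc#1248920): bump github.com/ulikunitz/xz to v0.5.15; vendor.tar.gz regenerated to match`. Since the module is marked `// indirect`, it is also worth recording there which importer pulls in the xz decoder and whether the affected code path is reachable from the shipped tailscale/tailscaled binaries, because that is what decides whether this is a real fix or a hygiene bump.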
diff --git a/tailscale-1.88.1.tar.gz b/tailscale-1.88.1.tar.gz
new file mode 100644
index 0000000..ca210fd
--- /dev/null
+++ b/tailscale-1.88.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8bf6ec31b921f822867977bee5a57bcd79e1ac721fc1498dc99f8b4e028942c4
+size 74267799
diff --git a/tailscale-1.88.3.tar.gz b/tailscale-1.88.3.tar.gz
new file mode 100644
index 0000000..26c7e7d
--- /dev/null
+++ b/tailscale-1.88.3.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cf8b2625ffe57b92ad34af619e0e78202fd9c3d219295c18781d3682411efce1
+size 75520912
diff --git a/tailscale-1.90.2.tar.gz b/tailscale-1.90.2.tar.gz
new file mode 100644
index 0000000..553ddcf
--- /dev/null
+++ b/tailscale-1.90.2.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:eb89e930b62365aeda0fd8fd1af5ab640fd47340c60286ee4102bf2738c26267
+size 75912665
diff --git a/tailscale-1.90.3.tar.gz b/tailscale-1.90.3.tar.gz
new file mode 100644
index 0000000..d5bfa94
--- /dev/null
+++ b/tailscale-1.90.3.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:94e98597379c95acc11ec3adee926f868baf0a32986ceea91e7ad90817863a00
+size 75995057
diff --git a/tailscale-1.90.4.tar.gz b/tailscale-1.90.4.tar.gz
new file mode 100644
index 0000000..aa03a50
--- /dev/null
+++ b/tailscale-1.90.4.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:540310a3c9f29866e13356b4d04d8553a582a99a3032f342ff51deed29998a97
+size 76927017
diff --git a/tailscale-1.90.6.tar.gz b/tailscale-1.90.6.tar.gz
new file mode 100644
index 0000000..33e1a1e
--- /dev/null
+++ b/tailscale-1.90.6.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cb862094a7709cfe8e21b006fdd6fb20c14fbd8a840a6d1fe8eabfdaa2f5b063
+size 77877013
diff --git a/tailscale.changes b/tailscale.changes
new file mode 100644
index 0000000..e13e128
--- /dev/null
+++ b/tailscale.changes
@@ -0,0 +1,636 @@ +------------------------------------------------------------------- +Sun Nov 2 11:43:31 UTC 2025 - Richard Rahl + +- Update to version 1.90.6: + * Routes no longer stall and fail to apply when updated repeatedly in a short + period of time + * Tailscale SSH no longer hangs for 10s when connecting to tsrecorder. This + affected tailnets that use Tailscale SSH recording + +------------------------------------------------------------------- +Wed Oct 29 09:50:22 UTC 2025 - Richard Rahl + +- Update to version 1.90.4: + * deadlock issue no longer occurs in the client when checking + for the network to be available + * tailscaled no longer sporadically panics when a + Trusted Platform Module (TPM) device is present + +------------------------------------------------------------------- +Tue Oct 28 11:12:50 UTC 2025 - Richard Rahl + +- Update to version 1.90.3: + * tailscaled shuts down as expected and without panic + * tailscaled starts up as expected in a no router configuration environment + +------------------------------------------------------------------- +Fri Oct 24 18:11:11 UTC 2025 - Richard Rahl + +- Update to version 1.90.2: + * util/linuxfw: fix 32-bit arm regression with iptables + * health: compare warnable codes to avoid errors on release branch + * feature/tpm: check TPM family data for compatibility + +------------------------------------------------------------------- +Fri Oct 24 10:08:31 UTC 2025 - Richard Rahl + +- Upate to version 1.90.1: + * Clients can use configured DNS resolvers for all domains + * Node keys will be renewed seamlessly + * Unnecessary path discovery packets over DERP servers are suppressed + * Node key sealing is GA (generally available) and enabled by default + +------------------------------------------------------------------- +Wed Oct 1 11:55:52 UTC 2025 - Richard Rahl + +- update to version 1.88.3: + * cmd/tailscale/cli: add ts2021 debug flag to set a dial plan + * control/controlhttp: simplify, fix race 
dialing, remove priority concept +- update to version 1.88.2: + * k8s-operator: reset service status before append +- require the minimum go version directly, in comparison to using the golang(API) + symbol + +------------------------------------------------------------------- +Fri Sep 12 11:11:48 UTC 2025 - Richard Rahl + +- update to version 1.88.1: + * Tailscale CLI prompts users to confirm impactful actions + * Tailscale SSH works as expected when using an IP address instead of a + hostname and MagicDNS is disabled + * fixed: Taildrive sharing when su not present + * Taildrive files remain consistently accessible + * new: Tailscale tray GUI + * DERP IPs changed for Singapore and Tokyo +- remove fix-CVE-2025-58058.patch, fixed upstream + +------------------------------------------------------------------- +Fri Aug 29 12:57:59 UTC 2025 - Richard Rahl + +- add patch fix-CVE-2025-58058.patch, fixing bsc#1248920 + +------------------------------------------------------------------- +Fri Aug 29 11:10:29 UTC 2025 - Richard Rahl + +- update to version 1.86.5: + * cmd/k8s-proxy,k8s-operator: fix serve config for userspace mode +- update to version 1.86.4: + * nothing of relevance +- update to version 1.86.3: + * nothing of relevance + +------------------------------------------------------------------- +Tue Jul 29 21:20:47 UTC 2025 - Richard Rahl + +- update to version 1.86.2: + * A deadlock issue that may have occurred in the client + * An occasional crash when establishing a new port mapping with a gateway or + firewall + +------------------------------------------------------------------- +Sat Jul 26 16:23:38 UTC 2025 - Richard Rahl + +- update to version 1.86.0: + * tsStateEncrypted device posture attribute for checking whether the + Tailscale client state is encrypted at rest + * Cross-site request forgery (CSRF) issue that may have resulted in a log in + error when accessing the web interface + * Recommended exit node when the previously recommended exit node is 
offline + * tailscale up --exit-node=auto:any and tailscale set --exit-node=auto:any + CLI commands track the recommended exit node and automatically switches to + it when available exit nodes or network conditions change + * tailscaled CLI command flag --encrypt-state encrypts the node state file on + the disk using trusted platform module (TPM) + +------------------------------------------------------------------- +Thu Jun 26 17:29:44 UTC 2025 - Richard Rahl + +- update to 1.84.3: + * ipn/ipnlocal: Update hostinfo to control on service config change + +------------------------------------------------------------------- +Tue Jun 10 15:36:55 UTC 2025 - Richard Rahl + +- update to 1.84.2: + * Re-enable setting —accept-dns by using TS_EXTRA_ARGS. This issue resulted + from stricter CLI arguments parsing introduced in Tailscale v1.84.0 + +------------------------------------------------------------------- +Fri May 30 06:23:15 UTC 2025 - Richard Rahl + +- update to 1.84.1: + * net/dns: cache dns.Config for reuse when compileConfig fails + +------------------------------------------------------------------- +Thu May 22 08:27:09 UTC 2025 - Richard Rahl + +- update to 1.84.0: + * The --reason flag is added to the tailscale down command + * ReconnectAfter policy setting, which configures the maximum period of time + between a user disconnecting Tailscale and the client automatically + reconnecting + * Tailscale CLI commands throw an error if multiple of the same flag are detected + * Network connectivity issues when creating a new profile or switching + profiles while using an exit node + * DNS-over-TCP fallback works correctly with upstream servers reachable only + via the tailnet +- remove fix-CVE-2025-22869.patch, as upstream updated their dependencies + +------------------------------------------------------------------- +Fri Apr 18 07:37:15 UTC 2025 - Richard Rahl + +- update to 1.82.5: + * A panic issue related to CUBIC congestion control in userspace mode is 
resolved. + +------------------------------------------------------------------- +Thu Mar 27 19:50:58 UTC 2025 - Richard Rahl + +- update to 1.82.0: + * DERP functionality within the client supports certificate pinning for + self-signed IP address certificates for those unable to use Let's Encrypt + or WebPKI certificates. + * Go is updated to version 1.24.1 + * NAT traversal code uses the DERP connection that a packet arrived on as an + ultimate fallback route if no other information is available + * Captive portal detection reliability is improved on some in-flight Wi-Fi networks + * Port mapping success rate is improved + * Helsinki is added as a DERP region. + +------------------------------------------------------------------- +Wed Mar 12 09:07:49 UTC 2025 - Richard Rahl + +- add patch fix-CVE-2025-22869.patch, fixes bsc#1239353 + +------------------------------------------------------------------- +Tue Mar 4 13:42:34 UTC 2025 - Richard Rahl + +- update to 1.80.3: + * appc: fix a deadlock in route advertisements + * client/web: fix CSRF handler order in web UI + +------------------------------------------------------------------- +Thu Feb 13 14:30:28 UTC 2025 - Richard Rahl + +- update to 1.80.2: + * Use ip:country as a geolocation device posture attribute (generally available). + +------------------------------------------------------------------- +Thu Feb 6 19:52:22 UTC 2025 - Richard Rahl + +- update to 1.80.1: + * net/netmon: add extra panic guard around ParseRIB + +------------------------------------------------------------------- +Fri Jan 31 17:20:29 UTC 2025 - Richard Rahl + +- update to 1.80.0: + * Hostname system policy is added for overriding the device hostname + configured by the operating system, using an MDM solution. + * Web interface displays a Login button instead of the Reauthenticate button + when adding a new device to your tailnet. 
+ * Tailscale Funnel configuration on devices displays errors when incoming + connections are not permitted and connections are disallowed. + * Connections to a custom coordination server that does not support HTTPS + will no longer fail when a custom port number is specified. + * TLS certificate requests from Let’s Encrypt include the device's DNS name + in the CSR’s SAN extension and set the Common Name field. + * Tailscale Funnel disabled on a device no longer displays enabled in the + admin console. + * GitHub username change automatically updates tailnet name + * 4via6 subnet routers GA + * Auto approvers GA + * Node attributes GA + * Download invoices GA + * Fast user switching GA + * Configuration log streaming integration with S3 buckets GA + * Network flow log streaming integration with S3 buckets GA + * NextDNS profiles per device GA + * GitHub secret scanning +- remove fix-CVE-2024-45337.patch, as it's now included + +------------------------------------------------------------------- +Wed Dec 18 17:33:23 UTC 2024 - Richard Rahl + +- add patch fix-CVE-2024-45337.patch, to circumevent a possibility + of exploiting the golang-x-crypto security hole. (fix #1234506) + +------------------------------------------------------------------- +Fri Dec 13 05:06:26 UTC 2024 - Richard Rahl + +- update to 1.78.3: + * cmd/containerboot: fix nil pointer exception + * hostinfo: fix testing in container + +------------------------------------------------------------------- +Fri Dec 6 01:22:05 UTC 2024 - Richard Rahl + +- update to 1.78.1: + * health: fix TestHealthMetric + +------------------------------------------------------------------- +Thu Dec 5 22:10:32 UTC 2024 - Richard Rahl + +- update to 1.78.0: + * Client metrics have been added, to provide insights into Tailscale client + behavior, health, and performance. + * tailscale metrics command has been added, to expose and collect client + metrics for use with third-party monitoring systems. 
+ * tailscale syspolicy command has been added, to list system policies, reload + system policies, or view errors related to the system policies configured + on the device. + * Tailscale system policies are applied immediately when pushed via mobile + device management (MDM) or Group Policy, without requiring a client restart. + * Tailscale SSH session recording detects the disappearance of the recorder + node sooner. This fix addresses a security vulnerability described + in TS-2024-013. + * New scopes for OAuth clients have been added with more granular permissions. + Existing OAuth clients using the previous set of scopes, and keys generated + using these clients, are still valid. + +------------------------------------------------------------------- +Fri Nov 8 03:46:50 UTC 2024 - Richard Rahl + +- update to 1.76.6: + * Logging for when clients move home DERP regions is improved. + * Tailscale clients no longer move their home DERP server prematurely in + response to unusual latency at very specific times. + +------------------------------------------------------------------- +Tue Oct 22 18:34:42 UTC 2024 - Richard Rahl + +- update to 1.76.3: + * no relevant changelog +- update to 1.76.2: + * no relevant changelog +- switch over to the new %{default_fw_backend} macro +- create old init file only for < leap 16 + +------------------------------------------------------------------- +Wed Oct 16 20:40:31 UTC 2024 - Richard Rahl + +- update to 1.76.1: + * tailscale netcheck CLI command no longer crashes when performing diagnostics + on networks lacking UDP connectivity. + * Improperly formatted SERVFAIL responses no longer cause DNS timeouts when using an exit node. + * dbus login sessions no longer fail on systems where /bin/login is missing. 
+ +------------------------------------------------------------------- +Mon Oct 14 13:06:13 UTC 2024 - Alexandre Vicenzi + +- Require a firewall backend (boo#1228829) +- Add simple test check to ensure binaries are working + +------------------------------------------------------------------- +Fri Oct 11 06:07:28 UTC 2024 - Richard Rahl + +- update to 1.76.0: + * Clients lacking UDP connectivity no longer skip performing fallback latency + measurements with DERP servers. + * Warnings no longer display unnecessarily. + * Tailscale connectivity on in-flight internet on airplanes (such as Alaska Airlines) no longer fails. + * Service-related processes no longer run unnecessarily when services are disabled on the tailnet. + * Error messages include explanations in addition to the HTTP status code. + * Tailscale SSH supports sending environment variables to hosts. It's also possible to specify + permitted environment variables using the acceptEnv field. + * Tailscale SSH no longer breaks some terminal applications by omitting pixel width and height when + resizing the application window. + +------------------------------------------------------------------- +Sat Sep 21 05:28:42 UTC 2024 - Eric Torres + +- Change path of zsh completion file to make zsh properly recognize completions + * /usr/share/zsh/site-functions/tailscale moved to /usr/share/zsh/site-functions/_tailscale + +------------------------------------------------------------------- +Wed Sep 18 19:10:19 UTC 2024 - Richard Rahl + +- update to 1.74.1: + * wgengine/magicsock: disable raw disco by default; add envknob to enable + +------------------------------------------------------------------- +Fri Sep 13 10:48:17 UTC 2024 - Richard Rahl + +- update to 1.74.0 + * AuthKey system policy can be used to authenticate a device with Tailscale using an MDM solution. + * tailscale dns CLI command is added for accessing Tailscale DNS settings and status. 
+ * Tailnet Lock long rotation signatures are truncated automatically to avoid excessive growth. + * Log In option in the client works as expected. + * TCP generic receive offload (GRO) support is added for improved userspace mode throughput. + * TCP generic segmentation offload (GSO) is re-introduced for supporting improved userspace mode throughput. + This was initially introduced in Tailscale v1.72.0 and then rolled back in v1.72.1. + * Device posture integration with CrowdStrike Falcon can now use MAC addresses to match devices that lack serial numbers. + When Falcon integration is configured, Device Identity Collection will automatically collect MAC addresses. + +------------------------------------------------------------------- +Thu Aug 22 22:08:51 UTC 2024 - Richard Rahl + +- update to 1.72.1: + * DNS over TCP failures when querying the Tailscale-internal resolver are fixed. + +------------------------------------------------------------------- +Wed Aug 21 16:05:02 UTC 2024 - rrahl0@opensuse.org + +- Update to version 1.72.0: + * posture: deduplicate MAC addresses before returning them + * health/dns: reduce severity of DNS unavailable warning + * safeweb: add Server.Close method + * go.mod.sri: update SRI hash for go.mod changes + * go.{mod,sum}: migrate from nhooyr.io/websocket to github.com/coder/websocket + * cmd/viewer: add support for map-like container types +- update golang(API) to 1.23 +- export version variables, to circumvent a bug + +------------------------------------------------------------------- +Thu Jul 18 06:31:58 UTC 2024 - Richard Rahl + +- update to 1.70.0: + * New: Restrict recommended and automatically selected exit nodes using the + new AllowedSuggestedExitNodes system policy. Applies only to platforms that + support system policies. + * Changed: Improved NAT traversal for some uncommon scenarios. + * Changed: Optimized sending firewall rules to clients more efficiently. 
+ * Fixed: Exit node suggestion CLI command now prints the hostname. + * Fixed: Taildrive share paths configured through the CLI resolve relative + to where you run the tailscale command. + +------------------------------------------------------------------- +Tue Jul 2 20:35:35 UTC 2024 - Richard Rahl + +- update to 1.68.2: + * Fixed: Tailnet lock validation of rotation signatures now permits multiple nodes + signed by the same pre-signed reusable auth key. + +------------------------------------------------------------------- +Sun Jun 16 13:30:20 UTC 2024 - Richard Rahl + +- update to 1.68.1: + * Fixed: 4via6 subnet router advertisement works as expected. + * Fixed: Tailscale SSH access to Security-Enhanced Linux (SELinux) machines works as expected. +- update to 1.68.0: + * New: Auto-updates are allowed in containers, but ignore the tailnet-wide default + * New: Apply auto-updates even if the node is down or disconnected from the coordination server. + * New: tailscale lock status now prints the node's signature. + +------------------------------------------------------------------- +Wed May 22 08:36:37 UTC 2024 - Richard Rahl + +- update to 1.66.4: + * Fixed: Restored UDP connectivity through Mullvad exit nodes + * Stateful filtering is now off by default + +- update to 1.66.3: + * Login URLs did not always appear in the console when running tailscale up + * Starting with v1.66, the Kubernetes operator must always run the same or later version + as the proxies it manages. 
+ * Expose cloud services on cluster network to the tailnet, using Kubernetes ExternalName Services + * Expose tailnet services that use Tailscale HTTPS to cluster workloads + * Cluster workloads can now refer to Tailscale Ingress resources by their MagicDNS names + * Configure environment variables for Tailscale Kubernetes operator proxies using ProxyClass CRD + * Expose tailscaled metrics endpoint for Tailscale Kubernetes operator proxies through ProxyClass CRD + * Configure labels for the Kubernetes operator Pods with Helm chart values + * Configure affinity rules for Kubernetes operator proxy Pods with ProxyClass + * Kubernetes operator proxy init container no longer attempts to enable IPv6 forwarding on systems + that don't have IPv6 module loaded + * Tailscale containers running on Kubernetes no longer error if an empty Kubernetes Secret is + pre-created for the tailscaled state + * Improved the ambiguous error messages when Tailscale running on Kubernetes does not have the right + permissions to perform actions against the tailscaled state Secret + +------------------------------------------------------------------- +Fri May 10 15:16:33 UTC 2024 - Richard Rahl + +- update to 1.66.1: + * Resolved issues with nftables rules for stateful filtering, + introduced in v1.66.0. + * tailscale set command flags --netfilter-mode, --snat-subnet-routes, + and --stateful-filtering are added. + +- update to 1.66.0: + * Implemented client-side quarantining for shared-in exit nodes, + as a mitigation for a security vulnerability described in TS-2024-005. + * Use the --stateful-filtering flag for the tailscale up to enable stateful filtering for + subnet routers and exit nodes, as a mitigation for a security vulnerability described + in TS-2024-005. + * Added tab completions + * Use the tailscale exit-node suggest command to automatically pick an available exit node + that is likely to perform best. 
+ * Site-to-site networking now also requires --stateful-filtering=false in addition to + --snat-subnet-routes=false on new subnet routers. Existing subnet routers with --snat-subnet-routes=false + will default to --stateful-filtering=false. + +- update to 1.64.2: + * nothing relevant for linux + +- update to 1.64.1: + * nothing relevant for linux + +- update to 1.64.0: + * New: tailscale configure kubeconfig now respects KUBECONFIG environment variable. + * Fixed: tailscale configure kubeconfig now works with partially empty kubeconfig. + * Fixed: MSS clamping for Kubernetes operator proxies using nftables. + * Fixed: Containers on hosts with partial support for ip6tables no longer crash. + +- turn of changelog generation +- add completions for bash + +------------------------------------------------------------------- +Sat Mar 30 08:28:56 UTC 2024 - Richard Rahl + +- update to 1.62.1: + * Send load balancing hint HTTP request header + * Fixed: Kubernetes operator proxies should not accept subnet routes + +------------------------------------------------------------------- +Thu Mar 14 03:13:54 UTC 2024 - rrahl0@proton.me + +- update to 1.62.0: + * IPv6 support detection in a container environment is improved + * New: Web interface now uses ACL grants to manage access on tagged devices + * Tailscale SSH connections now disable unnecessary hostname canonicalization + * tailscale bugreport command for generating diagnostic logs now contain ethtool information + * Mullvad's family-friendly server is added to the list of well known DNS over HTTPS (DoH) servers + * DNS over HTTP requests now contain a timeout + * TCP forwarding attempts in userspace mode now have a per-client limit + * Endpoints with link-local IPv6 addresses is preferred over private addresses + * WireGuard logs are less verbose + * Go min. 
version 1.22.1 + * DERP server region no longer changes if connectivity to the new DERP region is degraded + +- update to 1.60.1: + * Exposing port 8080 to other devices on your tailnet works as expected + +------------------------------------------------------------------- +Tue Feb 20 22:10:41 UTC 2024 - Alexandre Vicenzi + +- Add disable-auto-update.patch to prevent auto updates and instead + ask users to use Zypper to update manually + +------------------------------------------------------------------- +Tue Feb 20 14:52:46 UTC 2024 - Richard Rahl + +- change to the non deprecated manualrun + +------------------------------------------------------------------- +Fri Feb 16 14:38:14 UTC 2024 - alexandre.vicenzi@suse.com + +- Spec cleanup + * Use tar_scm to avoid commit hashes in the spec + * Use tailscale build scripts + * Drop ProtectClock fix for Leap, DeviceAllow fixes it +- Add build-verbose.patch to get go flags into build log +- Enable PrivateDevices but allow access to /dev/net/tun in tailscaled.service + +------------------------------------------------------------------- +Fri Feb 16 00:50:26 UTC 2024 - Richard Rahl + +- update to 1.60.0: + * minimum go version 1.22 + * authentication: present users with a valid login page when + attempting to login even after leaving device unattended for several days + * networking: mute noisy peer mtu discovery errors + * networking: expose gVisor metrics in debug mode + * port mapper: support legacy "urn:dslforum-org" port mapping services + * port mapper: fix crash when no support mapping services found + * ssh: log warning when unable to find SSH host keys + * serve: improve error message when running as non-root + * Detect when Tailscale is running on Digital Ocean and automatically + use Digital Ocean's DNS resolvers + * enable app connectors to install routes for domains that resolve to CNAME + records + * support pre-configured routes from control server + * add new read-only mode + * tailscale status command: 
fix output formatting Tailnet + includes location-based exit nodes + * a new ProxyClass custom resource that allows to provide custom + configuration for cluster resources that the operator creates + * ACL tags for the operator can now be configured via Helm chart values + * routing to Ingress backends that require an exact path without a slash + +------------------------------------------------------------------- +Wed Feb 7 14:52:53 UTC 2024 - Richard Rahl + +- make rpm not overwrite /etc/default/taiscaled +- defattr everything to root + +------------------------------------------------------------------- +Sat Feb 3 11:18:05 UTC 2024 - Richard Rahl + +- no stripping of binaries +- add commitID to binaries for upstream +- add directory for saved configs + +------------------------------------------------------------------- +Tue Jan 23 23:54:36 UTC 2024 - Richard Rahl + +- switch services to manual +- update to version 1.58.2: + * Fixed: [App connectors][app-connectors] have improved scheduling + and merging of route changes under some conditions + * Fixed: Crash when performing UPnP portmapping on older routers + with no supported portmapping services + +------------------------------------------------------------------- +Fri Jan 19 08:06:27 UTC 2024 - Richard Rahl + +- update to version 1.58.0: + * portmap: check the epoch from NAT-PMP & PCP, establish new portmapping if it changes + * portmap: better handle multiple interfaces + * portmap: handle multiple UPnP discovery responses + * increase the number of 4via6 site IDs from 256 to 65,536 + * taildrop: allow category Z unicode characters + * increased binary size with 1.56 is resolved in 1.58 + * Reduce home DERP flapping when there's still an active connection + * device web ui: fixed issue when accessing shared devices + * device web ui: fixed login issue when accessed over https + +------------------------------------------------------------------- +Wed Jan 10 02:17:57 UTC 2024 - Richard Rahl + +- fix an 
issue with Leap, where ProtectClock prevents to connect to + /dev/net/tun + +------------------------------------------------------------------- +Fri Dec 15 21:22:39 UTC 2023 - Richard Rahl + +- update to version 1.56.1: + * Fixed: Web interface redirects to the correct self IP known by source peer + * Fixed: Usage of slices.Compact from app connector domains list + +------------------------------------------------------------------- +Fri Dec 15 13:48:28 UTC 2023 - Richard Rahl + +- fix version output to what upstream expects + +------------------------------------------------------------------- +Wed Dec 13 22:08:30 UTC 2023 - rrahl0@proton.me + +- Update to version 1.56.0: + * improve responsiveness under load, especially with bidirectional traffic + * improve UPnP portmapping + * add tailscale whois subcommand to observe metadata associated with a Tailscale IP + * include tailnet name and profile ID in tailscale switch --list to disambiguate + profiles with common login names + * improve tailscale web interface for configuring some device settings such as exit nodes, + subnet routers, and Tailscale SSH + * improve containerboot to symlink its socket file if possible, + making the tailscale CLI work without --socket=/tmp/tailscale.sock + * add support in Kubernetes operator cluster egress for referring to a tailnet service + by its MagicDNS name + + +- Update to version 1.54.1: + * no relevant updates to the linux version + +------------------------------------------------------------------- +Fri Nov 24 21:59:11 UTC 2023 - Richard Rahl + +- tailscale couldn't connect to /dev/net/tun + +------------------------------------------------------------------- +Thu Nov 23 06:51:24 UTC 2023 - rrahl0@proton.me + +- Update to version 1.54.0: + * improve throughput substantially for UDP packets over TUN device with recent Linux kernels + + +- Update to version 1.52.1: + * no linux improvements + +- Update to version 1.52.0: + * tailscale set command flag --auto-update is 
added to opt in to automatic client updates + * tailscale serve and tailscale funnel commands are updated for improved usability + * tailscale update command for manual updates is now in beta + * Taildrop file transfer displays a progress meter + * nftables auto-detection is improved when TS_DEBUG_FIREWALL_MODE=auto is used + * DNS detection of NetworkManager with configured but absent systemd-resolved + * Taildrop now resumes file transfers after partial transfers are interrupted + * tailscale up command displays a message about client updates when newer versions are available + * tailscale status command displays a message about client updates when newer versions are available + * tailscale cert command renews in the background. The current certificate only displays if it has expired. + +------------------------------------------------------------------- +Mon Oct 02 23:51:03 UTC 2023 - rrahl0@proton.me + +- Update to version 1.50.1: + * fix bug where serve config could get wiped + * Funnel support for tsnet apps + * fix potential crash with UPnP + +------------------------------------------------------------------- +Sat Sep 30 19:38:50 UTC 2023 - rrahl0@proton.me + +- Update to version 1.50.0: + * Update tailscale{,d} licenses + * Update Quad9 addresses and references + * Adds support for Wikimedia DNS using DNS-over-HTTPS + +- Update to version 1.48.1: + * no relevant updates + +- Update to version 1.48.2: + * Improvements to Mullvad exit nodes + +------------------------------------------------------------------- +Fri Aug 18 15:56:24 UTC 2023 - Richard Rahl + +- Initial revision diff --git a/tailscale.spec b/tailscale.spec new file mode 100644 index 0000000..5bdac95 --- /dev/null +++ b/tailscale.spec 
@@ -0,0 +1,143 @@
+#
+# spec file for package tailscale
+#
+# Copyright (c) 2025 SUSE LLC and contributors
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name: tailscale
+Version: 1.90.6
+Release: 0
+Summary: The easiest, most secure way to use WireGuard and 2FA
+License: BSD-3-Clause
+URL: https://github.com/tailscale/tailscale
+Source: %{name}-%{version}.tar.gz
+Source1: vendor.tar.gz
+Source2: %{name}d.service
+Source3: %{name}d.defaults
+Patch0: build-verbose.patch
+Patch1: disable-auto-update.patch
+BuildRequires: bash-completion
+BuildRequires: fish
+BuildRequires: git-core
+BuildRequires: go1.25 >= 1.25.3
+BuildRequires: golang-packaging
+BuildRequires: zsh
+Requires: %{default_firewall_backend}
+ExcludeArch: %{ix86}
+%{?systemd_requires}
+
+%description
+Tailscale is a modern VPN built on top of Wireguard. It works like an overlay
+network between the computers of your networks using NAT traversal.
+
+%package bash-completion
+Summary: Tailscale bash completion
+Supplements: (%{name} and bash-completion)
+BuildArch: noarch
+
+%description bash-completion
+bash completions for %{name}
+
+%package zsh-completion
+Summary: Tailsacle zsh completion
+Supplements: (%{name} and zsh)
+BuildArch: noarch
+
+%description zsh-completion
+zsh completion for %{name}
+
+%package fish-completion
+Summary: Tailscale fish completion
+Supplements: (%{name} and fish)
+BuildArch: noarch
+
+%description fish-completion
+fish completion for %{name}
+
+%prep
+%autosetup -a1 -p1
+
+%build
+%ifnarch ppc64
+export GOFLAGS="-buildmode=pie"
+%endif
+export VERSION_SHORT=%{version}
+export VERSION_LONG=%{version}
+export VERSION_GIT_HASH='$(git rev-parse v%{version})'
+./build_dist.sh ./cmd/%{name}
+./build_dist.sh ./cmd/%{name}d
+
+#generate completions
+./%{name} completion bash > ./%{name}.bash
+./%{name} completion zsh > ./%{name}.zsh
+./%{name} completion fish > ./%{name}.fish
+
+%check
+./%{name} version
+./%{name}d -version
+
+%install
+mkdir -p %{buildroot}%{_sharedstatedir}/%{name}
+
+install -D -p -m 0755 %{name} %{buildroot}%{_bindir}/%{name}
+install -D -p -m 0755 %{name}d %{buildroot}%{_sbindir}/%{name}d
+
+# service
+install -D -p -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/%{name}d.service
+%if 0%{?suse_version} < 1600
+ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}d
+%endif
+
+# defaults
+install -D -p -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/default/%{name}d
+
+install -D -p -m 0644 ./%{name}.bash %{buildroot}%{_datadir}/bash-completion/completions/%{name}
+install -D -p -m 0644 ./%{name}.zsh %{buildroot}%{_datadir}/zsh/site-functions/_%{name}
+install -D -p -m 0644 ./%{name}.fish %{buildroot}%{_datadir}/fish/vendor_completions.d/%{name}
+
+%pre
+%service_add_pre %{name}d.service
+
+%post
+%service_add_post %{name}d.service
+
+%preun
+%service_del_preun %{name}d.service
+
+%postun
+%service_del_postun %{name}d.service
+
+%files
+%license LICENSE PATENTS
+%doc README.md SECURITY.md
+%config(noreplace) %{_sysconfdir}/default/%{name}d
+%dir %{_sharedstatedir}/%{name}
+%{_bindir}/%{name}
+%{_sbindir}/%{name}d
+%{_unitdir}/%{name}d.service
+%if 0%{?suse_version} < 1600
+%{_sbindir}/rc%{name}d
+%endif
+
+%files bash-completion
+%{_datadir}/bash-completion/completions/%{name}
+
+%files zsh-completion
+%{_datadir}/zsh/site-functions/_%{name}
+
+%files fish-completion
+%{_datadir}/fish/vendor_completions.d/%{name}
+
+%changelog
diff --git a/tailscaled.defaults b/tailscaled.defaults
new file mode 100644
index 0000000..75f1c3e
--- /dev/null
+++ b/tailscaled.defaults
@@ -0,0 +1,8 @@
+# Set the port to listen on for incoming VPN packets.
+# Remote nodes will automatically be informed about the new port number,
+# but you might want to configure this in order to set external firewall
+# settings.
+PORT="41641"
+
+# Extra flags you might want to pass to tailscaled.
+FLAGS=""
diff --git a/tailscaled.service b/tailscaled.service
new file mode 100644
index 0000000..b67b94d
--- /dev/null
+++ b/tailscaled.service
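Review bot: `%dir %{_sharedstatedir}/%{name}` in `%files` ships /var/lib/tailscale with the default 0755 mode, while the packaged unit sets `StateDirectoryMode=0700` on the same directory, which holds tailscaled.state and therefore the node's private key material; `%dir %attr(0700,root,root) %{_sharedstatedir}/%{name}` keeps the package consistent with the unit and keeps `rpm -V` from reporting the mode systemd applies at first start. In `%build`, `export VERSION_GIT_HASH='$(git rev-parse v%{version})'` is single-quoted, so the shell exports the literal text rather than a commit hash; unless build_dist.sh re-evaluates that value itself (not visible here), the commit stamp embedded in the binaries is that literal string, and the line should either use double quotes when the unpacked source is a git checkout or be dropped. `Summary: Tailsacle zsh completion` misspells Tailscale.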
@@ -0,0 +1,35 @@
+[Unit]
+Description=Tailscale node agent
+Documentation=https://tailscale.com/kb/
+Wants=network-pre.target
+After=network-pre.target NetworkManager.service systemd-resolved.service
+
+[Service]
+EnvironmentFile=/etc/default/tailscaled
+ExecStartPre=/usr/sbin/tailscaled --cleanup
+ExecStart=/usr/sbin/tailscaled --state=/var/lib/tailscale/tailscaled.state --socket=/run/tailscale/tailscaled.sock --port=${PORT} $FLAGS
+ExecStopPost=/usr/sbin/tailscaled --cleanup
+Restart=on-failure
+RuntimeDirectory=tailscale
+RuntimeDirectoryMode=0755
+StateDirectory=tailscale
+StateDirectoryMode=0700
+CacheDirectory=tailscale
+CacheDirectoryMode=0750
+Type=notify
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+PrivateDevices=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+RestrictRealtime=true
+# give permission to TUN
+BindPaths=/dev/net/tun
+DeviceAllow=/dev/net/tun rw
+
+[Install]
+WantedBy=multi-user.target
diff --git a/vendor.tar.gz b/vendor.tar.gz
new file mode 100644
index 0000000..16a1587
--- /dev/null
+++ b/vendor.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:36938824be93cbf4fbcad92e6db821b26dfb08d09de91f73208332fa0e0e5c15
+size 20773444
-- 
2.51.1

From d8cbdec28efddee49cf0050401d30e26201ae4860d4f205333fd7b783fe05b19 Mon Sep 17 00:00:00 2001
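Review bot: The hardening block under the openSUSE comment leaves the whole root filesystem writable, since no `ProtectSystem=` is set, and it also omits `LockPersonality=true`, `RestrictSUIDSGID=true` and `SystemCallArchitectures=native`, which are safe for a root-run Go daemon and belong to the same linked list. `ProtectSystem=full` would additionally need a `ReadWritePaths=` for whatever tailscaled modifies under /etc — it rewrites the resolver configuration when it manages DNS, so verify the exact paths on a Leap and a Tumbleweed host before tightening; /var/lib and /run are already covered by `StateDirectory`/`RuntimeDirectory`. `StateDirectoryMode=0700` is the right choice, as tailscaled.state holds the node's private key material. A short comment above `ExecStart` recording that `$FLAGS` is deliberately left unbraced so systemd word-splits it into separate arguments, whereas `${PORT}` on the same line expands as a single word, would spare the next maintainer from "fixing" the inconsistency.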
From: Richard Rahl Date: Wed, 19 Nov 2025 18:22:06 +0000 Subject: [PATCH 19/25] - Update to version 1.90.8: * tka: move RemoveAll() to CompactableChonk - Update to version 1.90.7: * wgengine/magicsock: validate endpoint.derpAddr * wgengine/magicsock: fix UDPRelayAllocReq/Resp deadlock * net/udprelay: replace VNI pool with selection algorithm * feature/relayserver,ipn/ipnlocal,net/udprelay: plumb DERPMap * feature/relayserver: fix Shutdown() deadlock * net/netmon: do not abandon a subscriber when exiting early * tka: don't try to read AUMs which are partway through being written * tka: rename a mutex to mu instead of single-letter l * ipn/ipnlocal: use an in-memory TKA store if FS is unavailable OBS-URL: https://build.opensuse.org/package/show/network:vpn/tailscale?expand=0&rev=106 --- .gitattributes | 23 ++ .gitignore | 1 + _service | 18 ++ _servicedata | 4 + build-verbose.patch | 13 + disable-auto-update.patch | 25 ++ fix-CVE-2025-58058.patch | 28 ++ tailscale-1.86.5.tar.gz | 3 + tailscale-1.88.1.tar.gz | 3 + tailscale-1.88.3.tar.gz | 3 + tailscale-1.90.2.tar.gz | 3 + tailscale-1.90.3.tar.gz | 3 + tailscale-1.90.4.tar.gz | 3 + tailscale-1.90.6.tar.gz | 3 + tailscale-1.90.8.tar.gz | 3 + tailscale.changes | 652 ++++++++++++++++++++++++++++++++++++++ tailscale.spec | 143 +++++++++ tailscaled.defaults | 8 + tailscaled.service | 35 ++ vendor.tar.gz | 3 + 20 files changed, 977 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 _service create mode 100644 _servicedata create mode 100644 build-verbose.patch create mode 100644 disable-auto-update.patch create mode 100644 fix-CVE-2025-58058.patch create mode 100644 tailscale-1.86.5.tar.gz create mode 100644 tailscale-1.88.1.tar.gz create mode 100644 tailscale-1.88.3.tar.gz create mode 100644 tailscale-1.90.2.tar.gz create mode 100644 tailscale-1.90.3.tar.gz create mode 100644 tailscale-1.90.4.tar.gz create mode 100644 tailscale-1.90.6.tar.gz create mode 100644 
tailscale-1.90.8.tar.gz create mode 100644 tailscale.changes create mode 100644 tailscale.spec create mode 100644 tailscaled.defaults create mode 100644 tailscaled.service create mode 100644 vendor.tar.gz diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/_service b/_service new file mode 100644 index 0000000..142a4ec --- /dev/null +++ b/_service @@ -0,0 +1,18 @@ + + + https://github.com/tailscale/tailscale.git + git + yes + refs/tags/v1.90.8 + @PARENT_TAG@ + v(.*) + disable + + + + *.tar + gz + + + + diff --git a/_servicedata b/_servicedata new file mode 100644 index 0000000..d4fed67 --- /dev/null +++ b/_servicedata @@ -0,0 +1,4 @@ + + + https://github.com/tailscale/tailscale.git + aa448d5a9985378af04966c6d7aec8d9f4a166ca \ No newline at end of file 
diff --git a/build-verbose.patch b/build-verbose.patch
new file mode 100644
index 0000000..5da7533
--- /dev/null
+++ b/build-verbose.patch
@@ -0,0 +1,13 @@
+diff --git a/build_dist.sh b/build_dist.sh
+index 0c757c26..9639d596 100755
+--- a/build_dist.sh
++++ b/build_dist.sh
+@@ -9,7 +9,7 @@
+ # this script, or executing equivalent commands in your
+ # distro-specific build system.
+ 
+-set -eu
++set -eux
+ 
+ go="go"
+ if [ -n "${TS_USE_TOOLCHAIN:-}" ]; then
diff --git a/disable-auto-update.patch b/disable-auto-update.patch
new file mode 100644
index 0000000..c7d8a30
--- /dev/null
+++ b/disable-auto-update.patch
@@ -0,0 +1,25 @@
+diff -rub tailscale/clientupdate/clientupdate.go tailscale-patched/clientupdate/clientupdate.go
+--- tailscale/clientupdate/clientupdate.go 2024-06-16 15:26:31.323022871 +0200
++++ tailscale-patched/clientupdate/clientupdate.go 2024-06-16 15:57:08.732315446 +0200
+@@ -205,6 +205,8 @@
+ // The distro.Debian switch case above should catch most apt-based
+ // systems, but add this fallback just in case.
+ return up.updateDebLike, true
++ case haveExecutable("zypper"):
++ return up.updateSUSE, false
+ case haveExecutable("dnf"):
+ return up.updateFedoraLike("dnf"), true
+ case haveExecutable("yum"):
+@@ -526,6 +528,12 @@
+ you can use "pacman --sync --refresh --sysupgrade" or "pacman -Syu" to upgrade the system, including Tailscale.`)
+ }
+ 
++func (up *Updater) updateSUSE() error {
++ // SUSE-based distros should update manually.
++ // The package can come from official Tailscale repos or not and the system can be transactional or not.
++ return errors.New(`Use Zypper or transactional-update (on applicable systems) to update Tailscale on openSUSE or SUSE Linux Enterprise installations.`)
++}
++
+ func (up *Updater) updateNixos() error {
+ // NixOS package updates are managed on a system level and not individually.
+ // Direct users to update their nix channel or nixpkgs flake input to
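Review bot: The disable-auto-update.patch file begins directly with its `diff -rub` line, so nothing in the file records why the change exists or whether it is meant for upstream; a header above the first `diff` line, such as `# openSUSE: route Tailscale's self-update to a manual zypper/transactional-update message; distro policy, not for upstream (see tailscale.changes, 2024-02-20)`, is ignored by `%autosetup -p1` and keeps that context next to the code. The new `case haveExecutable("zypper")` is placed ahead of the `dnf` and `yum` cases, so a host carrying both zypper and dnf is treated as SUSE; that is probably the intended precedence, but it deserves a word in the comment. The `false` returned alongside `up.updateSUSE` presumably marks the distro as not auto-updatable, in contrast to the neighbouring cases that return `true` — confirm against the enclosing function's signature, which lies outside this hunk. `updateSUSE` never touches `up`, so it could equally be a plain function; keeping it a method matches `updateNixos` below, which is fine as a style choice.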
diff --git a/fix-CVE-2025-58058.patch b/fix-CVE-2025-58058.patch
new file mode 100644
index 0000000..867ec16
--- /dev/null
+++ b/fix-CVE-2025-58058.patch
@@ -0,0 +1,28 @@
+diff --git a/go.mod b/go.mod
+index 3d7514158..837fc8c44 100644
+--- a/go.mod
++++ b/go.mod
+@@ -382,7 +382,7 @@ require (
+ github.com/tomarrell/wrapcheck/v2 v2.8.3 // indirect
+ github.com/tommy-muehle/go-mnd/v2 v2.5.1 // indirect
+ github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 // indirect
+- github.com/ulikunitz/xz v0.5.11 // indirect
++ github.com/ulikunitz/xz v0.5.15 // indirect
+ github.com/ultraware/funlen v0.1.0 // indirect
+ github.com/ultraware/whitespace v0.1.0 // indirect
+ github.com/uudashr/gocognit v1.1.2 // indirect
+diff --git a/go.sum b/go.sum
+index 995b93010..715cd6dea 100644
+--- a/go.sum
++++ b/go.sum
+@@ -1010,8 +1010,8 @@ github.com/u-root/u-root v0.14.0 h1:Ka4T10EEML7dQ5XDvO9c3MBN8z4nuSnGjcd1jmU2ivg=
+ github.com/u-root/u-root v0.14.0/go.mod h1:hAyZorapJe4qzbLWlAkmSVCJGbfoU9Pu4jpJ1WMluqE=
+ github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 h1:pyC9PaHYZFgEKFdlp3G8RaCKgVpHZnecvArXvPXcFkM=
+ github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701/go.mod h1:P3a5rG4X7tI17Nn3aOIAYr5HbIMukwXG0urG0WuL8OA=
+-github.com/ulikunitz/xz v0.5.11 h1:kpFauv27b6ynzBNT/Xy+1k+fK4WswhN/6PN5WhFAGw8=
+-github.com/ulikunitz/xz v0.5.11/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
++github.com/ulikunitz/xz v0.5.15 h1:9DNdB5s+SgV3bQ2ApL10xRc35ck0DuIX/isZvIk+ubY=
++github.com/ulikunitz/xz v0.5.15/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
+ github.com/ultraware/funlen v0.1.0 h1:BuqclbkY6pO+cvxoq7OsktIXZpgBSkYTQtmwhAK81vI=
+ github.com/ultraware/funlen v0.1.0/go.mod h1:XJqmOQja6DpxarLj6Jj1U7JuoS8PvL4nEqDaQhy22p4=
+ github.com/ultraware/whitespace v0.1.0 h1:O1HKYoh0kIeqE8sFqZf1o0qbORXUCOQFrlaQyZsczZw=
diff --git a/tailscale-1.86.5.tar.gz b/tailscale-1.86.5.tar.gz
new file mode 100644
index 0000000..c896ccb
--- /dev/null
+++ b/tailscale-1.86.5.tar.gz
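Review bot: Bumping only go.mod and go.sum does not by itself change what is linked into the binaries, because the spec builds from the unpacked vendor.tar.gz (`%autosetup -a1`) rather than from the module cache; unless vendor/modules.txt and the vendored github.com/ulikunitz/xz tree were regenerated with this patch applied, the build fails Go's vendor consistency check or, if vendoring is bypassed, fetches the module at build time outside the reviewed tarball. The neighbouring entries in this require block (wrapcheck, go-mnd, funlen, gocognit) are linter modules and xz itself is `// indirect`, so it is worth confirming with `go mod why -m github.com/ulikunitz/xz` that the module reaches the shipped tailscale/tailscaled binaries at all before crediting the bump with fixing bsc#1248920. The changelog carried in this same series records the patch as removed at 1.88.1 because the fix landed upstream, yet the file is still part of this commit; if the spec for this revision (outside this chunk) no longer applies it, delete the file so nobody assumes the CVE fix still depends on it. A one-line header above the first `diff --git` line naming the CVE, the bug and the upstream fix commit it mirrors would also let reviewers tell a backport from a local-only change.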
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:41d7a8318ae624bd7f8315d4f4d929025f403837b97d505e142064273dde7b6d
+size 73557568
diff --git a/tailscale-1.88.1.tar.gz b/tailscale-1.88.1.tar.gz
new file mode 100644
index 0000000..ca210fd
--- /dev/null
+++ b/tailscale-1.88.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8bf6ec31b921f822867977bee5a57bcd79e1ac721fc1498dc99f8b4e028942c4
+size 74267799
diff --git a/tailscale-1.88.3.tar.gz b/tailscale-1.88.3.tar.gz
new file mode 100644
index 0000000..26c7e7d
--- /dev/null
+++ b/tailscale-1.88.3.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cf8b2625ffe57b92ad34af619e0e78202fd9c3d219295c18781d3682411efce1
+size 75520912
diff --git a/tailscale-1.90.2.tar.gz b/tailscale-1.90.2.tar.gz
new file mode 100644
index 0000000..553ddcf
--- /dev/null
+++ b/tailscale-1.90.2.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:eb89e930b62365aeda0fd8fd1af5ab640fd47340c60286ee4102bf2738c26267
+size 75912665
diff --git a/tailscale-1.90.3.tar.gz b/tailscale-1.90.3.tar.gz
new file mode 100644
index 0000000..d5bfa94
--- /dev/null
+++ b/tailscale-1.90.3.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:94e98597379c95acc11ec3adee926f868baf0a32986ceea91e7ad90817863a00
+size 75995057
diff --git a/tailscale-1.90.4.tar.gz b/tailscale-1.90.4.tar.gz
new file mode 100644
index 0000000..aa03a50
--- /dev/null
+++ b/tailscale-1.90.4.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:540310a3c9f29866e13356b4d04d8553a582a99a3032f342ff51deed29998a97
+size 76927017
diff --git a/tailscale-1.90.6.tar.gz b/tailscale-1.90.6.tar.gz
new file mode 100644
index 0000000..33e1a1e
--- /dev/null
+++ b/tailscale-1.90.6.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cb862094a7709cfe8e21b006fdd6fb20c14fbd8a840a6d1fe8eabfdaa2f5b063
+size 77877013
diff --git a/tailscale-1.90.8.tar.gz b/tailscale-1.90.8.tar.gz
new file mode 100644
index 0000000..56e8d0f
--- /dev/null
+++ b/tailscale-1.90.8.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c163ace41d1c35beb7a9d87da20a102a108ca9c4d128a29ff9764344e5c5406d
+size 78844949
diff --git a/tailscale.changes b/tailscale.changes
new file mode 100644
index 0000000..330fc5c
--- /dev/null
+++ b/tailscale.changes
@@ -0,0 +1,652 @@ +------------------------------------------------------------------- +Wed Nov 19 16:23:06 UTC 2025 - Richard Rahl + +- Update to version 1.90.8: + * tka: move RemoveAll() to CompactableChonk +- Update to version 1.90.7: + * wgengine/magicsock: validate endpoint.derpAddr + * wgengine/magicsock: fix UDPRelayAllocReq/Resp deadlock + * net/udprelay: replace VNI pool with selection algorithm + * feature/relayserver,ipn/ipnlocal,net/udprelay: plumb DERPMap + * feature/relayserver: fix Shutdown() deadlock + * net/netmon: do not abandon a subscriber when exiting early + * tka: don't try to read AUMs which are partway through being written + * tka: rename a mutex to mu instead of single-letter l + * ipn/ipnlocal: use an in-memory TKA store if FS is unavailable + +------------------------------------------------------------------- +Sun Nov 2 11:43:31 UTC 2025 - Richard Rahl + +- Update to version 1.90.6: + * Routes no longer stall and fail to apply when updated repeatedly in a short + period of time + * Tailscale SSH no longer hangs for 10s when connecting to tsrecorder. 
This + affected tailnets that use Tailscale SSH recording + +------------------------------------------------------------------- +Wed Oct 29 09:50:22 UTC 2025 - Richard Rahl + +- Update to version 1.90.4: + * deadlock issue no longer occurs in the client when checking + for the network to be available + * tailscaled no longer sporadically panics when a + Trusted Platform Module (TPM) device is present + +------------------------------------------------------------------- +Tue Oct 28 11:12:50 UTC 2025 - Richard Rahl + +- Update to version 1.90.3: + * tailscaled shuts down as expected and without panic + * tailscaled starts up as expected in a no router configuration environment + +------------------------------------------------------------------- +Fri Oct 24 18:11:11 UTC 2025 - Richard Rahl + +- Update to version 1.90.2: + * util/linuxfw: fix 32-bit arm regression with iptables + * health: compare warnable codes to avoid errors on release branch + * feature/tpm: check TPM family data for compatibility + +------------------------------------------------------------------- +Fri Oct 24 10:08:31 UTC 2025 - Richard Rahl + +- Upate to version 1.90.1: + * Clients can use configured DNS resolvers for all domains + * Node keys will be renewed seamlessly + * Unnecessary path discovery packets over DERP servers are suppressed + * Node key sealing is GA (generally available) and enabled by default + +------------------------------------------------------------------- +Wed Oct 1 11:55:52 UTC 2025 - Richard Rahl + +- update to version 1.88.3: + * cmd/tailscale/cli: add ts2021 debug flag to set a dial plan + * control/controlhttp: simplify, fix race dialing, remove priority concept +- update to version 1.88.2: + * k8s-operator: reset service status before append +- require the minimum go version directly, in comparison to using the golang(API) + symbol + +------------------------------------------------------------------- +Fri Sep 12 11:11:48 UTC 2025 - Richard Rahl + +- update 
to version 1.88.1: + * Tailscale CLI prompts users to confirm impactful actions + * Tailscale SSH works as expected when using an IP address instead of a + hostname and MagicDNS is disabled + * fixed: Taildrive sharing when su not present + * Taildrive files remain consistently accessible + * new: Tailscale tray GUI + * DERP IPs changed for Singapore and Tokyo +- remove fix-CVE-2025-58058.patch, fixed upstream + +------------------------------------------------------------------- +Fri Aug 29 12:57:59 UTC 2025 - Richard Rahl + +- add patch fix-CVE-2025-58058.patch, fixing bsc#1248920 + +------------------------------------------------------------------- +Fri Aug 29 11:10:29 UTC 2025 - Richard Rahl + +- update to version 1.86.5: + * cmd/k8s-proxy,k8s-operator: fix serve config for userspace mode +- update to version 1.86.4: + * nothing of relevance +- update to version 1.86.3: + * nothing of relevance + +------------------------------------------------------------------- +Tue Jul 29 21:20:47 UTC 2025 - Richard Rahl + +- update to version 1.86.2: + * A deadlock issue that may have occurred in the client + * An occasional crash when establishing a new port mapping with a gateway or + firewall + +------------------------------------------------------------------- +Sat Jul 26 16:23:38 UTC 2025 - Richard Rahl + +- update to version 1.86.0: + * tsStateEncrypted device posture attribute for checking whether the + Tailscale client state is encrypted at rest + * Cross-site request forgery (CSRF) issue that may have resulted in a log in + error when accessing the web interface + * Recommended exit node when the previously recommended exit node is offline + * tailscale up --exit-node=auto:any and tailscale set --exit-node=auto:any + CLI commands track the recommended exit node and automatically switches to + it when available exit nodes or network conditions change + * tailscaled CLI command flag --encrypt-state encrypts the node state file on + the disk using trusted platform 
module (TPM) + +------------------------------------------------------------------- +Thu Jun 26 17:29:44 UTC 2025 - Richard Rahl + +- update to 1.84.3: + * ipn/ipnlocal: Update hostinfo to control on service config change + +------------------------------------------------------------------- +Tue Jun 10 15:36:55 UTC 2025 - Richard Rahl + +- update to 1.84.2: + * Re-enable setting —accept-dns by using TS_EXTRA_ARGS. This issue resulted + from stricter CLI arguments parsing introduced in Tailscale v1.84.0 + +------------------------------------------------------------------- +Fri May 30 06:23:15 UTC 2025 - Richard Rahl + +- update to 1.84.1: + * net/dns: cache dns.Config for reuse when compileConfig fails + +------------------------------------------------------------------- +Thu May 22 08:27:09 UTC 2025 - Richard Rahl + +- update to 1.84.0: + * The --reason flag is added to the tailscale down command + * ReconnectAfter policy setting, which configures the maximum period of time + between a user disconnecting Tailscale and the client automatically + reconnecting + * Tailscale CLI commands throw an error if multiple of the same flag are detected + * Network connectivity issues when creating a new profile or switching + profiles while using an exit node + * DNS-over-TCP fallback works correctly with upstream servers reachable only + via the tailnet +- remove fix-CVE-2025-22869.patch, as upstream updated their dependencies + +------------------------------------------------------------------- +Fri Apr 18 07:37:15 UTC 2025 - Richard Rahl + +- update to 1.82.5: + * A panic issue related to CUBIC congestion control in userspace mode is resolved. + +------------------------------------------------------------------- +Thu Mar 27 19:50:58 UTC 2025 - Richard Rahl + +- update to 1.82.0: + * DERP functionality within the client supports certificate pinning for + self-signed IP address certificates for those unable to use Let's Encrypt + or WebPKI certificates. 
+ * Go is updated to version 1.24.1 + * NAT traversal code uses the DERP connection that a packet arrived on as an + ultimate fallback route if no other information is available + * Captive portal detection reliability is improved on some in-flight Wi-Fi networks + * Port mapping success rate is improved + * Helsinki is added as a DERP region. + +------------------------------------------------------------------- +Wed Mar 12 09:07:49 UTC 2025 - Richard Rahl + +- add patch fix-CVE-2025-22869.patch, fixes bsc#1239353 + +------------------------------------------------------------------- +Tue Mar 4 13:42:34 UTC 2025 - Richard Rahl + +- update to 1.80.3: + * appc: fix a deadlock in route advertisements + * client/web: fix CSRF handler order in web UI + +------------------------------------------------------------------- +Thu Feb 13 14:30:28 UTC 2025 - Richard Rahl + +- update to 1.80.2: + * Use ip:country as a geolocation device posture attribute (generally available). + +------------------------------------------------------------------- +Thu Feb 6 19:52:22 UTC 2025 - Richard Rahl + +- update to 1.80.1: + * net/netmon: add extra panic guard around ParseRIB + +------------------------------------------------------------------- +Fri Jan 31 17:20:29 UTC 2025 - Richard Rahl + +- update to 1.80.0: + * Hostname system policy is added for overriding the device hostname + configured by the operating system, using an MDM solution. + * Web interface displays a Login button instead of the Reauthenticate button + when adding a new device to your tailnet. + * Tailscale Funnel configuration on devices displays errors when incoming + connections are not permitted and connections are disallowed. + * Connections to a custom coordination server that does not support HTTPS + will no longer fail when a custom port number is specified. + * TLS certificate requests from Let’s Encrypt include the device's DNS name + in the CSR’s SAN extension and set the Common Name field. 
+ * Tailscale Funnel disabled on a device no longer displays enabled in the + admin console. + * GitHub username change automatically updates tailnet name + * 4via6 subnet routers GA + * Auto approvers GA + * Node attributes GA + * Download invoices GA + * Fast user switching GA + * Configuration log streaming integration with S3 buckets GA + * Network flow log streaming integration with S3 buckets GA + * NextDNS profiles per device GA + * GitHub secret scanning +- remove fix-CVE-2024-45337.patch, as it's now included + +------------------------------------------------------------------- +Wed Dec 18 17:33:23 UTC 2024 - Richard Rahl + +- add patch fix-CVE-2024-45337.patch, to circumevent a possibility + of exploiting the golang-x-crypto security hole. (fix #1234506) + +------------------------------------------------------------------- +Fri Dec 13 05:06:26 UTC 2024 - Richard Rahl + +- update to 1.78.3: + * cmd/containerboot: fix nil pointer exception + * hostinfo: fix testing in container + +------------------------------------------------------------------- +Fri Dec 6 01:22:05 UTC 2024 - Richard Rahl + +- update to 1.78.1: + * health: fix TestHealthMetric + +------------------------------------------------------------------- +Thu Dec 5 22:10:32 UTC 2024 - Richard Rahl + +- update to 1.78.0: + * Client metrics have been added, to provide insights into Tailscale client + behavior, health, and performance. + * tailscale metrics command has been added, to expose and collect client + metrics for use with third-party monitoring systems. + * tailscale syspolicy command has been added, to list system policies, reload + system policies, or view errors related to the system policies configured + on the device. + * Tailscale system policies are applied immediately when pushed via mobile + device management (MDM) or Group Policy, without requiring a client restart. + * Tailscale SSH session recording detects the disappearance of the recorder + node sooner. 
This fix addresses a security vulnerability described + in TS-2024-013. + * New scopes for OAuth clients have been added with more granular permissions. + Existing OAuth clients using the previous set of scopes, and keys generated + using these clients, are still valid. + +------------------------------------------------------------------- +Fri Nov 8 03:46:50 UTC 2024 - Richard Rahl + +- update to 1.76.6: + * Logging for when clients move home DERP regions is improved. + * Tailscale clients no longer move their home DERP server prematurely in + response to unusual latency at very specific times. + +------------------------------------------------------------------- +Tue Oct 22 18:34:42 UTC 2024 - Richard Rahl + +- update to 1.76.3: + * no relevant changelog +- update to 1.76.2: + * no relevant changelog +- switch over to the new %{default_fw_backend} macro +- create old init file only for < leap 16 + +------------------------------------------------------------------- +Wed Oct 16 20:40:31 UTC 2024 - Richard Rahl + +- update to 1.76.1: + * tailscale netcheck CLI command no longer crashes when performing diagnostics + on networks lacking UDP connectivity. + * Improperly formatted SERVFAIL responses no longer cause DNS timeouts when using an exit node. + * dbus login sessions no longer fail on systems where /bin/login is missing. + +------------------------------------------------------------------- +Mon Oct 14 13:06:13 UTC 2024 - Alexandre Vicenzi + +- Require a firewall backend (boo#1228829) +- Add simple test check to ensure binaries are working + +------------------------------------------------------------------- +Fri Oct 11 06:07:28 UTC 2024 - Richard Rahl + +- update to 1.76.0: + * Clients lacking UDP connectivity no longer skip performing fallback latency + measurements with DERP servers. + * Warnings no longer display unnecessarily. + * Tailscale connectivity on in-flight internet on airplanes (such as Alaska Airlines) no longer fails. 
+ * Service-related processes no longer run unnecessarily when services are disabled on the tailnet. + * Error messages include explanations in addition to the HTTP status code. + * Tailscale SSH supports sending environment variables to hosts. It's also possible to specify + permitted environment variables using the acceptEnv field. + * Tailscale SSH no longer breaks some terminal applications by omitting pixel width and height when + resizing the application window. + +------------------------------------------------------------------- +Sat Sep 21 05:28:42 UTC 2024 - Eric Torres + +- Change path of zsh completion file to make zsh properly recognize completions + * /usr/share/zsh/site-functions/tailscale moved to /usr/share/zsh/site-functions/_tailscale + +------------------------------------------------------------------- +Wed Sep 18 19:10:19 UTC 2024 - Richard Rahl + +- update to 1.74.1: + * wgengine/magicsock: disable raw disco by default; add envknob to enable + +------------------------------------------------------------------- +Fri Sep 13 10:48:17 UTC 2024 - Richard Rahl + +- update to 1.74.0 + * AuthKey system policy can be used to authenticate a device with Tailscale using an MDM solution. + * tailscale dns CLI command is added for accessing Tailscale DNS settings and status. + * Tailnet Lock long rotation signatures are truncated automatically to avoid excessive growth. + * Log In option in the client works as expected. + * TCP generic receive offload (GRO) support is added for improved userspace mode throughput. + * TCP generic segmentation offload (GSO) is re-introduced for supporting improved userspace mode throughput. + This was initially introduced in Tailscale v1.72.0 and then rolled back in v1.72.1. + * Device posture integration with CrowdStrike Falcon can now use MAC addresses to match devices that lack serial numbers. + When Falcon integration is configured, Device Identity Collection will automatically collect MAC addresses. 
+ +------------------------------------------------------------------- +Thu Aug 22 22:08:51 UTC 2024 - Richard Rahl + +- update to 1.72.1: + * DNS over TCP failures when querying the Tailscale-internal resolver are fixed. + +------------------------------------------------------------------- +Wed Aug 21 16:05:02 UTC 2024 - rrahl0@opensuse.org + +- Update to version 1.72.0: + * posture: deduplicate MAC addresses before returning them + * health/dns: reduce severity of DNS unavailable warning + * safeweb: add Server.Close method + * go.mod.sri: update SRI hash for go.mod changes + * go.{mod,sum}: migrate from nhooyr.io/websocket to github.com/coder/websocket + * cmd/viewer: add support for map-like container types +- update golang(API) to 1.23 +- export version variables, to circumvent a bug + +------------------------------------------------------------------- +Thu Jul 18 06:31:58 UTC 2024 - Richard Rahl + +- update to 1.70.0: + * New: Restrict recommended and automatically selected exit nodes using the + new AllowedSuggestedExitNodes system policy. Applies only to platforms that + support system policies. + * Changed: Improved NAT traversal for some uncommon scenarios. + * Changed: Optimized sending firewall rules to clients more efficiently. + * Fixed: Exit node suggestion CLI command now prints the hostname. + * Fixed: Taildrive share paths configured through the CLI resolve relative + to where you run the tailscale command. + +------------------------------------------------------------------- +Tue Jul 2 20:35:35 UTC 2024 - Richard Rahl + +- update to 1.68.2: + * Fixed: Tailnet lock validation of rotation signatures now permits multiple nodes + signed by the same pre-signed reusable auth key. + +------------------------------------------------------------------- +Sun Jun 16 13:30:20 UTC 2024 - Richard Rahl + +- update to 1.68.1: + * Fixed: 4via6 subnet router advertisement works as expected. 
+ * Fixed: Tailscale SSH access to Security-Enhanced Linux (SELinux) machines works as expected. +- update to 1.68.0: + * New: Auto-updates are allowed in containers, but ignore the tailnet-wide default + * New: Apply auto-updates even if the node is down or disconnected from the coordination server. + * New: tailscale lock status now prints the node's signature. + +------------------------------------------------------------------- +Wed May 22 08:36:37 UTC 2024 - Richard Rahl + +- update to 1.66.4: + * Fixed: Restored UDP connectivity through Mullvad exit nodes + * Stateful filtering is now off by default + +- update to 1.66.3: + * Login URLs did not always appear in the console when running tailscale up + * Starting with v1.66, the Kubernetes operator must always run the same or later version + as the proxies it manages. + * Expose cloud services on cluster network to the tailnet, using Kubernetes ExternalName Services + * Expose tailnet services that use Tailscale HTTPS to cluster workloads + * Cluster workloads can now refer to Tailscale Ingress resources by their MagicDNS names + * Configure environment variables for Tailscale Kubernetes operator proxies using ProxyClass CRD + * Expose tailscaled metrics endpoint for Tailscale Kubernetes operator proxies through ProxyClass CRD + * Configure labels for the Kubernetes operator Pods with Helm chart values + * Configure affinity rules for Kubernetes operator proxy Pods with ProxyClass + * Kubernetes operator proxy init container no longer attempts to enable IPv6 forwarding on systems + that don't have IPv6 module loaded + * Tailscale containers running on Kubernetes no longer error if an empty Kubernetes Secret is + pre-created for the tailscaled state + * Improved the ambiguous error messages when Tailscale running on Kubernetes does not have the right + permissions to perform actions against the tailscaled state Secret + +------------------------------------------------------------------- +Fri May 10 15:16:33 
UTC 2024 - Richard Rahl + +- update to 1.66.1: + * Resolved issues with nftables rules for stateful filtering, + introduced in v1.66.0. + * tailscale set command flags --netfilter-mode, --snat-subnet-routes, + and --stateful-filtering are added. + +- update to 1.66.0: + * Implemented client-side quarantining for shared-in exit nodes, + as a mitigation for a security vulnerability described in TS-2024-005. + * Use the --stateful-filtering flag for the tailscale up to enable stateful filtering for + subnet routers and exit nodes, as a mitigation for a security vulnerability described + in TS-2024-005. + * Added tab completions + * Use the tailscale exit-node suggest command to automatically pick an available exit node + that is likely to perform best. + * Site-to-site networking now also requires --stateful-filtering=false in addition to + --snat-subnet-routes=false on new subnet routers. Existing subnet routers with --snat-subnet-routes=false + will default to --stateful-filtering=false. + +- update to 1.64.2: + * nothing relevant for linux + +- update to 1.64.1: + * nothing relevant for linux + +- update to 1.64.0: + * New: tailscale configure kubeconfig now respects KUBECONFIG environment variable. + * Fixed: tailscale configure kubeconfig now works with partially empty kubeconfig. + * Fixed: MSS clamping for Kubernetes operator proxies using nftables. + * Fixed: Containers on hosts with partial support for ip6tables no longer crash. 
+ +- turn of changelog generation +- add completions for bash + +------------------------------------------------------------------- +Sat Mar 30 08:28:56 UTC 2024 - Richard Rahl + +- update to 1.62.1: + * Send load balancing hint HTTP request header + * Fixed: Kubernetes operator proxies should not accept subnet routes + +------------------------------------------------------------------- +Thu Mar 14 03:13:54 UTC 2024 - rrahl0@proton.me + +- update to 1.62.0: + * IPv6 support detection in a container environment is improved + * New: Web interface now uses ACL grants to manage access on tagged devices + * Tailscale SSH connections now disable unnecessary hostname canonicalization + * tailscale bugreport command for generating diagnostic logs now contain ethtool information + * Mullvad's family-friendly server is added to the list of well known DNS over HTTPS (DoH) servers + * DNS over HTTP requests now contain a timeout + * TCP forwarding attempts in userspace mode now have a per-client limit + * Endpoints with link-local IPv6 addresses is preferred over private addresses + * WireGuard logs are less verbose + * Go min. 
version 1.22.1 + * DERP server region no longer changes if connectivity to the new DERP region is degraded + +- update to 1.60.1: + * Exposing port 8080 to other devices on your tailnet works as expected + +------------------------------------------------------------------- +Tue Feb 20 22:10:41 UTC 2024 - Alexandre Vicenzi + +- Add disable-auto-update.patch to prevent auto updates and instead + ask users to use Zypper to update manually + +------------------------------------------------------------------- +Tue Feb 20 14:52:46 UTC 2024 - Richard Rahl + +- change to the non deprecated manualrun + +------------------------------------------------------------------- +Fri Feb 16 14:38:14 UTC 2024 - alexandre.vicenzi@suse.com + +- Spec cleanup + * Use tar_scm to avoid commit hashes in the spec + * Use tailscale build scripts + * Drop ProtectClock fix for Leap, DeviceAllow fixes it +- Add build-verbose.patch to get go flags into build log +- Enable PrivateDevices but allow access to /dev/net/tun in tailscaled.service + +------------------------------------------------------------------- +Fri Feb 16 00:50:26 UTC 2024 - Richard Rahl + +- update to 1.60.0: + * minimum go version 1.22 + * authentication: present users with a valid login page when + attempting to login even after leaving device unattended for several days + * networking: mute noisy peer mtu discovery errors + * networking: expose gVisor metrics in debug mode + * port mapper: support legacy "urn:dslforum-org" port mapping services + * port mapper: fix crash when no support mapping services found + * ssh: log warning when unable to find SSH host keys + * serve: improve error message when running as non-root + * Detect when Tailscale is running on Digital Ocean and automatically + use Digital Ocean's DNS resolvers + * enable app connectors to install routes for domains that resolve to CNAME + records + * support pre-configured routes from control server + * add new read-only mode + * tailscale status command: 
fix output formatting Tailnet + includes location-based exit nodes + * a new ProxyClass custom resource that allows to provide custom + configuration for cluster resources that the operator creates + * ACL tags for the operator can now be configured via Helm chart values + * routing to Ingress backends that require an exact path without a slash + +------------------------------------------------------------------- +Wed Feb 7 14:52:53 UTC 2024 - Richard Rahl + +- make rpm not overwrite /etc/default/taiscaled +- defattr everything to root + +------------------------------------------------------------------- +Sat Feb 3 11:18:05 UTC 2024 - Richard Rahl + +- no stripping of binaries +- add commitID to binaries for upstream +- add directory for saved configs + +------------------------------------------------------------------- +Tue Jan 23 23:54:36 UTC 2024 - Richard Rahl + +- switch services to manual +- update to version 1.58.2: + * Fixed: [App connectors][app-connectors] have improved scheduling + and merging of route changes under some conditions + * Fixed: Crash when performing UPnP portmapping on older routers + with no supported portmapping services + +------------------------------------------------------------------- +Fri Jan 19 08:06:27 UTC 2024 - Richard Rahl + +- update to version 1.58.0: + * portmap: check the epoch from NAT-PMP & PCP, establish new portmapping if it changes + * portmap: better handle multiple interfaces + * portmap: handle multiple UPnP discovery responses + * increase the number of 4via6 site IDs from 256 to 65,536 + * taildrop: allow category Z unicode characters + * increased binary size with 1.56 is resolved in 1.58 + * Reduce home DERP flapping when there's still an active connection + * device web ui: fixed issue when accessing shared devices + * device web ui: fixed login issue when accessed over https + +------------------------------------------------------------------- +Wed Jan 10 02:17:57 UTC 2024 - Richard Rahl + +- fix an 
issue with Leap, where ProtectClock prevents to connect to + /dev/net/tun + +------------------------------------------------------------------- +Fri Dec 15 21:22:39 UTC 2023 - Richard Rahl + +- update to version 1.56.1: + * Fixed: Web interface redirects to the correct self IP known by source peer + * Fixed: Usage of slices.Compact from app connector domains list + +------------------------------------------------------------------- +Fri Dec 15 13:48:28 UTC 2023 - Richard Rahl + +- fix version output to what upstream expects + +------------------------------------------------------------------- +Wed Dec 13 22:08:30 UTC 2023 - rrahl0@proton.me + +- Update to version 1.56.0: + * improve responsiveness under load, especially with bidirectional traffic + * improve UPnP portmapping + * add tailscale whois subcommand to observe metadata associated with a Tailscale IP + * include tailnet name and profile ID in tailscale switch --list to disambiguate + profiles with common login names + * improve tailscale web interface for configuring some device settings such as exit nodes, + subnet routers, and Tailscale SSH + * improve containerboot to symlink its socket file if possible, + making the tailscale CLI work without --socket=/tmp/tailscale.sock + * add support in Kubernetes operator cluster egress for referring to a tailnet service + by its MagicDNS name + + +- Update to version 1.54.1: + * no relevant updates to the linux version + +------------------------------------------------------------------- +Fri Nov 24 21:59:11 UTC 2023 - Richard Rahl + +- tailscale couldn't connect to /dev/net/tun + +------------------------------------------------------------------- +Thu Nov 23 06:51:24 UTC 2023 - rrahl0@proton.me + +- Update to version 1.54.0: + * improve throughput substantially for UDP packets over TUN device with recent Linux kernels + + +- Update to version 1.52.1: + * no linux improvements + +- Update to version 1.52.0: + * tailscale set command flag --auto-update is 
added to opt in to automatic client updates + * tailscale serve and tailscale funnel commands are updated for improved usability + * tailscale update command for manual updates is now in beta + * Taildrop file transfer displays a progress meter + * nftables auto-detection is improved when TS_DEBUG_FIREWALL_MODE=auto is used + * DNS detection of NetworkManager with configured but absent systemd-resolved + * Taildrop now resumes file transfers after partial transfers are interrupted + * tailscale up command displays a message about client updates when newer versions are available + * tailscale status command displays a message about client updates when newer versions are available + * tailscale cert command renews in the background. The current certificate only displays if it has expired. + +------------------------------------------------------------------- +Mon Oct 02 23:51:03 UTC 2023 - rrahl0@proton.me + +- Update to version 1.50.1: + * fix bug where serve config could get wiped + * Funnel support for tsnet apps + * fix potential crash with UPnP + +------------------------------------------------------------------- +Sat Sep 30 19:38:50 UTC 2023 - rrahl0@proton.me + +- Update to version 1.50.0: + * Update tailscale{,d} licenses + * Update Quad9 addresses and references + * Adds support for Wikimedia DNS using DNS-over-HTTPS + +- Update to version 1.48.1: + * no relevant updates + +- Update to version 1.48.2: + * Improvements to Mullvad exit nodes + +------------------------------------------------------------------- +Fri Aug 18 15:56:24 UTC 2023 - Richard Rahl + +- Initial revision diff --git a/tailscale.spec b/tailscale.spec new file mode 100644 index 0000000..ade33ad --- /dev/null +++ b/tailscale.spec 
@@ -0,0 +1,143 @@
+#
+# spec file for package tailscale
+#
+# Copyright (c) 2025 SUSE LLC and contributors
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name: tailscale
+Version: 1.90.8
+Release: 0
+Summary: The easiest, most secure way to use WireGuard and 2FA
+License: BSD-3-Clause
+URL: https://github.com/tailscale/tailscale
+Source: %{name}-%{version}.tar.gz
+Source1: vendor.tar.gz
+Source2: %{name}d.service
+Source3: %{name}d.defaults
+Patch0: build-verbose.patch
+Patch1: disable-auto-update.patch
+BuildRequires: bash-completion
+BuildRequires: fish
+BuildRequires: git-core
+BuildRequires: go1.25 >= 1.25.3
+BuildRequires: golang-packaging
+BuildRequires: zsh
+Requires: %{default_firewall_backend}
+ExcludeArch: %{ix86}
+%{?systemd_requires}
+
+%description
+Tailscale is a modern VPN built on top of Wireguard. It works like an overlay
+network between the computers of your networks using NAT traversal.
+
+%package bash-completion
+Summary: Tailscale bash completion
+Supplements: (%{name} and bash-completion)
+BuildArch: noarch
+
+%description bash-completion
+bash completions for %{name}
+
+%package zsh-completion
+Summary: Tailsacle zsh completion
+Supplements: (%{name} and zsh)
+BuildArch: noarch
+
+%description zsh-completion
+zsh completion for %{name}
+
+%package fish-completion
+Summary: Tailscale fish completion
+Supplements: (%{name} and fish)
+BuildArch: noarch
+
+%description fish-completion
+fish completion for %{name}
+
+%prep
+%autosetup -a1 -p1
+
+%build
+%ifnarch ppc64
+export GOFLAGS="-buildmode=pie"
+%endif
+export VERSION_SHORT=%{version}
+export VERSION_LONG=%{version}
+export VERSION_GIT_HASH='$(git rev-parse v%{version})'
+./build_dist.sh ./cmd/%{name}
+./build_dist.sh ./cmd/%{name}d
+
+#generate completions
+./%{name} completion bash > ./%{name}.bash
+./%{name} completion zsh > ./%{name}.zsh
+./%{name} completion fish > ./%{name}.fish
+
+%check
+./%{name} version
+./%{name}d -version
+
+%install
+mkdir -p %{buildroot}%{_sharedstatedir}/%{name}
+
+install -D -p -m 0755 %{name} %{buildroot}%{_bindir}/%{name}
+install -D -p -m 0755 %{name}d %{buildroot}%{_sbindir}/%{name}d
+
+# service
+install -D -p -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/%{name}d.service
+%if 0%{?suse_version} < 1600
+ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}d
+%endif
+
+# defaults
+install -D -p -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/default/%{name}d
+
+install -D -p -m 0644 ./%{name}.bash %{buildroot}%{_datadir}/bash-completion/completions/%{name}
+install -D -p -m 0644 ./%{name}.zsh %{buildroot}%{_datadir}/zsh/site-functions/_%{name}
+install -D -p -m 0644 ./%{name}.fish %{buildroot}%{_datadir}/fish/vendor_completions.d/%{name}
+
+%pre
+%service_add_pre %{name}d.service
+
+%post
+%service_add_post %{name}d.service
+
+%preun
+%service_del_preun %{name}d.service
+
+%postun
+%service_del_postun %{name}d.service
+
+%files
+%license LICENSE PATENTS
+
+%doc README.md SECURITY.md
+%config(noreplace) %{_sysconfdir}/default/%{name}d
+%dir %{_sharedstatedir}/%{name}
+%{_bindir}/%{name}
+%{_sbindir}/%{name}d
+%{_unitdir}/%{name}d.service
+%if 0%{?suse_version} < 1600
+%{_sbindir}/rc%{name}d
+%endif
+
+%files bash-completion
+%{_datadir}/bash-completion/completions/%{name}
+
+%files zsh-completion
+%{_datadir}/zsh/site-functions/_%{name}
+
+%files fish-completion
+%{_datadir}/fish/vendor_completions.d/%{name}
+
+%changelog
diff --git a/tailscaled.defaults b/tailscaled.defaults
new file mode 100644
index 0000000..75f1c3e
--- /dev/null
+++ b/tailscaled.defaults
@@ -0,0 +1,8 @@
+# Set the port to listen on for incoming VPN packets.
+# Remote nodes will automatically be informed about the new port number,
+# but you might want to configure this in order to set external firewall
+# settings.
+PORT="41641"
+
+# Extra flags you might want to pass to tailscaled.
+FLAGS=""
diff --git a/tailscaled.service b/tailscaled.service
new file mode 100644
index 0000000..b67b94d
--- /dev/null
+++ b/tailscaled.service
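Review bot: `export VERSION_GIT_HASH='$(git rev-parse v%{version})'` in %build uses single quotes, so the shell never runs the command substitution and the variable holds the literal text `$(git rev-parse v1.90.8)` instead of a commit hash; unless build_dist.sh re-evaluates that string itself, the literal is what gets stamped into the binaries, which defeats the "add commitID to binaries for upstream" intent recorded in the changelog. Double quotes, `export VERSION_GIT_HASH="$(git rev-parse v%{version})"`, would evaluate it at build time, provided the unpacked tarball still contains git metadata (the build requires git-core, which suggests it does). Separately, `Version: 1.90.8` and `BuildRequires: go1.25 >= 1.25.3` do not match the commit subject's 1.82.0 and Go 1.24.1, so this file appears to be exported from a later revision than the message describes. The zsh-completion Summary also carries a typo, `Tailsacle`.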
@@ -0,0 +1,35 @@
+[Unit]
+Description=Tailscale node agent
+Documentation=https://tailscale.com/kb/
+Wants=network-pre.target
+After=network-pre.target NetworkManager.service systemd-resolved.service
+
+[Service]
+EnvironmentFile=/etc/default/tailscaled
+ExecStartPre=/usr/sbin/tailscaled --cleanup
+ExecStart=/usr/sbin/tailscaled --state=/var/lib/tailscale/tailscaled.state --socket=/run/tailscale/tailscaled.sock --port=${PORT} $FLAGS
+ExecStopPost=/usr/sbin/tailscaled --cleanup
+Restart=on-failure
+RuntimeDirectory=tailscale
+RuntimeDirectoryMode=0755
+StateDirectory=tailscale
+StateDirectoryMode=0700
+CacheDirectory=tailscale
+CacheDirectoryMode=0750
+Type=notify
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+PrivateDevices=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+RestrictRealtime=true
+# give permission to TUN
+BindPaths=/dev/net/tun
+DeviceAllow=/dev/net/tun rw
+
+[Install]
+WantedBy=multi-user.target
diff --git a/vendor.tar.gz b/vendor.tar.gz
new file mode 100644
index 0000000..2d1dac3
--- /dev/null
+++ b/vendor.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c99ec847a316aacf51402e6f5d4ea7e906dbf10a63328118e56d9dd14efc34ed
+size 20773741
-- 2.51.1
From e599b7f0f3e804a832a459447b76df3737947b38150e601a4a6736c1242aacba Mon Sep 17 00:00:00 2001
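Review bot: The hardening block in [Service] leaves the root filesystem writable to the daemon: there is no `ProtectSystem=` line, so tailscaled, which runs as root here (no `User=`), can modify /usr and /etc despite the other protections taken from the linked openSUSE page. `ProtectSystem=full` (or `strict` plus `ReadWritePaths=` for whatever the daemon must write) would close that; tailscaled's DNS integration may need to write /etc/resolv.conf, so confirm against the DNS manager in use before enabling it. `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK` is another item from the same page worth trying under the same confirmation of what the daemon opens. `StateDirectoryMode=0700` is the right choice given that tailscaled.state holds the node key, and is worth a one-line comment saying so, since the 0755/0750 modes on the sibling directories make it look accidental.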
From: Richard Rahl Date: Sat, 6 Dec 2025 11:46:21 +0000 Subject: [PATCH 20/25] - Update to version 1.92.1: * fix LocalBackend deadlock when packet arrives during profile switch * wgengine: fix TSMP/ICMP callback leak - Update to version 1.92.0: * no changelog provided - Update to version 1.90.9: * tailscaled no longer deadlocks during event bursts * The client no longer hangs after wake up OBS-URL: https://build.opensuse.org/package/show/network:vpn/tailscale?expand=0&rev=108 --- .gitattributes | 23 ++ .gitignore | 1 + _service | 18 ++ _servicedata | 4 + build-verbose.patch | 13 + disable-auto-update.patch | 25 ++ fix-CVE-2025-58058.patch | 28 ++ tailscale-1.86.5.tar.gz | 3 + tailscale-1.88.1.tar.gz | 3 + tailscale-1.88.3.tar.gz | 3 + tailscale-1.90.2.tar.gz | 3 + tailscale-1.90.3.tar.gz | 3 + tailscale-1.90.4.tar.gz | 3 + tailscale-1.90.6.tar.gz | 3 + tailscale-1.90.8.tar.gz | 3 + tailscale-1.92.1.tar.gz | 3 + tailscale.changes | 664 ++++++++++++++++++++++++++++++++++++++ tailscale.spec | 143 ++++++++ tailscaled.defaults | 8 + tailscaled.service | 35 ++ vendor.tar.gz | 3 + 21 files changed, 992 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 _service create mode 100644 _servicedata create mode 100644 build-verbose.patch create mode 100644 disable-auto-update.patch create mode 100644 fix-CVE-2025-58058.patch create mode 100644 tailscale-1.86.5.tar.gz create mode 100644 tailscale-1.88.1.tar.gz create mode 100644 tailscale-1.88.3.tar.gz create mode 100644 tailscale-1.90.2.tar.gz create mode 100644 tailscale-1.90.3.tar.gz create mode 100644 tailscale-1.90.4.tar.gz create mode 100644 tailscale-1.90.6.tar.gz create mode 100644 tailscale-1.90.8.tar.gz create mode 100644 tailscale-1.92.1.tar.gz create mode 100644 tailscale.changes create mode 100644 tailscale.spec create mode 100644 tailscaled.defaults create mode 100644 tailscaled.service create mode 100644 vendor.tar.gz 
diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/_service b/_service new file mode 100644 index 0000000..0a9f962 --- /dev/null +++ b/_service @@ -0,0 +1,18 @@ + + + https://github.com/tailscale/tailscale.git + git + yes + refs/tags/v1.92.1 + @PARENT_TAG@ + v(.*) + disable + + + + *.tar + gz + + + + diff --git a/_servicedata b/_servicedata new file mode 100644 index 0000000..d4fed67 --- /dev/null +++ b/_servicedata @@ -0,0 +1,4 @@ + + + https://github.com/tailscale/tailscale.git + aa448d5a9985378af04966c6d7aec8d9f4a166ca \ No newline at end of file diff --git a/build-verbose.patch b/build-verbose.patch new file mode 100644 index 0000000..5da7533 --- /dev/null +++ b/build-verbose.patch 
@@ -0,0 +1,13 @@
+diff --git a/build_dist.sh b/build_dist.sh
+index 0c757c26..9639d596 100755
+--- a/build_dist.sh
++++ b/build_dist.sh
+@@ -9,7 +9,7 @@
+ # this script, or executing equivalent commands in your
+ # distro-specific build system.
+
+-set -eu
++set -eux
+
+ go="go"
+ if [ -n "${TS_USE_TOOLCHAIN:-}" ]; then
diff --git a/disable-auto-update.patch b/disable-auto-update.patch
new file mode 100644
index 0000000..c7d8a30
--- /dev/null
+++ b/disable-auto-update.patch
@@ -0,0 +1,25 @@
+diff -rub tailscale/clientupdate/clientupdate.go tailscale-patched/clientupdate/clientupdate.go
+--- tailscale/clientupdate/clientupdate.go 2024-06-16 15:26:31.323022871 +0200
++++ tailscale-patched/clientupdate/clientupdate.go 2024-06-16 15:57:08.732315446 +0200
+@@ -205,6 +205,8 @@
+ // The distro.Debian switch case above should catch most apt-based
+ // systems, but add this fallback just in case.
+ return up.updateDebLike, true
++ case haveExecutable("zypper"):
++ return up.updateSUSE, false
+ case haveExecutable("dnf"):
+ return up.updateFedoraLike("dnf"), true
+ case haveExecutable("yum"):
+@@ -526,6 +528,12 @@
+ you can use "pacman --sync --refresh --sysupgrade" or "pacman -Syu" to upgrade the system, including Tailscale.`)
+ }
+
++func (up *Updater) updateSUSE() error {
++ // SUSE-based distros should update manually.
++ // The package can come from official Tailscale repos or not and the system can be transactional or not.
++ return errors.New(`Use Zypper or transactional-update (on applicable systems) to update Tailscale on openSUSE or SUSE Linux Enterprise installations.`)
++}
++
+ func (up *Updater) updateNixos() error {
+ // NixOS package updates are managed on a system level and not individually.
+ // Direct users to update their nix channel or nixpkgs flake input to
diff --git a/fix-CVE-2025-58058.patch b/fix-CVE-2025-58058.patch
new file mode 100644
index 0000000..867ec16
--- /dev/null
+++ b/fix-CVE-2025-58058.patch
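Review bot: build-verbose.patch has no header: the file starts directly at `diff --git a/build_dist.sh`, so nothing records why the packaging turns `set -eu` into `set -eux`, that it is downstream-only, or that its purpose is the one the changelog gives ("get go flags into build log"). The same gap exists in disable-auto-update.patch and fix-CVE-2025-58058.patch added by this commit; the CVE patch in particular should name the bug it addresses (the changelog cites bsc#1248920) and where the dependency bump was taken from. A short free-text header such as `Make build_dist.sh echo each command so the Go build flags appear in the OBS build log. Downstream-only; not intended for upstream.` placed above the first `diff` line is enough, since patch(1) skips leading text. One thing to keep in mind with `-x`: every expanded command line, including environment values, lands in the public build log, which is fine for the version variables set here but should be rechecked if the spec ever exports anything sensitive.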
@@ -0,0 +1,28 @@
+diff --git a/go.mod b/go.mod
+index 3d7514158..837fc8c44 100644
+--- a/go.mod
++++ b/go.mod
+@@ -382,7 +382,7 @@ require (
+ github.com/tomarrell/wrapcheck/v2 v2.8.3 // indirect
+ github.com/tommy-muehle/go-mnd/v2 v2.5.1 // indirect
+ github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 // indirect
+- github.com/ulikunitz/xz v0.5.11 // indirect
++ github.com/ulikunitz/xz v0.5.15 // indirect
+ github.com/ultraware/funlen v0.1.0 // indirect
+ github.com/ultraware/whitespace v0.1.0 // indirect
+ github.com/uudashr/gocognit v1.1.2 // indirect
+diff --git a/go.sum b/go.sum
+index 995b93010..715cd6dea 100644
+--- a/go.sum
++++ b/go.sum
+@@ -1010,8 +1010,8 @@ github.com/u-root/u-root v0.14.0 h1:Ka4T10EEML7dQ5XDvO9c3MBN8z4nuSnGjcd1jmU2ivg=
+ github.com/u-root/u-root v0.14.0/go.mod h1:hAyZorapJe4qzbLWlAkmSVCJGbfoU9Pu4jpJ1WMluqE=
+ github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 h1:pyC9PaHYZFgEKFdlp3G8RaCKgVpHZnecvArXvPXcFkM=
+ github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701/go.mod h1:P3a5rG4X7tI17Nn3aOIAYr5HbIMukwXG0urG0WuL8OA=
+-github.com/ulikunitz/xz v0.5.11 h1:kpFauv27b6ynzBNT/Xy+1k+fK4WswhN/6PN5WhFAGw8=
+-github.com/ulikunitz/xz v0.5.11/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
++github.com/ulikunitz/xz v0.5.15 h1:9DNdB5s+SgV3bQ2ApL10xRc35ck0DuIX/isZvIk+ubY=
++github.com/ulikunitz/xz v0.5.15/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
+ github.com/ultraware/funlen v0.1.0 h1:BuqclbkY6pO+cvxoq7OsktIXZpgBSkYTQtmwhAK81vI=
+ github.com/ultraware/funlen v0.1.0/go.mod h1:XJqmOQja6DpxarLj6Jj1U7JuoS8PvL4nEqDaQhy22p4=
+ github.com/ultraware/whitespace v0.1.0 h1:O1HKYoh0kIeqE8sFqZf1o0qbORXUCOQFrlaQyZsczZw=
diff --git a/tailscale-1.86.5.tar.gz b/tailscale-1.86.5.tar.gz
new file mode 100644
index 0000000..c896ccb
--- /dev/null
+++ b/tailscale-1.86.5.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:41d7a8318ae624bd7f8315d4f4d929025f403837b97d505e142064273dde7b6d
+size 73557568
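Review bot: The patch bumps github.com/ulikunitz/xz only in go.mod and go.sum, but the spec shown earlier in this series builds from a vendored tree (`%autosetup -a1` unpacks vendor.tar.gz), and the Go toolchain in vendor mode checks go.mod against vendor/modules.txt; unless vendor.tar.gz was regenerated with v0.5.15 the build stops with an inconsistent-vendoring error, and if it was regenerated, the vendored sources rather than this patch are what actually carries the fix. Which of the two applies is worth recording in the patch, because a reader of this file alone cannot tell whether the fixed code ever reached the binary. The 1.88.1 changelog entry in this same commit also says the patch was removed as fixed upstream, yet the file is still added here; if the current spec no longer lists it as a Patch, it is an orphaned file and should be dropped so a stale CVE patch is not carried in the repository.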
diff --git a/tailscale-1.88.1.tar.gz b/tailscale-1.88.1.tar.gz new file mode 100644 index 0000000..ca210fd --- /dev/null +++ b/tailscale-1.88.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8bf6ec31b921f822867977bee5a57bcd79e1ac721fc1498dc99f8b4e028942c4 +size 74267799 diff --git a/tailscale-1.88.3.tar.gz b/tailscale-1.88.3.tar.gz new file mode 100644 index 0000000..26c7e7d --- /dev/null +++ b/tailscale-1.88.3.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:cf8b2625ffe57b92ad34af619e0e78202fd9c3d219295c18781d3682411efce1 +size 75520912 diff --git a/tailscale-1.90.2.tar.gz b/tailscale-1.90.2.tar.gz new file mode 100644 index 0000000..553ddcf --- /dev/null +++ b/tailscale-1.90.2.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:eb89e930b62365aeda0fd8fd1af5ab640fd47340c60286ee4102bf2738c26267 +size 75912665 diff --git a/tailscale-1.90.3.tar.gz b/tailscale-1.90.3.tar.gz new file mode 100644 index 0000000..d5bfa94 --- /dev/null +++ b/tailscale-1.90.3.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:94e98597379c95acc11ec3adee926f868baf0a32986ceea91e7ad90817863a00 +size 75995057 diff --git a/tailscale-1.90.4.tar.gz b/tailscale-1.90.4.tar.gz new file mode 100644 index 0000000..aa03a50 --- /dev/null +++ b/tailscale-1.90.4.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:540310a3c9f29866e13356b4d04d8553a582a99a3032f342ff51deed29998a97 +size 76927017 diff --git a/tailscale-1.90.6.tar.gz b/tailscale-1.90.6.tar.gz new file mode 100644 index 0000000..33e1a1e --- /dev/null +++ b/tailscale-1.90.6.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:cb862094a7709cfe8e21b006fdd6fb20c14fbd8a840a6d1fe8eabfdaa2f5b063 +size 77877013 diff --git a/tailscale-1.90.8.tar.gz b/tailscale-1.90.8.tar.gz new file mode 100644 index 0000000..56e8d0f --- /dev/null +++ b/tailscale-1.90.8.tar.gz 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c163ace41d1c35beb7a9d87da20a102a108ca9c4d128a29ff9764344e5c5406d +size 78844949 diff --git a/tailscale-1.92.1.tar.gz b/tailscale-1.92.1.tar.gz new file mode 100644 index 0000000..607d760 --- /dev/null +++ b/tailscale-1.92.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0738a6bf43776830a72c870c3ad476882c36ed803d024a1331e0cb82850668d3 +size 79379813 diff --git a/tailscale.changes b/tailscale.changes new file mode 100644 index 0000000..3caa320 --- /dev/null +++ b/tailscale.changes 
@@ -0,0 +1,664 @@ +------------------------------------------------------------------- +Sat Dec 6 11:39:58 UTC 2025 - Richard Rahl + +- Update to version 1.92.1: + * fix LocalBackend deadlock when packet arrives during profile switch + * wgengine: fix TSMP/ICMP callback leak +- Update to version 1.92.0: + * no changelog provided +- Update to version 1.90.9: + * tailscaled no longer deadlocks during event bursts + * The client no longer hangs after wake up + +------------------------------------------------------------------- +Wed Nov 19 16:23:06 UTC 2025 - Richard Rahl + +- Update to version 1.90.8: + * tka: move RemoveAll() to CompactableChonk +- Update to version 1.90.7: + * wgengine/magicsock: validate endpoint.derpAddr + * wgengine/magicsock: fix UDPRelayAllocReq/Resp deadlock + * net/udprelay: replace VNI pool with selection algorithm + * feature/relayserver,ipn/ipnlocal,net/udprelay: plumb DERPMap + * feature/relayserver: fix Shutdown() deadlock + * net/netmon: do not abandon a subscriber when exiting early + * tka: don't try to read AUMs which are partway through being written + * tka: rename a mutex to mu instead of single-letter l + * ipn/ipnlocal: use an in-memory TKA store if FS is unavailable + +------------------------------------------------------------------- +Sun Nov 2 11:43:31 UTC 2025 - Richard Rahl + +- Update to version 1.90.6: + * Routes no longer stall and fail to apply when updated repeatedly in a short + period of time + * Tailscale SSH no longer hangs for 10s when connecting to tsrecorder. 
This + affected tailnets that use Tailscale SSH recording + +------------------------------------------------------------------- +Wed Oct 29 09:50:22 UTC 2025 - Richard Rahl + +- Update to version 1.90.4: + * deadlock issue no longer occurs in the client when checking + for the network to be available + * tailscaled no longer sporadically panics when a + Trusted Platform Module (TPM) device is present + +------------------------------------------------------------------- +Tue Oct 28 11:12:50 UTC 2025 - Richard Rahl + +- Update to version 1.90.3: + * tailscaled shuts down as expected and without panic + * tailscaled starts up as expected in a no router configuration environment + +------------------------------------------------------------------- +Fri Oct 24 18:11:11 UTC 2025 - Richard Rahl + +- Update to version 1.90.2: + * util/linuxfw: fix 32-bit arm regression with iptables + * health: compare warnable codes to avoid errors on release branch + * feature/tpm: check TPM family data for compatibility + +------------------------------------------------------------------- +Fri Oct 24 10:08:31 UTC 2025 - Richard Rahl + +- Upate to version 1.90.1: + * Clients can use configured DNS resolvers for all domains + * Node keys will be renewed seamlessly + * Unnecessary path discovery packets over DERP servers are suppressed + * Node key sealing is GA (generally available) and enabled by default + +------------------------------------------------------------------- +Wed Oct 1 11:55:52 UTC 2025 - Richard Rahl + +- update to version 1.88.3: + * cmd/tailscale/cli: add ts2021 debug flag to set a dial plan + * control/controlhttp: simplify, fix race dialing, remove priority concept +- update to version 1.88.2: + * k8s-operator: reset service status before append +- require the minimum go version directly, in comparison to using the golang(API) + symbol + +------------------------------------------------------------------- +Fri Sep 12 11:11:48 UTC 2025 - Richard Rahl + +- update 
to version 1.88.1: + * Tailscale CLI prompts users to confirm impactful actions + * Tailscale SSH works as expected when using an IP address instead of a + hostname and MagicDNS is disabled + * fixed: Taildrive sharing when su not present + * Taildrive files remain consistently accessible + * new: Tailscale tray GUI + * DERP IPs changed for Singapore and Tokyo +- remove fix-CVE-2025-58058.patch, fixed upstream + +------------------------------------------------------------------- +Fri Aug 29 12:57:59 UTC 2025 - Richard Rahl + +- add patch fix-CVE-2025-58058.patch, fixing bsc#1248920 + +------------------------------------------------------------------- +Fri Aug 29 11:10:29 UTC 2025 - Richard Rahl + +- update to version 1.86.5: + * cmd/k8s-proxy,k8s-operator: fix serve config for userspace mode +- update to version 1.86.4: + * nothing of relevance +- update to version 1.86.3: + * nothing of relevance + +------------------------------------------------------------------- +Tue Jul 29 21:20:47 UTC 2025 - Richard Rahl + +- update to version 1.86.2: + * A deadlock issue that may have occurred in the client + * An occasional crash when establishing a new port mapping with a gateway or + firewall + +------------------------------------------------------------------- +Sat Jul 26 16:23:38 UTC 2025 - Richard Rahl + +- update to version 1.86.0: + * tsStateEncrypted device posture attribute for checking whether the + Tailscale client state is encrypted at rest + * Cross-site request forgery (CSRF) issue that may have resulted in a log in + error when accessing the web interface + * Recommended exit node when the previously recommended exit node is offline + * tailscale up --exit-node=auto:any and tailscale set --exit-node=auto:any + CLI commands track the recommended exit node and automatically switches to + it when available exit nodes or network conditions change + * tailscaled CLI command flag --encrypt-state encrypts the node state file on + the disk using trusted platform 
module (TPM)
+
+-------------------------------------------------------------------
+Thu Jun 26 17:29:44 UTC 2025 - Richard Rahl
+
+- update to 1.84.3:
+ * ipn/ipnlocal: Update hostinfo to control on service config change
+
+-------------------------------------------------------------------
+Tue Jun 10 15:36:55 UTC 2025 - Richard Rahl
+
+- update to 1.84.2:
+ * Re-enable setting —accept-dns by using TS_EXTRA_ARGS. This issue resulted
+ from stricter CLI arguments parsing introduced in Tailscale v1.84.0
+
+-------------------------------------------------------------------
+Fri May 30 06:23:15 UTC 2025 - Richard Rahl
+
+- update to 1.84.1:
+ * net/dns: cache dns.Config for reuse when compileConfig fails
+
+-------------------------------------------------------------------
+Thu May 22 08:27:09 UTC 2025 - Richard Rahl
+
+- update to 1.84.0:
+ * The --reason flag is added to the tailscale down command
+ * ReconnectAfter policy setting, which configures the maximum period of time
+ between a user disconnecting Tailscale and the client automatically
+ reconnecting
+ * Tailscale CLI commands throw an error if multiple of the same flag are detected
+ * Network connectivity issues when creating a new profile or switching
+ profiles while using an exit node
+ * DNS-over-TCP fallback works correctly with upstream servers reachable only
+ via the tailnet
+- remove fix-CVE-2025-22869.patch, as upstream updated their dependencies
+
+-------------------------------------------------------------------
+Fri Apr 18 07:37:15 UTC 2025 - Richard Rahl
+
+- update to 1.82.5:
+ * A panic issue related to CUBIC congestion control in userspace mode is resolved.
+
+-------------------------------------------------------------------
+Thu Mar 27 19:50:58 UTC 2025 - Richard Rahl
+
+- update to 1.82.0:
+ * DERP functionality within the client supports certificate pinning for
+ self-signed IP address certificates for those unable to use Let's Encrypt
+ or WebPKI certificates.
+ * Go is updated to version 1.24.1
+ * NAT traversal code uses the DERP connection that a packet arrived on as an
+ ultimate fallback route if no other information is available
+ * Captive portal detection reliability is improved on some in-flight Wi-Fi networks
+ * Port mapping success rate is improved
+ * Helsinki is added as a DERP region.
+
+-------------------------------------------------------------------
+Wed Mar 12 09:07:49 UTC 2025 - Richard Rahl
+
+- add patch fix-CVE-2025-22869.patch, fixes bsc#1239353
+
+-------------------------------------------------------------------
+Tue Mar 4 13:42:34 UTC 2025 - Richard Rahl
+
+- update to 1.80.3:
+ * appc: fix a deadlock in route advertisements
+ * client/web: fix CSRF handler order in web UI
+
+-------------------------------------------------------------------
+Thu Feb 13 14:30:28 UTC 2025 - Richard Rahl
+
+- update to 1.80.2:
+ * Use ip:country as a geolocation device posture attribute (generally available).
+
+-------------------------------------------------------------------
+Thu Feb 6 19:52:22 UTC 2025 - Richard Rahl
+
+- update to 1.80.1:
+ * net/netmon: add extra panic guard around ParseRIB
+
+-------------------------------------------------------------------
+Fri Jan 31 17:20:29 UTC 2025 - Richard Rahl
+
+- update to 1.80.0:
+ * Hostname system policy is added for overriding the device hostname
+ configured by the operating system, using an MDM solution.
+ * Web interface displays a Login button instead of the Reauthenticate button
+ when adding a new device to your tailnet.
+ * Tailscale Funnel configuration on devices displays errors when incoming
+ connections are not permitted and connections are disallowed.
+ * Connections to a custom coordination server that does not support HTTPS
+ will no longer fail when a custom port number is specified.
+ * TLS certificate requests from Let’s Encrypt include the device's DNS name
+ in the CSR’s SAN extension and set the Common Name field.
+ * Tailscale Funnel disabled on a device no longer displays enabled in the
+ admin console.
+ * GitHub username change automatically updates tailnet name
+ * 4via6 subnet routers GA
+ * Auto approvers GA
+ * Node attributes GA
+ * Download invoices GA
+ * Fast user switching GA
+ * Configuration log streaming integration with S3 buckets GA
+ * Network flow log streaming integration with S3 buckets GA
+ * NextDNS profiles per device GA
+ * GitHub secret scanning
+- remove fix-CVE-2024-45337.patch, as it's now included
+
+-------------------------------------------------------------------
+Wed Dec 18 17:33:23 UTC 2024 - Richard Rahl
+
+- add patch fix-CVE-2024-45337.patch, to circumevent a possibility
+ of exploiting the golang-x-crypto security hole. (fix #1234506)
+
+-------------------------------------------------------------------
+Fri Dec 13 05:06:26 UTC 2024 - Richard Rahl
+
+- update to 1.78.3:
+ * cmd/containerboot: fix nil pointer exception
+ * hostinfo: fix testing in container
+
+-------------------------------------------------------------------
+Fri Dec 6 01:22:05 UTC 2024 - Richard Rahl
+
+- update to 1.78.1:
+ * health: fix TestHealthMetric
+
+-------------------------------------------------------------------
+Thu Dec 5 22:10:32 UTC 2024 - Richard Rahl
+
+- update to 1.78.0:
+ * Client metrics have been added, to provide insights into Tailscale client
+ behavior, health, and performance.
+ * tailscale metrics command has been added, to expose and collect client
+ metrics for use with third-party monitoring systems.
+ * tailscale syspolicy command has been added, to list system policies, reload
+ system policies, or view errors related to the system policies configured
+ on the device.
+ * Tailscale system policies are applied immediately when pushed via mobile
+ device management (MDM) or Group Policy, without requiring a client restart.
+ * Tailscale SSH session recording detects the disappearance of the recorder
+ node sooner.
This fix addresses a security vulnerability described
+ in TS-2024-013.
+ * New scopes for OAuth clients have been added with more granular permissions.
+ Existing OAuth clients using the previous set of scopes, and keys generated
+ using these clients, are still valid.
+
+-------------------------------------------------------------------
+Fri Nov 8 03:46:50 UTC 2024 - Richard Rahl
+
+- update to 1.76.6:
+ * Logging for when clients move home DERP regions is improved.
+ * Tailscale clients no longer move their home DERP server prematurely in
+ response to unusual latency at very specific times.
+
+-------------------------------------------------------------------
+Tue Oct 22 18:34:42 UTC 2024 - Richard Rahl
+
+- update to 1.76.3:
+ * no relevant changelog
+- update to 1.76.2:
+ * no relevant changelog
+- switch over to the new %{default_fw_backend} macro
+- create old init file only for < leap 16
+
+-------------------------------------------------------------------
+Wed Oct 16 20:40:31 UTC 2024 - Richard Rahl
+
+- update to 1.76.1:
+ * tailscale netcheck CLI command no longer crashes when performing diagnostics
+ on networks lacking UDP connectivity.
+ * Improperly formatted SERVFAIL responses no longer cause DNS timeouts when using an exit node.
+ * dbus login sessions no longer fail on systems where /bin/login is missing.
+
+-------------------------------------------------------------------
+Mon Oct 14 13:06:13 UTC 2024 - Alexandre Vicenzi
+
+- Require a firewall backend (boo#1228829)
+- Add simple test check to ensure binaries are working
+
+-------------------------------------------------------------------
+Fri Oct 11 06:07:28 UTC 2024 - Richard Rahl
+
+- update to 1.76.0:
+ * Clients lacking UDP connectivity no longer skip performing fallback latency
+ measurements with DERP servers.
+ * Warnings no longer display unnecessarily.
+ * Tailscale connectivity on in-flight internet on airplanes (such as Alaska Airlines) no longer fails.
+ * Service-related processes no longer run unnecessarily when services are disabled on the tailnet.
+ * Error messages include explanations in addition to the HTTP status code.
+ * Tailscale SSH supports sending environment variables to hosts. It's also possible to specify
+ permitted environment variables using the acceptEnv field.
+ * Tailscale SSH no longer breaks some terminal applications by omitting pixel width and height when
+ resizing the application window.
+
+-------------------------------------------------------------------
+Sat Sep 21 05:28:42 UTC 2024 - Eric Torres
+
+- Change path of zsh completion file to make zsh properly recognize completions
+ * /usr/share/zsh/site-functions/tailscale moved to /usr/share/zsh/site-functions/_tailscale
+
+-------------------------------------------------------------------
+Wed Sep 18 19:10:19 UTC 2024 - Richard Rahl
+
+- update to 1.74.1:
+ * wgengine/magicsock: disable raw disco by default; add envknob to enable
+
+-------------------------------------------------------------------
+Fri Sep 13 10:48:17 UTC 2024 - Richard Rahl
+
+- update to 1.74.0
+ * AuthKey system policy can be used to authenticate a device with Tailscale using an MDM solution.
+ * tailscale dns CLI command is added for accessing Tailscale DNS settings and status.
+ * Tailnet Lock long rotation signatures are truncated automatically to avoid excessive growth.
+ * Log In option in the client works as expected.
+ * TCP generic receive offload (GRO) support is added for improved userspace mode throughput.
+ * TCP generic segmentation offload (GSO) is re-introduced for supporting improved userspace mode throughput.
+ This was initially introduced in Tailscale v1.72.0 and then rolled back in v1.72.1.
+ * Device posture integration with CrowdStrike Falcon can now use MAC addresses to match devices that lack serial numbers.
+ When Falcon integration is configured, Device Identity Collection will automatically collect MAC addresses.
+
+-------------------------------------------------------------------
+Thu Aug 22 22:08:51 UTC 2024 - Richard Rahl
+
+- update to 1.72.1:
+ * DNS over TCP failures when querying the Tailscale-internal resolver are fixed.
+
+-------------------------------------------------------------------
+Wed Aug 21 16:05:02 UTC 2024 - rrahl0@opensuse.org
+
+- Update to version 1.72.0:
+ * posture: deduplicate MAC addresses before returning them
+ * health/dns: reduce severity of DNS unavailable warning
+ * safeweb: add Server.Close method
+ * go.mod.sri: update SRI hash for go.mod changes
+ * go.{mod,sum}: migrate from nhooyr.io/websocket to github.com/coder/websocket
+ * cmd/viewer: add support for map-like container types
+- update golang(API) to 1.23
+- export version variables, to circumvent a bug
+
+-------------------------------------------------------------------
+Thu Jul 18 06:31:58 UTC 2024 - Richard Rahl
+
+- update to 1.70.0:
+ * New: Restrict recommended and automatically selected exit nodes using the
+ new AllowedSuggestedExitNodes system policy. Applies only to platforms that
+ support system policies.
+ * Changed: Improved NAT traversal for some uncommon scenarios.
+ * Changed: Optimized sending firewall rules to clients more efficiently.
+ * Fixed: Exit node suggestion CLI command now prints the hostname.
+ * Fixed: Taildrive share paths configured through the CLI resolve relative
+ to where you run the tailscale command.
+
+-------------------------------------------------------------------
+Tue Jul 2 20:35:35 UTC 2024 - Richard Rahl
+
+- update to 1.68.2:
+ * Fixed: Tailnet lock validation of rotation signatures now permits multiple nodes
+ signed by the same pre-signed reusable auth key.
+
+-------------------------------------------------------------------
+Sun Jun 16 13:30:20 UTC 2024 - Richard Rahl
+
+- update to 1.68.1:
+ * Fixed: 4via6 subnet router advertisement works as expected.
+ * Fixed: Tailscale SSH access to Security-Enhanced Linux (SELinux) machines works as expected.
+- update to 1.68.0:
+ * New: Auto-updates are allowed in containers, but ignore the tailnet-wide default
+ * New: Apply auto-updates even if the node is down or disconnected from the coordination server.
+ * New: tailscale lock status now prints the node's signature.
+
+-------------------------------------------------------------------
+Wed May 22 08:36:37 UTC 2024 - Richard Rahl
+
+- update to 1.66.4:
+ * Fixed: Restored UDP connectivity through Mullvad exit nodes
+ * Stateful filtering is now off by default
+
+- update to 1.66.3:
+ * Login URLs did not always appear in the console when running tailscale up
+ * Starting with v1.66, the Kubernetes operator must always run the same or later version
+ as the proxies it manages.
+ * Expose cloud services on cluster network to the tailnet, using Kubernetes ExternalName Services
+ * Expose tailnet services that use Tailscale HTTPS to cluster workloads
+ * Cluster workloads can now refer to Tailscale Ingress resources by their MagicDNS names
+ * Configure environment variables for Tailscale Kubernetes operator proxies using ProxyClass CRD
+ * Expose tailscaled metrics endpoint for Tailscale Kubernetes operator proxies through ProxyClass CRD
+ * Configure labels for the Kubernetes operator Pods with Helm chart values
+ * Configure affinity rules for Kubernetes operator proxy Pods with ProxyClass
+ * Kubernetes operator proxy init container no longer attempts to enable IPv6 forwarding on systems
+ that don't have IPv6 module loaded
+ * Tailscale containers running on Kubernetes no longer error if an empty Kubernetes Secret is
+ pre-created for the tailscaled state
+ * Improved the ambiguous error messages when Tailscale running on Kubernetes does not have the right
+ permissions to perform actions against the tailscaled state Secret
+
+-------------------------------------------------------------------
+Fri May 10 15:16:33
UTC 2024 - Richard Rahl
+
+- update to 1.66.1:
+ * Resolved issues with nftables rules for stateful filtering,
+ introduced in v1.66.0.
+ * tailscale set command flags --netfilter-mode, --snat-subnet-routes,
+ and --stateful-filtering are added.
+
+- update to 1.66.0:
+ * Implemented client-side quarantining for shared-in exit nodes,
+ as a mitigation for a security vulnerability described in TS-2024-005.
+ * Use the --stateful-filtering flag for the tailscale up to enable stateful filtering for
+ subnet routers and exit nodes, as a mitigation for a security vulnerability described
+ in TS-2024-005.
+ * Added tab completions
+ * Use the tailscale exit-node suggest command to automatically pick an available exit node
+ that is likely to perform best.
+ * Site-to-site networking now also requires --stateful-filtering=false in addition to
+ --snat-subnet-routes=false on new subnet routers. Existing subnet routers with --snat-subnet-routes=false
+ will default to --stateful-filtering=false.
+
+- update to 1.64.2:
+ * nothing relevant for linux
+
+- update to 1.64.1:
+ * nothing relevant for linux
+
+- update to 1.64.0:
+ * New: tailscale configure kubeconfig now respects KUBECONFIG environment variable.
+ * Fixed: tailscale configure kubeconfig now works with partially empty kubeconfig.
+ * Fixed: MSS clamping for Kubernetes operator proxies using nftables.
+ * Fixed: Containers on hosts with partial support for ip6tables no longer crash.
+
+- turn of changelog generation
+- add completions for bash
+
+-------------------------------------------------------------------
+Sat Mar 30 08:28:56 UTC 2024 - Richard Rahl
+
+- update to 1.62.1:
+ * Send load balancing hint HTTP request header
+ * Fixed: Kubernetes operator proxies should not accept subnet routes
+
+-------------------------------------------------------------------
+Thu Mar 14 03:13:54 UTC 2024 - rrahl0@proton.me
+
+- update to 1.62.0:
+ * IPv6 support detection in a container environment is improved
+ * New: Web interface now uses ACL grants to manage access on tagged devices
+ * Tailscale SSH connections now disable unnecessary hostname canonicalization
+ * tailscale bugreport command for generating diagnostic logs now contain ethtool information
+ * Mullvad's family-friendly server is added to the list of well known DNS over HTTPS (DoH) servers
+ * DNS over HTTP requests now contain a timeout
+ * TCP forwarding attempts in userspace mode now have a per-client limit
+ * Endpoints with link-local IPv6 addresses is preferred over private addresses
+ * WireGuard logs are less verbose
+ * Go min.
version 1.22.1
+ * DERP server region no longer changes if connectivity to the new DERP region is degraded
+
+- update to 1.60.1:
+ * Exposing port 8080 to other devices on your tailnet works as expected
+
+-------------------------------------------------------------------
+Tue Feb 20 22:10:41 UTC 2024 - Alexandre Vicenzi
+
+- Add disable-auto-update.patch to prevent auto updates and instead
+ ask users to use Zypper to update manually
+
+-------------------------------------------------------------------
+Tue Feb 20 14:52:46 UTC 2024 - Richard Rahl
+
+- change to the non deprecated manualrun
+
+-------------------------------------------------------------------
+Fri Feb 16 14:38:14 UTC 2024 - alexandre.vicenzi@suse.com
+
+- Spec cleanup
+ * Use tar_scm to avoid commit hashes in the spec
+ * Use tailscale build scripts
+ * Drop ProtectClock fix for Leap, DeviceAllow fixes it
+- Add build-verbose.patch to get go flags into build log
+- Enable PrivateDevices but allow access to /dev/net/tun in tailscaled.service
+
+-------------------------------------------------------------------
+Fri Feb 16 00:50:26 UTC 2024 - Richard Rahl
+
+- update to 1.60.0:
+ * minimum go version 1.22
+ * authentication: present users with a valid login page when
+ attempting to login even after leaving device unattended for several days
+ * networking: mute noisy peer mtu discovery errors
+ * networking: expose gVisor metrics in debug mode
+ * port mapper: support legacy "urn:dslforum-org" port mapping services
+ * port mapper: fix crash when no support mapping services found
+ * ssh: log warning when unable to find SSH host keys
+ * serve: improve error message when running as non-root
+ * Detect when Tailscale is running on Digital Ocean and automatically
+ use Digital Ocean's DNS resolvers
+ * enable app connectors to install routes for domains that resolve to CNAME
+ records
+ * support pre-configured routes from control server
+ * add new read-only mode
+ * tailscale status command:
fix output formatting Tailnet
+ includes location-based exit nodes
+ * a new ProxyClass custom resource that allows to provide custom
+ configuration for cluster resources that the operator creates
+ * ACL tags for the operator can now be configured via Helm chart values
+ * routing to Ingress backends that require an exact path without a slash
+
+-------------------------------------------------------------------
+Wed Feb 7 14:52:53 UTC 2024 - Richard Rahl
+
+- make rpm not overwrite /etc/default/taiscaled
+- defattr everything to root
+
+-------------------------------------------------------------------
+Sat Feb 3 11:18:05 UTC 2024 - Richard Rahl
+
+- no stripping of binaries
+- add commitID to binaries for upstream
+- add directory for saved configs
+
+-------------------------------------------------------------------
+Tue Jan 23 23:54:36 UTC 2024 - Richard Rahl
+
+- switch services to manual
+- update to version 1.58.2:
+ * Fixed: [App connectors][app-connectors] have improved scheduling
+ and merging of route changes under some conditions
+ * Fixed: Crash when performing UPnP portmapping on older routers
+ with no supported portmapping services
+
+-------------------------------------------------------------------
+Fri Jan 19 08:06:27 UTC 2024 - Richard Rahl
+
+- update to version 1.58.0:
+ * portmap: check the epoch from NAT-PMP & PCP, establish new portmapping if it changes
+ * portmap: better handle multiple interfaces
+ * portmap: handle multiple UPnP discovery responses
+ * increase the number of 4via6 site IDs from 256 to 65,536
+ * taildrop: allow category Z unicode characters
+ * increased binary size with 1.56 is resolved in 1.58
+ * Reduce home DERP flapping when there's still an active connection
+ * device web ui: fixed issue when accessing shared devices
+ * device web ui: fixed login issue when accessed over https
+
+-------------------------------------------------------------------
+Wed Jan 10 02:17:57 UTC 2024 - Richard Rahl
+
+- fix an
issue with Leap, where ProtectClock prevents to connect to
+ /dev/net/tun
+
+-------------------------------------------------------------------
+Fri Dec 15 21:22:39 UTC 2023 - Richard Rahl
+
+- update to version 1.56.1:
+ * Fixed: Web interface redirects to the correct self IP known by source peer
+ * Fixed: Usage of slices.Compact from app connector domains list
+
+-------------------------------------------------------------------
+Fri Dec 15 13:48:28 UTC 2023 - Richard Rahl
+
+- fix version output to what upstream expects
+
+-------------------------------------------------------------------
+Wed Dec 13 22:08:30 UTC 2023 - rrahl0@proton.me
+
+- Update to version 1.56.0:
+ * improve responsiveness under load, especially with bidirectional traffic
+ * improve UPnP portmapping
+ * add tailscale whois subcommand to observe metadata associated with a Tailscale IP
+ * include tailnet name and profile ID in tailscale switch --list to disambiguate
+ profiles with common login names
+ * improve tailscale web interface for configuring some device settings such as exit nodes,
+ subnet routers, and Tailscale SSH
+ * improve containerboot to symlink its socket file if possible,
+ making the tailscale CLI work without --socket=/tmp/tailscale.sock
+ * add support in Kubernetes operator cluster egress for referring to a tailnet service
+ by its MagicDNS name
+
+
+- Update to version 1.54.1:
+ * no relevant updates to the linux version
+
+-------------------------------------------------------------------
+Fri Nov 24 21:59:11 UTC 2023 - Richard Rahl
+
+- tailscale couldn't connect to /dev/net/tun
+
+-------------------------------------------------------------------
+Thu Nov 23 06:51:24 UTC 2023 - rrahl0@proton.me
+
+- Update to version 1.54.0:
+ * improve throughput substantially for UDP packets over TUN device with recent Linux kernels
+
+
+- Update to version 1.52.1:
+ * no linux improvements
+
+- Update to version 1.52.0:
+ * tailscale set command flag --auto-update is
added to opt in to automatic client updates
+ * tailscale serve and tailscale funnel commands are updated for improved usability
+ * tailscale update command for manual updates is now in beta
+ * Taildrop file transfer displays a progress meter
+ * nftables auto-detection is improved when TS_DEBUG_FIREWALL_MODE=auto is used
+ * DNS detection of NetworkManager with configured but absent systemd-resolved
+ * Taildrop now resumes file transfers after partial transfers are interrupted
+ * tailscale up command displays a message about client updates when newer versions are available
+ * tailscale status command displays a message about client updates when newer versions are available
+ * tailscale cert command renews in the background. The current certificate only displays if it has expired.
+
+-------------------------------------------------------------------
+Mon Oct 02 23:51:03 UTC 2023 - rrahl0@proton.me
+
+- Update to version 1.50.1:
+ * fix bug where serve config could get wiped
+ * Funnel support for tsnet apps
+ * fix potential crash with UPnP
+
+-------------------------------------------------------------------
+Sat Sep 30 19:38:50 UTC 2023 - rrahl0@proton.me
+
+- Update to version 1.50.0:
+ * Update tailscale{,d} licenses
+ * Update Quad9 addresses and references
+ * Adds support for Wikimedia DNS using DNS-over-HTTPS
+
+- Update to version 1.48.1:
+ * no relevant updates
+
+- Update to version 1.48.2:
+ * Improvements to Mullvad exit nodes
+
+-------------------------------------------------------------------
+Fri Aug 18 15:56:24 UTC 2023 - Richard Rahl
+
+- Initial revision
diff --git a/tailscale.spec b/tailscale.spec
new file mode 100644
index 0000000..19a00a5
--- /dev/null
+++ b/tailscale.spec
@@ -0,0 +1,143 @@
+#
+# spec file for package tailscale
+#
+# Copyright (c) 2025 SUSE LLC and contributors
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name: tailscale
+Version: 1.92.1
+Release: 0
+Summary: The easiest, most secure way to use WireGuard and 2FA
+License: BSD-3-Clause
+URL: https://github.com/tailscale/tailscale
+Source: %{name}-%{version}.tar.gz
+Source1: vendor.tar.gz
+Source2: %{name}d.service
+Source3: %{name}d.defaults
+Patch0: build-verbose.patch
+Patch1: disable-auto-update.patch
+BuildRequires: bash-completion
+BuildRequires: fish
+BuildRequires: git-core
+BuildRequires: go1.25 >= 1.25.5
+BuildRequires: golang-packaging
+BuildRequires: zsh
+Requires: %{default_firewall_backend}
+ExcludeArch: %{ix86}
+%{?systemd_requires}
+
+%description
+Tailscale is a modern VPN built on top of Wireguard. It works like an overlay
+network between the computers of your networks using NAT traversal.
+
+%package bash-completion
+Summary: Tailscale bash completion
+Supplements: (%{name} and bash-completion)
+BuildArch: noarch
+
+%description bash-completion
+bash completions for %{name}
+
+%package zsh-completion
+Summary: Tailsacle zsh completion
+Supplements: (%{name} and zsh)
+BuildArch: noarch
+
+%description zsh-completion
+zsh completion for %{name}
+
+%package fish-completion
+Summary: Tailscale fish completion
+Supplements: (%{name} and fish)
+BuildArch: noarch
+
+%description fish-completion
+fish completion for %{name}
+
+%prep
+%autosetup -a1 -p1
+
+%build
+%ifnarch ppc64
+export GOFLAGS="-buildmode=pie"
+%endif
+export VERSION_SHORT=%{version}
+export VERSION_LONG=%{version}
+export VERSION_GIT_HASH='$(git rev-parse v%{version})'
+./build_dist.sh ./cmd/%{name}
+./build_dist.sh ./cmd/%{name}d
+
+#generate completions
+./%{name} completion bash > ./%{name}.bash
+./%{name} completion zsh > ./%{name}.zsh
+./%{name} completion fish > ./%{name}.fish
+
+%check
+./%{name} version
+./%{name}d -version
+
+%install
+mkdir -p %{buildroot}%{_sharedstatedir}/%{name}
+
+install -D -p -m 0755 %{name} %{buildroot}%{_bindir}/%{name}
+install -D -p -m 0755 %{name}d %{buildroot}%{_sbindir}/%{name}d
+
+# service
+install -D -p -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/%{name}d.service
+%if 0%{?suse_version} < 1600
+ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}d
+%endif
+
+# defaults
+install -D -p -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/default/%{name}d
+
+install -D -p -m 0644 ./%{name}.bash %{buildroot}%{_datadir}/bash-completion/completions/%{name}
+install -D -p -m 0644 ./%{name}.zsh %{buildroot}%{_datadir}/zsh/site-functions/_%{name}
+install -D -p -m 0644 ./%{name}.fish %{buildroot}%{_datadir}/fish/vendor_completions.d/%{name}
+
+%pre
+%service_add_pre %{name}d.service
+
+%post
+%service_add_post %{name}d.service
+
+%preun
+%service_del_preun %{name}d.service
+
+%postun
+%service_del_postun %{name}d.service
+
+%files
+%license LICENSE PATENTS
+
+%doc README.md SECURITY.md
+%config(noreplace) %{_sysconfdir}/default/%{name}d
+%dir %{_sharedstatedir}/%{name}
+%{_bindir}/%{name}
+%{_sbindir}/%{name}d
+%{_unitdir}/%{name}d.service
+%if 0%{?suse_version} < 1600
+%{_sbindir}/rc%{name}d
+%endif
+
+%files bash-completion
+%{_datadir}/bash-completion/completions/%{name}
+
+%files zsh-completion
+%{_datadir}/zsh/site-functions/_%{name}
+
+%files fish-completion
+%{_datadir}/fish/vendor_completions.d/%{name}
+
+%changelog
diff --git a/tailscaled.defaults b/tailscaled.defaults
new file mode 100644
index 0000000..75f1c3e
--- /dev/null
+++ b/tailscaled.defaults
@@ -0,0 +1,8 @@
+# Set the port to listen on for incoming VPN packets.
+# Remote nodes will automatically be informed about the new port number,
+# but you might want to configure this in order to set external firewall
+# settings.
+PORT="41641"
+
+# Extra flags you might want to pass to tailscaled.
+FLAGS=""
diff --git a/tailscaled.service b/tailscaled.service
new file mode 100644
index 0000000..b67b94d
--- /dev/null
+++ b/tailscaled.service
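Review bot: `export VERSION_GIT_HASH='$(git rev-parse v%{version})'` in %build is single-quoted, so the shell exports the literal text `$(git rev-parse v1.92.1)` rather than a commit hash; unless build_dist.sh evaluates the variable itself, that literal is what lands in the binaries' commit stamp, and if the obs_scm tarball carries no .git the lookup could not resolve the tag anyway. Dropping the single quotes would at least run the lookup so a failure shows in the build log instead of silently stamping shell text. The %check section runs `./%{name} version` and `./%{name}d -version` but never inspects their output, so a wrong version or commit stamp still passes; piping through `grep -q %{version}` would pin at least the version. `Summary: Tailsacle zsh completion` in the zsh-completion subpackage is misspelled.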
@@ -0,0 +1,35 @@
+[Unit]
+Description=Tailscale node agent
+Documentation=https://tailscale.com/kb/
+Wants=network-pre.target
+After=network-pre.target NetworkManager.service systemd-resolved.service
+
+[Service]
+EnvironmentFile=/etc/default/tailscaled
+ExecStartPre=/usr/sbin/tailscaled --cleanup
+ExecStart=/usr/sbin/tailscaled --state=/var/lib/tailscale/tailscaled.state --socket=/run/tailscale/tailscaled.sock --port=${PORT} $FLAGS
+ExecStopPost=/usr/sbin/tailscaled --cleanup
+Restart=on-failure
+RuntimeDirectory=tailscale
+RuntimeDirectoryMode=0755
+StateDirectory=tailscale
+StateDirectoryMode=0700
+CacheDirectory=tailscale
+CacheDirectoryMode=0750
+Type=notify
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+PrivateDevices=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+RestrictRealtime=true
+# give permission to TUN
+BindPaths=/dev/net/tun
+DeviceAllow=/dev/net/tun rw
+
+[Install]
+WantedBy=multi-user.target
diff --git a/vendor.tar.gz b/vendor.tar.gz
new file mode 100644
index 0000000..ed2bb36
--- /dev/null
+++ b/vendor.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c25daa738a3df23e68672e9de32e9fd07a24f574e62f0e3e7435bbc26a610b7f
+size 20885496
-- 
2.51.1

From fce1b2083b7b02a57cb464f9eed6262bcb188562a063ce8489b3491d2e552c3b Mon Sep 17 00:00:00 2001
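Review bot: The hardening block after `Type=notify` leaves `ProtectSystem=` unset, so tailscaled, which this unit runs as root, keeps a writable /usr and /boot even though its declared writable locations are only the RuntimeDirectory, StateDirectory and CacheDirectory lines above. With self-update turned off by disable-auto-update.patch the daemon has no reason to write under /usr, so `ProtectSystem=true` looks safe; `full` or `strict` would also make /etc read-only, which presumably breaks the daemon's handling of /etc/resolv.conf unless a matching `ReadWritePaths=` is added, so that variant needs testing first. `CapabilityBoundingSet=` is also absent, so the root process retains the full capability set; the minimal set (at least CAP_NET_ADMIN and CAP_NET_RAW for the TUN device and firewall rules) should be measured on a test host rather than assumed, since Tailscale SSH and DNS management may need more. A one-line comment next to `BindPaths=/dev/net/tun` noting that `PrivateDevices=true` hides the node and the bind plus `DeviceAllow=` re-expose it would explain why both lines are needed.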
From: Richard Rahl
Date: Fri, 12 Dec 2025 14:29:49 +0000
Subject: [PATCH 21/25] - Update to version 1.92.2: * cmd/derper: add GCP Certificate Manager support
OBS-URL: https://build.opensuse.org/package/show/network:vpn/tailscale?expand=0&rev=110
---
 .gitattributes | 23 ++
 .gitignore | 1 +
 _service | 18 +
 _servicedata | 4 +
 build-verbose.patch | 13 +
 disable-auto-update.patch | 25 ++
 fix-CVE-2025-58058.patch | 28 ++
 tailscale-1.86.5.tar.gz | 3 +
 tailscale-1.88.1.tar.gz | 3 +
 tailscale-1.88.3.tar.gz | 3 +
 tailscale-1.90.2.tar.gz | 3 +
 tailscale-1.90.3.tar.gz | 3 +
 tailscale-1.90.4.tar.gz | 3 +
 tailscale-1.90.6.tar.gz | 3 +
 tailscale-1.90.8.tar.gz | 3 +
 tailscale-1.92.1.tar.gz | 3 +
 tailscale-1.92.2.tar.gz | 3 +
 tailscale.changes | 670 ++++++++++++++++++++++++++++++++++++++
 tailscale.spec | 143 ++++++++
 tailscaled.defaults | 8 +
 tailscaled.service | 35 ++
 vendor.tar.gz | 3 +
 22 files changed, 1001 insertions(+)
 create mode 100644 .gitattributes
 create mode 100644 .gitignore
 create mode 100644 _service
 create mode 100644 _servicedata
 create mode 100644 build-verbose.patch
 create mode 100644 disable-auto-update.patch
 create mode 100644 fix-CVE-2025-58058.patch
 create mode 100644 tailscale-1.86.5.tar.gz
 create mode 100644 tailscale-1.88.1.tar.gz
 create mode 100644 tailscale-1.88.3.tar.gz
 create mode 100644 tailscale-1.90.2.tar.gz
 create mode 100644 tailscale-1.90.3.tar.gz
 create mode 100644 tailscale-1.90.4.tar.gz
 create mode 100644 tailscale-1.90.6.tar.gz
 create mode 100644 tailscale-1.90.8.tar.gz
 create mode 100644 tailscale-1.92.1.tar.gz
 create mode 100644 tailscale-1.92.2.tar.gz
 create mode 100644 tailscale.changes
 create mode 100644 tailscale.spec
 create mode 100644 tailscaled.defaults
 create mode 100644 tailscaled.service
 create mode 100644 vendor.tar.gz
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/_service b/_service new file mode 100644 index 0000000..f711228 --- /dev/null +++ b/_service @@ -0,0 +1,18 @@ + + + https://github.com/tailscale/tailscale.git + git + yes + refs/tags/v1.92.2 + @PARENT_TAG@ + v(.*) + disable + + + + *.tar + gz + + + + diff --git a/_servicedata b/_servicedata new file mode 100644 index 0000000..d4fed67 --- /dev/null +++ b/_servicedata @@ -0,0 +1,4 @@ + + + https://github.com/tailscale/tailscale.git + aa448d5a9985378af04966c6d7aec8d9f4a166ca \ No newline at end of file diff --git a/build-verbose.patch b/build-verbose.patch new file mode 100644 index 0000000..5da7533 --- /dev/null +++ b/build-verbose.patch 
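Review bot: The `_service` revision is the tag `refs/tags/v1.92.2` rather than a commit, so what tar_scm checks out is whatever the tag points at when the service runs; tags can be moved, and the resolved commit is only recorded afterwards in `_servicedata` (`aa448d5a9985378af04966c6d7aec8d9f4a166ca`). Pinning `revision` to that commit hash makes the source checkout reproducible and tamper-evident, which matters for a package that ships a VPN daemon running as root. The XML markup of `_service` and `_servicedata` is stripped in this rendering, so the element names are inferred from the values rather than visible.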
@@ -0,0 +1,13 @@
+diff --git a/build_dist.sh b/build_dist.sh
+index 0c757c26..9639d596 100755
+--- a/build_dist.sh
++++ b/build_dist.sh
+@@ -9,7 +9,7 @@
+ # this script, or executing equivalent commands in your
+ # distro-specific build system.
+
+-set -eu
++set -eux
+
+ go="go"
+ if [ -n "${TS_USE_TOOLCHAIN:-}" ]; then
diff --git a/disable-auto-update.patch b/disable-auto-update.patch
new file mode 100644
index 0000000..c7d8a30
--- /dev/null
+++ b/disable-auto-update.patch
@@ -0,0 +1,25 @@
+diff -rub tailscale/clientupdate/clientupdate.go tailscale-patched/clientupdate/clientupdate.go
+--- tailscale/clientupdate/clientupdate.go 2024-06-16 15:26:31.323022871 +0200
++++ tailscale-patched/clientupdate/clientupdate.go 2024-06-16 15:57:08.732315446 +0200
+@@ -205,6 +205,8 @@
+ // The distro.Debian switch case above should catch most apt-based
+ // systems, but add this fallback just in case.
+ return up.updateDebLike, true
++ case haveExecutable("zypper"):
++ return up.updateSUSE, false
+ case haveExecutable("dnf"):
+ return up.updateFedoraLike("dnf"), true
+ case haveExecutable("yum"):
+@@ -526,6 +528,12 @@
+ you can use "pacman --sync --refresh --sysupgrade" or "pacman -Syu" to upgrade the system, including Tailscale.`)
+ }
+
++func (up *Updater) updateSUSE() error {
++ // SUSE-based distros should update manually.
++ // The package can come from official Tailscale repos or not and the system can be transactional or not.
++ return errors.New(`Use Zypper or transactional-update (on applicable systems) to update Tailscale on openSUSE or SUSE Linux Enterprise installations.`)
++}
++
+ func (up *Updater) updateNixos() error {
+ // NixOS package updates are managed on a system level and not individually.
+ // Direct users to update their nix channel or nixpkgs flake input to
diff --git a/fix-CVE-2025-58058.patch b/fix-CVE-2025-58058.patch
new file mode 100644
index 0000000..867ec16
--- /dev/null
+++ b/fix-CVE-2025-58058.patch
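Review bot: The added `case haveExecutable("zypper"):` returns `up.updateSUSE, false` with no comment on what the `false` means, while every neighbouring case returns `true`; from the context it looks like the can-auto-update flag, so a reader has to infer that the SUSE path deliberately disables automatic updates. A one-line comment on the case, `// openSUSE/SLE: never auto-update; updateSUSE only points the user at zypper/transactional-update`, would make that explicit. The case is also matched before `dnf`/`yum`, so a host that has both zypper and dnf installed (rare, but possible) gets the SUSE message; the enclosing switch starts and ends outside the hunk. The second hunk's `updateSUSE` returns a constant error and never attempts an update, which is consistent with the `false`.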
@@ -0,0 +1,28 @@
+diff --git a/go.mod b/go.mod
+index 3d7514158..837fc8c44 100644
+--- a/go.mod
++++ b/go.mod
+@@ -382,7 +382,7 @@ require (
+ github.com/tomarrell/wrapcheck/v2 v2.8.3 // indirect
+ github.com/tommy-muehle/go-mnd/v2 v2.5.1 // indirect
+ github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 // indirect
+- github.com/ulikunitz/xz v0.5.11 // indirect
++ github.com/ulikunitz/xz v0.5.15 // indirect
+ github.com/ultraware/funlen v0.1.0 // indirect
+ github.com/ultraware/whitespace v0.1.0 // indirect
+ github.com/uudashr/gocognit v1.1.2 // indirect
+diff --git a/go.sum b/go.sum
+index 995b93010..715cd6dea 100644
+--- a/go.sum
++++ b/go.sum
+@@ -1010,8 +1010,8 @@ github.com/u-root/u-root v0.14.0 h1:Ka4T10EEML7dQ5XDvO9c3MBN8z4nuSnGjcd1jmU2ivg=
+ github.com/u-root/u-root v0.14.0/go.mod h1:hAyZorapJe4qzbLWlAkmSVCJGbfoU9Pu4jpJ1WMluqE=
+ github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 h1:pyC9PaHYZFgEKFdlp3G8RaCKgVpHZnecvArXvPXcFkM=
+ github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701/go.mod h1:P3a5rG4X7tI17Nn3aOIAYr5HbIMukwXG0urG0WuL8OA=
+-github.com/ulikunitz/xz v0.5.11 h1:kpFauv27b6ynzBNT/Xy+1k+fK4WswhN/6PN5WhFAGw8=
+-github.com/ulikunitz/xz v0.5.11/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
++github.com/ulikunitz/xz v0.5.15 h1:9DNdB5s+SgV3bQ2ApL10xRc35ck0DuIX/isZvIk+ubY=
++github.com/ulikunitz/xz v0.5.15/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
+ github.com/ultraware/funlen v0.1.0 h1:BuqclbkY6pO+cvxoq7OsktIXZpgBSkYTQtmwhAK81vI=
+ github.com/ultraware/funlen v0.1.0/go.mod h1:XJqmOQja6DpxarLj6Jj1U7JuoS8PvL4nEqDaQhy22p4=
+ github.com/ultraware/whitespace v0.1.0 h1:O1HKYoh0kIeqE8sFqZf1o0qbORXUCOQFrlaQyZsczZw=
diff --git a/tailscale-1.86.5.tar.gz b/tailscale-1.86.5.tar.gz
new file mode 100644
index 0000000..c896ccb
--- /dev/null
+++ b/tailscale-1.86.5.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:41d7a8318ae624bd7f8315d4f4d929025f403837b97d505e142064273dde7b6d
+size 73557568
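Review bot: Bumping `github.com/ulikunitz/xz` to v0.5.15 in go.mod and go.sum alone does not change what is compiled when the build uses the shipped `vendor.tar.gz`: with a vendor directory present, `go build` compares `vendor/modules.txt` against go.mod and refuses to build on a mismatch unless the vendored copy and modules.txt are regenerated for the new version. The tailscale.changes entry of Sep 12 says this patch was removed as fixed upstream, yet this commit still creates the file; whether the spec still has a Patch line for it is outside this view, so either drop the stale file or confirm it is no longer applied. The unchanged `/go.mod` hash line for v0.5.15 is expected when only the module's source differs from v0.5.11, so that part of the go.sum hunk is consistent.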
diff --git a/tailscale-1.88.1.tar.gz b/tailscale-1.88.1.tar.gz
new file mode 100644
index 0000000..ca210fd
--- /dev/null
+++ b/tailscale-1.88.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8bf6ec31b921f822867977bee5a57bcd79e1ac721fc1498dc99f8b4e028942c4
+size 74267799
diff --git a/tailscale-1.88.3.tar.gz b/tailscale-1.88.3.tar.gz
new file mode 100644
index 0000000..26c7e7d
--- /dev/null
+++ b/tailscale-1.88.3.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cf8b2625ffe57b92ad34af619e0e78202fd9c3d219295c18781d3682411efce1
+size 75520912
diff --git a/tailscale-1.90.2.tar.gz b/tailscale-1.90.2.tar.gz
new file mode 100644
index 0000000..553ddcf
--- /dev/null
+++ b/tailscale-1.90.2.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:eb89e930b62365aeda0fd8fd1af5ab640fd47340c60286ee4102bf2738c26267
+size 75912665
diff --git a/tailscale-1.90.3.tar.gz b/tailscale-1.90.3.tar.gz
new file mode 100644
index 0000000..d5bfa94
--- /dev/null
+++ b/tailscale-1.90.3.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:94e98597379c95acc11ec3adee926f868baf0a32986ceea91e7ad90817863a00
+size 75995057
diff --git a/tailscale-1.90.4.tar.gz b/tailscale-1.90.4.tar.gz
new file mode 100644
index 0000000..aa03a50
--- /dev/null
+++ b/tailscale-1.90.4.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:540310a3c9f29866e13356b4d04d8553a582a99a3032f342ff51deed29998a97
+size 76927017
diff --git a/tailscale-1.90.6.tar.gz b/tailscale-1.90.6.tar.gz
new file mode 100644
index 0000000..33e1a1e
--- /dev/null
+++ b/tailscale-1.90.6.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cb862094a7709cfe8e21b006fdd6fb20c14fbd8a840a6d1fe8eabfdaa2f5b063
+size 77877013
diff --git a/tailscale-1.90.8.tar.gz b/tailscale-1.90.8.tar.gz
new file mode 100644
index 0000000..56e8d0f
--- /dev/null
+++ b/tailscale-1.90.8.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c163ace41d1c35beb7a9d87da20a102a108ca9c4d128a29ff9764344e5c5406d
+size 78844949
diff --git a/tailscale-1.92.1.tar.gz b/tailscale-1.92.1.tar.gz
new file mode 100644
index 0000000..607d760
--- /dev/null
+++ b/tailscale-1.92.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0738a6bf43776830a72c870c3ad476882c36ed803d024a1331e0cb82850668d3
+size 79379813
diff --git a/tailscale-1.92.2.tar.gz b/tailscale-1.92.2.tar.gz
new file mode 100644
index 0000000..b0a40fe
--- /dev/null
+++ b/tailscale-1.92.2.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d38ed5236e97266c2dbab26d96981ab99fca2d14ffcb1fc9a62919a81713f082
+size 79762585
diff --git a/tailscale.changes b/tailscale.changes
new file mode 100644
index 0000000..818324e
--- /dev/null
+++ b/tailscale.changes
@@ -0,0 +1,670 @@ +------------------------------------------------------------------- +Fri Dec 12 14:21:14 UTC 2025 - Richard Rahl + +- Update to version 1.92.2: + * cmd/derper: add GCP Certificate Manager support + +------------------------------------------------------------------- +Sat Dec 6 11:39:58 UTC 2025 - Richard Rahl + +- Update to version 1.92.1: + * fix LocalBackend deadlock when packet arrives during profile switch + * wgengine: fix TSMP/ICMP callback leak +- Update to version 1.92.0: + * no changelog provided +- Update to version 1.90.9: + * tailscaled no longer deadlocks during event bursts + * The client no longer hangs after wake up + +------------------------------------------------------------------- +Wed Nov 19 16:23:06 UTC 2025 - Richard Rahl + +- Update to version 1.90.8: + * tka: move RemoveAll() to CompactableChonk +- Update to version 1.90.7: + * wgengine/magicsock: validate endpoint.derpAddr + * wgengine/magicsock: fix UDPRelayAllocReq/Resp deadlock + * net/udprelay: replace VNI pool with selection algorithm + * feature/relayserver,ipn/ipnlocal,net/udprelay: plumb DERPMap + * feature/relayserver: fix Shutdown() deadlock + * net/netmon: do not abandon a subscriber when exiting early + * tka: don't try to read AUMs which are partway through being written + * tka: rename a mutex to mu instead of single-letter l + * ipn/ipnlocal: use an in-memory TKA store if FS is unavailable + +------------------------------------------------------------------- +Sun Nov 2 11:43:31 UTC 2025 - Richard Rahl + +- Update to version 1.90.6: + * Routes no longer stall and fail to apply when updated repeatedly in a short + period of time + * Tailscale SSH no longer hangs for 10s when connecting to tsrecorder. 
This + affected tailnets that use Tailscale SSH recording + +------------------------------------------------------------------- +Wed Oct 29 09:50:22 UTC 2025 - Richard Rahl + +- Update to version 1.90.4: + * deadlock issue no longer occurs in the client when checking + for the network to be available + * tailscaled no longer sporadically panics when a + Trusted Platform Module (TPM) device is present + +------------------------------------------------------------------- +Tue Oct 28 11:12:50 UTC 2025 - Richard Rahl + +- Update to version 1.90.3: + * tailscaled shuts down as expected and without panic + * tailscaled starts up as expected in a no router configuration environment + +------------------------------------------------------------------- +Fri Oct 24 18:11:11 UTC 2025 - Richard Rahl + +- Update to version 1.90.2: + * util/linuxfw: fix 32-bit arm regression with iptables + * health: compare warnable codes to avoid errors on release branch + * feature/tpm: check TPM family data for compatibility + +------------------------------------------------------------------- +Fri Oct 24 10:08:31 UTC 2025 - Richard Rahl + +- Upate to version 1.90.1: + * Clients can use configured DNS resolvers for all domains + * Node keys will be renewed seamlessly + * Unnecessary path discovery packets over DERP servers are suppressed + * Node key sealing is GA (generally available) and enabled by default + +------------------------------------------------------------------- +Wed Oct 1 11:55:52 UTC 2025 - Richard Rahl + +- update to version 1.88.3: + * cmd/tailscale/cli: add ts2021 debug flag to set a dial plan + * control/controlhttp: simplify, fix race dialing, remove priority concept +- update to version 1.88.2: + * k8s-operator: reset service status before append +- require the minimum go version directly, in comparison to using the golang(API) + symbol + +------------------------------------------------------------------- +Fri Sep 12 11:11:48 UTC 2025 - Richard Rahl + +- update 
to version 1.88.1: + * Tailscale CLI prompts users to confirm impactful actions + * Tailscale SSH works as expected when using an IP address instead of a + hostname and MagicDNS is disabled + * fixed: Taildrive sharing when su not present + * Taildrive files remain consistently accessible + * new: Tailscale tray GUI + * DERP IPs changed for Singapore and Tokyo +- remove fix-CVE-2025-58058.patch, fixed upstream + +------------------------------------------------------------------- +Fri Aug 29 12:57:59 UTC 2025 - Richard Rahl + +- add patch fix-CVE-2025-58058.patch, fixing bsc#1248920 + +------------------------------------------------------------------- +Fri Aug 29 11:10:29 UTC 2025 - Richard Rahl + +- update to version 1.86.5: + * cmd/k8s-proxy,k8s-operator: fix serve config for userspace mode +- update to version 1.86.4: + * nothing of relevance +- update to version 1.86.3: + * nothing of relevance + +------------------------------------------------------------------- +Tue Jul 29 21:20:47 UTC 2025 - Richard Rahl + +- update to version 1.86.2: + * A deadlock issue that may have occurred in the client + * An occasional crash when establishing a new port mapping with a gateway or + firewall + +------------------------------------------------------------------- +Sat Jul 26 16:23:38 UTC 2025 - Richard Rahl + +- update to version 1.86.0: + * tsStateEncrypted device posture attribute for checking whether the + Tailscale client state is encrypted at rest + * Cross-site request forgery (CSRF) issue that may have resulted in a log in + error when accessing the web interface + * Recommended exit node when the previously recommended exit node is offline + * tailscale up --exit-node=auto:any and tailscale set --exit-node=auto:any + CLI commands track the recommended exit node and automatically switches to + it when available exit nodes or network conditions change + * tailscaled CLI command flag --encrypt-state encrypts the node state file on + the disk using trusted platform 
module (TPM) + +------------------------------------------------------------------- +Thu Jun 26 17:29:44 UTC 2025 - Richard Rahl + +- update to 1.84.3: + * ipn/ipnlocal: Update hostinfo to control on service config change + +------------------------------------------------------------------- +Tue Jun 10 15:36:55 UTC 2025 - Richard Rahl + +- update to 1.84.2: + * Re-enable setting —accept-dns by using TS_EXTRA_ARGS. This issue resulted + from stricter CLI arguments parsing introduced in Tailscale v1.84.0 + +------------------------------------------------------------------- +Fri May 30 06:23:15 UTC 2025 - Richard Rahl + +- update to 1.84.1: + * net/dns: cache dns.Config for reuse when compileConfig fails + +------------------------------------------------------------------- +Thu May 22 08:27:09 UTC 2025 - Richard Rahl + +- update to 1.84.0: + * The --reason flag is added to the tailscale down command + * ReconnectAfter policy setting, which configures the maximum period of time + between a user disconnecting Tailscale and the client automatically + reconnecting + * Tailscale CLI commands throw an error if multiple of the same flag are detected + * Network connectivity issues when creating a new profile or switching + profiles while using an exit node + * DNS-over-TCP fallback works correctly with upstream servers reachable only + via the tailnet +- remove fix-CVE-2025-22869.patch, as upstream updated their dependencies + +------------------------------------------------------------------- +Fri Apr 18 07:37:15 UTC 2025 - Richard Rahl + +- update to 1.82.5: + * A panic issue related to CUBIC congestion control in userspace mode is resolved. + +------------------------------------------------------------------- +Thu Mar 27 19:50:58 UTC 2025 - Richard Rahl + +- update to 1.82.0: + * DERP functionality within the client supports certificate pinning for + self-signed IP address certificates for those unable to use Let's Encrypt + or WebPKI certificates. 
+ * Go is updated to version 1.24.1 + * NAT traversal code uses the DERP connection that a packet arrived on as an + ultimate fallback route if no other information is available + * Captive portal detection reliability is improved on some in-flight Wi-Fi networks + * Port mapping success rate is improved + * Helsinki is added as a DERP region. + +------------------------------------------------------------------- +Wed Mar 12 09:07:49 UTC 2025 - Richard Rahl + +- add patch fix-CVE-2025-22869.patch, fixes bsc#1239353 + +------------------------------------------------------------------- +Tue Mar 4 13:42:34 UTC 2025 - Richard Rahl + +- update to 1.80.3: + * appc: fix a deadlock in route advertisements + * client/web: fix CSRF handler order in web UI + +------------------------------------------------------------------- +Thu Feb 13 14:30:28 UTC 2025 - Richard Rahl + +- update to 1.80.2: + * Use ip:country as a geolocation device posture attribute (generally available). + +------------------------------------------------------------------- +Thu Feb 6 19:52:22 UTC 2025 - Richard Rahl + +- update to 1.80.1: + * net/netmon: add extra panic guard around ParseRIB + +------------------------------------------------------------------- +Fri Jan 31 17:20:29 UTC 2025 - Richard Rahl + +- update to 1.80.0: + * Hostname system policy is added for overriding the device hostname + configured by the operating system, using an MDM solution. + * Web interface displays a Login button instead of the Reauthenticate button + when adding a new device to your tailnet. + * Tailscale Funnel configuration on devices displays errors when incoming + connections are not permitted and connections are disallowed. + * Connections to a custom coordination server that does not support HTTPS + will no longer fail when a custom port number is specified. + * TLS certificate requests from Let’s Encrypt include the device's DNS name + in the CSR’s SAN extension and set the Common Name field. 
+ * Tailscale Funnel disabled on a device no longer displays enabled in the + admin console. + * GitHub username change automatically updates tailnet name + * 4via6 subnet routers GA + * Auto approvers GA + * Node attributes GA + * Download invoices GA + * Fast user switching GA + * Configuration log streaming integration with S3 buckets GA + * Network flow log streaming integration with S3 buckets GA + * NextDNS profiles per device GA + * GitHub secret scanning +- remove fix-CVE-2024-45337.patch, as it's now included + +------------------------------------------------------------------- +Wed Dec 18 17:33:23 UTC 2024 - Richard Rahl + +- add patch fix-CVE-2024-45337.patch, to circumevent a possibility + of exploiting the golang-x-crypto security hole. (fix #1234506) + +------------------------------------------------------------------- +Fri Dec 13 05:06:26 UTC 2024 - Richard Rahl + +- update to 1.78.3: + * cmd/containerboot: fix nil pointer exception + * hostinfo: fix testing in container + +------------------------------------------------------------------- +Fri Dec 6 01:22:05 UTC 2024 - Richard Rahl + +- update to 1.78.1: + * health: fix TestHealthMetric + +------------------------------------------------------------------- +Thu Dec 5 22:10:32 UTC 2024 - Richard Rahl + +- update to 1.78.0: + * Client metrics have been added, to provide insights into Tailscale client + behavior, health, and performance. + * tailscale metrics command has been added, to expose and collect client + metrics for use with third-party monitoring systems. + * tailscale syspolicy command has been added, to list system policies, reload + system policies, or view errors related to the system policies configured + on the device. + * Tailscale system policies are applied immediately when pushed via mobile + device management (MDM) or Group Policy, without requiring a client restart. + * Tailscale SSH session recording detects the disappearance of the recorder + node sooner. 
This fix addresses a security vulnerability described + in TS-2024-013. + * New scopes for OAuth clients have been added with more granular permissions. + Existing OAuth clients using the previous set of scopes, and keys generated + using these clients, are still valid. + +------------------------------------------------------------------- +Fri Nov 8 03:46:50 UTC 2024 - Richard Rahl + +- update to 1.76.6: + * Logging for when clients move home DERP regions is improved. + * Tailscale clients no longer move their home DERP server prematurely in + response to unusual latency at very specific times. + +------------------------------------------------------------------- +Tue Oct 22 18:34:42 UTC 2024 - Richard Rahl + +- update to 1.76.3: + * no relevant changelog +- update to 1.76.2: + * no relevant changelog +- switch over to the new %{default_fw_backend} macro +- create old init file only for < leap 16 + +------------------------------------------------------------------- +Wed Oct 16 20:40:31 UTC 2024 - Richard Rahl + +- update to 1.76.1: + * tailscale netcheck CLI command no longer crashes when performing diagnostics + on networks lacking UDP connectivity. + * Improperly formatted SERVFAIL responses no longer cause DNS timeouts when using an exit node. + * dbus login sessions no longer fail on systems where /bin/login is missing. + +------------------------------------------------------------------- +Mon Oct 14 13:06:13 UTC 2024 - Alexandre Vicenzi + +- Require a firewall backend (boo#1228829) +- Add simple test check to ensure binaries are working + +------------------------------------------------------------------- +Fri Oct 11 06:07:28 UTC 2024 - Richard Rahl + +- update to 1.76.0: + * Clients lacking UDP connectivity no longer skip performing fallback latency + measurements with DERP servers. + * Warnings no longer display unnecessarily. + * Tailscale connectivity on in-flight internet on airplanes (such as Alaska Airlines) no longer fails. 
+ * Service-related processes no longer run unnecessarily when services are disabled on the tailnet. + * Error messages include explanations in addition to the HTTP status code. + * Tailscale SSH supports sending environment variables to hosts. It's also possible to specify + permitted environment variables using the acceptEnv field. + * Tailscale SSH no longer breaks some terminal applications by omitting pixel width and height when + resizing the application window. + +------------------------------------------------------------------- +Sat Sep 21 05:28:42 UTC 2024 - Eric Torres + +- Change path of zsh completion file to make zsh properly recognize completions + * /usr/share/zsh/site-functions/tailscale moved to /usr/share/zsh/site-functions/_tailscale + +------------------------------------------------------------------- +Wed Sep 18 19:10:19 UTC 2024 - Richard Rahl + +- update to 1.74.1: + * wgengine/magicsock: disable raw disco by default; add envknob to enable + +------------------------------------------------------------------- +Fri Sep 13 10:48:17 UTC 2024 - Richard Rahl + +- update to 1.74.0 + * AuthKey system policy can be used to authenticate a device with Tailscale using an MDM solution. + * tailscale dns CLI command is added for accessing Tailscale DNS settings and status. + * Tailnet Lock long rotation signatures are truncated automatically to avoid excessive growth. + * Log In option in the client works as expected. + * TCP generic receive offload (GRO) support is added for improved userspace mode throughput. + * TCP generic segmentation offload (GSO) is re-introduced for supporting improved userspace mode throughput. + This was initially introduced in Tailscale v1.72.0 and then rolled back in v1.72.1. + * Device posture integration with CrowdStrike Falcon can now use MAC addresses to match devices that lack serial numbers. + When Falcon integration is configured, Device Identity Collection will automatically collect MAC addresses. 
+ +------------------------------------------------------------------- +Thu Aug 22 22:08:51 UTC 2024 - Richard Rahl + +- update to 1.72.1: + * DNS over TCP failures when querying the Tailscale-internal resolver are fixed. + +------------------------------------------------------------------- +Wed Aug 21 16:05:02 UTC 2024 - rrahl0@opensuse.org + +- Update to version 1.72.0: + * posture: deduplicate MAC addresses before returning them + * health/dns: reduce severity of DNS unavailable warning + * safeweb: add Server.Close method + * go.mod.sri: update SRI hash for go.mod changes + * go.{mod,sum}: migrate from nhooyr.io/websocket to github.com/coder/websocket + * cmd/viewer: add support for map-like container types +- update golang(API) to 1.23 +- export version variables, to circumvent a bug + +------------------------------------------------------------------- +Thu Jul 18 06:31:58 UTC 2024 - Richard Rahl + +- update to 1.70.0: + * New: Restrict recommended and automatically selected exit nodes using the + new AllowedSuggestedExitNodes system policy. Applies only to platforms that + support system policies. + * Changed: Improved NAT traversal for some uncommon scenarios. + * Changed: Optimized sending firewall rules to clients more efficiently. + * Fixed: Exit node suggestion CLI command now prints the hostname. + * Fixed: Taildrive share paths configured through the CLI resolve relative + to where you run the tailscale command. + +------------------------------------------------------------------- +Tue Jul 2 20:35:35 UTC 2024 - Richard Rahl + +- update to 1.68.2: + * Fixed: Tailnet lock validation of rotation signatures now permits multiple nodes + signed by the same pre-signed reusable auth key. + +------------------------------------------------------------------- +Sun Jun 16 13:30:20 UTC 2024 - Richard Rahl + +- update to 1.68.1: + * Fixed: 4via6 subnet router advertisement works as expected. 
+ * Fixed: Tailscale SSH access to Security-Enhanced Linux (SELinux) machines works as expected. +- update to 1.68.0: + * New: Auto-updates are allowed in containers, but ignore the tailnet-wide default + * New: Apply auto-updates even if the node is down or disconnected from the coordination server. + * New: tailscale lock status now prints the node's signature. + +------------------------------------------------------------------- +Wed May 22 08:36:37 UTC 2024 - Richard Rahl + +- update to 1.66.4: + * Fixed: Restored UDP connectivity through Mullvad exit nodes + * Stateful filtering is now off by default + +- update to 1.66.3: + * Login URLs did not always appear in the console when running tailscale up + * Starting with v1.66, the Kubernetes operator must always run the same or later version + as the proxies it manages. + * Expose cloud services on cluster network to the tailnet, using Kubernetes ExternalName Services + * Expose tailnet services that use Tailscale HTTPS to cluster workloads + * Cluster workloads can now refer to Tailscale Ingress resources by their MagicDNS names + * Configure environment variables for Tailscale Kubernetes operator proxies using ProxyClass CRD + * Expose tailscaled metrics endpoint for Tailscale Kubernetes operator proxies through ProxyClass CRD + * Configure labels for the Kubernetes operator Pods with Helm chart values + * Configure affinity rules for Kubernetes operator proxy Pods with ProxyClass + * Kubernetes operator proxy init container no longer attempts to enable IPv6 forwarding on systems + that don't have IPv6 module loaded + * Tailscale containers running on Kubernetes no longer error if an empty Kubernetes Secret is + pre-created for the tailscaled state + * Improved the ambiguous error messages when Tailscale running on Kubernetes does not have the right + permissions to perform actions against the tailscaled state Secret + +------------------------------------------------------------------- +Fri May 10 15:16:33 
UTC 2024 - Richard Rahl + +- update to 1.66.1: + * Resolved issues with nftables rules for stateful filtering, + introduced in v1.66.0. + * tailscale set command flags --netfilter-mode, --snat-subnet-routes, + and --stateful-filtering are added. + +- update to 1.66.0: + * Implemented client-side quarantining for shared-in exit nodes, + as a mitigation for a security vulnerability described in TS-2024-005. + * Use the --stateful-filtering flag for the tailscale up to enable stateful filtering for + subnet routers and exit nodes, as a mitigation for a security vulnerability described + in TS-2024-005. + * Added tab completions + * Use the tailscale exit-node suggest command to automatically pick an available exit node + that is likely to perform best. + * Site-to-site networking now also requires --stateful-filtering=false in addition to + --snat-subnet-routes=false on new subnet routers. Existing subnet routers with --snat-subnet-routes=false + will default to --stateful-filtering=false. + +- update to 1.64.2: + * nothing relevant for linux + +- update to 1.64.1: + * nothing relevant for linux + +- update to 1.64.0: + * New: tailscale configure kubeconfig now respects KUBECONFIG environment variable. + * Fixed: tailscale configure kubeconfig now works with partially empty kubeconfig. + * Fixed: MSS clamping for Kubernetes operator proxies using nftables. + * Fixed: Containers on hosts with partial support for ip6tables no longer crash. 
+ +- turn of changelog generation +- add completions for bash + +------------------------------------------------------------------- +Sat Mar 30 08:28:56 UTC 2024 - Richard Rahl + +- update to 1.62.1: + * Send load balancing hint HTTP request header + * Fixed: Kubernetes operator proxies should not accept subnet routes + +------------------------------------------------------------------- +Thu Mar 14 03:13:54 UTC 2024 - rrahl0@proton.me + +- update to 1.62.0: + * IPv6 support detection in a container environment is improved + * New: Web interface now uses ACL grants to manage access on tagged devices + * Tailscale SSH connections now disable unnecessary hostname canonicalization + * tailscale bugreport command for generating diagnostic logs now contain ethtool information + * Mullvad's family-friendly server is added to the list of well known DNS over HTTPS (DoH) servers + * DNS over HTTP requests now contain a timeout + * TCP forwarding attempts in userspace mode now have a per-client limit + * Endpoints with link-local IPv6 addresses is preferred over private addresses + * WireGuard logs are less verbose + * Go min. 
version 1.22.1 + * DERP server region no longer changes if connectivity to the new DERP region is degraded + +- update to 1.60.1: + * Exposing port 8080 to other devices on your tailnet works as expected + +------------------------------------------------------------------- +Tue Feb 20 22:10:41 UTC 2024 - Alexandre Vicenzi + +- Add disable-auto-update.patch to prevent auto updates and instead + ask users to use Zypper to update manually + +------------------------------------------------------------------- +Tue Feb 20 14:52:46 UTC 2024 - Richard Rahl + +- change to the non deprecated manualrun + +------------------------------------------------------------------- +Fri Feb 16 14:38:14 UTC 2024 - alexandre.vicenzi@suse.com + +- Spec cleanup + * Use tar_scm to avoid commit hashes in the spec + * Use tailscale build scripts + * Drop ProtectClock fix for Leap, DeviceAllow fixes it +- Add build-verbose.patch to get go flags into build log +- Enable PrivateDevices but allow access to /dev/net/tun in tailscaled.service + +------------------------------------------------------------------- +Fri Feb 16 00:50:26 UTC 2024 - Richard Rahl + +- update to 1.60.0: + * minimum go version 1.22 + * authentication: present users with a valid login page when + attempting to login even after leaving device unattended for several days + * networking: mute noisy peer mtu discovery errors + * networking: expose gVisor metrics in debug mode + * port mapper: support legacy "urn:dslforum-org" port mapping services + * port mapper: fix crash when no support mapping services found + * ssh: log warning when unable to find SSH host keys + * serve: improve error message when running as non-root + * Detect when Tailscale is running on Digital Ocean and automatically + use Digital Ocean's DNS resolvers + * enable app connectors to install routes for domains that resolve to CNAME + records + * support pre-configured routes from control server + * add new read-only mode + * tailscale status command: 
fix output formatting Tailnet + includes location-based exit nodes + * a new ProxyClass custom resource that allows to provide custom + configuration for cluster resources that the operator creates + * ACL tags for the operator can now be configured via Helm chart values + * routing to Ingress backends that require an exact path without a slash + +------------------------------------------------------------------- +Wed Feb 7 14:52:53 UTC 2024 - Richard Rahl + +- make rpm not overwrite /etc/default/taiscaled +- defattr everything to root + +------------------------------------------------------------------- +Sat Feb 3 11:18:05 UTC 2024 - Richard Rahl + +- no stripping of binaries +- add commitID to binaries for upstream +- add directory for saved configs + +------------------------------------------------------------------- +Tue Jan 23 23:54:36 UTC 2024 - Richard Rahl + +- switch services to manual +- update to version 1.58.2: + * Fixed: [App connectors][app-connectors] have improved scheduling + and merging of route changes under some conditions + * Fixed: Crash when performing UPnP portmapping on older routers + with no supported portmapping services + +------------------------------------------------------------------- +Fri Jan 19 08:06:27 UTC 2024 - Richard Rahl + +- update to version 1.58.0: + * portmap: check the epoch from NAT-PMP & PCP, establish new portmapping if it changes + * portmap: better handle multiple interfaces + * portmap: handle multiple UPnP discovery responses + * increase the number of 4via6 site IDs from 256 to 65,536 + * taildrop: allow category Z unicode characters + * increased binary size with 1.56 is resolved in 1.58 + * Reduce home DERP flapping when there's still an active connection + * device web ui: fixed issue when accessing shared devices + * device web ui: fixed login issue when accessed over https + +------------------------------------------------------------------- +Wed Jan 10 02:17:57 UTC 2024 - Richard Rahl + +- fix an 
issue with Leap, where ProtectClock prevents to connect to + /dev/net/tun + +------------------------------------------------------------------- +Fri Dec 15 21:22:39 UTC 2023 - Richard Rahl + +- update to version 1.56.1: + * Fixed: Web interface redirects to the correct self IP known by source peer + * Fixed: Usage of slices.Compact from app connector domains list + +------------------------------------------------------------------- +Fri Dec 15 13:48:28 UTC 2023 - Richard Rahl + +- fix version output to what upstream expects + +------------------------------------------------------------------- +Wed Dec 13 22:08:30 UTC 2023 - rrahl0@proton.me + +- Update to version 1.56.0: + * improve responsiveness under load, especially with bidirectional traffic + * improve UPnP portmapping + * add tailscale whois subcommand to observe metadata associated with a Tailscale IP + * include tailnet name and profile ID in tailscale switch --list to disambiguate + profiles with common login names + * improve tailscale web interface for configuring some device settings such as exit nodes, + subnet routers, and Tailscale SSH + * improve containerboot to symlink its socket file if possible, + making the tailscale CLI work without --socket=/tmp/tailscale.sock + * add support in Kubernetes operator cluster egress for referring to a tailnet service + by its MagicDNS name + + +- Update to version 1.54.1: + * no relevant updates to the linux version + +------------------------------------------------------------------- +Fri Nov 24 21:59:11 UTC 2023 - Richard Rahl + +- tailscale couldn't connect to /dev/net/tun + +------------------------------------------------------------------- +Thu Nov 23 06:51:24 UTC 2023 - rrahl0@proton.me + +- Update to version 1.54.0: + * improve throughput substantially for UDP packets over TUN device with recent Linux kernels + + +- Update to version 1.52.1: + * no linux improvements + +- Update to version 1.52.0: + * tailscale set command flag --auto-update is 
added to opt in to automatic client updates + * tailscale serve and tailscale funnel commands are updated for improved usability + * tailscale update command for manual updates is now in beta + * Taildrop file transfer displays a progress meter + * nftables auto-detection is improved when TS_DEBUG_FIREWALL_MODE=auto is used + * DNS detection of NetworkManager with configured but absent systemd-resolved + * Taildrop now resumes file transfers after partial transfers are interrupted + * tailscale up command displays a message about client updates when newer versions are available + * tailscale status command displays a message about client updates when newer versions are available + * tailscale cert command renews in the background. The current certificate only displays if it has expired. + +------------------------------------------------------------------- +Mon Oct 02 23:51:03 UTC 2023 - rrahl0@proton.me + +- Update to version 1.50.1: + * fix bug where serve config could get wiped + * Funnel support for tsnet apps + * fix potential crash with UPnP + +------------------------------------------------------------------- +Sat Sep 30 19:38:50 UTC 2023 - rrahl0@proton.me + +- Update to version 1.50.0: + * Update tailscale{,d} licenses + * Update Quad9 addresses and references + * Adds support for Wikimedia DNS using DNS-over-HTTPS + +- Update to version 1.48.1: + * no relevant updates + +- Update to version 1.48.2: + * Improvements to Mullvad exit nodes + +------------------------------------------------------------------- +Fri Aug 18 15:56:24 UTC 2023 - Richard Rahl + +- Initial revision diff --git a/tailscale.spec b/tailscale.spec new file mode 100644 index 0000000..a2c241c --- /dev/null +++ b/tailscale.spec 
@@ -0,0 +1,143 @@
+#
+# spec file for package tailscale
+#
+# Copyright (c) 2025 SUSE LLC and contributors
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name: tailscale
+Version: 1.92.2
+Release: 0
+Summary: The easiest, most secure way to use WireGuard and 2FA
+License: BSD-3-Clause
+URL: https://github.com/tailscale/tailscale
+Source: %{name}-%{version}.tar.gz
+Source1: vendor.tar.gz
+Source2: %{name}d.service
+Source3: %{name}d.defaults
+Patch0: build-verbose.patch
+Patch1: disable-auto-update.patch
+BuildRequires: bash-completion
+BuildRequires: fish
+BuildRequires: git-core
+BuildRequires: go1.25 >= 1.25.5
+BuildRequires: golang-packaging
+BuildRequires: zsh
+Requires: %{default_firewall_backend}
+ExcludeArch: %{ix86}
+%{?systemd_requires}
+
+%description
+Tailscale is a modern VPN built on top of Wireguard. It works like an overlay
+network between the computers of your networks using NAT traversal.
+
+%package bash-completion
+Summary: Tailscale bash completion
+Supplements: (%{name} and bash-completion)
+BuildArch: noarch
+
+%description bash-completion
+bash completions for %{name}
+
+%package zsh-completion
+Summary: Tailsacle zsh completion
+Supplements: (%{name} and zsh)
+BuildArch: noarch
+
+%description zsh-completion
+zsh completion for %{name}
+
+%package fish-completion
+Summary: Tailscale fish completion
+Supplements: (%{name} and fish)
+BuildArch: noarch
+
+%description fish-completion
+fish completion for %{name}
+
+%prep
+%autosetup -a1 -p1
+
+%build
+%ifnarch ppc64
+export GOFLAGS="-buildmode=pie"
+%endif
+export VERSION_SHORT=%{version}
+export VERSION_LONG=%{version}
+export VERSION_GIT_HASH='$(git rev-parse v%{version})'
+./build_dist.sh ./cmd/%{name}
+./build_dist.sh ./cmd/%{name}d
+
+#generate completions
+./%{name} completion bash > ./%{name}.bash
+./%{name} completion zsh > ./%{name}.zsh
+./%{name} completion fish > ./%{name}.fish
+
+%check
+./%{name} version
+./%{name}d -version
+
+%install
+mkdir -p %{buildroot}%{_sharedstatedir}/%{name}
+
+install -D -p -m 0755 %{name} %{buildroot}%{_bindir}/%{name}
+install -D -p -m 0755 %{name}d %{buildroot}%{_sbindir}/%{name}d
+
+# service
+install -D -p -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/%{name}d.service
+%if 0%{?suse_version} < 1600
+ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}d
+%endif
+
+# defaults
+install -D -p -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/default/%{name}d
+
+install -D -p -m 0644 ./%{name}.bash %{buildroot}%{_datadir}/bash-completion/completions/%{name}
+install -D -p -m 0644 ./%{name}.zsh %{buildroot}%{_datadir}/zsh/site-functions/_%{name}
+install -D -p -m 0644 ./%{name}.fish %{buildroot}%{_datadir}/fish/vendor_completions.d/%{name}
+
+%pre
+%service_add_pre %{name}d.service
+
+%post
+%service_add_post %{name}d.service
+
+%preun
+%service_del_preun %{name}d.service
+
+%postun
+%service_del_postun %{name}d.service
+
+%files
+%license LICENSE PATENTS
+%doc README.md SECURITY.md
+%config(noreplace) %{_sysconfdir}/default/%{name}d
+%dir %{_sharedstatedir}/%{name}
+%{_bindir}/%{name}
+%{_sbindir}/%{name}d
+%{_unitdir}/%{name}d.service
+%if 0%{?suse_version} < 1600
+%{_sbindir}/rc%{name}d
+%endif
+
+%files bash-completion
+%{_datadir}/bash-completion/completions/%{name}
+
+%files zsh-completion
+%{_datadir}/zsh/site-functions/_%{name}
+
+%files fish-completion
+%{_datadir}/fish/vendor_completions.d/%{name}
+
+%changelog
diff --git a/tailscaled.defaults b/tailscaled.defaults
new file mode 100644
index 0000000..75f1c3e
--- /dev/null
+++ b/tailscaled.defaults
@@ -0,0 +1,8 @@
+# Set the port to listen on for incoming VPN packets.
+# Remote nodes will automatically be informed about the new port number,
+# but you might want to configure this in order to set external firewall
+# settings.
+PORT="41641"
+
+# Extra flags you might want to pass to tailscaled.
+FLAGS=""
diff --git a/tailscaled.service b/tailscaled.service
new file mode 100644
index 0000000..b67b94d
--- /dev/null
+++ b/tailscaled.service
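Review bot: `export VERSION_GIT_HASH='$(git rev-parse v%{version})'` in `%build` is single-quoted, so the shell exports the literal text `$(git rev-parse v1.92.2)` rather than a commit hash; unless build_dist.sh re-derives or re-evaluates that variable itself, the commit stamp baked into the binaries is that literal string. If the expansion is intended, the line should read `export VERSION_GIT_HASH="$(git rev-parse v%{version})"`, and the `set -eux` from build-verbose.patch will then show the effective value in the build log. `%dir %{_sharedstatedir}/%{name}` is packaged with the default directory mode while the unit sets `StateDirectoryMode=0700` for the same path, which holds tailscaled.state and therefore the node key; `%dir %attr(0700,root,root) %{_sharedstatedir}/%{name}` keeps the permission consistent between package install and the first service start. `Summary: Tailsacle zsh completion` has a typo for Tailscale.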
@@ -0,0 +1,35 @@
+[Unit]
+Description=Tailscale node agent
+Documentation=https://tailscale.com/kb/
+Wants=network-pre.target
+After=network-pre.target NetworkManager.service systemd-resolved.service
+
+[Service]
+EnvironmentFile=/etc/default/tailscaled
+ExecStartPre=/usr/sbin/tailscaled --cleanup
+ExecStart=/usr/sbin/tailscaled --state=/var/lib/tailscale/tailscaled.state --socket=/run/tailscale/tailscaled.sock --port=${PORT} $FLAGS
+ExecStopPost=/usr/sbin/tailscaled --cleanup
+Restart=on-failure
+RuntimeDirectory=tailscale
+RuntimeDirectoryMode=0755
+StateDirectory=tailscale
+StateDirectoryMode=0700
+CacheDirectory=tailscale
+CacheDirectoryMode=0750
+Type=notify
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+PrivateDevices=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+RestrictRealtime=true
+# give permission to TUN
+BindPaths=/dev/net/tun
+DeviceAllow=/dev/net/tun rw
+
+[Install]
+WantedBy=multi-user.target
diff --git a/vendor.tar.gz b/vendor.tar.gz
new file mode 100644
index 0000000..cdcb028
--- /dev/null
+++ b/vendor.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:70f7e1240a50551fe3da360f5e7b3b8e893a6c6af36ec062ee1533c50f651e53
+size 20885438
-- 2.51.1
From f506379a860aa9906d02a5ae73c115721a69687cae0d722694b46b7c27865532 Mon Sep 17 00:00:00 2001
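Review bot: The `[Service]` block hardens a daemon that runs as root (no `User=`) but leaves out `LockPersonality=true` and `RestrictSUIDSGID=true`, both of which are unlikely to interfere with a Go network daemon and belong to the same openSUSE hardening checklist the comment links to. `ProtectSystem=` is also absent; `full` would make /etc read-only, which tailscaled may need for DNS configuration, so that one needs a test with DNS management enabled before it is added. The `# give permission to TUN` comment could explain why both directives are needed under `PrivateDevices=true`: as I read the systemd docs, `BindPaths=` makes the node visible inside the private /dev and `DeviceAllow=` lets the device cgroup policy permit opening it, so removing either one breaks the TUN setup.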
From: Richard Rahl Date: Wed, 17 Dec 2025 17:54:35 +0000 Subject: [PATCH 22/25] - Update to version 1.92.3: * WireGuard configuration that occurs automatically in the client, no longer results in a panic OBS-URL: https://build.opensuse.org/package/show/network:vpn/tailscale?expand=0&rev=112 --- .gitattributes | 23 ++ .gitignore | 1 + _service | 18 + _servicedata | 4 + build-verbose.patch | 13 + disable-auto-update.patch | 25 ++ fix-CVE-2025-58058.patch | 28 ++ tailscale-1.86.5.tar.gz | 3 + tailscale-1.88.1.tar.gz | 3 + tailscale-1.88.3.tar.gz | 3 + tailscale-1.90.2.tar.gz | 3 + tailscale-1.90.3.tar.gz | 3 + tailscale-1.90.4.tar.gz | 3 + tailscale-1.90.6.tar.gz | 3 + tailscale-1.90.8.tar.gz | 3 + tailscale-1.92.1.tar.gz | 3 + tailscale-1.92.2.tar.gz | 3 + tailscale-1.92.3.tar.gz | 3 + tailscale.changes | 677 ++++++++++++++++++++++++++++++++++++++ tailscale.spec | 143 ++++++++ tailscaled.defaults | 8 + tailscaled.service | 35 ++ vendor.tar.gz | 3 + 23 files changed, 1011 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 _service create mode 100644 _servicedata create mode 100644 build-verbose.patch create mode 100644 disable-auto-update.patch create mode 100644 fix-CVE-2025-58058.patch create mode 100644 tailscale-1.86.5.tar.gz create mode 100644 tailscale-1.88.1.tar.gz create mode 100644 tailscale-1.88.3.tar.gz create mode 100644 tailscale-1.90.2.tar.gz create mode 100644 tailscale-1.90.3.tar.gz create mode 100644 tailscale-1.90.4.tar.gz create mode 100644 tailscale-1.90.6.tar.gz create mode 100644 tailscale-1.90.8.tar.gz create mode 100644 tailscale-1.92.1.tar.gz create mode 100644 tailscale-1.92.2.tar.gz create mode 100644 tailscale-1.92.3.tar.gz create mode 100644 tailscale.changes create mode 100644 tailscale.spec create mode 100644 tailscaled.defaults create mode 100644 tailscaled.service create mode 100644 vendor.tar.gz diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 
--- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/_service b/_service new file mode 100644 index 0000000..01e236a --- /dev/null +++ b/_service @@ -0,0 +1,18 @@ + + + https://github.com/tailscale/tailscale.git + git + yes + refs/tags/v1.92.3 + @PARENT_TAG@ + v(.*) + disable + + + + *.tar + gz + + + + diff --git a/_servicedata b/_servicedata new file mode 100644 index 0000000..d4fed67 --- /dev/null +++ b/_servicedata @@ -0,0 +1,4 @@ + + + https://github.com/tailscale/tailscale.git + aa448d5a9985378af04966c6d7aec8d9f4a166ca \ No newline at end of file diff --git a/build-verbose.patch b/build-verbose.patch new file mode 100644 index 0000000..5da7533 --- /dev/null +++ b/build-verbose.patch 
@@ -0,0 +1,13 @@ +diff --git a/build_dist.sh b/build_dist.sh +index 0c757c26..9639d596 100755 +--- a/build_dist.sh ++++ b/build_dist.sh +@@ -9,7 +9,7 @@ + # this script, or executing equivalent commands in your + # distro-specific build system. + +-set -eu ++set -eux + + go="go" + if [ -n "${TS_USE_TOOLCHAIN:-}" ]; then diff --git a/disable-auto-update.patch b/disable-auto-update.patch new file mode 100644 index 0000000..c7d8a30 --- /dev/null +++ b/disable-auto-update.patch @@ -0,0 +1,25 @@ +diff -rub tailscale/clientupdate/clientupdate.go tailscale-patched/clientupdate/clientupdate.go +--- tailscale/clientupdate/clientupdate.go 2024-06-16 15:26:31.323022871 +0200 ++++ tailscale-patched/clientupdate/clientupdate.go 2024-06-16 15:57:08.732315446 +0200 +@@ -205,6 +205,8 @@ + // The distro.Debian switch case above should catch most apt-based + // systems, but add this fallback just in case. + return up.updateDebLike, true ++ case haveExecutable("zypper"): ++ return up.updateSUSE, false + case haveExecutable("dnf"): + return up.updateFedoraLike("dnf"), true + case haveExecutable("yum"): +@@ -526,6 +528,12 @@ + you can use "pacman --sync --refresh --sysupgrade" or "pacman -Syu" to upgrade the system, including Tailscale.`) + } + ++func (up *Updater) updateSUSE() error { ++ // SUSE-based distros should update manually. ++ // The package can come from official Tailscale repos or not and the system can be transactional or not. ++ return errors.New(`Use Zypper or transactional-update (on applicable systems) to update Tailscale on openSUSE or SUSE Linux Enterprise installations.`) ++} ++ + func (up *Updater) updateNixos() error { + // NixOS package updates are managed on a system level and not individually. + // Direct users to update their nix channel or nixpkgs flake input to diff --git a/fix-CVE-2025-58058.patch b/fix-CVE-2025-58058.patch new file mode 100644 index 0000000..867ec16 --- /dev/null +++ b/fix-CVE-2025-58058.patch 
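Review bot: disable-auto-update.patch carries no header describing what it changes, why, and its upstream status, so a reader has to reconstruct from the changelog that zypper-managed systems must not self-update. A short header above the `diff -rub` line stating the rationale (updates come from zypper or transactional-update) and that it is a distribution-specific patch not meant for upstream would make the file self-describing. In the hunk itself, the new `case haveExecutable("zypper"): return up.updateSUSE, false` sits before the dnf/yum cases, and the second return value is set to false where the neighbouring cases return true; presumably that flag marks whether automatic updates are possible, and a one-line comment like `// SUSE systems are updated through the package manager only; never auto-update.` above the case would record both the ordering and the intent, in the style of the existing Debian fallback comment.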
@@ -0,0 +1,28 @@ +diff --git a/go.mod b/go.mod +index 3d7514158..837fc8c44 100644 +--- a/go.mod ++++ b/go.mod +@@ -382,7 +382,7 @@ require ( + github.com/tomarrell/wrapcheck/v2 v2.8.3 // indirect + github.com/tommy-muehle/go-mnd/v2 v2.5.1 // indirect + github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 // indirect +- github.com/ulikunitz/xz v0.5.11 // indirect ++ github.com/ulikunitz/xz v0.5.15 // indirect + github.com/ultraware/funlen v0.1.0 // indirect + github.com/ultraware/whitespace v0.1.0 // indirect + github.com/uudashr/gocognit v1.1.2 // indirect +diff --git a/go.sum b/go.sum +index 995b93010..715cd6dea 100644 +--- a/go.sum ++++ b/go.sum +@@ -1010,8 +1010,8 @@ github.com/u-root/u-root v0.14.0 h1:Ka4T10EEML7dQ5XDvO9c3MBN8z4nuSnGjcd1jmU2ivg= + github.com/u-root/u-root v0.14.0/go.mod h1:hAyZorapJe4qzbLWlAkmSVCJGbfoU9Pu4jpJ1WMluqE= + github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 h1:pyC9PaHYZFgEKFdlp3G8RaCKgVpHZnecvArXvPXcFkM= + github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701/go.mod h1:P3a5rG4X7tI17Nn3aOIAYr5HbIMukwXG0urG0WuL8OA= +-github.com/ulikunitz/xz v0.5.11 h1:kpFauv27b6ynzBNT/Xy+1k+fK4WswhN/6PN5WhFAGw8= +-github.com/ulikunitz/xz v0.5.11/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14= ++github.com/ulikunitz/xz v0.5.15 h1:9DNdB5s+SgV3bQ2ApL10xRc35ck0DuIX/isZvIk+ubY= ++github.com/ulikunitz/xz v0.5.15/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14= + github.com/ultraware/funlen v0.1.0 h1:BuqclbkY6pO+cvxoq7OsktIXZpgBSkYTQtmwhAK81vI= + github.com/ultraware/funlen v0.1.0/go.mod h1:XJqmOQja6DpxarLj6Jj1U7JuoS8PvL4nEqDaQhy22p4= + github.com/ultraware/whitespace v0.1.0 h1:O1HKYoh0kIeqE8sFqZf1o0qbORXUCOQFrlaQyZsczZw= diff --git a/tailscale-1.86.5.tar.gz b/tailscale-1.86.5.tar.gz new file mode 100644 index 0000000..c896ccb --- /dev/null +++ b/tailscale-1.86.5.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:41d7a8318ae624bd7f8315d4f4d929025f403837b97d505e142064273dde7b6d +size 73557568 
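Review bot: fix-CVE-2025-58058.patch bumps github.com/ulikunitz/xz to v0.5.15 in go.mod and go.sum only, but the package builds from the vendored tree (`vendor.tar.gz`, unpacked by `%autosetup -a1`), so the vendored copy and vendor/modules.txt have to be regenerated to the same version or the Go toolchain refuses to build with an inconsistent-vendoring error; if the build nevertheless succeeded, the fix would not be in the binaries. The changelog in this same commit says the patch was removed as fixed upstream with 1.88.1, yet the file is still carried here, and the spec visible earlier on the page (1.92.2) references only build-verbose.patch and disable-auto-update.patch; if nothing applies it, drop the file so nobody assumes the CVE is still patched locally. A header naming the CVE, the bug reference from the changelog (bsc#1248920) and the upstream version that made it obsolete would let the next maintainer judge that without reading the history.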
diff --git a/tailscale-1.88.1.tar.gz b/tailscale-1.88.1.tar.gz new file mode 100644 index 0000000..ca210fd --- /dev/null +++ b/tailscale-1.88.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8bf6ec31b921f822867977bee5a57bcd79e1ac721fc1498dc99f8b4e028942c4 +size 74267799 diff --git a/tailscale-1.88.3.tar.gz b/tailscale-1.88.3.tar.gz new file mode 100644 index 0000000..26c7e7d --- /dev/null +++ b/tailscale-1.88.3.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:cf8b2625ffe57b92ad34af619e0e78202fd9c3d219295c18781d3682411efce1 +size 75520912 diff --git a/tailscale-1.90.2.tar.gz b/tailscale-1.90.2.tar.gz new file mode 100644 index 0000000..553ddcf --- /dev/null +++ b/tailscale-1.90.2.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:eb89e930b62365aeda0fd8fd1af5ab640fd47340c60286ee4102bf2738c26267 +size 75912665 diff --git a/tailscale-1.90.3.tar.gz b/tailscale-1.90.3.tar.gz new file mode 100644 index 0000000..d5bfa94 --- /dev/null +++ b/tailscale-1.90.3.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:94e98597379c95acc11ec3adee926f868baf0a32986ceea91e7ad90817863a00 +size 75995057 diff --git a/tailscale-1.90.4.tar.gz b/tailscale-1.90.4.tar.gz new file mode 100644 index 0000000..aa03a50 --- /dev/null +++ b/tailscale-1.90.4.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:540310a3c9f29866e13356b4d04d8553a582a99a3032f342ff51deed29998a97 +size 76927017 diff --git a/tailscale-1.90.6.tar.gz b/tailscale-1.90.6.tar.gz new file mode 100644 index 0000000..33e1a1e --- /dev/null +++ b/tailscale-1.90.6.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:cb862094a7709cfe8e21b006fdd6fb20c14fbd8a840a6d1fe8eabfdaa2f5b063 +size 77877013 diff --git a/tailscale-1.90.8.tar.gz b/tailscale-1.90.8.tar.gz new file mode 100644 index 0000000..56e8d0f --- /dev/null +++ b/tailscale-1.90.8.tar.gz 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c163ace41d1c35beb7a9d87da20a102a108ca9c4d128a29ff9764344e5c5406d +size 78844949 diff --git a/tailscale-1.92.1.tar.gz b/tailscale-1.92.1.tar.gz new file mode 100644 index 0000000..607d760 --- /dev/null +++ b/tailscale-1.92.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0738a6bf43776830a72c870c3ad476882c36ed803d024a1331e0cb82850668d3 +size 79379813 diff --git a/tailscale-1.92.2.tar.gz b/tailscale-1.92.2.tar.gz new file mode 100644 index 0000000..b0a40fe --- /dev/null +++ b/tailscale-1.92.2.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d38ed5236e97266c2dbab26d96981ab99fca2d14ffcb1fc9a62919a81713f082 +size 79762585 diff --git a/tailscale-1.92.3.tar.gz b/tailscale-1.92.3.tar.gz new file mode 100644 index 0000000..8e64e22 --- /dev/null +++ b/tailscale-1.92.3.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b5669b0365fc27d42338a3af65ff84ddcc4f131af6252ad7fa297371fd4d3d09 +size 16444103 diff --git a/tailscale.changes b/tailscale.changes new file mode 100644 index 0000000..d77a719 --- /dev/null +++ b/tailscale.changes 
@@ -0,0 +1,677 @@ +------------------------------------------------------------------- +Wed Dec 17 13:24:06 UTC 2025 - Richard Rahl + +- Update to version 1.92.3: + * WireGuard configuration that occurs automatically in the client, no longer + results in a panic + +------------------------------------------------------------------- +Fri Dec 12 14:21:14 UTC 2025 - Richard Rahl + +- Update to version 1.92.2: + * cmd/derper: add GCP Certificate Manager support + +------------------------------------------------------------------- +Sat Dec 6 11:39:58 UTC 2025 - Richard Rahl + +- Update to version 1.92.1: + * fix LocalBackend deadlock when packet arrives during profile switch + * wgengine: fix TSMP/ICMP callback leak +- Update to version 1.92.0: + * no changelog provided +- Update to version 1.90.9: + * tailscaled no longer deadlocks during event bursts + * The client no longer hangs after wake up + +------------------------------------------------------------------- +Wed Nov 19 16:23:06 UTC 2025 - Richard Rahl + +- Update to version 1.90.8: + * tka: move RemoveAll() to CompactableChonk +- Update to version 1.90.7: + * wgengine/magicsock: validate endpoint.derpAddr + * wgengine/magicsock: fix UDPRelayAllocReq/Resp deadlock + * net/udprelay: replace VNI pool with selection algorithm + * feature/relayserver,ipn/ipnlocal,net/udprelay: plumb DERPMap + * feature/relayserver: fix Shutdown() deadlock + * net/netmon: do not abandon a subscriber when exiting early + * tka: don't try to read AUMs which are partway through being written + * tka: rename a mutex to mu instead of single-letter l + * ipn/ipnlocal: use an in-memory TKA store if FS is unavailable + +------------------------------------------------------------------- +Sun Nov 2 11:43:31 UTC 2025 - Richard Rahl + +- Update to version 1.90.6: + * Routes no longer stall and fail to apply when updated repeatedly in a short + period of time + * Tailscale SSH no longer hangs for 10s when connecting to tsrecorder. 
This + affected tailnets that use Tailscale SSH recording + +------------------------------------------------------------------- +Wed Oct 29 09:50:22 UTC 2025 - Richard Rahl + +- Update to version 1.90.4: + * deadlock issue no longer occurs in the client when checking + for the network to be available + * tailscaled no longer sporadically panics when a + Trusted Platform Module (TPM) device is present + +------------------------------------------------------------------- +Tue Oct 28 11:12:50 UTC 2025 - Richard Rahl + +- Update to version 1.90.3: + * tailscaled shuts down as expected and without panic + * tailscaled starts up as expected in a no router configuration environment + +------------------------------------------------------------------- +Fri Oct 24 18:11:11 UTC 2025 - Richard Rahl + +- Update to version 1.90.2: + * util/linuxfw: fix 32-bit arm regression with iptables + * health: compare warnable codes to avoid errors on release branch + * feature/tpm: check TPM family data for compatibility + +------------------------------------------------------------------- +Fri Oct 24 10:08:31 UTC 2025 - Richard Rahl + +- Upate to version 1.90.1: + * Clients can use configured DNS resolvers for all domains + * Node keys will be renewed seamlessly + * Unnecessary path discovery packets over DERP servers are suppressed + * Node key sealing is GA (generally available) and enabled by default + +------------------------------------------------------------------- +Wed Oct 1 11:55:52 UTC 2025 - Richard Rahl + +- update to version 1.88.3: + * cmd/tailscale/cli: add ts2021 debug flag to set a dial plan + * control/controlhttp: simplify, fix race dialing, remove priority concept +- update to version 1.88.2: + * k8s-operator: reset service status before append +- require the minimum go version directly, in comparison to using the golang(API) + symbol + +------------------------------------------------------------------- +Fri Sep 12 11:11:48 UTC 2025 - Richard Rahl + +- update 
to version 1.88.1: + * Tailscale CLI prompts users to confirm impactful actions + * Tailscale SSH works as expected when using an IP address instead of a + hostname and MagicDNS is disabled + * fixed: Taildrive sharing when su not present + * Taildrive files remain consistently accessible + * new: Tailscale tray GUI + * DERP IPs changed for Singapore and Tokyo +- remove fix-CVE-2025-58058.patch, fixed upstream + +------------------------------------------------------------------- +Fri Aug 29 12:57:59 UTC 2025 - Richard Rahl + +- add patch fix-CVE-2025-58058.patch, fixing bsc#1248920 + +------------------------------------------------------------------- +Fri Aug 29 11:10:29 UTC 2025 - Richard Rahl + +- update to version 1.86.5: + * cmd/k8s-proxy,k8s-operator: fix serve config for userspace mode +- update to version 1.86.4: + * nothing of relevance +- update to version 1.86.3: + * nothing of relevance + +------------------------------------------------------------------- +Tue Jul 29 21:20:47 UTC 2025 - Richard Rahl + +- update to version 1.86.2: + * A deadlock issue that may have occurred in the client + * An occasional crash when establishing a new port mapping with a gateway or + firewall + +------------------------------------------------------------------- +Sat Jul 26 16:23:38 UTC 2025 - Richard Rahl + +- update to version 1.86.0: + * tsStateEncrypted device posture attribute for checking whether the + Tailscale client state is encrypted at rest + * Cross-site request forgery (CSRF) issue that may have resulted in a log in + error when accessing the web interface + * Recommended exit node when the previously recommended exit node is offline + * tailscale up --exit-node=auto:any and tailscale set --exit-node=auto:any + CLI commands track the recommended exit node and automatically switches to + it when available exit nodes or network conditions change + * tailscaled CLI command flag --encrypt-state encrypts the node state file on + the disk using trusted platform 
module (TPM) + +------------------------------------------------------------------- +Thu Jun 26 17:29:44 UTC 2025 - Richard Rahl + +- update to 1.84.3: + * ipn/ipnlocal: Update hostinfo to control on service config change + +------------------------------------------------------------------- +Tue Jun 10 15:36:55 UTC 2025 - Richard Rahl + +- update to 1.84.2: + * Re-enable setting —accept-dns by using TS_EXTRA_ARGS. This issue resulted + from stricter CLI arguments parsing introduced in Tailscale v1.84.0 + +------------------------------------------------------------------- +Fri May 30 06:23:15 UTC 2025 - Richard Rahl + +- update to 1.84.1: + * net/dns: cache dns.Config for reuse when compileConfig fails + +------------------------------------------------------------------- +Thu May 22 08:27:09 UTC 2025 - Richard Rahl + +- update to 1.84.0: + * The --reason flag is added to the tailscale down command + * ReconnectAfter policy setting, which configures the maximum period of time + between a user disconnecting Tailscale and the client automatically + reconnecting + * Tailscale CLI commands throw an error if multiple of the same flag are detected + * Network connectivity issues when creating a new profile or switching + profiles while using an exit node + * DNS-over-TCP fallback works correctly with upstream servers reachable only + via the tailnet +- remove fix-CVE-2025-22869.patch, as upstream updated their dependencies + +------------------------------------------------------------------- +Fri Apr 18 07:37:15 UTC 2025 - Richard Rahl + +- update to 1.82.5: + * A panic issue related to CUBIC congestion control in userspace mode is resolved. + +------------------------------------------------------------------- +Thu Mar 27 19:50:58 UTC 2025 - Richard Rahl + +- update to 1.82.0: + * DERP functionality within the client supports certificate pinning for + self-signed IP address certificates for those unable to use Let's Encrypt + or WebPKI certificates. 
+ * Go is updated to version 1.24.1 + * NAT traversal code uses the DERP connection that a packet arrived on as an + ultimate fallback route if no other information is available + * Captive portal detection reliability is improved on some in-flight Wi-Fi networks + * Port mapping success rate is improved + * Helsinki is added as a DERP region. + +------------------------------------------------------------------- +Wed Mar 12 09:07:49 UTC 2025 - Richard Rahl + +- add patch fix-CVE-2025-22869.patch, fixes bsc#1239353 + +------------------------------------------------------------------- +Tue Mar 4 13:42:34 UTC 2025 - Richard Rahl + +- update to 1.80.3: + * appc: fix a deadlock in route advertisements + * client/web: fix CSRF handler order in web UI + +------------------------------------------------------------------- +Thu Feb 13 14:30:28 UTC 2025 - Richard Rahl + +- update to 1.80.2: + * Use ip:country as a geolocation device posture attribute (generally available). + +------------------------------------------------------------------- +Thu Feb 6 19:52:22 UTC 2025 - Richard Rahl + +- update to 1.80.1: + * net/netmon: add extra panic guard around ParseRIB + +------------------------------------------------------------------- +Fri Jan 31 17:20:29 UTC 2025 - Richard Rahl + +- update to 1.80.0: + * Hostname system policy is added for overriding the device hostname + configured by the operating system, using an MDM solution. + * Web interface displays a Login button instead of the Reauthenticate button + when adding a new device to your tailnet. + * Tailscale Funnel configuration on devices displays errors when incoming + connections are not permitted and connections are disallowed. + * Connections to a custom coordination server that does not support HTTPS + will no longer fail when a custom port number is specified. + * TLS certificate requests from Let’s Encrypt include the device's DNS name + in the CSR’s SAN extension and set the Common Name field. 
+ * Tailscale Funnel disabled on a device no longer displays enabled in the + admin console. + * GitHub username change automatically updates tailnet name + * 4via6 subnet routers GA + * Auto approvers GA + * Node attributes GA + * Download invoices GA + * Fast user switching GA + * Configuration log streaming integration with S3 buckets GA + * Network flow log streaming integration with S3 buckets GA + * NextDNS profiles per device GA + * GitHub secret scanning +- remove fix-CVE-2024-45337.patch, as it's now included + +------------------------------------------------------------------- +Wed Dec 18 17:33:23 UTC 2024 - Richard Rahl + +- add patch fix-CVE-2024-45337.patch, to circumevent a possibility + of exploiting the golang-x-crypto security hole. (fix #1234506) + +------------------------------------------------------------------- +Fri Dec 13 05:06:26 UTC 2024 - Richard Rahl + +- update to 1.78.3: + * cmd/containerboot: fix nil pointer exception + * hostinfo: fix testing in container + +------------------------------------------------------------------- +Fri Dec 6 01:22:05 UTC 2024 - Richard Rahl + +- update to 1.78.1: + * health: fix TestHealthMetric + +------------------------------------------------------------------- +Thu Dec 5 22:10:32 UTC 2024 - Richard Rahl + +- update to 1.78.0: + * Client metrics have been added, to provide insights into Tailscale client + behavior, health, and performance. + * tailscale metrics command has been added, to expose and collect client + metrics for use with third-party monitoring systems. + * tailscale syspolicy command has been added, to list system policies, reload + system policies, or view errors related to the system policies configured + on the device. + * Tailscale system policies are applied immediately when pushed via mobile + device management (MDM) or Group Policy, without requiring a client restart. + * Tailscale SSH session recording detects the disappearance of the recorder + node sooner. 
This fix addresses a security vulnerability described + in TS-2024-013. + * New scopes for OAuth clients have been added with more granular permissions. + Existing OAuth clients using the previous set of scopes, and keys generated + using these clients, are still valid. + +------------------------------------------------------------------- +Fri Nov 8 03:46:50 UTC 2024 - Richard Rahl + +- update to 1.76.6: + * Logging for when clients move home DERP regions is improved. + * Tailscale clients no longer move their home DERP server prematurely in + response to unusual latency at very specific times. + +------------------------------------------------------------------- +Tue Oct 22 18:34:42 UTC 2024 - Richard Rahl + +- update to 1.76.3: + * no relevant changelog +- update to 1.76.2: + * no relevant changelog +- switch over to the new %{default_fw_backend} macro +- create old init file only for < leap 16 + +------------------------------------------------------------------- +Wed Oct 16 20:40:31 UTC 2024 - Richard Rahl + +- update to 1.76.1: + * tailscale netcheck CLI command no longer crashes when performing diagnostics + on networks lacking UDP connectivity. + * Improperly formatted SERVFAIL responses no longer cause DNS timeouts when using an exit node. + * dbus login sessions no longer fail on systems where /bin/login is missing. + +------------------------------------------------------------------- +Mon Oct 14 13:06:13 UTC 2024 - Alexandre Vicenzi + +- Require a firewall backend (boo#1228829) +- Add simple test check to ensure binaries are working + +------------------------------------------------------------------- +Fri Oct 11 06:07:28 UTC 2024 - Richard Rahl + +- update to 1.76.0: + * Clients lacking UDP connectivity no longer skip performing fallback latency + measurements with DERP servers. + * Warnings no longer display unnecessarily. + * Tailscale connectivity on in-flight internet on airplanes (such as Alaska Airlines) no longer fails. 
+ * Service-related processes no longer run unnecessarily when services are disabled on the tailnet. + * Error messages include explanations in addition to the HTTP status code. + * Tailscale SSH supports sending environment variables to hosts. It's also possible to specify + permitted environment variables using the acceptEnv field. + * Tailscale SSH no longer breaks some terminal applications by omitting pixel width and height when + resizing the application window. + +------------------------------------------------------------------- +Sat Sep 21 05:28:42 UTC 2024 - Eric Torres + +- Change path of zsh completion file to make zsh properly recognize completions + * /usr/share/zsh/site-functions/tailscale moved to /usr/share/zsh/site-functions/_tailscale + +------------------------------------------------------------------- +Wed Sep 18 19:10:19 UTC 2024 - Richard Rahl + +- update to 1.74.1: + * wgengine/magicsock: disable raw disco by default; add envknob to enable + +------------------------------------------------------------------- +Fri Sep 13 10:48:17 UTC 2024 - Richard Rahl + +- update to 1.74.0 + * AuthKey system policy can be used to authenticate a device with Tailscale using an MDM solution. + * tailscale dns CLI command is added for accessing Tailscale DNS settings and status. + * Tailnet Lock long rotation signatures are truncated automatically to avoid excessive growth. + * Log In option in the client works as expected. + * TCP generic receive offload (GRO) support is added for improved userspace mode throughput. + * TCP generic segmentation offload (GSO) is re-introduced for supporting improved userspace mode throughput. + This was initially introduced in Tailscale v1.72.0 and then rolled back in v1.72.1. + * Device posture integration with CrowdStrike Falcon can now use MAC addresses to match devices that lack serial numbers. + When Falcon integration is configured, Device Identity Collection will automatically collect MAC addresses. 
+ +------------------------------------------------------------------- +Thu Aug 22 22:08:51 UTC 2024 - Richard Rahl + +- update to 1.72.1: + * DNS over TCP failures when querying the Tailscale-internal resolver are fixed. + +------------------------------------------------------------------- +Wed Aug 21 16:05:02 UTC 2024 - rrahl0@opensuse.org + +- Update to version 1.72.0: + * posture: deduplicate MAC addresses before returning them + * health/dns: reduce severity of DNS unavailable warning + * safeweb: add Server.Close method + * go.mod.sri: update SRI hash for go.mod changes + * go.{mod,sum}: migrate from nhooyr.io/websocket to github.com/coder/websocket + * cmd/viewer: add support for map-like container types +- update golang(API) to 1.23 +- export version variables, to circumvent a bug + +------------------------------------------------------------------- +Thu Jul 18 06:31:58 UTC 2024 - Richard Rahl + +- update to 1.70.0: + * New: Restrict recommended and automatically selected exit nodes using the + new AllowedSuggestedExitNodes system policy. Applies only to platforms that + support system policies. + * Changed: Improved NAT traversal for some uncommon scenarios. + * Changed: Optimized sending firewall rules to clients more efficiently. + * Fixed: Exit node suggestion CLI command now prints the hostname. + * Fixed: Taildrive share paths configured through the CLI resolve relative + to where you run the tailscale command. + +------------------------------------------------------------------- +Tue Jul 2 20:35:35 UTC 2024 - Richard Rahl + +- update to 1.68.2: + * Fixed: Tailnet lock validation of rotation signatures now permits multiple nodes + signed by the same pre-signed reusable auth key. + +------------------------------------------------------------------- +Sun Jun 16 13:30:20 UTC 2024 - Richard Rahl + +- update to 1.68.1: + * Fixed: 4via6 subnet router advertisement works as expected. 
+ * Fixed: Tailscale SSH access to Security-Enhanced Linux (SELinux) machines works as expected. +- update to 1.68.0: + * New: Auto-updates are allowed in containers, but ignore the tailnet-wide default + * New: Apply auto-updates even if the node is down or disconnected from the coordination server. + * New: tailscale lock status now prints the node's signature. + +------------------------------------------------------------------- +Wed May 22 08:36:37 UTC 2024 - Richard Rahl + +- update to 1.66.4: + * Fixed: Restored UDP connectivity through Mullvad exit nodes + * Stateful filtering is now off by default + +- update to 1.66.3: + * Login URLs did not always appear in the console when running tailscale up + * Starting with v1.66, the Kubernetes operator must always run the same or later version + as the proxies it manages. + * Expose cloud services on cluster network to the tailnet, using Kubernetes ExternalName Services + * Expose tailnet services that use Tailscale HTTPS to cluster workloads + * Cluster workloads can now refer to Tailscale Ingress resources by their MagicDNS names + * Configure environment variables for Tailscale Kubernetes operator proxies using ProxyClass CRD + * Expose tailscaled metrics endpoint for Tailscale Kubernetes operator proxies through ProxyClass CRD + * Configure labels for the Kubernetes operator Pods with Helm chart values + * Configure affinity rules for Kubernetes operator proxy Pods with ProxyClass + * Kubernetes operator proxy init container no longer attempts to enable IPv6 forwarding on systems + that don't have IPv6 module loaded + * Tailscale containers running on Kubernetes no longer error if an empty Kubernetes Secret is + pre-created for the tailscaled state + * Improved the ambiguous error messages when Tailscale running on Kubernetes does not have the right + permissions to perform actions against the tailscaled state Secret + +------------------------------------------------------------------- +Fri May 10 15:16:33 
UTC 2024 - Richard Rahl + +- update to 1.66.1: + * Resolved issues with nftables rules for stateful filtering, + introduced in v1.66.0. + * tailscale set command flags --netfilter-mode, --snat-subnet-routes, + and --stateful-filtering are added. + +- update to 1.66.0: + * Implemented client-side quarantining for shared-in exit nodes, + as a mitigation for a security vulnerability described in TS-2024-005. + * Use the --stateful-filtering flag for the tailscale up to enable stateful filtering for + subnet routers and exit nodes, as a mitigation for a security vulnerability described + in TS-2024-005. + * Added tab completions + * Use the tailscale exit-node suggest command to automatically pick an available exit node + that is likely to perform best. + * Site-to-site networking now also requires --stateful-filtering=false in addition to + --snat-subnet-routes=false on new subnet routers. Existing subnet routers with --snat-subnet-routes=false + will default to --stateful-filtering=false. + +- update to 1.64.2: + * nothing relevant for linux + +- update to 1.64.1: + * nothing relevant for linux + +- update to 1.64.0: + * New: tailscale configure kubeconfig now respects KUBECONFIG environment variable. + * Fixed: tailscale configure kubeconfig now works with partially empty kubeconfig. + * Fixed: MSS clamping for Kubernetes operator proxies using nftables. + * Fixed: Containers on hosts with partial support for ip6tables no longer crash. 
+ +- turn of changelog generation +- add completions for bash + +------------------------------------------------------------------- +Sat Mar 30 08:28:56 UTC 2024 - Richard Rahl + +- update to 1.62.1: + * Send load balancing hint HTTP request header + * Fixed: Kubernetes operator proxies should not accept subnet routes + +------------------------------------------------------------------- +Thu Mar 14 03:13:54 UTC 2024 - rrahl0@proton.me + +- update to 1.62.0: + * IPv6 support detection in a container environment is improved + * New: Web interface now uses ACL grants to manage access on tagged devices + * Tailscale SSH connections now disable unnecessary hostname canonicalization + * tailscale bugreport command for generating diagnostic logs now contain ethtool information + * Mullvad's family-friendly server is added to the list of well known DNS over HTTPS (DoH) servers + * DNS over HTTP requests now contain a timeout + * TCP forwarding attempts in userspace mode now have a per-client limit + * Endpoints with link-local IPv6 addresses is preferred over private addresses + * WireGuard logs are less verbose + * Go min. 
version 1.22.1 + * DERP server region no longer changes if connectivity to the new DERP region is degraded + +- update to 1.60.1: + * Exposing port 8080 to other devices on your tailnet works as expected + +------------------------------------------------------------------- +Tue Feb 20 22:10:41 UTC 2024 - Alexandre Vicenzi + +- Add disable-auto-update.patch to prevent auto updates and instead + ask users to use Zypper to update manually + +------------------------------------------------------------------- +Tue Feb 20 14:52:46 UTC 2024 - Richard Rahl + +- change to the non deprecated manualrun + +------------------------------------------------------------------- +Fri Feb 16 14:38:14 UTC 2024 - alexandre.vicenzi@suse.com + +- Spec cleanup + * Use tar_scm to avoid commit hashes in the spec + * Use tailscale build scripts + * Drop ProtectClock fix for Leap, DeviceAllow fixes it +- Add build-verbose.patch to get go flags into build log +- Enable PrivateDevices but allow access to /dev/net/tun in tailscaled.service + +------------------------------------------------------------------- +Fri Feb 16 00:50:26 UTC 2024 - Richard Rahl + +- update to 1.60.0: + * minimum go version 1.22 + * authentication: present users with a valid login page when + attempting to login even after leaving device unattended for several days + * networking: mute noisy peer mtu discovery errors + * networking: expose gVisor metrics in debug mode + * port mapper: support legacy "urn:dslforum-org" port mapping services + * port mapper: fix crash when no support mapping services found + * ssh: log warning when unable to find SSH host keys + * serve: improve error message when running as non-root + * Detect when Tailscale is running on Digital Ocean and automatically + use Digital Ocean's DNS resolvers + * enable app connectors to install routes for domains that resolve to CNAME + records + * support pre-configured routes from control server + * add new read-only mode + * tailscale status command: 
fix output formatting Tailnet + includes location-based exit nodes + * a new ProxyClass custom resource that allows to provide custom + configuration for cluster resources that the operator creates + * ACL tags for the operator can now be configured via Helm chart values + * routing to Ingress backends that require an exact path without a slash + +------------------------------------------------------------------- +Wed Feb 7 14:52:53 UTC 2024 - Richard Rahl + +- make rpm not overwrite /etc/default/taiscaled +- defattr everything to root + +------------------------------------------------------------------- +Sat Feb 3 11:18:05 UTC 2024 - Richard Rahl + +- no stripping of binaries +- add commitID to binaries for upstream +- add directory for saved configs + +------------------------------------------------------------------- +Tue Jan 23 23:54:36 UTC 2024 - Richard Rahl + +- switch services to manual +- update to version 1.58.2: + * Fixed: [App connectors][app-connectors] have improved scheduling + and merging of route changes under some conditions + * Fixed: Crash when performing UPnP portmapping on older routers + with no supported portmapping services + +------------------------------------------------------------------- +Fri Jan 19 08:06:27 UTC 2024 - Richard Rahl + +- update to version 1.58.0: + * portmap: check the epoch from NAT-PMP & PCP, establish new portmapping if it changes + * portmap: better handle multiple interfaces + * portmap: handle multiple UPnP discovery responses + * increase the number of 4via6 site IDs from 256 to 65,536 + * taildrop: allow category Z unicode characters + * increased binary size with 1.56 is resolved in 1.58 + * Reduce home DERP flapping when there's still an active connection + * device web ui: fixed issue when accessing shared devices + * device web ui: fixed login issue when accessed over https + +------------------------------------------------------------------- +Wed Jan 10 02:17:57 UTC 2024 - Richard Rahl + +- fix an 
issue with Leap, where ProtectClock prevents to connect to + /dev/net/tun + +------------------------------------------------------------------- +Fri Dec 15 21:22:39 UTC 2023 - Richard Rahl + +- update to version 1.56.1: + * Fixed: Web interface redirects to the correct self IP known by source peer + * Fixed: Usage of slices.Compact from app connector domains list + +------------------------------------------------------------------- +Fri Dec 15 13:48:28 UTC 2023 - Richard Rahl + +- fix version output to what upstream expects + +------------------------------------------------------------------- +Wed Dec 13 22:08:30 UTC 2023 - rrahl0@proton.me + +- Update to version 1.56.0: + * improve responsiveness under load, especially with bidirectional traffic + * improve UPnP portmapping + * add tailscale whois subcommand to observe metadata associated with a Tailscale IP + * include tailnet name and profile ID in tailscale switch --list to disambiguate + profiles with common login names + * improve tailscale web interface for configuring some device settings such as exit nodes, + subnet routers, and Tailscale SSH + * improve containerboot to symlink its socket file if possible, + making the tailscale CLI work without --socket=/tmp/tailscale.sock + * add support in Kubernetes operator cluster egress for referring to a tailnet service + by its MagicDNS name + + +- Update to version 1.54.1: + * no relevant updates to the linux version + +------------------------------------------------------------------- +Fri Nov 24 21:59:11 UTC 2023 - Richard Rahl + +- tailscale couldn't connect to /dev/net/tun + +------------------------------------------------------------------- +Thu Nov 23 06:51:24 UTC 2023 - rrahl0@proton.me + +- Update to version 1.54.0: + * improve throughput substantially for UDP packets over TUN device with recent Linux kernels + + +- Update to version 1.52.1: + * no linux improvements + +- Update to version 1.52.0: + * tailscale set command flag --auto-update is 
added to opt in to automatic client updates
+ * tailscale serve and tailscale funnel commands are updated for improved usability
+ * tailscale update command for manual updates is now in beta
+ * Taildrop file transfer displays a progress meter
+ * nftables auto-detection is improved when TS_DEBUG_FIREWALL_MODE=auto is used
+ * DNS detection of NetworkManager with configured but absent systemd-resolved
+ * Taildrop now resumes file transfers after partial transfers are interrupted
+ * tailscale up command displays a message about client updates when newer versions are available
+ * tailscale status command displays a message about client updates when newer versions are available
+ * tailscale cert command renews in the background. The current certificate only displays if it has expired.
+
+-------------------------------------------------------------------
+Mon Oct 02 23:51:03 UTC 2023 - rrahl0@proton.me
+
+- Update to version 1.50.1:
+ * fix bug where serve config could get wiped
+ * Funnel support for tsnet apps
+ * fix potential crash with UPnP
+
+-------------------------------------------------------------------
+Sat Sep 30 19:38:50 UTC 2023 - rrahl0@proton.me
+
+- Update to version 1.50.0:
+ * Update tailscale{,d} licenses
+ * Update Quad9 addresses and references
+ * Adds support for Wikimedia DNS using DNS-over-HTTPS
+
+- Update to version 1.48.1:
+ * no relevant updates
+
+- Update to version 1.48.2:
+ * Improvements to Mullvad exit nodes
+
+-------------------------------------------------------------------
+Fri Aug 18 15:56:24 UTC 2023 - Richard Rahl
+
+- Initial revision
diff --git a/tailscale.spec b/tailscale.spec
new file mode 100644
index 0000000..d61c2a6
--- /dev/null
+++ b/tailscale.spec
@@ -0,0 +1,143 @@
+#
+# spec file for package tailscale
+#
+# Copyright (c) 2025 SUSE LLC and contributors
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name: tailscale
+Version: 1.92.3
+Release: 0
+Summary: The easiest, most secure way to use WireGuard and 2FA
+License: BSD-3-Clause
+URL: https://github.com/tailscale/tailscale
+Source: %{name}-%{version}.tar.gz
+Source1: vendor.tar.gz
+Source2: %{name}d.service
+Source3: %{name}d.defaults
+Patch0: build-verbose.patch
+Patch1: disable-auto-update.patch
+BuildRequires: bash-completion
+BuildRequires: fish
+BuildRequires: git-core
+BuildRequires: go1.25 >= 1.25.5
+BuildRequires: golang-packaging
+BuildRequires: zsh
+Requires: %{default_firewall_backend}
+ExcludeArch: %{ix86}
+%{?systemd_requires}
+
+%description
+Tailscale is a modern VPN built on top of Wireguard. It works like an overlay
+network between the computers of your networks using NAT traversal.
+
+%package bash-completion
+Summary: Tailscale bash completion
+Supplements: (%{name} and bash-completion)
+BuildArch: noarch
+
+%description bash-completion
+bash completions for %{name}
+
+%package zsh-completion
+Summary: Tailsacle zsh completion
+Supplements: (%{name} and zsh)
+BuildArch: noarch
+
+%description zsh-completion
+zsh completion for %{name}
+
+%package fish-completion
+Summary: Tailscale fish completion
+Supplements: (%{name} and fish)
+BuildArch: noarch
+
+%description fish-completion
+fish completion for %{name}
+
+%prep
+%autosetup -a1 -p1
+
+%build
+%ifnarch ppc64
+export GOFLAGS="-buildmode=pie"
+%endif
+export VERSION_SHORT=%{version}
+export VERSION_LONG=%{version}
+export VERSION_GIT_HASH='$(git rev-parse v%{version})'
+./build_dist.sh ./cmd/%{name}
+./build_dist.sh ./cmd/%{name}d
+
+#generate completions
+./%{name} completion bash > ./%{name}.bash
+./%{name} completion zsh > ./%{name}.zsh
+./%{name} completion fish > ./%{name}.fish
+
+%check
+./%{name} version
+./%{name}d -version
+
+%install
+mkdir -p %{buildroot}%{_sharedstatedir}/%{name}
+
+install -D -p -m 0755 %{name} %{buildroot}%{_bindir}/%{name}
+install -D -p -m 0755 %{name}d %{buildroot}%{_sbindir}/%{name}d
+
+# service
+install -D -p -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/%{name}d.service
+%if 0%{?suse_version} < 1600
+ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}d
+%endif
+
+# defaults
+install -D -p -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/default/%{name}d
+
+install -D -p -m 0644 ./%{name}.bash %{buildroot}%{_datadir}/bash-completion/completions/%{name}
+install -D -p -m 0644 ./%{name}.zsh %{buildroot}%{_datadir}/zsh/site-functions/_%{name}
+install -D -p -m 0644 ./%{name}.fish %{buildroot}%{_datadir}/fish/vendor_completions.d/%{name}
+
+%pre
+%service_add_pre %{name}d.service
+
+%post
+%service_add_post %{name}d.service
+
+%preun
+%service_del_preun %{name}d.service
+
+%postun
+%service_del_postun %{name}d.service
+
+%files
+%license LICENSE PATENTS
+%doc README.md SECURITY.md
+%config(noreplace) %{_sysconfdir}/default/%{name}d
+%dir %{_sharedstatedir}/%{name}
+%{_bindir}/%{name}
+%{_sbindir}/%{name}d
+%{_unitdir}/%{name}d.service
+%if 0%{?suse_version} < 1600
+%{_sbindir}/rc%{name}d
+%endif
+
+%files bash-completion
+%{_datadir}/bash-completion/completions/%{name}
+
+%files zsh-completion
+%{_datadir}/zsh/site-functions/_%{name}
+
+%files fish-completion
+%{_datadir}/fish/vendor_completions.d/%{name}
+
+%changelog
diff --git a/tailscaled.defaults b/tailscaled.defaults
new file mode 100644
index 0000000..75f1c3e
--- /dev/null
+++ b/tailscaled.defaults
@@ -0,0 +1,8 @@
+# Set the port to listen on for incoming VPN packets.
+# Remote nodes will automatically be informed about the new port number,
+# but you might want to configure this in order to set external firewall
+# settings.
+PORT="41641"
+
+# Extra flags you might want to pass to tailscaled.
+FLAGS=""
diff --git a/tailscaled.service b/tailscaled.service
new file mode 100644
index 0000000..b67b94d
--- /dev/null
+++ b/tailscaled.service
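Review bot: `%dir %{_sharedstatedir}/%{name}` in `%files` ships the state directory with whatever mode `mkdir -p` left in `%install` (normally 0755), while `tailscaled.service` in this same commit applies `StateDirectoryMode=0700` to that path, which holds `tailscaled.state`; packaging it as `%dir %attr(0700,root,root) %{_sharedstatedir}/%{name}` keeps package and unit in agreement instead of relying on systemd to tighten it at first start. `export VERSION_GIT_HASH='$(git rev-parse v%{version})'` is single-quoted, so the shell exports the literal text rather than a commit id; if the expansion is meant to happen later inside build_dist.sh, a comment such as `# single quotes: expanded by build_dist.sh, not here` should say so, and if not, the quotes are a bug. `Summary: Tailsacle zsh completion` misspells the package name.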
@@ -0,0 +1,35 @@
+[Unit]
+Description=Tailscale node agent
+Documentation=https://tailscale.com/kb/
+Wants=network-pre.target
+After=network-pre.target NetworkManager.service systemd-resolved.service
+
+[Service]
+EnvironmentFile=/etc/default/tailscaled
+ExecStartPre=/usr/sbin/tailscaled --cleanup
+ExecStart=/usr/sbin/tailscaled --state=/var/lib/tailscale/tailscaled.state --socket=/run/tailscale/tailscaled.sock --port=${PORT} $FLAGS
+ExecStopPost=/usr/sbin/tailscaled --cleanup
+Restart=on-failure
+RuntimeDirectory=tailscale
+RuntimeDirectoryMode=0755
+StateDirectory=tailscale
+StateDirectoryMode=0700
+CacheDirectory=tailscale
+CacheDirectoryMode=0750
+Type=notify
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+PrivateDevices=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+RestrictRealtime=true
+# give permission to TUN
+BindPaths=/dev/net/tun
+DeviceAllow=/dev/net/tun rw
+
+[Install]
+WantedBy=multi-user.target
diff --git a/vendor.tar.gz b/vendor.tar.gz
new file mode 100644
index 0000000..a6b5239
--- /dev/null
+++ b/vendor.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bd9918c43f0c768874f0a0374f0c4d6e5d76fefeb6412b168571d2b3947489dd
+size 20885369
-- 
2.51.1

From d56842182ebc16de759c5f02e3418b8430ee956978aadca879a8a9424bea2f78 Mon Sep 17 00:00:00 2001
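Review bot: `ProtectHome=true` hides /home, /root and /run/user from the unit, yet tailscaled is the process behind Tailscale SSH logins and Taildrive shares (the changelog entries above mention both, including `Taildrive sharing when su not present`), so those features may end up without access to user home directories; verify on a test node and record the outcome beside the option. The hardening block also leaves `ProtectSystem` and `NoNewPrivileges` unset without saying why — presumably because the daemon manages resolver settings and spawns login sessions — so a comment such as `# ProtectSystem/NoNewPrivileges deliberately unset: tailscaled manages DNS config and spawns Tailscale SSH login sessions` would keep the next hardening pass from adding them blindly. `RuntimeDirectoryMode=0755` makes /run/tailscale world-traversable, so access to `tailscaled.sock` rests entirely on the socket's own mode, which is worth a one-line note next to it.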
From: Richard Rahl Date: Fri, 9 Jan 2026 00:32:50 +0000 Subject: [PATCH 23/25] - Update to version 1.92.5: * types/persist: omit Persist.AttestationKey based on IsZero * disable hardware attestation for kubernetes * allow opting out of ACME order replace extension - Update to version 1.92.4: * nothing of importance OBS-URL: https://build.opensuse.org/package/show/network:vpn/tailscale?expand=0&rev=114 --- .gitattributes | 23 ++ .gitignore | 1 + _service | 18 + _servicedata | 4 + build-verbose.patch | 13 + disable-auto-update.patch | 25 ++ fix-CVE-2025-58058.patch | 28 ++ tailscale-1.86.5.tar.gz | 3 + tailscale-1.88.1.tar.gz | 3 + tailscale-1.88.3.tar.gz | 3 + tailscale-1.90.2.tar.gz | 3 + tailscale-1.90.3.tar.gz | 3 + tailscale-1.90.4.tar.gz | 3 + tailscale-1.90.6.tar.gz | 3 + tailscale-1.90.8.tar.gz | 3 + tailscale-1.92.1.tar.gz | 3 + tailscale-1.92.2.tar.gz | 3 + tailscale-1.92.3.tar.gz | 3 + tailscale-1.92.5.tar.gz | 3 + tailscale.changes | 687 ++++++++++++++++++++++++++++++++++++++ tailscale.spec | 143 ++++++++ tailscaled.defaults | 8 + tailscaled.service | 35 ++ vendor.tar.gz | 3 + 24 files changed, 1024 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 _service create mode 100644 _servicedata create mode 100644 build-verbose.patch create mode 100644 disable-auto-update.patch create mode 100644 fix-CVE-2025-58058.patch create mode 100644 tailscale-1.86.5.tar.gz create mode 100644 tailscale-1.88.1.tar.gz create mode 100644 tailscale-1.88.3.tar.gz create mode 100644 tailscale-1.90.2.tar.gz create mode 100644 tailscale-1.90.3.tar.gz create mode 100644 tailscale-1.90.4.tar.gz create mode 100644 tailscale-1.90.6.tar.gz create mode 100644 tailscale-1.90.8.tar.gz create mode 100644 tailscale-1.92.1.tar.gz create mode 100644 tailscale-1.92.2.tar.gz create mode 100644 tailscale-1.92.3.tar.gz create mode 100644 tailscale-1.92.5.tar.gz create mode 100644 tailscale.changes create mode 100644 tailscale.spec create mode 100644 
tailscaled.defaults create mode 100644 tailscaled.service create mode 100644 vendor.tar.gz
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/_service b/_service
new file mode 100644
index 0000000..ab8278f
--- /dev/null
+++ b/_service
@@ -0,0 +1,18 @@
+
+
+ https://github.com/tailscale/tailscale.git
+ git
+ yes
+ refs/tags/v1.92.5
+ @PARENT_TAG@
+ v(.*)
+ disable
+
+
+
+ *.tar
+ gz
+
+
+
+
diff --git a/_servicedata b/_servicedata
new file mode 100644
index 0000000..d4fed67
--- /dev/null
+++ b/_servicedata
@@ -0,0 +1,4 @@
+
+
+ https://github.com/tailscale/tailscale.git
+ aa448d5a9985378af04966c6d7aec8d9f4a166ca
\ No newline at end of file
diff --git a/build-verbose.patch b/build-verbose.patch
new file mode 100644
index 0000000..5da7533
--- /dev/null
+++ b/build-verbose.patch
@@ -0,0 +1,13 @@
+diff --git a/build_dist.sh b/build_dist.sh
+index 0c757c26..9639d596 100755
+--- a/build_dist.sh
++++ b/build_dist.sh
+@@ -9,7 +9,7 @@
+ # this script, or executing equivalent commands in your
+ # distro-specific build system.
+ 
+-set -eu
++set -eux
+ 
+ go="go"
+ if [ -n "${TS_USE_TOOLCHAIN:-}" ]; then
diff --git a/disable-auto-update.patch b/disable-auto-update.patch
new file mode 100644
index 0000000..c7d8a30
--- /dev/null
+++ b/disable-auto-update.patch
@@ -0,0 +1,25 @@
+diff -rub tailscale/clientupdate/clientupdate.go tailscale-patched/clientupdate/clientupdate.go
+--- tailscale/clientupdate/clientupdate.go 2024-06-16 15:26:31.323022871 +0200
++++ tailscale-patched/clientupdate/clientupdate.go 2024-06-16 15:57:08.732315446 +0200
+@@ -205,6 +205,8 @@
+ // The distro.Debian switch case above should catch most apt-based
+ // systems, but add this fallback just in case.
+ return up.updateDebLike, true
++ case haveExecutable("zypper"):
++ return up.updateSUSE, false
+ case haveExecutable("dnf"):
+ return up.updateFedoraLike("dnf"), true
+ case haveExecutable("yum"):
+@@ -526,6 +528,12 @@
+ you can use "pacman --sync --refresh --sysupgrade" or "pacman -Syu" to upgrade the system, including Tailscale.`)
+ }
+ 
++func (up *Updater) updateSUSE() error {
++ // SUSE-based distros should update manually.
++ // The package can come from official Tailscale repos or not and the system can be transactional or not.
++ return errors.New(`Use Zypper or transactional-update (on applicable systems) to update Tailscale on openSUSE or SUSE Linux Enterprise installations.`)
++}
++ 
+ func (up *Updater) updateNixos() error {
+ // NixOS package updates are managed on a system level and not individually.
+ // Direct users to update their nix channel or nixpkgs flake input to
diff --git a/fix-CVE-2025-58058.patch b/fix-CVE-2025-58058.patch
new file mode 100644
index 0000000..867ec16
--- /dev/null
+++ b/fix-CVE-2025-58058.patch
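Review bot: Switching `set -eu` to `set -eux` traces every expanded command into the build log, so any value that reaches a command line or the traced environment (for example whatever `TS_USE_TOOLCHAIN` or other build variables hold) is written to a log that OBS typically publishes; that is fine for a throwaway build patch but the intent should be recorded so the patch is not carried into a setting where the log is sensitive. A one-line comment above the changed line, `# OBS-only: trace commands so the go flags appear in the build log`, would make the purpose explicit in the patch itself rather than only in the changelog. build_dist.sh continues outside this hunk.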
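Review bot: The added `case haveExecutable("zypper")` arm returns `false` as its second value while the neighbouring arms return `true`, and the meaning of that bool is not visible in the hunk, so a short comment on the case line would record why this arm is different, e.g. `// zypper-managed hosts are never auto-updated; updateSUSE only explains how to update by hand`. Matching on the presence of the `zypper` binary rather than on the detected distribution means any host that merely has zypper installed gets the SUSE message; if the `distro` package referenced by the comment above (`distro.Debian`) exposes a SUSE identifier, matching on it would be more precise, though that cannot be confirmed from this hunk. The enclosing switch and its function start outside the hunk.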
@@ -0,0 +1,28 @@
+diff --git a/go.mod b/go.mod
+index 3d7514158..837fc8c44 100644
+--- a/go.mod
++++ b/go.mod
+@@ -382,7 +382,7 @@ require (
+ github.com/tomarrell/wrapcheck/v2 v2.8.3 // indirect
+ github.com/tommy-muehle/go-mnd/v2 v2.5.1 // indirect
+ github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 // indirect
+- github.com/ulikunitz/xz v0.5.11 // indirect
++ github.com/ulikunitz/xz v0.5.15 // indirect
+ github.com/ultraware/funlen v0.1.0 // indirect
+ github.com/ultraware/whitespace v0.1.0 // indirect
+ github.com/uudashr/gocognit v1.1.2 // indirect
+diff --git a/go.sum b/go.sum
+index 995b93010..715cd6dea 100644
+--- a/go.sum
++++ b/go.sum
+@@ -1010,8 +1010,8 @@ github.com/u-root/u-root v0.14.0 h1:Ka4T10EEML7dQ5XDvO9c3MBN8z4nuSnGjcd1jmU2ivg=
+ github.com/u-root/u-root v0.14.0/go.mod h1:hAyZorapJe4qzbLWlAkmSVCJGbfoU9Pu4jpJ1WMluqE=
+ github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 h1:pyC9PaHYZFgEKFdlp3G8RaCKgVpHZnecvArXvPXcFkM=
+ github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701/go.mod h1:P3a5rG4X7tI17Nn3aOIAYr5HbIMukwXG0urG0WuL8OA=
+-github.com/ulikunitz/xz v0.5.11 h1:kpFauv27b6ynzBNT/Xy+1k+fK4WswhN/6PN5WhFAGw8=
+-github.com/ulikunitz/xz v0.5.11/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
++github.com/ulikunitz/xz v0.5.15 h1:9DNdB5s+SgV3bQ2ApL10xRc35ck0DuIX/isZvIk+ubY=
++github.com/ulikunitz/xz v0.5.15/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
+ github.com/ultraware/funlen v0.1.0 h1:BuqclbkY6pO+cvxoq7OsktIXZpgBSkYTQtmwhAK81vI=
+ github.com/ultraware/funlen v0.1.0/go.mod h1:XJqmOQja6DpxarLj6Jj1U7JuoS8PvL4nEqDaQhy22p4=
+ github.com/ultraware/whitespace v0.1.0 h1:O1HKYoh0kIeqE8sFqZf1o0qbORXUCOQFrlaQyZsczZw=
diff --git a/tailscale-1.86.5.tar.gz b/tailscale-1.86.5.tar.gz
new file mode 100644
index 0000000..c896ccb
--- /dev/null
+++ b/tailscale-1.86.5.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:41d7a8318ae624bd7f8315d4f4d929025f403837b97d505e142064273dde7b6d
+size 73557568
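Review bot: `fix-CVE-2025-58058.patch` is still added to the tree in this commit even though the 1.88.1 entry in the same commit's tailscale.changes reads `remove fix-CVE-2025-58058.patch, fixed upstream`; either the file is dead and should be dropped, or the spec still applies it and the changelog is wrong, and the two should agree so the package's CVE status is unambiguous. The patch only bumps `github.com/ulikunitz/xz` in go.mod and go.sum; with a `vendor.tar.gz` shipped alongside, the vendored module copy would need the same bump for the fix to be compiled in, unless the build resolves modules itself — the spec is outside this chunk, so that cannot be confirmed here. The unchanged `/go.mod h1:` sum between v0.5.11 and v0.5.15 is expected when the module's go.mod did not change and is not itself a problem.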
diff --git a/tailscale-1.88.1.tar.gz b/tailscale-1.88.1.tar.gz
new file mode 100644
index 0000000..ca210fd
--- /dev/null
+++ b/tailscale-1.88.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8bf6ec31b921f822867977bee5a57bcd79e1ac721fc1498dc99f8b4e028942c4
+size 74267799
diff --git a/tailscale-1.88.3.tar.gz b/tailscale-1.88.3.tar.gz
new file mode 100644
index 0000000..26c7e7d
--- /dev/null
+++ b/tailscale-1.88.3.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cf8b2625ffe57b92ad34af619e0e78202fd9c3d219295c18781d3682411efce1
+size 75520912
diff --git a/tailscale-1.90.2.tar.gz b/tailscale-1.90.2.tar.gz
new file mode 100644
index 0000000..553ddcf
--- /dev/null
+++ b/tailscale-1.90.2.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:eb89e930b62365aeda0fd8fd1af5ab640fd47340c60286ee4102bf2738c26267
+size 75912665
diff --git a/tailscale-1.90.3.tar.gz b/tailscale-1.90.3.tar.gz
new file mode 100644
index 0000000..d5bfa94
--- /dev/null
+++ b/tailscale-1.90.3.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:94e98597379c95acc11ec3adee926f868baf0a32986ceea91e7ad90817863a00
+size 75995057
diff --git a/tailscale-1.90.4.tar.gz b/tailscale-1.90.4.tar.gz
new file mode 100644
index 0000000..aa03a50
--- /dev/null
+++ b/tailscale-1.90.4.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:540310a3c9f29866e13356b4d04d8553a582a99a3032f342ff51deed29998a97
+size 76927017
diff --git a/tailscale-1.90.6.tar.gz b/tailscale-1.90.6.tar.gz
new file mode 100644
index 0000000..33e1a1e
--- /dev/null
+++ b/tailscale-1.90.6.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cb862094a7709cfe8e21b006fdd6fb20c14fbd8a840a6d1fe8eabfdaa2f5b063
+size 77877013
diff --git a/tailscale-1.90.8.tar.gz b/tailscale-1.90.8.tar.gz
new file mode 100644
index 0000000..56e8d0f
--- /dev/null
+++ b/tailscale-1.90.8.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c163ace41d1c35beb7a9d87da20a102a108ca9c4d128a29ff9764344e5c5406d
+size 78844949
diff --git a/tailscale-1.92.1.tar.gz b/tailscale-1.92.1.tar.gz
new file mode 100644
index 0000000..607d760
--- /dev/null
+++ b/tailscale-1.92.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0738a6bf43776830a72c870c3ad476882c36ed803d024a1331e0cb82850668d3
+size 79379813
diff --git a/tailscale-1.92.2.tar.gz b/tailscale-1.92.2.tar.gz
new file mode 100644
index 0000000..b0a40fe
--- /dev/null
+++ b/tailscale-1.92.2.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d38ed5236e97266c2dbab26d96981ab99fca2d14ffcb1fc9a62919a81713f082
+size 79762585
diff --git a/tailscale-1.92.3.tar.gz b/tailscale-1.92.3.tar.gz
new file mode 100644
index 0000000..8e64e22
--- /dev/null
+++ b/tailscale-1.92.3.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b5669b0365fc27d42338a3af65ff84ddcc4f131af6252ad7fa297371fd4d3d09
+size 16444103
diff --git a/tailscale-1.92.5.tar.gz b/tailscale-1.92.5.tar.gz
new file mode 100644
index 0000000..c99decb
--- /dev/null
+++ b/tailscale-1.92.5.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0352f78e7a5b7d80ba0ebda7fb5aa3c3deda001259b96518b30a1d4bfbfd7ee0
+size 79610116
diff --git a/tailscale.changes b/tailscale.changes
new file mode 100644
index 0000000..119159a
--- /dev/null
+++ b/tailscale.changes
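Review bot: The LFS pointer for `tailscale-1.92.3.tar.gz` records `size 16444103`, roughly a fifth of every neighbouring release tarball in this commit (73–80 MB), which points to a truncated or differently produced archive having been committed for that revision; the object behind that oid should be re-exported with the service and compared before anything is built from or bisected against 1.92.3. The remaining pointers in this range are mutually consistent in size, so the anomaly is isolated to that one file. Keeping thirteen superseded tarballs in the tree also means each old hash stays buildable; that is a repository-hygiene point rather than a defect.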
@@ -0,0 +1,687 @@ +------------------------------------------------------------------- +Fri Jan 9 00:06:05 UTC 2026 - Richard Rahl + +- Update to version 1.92.5: + * types/persist: omit Persist.AttestationKey based on IsZero + * disable hardware attestation for kubernetes + * allow opting out of ACME order replace extension +- Update to version 1.92.4: + * nothing of importance + +------------------------------------------------------------------- +Wed Dec 17 13:24:06 UTC 2025 - Richard Rahl + +- Update to version 1.92.3: + * WireGuard configuration that occurs automatically in the client, no longer + results in a panic + +------------------------------------------------------------------- +Fri Dec 12 14:21:14 UTC 2025 - Richard Rahl + +- Update to version 1.92.2: + * cmd/derper: add GCP Certificate Manager support + +------------------------------------------------------------------- +Sat Dec 6 11:39:58 UTC 2025 - Richard Rahl + +- Update to version 1.92.1: + * fix LocalBackend deadlock when packet arrives during profile switch + * wgengine: fix TSMP/ICMP callback leak +- Update to version 1.92.0: + * no changelog provided +- Update to version 1.90.9: + * tailscaled no longer deadlocks during event bursts + * The client no longer hangs after wake up + +------------------------------------------------------------------- +Wed Nov 19 16:23:06 UTC 2025 - Richard Rahl + +- Update to version 1.90.8: + * tka: move RemoveAll() to CompactableChonk +- Update to version 1.90.7: + * wgengine/magicsock: validate endpoint.derpAddr + * wgengine/magicsock: fix UDPRelayAllocReq/Resp deadlock + * net/udprelay: replace VNI pool with selection algorithm + * feature/relayserver,ipn/ipnlocal,net/udprelay: plumb DERPMap + * feature/relayserver: fix Shutdown() deadlock + * net/netmon: do not abandon a subscriber when exiting early + * tka: don't try to read AUMs which are partway through being written + * tka: rename a mutex to mu instead of single-letter l + * ipn/ipnlocal: use an 
in-memory TKA store if FS is unavailable + +------------------------------------------------------------------- +Sun Nov 2 11:43:31 UTC 2025 - Richard Rahl + +- Update to version 1.90.6: + * Routes no longer stall and fail to apply when updated repeatedly in a short + period of time + * Tailscale SSH no longer hangs for 10s when connecting to tsrecorder. This + affected tailnets that use Tailscale SSH recording + +------------------------------------------------------------------- +Wed Oct 29 09:50:22 UTC 2025 - Richard Rahl + +- Update to version 1.90.4: + * deadlock issue no longer occurs in the client when checking + for the network to be available + * tailscaled no longer sporadically panics when a + Trusted Platform Module (TPM) device is present + +------------------------------------------------------------------- +Tue Oct 28 11:12:50 UTC 2025 - Richard Rahl + +- Update to version 1.90.3: + * tailscaled shuts down as expected and without panic + * tailscaled starts up as expected in a no router configuration environment + +------------------------------------------------------------------- +Fri Oct 24 18:11:11 UTC 2025 - Richard Rahl + +- Update to version 1.90.2: + * util/linuxfw: fix 32-bit arm regression with iptables + * health: compare warnable codes to avoid errors on release branch + * feature/tpm: check TPM family data for compatibility + +------------------------------------------------------------------- +Fri Oct 24 10:08:31 UTC 2025 - Richard Rahl + +- Upate to version 1.90.1: + * Clients can use configured DNS resolvers for all domains + * Node keys will be renewed seamlessly + * Unnecessary path discovery packets over DERP servers are suppressed + * Node key sealing is GA (generally available) and enabled by default + +------------------------------------------------------------------- +Wed Oct 1 11:55:52 UTC 2025 - Richard Rahl + +- update to version 1.88.3: + * cmd/tailscale/cli: add ts2021 debug flag to set a dial plan + * 
control/controlhttp: simplify, fix race dialing, remove priority concept +- update to version 1.88.2: + * k8s-operator: reset service status before append +- require the minimum go version directly, in comparison to using the golang(API) + symbol + +------------------------------------------------------------------- +Fri Sep 12 11:11:48 UTC 2025 - Richard Rahl + +- update to version 1.88.1: + * Tailscale CLI prompts users to confirm impactful actions + * Tailscale SSH works as expected when using an IP address instead of a + hostname and MagicDNS is disabled + * fixed: Taildrive sharing when su not present + * Taildrive files remain consistently accessible + * new: Tailscale tray GUI + * DERP IPs changed for Singapore and Tokyo +- remove fix-CVE-2025-58058.patch, fixed upstream + +------------------------------------------------------------------- +Fri Aug 29 12:57:59 UTC 2025 - Richard Rahl + +- add patch fix-CVE-2025-58058.patch, fixing bsc#1248920 + +------------------------------------------------------------------- +Fri Aug 29 11:10:29 UTC 2025 - Richard Rahl + +- update to version 1.86.5: + * cmd/k8s-proxy,k8s-operator: fix serve config for userspace mode +- update to version 1.86.4: + * nothing of relevance +- update to version 1.86.3: + * nothing of relevance + +------------------------------------------------------------------- +Tue Jul 29 21:20:47 UTC 2025 - Richard Rahl + +- update to version 1.86.2: + * A deadlock issue that may have occurred in the client + * An occasional crash when establishing a new port mapping with a gateway or + firewall + +------------------------------------------------------------------- +Sat Jul 26 16:23:38 UTC 2025 - Richard Rahl + +- update to version 1.86.0: + * tsStateEncrypted device posture attribute for checking whether the + Tailscale client state is encrypted at rest + * Cross-site request forgery (CSRF) issue that may have resulted in a log in + error when accessing the web interface + * Recommended exit node when 
the previously recommended exit node is offline + * tailscale up --exit-node=auto:any and tailscale set --exit-node=auto:any + CLI commands track the recommended exit node and automatically switches to + it when available exit nodes or network conditions change + * tailscaled CLI command flag --encrypt-state encrypts the node state file on + the disk using trusted platform module (TPM) + +------------------------------------------------------------------- +Thu Jun 26 17:29:44 UTC 2025 - Richard Rahl + +- update to 1.84.3: + * ipn/ipnlocal: Update hostinfo to control on service config change + +------------------------------------------------------------------- +Tue Jun 10 15:36:55 UTC 2025 - Richard Rahl + +- update to 1.84.2: + * Re-enable setting —accept-dns by using TS_EXTRA_ARGS. This issue resulted + from stricter CLI arguments parsing introduced in Tailscale v1.84.0 + +------------------------------------------------------------------- +Fri May 30 06:23:15 UTC 2025 - Richard Rahl + +- update to 1.84.1: + * net/dns: cache dns.Config for reuse when compileConfig fails + +------------------------------------------------------------------- +Thu May 22 08:27:09 UTC 2025 - Richard Rahl + +- update to 1.84.0: + * The --reason flag is added to the tailscale down command + * ReconnectAfter policy setting, which configures the maximum period of time + between a user disconnecting Tailscale and the client automatically + reconnecting + * Tailscale CLI commands throw an error if multiple of the same flag are detected + * Network connectivity issues when creating a new profile or switching + profiles while using an exit node + * DNS-over-TCP fallback works correctly with upstream servers reachable only + via the tailnet +- remove fix-CVE-2025-22869.patch, as upstream updated their dependencies + +------------------------------------------------------------------- +Fri Apr 18 07:37:15 UTC 2025 - Richard Rahl + +- update to 1.82.5: + * A panic issue related to CUBIC 
congestion control in userspace mode is resolved. + +------------------------------------------------------------------- +Thu Mar 27 19:50:58 UTC 2025 - Richard Rahl + +- update to 1.82.0: + * DERP functionality within the client supports certificate pinning for + self-signed IP address certificates for those unable to use Let's Encrypt + or WebPKI certificates. + * Go is updated to version 1.24.1 + * NAT traversal code uses the DERP connection that a packet arrived on as an + ultimate fallback route if no other information is available + * Captive portal detection reliability is improved on some in-flight Wi-Fi networks + * Port mapping success rate is improved + * Helsinki is added as a DERP region. + +------------------------------------------------------------------- +Wed Mar 12 09:07:49 UTC 2025 - Richard Rahl + +- add patch fix-CVE-2025-22869.patch, fixes bsc#1239353 + +------------------------------------------------------------------- +Tue Mar 4 13:42:34 UTC 2025 - Richard Rahl + +- update to 1.80.3: + * appc: fix a deadlock in route advertisements + * client/web: fix CSRF handler order in web UI + +------------------------------------------------------------------- +Thu Feb 13 14:30:28 UTC 2025 - Richard Rahl + +- update to 1.80.2: + * Use ip:country as a geolocation device posture attribute (generally available). + +------------------------------------------------------------------- +Thu Feb 6 19:52:22 UTC 2025 - Richard Rahl + +- update to 1.80.1: + * net/netmon: add extra panic guard around ParseRIB + +------------------------------------------------------------------- +Fri Jan 31 17:20:29 UTC 2025 - Richard Rahl + +- update to 1.80.0: + * Hostname system policy is added for overriding the device hostname + configured by the operating system, using an MDM solution. + * Web interface displays a Login button instead of the Reauthenticate button + when adding a new device to your tailnet. 
+ * Tailscale Funnel configuration on devices displays errors when incoming + connections are not permitted and connections are disallowed. + * Connections to a custom coordination server that does not support HTTPS + will no longer fail when a custom port number is specified. + * TLS certificate requests from Let’s Encrypt include the device's DNS name + in the CSR’s SAN extension and set the Common Name field. + * Tailscale Funnel disabled on a device no longer displays enabled in the + admin console. + * GitHub username change automatically updates tailnet name + * 4via6 subnet routers GA + * Auto approvers GA + * Node attributes GA + * Download invoices GA + * Fast user switching GA + * Configuration log streaming integration with S3 buckets GA + * Network flow log streaming integration with S3 buckets GA + * NextDNS profiles per device GA + * GitHub secret scanning +- remove fix-CVE-2024-45337.patch, as it's now included + +------------------------------------------------------------------- +Wed Dec 18 17:33:23 UTC 2024 - Richard Rahl + +- add patch fix-CVE-2024-45337.patch, to circumevent a possibility + of exploiting the golang-x-crypto security hole. (fix #1234506) + +------------------------------------------------------------------- +Fri Dec 13 05:06:26 UTC 2024 - Richard Rahl + +- update to 1.78.3: + * cmd/containerboot: fix nil pointer exception + * hostinfo: fix testing in container + +------------------------------------------------------------------- +Fri Dec 6 01:22:05 UTC 2024 - Richard Rahl + +- update to 1.78.1: + * health: fix TestHealthMetric + +------------------------------------------------------------------- +Thu Dec 5 22:10:32 UTC 2024 - Richard Rahl + +- update to 1.78.0: + * Client metrics have been added, to provide insights into Tailscale client + behavior, health, and performance. + * tailscale metrics command has been added, to expose and collect client + metrics for use with third-party monitoring systems. 
+ * tailscale syspolicy command has been added, to list system policies, reload + system policies, or view errors related to the system policies configured + on the device. + * Tailscale system policies are applied immediately when pushed via mobile + device management (MDM) or Group Policy, without requiring a client restart. + * Tailscale SSH session recording detects the disappearance of the recorder + node sooner. This fix addresses a security vulnerability described + in TS-2024-013. + * New scopes for OAuth clients have been added with more granular permissions. + Existing OAuth clients using the previous set of scopes, and keys generated + using these clients, are still valid. + +------------------------------------------------------------------- +Fri Nov 8 03:46:50 UTC 2024 - Richard Rahl + +- update to 1.76.6: + * Logging for when clients move home DERP regions is improved. + * Tailscale clients no longer move their home DERP server prematurely in + response to unusual latency at very specific times. + +------------------------------------------------------------------- +Tue Oct 22 18:34:42 UTC 2024 - Richard Rahl + +- update to 1.76.3: + * no relevant changelog +- update to 1.76.2: + * no relevant changelog +- switch over to the new %{default_fw_backend} macro +- create old init file only for < leap 16 + +------------------------------------------------------------------- +Wed Oct 16 20:40:31 UTC 2024 - Richard Rahl + +- update to 1.76.1: + * tailscale netcheck CLI command no longer crashes when performing diagnostics + on networks lacking UDP connectivity. + * Improperly formatted SERVFAIL responses no longer cause DNS timeouts when using an exit node. + * dbus login sessions no longer fail on systems where /bin/login is missing. 
+ +------------------------------------------------------------------- +Mon Oct 14 13:06:13 UTC 2024 - Alexandre Vicenzi + +- Require a firewall backend (boo#1228829) +- Add simple test check to ensure binaries are working + +------------------------------------------------------------------- +Fri Oct 11 06:07:28 UTC 2024 - Richard Rahl + +- update to 1.76.0: + * Clients lacking UDP connectivity no longer skip performing fallback latency + measurements with DERP servers. + * Warnings no longer display unnecessarily. + * Tailscale connectivity on in-flight internet on airplanes (such as Alaska Airlines) no longer fails. + * Service-related processes no longer run unnecessarily when services are disabled on the tailnet. + * Error messages include explanations in addition to the HTTP status code. + * Tailscale SSH supports sending environment variables to hosts. It's also possible to specify + permitted environment variables using the acceptEnv field. + * Tailscale SSH no longer breaks some terminal applications by omitting pixel width and height when + resizing the application window. + +------------------------------------------------------------------- +Sat Sep 21 05:28:42 UTC 2024 - Eric Torres + +- Change path of zsh completion file to make zsh properly recognize completions + * /usr/share/zsh/site-functions/tailscale moved to /usr/share/zsh/site-functions/_tailscale + +------------------------------------------------------------------- +Wed Sep 18 19:10:19 UTC 2024 - Richard Rahl + +- update to 1.74.1: + * wgengine/magicsock: disable raw disco by default; add envknob to enable + +------------------------------------------------------------------- +Fri Sep 13 10:48:17 UTC 2024 - Richard Rahl + +- update to 1.74.0 + * AuthKey system policy can be used to authenticate a device with Tailscale using an MDM solution. + * tailscale dns CLI command is added for accessing Tailscale DNS settings and status. 
+ * Tailnet Lock long rotation signatures are truncated automatically to avoid excessive growth. + * Log In option in the client works as expected. + * TCP generic receive offload (GRO) support is added for improved userspace mode throughput. + * TCP generic segmentation offload (GSO) is re-introduced for supporting improved userspace mode throughput. + This was initially introduced in Tailscale v1.72.0 and then rolled back in v1.72.1. + * Device posture integration with CrowdStrike Falcon can now use MAC addresses to match devices that lack serial numbers. + When Falcon integration is configured, Device Identity Collection will automatically collect MAC addresses. + +------------------------------------------------------------------- +Thu Aug 22 22:08:51 UTC 2024 - Richard Rahl + +- update to 1.72.1: + * DNS over TCP failures when querying the Tailscale-internal resolver are fixed. + +------------------------------------------------------------------- +Wed Aug 21 16:05:02 UTC 2024 - rrahl0@opensuse.org + +- Update to version 1.72.0: + * posture: deduplicate MAC addresses before returning them + * health/dns: reduce severity of DNS unavailable warning + * safeweb: add Server.Close method + * go.mod.sri: update SRI hash for go.mod changes + * go.{mod,sum}: migrate from nhooyr.io/websocket to github.com/coder/websocket + * cmd/viewer: add support for map-like container types +- update golang(API) to 1.23 +- export version variables, to circumvent a bug + +------------------------------------------------------------------- +Thu Jul 18 06:31:58 UTC 2024 - Richard Rahl + +- update to 1.70.0: + * New: Restrict recommended and automatically selected exit nodes using the + new AllowedSuggestedExitNodes system policy. Applies only to platforms that + support system policies. + * Changed: Improved NAT traversal for some uncommon scenarios. + * Changed: Optimized sending firewall rules to clients more efficiently. 
+ * Fixed: Exit node suggestion CLI command now prints the hostname. + * Fixed: Taildrive share paths configured through the CLI resolve relative + to where you run the tailscale command. + +------------------------------------------------------------------- +Tue Jul 2 20:35:35 UTC 2024 - Richard Rahl + +- update to 1.68.2: + * Fixed: Tailnet lock validation of rotation signatures now permits multiple nodes + signed by the same pre-signed reusable auth key. + +------------------------------------------------------------------- +Sun Jun 16 13:30:20 UTC 2024 - Richard Rahl + +- update to 1.68.1: + * Fixed: 4via6 subnet router advertisement works as expected. + * Fixed: Tailscale SSH access to Security-Enhanced Linux (SELinux) machines works as expected. +- update to 1.68.0: + * New: Auto-updates are allowed in containers, but ignore the tailnet-wide default + * New: Apply auto-updates even if the node is down or disconnected from the coordination server. + * New: tailscale lock status now prints the node's signature. + +------------------------------------------------------------------- +Wed May 22 08:36:37 UTC 2024 - Richard Rahl + +- update to 1.66.4: + * Fixed: Restored UDP connectivity through Mullvad exit nodes + * Stateful filtering is now off by default + +- update to 1.66.3: + * Login URLs did not always appear in the console when running tailscale up + * Starting with v1.66, the Kubernetes operator must always run the same or later version + as the proxies it manages. 
+ * Expose cloud services on cluster network to the tailnet, using Kubernetes ExternalName Services + * Expose tailnet services that use Tailscale HTTPS to cluster workloads + * Cluster workloads can now refer to Tailscale Ingress resources by their MagicDNS names + * Configure environment variables for Tailscale Kubernetes operator proxies using ProxyClass CRD + * Expose tailscaled metrics endpoint for Tailscale Kubernetes operator proxies through ProxyClass CRD + * Configure labels for the Kubernetes operator Pods with Helm chart values + * Configure affinity rules for Kubernetes operator proxy Pods with ProxyClass + * Kubernetes operator proxy init container no longer attempts to enable IPv6 forwarding on systems + that don't have IPv6 module loaded + * Tailscale containers running on Kubernetes no longer error if an empty Kubernetes Secret is + pre-created for the tailscaled state + * Improved the ambiguous error messages when Tailscale running on Kubernetes does not have the right + permissions to perform actions against the tailscaled state Secret + +------------------------------------------------------------------- +Fri May 10 15:16:33 UTC 2024 - Richard Rahl + +- update to 1.66.1: + * Resolved issues with nftables rules for stateful filtering, + introduced in v1.66.0. + * tailscale set command flags --netfilter-mode, --snat-subnet-routes, + and --stateful-filtering are added. + +- update to 1.66.0: + * Implemented client-side quarantining for shared-in exit nodes, + as a mitigation for a security vulnerability described in TS-2024-005. + * Use the --stateful-filtering flag for the tailscale up to enable stateful filtering for + subnet routers and exit nodes, as a mitigation for a security vulnerability described + in TS-2024-005. + * Added tab completions + * Use the tailscale exit-node suggest command to automatically pick an available exit node + that is likely to perform best. 
+ * Site-to-site networking now also requires --stateful-filtering=false in addition to + --snat-subnet-routes=false on new subnet routers. Existing subnet routers with --snat-subnet-routes=false + will default to --stateful-filtering=false. + +- update to 1.64.2: + * nothing relevant for linux + +- update to 1.64.1: + * nothing relevant for linux + +- update to 1.64.0: + * New: tailscale configure kubeconfig now respects KUBECONFIG environment variable. + * Fixed: tailscale configure kubeconfig now works with partially empty kubeconfig. + * Fixed: MSS clamping for Kubernetes operator proxies using nftables. + * Fixed: Containers on hosts with partial support for ip6tables no longer crash. + +- turn of changelog generation +- add completions for bash + +------------------------------------------------------------------- +Sat Mar 30 08:28:56 UTC 2024 - Richard Rahl + +- update to 1.62.1: + * Send load balancing hint HTTP request header + * Fixed: Kubernetes operator proxies should not accept subnet routes + +------------------------------------------------------------------- +Thu Mar 14 03:13:54 UTC 2024 - rrahl0@proton.me + +- update to 1.62.0: + * IPv6 support detection in a container environment is improved + * New: Web interface now uses ACL grants to manage access on tagged devices + * Tailscale SSH connections now disable unnecessary hostname canonicalization + * tailscale bugreport command for generating diagnostic logs now contain ethtool information + * Mullvad's family-friendly server is added to the list of well known DNS over HTTPS (DoH) servers + * DNS over HTTP requests now contain a timeout + * TCP forwarding attempts in userspace mode now have a per-client limit + * Endpoints with link-local IPv6 addresses is preferred over private addresses + * WireGuard logs are less verbose + * Go min. 
version 1.22.1 + * DERP server region no longer changes if connectivity to the new DERP region is degraded + +- update to 1.60.1: + * Exposing port 8080 to other devices on your tailnet works as expected + +------------------------------------------------------------------- +Tue Feb 20 22:10:41 UTC 2024 - Alexandre Vicenzi + +- Add disable-auto-update.patch to prevent auto updates and instead + ask users to use Zypper to update manually + +------------------------------------------------------------------- +Tue Feb 20 14:52:46 UTC 2024 - Richard Rahl + +- change to the non deprecated manualrun + +------------------------------------------------------------------- +Fri Feb 16 14:38:14 UTC 2024 - alexandre.vicenzi@suse.com + +- Spec cleanup + * Use tar_scm to avoid commit hashes in the spec + * Use tailscale build scripts + * Drop ProtectClock fix for Leap, DeviceAllow fixes it +- Add build-verbose.patch to get go flags into build log +- Enable PrivateDevices but allow access to /dev/net/tun in tailscaled.service + +------------------------------------------------------------------- +Fri Feb 16 00:50:26 UTC 2024 - Richard Rahl + +- update to 1.60.0: + * minimum go version 1.22 + * authentication: present users with a valid login page when + attempting to login even after leaving device unattended for several days + * networking: mute noisy peer mtu discovery errors + * networking: expose gVisor metrics in debug mode + * port mapper: support legacy "urn:dslforum-org" port mapping services + * port mapper: fix crash when no support mapping services found + * ssh: log warning when unable to find SSH host keys + * serve: improve error message when running as non-root + * Detect when Tailscale is running on Digital Ocean and automatically + use Digital Ocean's DNS resolvers + * enable app connectors to install routes for domains that resolve to CNAME + records + * support pre-configured routes from control server + * add new read-only mode + * tailscale status command: 
fix output formatting Tailnet + includes location-based exit nodes + * a new ProxyClass custom resource that allows to provide custom + configuration for cluster resources that the operator creates + * ACL tags for the operator can now be configured via Helm chart values + * routing to Ingress backends that require an exact path without a slash + +------------------------------------------------------------------- +Wed Feb 7 14:52:53 UTC 2024 - Richard Rahl + +- make rpm not overwrite /etc/default/taiscaled +- defattr everything to root + +------------------------------------------------------------------- +Sat Feb 3 11:18:05 UTC 2024 - Richard Rahl + +- no stripping of binaries +- add commitID to binaries for upstream +- add directory for saved configs + +------------------------------------------------------------------- +Tue Jan 23 23:54:36 UTC 2024 - Richard Rahl + +- switch services to manual +- update to version 1.58.2: + * Fixed: [App connectors][app-connectors] have improved scheduling + and merging of route changes under some conditions + * Fixed: Crash when performing UPnP portmapping on older routers + with no supported portmapping services + +------------------------------------------------------------------- +Fri Jan 19 08:06:27 UTC 2024 - Richard Rahl + +- update to version 1.58.0: + * portmap: check the epoch from NAT-PMP & PCP, establish new portmapping if it changes + * portmap: better handle multiple interfaces + * portmap: handle multiple UPnP discovery responses + * increase the number of 4via6 site IDs from 256 to 65,536 + * taildrop: allow category Z unicode characters + * increased binary size with 1.56 is resolved in 1.58 + * Reduce home DERP flapping when there's still an active connection + * device web ui: fixed issue when accessing shared devices + * device web ui: fixed login issue when accessed over https + +------------------------------------------------------------------- +Wed Jan 10 02:17:57 UTC 2024 - Richard Rahl + +- fix an 
issue with Leap, where ProtectClock prevents to connect to + /dev/net/tun + +------------------------------------------------------------------- +Fri Dec 15 21:22:39 UTC 2023 - Richard Rahl + +- update to version 1.56.1: + * Fixed: Web interface redirects to the correct self IP known by source peer + * Fixed: Usage of slices.Compact from app connector domains list + +------------------------------------------------------------------- +Fri Dec 15 13:48:28 UTC 2023 - Richard Rahl + +- fix version output to what upstream expects + +------------------------------------------------------------------- +Wed Dec 13 22:08:30 UTC 2023 - rrahl0@proton.me + +- Update to version 1.56.0: + * improve responsiveness under load, especially with bidirectional traffic + * improve UPnP portmapping + * add tailscale whois subcommand to observe metadata associated with a Tailscale IP + * include tailnet name and profile ID in tailscale switch --list to disambiguate + profiles with common login names + * improve tailscale web interface for configuring some device settings such as exit nodes, + subnet routers, and Tailscale SSH + * improve containerboot to symlink its socket file if possible, + making the tailscale CLI work without --socket=/tmp/tailscale.sock + * add support in Kubernetes operator cluster egress for referring to a tailnet service + by its MagicDNS name + + +- Update to version 1.54.1: + * no relevant updates to the linux version + +------------------------------------------------------------------- +Fri Nov 24 21:59:11 UTC 2023 - Richard Rahl + +- tailscale couldn't connect to /dev/net/tun + +------------------------------------------------------------------- +Thu Nov 23 06:51:24 UTC 2023 - rrahl0@proton.me + +- Update to version 1.54.0: + * improve throughput substantially for UDP packets over TUN device with recent Linux kernels + + +- Update to version 1.52.1: + * no linux improvements + +- Update to version 1.52.0: + * tailscale set command flag --auto-update is 
added to opt in to automatic client updates + * tailscale serve and tailscale funnel commands are updated for improved usability + * tailscale update command for manual updates is now in beta + * Taildrop file transfer displays a progress meter + * nftables auto-detection is improved when TS_DEBUG_FIREWALL_MODE=auto is used + * DNS detection of NetworkManager with configured but absent systemd-resolved + * Taildrop now resumes file transfers after partial transfers are interrupted + * tailscale up command displays a message about client updates when newer versions are available + * tailscale status command displays a message about client updates when newer versions are available + * tailscale cert command renews in the background. The current certificate only displays if it has expired. + +------------------------------------------------------------------- +Mon Oct 02 23:51:03 UTC 2023 - rrahl0@proton.me + +- Update to version 1.50.1: + * fix bug where serve config could get wiped + * Funnel support for tsnet apps + * fix potential crash with UPnP + +------------------------------------------------------------------- +Sat Sep 30 19:38:50 UTC 2023 - rrahl0@proton.me + +- Update to version 1.50.0: + * Update tailscale{,d} licenses + * Update Quad9 addresses and references + * Adds support for Wikimedia DNS using DNS-over-HTTPS + +- Update to version 1.48.1: + * no relevant updates + +- Update to version 1.48.2: + * Improvements to Mullvad exit nodes + +------------------------------------------------------------------- +Fri Aug 18 15:56:24 UTC 2023 - Richard Rahl + +- Initial revision diff --git a/tailscale.spec b/tailscale.spec new file mode 100644 index 0000000..79728e5 --- /dev/null +++ b/tailscale.spec 
@@ -0,0 +1,143 @@
+#
+# spec file for package tailscale
+#
+# Copyright (c) 2026 SUSE LLC and contributors
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name: tailscale
+Version: 1.92.5
+Release: 0
+Summary: The easiest, most secure way to use WireGuard and 2FA
+License: BSD-3-Clause
+URL: https://github.com/tailscale/tailscale
+Source: %{name}-%{version}.tar.gz
+Source1: vendor.tar.gz
+Source2: %{name}d.service
+Source3: %{name}d.defaults
+Patch0: build-verbose.patch
+Patch1: disable-auto-update.patch
+BuildRequires: bash-completion
+BuildRequires: fish
+BuildRequires: git-core
+BuildRequires: go1.25 >= 1.25.5
+BuildRequires: golang-packaging
+BuildRequires: zsh
+Requires: %{default_firewall_backend}
+ExcludeArch: %{ix86}
+%{?systemd_requires}
+
+%description
+Tailscale is a modern VPN built on top of Wireguard. It works like an overlay
+network between the computers of your networks using NAT traversal.
+
+%package bash-completion
+Summary: Tailscale bash completion
+Supplements: (%{name} and bash-completion)
+BuildArch: noarch
+
+%description bash-completion
+bash completions for %{name}
+
+%package zsh-completion
+Summary: Tailsacle zsh completion
+Supplements: (%{name} and zsh)
+BuildArch: noarch
+
+%description zsh-completion
+zsh completion for %{name}
+
+%package fish-completion
+Summary: Tailscale fish completion
+Supplements: (%{name} and fish)
+BuildArch: noarch
+
+%description fish-completion
+fish completion for %{name}
+
+%prep
+%autosetup -a1 -p1
+
+%build
+%ifnarch ppc64
+export GOFLAGS="-buildmode=pie"
+%endif
+export VERSION_SHORT=%{version}
+export VERSION_LONG=%{version}
+export VERSION_GIT_HASH='$(git rev-parse v%{version})'
+./build_dist.sh ./cmd/%{name}
+./build_dist.sh ./cmd/%{name}d
+
+#generate completions
+./%{name} completion bash > ./%{name}.bash
+./%{name} completion zsh > ./%{name}.zsh
+./%{name} completion fish > ./%{name}.fish
+
+%check
+./%{name} version
+./%{name}d -version
+
+%install
+mkdir -p %{buildroot}%{_sharedstatedir}/%{name}
+
+install -D -p -m 0755 %{name} %{buildroot}%{_bindir}/%{name}
+install -D -p -m 0755 %{name}d %{buildroot}%{_sbindir}/%{name}d
+
+# service
+install -D -p -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/%{name}d.service
+%if 0%{?suse_version} < 1600
+ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}d
+%endif
+
+# defaults
+install -D -p -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/default/%{name}d
+
+install -D -p -m 0644 ./%{name}.bash %{buildroot}%{_datadir}/bash-completion/completions/%{name}
+install -D -p -m 0644 ./%{name}.zsh %{buildroot}%{_datadir}/zsh/site-functions/_%{name}
+install -D -p -m 0644 ./%{name}.fish %{buildroot}%{_datadir}/fish/vendor_completions.d/%{name}
+
+%pre
+%service_add_pre %{name}d.service
+
+%post
+%service_add_post %{name}d.service
+
+%preun
+%service_del_preun %{name}d.service
+
+%postun
+%service_del_postun %{name}d.service
+
+%files
+%license LICENSE PATENTS
+%doc README.md SECURITY.md
+%config(noreplace) %{_sysconfdir}/default/%{name}d
+%dir %{_sharedstatedir}/%{name}
+%{_bindir}/%{name}
+%{_sbindir}/%{name}d
+%{_unitdir}/%{name}d.service
+%if 0%{?suse_version} < 1600
+%{_sbindir}/rc%{name}d
+%endif
+
+%files bash-completion
+%{_datadir}/bash-completion/completions/%{name}
+
+%files zsh-completion
+%{_datadir}/zsh/site-functions/_%{name}
+
+%files fish-completion
+%{_datadir}/fish/vendor_completions.d/%{name}
+
+%changelog
diff --git a/tailscaled.defaults b/tailscaled.defaults
new file mode 100644
index 0000000..75f1c3e
--- /dev/null
+++ b/tailscaled.defaults
@@ -0,0 +1,8 @@
+# Set the port to listen on for incoming VPN packets.
+# Remote nodes will automatically be informed about the new port number,
+# but you might want to configure this in order to set external firewall
+# settings.
+PORT="41641"
+
+# Extra flags you might want to pass to tailscaled.
+FLAGS=""
diff --git a/tailscaled.service b/tailscaled.service
new file mode 100644
index 0000000..b67b94d
--- /dev/null
+++ b/tailscaled.service
@@ -0,0 +1,35 @@
+[Unit]
+Description=Tailscale node agent
+Documentation=https://tailscale.com/kb/
+Wants=network-pre.target
+After=network-pre.target NetworkManager.service systemd-resolved.service
+
+[Service]
+EnvironmentFile=/etc/default/tailscaled
+ExecStartPre=/usr/sbin/tailscaled --cleanup
+ExecStart=/usr/sbin/tailscaled --state=/var/lib/tailscale/tailscaled.state --socket=/run/tailscale/tailscaled.sock --port=${PORT} $FLAGS
+ExecStopPost=/usr/sbin/tailscaled --cleanup
+Restart=on-failure
+RuntimeDirectory=tailscale
+RuntimeDirectoryMode=0755
+StateDirectory=tailscale
+StateDirectoryMode=0700
+CacheDirectory=tailscale
+CacheDirectoryMode=0750
+Type=notify
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+PrivateDevices=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+RestrictRealtime=true
+# give permission to TUN
+BindPaths=/dev/net/tun
+DeviceAllow=/dev/net/tun rw
+
+[Install]
+WantedBy=multi-user.target
diff --git a/vendor.tar.gz b/vendor.tar.gz
new file mode 100644
index 0000000..d1e2058
--- /dev/null
+++ b/vendor.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:deb7d6bbaa80fd49ecf76c207c81c8dad40db792c7340333007b0ac0e499cf01
+size 20891884
-- 
2.51.1

From 9ec15b6ebabac07ebb942de66714d3b1a8a8e5257804a1461f29e466b6134f91 Mon Sep 17 00:00:00 2001
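Review bot: `export VERSION_GIT_HASH='$(git rev-parse v%{version})'` in %build is single-quoted, so the shell exports the literal text `$(git rev-parse v1.92.5)` instead of a commit hash, and nothing that later reads VERSION_GIT_HASH (build_dist.sh is outside this diff) can turn that string back into one. If the intent is to stamp the commit into the binaries, the line should be `export VERSION_GIT_HASH="$(git rev-parse v%{version})"`; git-core is already a BuildRequires, but whether the unpacked tarball still carries the git metadata `git rev-parse` needs depends on how the _service in this series produces it, so check the build log (now verbose via build-verbose.patch) rather than assuming. If no hash is recoverable at build time, drop the export instead of shipping a misleading value in `tailscale version`.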
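Review bot: The hardening block in the new unit leaves `ProtectSystem=` unset, so the daemon keeps a writable view of /usr, /boot and /etc even though its own writable state is already confined to StateDirectory=, CacheDirectory= and RuntimeDirectory=. `ProtectSystem=strict` would be the matching setting, but tailscaled's DNS integration can rewrite /etc/resolv.conf on hosts without systemd-resolved, so it would likely need to be paired with `ReadWritePaths=/etc/resolv.conf` and verified on a Leap host before landing. Whatever the outcome, a one-line comment next to the existing hardening-effort link recording why ProtectSystem= is or is not set would save the next packager from re-deriving it.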
From: Richard Rahl Date: Wed, 21 Jan 2026 01:34:11 +0000 Subject: [PATCH 24/25] - Update to version 1.94.0: * derp/derpserver: add a unique sender cardinality estimate * syncs: add means of declare locking assumptions for debug mode * cmd/k8s-operator: add support for taiscale.com/http-redirect * cmd/k8s-operator fix populateTLSSecret on tests * feature/posture: log method and full URL for posture identity requests * k8s-operator: Fix typos in egress-pod-readiness.go * cmd/tailscale,ipn: add Unix socket support for serve * client/systray: change systray to start after graphical.target * cmd/k8s-operator: warn if users attempt to expose a headless Service * cmd/tailscale/cli, util/qrcodes: format QR codes on Linux consoles * tsnet: ensure funnel listener cleans up after itself when closed * ipn/store/kubestore: don't load write replica certs in memory * tsnet: allow for automatic ID token generation OBS-URL: https://build.opensuse.org/package/show/network:vpn/tailscale?expand=0&rev=116 --- .gitattributes | 23 ++ .gitignore | 1 + _service | 18 + _servicedata | 4 + build-verbose.patch | 13 + disable-auto-update.patch | 25 ++ fix-CVE-2025-58058.patch | 28 ++ tailscale-1.86.5.tar.gz | 3 + tailscale-1.88.1.tar.gz | 3 + tailscale-1.88.3.tar.gz | 3 + tailscale-1.90.2.tar.gz | 3 + tailscale-1.90.3.tar.gz | 3 + tailscale-1.90.4.tar.gz | 3 + tailscale-1.90.6.tar.gz | 3 + tailscale-1.90.8.tar.gz | 3 + tailscale-1.92.1.tar.gz | 3 + tailscale-1.92.2.tar.gz | 3 + tailscale-1.92.3.tar.gz | 3 + tailscale-1.92.5.tar.gz | 3 + tailscale-1.94.0.tar.gz | 3 + tailscale.changes | 705 ++++++++++++++++++++++++++++++++++++++ tailscale.spec | 143 ++++++++ tailscaled.defaults | 8 + tailscaled.service | 35 ++ vendor.tar.gz | 3 + 25 files changed, 1045 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 _service create mode 100644 _servicedata create mode 100644 build-verbose.patch create mode 100644 disable-auto-update.patch create mode 100644 
fix-CVE-2025-58058.patch create mode 100644 tailscale-1.86.5.tar.gz create mode 100644 tailscale-1.88.1.tar.gz create mode 100644 tailscale-1.88.3.tar.gz create mode 100644 tailscale-1.90.2.tar.gz create mode 100644 tailscale-1.90.3.tar.gz create mode 100644 tailscale-1.90.4.tar.gz create mode 100644 tailscale-1.90.6.tar.gz create mode 100644 tailscale-1.90.8.tar.gz create mode 100644 tailscale-1.92.1.tar.gz create mode 100644 tailscale-1.92.2.tar.gz create mode 100644 tailscale-1.92.3.tar.gz create mode 100644 tailscale-1.92.5.tar.gz create mode 100644 tailscale-1.94.0.tar.gz create mode 100644 tailscale.changes create mode 100644 tailscale.spec create mode 100644 tailscaled.defaults create mode 100644 tailscaled.service create mode 100644 vendor.tar.gz diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore 
@@ -0,0 +1 @@ +.osc diff --git a/_service b/_service new file mode 100644 index 0000000..9a375a9 --- /dev/null +++ b/_service @@ -0,0 +1,18 @@ + + + https://github.com/tailscale/tailscale.git + git + yes + refs/tags/v1.94.0 + @PARENT_TAG@ + v(.*) + disable + + + + *.tar + gz + + + + diff --git a/_servicedata b/_servicedata new file mode 100644 index 0000000..d4fed67 --- /dev/null +++ b/_servicedata @@ -0,0 +1,4 @@ + + + https://github.com/tailscale/tailscale.git + aa448d5a9985378af04966c6d7aec8d9f4a166ca \ No newline at end of file diff --git a/build-verbose.patch b/build-verbose.patch new file mode 100644 index 0000000..5da7533 --- /dev/null +++ b/build-verbose.patch @@ -0,0 +1,13 @@ +diff --git a/build_dist.sh b/build_dist.sh +index 0c757c26..9639d596 100755 +--- a/build_dist.sh ++++ b/build_dist.sh +@@ -9,7 +9,7 @@ + # this script, or executing equivalent commands in your + # distro-specific build system. + +-set -eu ++set -eux + + go="go" + if [ -n "${TS_USE_TOOLCHAIN:-}" ]; then diff --git a/disable-auto-update.patch b/disable-auto-update.patch new file mode 100644 index 0000000..c7d8a30 --- /dev/null +++ b/disable-auto-update.patch 
@@ -0,0 +1,25 @@
+diff -rub tailscale/clientupdate/clientupdate.go tailscale-patched/clientupdate/clientupdate.go
+--- tailscale/clientupdate/clientupdate.go 2024-06-16 15:26:31.323022871 +0200
++++ tailscale-patched/clientupdate/clientupdate.go 2024-06-16 15:57:08.732315446 +0200
+@@ -205,6 +205,8 @@
+ // The distro.Debian switch case above should catch most apt-based
+ // systems, but add this fallback just in case.
+ return up.updateDebLike, true
++ case haveExecutable("zypper"):
++ return up.updateSUSE, false
+ case haveExecutable("dnf"):
+ return up.updateFedoraLike("dnf"), true
+ case haveExecutable("yum"):
+@@ -526,6 +528,12 @@
+ you can use "pacman --sync --refresh --sysupgrade" or "pacman -Syu" to upgrade the system, including Tailscale.`)
+ }
+
++func (up *Updater) updateSUSE() error {
++ // SUSE-based distros should update manually.
++ // The package can come from official Tailscale repos or not and the system can be transactional or not.
++ return errors.New(`Use Zypper or transactional-update (on applicable systems) to update Tailscale on openSUSE or SUSE Linux Enterprise installations.`)
++}
++
+ func (up *Updater) updateNixos() error {
+ // NixOS package updates are managed on a system level and not individually.
+ // Direct users to update their nix channel or nixpkgs flake input to
diff --git a/fix-CVE-2025-58058.patch b/fix-CVE-2025-58058.patch
new file mode 100644
index 0000000..867ec16
--- /dev/null
+++ b/fix-CVE-2025-58058.patch
@@ -0,0 +1,28 @@
+diff --git a/go.mod b/go.mod
+index 3d7514158..837fc8c44 100644
+--- a/go.mod
++++ b/go.mod
+@@ -382,7 +382,7 @@ require (
+ github.com/tomarrell/wrapcheck/v2 v2.8.3 // indirect
+ github.com/tommy-muehle/go-mnd/v2 v2.5.1 // indirect
+ github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 // indirect
+- github.com/ulikunitz/xz v0.5.11 // indirect
++ github.com/ulikunitz/xz v0.5.15 // indirect
+ github.com/ultraware/funlen v0.1.0 // indirect
+ github.com/ultraware/whitespace v0.1.0 // indirect
+ github.com/uudashr/gocognit v1.1.2 // indirect
+diff --git a/go.sum b/go.sum
+index 995b93010..715cd6dea 100644
+--- a/go.sum
++++ b/go.sum
+@@ -1010,8 +1010,8 @@ github.com/u-root/u-root v0.14.0 h1:Ka4T10EEML7dQ5XDvO9c3MBN8z4nuSnGjcd1jmU2ivg=
+ github.com/u-root/u-root v0.14.0/go.mod h1:hAyZorapJe4qzbLWlAkmSVCJGbfoU9Pu4jpJ1WMluqE=
+ github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 h1:pyC9PaHYZFgEKFdlp3G8RaCKgVpHZnecvArXvPXcFkM=
+ github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701/go.mod h1:P3a5rG4X7tI17Nn3aOIAYr5HbIMukwXG0urG0WuL8OA=
+-github.com/ulikunitz/xz v0.5.11 h1:kpFauv27b6ynzBNT/Xy+1k+fK4WswhN/6PN5WhFAGw8=
+-github.com/ulikunitz/xz v0.5.11/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
++github.com/ulikunitz/xz v0.5.15 h1:9DNdB5s+SgV3bQ2ApL10xRc35ck0DuIX/isZvIk+ubY=
++github.com/ulikunitz/xz v0.5.15/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
+ github.com/ultraware/funlen v0.1.0 h1:BuqclbkY6pO+cvxoq7OsktIXZpgBSkYTQtmwhAK81vI=
+ github.com/ultraware/funlen v0.1.0/go.mod h1:XJqmOQja6DpxarLj6Jj1U7JuoS8PvL4nEqDaQhy22p4=
+ github.com/ultraware/whitespace v0.1.0 h1:O1HKYoh0kIeqE8sFqZf1o0qbORXUCOQFrlaQyZsczZw=
diff --git a/tailscale-1.86.5.tar.gz b/tailscale-1.86.5.tar.gz
new file mode 100644
index 0000000..c896ccb
--- /dev/null
+++ b/tailscale-1.86.5.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:41d7a8318ae624bd7f8315d4f4d929025f403837b97d505e142064273dde7b6d
+size 73557568
diff --git a/tailscale-1.88.1.tar.gz b/tailscale-1.88.1.tar.gz
new file mode 100644
index 0000000..ca210fd
--- /dev/null
+++ b/tailscale-1.88.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8bf6ec31b921f822867977bee5a57bcd79e1ac721fc1498dc99f8b4e028942c4
+size 74267799
diff --git a/tailscale-1.88.3.tar.gz b/tailscale-1.88.3.tar.gz
new file mode 100644
index 0000000..26c7e7d
--- /dev/null
+++ b/tailscale-1.88.3.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cf8b2625ffe57b92ad34af619e0e78202fd9c3d219295c18781d3682411efce1
+size 75520912
diff --git a/tailscale-1.90.2.tar.gz b/tailscale-1.90.2.tar.gz
new file mode 100644
index 0000000..553ddcf
--- /dev/null
+++ b/tailscale-1.90.2.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:eb89e930b62365aeda0fd8fd1af5ab640fd47340c60286ee4102bf2738c26267
+size 75912665
diff --git a/tailscale-1.90.3.tar.gz b/tailscale-1.90.3.tar.gz
new file mode 100644
index 0000000..d5bfa94
--- /dev/null
+++ b/tailscale-1.90.3.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:94e98597379c95acc11ec3adee926f868baf0a32986ceea91e7ad90817863a00
+size 75995057
diff --git a/tailscale-1.90.4.tar.gz b/tailscale-1.90.4.tar.gz
new file mode 100644
index 0000000..aa03a50
--- /dev/null
+++ b/tailscale-1.90.4.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:540310a3c9f29866e13356b4d04d8553a582a99a3032f342ff51deed29998a97
+size 76927017
diff --git a/tailscale-1.90.6.tar.gz b/tailscale-1.90.6.tar.gz
new file mode 100644
index 0000000..33e1a1e
--- /dev/null
+++ b/tailscale-1.90.6.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cb862094a7709cfe8e21b006fdd6fb20c14fbd8a840a6d1fe8eabfdaa2f5b063
+size 77877013
diff --git a/tailscale-1.90.8.tar.gz b/tailscale-1.90.8.tar.gz
new file mode 100644
index 0000000..56e8d0f
--- /dev/null
+++ b/tailscale-1.90.8.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c163ace41d1c35beb7a9d87da20a102a108ca9c4d128a29ff9764344e5c5406d
+size 78844949
diff --git a/tailscale-1.92.1.tar.gz b/tailscale-1.92.1.tar.gz
new file mode 100644
index 0000000..607d760
--- /dev/null
+++ b/tailscale-1.92.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0738a6bf43776830a72c870c3ad476882c36ed803d024a1331e0cb82850668d3
+size 79379813
diff --git a/tailscale-1.92.2.tar.gz b/tailscale-1.92.2.tar.gz
new file mode 100644
index 0000000..b0a40fe
--- /dev/null
+++ b/tailscale-1.92.2.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d38ed5236e97266c2dbab26d96981ab99fca2d14ffcb1fc9a62919a81713f082
+size 79762585
diff --git a/tailscale-1.92.3.tar.gz b/tailscale-1.92.3.tar.gz
new file mode 100644
index 0000000..8e64e22
--- /dev/null
+++ b/tailscale-1.92.3.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b5669b0365fc27d42338a3af65ff84ddcc4f131af6252ad7fa297371fd4d3d09
+size 16444103
diff --git a/tailscale-1.92.5.tar.gz b/tailscale-1.92.5.tar.gz
new file mode 100644
index 0000000..c99decb
--- /dev/null
+++ b/tailscale-1.92.5.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0352f78e7a5b7d80ba0ebda7fb5aa3c3deda001259b96518b30a1d4bfbfd7ee0
+size 79610116
diff --git a/tailscale-1.94.0.tar.gz b/tailscale-1.94.0.tar.gz
new file mode 100644
index 0000000..d65cfe6
--- /dev/null
+++ b/tailscale-1.94.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9b0b48d5ea0a7b8f533819284bceacbf966a3966c6abf26cf6dd68a963d33be0
+size 80564091
diff --git a/tailscale.changes b/tailscale.changes
new file mode 100644
index 0000000..80ef525
--- /dev/null
+++ b/tailscale.changes
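Review bot: fix-CVE-2025-58058.patch is still added to the tree by this 1.94.0 commit although the tailscale.changes entry for 1.88.1 in the same series says it was removed as fixed upstream, so the file looks like a stale, unreferenced carry-over; if the 1.94.0 spec (not in this chunk) no longer lists it as a Patch, dropping it avoids a misleading CVE artefact in the package sources. Should it ever need re-applying, note that it touches only go.mod and go.sum: with vendor.tar.gz unpacked by `%autosetup -a1`, Go refuses to build when vendor/modules.txt disagrees with go.mod, so the vendor tarball would have to be regenerated against the patched go.mod for the ulikunitz/xz bump to actually reach the built binaries.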
@@ -0,0 +1,705 @@ +------------------------------------------------------------------- +Wed Jan 21 01:30:13 UTC 2026 - Richard Rahl + +- Update to version 1.94.0: + * derp/derpserver: add a unique sender cardinality estimate + * syncs: add means of declare locking assumptions for debug mode + * cmd/k8s-operator: add support for taiscale.com/http-redirect + * cmd/k8s-operator fix populateTLSSecret on tests + * feature/posture: log method and full URL for posture identity requests + * k8s-operator: Fix typos in egress-pod-readiness.go + * cmd/tailscale,ipn: add Unix socket support for serve + * client/systray: change systray to start after graphical.target + * cmd/k8s-operator: warn if users attempt to expose a headless Service + * cmd/tailscale/cli, util/qrcodes: format QR codes on Linux consoles + * tsnet: ensure funnel listener cleans up after itself when closed + * ipn/store/kubestore: don't load write replica certs in memory + * tsnet: allow for automatic ID token generation + +------------------------------------------------------------------- +Fri Jan 9 00:06:05 UTC 2026 - Richard Rahl + +- Update to version 1.92.5: + * types/persist: omit Persist.AttestationKey based on IsZero + * disable hardware attestation for kubernetes + * allow opting out of ACME order replace extension +- Update to version 1.92.4: + * nothing of importance + +------------------------------------------------------------------- +Wed Dec 17 13:24:06 UTC 2025 - Richard Rahl + +- Update to version 1.92.3: + * WireGuard configuration that occurs automatically in the client, no longer + results in a panic + +------------------------------------------------------------------- +Fri Dec 12 14:21:14 UTC 2025 - Richard Rahl + +- Update to version 1.92.2: + * cmd/derper: add GCP Certificate Manager support + +------------------------------------------------------------------- +Sat Dec 6 11:39:58 UTC 2025 - Richard Rahl + +- Update to version 1.92.1: + * fix LocalBackend deadlock when packet arrives 
during profile switch + * wgengine: fix TSMP/ICMP callback leak +- Update to version 1.92.0: + * no changelog provided +- Update to version 1.90.9: + * tailscaled no longer deadlocks during event bursts + * The client no longer hangs after wake up + +------------------------------------------------------------------- +Wed Nov 19 16:23:06 UTC 2025 - Richard Rahl + +- Update to version 1.90.8: + * tka: move RemoveAll() to CompactableChonk +- Update to version 1.90.7: + * wgengine/magicsock: validate endpoint.derpAddr + * wgengine/magicsock: fix UDPRelayAllocReq/Resp deadlock + * net/udprelay: replace VNI pool with selection algorithm + * feature/relayserver,ipn/ipnlocal,net/udprelay: plumb DERPMap + * feature/relayserver: fix Shutdown() deadlock + * net/netmon: do not abandon a subscriber when exiting early + * tka: don't try to read AUMs which are partway through being written + * tka: rename a mutex to mu instead of single-letter l + * ipn/ipnlocal: use an in-memory TKA store if FS is unavailable + +------------------------------------------------------------------- +Sun Nov 2 11:43:31 UTC 2025 - Richard Rahl + +- Update to version 1.90.6: + * Routes no longer stall and fail to apply when updated repeatedly in a short + period of time + * Tailscale SSH no longer hangs for 10s when connecting to tsrecorder. 
This + affected tailnets that use Tailscale SSH recording + +------------------------------------------------------------------- +Wed Oct 29 09:50:22 UTC 2025 - Richard Rahl + +- Update to version 1.90.4: + * deadlock issue no longer occurs in the client when checking + for the network to be available + * tailscaled no longer sporadically panics when a + Trusted Platform Module (TPM) device is present + +------------------------------------------------------------------- +Tue Oct 28 11:12:50 UTC 2025 - Richard Rahl + +- Update to version 1.90.3: + * tailscaled shuts down as expected and without panic + * tailscaled starts up as expected in a no router configuration environment + +------------------------------------------------------------------- +Fri Oct 24 18:11:11 UTC 2025 - Richard Rahl + +- Update to version 1.90.2: + * util/linuxfw: fix 32-bit arm regression with iptables + * health: compare warnable codes to avoid errors on release branch + * feature/tpm: check TPM family data for compatibility + +------------------------------------------------------------------- +Fri Oct 24 10:08:31 UTC 2025 - Richard Rahl + +- Upate to version 1.90.1: + * Clients can use configured DNS resolvers for all domains + * Node keys will be renewed seamlessly + * Unnecessary path discovery packets over DERP servers are suppressed + * Node key sealing is GA (generally available) and enabled by default + +------------------------------------------------------------------- +Wed Oct 1 11:55:52 UTC 2025 - Richard Rahl + +- update to version 1.88.3: + * cmd/tailscale/cli: add ts2021 debug flag to set a dial plan + * control/controlhttp: simplify, fix race dialing, remove priority concept +- update to version 1.88.2: + * k8s-operator: reset service status before append +- require the minimum go version directly, in comparison to using the golang(API) + symbol + +------------------------------------------------------------------- +Fri Sep 12 11:11:48 UTC 2025 - Richard Rahl + +- update 
to version 1.88.1: + * Tailscale CLI prompts users to confirm impactful actions + * Tailscale SSH works as expected when using an IP address instead of a + hostname and MagicDNS is disabled + * fixed: Taildrive sharing when su not present + * Taildrive files remain consistently accessible + * new: Tailscale tray GUI + * DERP IPs changed for Singapore and Tokyo +- remove fix-CVE-2025-58058.patch, fixed upstream + +------------------------------------------------------------------- +Fri Aug 29 12:57:59 UTC 2025 - Richard Rahl + +- add patch fix-CVE-2025-58058.patch, fixing bsc#1248920 + +------------------------------------------------------------------- +Fri Aug 29 11:10:29 UTC 2025 - Richard Rahl + +- update to version 1.86.5: + * cmd/k8s-proxy,k8s-operator: fix serve config for userspace mode +- update to version 1.86.4: + * nothing of relevance +- update to version 1.86.3: + * nothing of relevance + +------------------------------------------------------------------- +Tue Jul 29 21:20:47 UTC 2025 - Richard Rahl + +- update to version 1.86.2: + * A deadlock issue that may have occurred in the client + * An occasional crash when establishing a new port mapping with a gateway or + firewall + +------------------------------------------------------------------- +Sat Jul 26 16:23:38 UTC 2025 - Richard Rahl + +- update to version 1.86.0: + * tsStateEncrypted device posture attribute for checking whether the + Tailscale client state is encrypted at rest + * Cross-site request forgery (CSRF) issue that may have resulted in a log in + error when accessing the web interface + * Recommended exit node when the previously recommended exit node is offline + * tailscale up --exit-node=auto:any and tailscale set --exit-node=auto:any + CLI commands track the recommended exit node and automatically switches to + it when available exit nodes or network conditions change + * tailscaled CLI command flag --encrypt-state encrypts the node state file on + the disk using trusted platform 
module (TPM) + +------------------------------------------------------------------- +Thu Jun 26 17:29:44 UTC 2025 - Richard Rahl + +- update to 1.84.3: + * ipn/ipnlocal: Update hostinfo to control on service config change + +------------------------------------------------------------------- +Tue Jun 10 15:36:55 UTC 2025 - Richard Rahl + +- update to 1.84.2: + * Re-enable setting —accept-dns by using TS_EXTRA_ARGS. This issue resulted + from stricter CLI arguments parsing introduced in Tailscale v1.84.0 + +------------------------------------------------------------------- +Fri May 30 06:23:15 UTC 2025 - Richard Rahl + +- update to 1.84.1: + * net/dns: cache dns.Config for reuse when compileConfig fails + +------------------------------------------------------------------- +Thu May 22 08:27:09 UTC 2025 - Richard Rahl + +- update to 1.84.0: + * The --reason flag is added to the tailscale down command + * ReconnectAfter policy setting, which configures the maximum period of time + between a user disconnecting Tailscale and the client automatically + reconnecting + * Tailscale CLI commands throw an error if multiple of the same flag are detected + * Network connectivity issues when creating a new profile or switching + profiles while using an exit node + * DNS-over-TCP fallback works correctly with upstream servers reachable only + via the tailnet +- remove fix-CVE-2025-22869.patch, as upstream updated their dependencies + +------------------------------------------------------------------- +Fri Apr 18 07:37:15 UTC 2025 - Richard Rahl + +- update to 1.82.5: + * A panic issue related to CUBIC congestion control in userspace mode is resolved. + +------------------------------------------------------------------- +Thu Mar 27 19:50:58 UTC 2025 - Richard Rahl + +- update to 1.82.0: + * DERP functionality within the client supports certificate pinning for + self-signed IP address certificates for those unable to use Let's Encrypt + or WebPKI certificates. 
+ * Go is updated to version 1.24.1 + * NAT traversal code uses the DERP connection that a packet arrived on as an + ultimate fallback route if no other information is available + * Captive portal detection reliability is improved on some in-flight Wi-Fi networks + * Port mapping success rate is improved + * Helsinki is added as a DERP region. + +------------------------------------------------------------------- +Wed Mar 12 09:07:49 UTC 2025 - Richard Rahl + +- add patch fix-CVE-2025-22869.patch, fixes bsc#1239353 + +------------------------------------------------------------------- +Tue Mar 4 13:42:34 UTC 2025 - Richard Rahl + +- update to 1.80.3: + * appc: fix a deadlock in route advertisements + * client/web: fix CSRF handler order in web UI + +------------------------------------------------------------------- +Thu Feb 13 14:30:28 UTC 2025 - Richard Rahl + +- update to 1.80.2: + * Use ip:country as a geolocation device posture attribute (generally available). + +------------------------------------------------------------------- +Thu Feb 6 19:52:22 UTC 2025 - Richard Rahl + +- update to 1.80.1: + * net/netmon: add extra panic guard around ParseRIB + +------------------------------------------------------------------- +Fri Jan 31 17:20:29 UTC 2025 - Richard Rahl + +- update to 1.80.0: + * Hostname system policy is added for overriding the device hostname + configured by the operating system, using an MDM solution. + * Web interface displays a Login button instead of the Reauthenticate button + when adding a new device to your tailnet. + * Tailscale Funnel configuration on devices displays errors when incoming + connections are not permitted and connections are disallowed. + * Connections to a custom coordination server that does not support HTTPS + will no longer fail when a custom port number is specified. + * TLS certificate requests from Let’s Encrypt include the device's DNS name + in the CSR’s SAN extension and set the Common Name field. 
+ * Tailscale Funnel disabled on a device no longer displays enabled in the + admin console. + * GitHub username change automatically updates tailnet name + * 4via6 subnet routers GA + * Auto approvers GA + * Node attributes GA + * Download invoices GA + * Fast user switching GA + * Configuration log streaming integration with S3 buckets GA + * Network flow log streaming integration with S3 buckets GA + * NextDNS profiles per device GA + * GitHub secret scanning +- remove fix-CVE-2024-45337.patch, as it's now included + +------------------------------------------------------------------- +Wed Dec 18 17:33:23 UTC 2024 - Richard Rahl + +- add patch fix-CVE-2024-45337.patch, to circumevent a possibility + of exploiting the golang-x-crypto security hole. (fix #1234506) + +------------------------------------------------------------------- +Fri Dec 13 05:06:26 UTC 2024 - Richard Rahl + +- update to 1.78.3: + * cmd/containerboot: fix nil pointer exception + * hostinfo: fix testing in container + +------------------------------------------------------------------- +Fri Dec 6 01:22:05 UTC 2024 - Richard Rahl + +- update to 1.78.1: + * health: fix TestHealthMetric + +------------------------------------------------------------------- +Thu Dec 5 22:10:32 UTC 2024 - Richard Rahl + +- update to 1.78.0: + * Client metrics have been added, to provide insights into Tailscale client + behavior, health, and performance. + * tailscale metrics command has been added, to expose and collect client + metrics for use with third-party monitoring systems. + * tailscale syspolicy command has been added, to list system policies, reload + system policies, or view errors related to the system policies configured + on the device. + * Tailscale system policies are applied immediately when pushed via mobile + device management (MDM) or Group Policy, without requiring a client restart. + * Tailscale SSH session recording detects the disappearance of the recorder + node sooner. 
This fix addresses a security vulnerability described + in TS-2024-013. + * New scopes for OAuth clients have been added with more granular permissions. + Existing OAuth clients using the previous set of scopes, and keys generated + using these clients, are still valid. + +------------------------------------------------------------------- +Fri Nov 8 03:46:50 UTC 2024 - Richard Rahl + +- update to 1.76.6: + * Logging for when clients move home DERP regions is improved. + * Tailscale clients no longer move their home DERP server prematurely in + response to unusual latency at very specific times. + +------------------------------------------------------------------- +Tue Oct 22 18:34:42 UTC 2024 - Richard Rahl + +- update to 1.76.3: + * no relevant changelog +- update to 1.76.2: + * no relevant changelog +- switch over to the new %{default_fw_backend} macro +- create old init file only for < leap 16 + +------------------------------------------------------------------- +Wed Oct 16 20:40:31 UTC 2024 - Richard Rahl + +- update to 1.76.1: + * tailscale netcheck CLI command no longer crashes when performing diagnostics + on networks lacking UDP connectivity. + * Improperly formatted SERVFAIL responses no longer cause DNS timeouts when using an exit node. + * dbus login sessions no longer fail on systems where /bin/login is missing. + +------------------------------------------------------------------- +Mon Oct 14 13:06:13 UTC 2024 - Alexandre Vicenzi + +- Require a firewall backend (boo#1228829) +- Add simple test check to ensure binaries are working + +------------------------------------------------------------------- +Fri Oct 11 06:07:28 UTC 2024 - Richard Rahl + +- update to 1.76.0: + * Clients lacking UDP connectivity no longer skip performing fallback latency + measurements with DERP servers. + * Warnings no longer display unnecessarily. + * Tailscale connectivity on in-flight internet on airplanes (such as Alaska Airlines) no longer fails. 
+ * Service-related processes no longer run unnecessarily when services are disabled on the tailnet. + * Error messages include explanations in addition to the HTTP status code. + * Tailscale SSH supports sending environment variables to hosts. It's also possible to specify + permitted environment variables using the acceptEnv field. + * Tailscale SSH no longer breaks some terminal applications by omitting pixel width and height when + resizing the application window. + +------------------------------------------------------------------- +Sat Sep 21 05:28:42 UTC 2024 - Eric Torres + +- Change path of zsh completion file to make zsh properly recognize completions + * /usr/share/zsh/site-functions/tailscale moved to /usr/share/zsh/site-functions/_tailscale + +------------------------------------------------------------------- +Wed Sep 18 19:10:19 UTC 2024 - Richard Rahl + +- update to 1.74.1: + * wgengine/magicsock: disable raw disco by default; add envknob to enable + +------------------------------------------------------------------- +Fri Sep 13 10:48:17 UTC 2024 - Richard Rahl + +- update to 1.74.0 + * AuthKey system policy can be used to authenticate a device with Tailscale using an MDM solution. + * tailscale dns CLI command is added for accessing Tailscale DNS settings and status. + * Tailnet Lock long rotation signatures are truncated automatically to avoid excessive growth. + * Log In option in the client works as expected. + * TCP generic receive offload (GRO) support is added for improved userspace mode throughput. + * TCP generic segmentation offload (GSO) is re-introduced for supporting improved userspace mode throughput. + This was initially introduced in Tailscale v1.72.0 and then rolled back in v1.72.1. + * Device posture integration with CrowdStrike Falcon can now use MAC addresses to match devices that lack serial numbers. + When Falcon integration is configured, Device Identity Collection will automatically collect MAC addresses. 
+ +------------------------------------------------------------------- +Thu Aug 22 22:08:51 UTC 2024 - Richard Rahl + +- update to 1.72.1: + * DNS over TCP failures when querying the Tailscale-internal resolver are fixed. + +------------------------------------------------------------------- +Wed Aug 21 16:05:02 UTC 2024 - rrahl0@opensuse.org + +- Update to version 1.72.0: + * posture: deduplicate MAC addresses before returning them + * health/dns: reduce severity of DNS unavailable warning + * safeweb: add Server.Close method + * go.mod.sri: update SRI hash for go.mod changes + * go.{mod,sum}: migrate from nhooyr.io/websocket to github.com/coder/websocket + * cmd/viewer: add support for map-like container types +- update golang(API) to 1.23 +- export version variables, to circumvent a bug + +------------------------------------------------------------------- +Thu Jul 18 06:31:58 UTC 2024 - Richard Rahl + +- update to 1.70.0: + * New: Restrict recommended and automatically selected exit nodes using the + new AllowedSuggestedExitNodes system policy. Applies only to platforms that + support system policies. + * Changed: Improved NAT traversal for some uncommon scenarios. + * Changed: Optimized sending firewall rules to clients more efficiently. + * Fixed: Exit node suggestion CLI command now prints the hostname. + * Fixed: Taildrive share paths configured through the CLI resolve relative + to where you run the tailscale command. + +------------------------------------------------------------------- +Tue Jul 2 20:35:35 UTC 2024 - Richard Rahl + +- update to 1.68.2: + * Fixed: Tailnet lock validation of rotation signatures now permits multiple nodes + signed by the same pre-signed reusable auth key. + +------------------------------------------------------------------- +Sun Jun 16 13:30:20 UTC 2024 - Richard Rahl + +- update to 1.68.1: + * Fixed: 4via6 subnet router advertisement works as expected. 
+ * Fixed: Tailscale SSH access to Security-Enhanced Linux (SELinux) machines works as expected. +- update to 1.68.0: + * New: Auto-updates are allowed in containers, but ignore the tailnet-wide default + * New: Apply auto-updates even if the node is down or disconnected from the coordination server. + * New: tailscale lock status now prints the node's signature. + +------------------------------------------------------------------- +Wed May 22 08:36:37 UTC 2024 - Richard Rahl + +- update to 1.66.4: + * Fixed: Restored UDP connectivity through Mullvad exit nodes + * Stateful filtering is now off by default + +- update to 1.66.3: + * Login URLs did not always appear in the console when running tailscale up + * Starting with v1.66, the Kubernetes operator must always run the same or later version + as the proxies it manages. + * Expose cloud services on cluster network to the tailnet, using Kubernetes ExternalName Services + * Expose tailnet services that use Tailscale HTTPS to cluster workloads + * Cluster workloads can now refer to Tailscale Ingress resources by their MagicDNS names + * Configure environment variables for Tailscale Kubernetes operator proxies using ProxyClass CRD + * Expose tailscaled metrics endpoint for Tailscale Kubernetes operator proxies through ProxyClass CRD + * Configure labels for the Kubernetes operator Pods with Helm chart values + * Configure affinity rules for Kubernetes operator proxy Pods with ProxyClass + * Kubernetes operator proxy init container no longer attempts to enable IPv6 forwarding on systems + that don't have IPv6 module loaded + * Tailscale containers running on Kubernetes no longer error if an empty Kubernetes Secret is + pre-created for the tailscaled state + * Improved the ambiguous error messages when Tailscale running on Kubernetes does not have the right + permissions to perform actions against the tailscaled state Secret + +------------------------------------------------------------------- +Fri May 10 15:16:33 
UTC 2024 - Richard Rahl + +- update to 1.66.1: + * Resolved issues with nftables rules for stateful filtering, + introduced in v1.66.0. + * tailscale set command flags --netfilter-mode, --snat-subnet-routes, + and --stateful-filtering are added. + +- update to 1.66.0: + * Implemented client-side quarantining for shared-in exit nodes, + as a mitigation for a security vulnerability described in TS-2024-005. + * Use the --stateful-filtering flag for the tailscale up to enable stateful filtering for + subnet routers and exit nodes, as a mitigation for a security vulnerability described + in TS-2024-005. + * Added tab completions + * Use the tailscale exit-node suggest command to automatically pick an available exit node + that is likely to perform best. + * Site-to-site networking now also requires --stateful-filtering=false in addition to + --snat-subnet-routes=false on new subnet routers. Existing subnet routers with --snat-subnet-routes=false + will default to --stateful-filtering=false. + +- update to 1.64.2: + * nothing relevant for linux + +- update to 1.64.1: + * nothing relevant for linux + +- update to 1.64.0: + * New: tailscale configure kubeconfig now respects KUBECONFIG environment variable. + * Fixed: tailscale configure kubeconfig now works with partially empty kubeconfig. + * Fixed: MSS clamping for Kubernetes operator proxies using nftables. + * Fixed: Containers on hosts with partial support for ip6tables no longer crash. 
+ +- turn of changelog generation +- add completions for bash + +------------------------------------------------------------------- +Sat Mar 30 08:28:56 UTC 2024 - Richard Rahl + +- update to 1.62.1: + * Send load balancing hint HTTP request header + * Fixed: Kubernetes operator proxies should not accept subnet routes + +------------------------------------------------------------------- +Thu Mar 14 03:13:54 UTC 2024 - rrahl0@proton.me + +- update to 1.62.0: + * IPv6 support detection in a container environment is improved + * New: Web interface now uses ACL grants to manage access on tagged devices + * Tailscale SSH connections now disable unnecessary hostname canonicalization + * tailscale bugreport command for generating diagnostic logs now contain ethtool information + * Mullvad's family-friendly server is added to the list of well known DNS over HTTPS (DoH) servers + * DNS over HTTP requests now contain a timeout + * TCP forwarding attempts in userspace mode now have a per-client limit + * Endpoints with link-local IPv6 addresses is preferred over private addresses + * WireGuard logs are less verbose + * Go min. 
version 1.22.1 + * DERP server region no longer changes if connectivity to the new DERP region is degraded + +- update to 1.60.1: + * Exposing port 8080 to other devices on your tailnet works as expected + +------------------------------------------------------------------- +Tue Feb 20 22:10:41 UTC 2024 - Alexandre Vicenzi + +- Add disable-auto-update.patch to prevent auto updates and instead + ask users to use Zypper to update manually + +------------------------------------------------------------------- +Tue Feb 20 14:52:46 UTC 2024 - Richard Rahl + +- change to the non deprecated manualrun + +------------------------------------------------------------------- +Fri Feb 16 14:38:14 UTC 2024 - alexandre.vicenzi@suse.com + +- Spec cleanup + * Use tar_scm to avoid commit hashes in the spec + * Use tailscale build scripts + * Drop ProtectClock fix for Leap, DeviceAllow fixes it +- Add build-verbose.patch to get go flags into build log +- Enable PrivateDevices but allow access to /dev/net/tun in tailscaled.service + +------------------------------------------------------------------- +Fri Feb 16 00:50:26 UTC 2024 - Richard Rahl + +- update to 1.60.0: + * minimum go version 1.22 + * authentication: present users with a valid login page when + attempting to login even after leaving device unattended for several days + * networking: mute noisy peer mtu discovery errors + * networking: expose gVisor metrics in debug mode + * port mapper: support legacy "urn:dslforum-org" port mapping services + * port mapper: fix crash when no support mapping services found + * ssh: log warning when unable to find SSH host keys + * serve: improve error message when running as non-root + * Detect when Tailscale is running on Digital Ocean and automatically + use Digital Ocean's DNS resolvers + * enable app connectors to install routes for domains that resolve to CNAME + records + * support pre-configured routes from control server + * add new read-only mode + * tailscale status command: 
fix output formatting Tailnet + includes location-based exit nodes + * a new ProxyClass custom resource that allows to provide custom + configuration for cluster resources that the operator creates + * ACL tags for the operator can now be configured via Helm chart values + * routing to Ingress backends that require an exact path without a slash + +------------------------------------------------------------------- +Wed Feb 7 14:52:53 UTC 2024 - Richard Rahl + +- make rpm not overwrite /etc/default/taiscaled +- defattr everything to root + +------------------------------------------------------------------- +Sat Feb 3 11:18:05 UTC 2024 - Richard Rahl + +- no stripping of binaries +- add commitID to binaries for upstream +- add directory for saved configs + +------------------------------------------------------------------- +Tue Jan 23 23:54:36 UTC 2024 - Richard Rahl + +- switch services to manual +- update to version 1.58.2: + * Fixed: [App connectors][app-connectors] have improved scheduling + and merging of route changes under some conditions + * Fixed: Crash when performing UPnP portmapping on older routers + with no supported portmapping services + +------------------------------------------------------------------- +Fri Jan 19 08:06:27 UTC 2024 - Richard Rahl + +- update to version 1.58.0: + * portmap: check the epoch from NAT-PMP & PCP, establish new portmapping if it changes + * portmap: better handle multiple interfaces + * portmap: handle multiple UPnP discovery responses + * increase the number of 4via6 site IDs from 256 to 65,536 + * taildrop: allow category Z unicode characters + * increased binary size with 1.56 is resolved in 1.58 + * Reduce home DERP flapping when there's still an active connection + * device web ui: fixed issue when accessing shared devices + * device web ui: fixed login issue when accessed over https + +------------------------------------------------------------------- +Wed Jan 10 02:17:57 UTC 2024 - Richard Rahl + +- fix an 
issue with Leap, where ProtectClock prevents to connect to + /dev/net/tun + +------------------------------------------------------------------- +Fri Dec 15 21:22:39 UTC 2023 - Richard Rahl + +- update to version 1.56.1: + * Fixed: Web interface redirects to the correct self IP known by source peer + * Fixed: Usage of slices.Compact from app connector domains list + +------------------------------------------------------------------- +Fri Dec 15 13:48:28 UTC 2023 - Richard Rahl + +- fix version output to what upstream expects + +------------------------------------------------------------------- +Wed Dec 13 22:08:30 UTC 2023 - rrahl0@proton.me + +- Update to version 1.56.0: + * improve responsiveness under load, especially with bidirectional traffic + * improve UPnP portmapping + * add tailscale whois subcommand to observe metadata associated with a Tailscale IP + * include tailnet name and profile ID in tailscale switch --list to disambiguate + profiles with common login names + * improve tailscale web interface for configuring some device settings such as exit nodes, + subnet routers, and Tailscale SSH + * improve containerboot to symlink its socket file if possible, + making the tailscale CLI work without --socket=/tmp/tailscale.sock + * add support in Kubernetes operator cluster egress for referring to a tailnet service + by its MagicDNS name + + +- Update to version 1.54.1: + * no relevant updates to the linux version + +------------------------------------------------------------------- +Fri Nov 24 21:59:11 UTC 2023 - Richard Rahl + +- tailscale couldn't connect to /dev/net/tun + +------------------------------------------------------------------- +Thu Nov 23 06:51:24 UTC 2023 - rrahl0@proton.me + +- Update to version 1.54.0: + * improve throughput substantially for UDP packets over TUN device with recent Linux kernels + + +- Update to version 1.52.1: + * no linux improvements + +- Update to version 1.52.0: + * tailscale set command flag --auto-update is 
added to opt in to automatic client updates + * tailscale serve and tailscale funnel commands are updated for improved usability + * tailscale update command for manual updates is now in beta + * Taildrop file transfer displays a progress meter + * nftables auto-detection is improved when TS_DEBUG_FIREWALL_MODE=auto is used + * DNS detection of NetworkManager with configured but absent systemd-resolved + * Taildrop now resumes file transfers after partial transfers are interrupted + * tailscale up command displays a message about client updates when newer versions are available + * tailscale status command displays a message about client updates when newer versions are available + * tailscale cert command renews in the background. The current certificate only displays if it has expired. + +------------------------------------------------------------------- +Mon Oct 02 23:51:03 UTC 2023 - rrahl0@proton.me + +- Update to version 1.50.1: + * fix bug where serve config could get wiped + * Funnel support for tsnet apps + * fix potential crash with UPnP + +------------------------------------------------------------------- +Sat Sep 30 19:38:50 UTC 2023 - rrahl0@proton.me + +- Update to version 1.50.0: + * Update tailscale{,d} licenses + * Update Quad9 addresses and references + * Adds support for Wikimedia DNS using DNS-over-HTTPS + +- Update to version 1.48.1: + * no relevant updates + +- Update to version 1.48.2: + * Improvements to Mullvad exit nodes + +------------------------------------------------------------------- +Fri Aug 18 15:56:24 UTC 2023 - Richard Rahl + +- Initial revision diff --git a/tailscale.spec b/tailscale.spec new file mode 100644 index 0000000..e43aaa8 --- /dev/null +++ b/tailscale.spec 
@@ -0,0 +1,143 @@
+#
+# spec file for package tailscale
+#
+# Copyright (c) 2026 SUSE LLC and contributors
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name: tailscale
+Version: 1.94.0
+Release: 0
+Summary: The easiest, most secure way to use WireGuard and 2FA
+License: BSD-3-Clause
+URL: https://github.com/tailscale/tailscale
+Source: %{name}-%{version}.tar.gz
+Source1: vendor.tar.gz
+Source2: %{name}d.service
+Source3: %{name}d.defaults
+Patch0: build-verbose.patch
+Patch1: disable-auto-update.patch
+BuildRequires: bash-completion
+BuildRequires: fish
+BuildRequires: git-core
+BuildRequires: go1.25 >= 1.25.5
+BuildRequires: golang-packaging
+BuildRequires: zsh
+Requires: %{default_firewall_backend}
+ExcludeArch: %{ix86}
+%{?systemd_requires}
+
+%description
+Tailscale is a modern VPN built on top of Wireguard. It works like an overlay
+network between the computers of your networks using NAT traversal.
+
+%package bash-completion
+Summary: Tailscale bash completion
+Supplements: (%{name} and bash-completion)
+BuildArch: noarch
+
+%description bash-completion
+bash completions for %{name}
+
+%package zsh-completion
+Summary: Tailsacle zsh completion
+Supplements: (%{name} and zsh)
+BuildArch: noarch
+
+%description zsh-completion
+zsh completion for %{name}
+
+%package fish-completion
+Summary: Tailscale fish completion
+Supplements: (%{name} and fish)
+BuildArch: noarch
+
+%description fish-completion
+fish completion for %{name}
+
+%prep
+%autosetup -a1 -p1
+
+%build
+%ifnarch ppc64
+export GOFLAGS="-buildmode=pie"
+%endif
+export VERSION_SHORT=%{version}
+export VERSION_LONG=%{version}
+export VERSION_GIT_HASH='$(git rev-parse v%{version})'
+./build_dist.sh ./cmd/%{name}
+./build_dist.sh ./cmd/%{name}d
+
+#generate completions
+./%{name} completion bash > ./%{name}.bash
+./%{name} completion zsh > ./%{name}.zsh
+./%{name} completion fish > ./%{name}.fish
+
+%check
+./%{name} version
+./%{name}d -version
+
+%install
+mkdir -p %{buildroot}%{_sharedstatedir}/%{name}
+
+install -D -p -m 0755 %{name} %{buildroot}%{_bindir}/%{name}
+install -D -p -m 0755 %{name}d %{buildroot}%{_sbindir}/%{name}d
+
+# service
+install -D -p -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/%{name}d.service
+%if 0%{?suse_version} < 1600
+ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}d
+%endif
+
+# defaults
+install -D -p -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/default/%{name}d
+
+install -D -p -m 0644 ./%{name}.bash %{buildroot}%{_datadir}/bash-completion/completions/%{name}
+install -D -p -m 0644 ./%{name}.zsh %{buildroot}%{_datadir}/zsh/site-functions/_%{name}
+install -D -p -m 0644 ./%{name}.fish %{buildroot}%{_datadir}/fish/vendor_completions.d/%{name}
+
+%pre
+%service_add_pre %{name}d.service
+
+%post
+%service_add_post %{name}d.service
+
+%preun
+%service_del_preun %{name}d.service
+
+%postun
+%service_del_postun %{name}d.service
+
+%files
+%license LICENSE PATENTS
+%doc README.md SECURITY.md
+%config(noreplace) %{_sysconfdir}/default/%{name}d
+%dir %{_sharedstatedir}/%{name}
+%{_bindir}/%{name}
+%{_sbindir}/%{name}d
+%{_unitdir}/%{name}d.service
+%if 0%{?suse_version} < 1600
+%{_sbindir}/rc%{name}d
+%endif
+
+%files bash-completion
+%{_datadir}/bash-completion/completions/%{name}
+
+%files zsh-completion
+%{_datadir}/zsh/site-functions/_%{name}
+
+%files fish-completion
+%{_datadir}/fish/vendor_completions.d/%{name}
+
+%changelog
diff --git a/tailscaled.defaults b/tailscaled.defaults
new file mode 100644
index 0000000..75f1c3e
--- /dev/null
+++ b/tailscaled.defaults
@@ -0,0 +1,8 @@
+# Set the port to listen on for incoming VPN packets.
+# Remote nodes will automatically be informed about the new port number,
+# but you might want to configure this in order to set external firewall
+# settings.
+PORT="41641"
+
+# Extra flags you might want to pass to tailscaled.
+FLAGS=""
diff --git a/tailscaled.service b/tailscaled.service
new file mode 100644
index 0000000..b67b94d
--- /dev/null
+++ b/tailscaled.service
@@ -0,0 +1,35 @@
+[Unit]
+Description=Tailscale node agent
+Documentation=https://tailscale.com/kb/
+Wants=network-pre.target
+After=network-pre.target NetworkManager.service systemd-resolved.service
+
+[Service]
+EnvironmentFile=/etc/default/tailscaled
+ExecStartPre=/usr/sbin/tailscaled --cleanup
+ExecStart=/usr/sbin/tailscaled --state=/var/lib/tailscale/tailscaled.state --socket=/run/tailscale/tailscaled.sock --port=${PORT} $FLAGS
+ExecStopPost=/usr/sbin/tailscaled --cleanup
+Restart=on-failure
+RuntimeDirectory=tailscale
+RuntimeDirectoryMode=0755
+StateDirectory=tailscale
+StateDirectoryMode=0700
+CacheDirectory=tailscale
+CacheDirectoryMode=0750
+Type=notify
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+PrivateDevices=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+RestrictRealtime=true
+# give permission to TUN
+BindPaths=/dev/net/tun
+DeviceAllow=/dev/net/tun rw
+
+[Install]
+WantedBy=multi-user.target
diff --git a/vendor.tar.gz b/vendor.tar.gz
new file mode 100644
index 0000000..a60d024
--- /dev/null
+++ b/vendor.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ff518db161492c7c2269f3a8f107b92ccae8ef3b8ba81484982ed1f221bd0dff
+size 24014815
-- 
2.51.1
From e83940d85b9797a358fe35016c68ce1b2401cc032df5180f803d44c99462f835 Mon Sep 17 00:00:00 2001
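Review bot: The hardening block after `Type=notify` leaves `ProtectSystem=` unset, so the daemon keeps write access to /usr and /boot although nothing in the unit needs it; `ProtectSystem=true` (rather than `full` or `strict`, which make /etc read-only and would presumably interfere with tailscaled writing resolv.conf — confirm) is the level most likely to stay compatible, and `systemd-analyze security tailscaled.service` shows what exposure remains. The `# https://en.opensuse.org/...` comment says where the directive list comes from but not which trade-offs were accepted: `ProtectHome=true` hides /home, /root and /run/user from tailscaled, which may matter for Taildrive shares rooted there (the changelog records Taildrive fixes), so a one-line comment noting that this was considered would help the next packager. The `# give permission to TUN` comment could also state that under `PrivateDevices=true` both `BindPaths=/dev/net/tun` (to make the node visible) and `DeviceAllow=/dev/net/tun rw` (to permit access) appear to be needed, so neither is removed as redundant.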
From: Richard Rahl Date: Fri, 30 Jan 2026 12:03:53 +0000 Subject: [PATCH 25/25] - Update to version 1.94.0: * IS SET and NOT SET have been added as device posture operators * India DERP Region City Name updated * Custom DERP servers support GCP Certificate Manager * Tailscale SSH authentication, when successful, results in LOGIN audit messages being sent to the kernel audit subsystem * Tailscale Peer Relay throughput is improved when the SO_REUSEPORT socket option is supported on multi-core systems * Tailscale Peer Relay server handshake transmission is guarded against routing loops over Tailscale * MagicDNS always resolves when using resolv.conf without a DNS manager * tailscaled_peer_relay_forwarded_packets_total and tailscaled_peer_relay_forwarded_bytes_total client metrics are available for Tailscale Peer Relays * Identity tokens are automatically generated for workload identities * --audience flag added to tailscale up command to support auto generation of ID tokens for workload identity * tsnet nodes can host Tailscale Services * The tailscale lock status -json command returns tailnet key authority (TKA) data in a stable format * Tailscale Peer Relays deliver improved throughput through monotonic time comparison optimizations and reduced lock contention * Tailscale Services virtual IPs are now automatically accepted by clients across all platforms regardless of the status of the --accept-routes feature OBS-URL: https://build.opensuse.org/package/show/network:vpn/tailscale?expand=0&rev=118 --- .gitattributes | 23 ++ .gitignore | 1 + _service | 18 + _servicedata | 4 + build-verbose.patch | 13 + disable-auto-update.patch | 25 ++ fix-CVE-2025-58058.patch | 28 ++ tailscale-1.86.5.tar.gz | 3 + tailscale-1.88.1.tar.gz | 3 + tailscale-1.88.3.tar.gz | 3 + tailscale-1.90.2.tar.gz | 3 + tailscale-1.90.3.tar.gz | 3 + tailscale-1.90.4.tar.gz | 3 + tailscale-1.90.6.tar.gz | 3 + tailscale-1.90.8.tar.gz | 3 + tailscale-1.92.1.tar.gz | 3 + tailscale-1.92.2.tar.gz | 3 + 
tailscale-1.92.3.tar.gz | 3 + tailscale-1.92.5.tar.gz | 3 + tailscale-1.94.0.tar.gz | 3 + tailscale-1.94.1.tar.gz | 3 + tailscale.changes | 734 ++++++++++++++++++++++++++++++++++++++ tailscale.spec | 143 ++++++++ tailscaled.defaults | 8 + tailscaled.service | 35 ++ vendor.tar.gz | 3 + 26 files changed, 1077 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 _service create mode 100644 _servicedata create mode 100644 build-verbose.patch create mode 100644 disable-auto-update.patch create mode 100644 fix-CVE-2025-58058.patch create mode 100644 tailscale-1.86.5.tar.gz create mode 100644 tailscale-1.88.1.tar.gz create mode 100644 tailscale-1.88.3.tar.gz create mode 100644 tailscale-1.90.2.tar.gz create mode 100644 tailscale-1.90.3.tar.gz create mode 100644 tailscale-1.90.4.tar.gz create mode 100644 tailscale-1.90.6.tar.gz create mode 100644 tailscale-1.90.8.tar.gz create mode 100644 tailscale-1.92.1.tar.gz create mode 100644 tailscale-1.92.2.tar.gz create mode 100644 tailscale-1.92.3.tar.gz create mode 100644 tailscale-1.92.5.tar.gz create mode 100644 tailscale-1.94.0.tar.gz create mode 100644 tailscale-1.94.1.tar.gz create mode 100644 tailscale.changes create mode 100644 tailscale.spec create mode 100644 tailscaled.defaults create mode 100644 tailscaled.service create mode 100644 vendor.tar.gz diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes 
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/_service b/_service
new file mode 100644
index 0000000..c8ed1ee
--- /dev/null
+++ b/_service
@@ -0,0 +1,18 @@
+ + https://github.com/tailscale/tailscale.git + git + yes + refs/tags/v1.94.1 + @PARENT_TAG@ + v(.*) + disable + + + + *.tar + gz + + + +
diff --git a/_servicedata b/_servicedata
new file mode 100644
index 0000000..d4fed67
--- /dev/null
+++ b/_servicedata
@@ -0,0 +1,4 @@
+
+
+ https://github.com/tailscale/tailscale.git
+ aa448d5a9985378af04966c6d7aec8d9f4a166ca
\ No newline at end of file
diff --git a/build-verbose.patch b/build-verbose.patch
new file mode 100644
index 0000000..5da7533
--- /dev/null
+++ b/build-verbose.patch
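Review bot: The revision pinned here, `refs/tags/v1.94.1`, does not match the commit subject and the new `tailscale.changes` entry, which both announce "Update to version 1.94.0", while the diffstat adds a `tailscale-1.94.1.tar.gz` LFS pointer; presumably the Jan 30 changelog entry is meant to read `Update to version 1.94.1` so the recorded version matches the source that is actually fetched and built. Because the fetch is by tag rather than by commit, reproducibility of the tarball rests on `_servicedata` recording the resolved commit (`aa448d5a9985378af04966c6d7aec8d9f4a166ca` in this series); keep it updated together with the tag whenever the pin changes.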
@@ -0,0 +1,13 @@
+diff --git a/build_dist.sh b/build_dist.sh
+index 0c757c26..9639d596 100755
+--- a/build_dist.sh
++++ b/build_dist.sh
+@@ -9,7 +9,7 @@
+ # this script, or executing equivalent commands in your
+ # distro-specific build system.
+
+-set -eu
++set -eux
+
+ go="go"
+ if [ -n "${TS_USE_TOOLCHAIN:-}" ]; then
diff --git a/disable-auto-update.patch b/disable-auto-update.patch
new file mode 100644
index 0000000..c7d8a30
--- /dev/null
+++ b/disable-auto-update.patch
@@ -0,0 +1,25 @@
+diff -rub tailscale/clientupdate/clientupdate.go tailscale-patched/clientupdate/clientupdate.go
+--- tailscale/clientupdate/clientupdate.go 2024-06-16 15:26:31.323022871 +0200
++++ tailscale-patched/clientupdate/clientupdate.go 2024-06-16 15:57:08.732315446 +0200
+@@ -205,6 +205,8 @@
+ // The distro.Debian switch case above should catch most apt-based
+ // systems, but add this fallback just in case.
+ return up.updateDebLike, true
++ case haveExecutable("zypper"):
++ return up.updateSUSE, false
+ case haveExecutable("dnf"):
+ return up.updateFedoraLike("dnf"), true
+ case haveExecutable("yum"):
+@@ -526,6 +528,12 @@
+ you can use "pacman --sync --refresh --sysupgrade" or "pacman -Syu" to upgrade the system, including Tailscale.`)
+ }
+
++func (up *Updater) updateSUSE() error {
++ // SUSE-based distros should update manually.
++ // The package can come from official Tailscale repos or not and the system can be transactional or not.
++ return errors.New(`Use Zypper or transactional-update (on applicable systems) to update Tailscale on openSUSE or SUSE Linux Enterprise installations.`)
++}
++
+ func (up *Updater) updateNixos() error {
+ // NixOS package updates are managed on a system level and not individually.
+ // Direct users to update their nix channel or nixpkgs flake input to
diff --git a/fix-CVE-2025-58058.patch b/fix-CVE-2025-58058.patch
new file mode 100644
index 0000000..867ec16
--- /dev/null
+++ b/fix-CVE-2025-58058.patch
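Review bot: The hunk headers of the embedded patch, `@@ -205,6 +205,8 @@` and `@@ -526,6 +528,12 @@`, carry no function context and its file headers are stamped 2024-06-16, so applying it to the 1.94.1 tree presumably relies on offset fuzz to land `case haveExecutable("zypper"):` inside the intended switch. Regenerating the patch with `git diff` against the current `clientupdate/clientupdate.go` would record the enclosing function names in the headers, so a future drift in that switch fails the build loudly instead of silently placing the case elsewhere. The `false` returned next to `up.updateSUSE` is consistent with the method itself, which only returns an error pointing users at zypper or transactional-update rather than performing an update; the surrounding switch and the neighbouring update methods start and end outside the hunk.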
@@ -0,0 +1,28 @@
+diff --git a/go.mod b/go.mod
+index 3d7514158..837fc8c44 100644
+--- a/go.mod
++++ b/go.mod
+@@ -382,7 +382,7 @@ require (
+ github.com/tomarrell/wrapcheck/v2 v2.8.3 // indirect
+ github.com/tommy-muehle/go-mnd/v2 v2.5.1 // indirect
+ github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 // indirect
+- github.com/ulikunitz/xz v0.5.11 // indirect
++ github.com/ulikunitz/xz v0.5.15 // indirect
+ github.com/ultraware/funlen v0.1.0 // indirect
+ github.com/ultraware/whitespace v0.1.0 // indirect
+ github.com/uudashr/gocognit v1.1.2 // indirect
+diff --git a/go.sum b/go.sum
+index 995b93010..715cd6dea 100644
+--- a/go.sum
++++ b/go.sum
+@@ -1010,8 +1010,8 @@ github.com/u-root/u-root v0.14.0 h1:Ka4T10EEML7dQ5XDvO9c3MBN8z4nuSnGjcd1jmU2ivg=
+ github.com/u-root/u-root v0.14.0/go.mod h1:hAyZorapJe4qzbLWlAkmSVCJGbfoU9Pu4jpJ1WMluqE=
+ github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 h1:pyC9PaHYZFgEKFdlp3G8RaCKgVpHZnecvArXvPXcFkM=
+ github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701/go.mod h1:P3a5rG4X7tI17Nn3aOIAYr5HbIMukwXG0urG0WuL8OA=
+-github.com/ulikunitz/xz v0.5.11 h1:kpFauv27b6ynzBNT/Xy+1k+fK4WswhN/6PN5WhFAGw8=
+-github.com/ulikunitz/xz v0.5.11/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
++github.com/ulikunitz/xz v0.5.15 h1:9DNdB5s+SgV3bQ2ApL10xRc35ck0DuIX/isZvIk+ubY=
++github.com/ulikunitz/xz v0.5.15/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
+ github.com/ultraware/funlen v0.1.0 h1:BuqclbkY6pO+cvxoq7OsktIXZpgBSkYTQtmwhAK81vI=
+ github.com/ultraware/funlen v0.1.0/go.mod h1:XJqmOQja6DpxarLj6Jj1U7JuoS8PvL4nEqDaQhy22p4=
+ github.com/ultraware/whitespace v0.1.0 h1:O1HKYoh0kIeqE8sFqZf1o0qbORXUCOQFrlaQyZsczZw=
diff --git a/tailscale-1.86.5.tar.gz b/tailscale-1.86.5.tar.gz
new file mode 100644
index 0000000..c896ccb
--- /dev/null
+++ b/tailscale-1.86.5.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:41d7a8318ae624bd7f8315d4f4d929025f403837b97d505e142064273dde7b6d
+size 73557568
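Review bot: The `tailscale.changes` entry for 1.88.1 in this same series states `remove fix-CVE-2025-58058.patch, fixed upstream`, yet this commit still creates the file carrying the `github.com/ulikunitz/xz v0.5.11` to `v0.5.15` bump. If the spec no longer applies it, the stale file should be dropped so that CVE triage of the package is not misled into believing the fix is carried as a downstream patch. If the spec does still apply it, editing `go.mod` and `go.sum` alone is not sufficient for a vendored build: `vendor.tar.gz`, listed in the diffstat, must contain the matching `vendor/github.com/ulikunitz/xz` sources and `vendor/modules.txt` entry, or `go build -mod=vendor` rejects the inconsistent module graph. The spec file is outside this chunk, so which case applies cannot be confirmed here.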
diff --git a/tailscale-1.88.1.tar.gz b/tailscale-1.88.1.tar.gz new file mode 100644 index 0000000..ca210fd --- /dev/null +++ b/tailscale-1.88.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8bf6ec31b921f822867977bee5a57bcd79e1ac721fc1498dc99f8b4e028942c4 +size 74267799 diff --git a/tailscale-1.88.3.tar.gz b/tailscale-1.88.3.tar.gz new file mode 100644 index 0000000..26c7e7d --- /dev/null +++ b/tailscale-1.88.3.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:cf8b2625ffe57b92ad34af619e0e78202fd9c3d219295c18781d3682411efce1 +size 75520912 diff --git a/tailscale-1.90.2.tar.gz b/tailscale-1.90.2.tar.gz new file mode 100644 index 0000000..553ddcf --- /dev/null +++ b/tailscale-1.90.2.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:eb89e930b62365aeda0fd8fd1af5ab640fd47340c60286ee4102bf2738c26267 +size 75912665 diff --git a/tailscale-1.90.3.tar.gz b/tailscale-1.90.3.tar.gz new file mode 100644 index 0000000..d5bfa94 --- /dev/null +++ b/tailscale-1.90.3.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:94e98597379c95acc11ec3adee926f868baf0a32986ceea91e7ad90817863a00 +size 75995057 diff --git a/tailscale-1.90.4.tar.gz b/tailscale-1.90.4.tar.gz new file mode 100644 index 0000000..aa03a50 --- /dev/null +++ b/tailscale-1.90.4.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:540310a3c9f29866e13356b4d04d8553a582a99a3032f342ff51deed29998a97 +size 76927017 diff --git a/tailscale-1.90.6.tar.gz b/tailscale-1.90.6.tar.gz new file mode 100644 index 0000000..33e1a1e --- /dev/null +++ b/tailscale-1.90.6.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:cb862094a7709cfe8e21b006fdd6fb20c14fbd8a840a6d1fe8eabfdaa2f5b063 +size 77877013 diff --git a/tailscale-1.90.8.tar.gz b/tailscale-1.90.8.tar.gz new file mode 100644 index 0000000..56e8d0f --- /dev/null +++ b/tailscale-1.90.8.tar.gz 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c163ace41d1c35beb7a9d87da20a102a108ca9c4d128a29ff9764344e5c5406d +size 78844949 diff --git a/tailscale-1.92.1.tar.gz b/tailscale-1.92.1.tar.gz new file mode 100644 index 0000000..607d760 --- /dev/null +++ b/tailscale-1.92.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0738a6bf43776830a72c870c3ad476882c36ed803d024a1331e0cb82850668d3 +size 79379813 diff --git a/tailscale-1.92.2.tar.gz b/tailscale-1.92.2.tar.gz new file mode 100644 index 0000000..b0a40fe --- /dev/null +++ b/tailscale-1.92.2.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d38ed5236e97266c2dbab26d96981ab99fca2d14ffcb1fc9a62919a81713f082 +size 79762585 diff --git a/tailscale-1.92.3.tar.gz b/tailscale-1.92.3.tar.gz new file mode 100644 index 0000000..8e64e22 --- /dev/null +++ b/tailscale-1.92.3.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b5669b0365fc27d42338a3af65ff84ddcc4f131af6252ad7fa297371fd4d3d09 +size 16444103 diff --git a/tailscale-1.92.5.tar.gz b/tailscale-1.92.5.tar.gz new file mode 100644 index 0000000..c99decb --- /dev/null +++ b/tailscale-1.92.5.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0352f78e7a5b7d80ba0ebda7fb5aa3c3deda001259b96518b30a1d4bfbfd7ee0 +size 79610116 diff --git a/tailscale-1.94.0.tar.gz b/tailscale-1.94.0.tar.gz new file mode 100644 index 0000000..d65cfe6 --- /dev/null +++ b/tailscale-1.94.0.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9b0b48d5ea0a7b8f533819284bceacbf966a3966c6abf26cf6dd68a963d33be0 +size 80564091 diff --git a/tailscale-1.94.1.tar.gz b/tailscale-1.94.1.tar.gz new file mode 100644 index 0000000..e2d9614 --- /dev/null +++ b/tailscale-1.94.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e3483445965f144c8fa31cf59cbd45bd0fd3f08b42a9bf821cdd30f7497f07ff +size 20149545 
diff --git a/tailscale.changes b/tailscale.changes
new file mode 100644
index 0000000..d778c37
--- /dev/null
+++ b/tailscale.changes
@@ -0,0 +1,734 @@ +------------------------------------------------------------------- +Fri Jan 30 11:52:12 UTC 2026 - Richard Rahl + +- Update to version 1.94.0: + * IS SET and NOT SET have been added as device posture operators + * India DERP Region City Name updated + * Custom DERP servers support GCP Certificate Manager + * Tailscale SSH authentication, when successful, results in LOGIN audit + messages being sent to the kernel audit subsystem + * Tailscale Peer Relay throughput is improved when the SO_REUSEPORT socket + option is supported on multi-core systems + * Tailscale Peer Relay server handshake transmission is guarded against + routing loops over Tailscale + * MagicDNS always resolves when using resolv.conf without a DNS manager + * tailscaled_peer_relay_forwarded_packets_total and + tailscaled_peer_relay_forwarded_bytes_total client metrics are available for + Tailscale Peer Relays + * Identity tokens are automatically generated for workload identities + * --audience flag added to tailscale up command to support auto generation of + ID tokens for workload identity + * tsnet nodes can host Tailscale Services + * The tailscale lock status -json command returns tailnet key authority (TKA) + data in a stable format + * Tailscale Peer Relays deliver improved throughput through monotonic time + comparison optimizations and reduced lock contention + * Tailscale Services virtual IPs are now automatically accepted by clients + across all platforms regardless of the status of the --accept-routes + feature + +------------------------------------------------------------------- +Wed Jan 21 01:30:13 UTC 2026 - Richard Rahl + +- Update to version 1.94.0: + * derp/derpserver: add a unique sender cardinality estimate + * syncs: add means of declare locking assumptions for debug mode + * cmd/k8s-operator: add support for taiscale.com/http-redirect + * cmd/k8s-operator fix populateTLSSecret on tests + * feature/posture: log method and full URL for posture identity 
requests + * k8s-operator: Fix typos in egress-pod-readiness.go + * cmd/tailscale,ipn: add Unix socket support for serve + * client/systray: change systray to start after graphical.target + * cmd/k8s-operator: warn if users attempt to expose a headless Service + * cmd/tailscale/cli, util/qrcodes: format QR codes on Linux consoles + * tsnet: ensure funnel listener cleans up after itself when closed + * ipn/store/kubestore: don't load write replica certs in memory + * tsnet: allow for automatic ID token generation + +------------------------------------------------------------------- +Fri Jan 9 00:06:05 UTC 2026 - Richard Rahl + +- Update to version 1.92.5: + * types/persist: omit Persist.AttestationKey based on IsZero + * disable hardware attestation for kubernetes + * allow opting out of ACME order replace extension +- Update to version 1.92.4: + * nothing of importance + +------------------------------------------------------------------- +Wed Dec 17 13:24:06 UTC 2025 - Richard Rahl + +- Update to version 1.92.3: + * WireGuard configuration that occurs automatically in the client, no longer + results in a panic + +------------------------------------------------------------------- +Fri Dec 12 14:21:14 UTC 2025 - Richard Rahl + +- Update to version 1.92.2: + * cmd/derper: add GCP Certificate Manager support + +------------------------------------------------------------------- +Sat Dec 6 11:39:58 UTC 2025 - Richard Rahl + +- Update to version 1.92.1: + * fix LocalBackend deadlock when packet arrives during profile switch + * wgengine: fix TSMP/ICMP callback leak +- Update to version 1.92.0: + * no changelog provided +- Update to version 1.90.9: + * tailscaled no longer deadlocks during event bursts + * The client no longer hangs after wake up + +------------------------------------------------------------------- +Wed Nov 19 16:23:06 UTC 2025 - Richard Rahl + +- Update to version 1.90.8: + * tka: move RemoveAll() to CompactableChonk +- Update to version 1.90.7: + * 
wgengine/magicsock: validate endpoint.derpAddr + * wgengine/magicsock: fix UDPRelayAllocReq/Resp deadlock + * net/udprelay: replace VNI pool with selection algorithm + * feature/relayserver,ipn/ipnlocal,net/udprelay: plumb DERPMap + * feature/relayserver: fix Shutdown() deadlock + * net/netmon: do not abandon a subscriber when exiting early + * tka: don't try to read AUMs which are partway through being written + * tka: rename a mutex to mu instead of single-letter l + * ipn/ipnlocal: use an in-memory TKA store if FS is unavailable + +------------------------------------------------------------------- +Sun Nov 2 11:43:31 UTC 2025 - Richard Rahl + +- Update to version 1.90.6: + * Routes no longer stall and fail to apply when updated repeatedly in a short + period of time + * Tailscale SSH no longer hangs for 10s when connecting to tsrecorder. This + affected tailnets that use Tailscale SSH recording + +------------------------------------------------------------------- +Wed Oct 29 09:50:22 UTC 2025 - Richard Rahl + +- Update to version 1.90.4: + * deadlock issue no longer occurs in the client when checking + for the network to be available + * tailscaled no longer sporadically panics when a + Trusted Platform Module (TPM) device is present + +------------------------------------------------------------------- +Tue Oct 28 11:12:50 UTC 2025 - Richard Rahl + +- Update to version 1.90.3: + * tailscaled shuts down as expected and without panic + * tailscaled starts up as expected in a no router configuration environment + +------------------------------------------------------------------- +Fri Oct 24 18:11:11 UTC 2025 - Richard Rahl + +- Update to version 1.90.2: + * util/linuxfw: fix 32-bit arm regression with iptables + * health: compare warnable codes to avoid errors on release branch + * feature/tpm: check TPM family data for compatibility + +------------------------------------------------------------------- +Fri Oct 24 10:08:31 UTC 2025 - Richard Rahl + +- Upate 
to version 1.90.1: + * Clients can use configured DNS resolvers for all domains + * Node keys will be renewed seamlessly + * Unnecessary path discovery packets over DERP servers are suppressed + * Node key sealing is GA (generally available) and enabled by default + +------------------------------------------------------------------- +Wed Oct 1 11:55:52 UTC 2025 - Richard Rahl + +- update to version 1.88.3: + * cmd/tailscale/cli: add ts2021 debug flag to set a dial plan + * control/controlhttp: simplify, fix race dialing, remove priority concept +- update to version 1.88.2: + * k8s-operator: reset service status before append +- require the minimum go version directly, in comparison to using the golang(API) + symbol + +------------------------------------------------------------------- +Fri Sep 12 11:11:48 UTC 2025 - Richard Rahl + +- update to version 1.88.1: + * Tailscale CLI prompts users to confirm impactful actions + * Tailscale SSH works as expected when using an IP address instead of a + hostname and MagicDNS is disabled + * fixed: Taildrive sharing when su not present + * Taildrive files remain consistently accessible + * new: Tailscale tray GUI + * DERP IPs changed for Singapore and Tokyo +- remove fix-CVE-2025-58058.patch, fixed upstream + +------------------------------------------------------------------- +Fri Aug 29 12:57:59 UTC 2025 - Richard Rahl + +- add patch fix-CVE-2025-58058.patch, fixing bsc#1248920 + +------------------------------------------------------------------- +Fri Aug 29 11:10:29 UTC 2025 - Richard Rahl + +- update to version 1.86.5: + * cmd/k8s-proxy,k8s-operator: fix serve config for userspace mode +- update to version 1.86.4: + * nothing of relevance +- update to version 1.86.3: + * nothing of relevance + +------------------------------------------------------------------- +Tue Jul 29 21:20:47 UTC 2025 - Richard Rahl + +- update to version 1.86.2: + * A deadlock issue that may have occurred in the client + * An occasional crash 
when establishing a new port mapping with a gateway or + firewall + +------------------------------------------------------------------- +Sat Jul 26 16:23:38 UTC 2025 - Richard Rahl + +- update to version 1.86.0: + * tsStateEncrypted device posture attribute for checking whether the + Tailscale client state is encrypted at rest + * Cross-site request forgery (CSRF) issue that may have resulted in a log in + error when accessing the web interface + * Recommended exit node when the previously recommended exit node is offline + * tailscale up --exit-node=auto:any and tailscale set --exit-node=auto:any + CLI commands track the recommended exit node and automatically switches to + it when available exit nodes or network conditions change + * tailscaled CLI command flag --encrypt-state encrypts the node state file on + the disk using trusted platform module (TPM) + +------------------------------------------------------------------- +Thu Jun 26 17:29:44 UTC 2025 - Richard Rahl + +- update to 1.84.3: + * ipn/ipnlocal: Update hostinfo to control on service config change + +------------------------------------------------------------------- +Tue Jun 10 15:36:55 UTC 2025 - Richard Rahl + +- update to 1.84.2: + * Re-enable setting —accept-dns by using TS_EXTRA_ARGS. 
This issue resulted + from stricter CLI arguments parsing introduced in Tailscale v1.84.0 + +------------------------------------------------------------------- +Fri May 30 06:23:15 UTC 2025 - Richard Rahl + +- update to 1.84.1: + * net/dns: cache dns.Config for reuse when compileConfig fails + +------------------------------------------------------------------- +Thu May 22 08:27:09 UTC 2025 - Richard Rahl + +- update to 1.84.0: + * The --reason flag is added to the tailscale down command + * ReconnectAfter policy setting, which configures the maximum period of time + between a user disconnecting Tailscale and the client automatically + reconnecting + * Tailscale CLI commands throw an error if multiple of the same flag are detected + * Network connectivity issues when creating a new profile or switching + profiles while using an exit node + * DNS-over-TCP fallback works correctly with upstream servers reachable only + via the tailnet +- remove fix-CVE-2025-22869.patch, as upstream updated their dependencies + +------------------------------------------------------------------- +Fri Apr 18 07:37:15 UTC 2025 - Richard Rahl + +- update to 1.82.5: + * A panic issue related to CUBIC congestion control in userspace mode is resolved. + +------------------------------------------------------------------- +Thu Mar 27 19:50:58 UTC 2025 - Richard Rahl + +- update to 1.82.0: + * DERP functionality within the client supports certificate pinning for + self-signed IP address certificates for those unable to use Let's Encrypt + or WebPKI certificates. + * Go is updated to version 1.24.1 + * NAT traversal code uses the DERP connection that a packet arrived on as an + ultimate fallback route if no other information is available + * Captive portal detection reliability is improved on some in-flight Wi-Fi networks + * Port mapping success rate is improved + * Helsinki is added as a DERP region. 
+ +------------------------------------------------------------------- +Wed Mar 12 09:07:49 UTC 2025 - Richard Rahl + +- add patch fix-CVE-2025-22869.patch, fixes bsc#1239353 + +------------------------------------------------------------------- +Tue Mar 4 13:42:34 UTC 2025 - Richard Rahl + +- update to 1.80.3: + * appc: fix a deadlock in route advertisements + * client/web: fix CSRF handler order in web UI + +------------------------------------------------------------------- +Thu Feb 13 14:30:28 UTC 2025 - Richard Rahl + +- update to 1.80.2: + * Use ip:country as a geolocation device posture attribute (generally available). + +------------------------------------------------------------------- +Thu Feb 6 19:52:22 UTC 2025 - Richard Rahl + +- update to 1.80.1: + * net/netmon: add extra panic guard around ParseRIB + +------------------------------------------------------------------- +Fri Jan 31 17:20:29 UTC 2025 - Richard Rahl + +- update to 1.80.0: + * Hostname system policy is added for overriding the device hostname + configured by the operating system, using an MDM solution. + * Web interface displays a Login button instead of the Reauthenticate button + when adding a new device to your tailnet. + * Tailscale Funnel configuration on devices displays errors when incoming + connections are not permitted and connections are disallowed. + * Connections to a custom coordination server that does not support HTTPS + will no longer fail when a custom port number is specified. + * TLS certificate requests from Let’s Encrypt include the device's DNS name + in the CSR’s SAN extension and set the Common Name field. + * Tailscale Funnel disabled on a device no longer displays enabled in the + admin console. 
+ * GitHub username change automatically updates tailnet name + * 4via6 subnet routers GA + * Auto approvers GA + * Node attributes GA + * Download invoices GA + * Fast user switching GA + * Configuration log streaming integration with S3 buckets GA + * Network flow log streaming integration with S3 buckets GA + * NextDNS profiles per device GA + * GitHub secret scanning +- remove fix-CVE-2024-45337.patch, as it's now included + +------------------------------------------------------------------- +Wed Dec 18 17:33:23 UTC 2024 - Richard Rahl + +- add patch fix-CVE-2024-45337.patch, to circumevent a possibility + of exploiting the golang-x-crypto security hole. (fix #1234506) + +------------------------------------------------------------------- +Fri Dec 13 05:06:26 UTC 2024 - Richard Rahl + +- update to 1.78.3: + * cmd/containerboot: fix nil pointer exception + * hostinfo: fix testing in container + +------------------------------------------------------------------- +Fri Dec 6 01:22:05 UTC 2024 - Richard Rahl + +- update to 1.78.1: + * health: fix TestHealthMetric + +------------------------------------------------------------------- +Thu Dec 5 22:10:32 UTC 2024 - Richard Rahl + +- update to 1.78.0: + * Client metrics have been added, to provide insights into Tailscale client + behavior, health, and performance. + * tailscale metrics command has been added, to expose and collect client + metrics for use with third-party monitoring systems. + * tailscale syspolicy command has been added, to list system policies, reload + system policies, or view errors related to the system policies configured + on the device. + * Tailscale system policies are applied immediately when pushed via mobile + device management (MDM) or Group Policy, without requiring a client restart. + * Tailscale SSH session recording detects the disappearance of the recorder + node sooner. This fix addresses a security vulnerability described + in TS-2024-013. 
+ * New scopes for OAuth clients have been added with more granular permissions. + Existing OAuth clients using the previous set of scopes, and keys generated + using these clients, are still valid. + +------------------------------------------------------------------- +Fri Nov 8 03:46:50 UTC 2024 - Richard Rahl + +- update to 1.76.6: + * Logging for when clients move home DERP regions is improved. + * Tailscale clients no longer move their home DERP server prematurely in + response to unusual latency at very specific times. + +------------------------------------------------------------------- +Tue Oct 22 18:34:42 UTC 2024 - Richard Rahl + +- update to 1.76.3: + * no relevant changelog +- update to 1.76.2: + * no relevant changelog +- switch over to the new %{default_fw_backend} macro +- create old init file only for < leap 16 + +------------------------------------------------------------------- +Wed Oct 16 20:40:31 UTC 2024 - Richard Rahl + +- update to 1.76.1: + * tailscale netcheck CLI command no longer crashes when performing diagnostics + on networks lacking UDP connectivity. + * Improperly formatted SERVFAIL responses no longer cause DNS timeouts when using an exit node. + * dbus login sessions no longer fail on systems where /bin/login is missing. + +------------------------------------------------------------------- +Mon Oct 14 13:06:13 UTC 2024 - Alexandre Vicenzi + +- Require a firewall backend (boo#1228829) +- Add simple test check to ensure binaries are working + +------------------------------------------------------------------- +Fri Oct 11 06:07:28 UTC 2024 - Richard Rahl + +- update to 1.76.0: + * Clients lacking UDP connectivity no longer skip performing fallback latency + measurements with DERP servers. + * Warnings no longer display unnecessarily. + * Tailscale connectivity on in-flight internet on airplanes (such as Alaska Airlines) no longer fails. 
+ * Service-related processes no longer run unnecessarily when services are disabled on the tailnet. + * Error messages include explanations in addition to the HTTP status code. + * Tailscale SSH supports sending environment variables to hosts. It's also possible to specify + permitted environment variables using the acceptEnv field. + * Tailscale SSH no longer breaks some terminal applications by omitting pixel width and height when + resizing the application window. + +------------------------------------------------------------------- +Sat Sep 21 05:28:42 UTC 2024 - Eric Torres + +- Change path of zsh completion file to make zsh properly recognize completions + * /usr/share/zsh/site-functions/tailscale moved to /usr/share/zsh/site-functions/_tailscale + +------------------------------------------------------------------- +Wed Sep 18 19:10:19 UTC 2024 - Richard Rahl + +- update to 1.74.1: + * wgengine/magicsock: disable raw disco by default; add envknob to enable + +------------------------------------------------------------------- +Fri Sep 13 10:48:17 UTC 2024 - Richard Rahl + +- update to 1.74.0 + * AuthKey system policy can be used to authenticate a device with Tailscale using an MDM solution. + * tailscale dns CLI command is added for accessing Tailscale DNS settings and status. + * Tailnet Lock long rotation signatures are truncated automatically to avoid excessive growth. + * Log In option in the client works as expected. + * TCP generic receive offload (GRO) support is added for improved userspace mode throughput. + * TCP generic segmentation offload (GSO) is re-introduced for supporting improved userspace mode throughput. + This was initially introduced in Tailscale v1.72.0 and then rolled back in v1.72.1. + * Device posture integration with CrowdStrike Falcon can now use MAC addresses to match devices that lack serial numbers. + When Falcon integration is configured, Device Identity Collection will automatically collect MAC addresses. 
+ +------------------------------------------------------------------- +Thu Aug 22 22:08:51 UTC 2024 - Richard Rahl + +- update to 1.72.1: + * DNS over TCP failures when querying the Tailscale-internal resolver are fixed. + +------------------------------------------------------------------- +Wed Aug 21 16:05:02 UTC 2024 - rrahl0@opensuse.org + +- Update to version 1.72.0: + * posture: deduplicate MAC addresses before returning them + * health/dns: reduce severity of DNS unavailable warning + * safeweb: add Server.Close method + * go.mod.sri: update SRI hash for go.mod changes + * go.{mod,sum}: migrate from nhooyr.io/websocket to github.com/coder/websocket + * cmd/viewer: add support for map-like container types +- update golang(API) to 1.23 +- export version variables, to circumvent a bug + +------------------------------------------------------------------- +Thu Jul 18 06:31:58 UTC 2024 - Richard Rahl + +- update to 1.70.0: + * New: Restrict recommended and automatically selected exit nodes using the + new AllowedSuggestedExitNodes system policy. Applies only to platforms that + support system policies. + * Changed: Improved NAT traversal for some uncommon scenarios. + * Changed: Optimized sending firewall rules to clients more efficiently. + * Fixed: Exit node suggestion CLI command now prints the hostname. + * Fixed: Taildrive share paths configured through the CLI resolve relative + to where you run the tailscale command. + +------------------------------------------------------------------- +Tue Jul 2 20:35:35 UTC 2024 - Richard Rahl + +- update to 1.68.2: + * Fixed: Tailnet lock validation of rotation signatures now permits multiple nodes + signed by the same pre-signed reusable auth key. + +------------------------------------------------------------------- +Sun Jun 16 13:30:20 UTC 2024 - Richard Rahl + +- update to 1.68.1: + * Fixed: 4via6 subnet router advertisement works as expected. 
+ * Fixed: Tailscale SSH access to Security-Enhanced Linux (SELinux) machines works as expected. +- update to 1.68.0: + * New: Auto-updates are allowed in containers, but ignore the tailnet-wide default + * New: Apply auto-updates even if the node is down or disconnected from the coordination server. + * New: tailscale lock status now prints the node's signature. + +------------------------------------------------------------------- +Wed May 22 08:36:37 UTC 2024 - Richard Rahl + +- update to 1.66.4: + * Fixed: Restored UDP connectivity through Mullvad exit nodes + * Stateful filtering is now off by default + +- update to 1.66.3: + * Login URLs did not always appear in the console when running tailscale up + * Starting with v1.66, the Kubernetes operator must always run the same or later version + as the proxies it manages. + * Expose cloud services on cluster network to the tailnet, using Kubernetes ExternalName Services + * Expose tailnet services that use Tailscale HTTPS to cluster workloads + * Cluster workloads can now refer to Tailscale Ingress resources by their MagicDNS names + * Configure environment variables for Tailscale Kubernetes operator proxies using ProxyClass CRD + * Expose tailscaled metrics endpoint for Tailscale Kubernetes operator proxies through ProxyClass CRD + * Configure labels for the Kubernetes operator Pods with Helm chart values + * Configure affinity rules for Kubernetes operator proxy Pods with ProxyClass + * Kubernetes operator proxy init container no longer attempts to enable IPv6 forwarding on systems + that don't have IPv6 module loaded + * Tailscale containers running on Kubernetes no longer error if an empty Kubernetes Secret is + pre-created for the tailscaled state + * Improved the ambiguous error messages when Tailscale running on Kubernetes does not have the right + permissions to perform actions against the tailscaled state Secret + +------------------------------------------------------------------- +Fri May 10 15:16:33 
UTC 2024 - Richard Rahl + +- update to 1.66.1: + * Resolved issues with nftables rules for stateful filtering, + introduced in v1.66.0. + * tailscale set command flags --netfilter-mode, --snat-subnet-routes, + and --stateful-filtering are added. + +- update to 1.66.0: + * Implemented client-side quarantining for shared-in exit nodes, + as a mitigation for a security vulnerability described in TS-2024-005. + * Use the --stateful-filtering flag for the tailscale up to enable stateful filtering for + subnet routers and exit nodes, as a mitigation for a security vulnerability described + in TS-2024-005. + * Added tab completions + * Use the tailscale exit-node suggest command to automatically pick an available exit node + that is likely to perform best. + * Site-to-site networking now also requires --stateful-filtering=false in addition to + --snat-subnet-routes=false on new subnet routers. Existing subnet routers with --snat-subnet-routes=false + will default to --stateful-filtering=false. + +- update to 1.64.2: + * nothing relevant for linux + +- update to 1.64.1: + * nothing relevant for linux + +- update to 1.64.0: + * New: tailscale configure kubeconfig now respects KUBECONFIG environment variable. + * Fixed: tailscale configure kubeconfig now works with partially empty kubeconfig. + * Fixed: MSS clamping for Kubernetes operator proxies using nftables. + * Fixed: Containers on hosts with partial support for ip6tables no longer crash. 
+ +- turn of changelog generation +- add completions for bash + +------------------------------------------------------------------- +Sat Mar 30 08:28:56 UTC 2024 - Richard Rahl + +- update to 1.62.1: + * Send load balancing hint HTTP request header + * Fixed: Kubernetes operator proxies should not accept subnet routes + +------------------------------------------------------------------- +Thu Mar 14 03:13:54 UTC 2024 - rrahl0@proton.me + +- update to 1.62.0: + * IPv6 support detection in a container environment is improved + * New: Web interface now uses ACL grants to manage access on tagged devices + * Tailscale SSH connections now disable unnecessary hostname canonicalization + * tailscale bugreport command for generating diagnostic logs now contain ethtool information + * Mullvad's family-friendly server is added to the list of well known DNS over HTTPS (DoH) servers + * DNS over HTTP requests now contain a timeout + * TCP forwarding attempts in userspace mode now have a per-client limit + * Endpoints with link-local IPv6 addresses is preferred over private addresses + * WireGuard logs are less verbose + * Go min. 
version 1.22.1 + * DERP server region no longer changes if connectivity to the new DERP region is degraded + +- update to 1.60.1: + * Exposing port 8080 to other devices on your tailnet works as expected + +------------------------------------------------------------------- +Tue Feb 20 22:10:41 UTC 2024 - Alexandre Vicenzi + +- Add disable-auto-update.patch to prevent auto updates and instead + ask users to use Zypper to update manually + +------------------------------------------------------------------- +Tue Feb 20 14:52:46 UTC 2024 - Richard Rahl + +- change to the non deprecated manualrun + +------------------------------------------------------------------- +Fri Feb 16 14:38:14 UTC 2024 - alexandre.vicenzi@suse.com + +- Spec cleanup + * Use tar_scm to avoid commit hashes in the spec + * Use tailscale build scripts + * Drop ProtectClock fix for Leap, DeviceAllow fixes it +- Add build-verbose.patch to get go flags into build log +- Enable PrivateDevices but allow access to /dev/net/tun in tailscaled.service + +------------------------------------------------------------------- +Fri Feb 16 00:50:26 UTC 2024 - Richard Rahl + +- update to 1.60.0: + * minimum go version 1.22 + * authentication: present users with a valid login page when + attempting to login even after leaving device unattended for several days + * networking: mute noisy peer mtu discovery errors + * networking: expose gVisor metrics in debug mode + * port mapper: support legacy "urn:dslforum-org" port mapping services + * port mapper: fix crash when no support mapping services found + * ssh: log warning when unable to find SSH host keys + * serve: improve error message when running as non-root + * Detect when Tailscale is running on Digital Ocean and automatically + use Digital Ocean's DNS resolvers + * enable app connectors to install routes for domains that resolve to CNAME + records + * support pre-configured routes from control server + * add new read-only mode + * tailscale status command: 
fix output formatting Tailnet + includes location-based exit nodes + * a new ProxyClass custom resource that allows to provide custom + configuration for cluster resources that the operator creates + * ACL tags for the operator can now be configured via Helm chart values + * routing to Ingress backends that require an exact path without a slash + +------------------------------------------------------------------- +Wed Feb 7 14:52:53 UTC 2024 - Richard Rahl + +- make rpm not overwrite /etc/default/taiscaled +- defattr everything to root + +------------------------------------------------------------------- +Sat Feb 3 11:18:05 UTC 2024 - Richard Rahl + +- no stripping of binaries +- add commitID to binaries for upstream +- add directory for saved configs + +------------------------------------------------------------------- +Tue Jan 23 23:54:36 UTC 2024 - Richard Rahl + +- switch services to manual +- update to version 1.58.2: + * Fixed: [App connectors][app-connectors] have improved scheduling + and merging of route changes under some conditions + * Fixed: Crash when performing UPnP portmapping on older routers + with no supported portmapping services + +------------------------------------------------------------------- +Fri Jan 19 08:06:27 UTC 2024 - Richard Rahl + +- update to version 1.58.0: + * portmap: check the epoch from NAT-PMP & PCP, establish new portmapping if it changes + * portmap: better handle multiple interfaces + * portmap: handle multiple UPnP discovery responses + * increase the number of 4via6 site IDs from 256 to 65,536 + * taildrop: allow category Z unicode characters + * increased binary size with 1.56 is resolved in 1.58 + * Reduce home DERP flapping when there's still an active connection + * device web ui: fixed issue when accessing shared devices + * device web ui: fixed login issue when accessed over https + +------------------------------------------------------------------- +Wed Jan 10 02:17:57 UTC 2024 - Richard Rahl + +- fix an 
issue with Leap, where ProtectClock prevents to connect to + /dev/net/tun + +------------------------------------------------------------------- +Fri Dec 15 21:22:39 UTC 2023 - Richard Rahl + +- update to version 1.56.1: + * Fixed: Web interface redirects to the correct self IP known by source peer + * Fixed: Usage of slices.Compact from app connector domains list + +------------------------------------------------------------------- +Fri Dec 15 13:48:28 UTC 2023 - Richard Rahl + +- fix version output to what upstream expects + +------------------------------------------------------------------- +Wed Dec 13 22:08:30 UTC 2023 - rrahl0@proton.me + +- Update to version 1.56.0: + * improve responsiveness under load, especially with bidirectional traffic + * improve UPnP portmapping + * add tailscale whois subcommand to observe metadata associated with a Tailscale IP + * include tailnet name and profile ID in tailscale switch --list to disambiguate + profiles with common login names + * improve tailscale web interface for configuring some device settings such as exit nodes, + subnet routers, and Tailscale SSH + * improve containerboot to symlink its socket file if possible, + making the tailscale CLI work without --socket=/tmp/tailscale.sock + * add support in Kubernetes operator cluster egress for referring to a tailnet service + by its MagicDNS name + + +- Update to version 1.54.1: + * no relevant updates to the linux version + +------------------------------------------------------------------- +Fri Nov 24 21:59:11 UTC 2023 - Richard Rahl + +- tailscale couldn't connect to /dev/net/tun + +------------------------------------------------------------------- +Thu Nov 23 06:51:24 UTC 2023 - rrahl0@proton.me + +- Update to version 1.54.0: + * improve throughput substantially for UDP packets over TUN device with recent Linux kernels + + +- Update to version 1.52.1: + * no linux improvements + +- Update to version 1.52.0: + * tailscale set command flag --auto-update is 
added to opt in to automatic client updates + * tailscale serve and tailscale funnel commands are updated for improved usability + * tailscale update command for manual updates is now in beta + * Taildrop file transfer displays a progress meter + * nftables auto-detection is improved when TS_DEBUG_FIREWALL_MODE=auto is used + * DNS detection of NetworkManager with configured but absent systemd-resolved + * Taildrop now resumes file transfers after partial transfers are interrupted + * tailscale up command displays a message about client updates when newer versions are available + * tailscale status command displays a message about client updates when newer versions are available + * tailscale cert command renews in the background. The current certificate only displays if it has expired. + +------------------------------------------------------------------- +Mon Oct 02 23:51:03 UTC 2023 - rrahl0@proton.me + +- Update to version 1.50.1: + * fix bug where serve config could get wiped + * Funnel support for tsnet apps + * fix potential crash with UPnP + +------------------------------------------------------------------- +Sat Sep 30 19:38:50 UTC 2023 - rrahl0@proton.me + +- Update to version 1.50.0: + * Update tailscale{,d} licenses + * Update Quad9 addresses and references + * Adds support for Wikimedia DNS using DNS-over-HTTPS + +- Update to version 1.48.1: + * no relevant updates + +- Update to version 1.48.2: + * Improvements to Mullvad exit nodes + +------------------------------------------------------------------- +Fri Aug 18 15:56:24 UTC 2023 - Richard Rahl + +- Initial revision diff --git a/tailscale.spec b/tailscale.spec new file mode 100644 index 0000000..1680978 --- /dev/null +++ b/tailscale.spec 
@@ -0,0 +1,143 @@
+#
+# spec file for package tailscale
+#
+# Copyright (c) 2026 SUSE LLC and contributors
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name: tailscale
+Version: 1.94.1
+Release: 0
+Summary: The easiest, most secure way to use WireGuard and 2FA
+License: BSD-3-Clause
+URL: https://github.com/tailscale/tailscale
+Source: %{name}-%{version}.tar.gz
+Source1: vendor.tar.gz
+Source2: %{name}d.service
+Source3: %{name}d.defaults
+Patch0: build-verbose.patch
+Patch1: disable-auto-update.patch
+BuildRequires: bash-completion
+BuildRequires: fish
+BuildRequires: git-core
+BuildRequires: go1.25 >= 1.25.5
+BuildRequires: golang-packaging
+BuildRequires: zsh
+Requires: %{default_firewall_backend}
+ExcludeArch: %{ix86}
+%{?systemd_requires}
+
+%description
+Tailscale is a modern VPN built on top of Wireguard. It works like an overlay
+network between the computers of your networks using NAT traversal.
+
+%package bash-completion
+Summary: Tailscale bash completion
+Supplements: (%{name} and bash-completion)
+BuildArch: noarch
+
+%description bash-completion
+bash completions for %{name}
+
+%package zsh-completion
+Summary: Tailsacle zsh completion
+Supplements: (%{name} and zsh)
+BuildArch: noarch
+
+%description zsh-completion
+zsh completion for %{name}
+
+%package fish-completion
+Summary: Tailscale fish completion
+Supplements: (%{name} and fish)
+BuildArch: noarch
+
+%description fish-completion
+fish completion for %{name}
+
+%prep
+%autosetup -a1 -p1
+
+%build
+%ifnarch ppc64
+export GOFLAGS="-buildmode=pie"
+%endif
+export VERSION_SHORT=%{version}
+export VERSION_LONG=%{version}
+export VERSION_GIT_HASH='$(git rev-parse v%{version})'
+./build_dist.sh ./cmd/%{name}
+./build_dist.sh ./cmd/%{name}d
+
+#generate completions
+./%{name} completion bash > ./%{name}.bash
+./%{name} completion zsh > ./%{name}.zsh
+./%{name} completion fish > ./%{name}.fish
+
+%check
+./%{name} version
+./%{name}d -version
+
+%install
+mkdir -p %{buildroot}%{_sharedstatedir}/%{name}
+
+install -D -p -m 0755 %{name} %{buildroot}%{_bindir}/%{name}
+install -D -p -m 0755 %{name}d %{buildroot}%{_sbindir}/%{name}d
+
+# service
+install -D -p -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/%{name}d.service
+%if 0%{?suse_version} < 1600
+ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}d
+%endif
+
+# defaults
+install -D -p -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/default/%{name}d
+
+install -D -p -m 0644 ./%{name}.bash %{buildroot}%{_datadir}/bash-completion/completions/%{name}
+install -D -p -m 0644 ./%{name}.zsh %{buildroot}%{_datadir}/zsh/site-functions/_%{name}
+install -D -p -m 0644 ./%{name}.fish %{buildroot}%{_datadir}/fish/vendor_completions.d/%{name}
+
+%pre
+%service_add_pre %{name}d.service
+
+%post
+%service_add_post %{name}d.service
+
+%preun
+%service_del_preun %{name}d.service
+
+%postun
+%service_del_postun %{name}d.service
+
+%files
+%license LICENSE PATENTS
+%doc README.md SECURITY.md
+%config(noreplace) %{_sysconfdir}/default/%{name}d
+%dir %{_sharedstatedir}/%{name}
+%{_bindir}/%{name}
+%{_sbindir}/%{name}d
+%{_unitdir}/%{name}d.service
+%if 0%{?suse_version} < 1600
+%{_sbindir}/rc%{name}d
+%endif
+
+%files bash-completion
+%{_datadir}/bash-completion/completions/%{name}
+
+%files zsh-completion
+%{_datadir}/zsh/site-functions/_%{name}
+
+%files fish-completion
+%{_datadir}/fish/vendor_completions.d/%{name}
+
+%changelog
diff --git a/tailscaled.defaults b/tailscaled.defaults
new file mode 100644
index 0000000..75f1c3e
--- /dev/null
+++ b/tailscaled.defaults
@@ -0,0 +1,8 @@
+# Set the port to listen on for incoming VPN packets.
+# Remote nodes will automatically be informed about the new port number,
+# but you might want to configure this in order to set external firewall
+# settings.
+PORT="41641"
+
+# Extra flags you might want to pass to tailscaled.
+FLAGS=""
diff --git a/tailscaled.service b/tailscaled.service
new file mode 100644
index 0000000..b67b94d
--- /dev/null
+++ b/tailscaled.service
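Review bot: The state directory is packaged without an explicit mode: `%install` creates `%{_sharedstatedir}/%{name}` with the build umask and `%files` lists it as a bare `%dir`, so it ships 0755 even though the unit installed from `%{SOURCE2}` asks for `StateDirectoryMode=0700` and points `--state=` at a file inside it (which, as far as I know, holds the node's private key). Declaring it as `%dir %attr(0700,root,root) %{_sharedstatedir}/%{name}` keeps the directory closed from package installation onward instead of relying on systemd to tighten it on the first service start. Separately, `export VERSION_GIT_HASH='$(git rev-parse v%{version})'` is single-quoted, so unless build_dist.sh evaluates the value itself the binaries will embed the literal text rather than a commit hash; if the tar_scm tarball has no `.git`, pass the revision from `_servicedata` or drop the variable rather than leaving a placeholder in the build.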
@@ -0,0 +1,35 @@
+[Unit]
+Description=Tailscale node agent
+Documentation=https://tailscale.com/kb/
+Wants=network-pre.target
+After=network-pre.target NetworkManager.service systemd-resolved.service
+
+[Service]
+EnvironmentFile=/etc/default/tailscaled
+ExecStartPre=/usr/sbin/tailscaled --cleanup
+ExecStart=/usr/sbin/tailscaled --state=/var/lib/tailscale/tailscaled.state --socket=/run/tailscale/tailscaled.sock --port=${PORT} $FLAGS
+ExecStopPost=/usr/sbin/tailscaled --cleanup
+Restart=on-failure
+RuntimeDirectory=tailscale
+RuntimeDirectoryMode=0755
+StateDirectory=tailscale
+StateDirectoryMode=0700
+CacheDirectory=tailscale
+CacheDirectoryMode=0750
+Type=notify
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+PrivateDevices=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+RestrictRealtime=true
+# give permission to TUN
+BindPaths=/dev/net/tun
+DeviceAllow=/dev/net/tun rw
+
+[Install]
+WantedBy=multi-user.target
diff --git a/vendor.tar.gz b/vendor.tar.gz
new file mode 100644
index 0000000..7d3e0e2
--- /dev/null
+++ b/vendor.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0b47b6bb0e4b7feee25f4d6f1cb0626e24201972fbc343e0db5dc8a868a74077
+size 23982942
-- 
2.51.1
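Review bot: `ProtectHome=true` in the hardening block is likely to break Tailscale SSH on this host: the SSH server runs inside tailscaled and, as far as I know, spawns each login session from the daemon's own mount namespace, so /home and /root would be invisible to the logged-in user. If that feature is meant to work here, either drop the setting or record the trade-off next to it, e.g. `# ProtectHome=true also hides /home from Tailscale SSH sessions; relax to read-only/false if SSH is enabled`. The block also leaves out `ProtectSystem=`, presumably because tailscaled rewrites /etc/resolv.conf for MagicDNS; a one-line comment saying so would stop a future packager from re-adding it and silently breaking DNS.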