7 changed files with 267 additions and 91 deletions
--- a/3
+++ b/3
@@ -3,11 +3,12 @@
    <param name="url">https://github.com/tailscale/tailscale.git</param>
    <param name="scm">git</param>
    <param name="package-meta">yes</param>
-    <param name="revision">refs/tags/v1.80.3</param>
+    <param name="revision">refs/tags/v1.94.1</param>
    <param name="versionformat">@PARENT_TAG@</param>
    <param name="versionrewrite-pattern">v(.*)</param>
    <param name="changesgenerate">disable</param>
  </service>
+  <service name="set_version" mode="manual" />
  <service name="recompress" mode="manual">
    <param name="file">*.tar</param>
    <param name="compression">gz</param>
--- a/fix-CVE-2025-22869.patch
+++ b/fix-CVE-2025-22869.patch
@@ -1,80 +0,0 @@
-diff -rub tailscale-1.80.3/go.mod tailscale-1.80.3-patched/go.mod
--- tailscale-1.80.3/go.mod	2025-03-03 21:05:20.000000000 +0100
-+++ tailscale-1.80.3-patched/go.mod	2025-03-12 10:00:39.364237325 +0100
-@@ -94,14 +94,14 @@
- 	go.uber.org/zap v1.27.0
- 	go4.org/mem v0.0.0-20240501181205-ae6ca9944745
- 	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba
-	golang.org/x/crypto v0.33.0
-+	golang.org/x/crypto v0.36.0
- 	golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8
- 	golang.org/x/mod v0.22.0
- 	golang.org/x/net v0.35.0
- 	golang.org/x/oauth2 v0.25.0
-	golang.org/x/sync v0.11.0
-	golang.org/x/sys v0.30.0
-	golang.org/x/term v0.29.0
-+	golang.org/x/sync v0.12.0
-+	golang.org/x/sys v0.31.0
-+	golang.org/x/term v0.30.0
- 	golang.org/x/time v0.9.0
- 	golang.org/x/tools v0.29.0
- 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2
-@@ -385,7 +385,7 @@
- 	go.uber.org/multierr v1.11.0 // indirect
- 	golang.org/x/exp/typeparams v0.0.0-20240314144324-c7f7c6466f7f // indirect
- 	golang.org/x/image v0.23.0 // indirect
-	golang.org/x/text v0.22.0 // indirect
-+	golang.org/x/text v0.23.0 // indirect
- 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
- 	google.golang.org/protobuf v1.35.1 // indirect
- 	gopkg.in/inf.v0 v0.9.1 // indirect
-diff -rub tailscale-1.80.3/go.sum tailscale-1.80.3-patched/go.sum
--- tailscale-1.80.3/go.sum	2025-03-03 21:05:20.000000000 +0100
-+++ tailscale-1.80.3-patched/go.sum	2025-03-12 10:01:30.149309580 +0100
-@@ -1060,6 +1060,8 @@
- golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
- golang.org/x/crypto v0.33.0 h1:IOBPskki6Lysi0lo9qQvbxiQ+FvsCC/YWOecCHAixus=
- golang.org/x/crypto v0.33.0/go.mod h1:bVdXmD7IV/4GdElGPozy6U7lWdRXA4qyRVGJV57uQ5M=
-+golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
-+golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
- golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
- golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
- golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
-@@ -1173,6 +1175,8 @@
- golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
- golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w=
- golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-+golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
-+golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
- golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
- golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
- golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-@@ -1233,6 +1237,8 @@
- golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
- golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
- golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-+golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
-+golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
- golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
- golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
- golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-@@ -1241,6 +1247,8 @@
- golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
- golang.org/x/term v0.29.0 h1:L6pJp37ocefwRRtYPKSWOWzOtWSxVajvz2ldH/xi3iU=
- golang.org/x/term v0.29.0/go.mod h1:6bl4lRlvVuDgSf3179VpIxBF0o10JUpXWOnI7nErv7s=
-+golang.org/x/term v0.30.0 h1:PQ39fJZ+mfadBm0y5WlL4vlM7Sx1Hgf13sMIY2+QS9Y=
-+golang.org/x/term v0.30.0/go.mod h1:NYYFdzHoI5wRh/h5tDMdMqCqPJZEuNqVR5xJLd/n67g=
- golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
- golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
- golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-@@ -1253,6 +1261,8 @@
- golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
- golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=
- golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
-+golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
-+golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
- golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
- golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
- golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-Only in tailscale-1.80.3-patched: vendor
--- a/tailscale-1.80.3.tar.gz
+++ b/tailscale-1.80.3.tar.gz
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:8cfab48a1a40bc27445bc1aea0daedc7c1147a1ee61fe3abbf32c1eb8acaca33
-size 13706235
--- a/tailscale-1.94.1.tar.gz
+++ b/tailscale-1.94.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e3483445965f144c8fa31cf59cbd45bd0fd3f08b42a9bf821cdd30f7497f07ff
+size 20149545
--- a/tailscale.changes
+++ b/tailscale.changes
@@ -1,3 +1,259 @@
+-------------------------------------------------------------------
+Fri Jan 30 11:52:12 UTC 2026 - Richard Rahl <rrahl0@opensuse.org>
+
+- Update to version 1.94.0:
+  * IS SET and NOT SET have been added as device posture operators
+  * India DERP Region City Name updated
+  * Custom DERP servers support GCP Certificate Manager
+  * Tailscale SSH authentication, when successful, results in LOGIN audit
+    messages being sent to the kernel audit subsystem
+  * Tailscale Peer Relay throughput is improved when the SO_REUSEPORT socket
+    option is supported on multi-core systems
+  * Tailscale Peer Relay server handshake transmission is guarded against
+    routing loops over Tailscale
+  * MagicDNS always resolves when using resolv.conf without a DNS manager
+  * tailscaled_peer_relay_forwarded_packets_total and
+    tailscaled_peer_relay_forwarded_bytes_total client metrics are available for
+    Tailscale Peer Relays
+  * Identity tokens are automatically generated for workload identities
+  * --audience flag added to tailscale up command to support auto generation of
+    ID tokens for workload identity
+  * tsnet nodes can host Tailscale Services
+  * The tailscale lock status -json command returns tailnet key authority (TKA)
+    data in a stable format
+  * Tailscale Peer Relays deliver improved throughput through monotonic time
+    comparison optimizations and reduced lock contention
+  * Tailscale Services virtual IPs are now automatically accepted by clients
+    across all platforms regardless of the status of the --accept-routes
+    feature
+
+-------------------------------------------------------------------
+Wed Jan 21 01:30:13 UTC 2026 - Richard Rahl <rrahl0@opensuse.org>
+
+- Update to version 1.94.0:
+  * derp/derpserver: add a unique sender cardinality estimate
+  * syncs: add means of declare locking assumptions for debug mode
+  * cmd/k8s-operator: add support for taiscale.com/http-redirect
+  * cmd/k8s-operator fix populateTLSSecret on tests
+  * feature/posture: log method and full URL for posture identity requests
+  * k8s-operator: Fix typos in egress-pod-readiness.go
+  * cmd/tailscale,ipn: add Unix socket support for serve
+  * client/systray: change systray to start after graphical.target
+  * cmd/k8s-operator: warn if users attempt to expose a headless Service
+  * cmd/tailscale/cli, util/qrcodes: format QR codes on Linux consoles
+  * tsnet: ensure funnel listener cleans up after itself when closed
+  * ipn/store/kubestore: don't load write replica certs in memory
+  * tsnet: allow for automatic ID token generation
+
+-------------------------------------------------------------------
+Fri Jan  9 00:06:05 UTC 2026 - Richard Rahl <rrahl0@opensuse.org>
+
+- Update to version 1.92.5:
+  * types/persist: omit Persist.AttestationKey based on IsZero
+  * disable hardware attestation for kubernetes
+  * allow opting out of ACME order replace extension
+- Update to version 1.92.4:
+  * nothing of importance
+
+-------------------------------------------------------------------
+Wed Dec 17 13:24:06 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>
+
+- Update to version 1.92.3:
+  * WireGuard configuration that occurs automatically in the client, no longer
+    results in a panic
+
+-------------------------------------------------------------------
+Fri Dec 12 14:21:14 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>
+
+- Update to version 1.92.2:
+  * cmd/derper: add GCP Certificate Manager support
+
+-------------------------------------------------------------------
+Sat Dec  6 11:39:58 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>
+
+- Update to version 1.92.1:
+  * fix LocalBackend deadlock when packet arrives during profile switch
+  * wgengine: fix TSMP/ICMP callback leak
+- Update to version 1.92.0:
+  * no changelog provided
+- Update to version 1.90.9:
+  * tailscaled no longer deadlocks during event bursts
+  * The client no longer hangs after wake up
+
+-------------------------------------------------------------------
+Wed Nov 19 16:23:06 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>
+
+- Update to version 1.90.8:
+  * tka: move RemoveAll() to CompactableChonk
+- Update to version 1.90.7:
+  * wgengine/magicsock: validate endpoint.derpAddr
+  * wgengine/magicsock: fix UDPRelayAllocReq/Resp deadlock
+  * net/udprelay: replace VNI pool with selection algorithm
+  * feature/relayserver,ipn/ipnlocal,net/udprelay: plumb DERPMap
+  * feature/relayserver: fix Shutdown() deadlock
+  * net/netmon: do not abandon a subscriber when exiting early
+  * tka: don't try to read AUMs which are partway through being written
+  * tka: rename a mutex to mu instead of single-letter l
+  * ipn/ipnlocal: use an in-memory TKA store if FS is unavailable
+
+-------------------------------------------------------------------
+Sun Nov  2 11:43:31 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>
+
+- Update to version 1.90.6:
+  * Routes no longer stall and fail to apply when updated repeatedly in a short
+    period of time
+  * Tailscale SSH no longer hangs for 10s when connecting to tsrecorder. This
+    affected tailnets that use Tailscale SSH recording
+
+-------------------------------------------------------------------
+Wed Oct 29 09:50:22 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>
+
+- Update to version 1.90.4:
+  * deadlock issue no longer occurs in the client when checking
+    for the network to be available
+  * tailscaled no longer sporadically panics when a
+    Trusted Platform Module (TPM) device is present
+
+-------------------------------------------------------------------
+Tue Oct 28 11:12:50 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>
+
+- Update to version 1.90.3:
+  * tailscaled shuts down as expected and without panic
+  * tailscaled starts up as expected in a no router configuration environment
+
+-------------------------------------------------------------------
+Fri Oct 24 18:11:11 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>
+
+- Update to version 1.90.2:
+  * util/linuxfw: fix 32-bit arm regression with iptables
+  * health: compare warnable codes to avoid errors on release branch
+  * feature/tpm: check TPM family data for compatibility
+
+-------------------------------------------------------------------
+Fri Oct 24 10:08:31 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>
+
+- Upate to version 1.90.1:
+  * Clients can use configured DNS resolvers for all domains
+  * Node keys will be renewed seamlessly
+  * Unnecessary path discovery packets over DERP servers are suppressed
+  * Node key sealing is GA (generally available) and enabled by default
+
+-------------------------------------------------------------------
+Wed Oct  1 11:55:52 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>
+
+- update to version 1.88.3:
+  * cmd/tailscale/cli: add ts2021 debug flag to set a dial plan
+  * control/controlhttp: simplify, fix race dialing, remove priority concept
+- update to version 1.88.2:
+  * k8s-operator: reset service status before append
+- require the minimum go version directly, in comparison to using the golang(API)
+  symbol
+
+-------------------------------------------------------------------
+Fri Sep 12 11:11:48 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>
+
+- update to version 1.88.1:
+  * Tailscale CLI prompts users to confirm impactful actions
+  * Tailscale SSH works as expected when using an IP address instead of a
+    hostname and MagicDNS is disabled
+  * fixed: Taildrive sharing when su not present
+  * Taildrive files remain consistently accessible
+  * new: Tailscale tray GUI
+  * DERP IPs changed for Singapore and Tokyo
+- remove fix-CVE-2025-58058.patch, fixed upstream
+
+-------------------------------------------------------------------
+Fri Aug 29 12:57:59 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>
+
+- add patch fix-CVE-2025-58058.patch, fixing bsc#1248920
+
+-------------------------------------------------------------------
+Fri Aug 29 11:10:29 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>
+
+- update to version 1.86.5:
+  * cmd/k8s-proxy,k8s-operator: fix serve config for userspace mode
+- update to version 1.86.4:
+  * nothing of relevance
+- update to version 1.86.3:
+  * nothing of relevance
+
+-------------------------------------------------------------------
+Tue Jul 29 21:20:47 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>
+
+- update to version 1.86.2:
+  * A deadlock issue that may have occurred in the client
+  * An occasional crash when establishing a new port mapping with a gateway or
+    firewall
+
+-------------------------------------------------------------------
+Sat Jul 26 16:23:38 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>
+
+- update to version 1.86.0:
+  * tsStateEncrypted device posture attribute for checking whether the
+    Tailscale client state is encrypted at rest
+  * Cross-site request forgery (CSRF) issue that may have resulted in a log in
+    error when accessing the web interface
+  * Recommended exit node when the previously recommended exit node is offline
+  * tailscale up --exit-node=auto:any and tailscale set --exit-node=auto:any
+    CLI commands track the recommended exit node and automatically switches to
+    it when available exit nodes or network conditions change
+  * tailscaled CLI command flag --encrypt-state encrypts the node state file on
+    the disk using trusted platform module (TPM)
+
+-------------------------------------------------------------------
+Thu Jun 26 17:29:44 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>
+
+- update to 1.84.3:
+  * ipn/ipnlocal: Update hostinfo to control on service config change
+
+-------------------------------------------------------------------
+Tue Jun 10 15:36:55 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>
+
+- update to 1.84.2:
+  * Re-enable setting —accept-dns by using TS_EXTRA_ARGS. This issue resulted
+    from stricter CLI arguments parsing introduced in Tailscale v1.84.0
+
+-------------------------------------------------------------------
+Fri May 30 06:23:15 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>
+
+- update to 1.84.1:
+  * net/dns: cache dns.Config for reuse when compileConfig fails
+
+-------------------------------------------------------------------
+Thu May 22 08:27:09 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>
+
+- update to 1.84.0:
+  * The --reason flag is added to the tailscale down command
+  * ReconnectAfter policy setting, which configures the maximum period of time
+    between a user disconnecting Tailscale and the client automatically
+    reconnecting
+  * Tailscale CLI commands throw an error if multiple of the same flag are detected
+  * Network connectivity issues when creating a new profile or switching
+    profiles while using an exit node
+  * DNS-over-TCP fallback works correctly with upstream servers reachable only
+    via the tailnet
+- remove fix-CVE-2025-22869.patch, as upstream updated their dependencies
+
+-------------------------------------------------------------------
+Fri Apr 18 07:37:15 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>
+
+- update to 1.82.5:
+  * A panic issue related to CUBIC congestion control in userspace mode is resolved.
+
+-------------------------------------------------------------------
+Thu Mar 27 19:50:58 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>
+
+- update to 1.82.0:
+  * DERP functionality within the client supports certificate pinning for
+    self-signed IP address certificates for those unable to use Let's Encrypt
+    or WebPKI certificates.
+  * Go is updated to version 1.24.1
+  * NAT traversal code uses the DERP connection that a packet arrived on as an
+    ultimate fallback route if no other information is available
+  * Captive portal detection reliability is improved on some in-flight Wi-Fi networks
+  * Port mapping success rate is improved
+  * Helsinki is added as a DERP region.
+
 -------------------------------------------------------------------
 Wed Mar 12 09:07:49 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>

--- a/tailscale.spec
+++ b/tailscale.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package tailscale
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2026 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@


 Name:           tailscale
-Version:        1.80.3
+Version:        1.94.1
 Release:        0
 Summary:        The easiest, most secure way to use WireGuard and 2FA
 License:        BSD-3-Clause
@@ -28,15 +28,14 @@ Source2:        %{name}d.service
 Source3:        %{name}d.defaults
 Patch0:         build-verbose.patch
 Patch1:         disable-auto-update.patch
-Patch2:         fix-CVE-2025-22869.patch
 BuildRequires:  bash-completion
 BuildRequires:  fish
 BuildRequires:  git-core
+BuildRequires:  go1.25 >= 1.25.5
 BuildRequires:  golang-packaging
 BuildRequires:  zsh
-BuildRequires:  golang(API) = 1.23
 Requires:       %{default_firewall_backend}
-ExcludeArch:    i586
+ExcludeArch:    %{ix86}
 %{?systemd_requires}

 %description
--- a/vendor.tar.gz
+++ b/vendor.tar.gz
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:55812d888060e6b92a0a1612e1f0ab69de3529825842c4327029f0f8a2ee9563
-size 20212560
+oid sha256:0b47b6bb0e4b7feee25f4d6f1cb0626e24201972fbc343e0db5dc8a868a74077
+size 23982942