From df53e25b6e526b3b65223dab8546a640c48985ef1c6d25684b91207df26a115c Mon Sep 17 00:00:00 2001 From: Robert Frohl Date: Wed, 4 Feb 2026 16:57:44 +0100 Subject: [PATCH] Update submodules from pool/tailscale#1 and create patchinfo.20260204155545137018.93181000773252/_patchinfo --- .../_patchinfo | 195 ++++++++++++++++++ tailscale | 2 +- 2 files changed, 196 insertions(+), 1 deletion(-) create mode 100644 patchinfo.20260204155545137018.93181000773252/_patchinfo diff --git a/patchinfo.20260204155545137018.93181000773252/_patchinfo b/patchinfo.20260204155545137018.93181000773252/_patchinfo new file mode 100644 index 0000000..39d6930 --- /dev/null +++ b/patchinfo.20260204155545137018.93181000773252/_patchinfo 
@@ -0,0 +1,195 @@ + + + VUL-0: CVE-2025-58058: tailscale: github.com/ulikunitz/xz: github.com/ulikunitz/xz leaks memory + + rrahl0 + important + security + Security update for tailscale + This update for tailscale fixes the following issues: + +Changes in tailscale: + +- Update to version 1.94.0: + * IS SET and NOT SET have been added as device posture operators + * India DERP Region City Name updated + * Custom DERP servers support GCP Certificate Manager + * Tailscale SSH authentication, when successful, results in LOGIN audit + messages being sent to the kernel audit subsystem + * Tailscale Peer Relay throughput is improved when the SO_REUSEPORT socket + option is supported on multi-core systems + * Tailscale Peer Relay server handshake transmission is guarded against + routing loops over Tailscale + * MagicDNS always resolves when using resolv.conf without a DNS manager + * tailscaled_peer_relay_forwarded_packets_total and + tailscaled_peer_relay_forwarded_bytes_total client metrics are available for + Tailscale Peer Relays + * Identity tokens are automatically generated for workload identities + * --audience flag added to tailscale up command to support auto generation of + ID tokens for workload identity + * tsnet nodes can host Tailscale Services + * The tailscale lock status -json command returns tailnet key authority (TKA) + data in a stable format + * Tailscale Peer Relays deliver improved throughput through monotonic time + comparison optimizations and reduced lock contention + * Tailscale Services virtual IPs are now automatically accepted by clients + across all platforms regardless of the status of the --accept-routes + feature + +- Update to version 1.94.0: + * derp/derpserver: add a unique sender cardinality estimate + * syncs: add means of declare locking assumptions for debug mode + * cmd/k8s-operator: add support for taiscale.com/http-redirect + * cmd/k8s-operator fix populateTLSSecret on tests + * feature/posture: log method and full URL for 
posture identity requests + * k8s-operator: Fix typos in egress-pod-readiness.go + * cmd/tailscale,ipn: add Unix socket support for serve + * client/systray: change systray to start after graphical.target + * cmd/k8s-operator: warn if users attempt to expose a headless Service + * cmd/tailscale/cli, util/qrcodes: format QR codes on Linux consoles + * tsnet: ensure funnel listener cleans up after itself when closed + * ipn/store/kubestore: don't load write replica certs in memory + * tsnet: allow for automatic ID token generation + +- Update to version 1.92.5: + * types/persist: omit Persist.AttestationKey based on IsZero + * disable hardware attestation for kubernetes + * allow opting out of ACME order replace extension +- Update to version 1.92.4: + * nothing of importance + +- Update to version 1.92.3: + * WireGuard configuration that occurs automatically in the client, no longer + results in a panic + +- Update to version 1.92.2: + * cmd/derper: add GCP Certificate Manager support + +- Update to version 1.92.1: + * fix LocalBackend deadlock when packet arrives during profile switch + * wgengine: fix TSMP/ICMP callback leak +- Update to version 1.92.0: + * no changelog provided +- Update to version 1.90.9: + * tailscaled no longer deadlocks during event bursts + * The client no longer hangs after wake up + +- Update to version 1.90.8: + * tka: move RemoveAll() to CompactableChonk +- Update to version 1.90.7: + * wgengine/magicsock: validate endpoint.derpAddr + * wgengine/magicsock: fix UDPRelayAllocReq/Resp deadlock + * net/udprelay: replace VNI pool with selection algorithm + * feature/relayserver,ipn/ipnlocal,net/udprelay: plumb DERPMap + * feature/relayserver: fix Shutdown() deadlock + * net/netmon: do not abandon a subscriber when exiting early + * tka: don't try to read AUMs which are partway through being written + * tka: rename a mutex to mu instead of single-letter l + * ipn/ipnlocal: use an in-memory TKA store if FS is unavailable + +- Update to version 
1.90.6: + * Routes no longer stall and fail to apply when updated repeatedly in a short + period of time + * Tailscale SSH no longer hangs for 10s when connecting to tsrecorder. This + affected tailnets that use Tailscale SSH recording + +- Update to version 1.90.4: + * deadlock issue no longer occurs in the client when checking + for the network to be available + * tailscaled no longer sporadically panics when a + Trusted Platform Module (TPM) device is present + +- Update to version 1.90.3: + * tailscaled shuts down as expected and without panic + * tailscaled starts up as expected in a no router configuration environment + +- Update to version 1.90.2: + * util/linuxfw: fix 32-bit arm regression with iptables + * health: compare warnable codes to avoid errors on release branch + * feature/tpm: check TPM family data for compatibility + +- Upate to version 1.90.1: + * Clients can use configured DNS resolvers for all domains + * Node keys will be renewed seamlessly + * Unnecessary path discovery packets over DERP servers are suppressed + * Node key sealing is GA (generally available) and enabled by default + +- update to version 1.88.3: + * cmd/tailscale/cli: add ts2021 debug flag to set a dial plan + * control/controlhttp: simplify, fix race dialing, remove priority concept +- update to version 1.88.2: + * k8s-operator: reset service status before append +- require the minimum go version directly, in comparison to using the golang(API) + symbol + +- update to version 1.88.1: + * Tailscale CLI prompts users to confirm impactful actions + * Tailscale SSH works as expected when using an IP address instead of a + hostname and MagicDNS is disabled + * fixed: Taildrive sharing when su not present + * Taildrive files remain consistently accessible + * new: Tailscale tray GUI + * DERP IPs changed for Singapore and Tokyo +- Fixing CVE-2025-58058, bsc#1248920 + +- update to version 1.86.5: + * cmd/k8s-proxy,k8s-operator: fix serve config for userspace mode +- update to 
version 1.86.4: + * nothing of relevance +- update to version 1.86.3: + * nothing of relevance + +- update to version 1.86.2: + * A deadlock issue that may have occurred in the client + * An occasional crash when establishing a new port mapping with a gateway or + firewall + +- update to version 1.86.0: + * tsStateEncrypted device posture attribute for checking whether the + Tailscale client state is encrypted at rest + * Cross-site request forgery (CSRF) issue that may have resulted in a log in + error when accessing the web interface + * Recommended exit node when the previously recommended exit node is offline + * tailscale up --exit-node=auto:any and tailscale set --exit-node=auto:any + CLI commands track the recommended exit node and automatically switches to + it when available exit nodes or network conditions change + * tailscaled CLI command flag --encrypt-state encrypts the node state file on + the disk using trusted platform module (TPM) + +- update to 1.84.3: + * ipn/ipnlocal: Update hostinfo to control on service config change + +- update to 1.84.2: + * Re-enable setting —accept-dns by using TS_EXTRA_ARGS. This issue resulted + from stricter CLI arguments parsing introduced in Tailscale v1.84.0 + +- update to 1.84.1: + * net/dns: cache dns.Config for reuse when compileConfig fails + +- update to 1.84.0: + * The --reason flag is added to the tailscale down command + * ReconnectAfter policy setting, which configures the maximum period of time + between a user disconnecting Tailscale and the client automatically + reconnecting + * Tailscale CLI commands throw an error if multiple of the same flag are detected + * Network connectivity issues when creating a new profile or switching + profiles while using an exit node + * DNS-over-TCP fallback works correctly with upstream servers reachable only + via the tailnet + +- update to 1.82.5: + * A panic issue related to CUBIC congestion control in userspace mode is resolved. 
+ +- update to 1.82.0: + * DERP functionality within the client supports certificate pinning for + self-signed IP address certificates for those unable to use Let's Encrypt + or WebPKI certificates. + * Go is updated to version 1.24.1 + * NAT traversal code uses the DERP connection that a packet arrived on as an + ultimate fallback route if no other information is available + * Captive portal detection reliability is improved on some in-flight Wi-Fi networks + * Port mapping success rate is improved + * Helsinki is added as a DERP region. + + tailscale + diff --git a/tailscale b/tailscale index 4fc563b..400f152 160000 --- a/tailscale +++ b/tailscale @@ -1 +1 @@ -Subproject commit 4fc563b7527e79afced52951caab37af8c07cadd8575e75669b707cd2945772b +Subproject commit 400f152deb89aa36ab7eeaa903f0a4b2b8792b9b2b97cc68d8a9e41a4aba6583 -- 2.51.1
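Review bot: the added _patchinfo description carries several defects that will ship verbatim to users. The version header "Update to version 1.94.0" appears twice, and the second block (the one beginning "derp/derpserver: add a unique sender cardinality estimate") is clearly a different release, so one of the two headers is wrong. There are typos in the added lines ("Upate to version 1.90.1", "taiscale.com/http-redirect", "add means of declare locking assumptions"), and the 1.84.2 entry spells the flag with a single long dash rather than the two hyphens of --accept-dns, which matters because people copy flags out of changelogs. Since _patchinfo is generated from the package changelog, fix these in the .changes file and regenerate rather than hand-editing this file. Finally, the description states that the update fixes CVE-2025-58058 (the github.com/ulikunitz/xz memory leak) but the only matching changelog line, "Fixing CVE-2025-58058, bsc#1248920", sits under the 1.88.1 entry; a short sentence in the summary naming the version that actually carries the fix would make the security relevance traceable.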
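Review bot: the submodule bump (Subproject commit 4fc563b... to 400f152...) carries no indication of which upstream tailscale tag it corresponds to, while the patchinfo added in the same patch claims version 1.94.0 and a fix for CVE-2025-58058. Nothing in the diff ties the pinned commit to that release, so please confirm that 400f152... is the 1.94.0 source (and that it contains the updated github.com/ulikunitz/xz dependency) and state the tag in the commit message, so a later reviewer can verify the security claim without checking out the submodule.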