Pull request for security update for tailscale #399
195
patchinfo.20260204155545137018.93181000773252/_patchinfo
Normal file
195
patchinfo.20260204155545137018.93181000773252/_patchinfo
Normal file
@@ -0,0 +1,195 @@
|
||||
<patchinfo>
|
||||
<issue tracker="cve" id="2025-22869"/>
|
||||
<issue tracker="bnc" id="1248920">VUL-0: CVE-2025-58058: tailscale: github.com/ulikunitz/xz: github.com/ulikunitz/xz leaks memory</issue>
|
||||
<issue tracker="cve" id="2025-58058"/>
|
||||
<packager>rrahl0</packager>
|
||||
<rating>important</rating>
|
||||
<category>security</category>
|
||||
<summary>Security update for tailscale</summary>
|
||||
<description>This update for tailscale fixes the following issues:
|
||||
|
||||
Changes in tailscale:
|
||||
|
||||
- Update to version 1.94.0:
|
||||
* IS SET and NOT SET have been added as device posture operators
|
||||
* India DERP Region City Name updated
|
||||
* Custom DERP servers support GCP Certificate Manager
|
||||
* Tailscale SSH authentication, when successful, results in LOGIN audit
|
||||
messages being sent to the kernel audit subsystem
|
||||
* Tailscale Peer Relay throughput is improved when the SO_REUSEPORT socket
|
||||
option is supported on multi-core systems
|
||||
* Tailscale Peer Relay server handshake transmission is guarded against
|
||||
routing loops over Tailscale
|
||||
* MagicDNS always resolves when using resolv.conf without a DNS manager
|
||||
* tailscaled_peer_relay_forwarded_packets_total and
|
||||
tailscaled_peer_relay_forwarded_bytes_total client metrics are available for
|
||||
Tailscale Peer Relays
|
||||
* Identity tokens are automatically generated for workload identities
|
||||
* --audience flag added to tailscale up command to support auto generation of
|
||||
ID tokens for workload identity
|
||||
* tsnet nodes can host Tailscale Services
|
||||
* The tailscale lock status -json command returns tailnet key authority (TKA)
|
||||
data in a stable format
|
||||
* Tailscale Peer Relays deliver improved throughput through monotonic time
|
||||
comparison optimizations and reduced lock contention
|
||||
* Tailscale Services virtual IPs are now automatically accepted by clients
|
||||
across all platforms regardless of the status of the --accept-routes
|
||||
feature
|
||||
|
||||
- Update to version 1.94.0:
|
||||
* derp/derpserver: add a unique sender cardinality estimate
|
||||
* syncs: add means of declare locking assumptions for debug mode
|
||||
* cmd/k8s-operator: add support for taiscale.com/http-redirect
|
||||
* cmd/k8s-operator fix populateTLSSecret on tests
|
||||
* feature/posture: log method and full URL for posture identity requests
|
||||
* k8s-operator: Fix typos in egress-pod-readiness.go
|
||||
* cmd/tailscale,ipn: add Unix socket support for serve
|
||||
* client/systray: change systray to start after graphical.target
|
||||
* cmd/k8s-operator: warn if users attempt to expose a headless Service
|
||||
* cmd/tailscale/cli, util/qrcodes: format QR codes on Linux consoles
|
||||
* tsnet: ensure funnel listener cleans up after itself when closed
|
||||
* ipn/store/kubestore: don't load write replica certs in memory
|
||||
* tsnet: allow for automatic ID token generation
|
||||
|
||||
- Update to version 1.92.5:
|
||||
* types/persist: omit Persist.AttestationKey based on IsZero
|
||||
* disable hardware attestation for kubernetes
|
||||
* allow opting out of ACME order replace extension
|
||||
- Update to version 1.92.4:
|
||||
* nothing of importance
|
||||
|
||||
- Update to version 1.92.3:
|
||||
* WireGuard configuration that occurs automatically in the client, no longer
|
||||
results in a panic
|
||||
|
||||
- Update to version 1.92.2:
|
||||
* cmd/derper: add GCP Certificate Manager support
|
||||
|
||||
- Update to version 1.92.1:
|
||||
* fix LocalBackend deadlock when packet arrives during profile switch
|
||||
* wgengine: fix TSMP/ICMP callback leak
|
||||
- Update to version 1.92.0:
|
||||
* no changelog provided
|
||||
- Update to version 1.90.9:
|
||||
* tailscaled no longer deadlocks during event bursts
|
||||
* The client no longer hangs after wake up
|
||||
|
||||
- Update to version 1.90.8:
|
||||
* tka: move RemoveAll() to CompactableChonk
|
||||
- Update to version 1.90.7:
|
||||
* wgengine/magicsock: validate endpoint.derpAddr
|
||||
* wgengine/magicsock: fix UDPRelayAllocReq/Resp deadlock
|
||||
* net/udprelay: replace VNI pool with selection algorithm
|
||||
* feature/relayserver,ipn/ipnlocal,net/udprelay: plumb DERPMap
|
||||
* feature/relayserver: fix Shutdown() deadlock
|
||||
* net/netmon: do not abandon a subscriber when exiting early
|
||||
* tka: don't try to read AUMs which are partway through being written
|
||||
* tka: rename a mutex to mu instead of single-letter l
|
||||
* ipn/ipnlocal: use an in-memory TKA store if FS is unavailable
|
||||
|
||||
- Update to version 1.90.6:
|
||||
* Routes no longer stall and fail to apply when updated repeatedly in a short
|
||||
period of time
|
||||
* Tailscale SSH no longer hangs for 10s when connecting to tsrecorder. This
|
||||
affected tailnets that use Tailscale SSH recording
|
||||
|
||||
- Update to version 1.90.4:
|
||||
* deadlock issue no longer occurs in the client when checking
|
||||
for the network to be available
|
||||
* tailscaled no longer sporadically panics when a
|
||||
Trusted Platform Module (TPM) device is present
|
||||
|
||||
- Update to version 1.90.3:
|
||||
* tailscaled shuts down as expected and without panic
|
||||
* tailscaled starts up as expected in a no router configuration environment
|
||||
|
||||
- Update to version 1.90.2:
|
||||
* util/linuxfw: fix 32-bit arm regression with iptables
|
||||
* health: compare warnable codes to avoid errors on release branch
|
||||
* feature/tpm: check TPM family data for compatibility
|
||||
|
||||
- Upate to version 1.90.1:
|
||||
* Clients can use configured DNS resolvers for all domains
|
||||
* Node keys will be renewed seamlessly
|
||||
* Unnecessary path discovery packets over DERP servers are suppressed
|
||||
* Node key sealing is GA (generally available) and enabled by default
|
||||
|
||||
- update to version 1.88.3:
|
||||
* cmd/tailscale/cli: add ts2021 debug flag to set a dial plan
|
||||
* control/controlhttp: simplify, fix race dialing, remove priority concept
|
||||
- update to version 1.88.2:
|
||||
* k8s-operator: reset service status before append
|
||||
- require the minimum go version directly, in comparison to using the golang(API)
|
||||
symbol
|
||||
|
||||
- update to version 1.88.1:
|
||||
* Tailscale CLI prompts users to confirm impactful actions
|
||||
* Tailscale SSH works as expected when using an IP address instead of a
|
||||
hostname and MagicDNS is disabled
|
||||
* fixed: Taildrive sharing when su not present
|
||||
* Taildrive files remain consistently accessible
|
||||
* new: Tailscale tray GUI
|
||||
* DERP IPs changed for Singapore and Tokyo
|
||||
- Fixing CVE-2025-58058, bsc#1248920
|
||||
|
||||
- update to version 1.86.5:
|
||||
* cmd/k8s-proxy,k8s-operator: fix serve config for userspace mode
|
||||
- update to version 1.86.4:
|
||||
* nothing of relevance
|
||||
- update to version 1.86.3:
|
||||
* nothing of relevance
|
||||
|
||||
- update to version 1.86.2:
|
||||
* A deadlock issue that may have occurred in the client
|
||||
* An occasional crash when establishing a new port mapping with a gateway or
|
||||
firewall
|
||||
|
||||
- update to version 1.86.0:
|
||||
* tsStateEncrypted device posture attribute for checking whether the
|
||||
Tailscale client state is encrypted at rest
|
||||
* Cross-site request forgery (CSRF) issue that may have resulted in a log in
|
||||
error when accessing the web interface
|
||||
* Recommended exit node when the previously recommended exit node is offline
|
||||
* tailscale up --exit-node=auto:any and tailscale set --exit-node=auto:any
|
||||
CLI commands track the recommended exit node and automatically switches to
|
||||
it when available exit nodes or network conditions change
|
||||
* tailscaled CLI command flag --encrypt-state encrypts the node state file on
|
||||
the disk using trusted platform module (TPM)
|
||||
|
||||
- update to 1.84.3:
|
||||
* ipn/ipnlocal: Update hostinfo to control on service config change
|
||||
|
||||
- update to 1.84.2:
|
||||
* Re-enable setting —accept-dns by using TS_EXTRA_ARGS. This issue resulted
|
||||
from stricter CLI arguments parsing introduced in Tailscale v1.84.0
|
||||
|
||||
- update to 1.84.1:
|
||||
* net/dns: cache dns.Config for reuse when compileConfig fails
|
||||
|
||||
- update to 1.84.0:
|
||||
* The --reason flag is added to the tailscale down command
|
||||
* ReconnectAfter policy setting, which configures the maximum period of time
|
||||
between a user disconnecting Tailscale and the client automatically
|
||||
reconnecting
|
||||
* Tailscale CLI commands throw an error if multiple of the same flag are detected
|
||||
* Network connectivity issues when creating a new profile or switching
|
||||
profiles while using an exit node
|
||||
* DNS-over-TCP fallback works correctly with upstream servers reachable only
|
||||
via the tailnet
|
||||
|
||||
- update to 1.82.5:
|
||||
* A panic issue related to CUBIC congestion control in userspace mode is resolved.
|
||||
|
||||
- update to 1.82.0:
|
||||
* DERP functionality within the client supports certificate pinning for
|
||||
self-signed IP address certificates for those unable to use Let's Encrypt
|
||||
or WebPKI certificates.
|
||||
* Go is updated to version 1.24.1
|
||||
* NAT traversal code uses the DERP connection that a packet arrived on as an
|
||||
ultimate fallback route if no other information is available
|
||||
* Captive portal detection reliability is improved on some in-flight Wi-Fi networks
|
||||
* Port mapping success rate is improved
|
||||
* Helsinki is added as a DERP region.
|
||||
</description>
|
||||
<package>tailscale</package>
|
||||
</patchinfo>
|
||||
Submodule tailscale updated: 4fc563b752...400f152deb
Reference in New Issue
Block a user