Accepting request 1252354 from network:vpn

- add patch fix-CVE-2025-22869.patch, fixes bsc#1239353 (forwarded request 1252353 from rrahl0)

OBS-URL: https://build.opensuse.org/request/show/1252354
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tailscale?expand=0&rev=26

_service

@@ -3,7 +3,7 @@
     <param name="url">https://github.com/tailscale/tailscale.git</param>
     <param name="scm">git</param>
     <param name="package-meta">yes</param>
-    <param name="revision">refs/tags/v1.72.1</param>
+    <param name="revision">refs/tags/v1.80.3</param>
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="versionrewrite-pattern">v(.*)</param>
     <param name="changesgenerate">disable</param>
@@ -14,5 +14,4 @@
   </service>
   <service name="go_modules" mode="manual">
   </service>
-  <service name="set_version" mode="manual" />
 </services>

fix-CVE-2025-22869.patch

@@ -0,0 +1,80 @@
+diff -rub tailscale-1.80.3/go.mod tailscale-1.80.3-patched/go.mod
+--- tailscale-1.80.3/go.mod	2025-03-03 21:05:20.000000000 +0100
++++ tailscale-1.80.3-patched/go.mod	2025-03-12 10:00:39.364237325 +0100
+@@ -94,14 +94,14 @@
+ 	go.uber.org/zap v1.27.0
+ 	go4.org/mem v0.0.0-20240501181205-ae6ca9944745
+ 	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba
+-	golang.org/x/crypto v0.33.0
++	golang.org/x/crypto v0.36.0
+ 	golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8
+ 	golang.org/x/mod v0.22.0
+ 	golang.org/x/net v0.35.0
+ 	golang.org/x/oauth2 v0.25.0
+-	golang.org/x/sync v0.11.0
+-	golang.org/x/sys v0.30.0
+-	golang.org/x/term v0.29.0
++	golang.org/x/sync v0.12.0
++	golang.org/x/sys v0.31.0
++	golang.org/x/term v0.30.0
+ 	golang.org/x/time v0.9.0
+ 	golang.org/x/tools v0.29.0
+ 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2
+@@ -385,7 +385,7 @@
+ 	go.uber.org/multierr v1.11.0 // indirect
+ 	golang.org/x/exp/typeparams v0.0.0-20240314144324-c7f7c6466f7f // indirect
+ 	golang.org/x/image v0.23.0 // indirect
+-	golang.org/x/text v0.22.0 // indirect
++	golang.org/x/text v0.23.0 // indirect
+ 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
+ 	google.golang.org/protobuf v1.35.1 // indirect
+ 	gopkg.in/inf.v0 v0.9.1 // indirect
+diff -rub tailscale-1.80.3/go.sum tailscale-1.80.3-patched/go.sum
+--- tailscale-1.80.3/go.sum	2025-03-03 21:05:20.000000000 +0100
++++ tailscale-1.80.3-patched/go.sum	2025-03-12 10:01:30.149309580 +0100
+@@ -1060,6 +1060,8 @@
+ golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
+ golang.org/x/crypto v0.33.0 h1:IOBPskki6Lysi0lo9qQvbxiQ+FvsCC/YWOecCHAixus=
+ golang.org/x/crypto v0.33.0/go.mod h1:bVdXmD7IV/4GdElGPozy6U7lWdRXA4qyRVGJV57uQ5M=
++golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
++golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
+ golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+ golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+ golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
+@@ -1173,6 +1175,8 @@
+ golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+ golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w=
+ golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
++golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
++golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+ golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+ golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+ golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+@@ -1233,6 +1237,8 @@
+ golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+ golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
+ golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
++golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
++golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+ golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+ golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+ golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+@@ -1241,6 +1247,8 @@
+ golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+ golang.org/x/term v0.29.0 h1:L6pJp37ocefwRRtYPKSWOWzOtWSxVajvz2ldH/xi3iU=
+ golang.org/x/term v0.29.0/go.mod h1:6bl4lRlvVuDgSf3179VpIxBF0o10JUpXWOnI7nErv7s=
++golang.org/x/term v0.30.0 h1:PQ39fJZ+mfadBm0y5WlL4vlM7Sx1Hgf13sMIY2+QS9Y=
++golang.org/x/term v0.30.0/go.mod h1:NYYFdzHoI5wRh/h5tDMdMqCqPJZEuNqVR5xJLd/n67g=
+ golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+ golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+ golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+@@ -1253,6 +1261,8 @@
+ golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+ golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=
+ golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
++golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
++golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
+ golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+ golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+ golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+Only in tailscale-1.80.3-patched: vendor

tailscale-1.72.1.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:03e15ea076362eda1a44712351ba2a19bf746970fee8ddc4013513a07337cbe0
-size 11331158

tailscale-1.80.3.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8cfab48a1a40bc27445bc1aea0daedc7c1147a1ee61fe3abbf32c1eb8acaca33
+size 13706235

tailscale.changes

@@ -1,3 +1,168 @@
+-------------------------------------------------------------------
+Wed Mar 12 09:07:49 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>
+
+- add patch fix-CVE-2025-22869.patch, fixes bsc#1239353
+
+-------------------------------------------------------------------
+Tue Mar  4 13:42:34 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>
+
+- update to 1.80.3:
+  * appc: fix a deadlock in route advertisements
+  * client/web: fix CSRF handler order in web UI
+
+-------------------------------------------------------------------
+Thu Feb 13 14:30:28 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>
+
+- update to 1.80.2:
+  * Use ip:country as a geolocation device posture attribute (generally available).
+
+-------------------------------------------------------------------
+Thu Feb  6 19:52:22 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>
+
+- update to 1.80.1:
+  * net/netmon: add extra panic guard around ParseRIB
+
+-------------------------------------------------------------------
+Fri Jan 31 17:20:29 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>
+
+- update to 1.80.0:
+  * Hostname system policy is added for overriding the device hostname
+    configured by the operating system, using an MDM solution.
+  * Web interface displays a Login button instead of the Reauthenticate button
+    when adding a new device to your tailnet.
+  * Tailscale Funnel configuration on devices displays errors when incoming
+    connections are not permitted and connections are disallowed.
+  * Connections to a custom coordination server that does not support HTTPS
+    will no longer fail when a custom port number is specified.
+  * TLS certificate requests from Let’s Encrypt include the device's DNS name
+    in the CSR’s SAN extension and set the Common Name field.
+  * Tailscale Funnel disabled on a device no longer displays enabled in the
+    admin console.
+  * GitHub username change automatically updates tailnet name
+  * 4via6 subnet routers GA
+  * Auto approvers GA
+  * Node attributes GA
+  * Download invoices GA
+  * Fast user switching GA
+  * Configuration log streaming integration with S3 buckets GA
+  * Network flow log streaming integration with S3 buckets GA
+  * NextDNS profiles per device GA
+  * GitHub secret scanning
+- remove fix-CVE-2024-45337.patch, as it's now included
+
+-------------------------------------------------------------------
+Wed Dec 18 17:33:23 UTC 2024 - Richard Rahl <rrahl0@opensuse.org>
+
+- add patch fix-CVE-2024-45337.patch, to circumevent a possibility
+  of exploiting the golang-x-crypto security hole. (fix #1234506)
+
+-------------------------------------------------------------------
+Fri Dec 13 05:06:26 UTC 2024 - Richard Rahl <rrahl0@opensuse.org>
+
+- update to 1.78.3:
+  * cmd/containerboot: fix nil pointer exception
+  * hostinfo: fix testing in container
+
+-------------------------------------------------------------------
+Fri Dec  6 01:22:05 UTC 2024 - Richard Rahl <rrahl0@opensuse.org>
+
+- update to 1.78.1:
+  * health: fix TestHealthMetric
+
+-------------------------------------------------------------------
+Thu Dec  5 22:10:32 UTC 2024 - Richard Rahl <rrahl0@opensuse.org>
+
+- update to 1.78.0:
+  * Client metrics have been added, to provide insights into Tailscale client
+    behavior, health, and performance.
+  * tailscale metrics command has been added, to expose and collect client
+    metrics for use with third-party monitoring systems.
+  * tailscale syspolicy command has been added, to list system policies, reload
+    system policies, or view errors related to the system policies configured
+    on the device.
+  * Tailscale system policies are applied immediately when pushed via mobile
+    device management (MDM) or Group Policy, without requiring a client restart.
+  * Tailscale SSH session recording detects the disappearance of the recorder
+    node sooner. This fix addresses a security vulnerability described
+    in TS-2024-013.
+  * New scopes for OAuth clients have been added with more granular permissions.
+    Existing OAuth clients using the previous set of scopes, and keys generated
+    using these clients, are still valid.
+
+-------------------------------------------------------------------
+Fri Nov  8 03:46:50 UTC 2024 - Richard Rahl <rrahl0@opensuse.org>
+
+- update to 1.76.6:
+  * Logging for when clients move home DERP regions is improved.
+  * Tailscale clients no longer move their home DERP server prematurely in 
+    response to unusual latency at very specific times.
+
+-------------------------------------------------------------------
+Tue Oct 22 18:34:42 UTC 2024 - Richard Rahl <rrahl0@opensuse.org>
+
+- update to 1.76.3:
+  * no relevant changelog
+- update to 1.76.2:
+  * no relevant changelog
+- switch over to the new %{default_fw_backend} macro
+- create old init file only for < leap 16
+
+-------------------------------------------------------------------
+Wed Oct 16 20:40:31 UTC 2024 - Richard Rahl <rrahl0@opensuse.org>
+
+- update to 1.76.1:
+  * tailscale netcheck CLI command no longer crashes when performing diagnostics
+    on networks lacking UDP connectivity.
+  * Improperly formatted SERVFAIL responses no longer cause DNS timeouts when using an exit node.
+  * dbus login sessions no longer fail on systems where /bin/login is missing.
+
+-------------------------------------------------------------------
+Mon Oct 14 13:06:13 UTC 2024 - Alexandre Vicenzi <alexandre.vicenzi@suse.com>
+
+- Require a firewall backend (boo#1228829)
+- Add simple test check to ensure binaries are working
+
+-------------------------------------------------------------------
+Fri Oct 11 06:07:28 UTC 2024 - Richard Rahl <rrahl0@opensuse.org>
+
+- update to 1.76.0:
+  * Clients lacking UDP connectivity no longer skip performing fallback latency
+    measurements with DERP servers.
+  * Warnings no longer display unnecessarily.
+  * Tailscale connectivity on in-flight internet on airplanes (such as Alaska Airlines) no longer fails.
+  * Service-related processes no longer run unnecessarily when services are disabled on the tailnet.
+  * Error messages include explanations in addition to the HTTP status code.
+  * Tailscale SSH supports sending environment variables to hosts. It's also possible to specify
+    permitted environment variables using the acceptEnv field.
+  * Tailscale SSH no longer breaks some terminal applications by omitting pixel width and height when
+    resizing the application window.
+
+-------------------------------------------------------------------
+Sat Sep 21 05:28:42 UTC 2024 - Eric Torres <eric.torres@its-et.me>
+
+- Change path of zsh completion file to make zsh properly recognize completions
+  * /usr/share/zsh/site-functions/tailscale moved to /usr/share/zsh/site-functions/_tailscale
+
+-------------------------------------------------------------------
+Wed Sep 18 19:10:19 UTC 2024 - Richard Rahl <rrahl0@opensuse.org>
+
+- update to 1.74.1:
+  * wgengine/magicsock: disable raw disco by default; add envknob to enable
+
+-------------------------------------------------------------------
+Fri Sep 13 10:48:17 UTC 2024 - Richard Rahl <rrahl0@opensuse.org>
+
+- update to 1.74.0
+  * AuthKey system policy can be used to authenticate a device with Tailscale using an MDM solution.
+  * tailscale dns CLI command is added for accessing Tailscale DNS settings and status.
+  * Tailnet Lock long rotation signatures are truncated automatically to avoid excessive growth.
+  * Log In option in the client works as expected.
+  * TCP generic receive offload (GRO) support is added for improved userspace mode throughput.
+  * TCP generic segmentation offload (GSO) is re-introduced for supporting improved userspace mode throughput.
+    This was initially introduced in Tailscale v1.72.0 and then rolled back in v1.72.1.
+  * Device posture integration with CrowdStrike Falcon can now use MAC addresses to match devices that lack serial numbers.
+    When Falcon integration is configured, Device Identity Collection will automatically collect MAC addresses.
+
 -------------------------------------------------------------------
 Thu Aug 22 22:08:51 UTC 2024 - Richard Rahl <rrahl0@opensuse.org>
 

tailscale.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package tailscale
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,24 +17,25 @@
 
 
 Name:           tailscale
-Version:        1.72.1
+Version:        1.80.3
 Release:        0
 Summary:        The easiest, most secure way to use WireGuard and 2FA
 License:        BSD-3-Clause
-Group:          Productivity/Networking/Security
 URL:            https://github.com/tailscale/tailscale
 Source:         %{name}-%{version}.tar.gz
 Source1:        vendor.tar.gz
-Source2:        tailscaled.service
-Source3:        tailscaled.defaults
-Patch1:         build-verbose.patch
-Patch2:         disable-auto-update.patch
+Source2:        %{name}d.service
+Source3:        %{name}d.defaults
+Patch0:         build-verbose.patch
+Patch1:         disable-auto-update.patch
+Patch2:         fix-CVE-2025-22869.patch
 BuildRequires:  bash-completion
 BuildRequires:  fish
-BuildRequires:  git
+BuildRequires:  git-core
 BuildRequires:  golang-packaging
 BuildRequires:  zsh
 BuildRequires:  golang(API) = 1.23
+Requires:       %{default_firewall_backend}
 ExcludeArch:    i586
 %{?systemd_requires}
 
@@ -76,14 +77,18 @@ export GOFLAGS="-buildmode=pie"
 export VERSION_SHORT=%{version}
 export VERSION_LONG=%{version}
 export VERSION_GIT_HASH='$(git rev-parse v%{version})'
-./build_dist.sh ./cmd/tailscale
-./build_dist.sh ./cmd/tailscaled
+./build_dist.sh ./cmd/%{name}
+./build_dist.sh ./cmd/%{name}d
 
 #generate completions
 ./%{name} completion bash > ./%{name}.bash
 ./%{name} completion zsh > ./%{name}.zsh
 ./%{name} completion fish > ./%{name}.fish
 
+%check
+./%{name} version
+./%{name}d -version
+
 %install
 mkdir -p %{buildroot}%{_sharedstatedir}/%{name}
 
@@ -92,13 +97,15 @@ install -D -p -m 0755 %{name}d %{buildroot}%{_sbindir}/%{name}d
 
 # service
 install -D -p -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/%{name}d.service
+%if 0%{?suse_version} < 1600
 ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}d
+%endif
 
 # defaults
 install -D -p -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/default/%{name}d
 
 install -D -p -m 0644 ./%{name}.bash %{buildroot}%{_datadir}/bash-completion/completions/%{name}
-install -D -p -m 0644 ./%{name}.zsh %{buildroot}%{_datadir}/zsh/site-functions/%{name}
+install -D -p -m 0644 ./%{name}.zsh %{buildroot}%{_datadir}/zsh/site-functions/_%{name}
 install -D -p -m 0644 ./%{name}.fish %{buildroot}%{_datadir}/fish/vendor_completions.d/%{name}
 
 %pre
@@ -121,13 +128,15 @@ install -D -p -m 0644 ./%{name}.fish %{buildroot}%{_datadir}/fish/vendor_complet
 %{_bindir}/%{name}
 %{_sbindir}/%{name}d
 %{_unitdir}/%{name}d.service
+%if 0%{?suse_version} < 1600
 %{_sbindir}/rc%{name}d
+%endif
 
 %files bash-completion
 %{_datadir}/bash-completion/completions/%{name}
 
 %files zsh-completion
-%{_datadir}/zsh/site-functions/%{name}
+%{_datadir}/zsh/site-functions/_%{name}
 
 %files fish-completion
 %{_datadir}/fish/vendor_completions.d/%{name}

vendor.tar.gz

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:2233214ad5bc4185d8b35517d4a0042b9cc86a65db35637009e9588edb3db7ae
-size 18607906
+oid sha256:55812d888060e6b92a0a1612e1f0ab69de3529825842c4327029f0f8a2ee9563
+size 20212560