Update module tailscale.com to v1.66.4 #28

Merged
alazyreader merged 1 commits from renovate/tailscale.com-1.x into main 2024-06-09 14:48:13 +00:00

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| tailscale.com | require | minor | v1.64.2 -> v1.66.4 |

Release Notes

tailscale/tailscale (tailscale.com)

v1.66.4

All platforms
  • Fixed: Restored UDP connectivity through Mullvad exit nodes.
Linux
  • Changed: Stateful filtering is now off by default. Stateful filtering was introduced in 1.66.0 as a mitigation for a vulnerability described in TS-2024-005, and inadvertently broke DNS resolution from containers running on the host. Most vulnerable setups are protected by other mitigations already, except when autogroup:danger-all is used in ACLs.

v1.66.3

All platforms
  • Fixed: Login URLs did not always appear in the console when running tailscale up.
Android
  • Changed: Reintroduced the Quick Settings tile that v1.66.0 temporarily removed.
  • Changed: Improved the VPN service connection logic, especially when rebooting the device with Always-On VPN enabled.
  • Changed: The persistent VPN status notification now informs the user with a muted icon when the VPN is disconnected. VPN status notifications can be disabled in the system notification settings.
  • Fixed: The "Enable" button in the exit node selector banner now renders with the correct background color.
Kubernetes operator
  • Breaking change: Starting with v1.66, the Kubernetes operator must always run the same or later version as the proxies it manages.
  • New: Expose cloud services on cluster network to the tailnet, using Kubernetes ExternalName Services. This allows exposing cloud services, such as RDS instances, to tailnet by their DNS names.
  • New: Expose tailnet services that use Tailscale HTTPS to cluster workloads. Refer to #11019.
  • New: Cluster workloads can now refer to Tailscale Ingress resources by their MagicDNS names. Refer to #11019.
  • New: Configure environment variables for Tailscale Kubernetes operator proxies using ProxyClass CRD. Refer to ProxyClass API.
  • New: Expose tailscaled metrics endpoint for Tailscale Kubernetes operator proxies through ProxyClass CRD. Note that the tailscaled metrics are unstable and will likely change in the future. Refer to ProxyClass API.
  • New: Configure labels for the Kubernetes operator Pods with Helm chart values. Refer to Helm chart values.
  • New: Configure affinity rules for Kubernetes operator proxy Pods with ProxyClass. Refer to ProxyClass API.
  • Fixed: Kubernetes operator proxy init container no longer attempts to enable IPv6 forwarding on systems that don't have IPv6 module loaded. Refer to #11867.
Containers
  • Fixed: Tailscale containers running on Kubernetes no longer error if an empty Kubernetes Secret is pre-created for the tailscaled state. Refer to #11326.
  • Fixed: Improved the ambiguous error messages when Tailscale running on Kubernetes does not have the right permissions to perform actions against the tailscaled state Secret. Refer to #11326.

v1.66.2

An internal release which was not distributed

v1.66.1

This release is exclusively for Linux platforms and the standalone variant of the macOS client. It is not available for other platforms.

Linux
  • tailscale set command flags --netfilter-mode, --snat-subnet-routes, and --stateful-filtering are added.
  • Resolved issues with nftables rules for stateful filtering, introduced in v1.66.0.
macOS
  • A version mismatch warning no longer displays when upgrading, if no mismatch is detected.

v1.66.0

We recommend updating all Tailscale clients to v1.66.0 or later to benefit from additional security improvements.

All platforms
  • Implemented client-side quarantining for shared-in exit nodes, as a mitigation for a security vulnerability described in TS-2024-005.
Linux
  • Use the --stateful-filtering flag for the tailscale up command to enable stateful filtering for subnet routers and exit nodes, as a mitigation for a security vulnerability described in TS-2024-005.
    • Note: This change can break existing setups that depend on forwarding connections from external hosts (internet, LAN, Docker containers, etc.) into the tailnet through a Tailscale node. If your setup depends on such forwarding, you can disable stateful filtering with the tailscale up --stateful-filtering=false command.
  • Use tab completion to type the first few letters of a Tailscale CLI command, flag, or arguments, followed by the tab key to complete the item being typed. Set up tab completion by using the tailscale completion command.
  • Use the tailscale exit-node suggest command to automatically pick an available exit node that is likely to perform best.
  • Site-to-site networking now also requires --stateful-filtering=false in addition to --snat-subnet-routes=false on new subnet routers. Existing subnet routers with --snat-subnet-routes=false will default to --stateful-filtering=false.
macOS
  • View a suggested exit node in the Exit Node picker when available.
  • Generate a macOS Configuration Report .txt file from the Bug Report view to help the Tailscale support team diagnose issues.
  • Improved error detection logic warns the user when a version mismatch is detected between the Tailscale client GUI and the network extension.
iOS
  • See direct vs. relayed connections in the Ping view.
  • View a suggested exit node in the Exit Node picker when available.
  • Use auth keys to log in without using the browser.
  • Search tagged devices by tag in the Devices list.
  • Remove accounts in the Fast User Switching view by using a long press, without having to log out.
  • Improved UI experience to log into a custom coordination server like Headscale.
  • The Fast User Switching view can now be used when Tailscale is disconnected.
  • Improved error detection logic warns the user when a version mismatch is detected between the Tailscale client GUI and the network extension.
  • Reduced app launch time.
tvOS
  • Manage DNS configuration in the DNS Settings view.
  • Generate a bug report identifier by navigating to About Tailscale > Report an issue.
  • Improved error detection logic warns the user when a version mismatch is detected between the Tailscale client GUI and the network extension.
Android
  • We've rebuilt the Android app from the ground up, adopting a similar design that we've previously rolled out on iOS and using the latest Android best practices.
  • Use new status indicators to see at-a-glance insights into node connectivity. Tap on a node to see detailed information.
  • See detailed information about resolvers, domains, and routing configurations in a dedicated DNS Settings view.
  • See the status of Tailnet lock and node keys.
  • Use Fast user switching to switch between two or more logged-in accounts on the same device, without requiring you to re-authenticate.
  • Use auth keys to log in without using the browser.
  • Manage Android devices in your tailnet using Mobile Device Management (MDM) solutions such as Google Workspace, Microsoft Intune, or TinyMDM, among other tools.
  • Accessibility support.
  • Use dark mode as an alternative to light mode.
  • The Quick Settings tile has been temporarily disabled, pending resolution of an issue.
  • More intuitive behavior switching between exit nodes.
  • Resolved an issue with LAN access during exit node use.

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

renovate added 1 commit 2024-05-08 22:01:10 +00:00
renovate force-pushed renovate/tailscale.com-1.x from 7f0af3b207 to cc2b3c92ee 2024-05-09 21:01:29 +00:00
renovate changed title from Update module tailscale.com to v1.66.0 to Update module tailscale.com to v1.66.1 2024-05-09 21:01:29 +00:00
renovate force-pushed renovate/tailscale.com-1.x from cc2b3c92ee to bcdd7a30b5 2024-05-14 21:01:25 +00:00
renovate changed title from Update module tailscale.com to v1.66.1 to Update module tailscale.com to v1.66.2 2024-05-14 21:01:26 +00:00
renovate force-pushed renovate/tailscale.com-1.x from bcdd7a30b5 to fa31615d97 2024-05-14 22:01:22 +00:00
renovate changed title from Update module tailscale.com to v1.66.2 to Update module tailscale.com to v1.66.3 2024-05-14 22:01:23 +00:00
renovate changed title from Update module tailscale.com to v1.66.3 to Update module tailscale.com to v1.66.4 2024-05-21 01:01:29 +00:00
renovate force-pushed renovate/tailscale.com-1.x from fa31615d97 to ab7137c44e 2024-05-21 01:01:29 +00:00
alazyreader merged commit f52f0fcc04 into main 2024-06-09 14:48:13 +00:00
alazyreader deleted branch renovate/tailscale.com-1.x 2024-06-09 14:48:13 +00:00
Reference: alazyreader/ts-docker-proxy#28