⬆️ Update tailscale/tailscale to v1.98.9#713
Conversation
Fixes Tailscale SSH authentication vulnerabilities. Tailscale security bulletin TS-2026-009 covers insecure SSH command-line argument handling where a username beginning with "-" (e.g. "-i") is interpreted as a flag by getent, allowing an attacker to obtain a root session in violation of ACLs. Related SSH auth bypasses TS-2026-006 (numeric UID root bypass) and TS-2026-004 (unix-socket forwarding symlink bypass) are also fixed in this release. All three are fixed in Tailscale 1.98.9. The add-on was pinned to 1.98.8, which remains affected. Ref: https://tailscale.com/security-bulletins Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
WalkthroughThe Dockerfile updates the Tailscale build argument from ChangesTailscale version update
Estimated code review effort: 1 (Trivial) | ~2 minutes Suggested reviewers: Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
Hi @frenck — friendly nudge on this one when you have a moment. It bumps Tailscale to 1.98.9, which fixes the SSH auth issues from the July security bulletins (TS-2026-009 lets a username like Generated by Claude Code |
|
They prefer to stick with the latest version according to the Tailscale GitHub releases, because that works for everyone, and it auto updates with Renovate. |
TS should create a new release on GH not several days after it really released it. GH release triggers Renovate not TS changelog. |
Summary
Bumps the bundled Tailscale from v1.98.8 → v1.98.9 to pick up fixes for a set of Tailscale SSH authentication vulnerabilities.
mainis currently pinned to 1.98.8, which remains affected.Security context
Per the Tailscale security bulletins, the following are fixed in 1.98.9:
-(e.g.-i) is interpreted as a flag bygetent, allowing an attacker to obtain arootsession in violation of ACLs.rootbypass via numeric UID (0@host), circumventing ACL restrictions.Given that TS-2026-009 is an ACL-bypassing root escalation over Tailscale SSH, this should be treated as a security-priority update rather than a routine version bump.
Changes
tailscale/Dockerfile:ARG TAILSCALE_VERSIONv1.98.8→v1.98.9Verified that both the
amd64andarm641.98.9 stable tarballs are available at the URL the Dockerfile fetches. 1.98.9 is also the current latest stable.Note
Renovate is configured to auto-merge Tailscale patch bumps and will likely open its own PR for 1.98.9 shortly; this manual PR is intended to land the fix faster given the severity. Close whichever is redundant.
🤖 Generated with Claude Code
Summary by CodeRabbit