Skip to content

⬆️ Update tailscale/tailscale to v1.98.9#713

Open
rraina wants to merge 1 commit into
hassio-addons:mainfrom
rraina:upgrade-tailscale-1.98.9
Open

⬆️ Update tailscale/tailscale to v1.98.9#713
rraina wants to merge 1 commit into
hassio-addons:mainfrom
rraina:upgrade-tailscale-1.98.9

Conversation

@rraina

@rraina rraina commented Jul 15, 2026

Copy link
Copy Markdown

Summary

Bumps the bundled Tailscale from v1.98.8 → v1.98.9 to pick up fixes for a set of Tailscale SSH authentication vulnerabilities. main is currently pinned to 1.98.8, which remains affected.

Security context

Per the Tailscale security bulletins, the following are fixed in 1.98.9:

  • TS-2026-009 — Insecure SSH command-line argument handling. A username beginning with - (e.g. -i) is interpreted as a flag by getent, allowing an attacker to obtain a root session in violation of ACLs.
  • TS-2026-006 — SSH root bypass via numeric UID (0@host), circumventing ACL restrictions.
  • TS-2026-004 — SSH unix-socket forwarding symlink bypass.

Given that TS-2026-009 is an ACL-bypassing root escalation over Tailscale SSH, this should be treated as a security-priority update rather than a routine version bump.

Changes

  • tailscale/Dockerfile: ARG TAILSCALE_VERSION v1.98.8v1.98.9

Verified that both the amd64 and arm64 1.98.9 stable tarballs are available at the URL the Dockerfile fetches. 1.98.9 is also the current latest stable.

Note

Renovate is configured to auto-merge Tailscale patch bumps and will likely open its own PR for 1.98.9 shortly; this manual PR is intended to land the fix faster given the severity. Close whichever is redundant.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated the bundled Tailscale version to v1.98.9.
    • Includes the latest Tailscale build during container image creation.

Fixes Tailscale SSH authentication vulnerabilities. Tailscale
security bulletin TS-2026-009 covers insecure SSH command-line
argument handling where a username beginning with "-" (e.g. "-i")
is interpreted as a flag by getent, allowing an attacker to obtain
a root session in violation of ACLs. Related SSH auth bypasses
TS-2026-006 (numeric UID root bypass) and TS-2026-004 (unix-socket
forwarding symlink bypass) are also fixed in this release.

All three are fixed in Tailscale 1.98.9. The add-on was pinned to
1.98.8, which remains affected.

Ref: https://tailscale.com/security-bulletins

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jul 15, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: de8b9180-1009-427e-80bf-d384b3ed9eef

📥 Commits

Reviewing files that changed from the base of the PR and between 2b00f29 and ce73caa.

📒 Files selected for processing (1)
  • tailscale/Dockerfile

Walkthrough

The Dockerfile updates the Tailscale build argument from v1.98.8 to v1.98.9, changing the release archive downloaded during the image build.

Changes

Tailscale version update

Layer / File(s) Summary
Update Tailscale archive version
tailscale/Dockerfile
The TAILSCALE_VERSION build argument now targets Tailscale v1.98.9.

Estimated code review effort: 1 (Trivial) | ~2 minutes

Suggested reviewers: renovate[bot], lmagyar

Poem

A bunny hops through build-time cheer,
A newer Tailscale version is here.
The archive downloads fresh and bright,
One tiny change makes the tag take flight.
“Ship it!” I thump, with ears upright.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: updating the bundled Tailscale version to v1.98.9.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@rraina

rraina commented Jul 15, 2026

Copy link
Copy Markdown
Author

Hi @frenck — friendly nudge on this one when you have a moment. It bumps Tailscale to 1.98.9, which fixes the SSH auth issues from the July security bulletins (TS-2026-009 lets a username like -i reach a root session in violation of ACLs; also TS-2026-006 / TS-2026-004). main is currently on 1.98.8, which is still affected. Happy to adjust anything needed — thanks for maintaining this add-on!


Generated by Claude Code

@SzaBee13

Copy link
Copy Markdown

They prefer to stick with the latest version according to the Tailscale GitHub releases, because that works for everyone, and it auto updates with Renovate.

@lmagyar

lmagyar commented Jul 16, 2026

Copy link
Copy Markdown
Collaborator

They prefer to stick with the latest version according to the Tailscale GitHub releases, because that works for everyone, and it auto updates with Renovate.

TS should create a new release on GH not several days after it really released it. GH release triggers Renovate not TS changelog.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants