tailscale-1.94.1-bp160.1.1

- Update to version 1.94.0:
  * IS SET and NOT SET have been added as device posture operators
  * India DERP Region City Name updated
  * Custom DERP servers support GCP Certificate Manager
  * Tailscale SSH authentication, when successful, results in LOGIN audit
    messages being sent to the kernel audit subsystem
  * Tailscale Peer Relay throughput is improved when the SO_REUSEPORT socket
    option is supported on multi-core systems
  * Tailscale Peer Relay server handshake transmission is guarded against
    routing loops over Tailscale
  * MagicDNS always resolves when using resolv.conf without a DNS manager
  * tailscaled_peer_relay_forwarded_packets_total and
    tailscaled_peer_relay_forwarded_bytes_total client metrics are available for
    Tailscale Peer Relays
  * Identity tokens are automatically generated for workload identities
  * --audience flag added to tailscale up command to support auto generation of
    ID tokens for workload identity
  * tsnet nodes can host Tailscale Services
  * The tailscale lock status -json command returns tailnet key authority (TKA)
    data in a stable format
  * Tailscale Peer Relays deliver improved throughput through monotonic time
    comparison optimizations and reduced lock contention
  * Tailscale Services virtual IPs are now automatically accepted by clients
    across all platforms regardless of the status of the --accept-routes
    feature

- Update to version 1.94.0:
  * derp/derpserver: add a unique sender cardinality estimate
  * syncs: add means of declare locking assumptions for debug mode
  * cmd/k8s-operator: add support for taiscale.com/http-redirect
  * cmd/k8s-operator fix populateTLSSecret on tests
  * feature/posture: log method and full URL for posture identity requests
  * k8s-operator: Fix typos in egress-pod-readiness.go
  * cmd/tailscale,ipn: add Unix socket support for serve
  * client/systray: change systray to start after graphical.target
  * cmd/k8s-operator: warn if users attempt to expose a headless Service
  * cmd/tailscale/cli, util/qrcodes: format QR codes on Linux consoles
  * tsnet: ensure funnel listener cleans up after itself when closed
  * ipn/store/kubestore: don't load write replica certs in memory
  * tsnet: allow for automatic ID token generation

- Update to version 1.92.5:
  * types/persist: omit Persist.AttestationKey based on IsZero
  * disable hardware attestation for kubernetes
  * allow opting out of ACME order replace extension
- Update to version 1.92.4:
  * nothing of importance

- Update to version 1.92.3:
  * WireGuard configuration that occurs automatically in the client, no longer
    results in a panic

- Update to version 1.92.2:
  * cmd/derper: add GCP Certificate Manager support

- Update to version 1.92.1:
  * fix LocalBackend deadlock when packet arrives during profile switch
  * wgengine: fix TSMP/ICMP callback leak
- Update to version 1.92.0:
  * no changelog provided
- Update to version 1.90.9:
  * tailscaled no longer deadlocks during event bursts
  * The client no longer hangs after wake up

- Update to version 1.90.8:
  * tka: move RemoveAll() to CompactableChonk
- Update to version 1.90.7:
  * wgengine/magicsock: validate endpoint.derpAddr
  * wgengine/magicsock: fix UDPRelayAllocReq/Resp deadlock
  * net/udprelay: replace VNI pool with selection algorithm
  * feature/relayserver,ipn/ipnlocal,net/udprelay: plumb DERPMap
  * feature/relayserver: fix Shutdown() deadlock
  * net/netmon: do not abandon a subscriber when exiting early
  * tka: don't try to read AUMs which are partway through being written
  * tka: rename a mutex to mu instead of single-letter l
  * ipn/ipnlocal: use an in-memory TKA store if FS is unavailable

- Update to version 1.90.6:
  * Routes no longer stall and fail to apply when updated repeatedly in a short
    period of time
  * Tailscale SSH no longer hangs for 10s when connecting to tsrecorder. This
    affected tailnets that use Tailscale SSH recording

- Update to version 1.90.4:
  * deadlock issue no longer occurs in the client when checking
    for the network to be available
  * tailscaled no longer sporadically panics when a
    Trusted Platform Module (TPM) device is present

- Update to version 1.90.3:
  * tailscaled shuts down as expected and without panic
  * tailscaled starts up as expected in a no router configuration environment

- add patch fix-CVE-2025-22869.patch, fixes bsc#1239353

- update to 1.80.3:
  * appc: fix a deadlock in route advertisements
  * client/web: fix CSRF handler order in web UI

- update to 1.80.2:
  * Use ip:country as a geolocation device posture attribute (generally available).

- update to 1.80.1:
  * net/netmon: add extra panic guard around ParseRIB

- update to 1.80.0:
  * Hostname system policy is added for overriding the device hostname
    configured by the operating system, using an MDM solution.
  * Web interface displays a Login button instead of the Reauthenticate button
    when adding a new device to your tailnet.
  * Tailscale Funnel configuration on devices displays errors when incoming
    connections are not permitted and connections are disallowed.
  * Connections to a custom coordination server that does not support HTTPS
    will no longer fail when a custom port number is specified.
  * TLS certificate requests from Let’s Encrypt include the device's DNS name
    in the CSR’s SAN extension and set the Common Name field.
  * Tailscale Funnel disabled on a device no longer displays enabled in the
    admin console.
  * GitHub username change automatically updates tailnet name
  * 4via6 subnet routers GA
  * Auto approvers GA
  * Node attributes GA
  * Download invoices GA
  * Fast user switching GA
  * Configuration log streaming integration with S3 buckets GA
  * Network flow log streaming integration with S3 buckets GA
  * NextDNS profiles per device GA
  * GitHub secret scanning
- remove fix-CVE-2024-45337.patch, as it's now included

- add patch fix-CVE-2024-45337.patch, to circumevent a possibility
  of exploiting the golang-x-crypto security hole. (fix #1234506)

- update to 1.78.3:
  * cmd/containerboot: fix nil pointer exception
  * hostinfo: fix testing in container

- update to 1.78.1:
  * health: fix TestHealthMetric

- update to 1.78.0:
  * Client metrics have been added, to provide insights into Tailscale client
    behavior, health, and performance.
  * tailscale metrics command has been added, to expose and collect client
    metrics for use with third-party monitoring systems.
  * tailscale syspolicy command has been added, to list system policies, reload
    system policies, or view errors related to the system policies configured
    on the device.
  * Tailscale system policies are applied immediately when pushed via mobile
    device management (MDM) or Group Policy, without requiring a client restart.
  * Tailscale SSH session recording detects the disappearance of the recorder
    node sooner. This fix addresses a security vulnerability described
    in TS-2024-013.
  * New scopes for OAuth clients have been added with more granular permissions.
    Existing OAuth clients using the previous set of scopes, and keys generated
    using these clients, are still valid.

- update to 1.76.6:
  * Logging for when clients move home DERP regions is improved.
  * Tailscale clients no longer move their home DERP server prematurely in
    response to unusual latency at very specific times.