Tailscale on Roon OS / ROCK lagging 6 versions (ref#I92AQ8)

What’s happening?

· Other

How can we help?

· None of the above

Other options

· Other

Describe the issue

Update Tailscale on Roon OS / ROCK; it's lagging 6 versions. Security concerns.

Describe your network setup

Unifi hardware, using Tailscale.

Thank you for reaching out to Roon Support.

Regarding your concern about the Tailscale version on Roon OS/ROCK — while we understand your request to update it, we’d like to clarify that Tailscale version 1.72.1 is not associated with any known security vulnerabilities, and we have not received reports of performance or stability issues with this version.

We do see that you’ve already submitted a feature request to have it updated. Once that request gains significant support from other users, our product team will review it and consider prioritizing it in the development roadmap.

For now, we’ll mark this thread as Solved, but please don’t hesitate to reach out again if you have any further questions or concerns.

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.

What’s happening?

· Other

How can we help?

· None of the above

Other options

· I don't like how the product works

Describe the issue

Update Tailscale as 1.72.1 has security vulnerabilities.

Describe your network setup

no issues with connectivity

Can you point out the fix and version?

Linux

Whether that affects Roon depends on a lot of things

In tailnets where Tailnet Lock is enabled, unsigned nodes running the tailscaled daemon (for example, on Linux) without specifying a --statedir or --state failed to enforce the required signing checks. This allowed them to communicate with other similarly misconfigured, unsigned nodes, or with malicious nodes that joined the tailnet. This behaviour bypassed the Tailnet Lock security policy for a specific subset of nodes.

Running with --statedir or --state, which seems to be the normal thing to do, already sufficed to be not vulnerable.

I don’t know if that’s the case for Roon, it should be, but as always with security issues, details matter. A lot.

We have no idea of the internals of RoonOS, so Roon will need to confirm whether this vulnerability needs to be addressed.

My hope is Roon receive and assess update notifications, and act accordingly.

Exactly, so stating “update it because there are vulnerabilities” is more than premature.

Roon Labs did already state that they are monitoring it and will update as necessary.

There will occasionally and inevitably be questions, and that’s fine, EDIT: and in theory, someone could have found an actual vulnerability or even exploit, in which case by all means please do report it.

But users who drain resources because they think they know better based on superficial information usually aren’t helpful. (From experience, at work we need to pay an FTE whose only job is to debunk false, misguided security claims.)

My view is this. If you’re concerned about such things, don’t run an appliance, i.e., ROCK, and install Roon server on an OS of your choice and manage updates yourself.


And in this case, if you want to make your own judgements, be an actual expert, understand deeply, and read carefully, or else you will just make things worse.

Hello everyone,

We brought up this issue with the team and they have confirmed that Tailscale on RoonOS already runs with the flag, meaning we are not affected by this vulnerability. Auto-updates to Tailscale are considered a feature request at the present time, and you can vote for this in the Feature Suggestions topic below:

Thank you.


This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.
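
The advisory text quoted in the thread above turns on whether tailscaled was started with --state or --statedir. The following script is an added example, not part of any post here and not Roon's or Tailscale's code: it checks that condition for a given command line and for any tailscaled process visible under /proc on a Linux host. The sample command lines and paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether a tailscaled command line carries --state or
# --statedir, the condition named in the advisory text quoted in this thread.

# classify_tailscaled_args ARG...
# Prints "state-flag-present" (exit 0) or "state-flag-missing" (exit 1).
# Go's flag parser accepts -flag and --flag, as "flag=value" or "flag value".
classify_tailscaled_args() {
    while [ "$#" -gt 0 ]; do
        case "$1" in
            --) break ;;                       # end of flags
            -state=?*|--state=?*|-statedir=?*|--statedir=?*)
                echo state-flag-present; return 0 ;;
            -state|--state|-statedir|--statedir)
                # separate-value form: the next argument must be non-empty
                if [ -n "${2-}" ]; then
                    echo state-flag-present; return 0
                fi ;;
        esac
        shift
    done
    echo state-flag-missing
    return 1
}

# scan_tailscaled: classify every running tailscaled found under /proc.
# Prints one "<verdict> pid=<pid>" line per process; prints nothing if none run.
scan_tailscaled() {
    for comm in /proc/[0-9]*/comm; do
        [ -r "$comm" ] || continue
        [ "$(cat "$comm" 2>/dev/null)" = tailscaled ] || continue
        dir=${comm%/comm}
        verdict=$(
            # /proc/<pid>/cmdline is NUL-separated; split it on newlines only
            IFS='
'
            set -f
            set -- $(tr '\0' '\n' 2>/dev/null < "$dir/cmdline")
            classify_tailscaled_args "$@"
        ) || :
        echo "$verdict pid=${dir#/proc/}"
    done
    return 0
}

# Constructed sample command lines (not taken from Roon OS), then the live scan.
classify_tailscaled_args /usr/sbin/tailscaled --state=/var/lib/tailscale/tailscaled.state || :
classify_tailscaled_args /usr/sbin/tailscaled --port 41641 || :
scan_tailscaled
```

A "state-flag-missing" result only shows that neither flag is on the command line; whether the node is exposed still depends on the Tailnet Lock conditions described in the quoted advisory text.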

What’s happening?

· Other

How can we help?

· None of the above

Other options

· Other

Describe the issue

Software Vulnerability. This has been raised on the forums several times. Tailscale is now alerting us that the version running in ROCK contains a known vulnerability. I understand the difficulty in allowing external provider software to auto-update. Please consider updating this version.

Describe your network setup

Ethernet