Puppet 7.34.0 $$$Released October 2024. In this release; support is added for Debian 12 (Bookworm) amd64 on Puppet Server and PuppetDB; and several updates are implemented to address security vulnerabilities.$$$$$$GitHub releases$$$Additional details about release updates are available on GitHub. For more information; go to the following sites:$$$Facter$$$$$$Puppet$$$$$$Puppet agent$$$$$$Puppet runtime$$$$$$Security$$$Patch Curl in agent-runtime$$$Patched Curl to address CVE-2024-8096.$$$$$$PA-6961$$$$$$Update libxml2$$$Puppet agents vendored libxml2 is upgraded to version 2.13.4 to address the following vulnerabilities: CVE-2024-25062; CVE-2024-34459; and CVE-2024-40896.$$$$$$PA-6973$$$$$$Update Ruby 2.7$$$Ruby 2.7 was updated to address CVE-2024-27281.$$$$$$PA-7089$$$$$$Contributors$$$The Puppet team appreciates all Puppet Community members who contributed content to the October 2024 releases.

Puppet 7.33.0 $$$Released September 2024. This release resolves an issue with catalog downloads and addresses security vulnerabilities.$$$$$$GitHub releases$$$Additional details about release updates are available on GitHub. For more information; go to the following sites:$$$Facter$$$$$$Puppet$$$$$$Puppet agent$$$$$$Puppet runtime$$$$$$Security$$$Update REXML$$$The REXML gem was updated to version 3.3.6 to address the following security vulnerabilities: CVE-2024-41946; CVE-2024-35176; CVE-2024-41123; CVE-2024-39908; and CVE-2024-43398.$$$$$$PA-6682; PA-6881; PA-6507; PA-6736; PA-6901$$$$$$Patch RDoc vulnerability$$$Patched a vulnerability in the RDoc gem as distributed in Ruby 2.7.8 to address CVE-2024-27281.$$$$$$PA-6282$$$$$$Patch Curl in agent-runtime$$$Patched Curl to address CVE-2024-7264.$$$$$$PA-6878$$$$$$Update OpenSSL$$$OpenSSL was updated to address CVE-2024-5535.$$$$$$PA-6889$$$$$$Resolved issues$$$Resolved issue with catalog download.$$$Addressed an issue where catalog download would fail when running the puppet catalog download command with the default options. The puppet catalog download command now correctly sends facts to download the catalog. Community member nabertrand submitted this issue.$$$$$$PUP-12046$$$$$$Contributors$$$The Puppet team appreciates all Puppet Community members who contributed content to the September 2024 releases.$$$$$$

Puppet 7.32.1 $$$Released July 2024. This release adds support for the following operating systems: AlmaLinux 9 (x86_64; AARCH64); Rocky Linux 9 (x86_64; AARCH64); and Ubuntu 24.04 (x86_64; ARM).$$$$$$GitHub releases$$$Additional details about release updates are available on GitHub. For more information; go to the following sites:$$$Facter$$$$$$Puppet$$$$$$Puppet agent$$$$$$Puppet runtime$$$$$$Enhancements

Puppet 7.31.0 $$$Released June 2024. This release introduces support for new operating systems.$$$$$$GitHub releases$$$Additional details about release updates are available on GitHub. For more information; go to the following sites:$$$$$$Facter$$$$$$Puppet$$$$$$Puppet Agent$$$$$$Puppet Runtime$$$$$$Enhancements$$$New operating systems$$$You can now install Puppet agent on the following new operating systems:$$$Amazon Linux 2 (aarch64)$$$Fedora 40 (x86_64)$$$Red Hat Enterprise Linux 9 for Power (ppc64le)$$$Security$$$CVE-2024-2511 and CVE-2024-27282$$$Two security fixes are backported to 7.31.0. The fixes address CVE-2024-2511 and CVE-2024-27282.$$$$$$Contributors$$$The Puppet team appreciates the Puppet Community members who contributed content for recent releases and extends special appreciation to these first-time contributors: anhpt37; Animeshz; garrettrowell; smokris; tlehman; and yakatz.

Puppet 7.30.0 $$$Released April 2024.$$$$$$GitHub Releases$$$More details about what has changed in this release are available on GitHub. Visit the following links for more information:$$$$$$Facter$$$$$$Puppet$$$$$$Puppet Agent$$$$$$Puppet Runtime$$$$$$Enhancements$$$Option to disable catalog messages $$$Added a boolean Puppet setting to disable notice level messages specifying which server the agent requests a catalog from and which server actually handles the request. Catalog messages are enabled by default. PUP-12023$$$$$$package: pacman provider: Add purgeable feature$$$Added an option to the pacman provider to purge config files. This feature was contributed by community member bastelfreak.$$$$$$Resolved issues$$$Non-literal class parameter types need to be deprecated. $$$Previously; non-literal class parameters caused errors due to the different default values of the strict setting. puppet parser validate also returned non-zero exit codes. Now the issue is a language deprecation; so a warning is generated and puppet parser validate returns 0. All language deprecation warnings can be disabled by setting disable_warnings=deprecations in the main section of puppet.conf. PUP-12026$$$$$$Package provider pip not fully functional with network urls on Ubuntu 22.04. $$$Puppets pip package provider now supports installing python modules via network URLs; e.g. source => git+https://github.com/<org>/<repo>.git. Fix contributed by community member smokris. PUP-12027$$$$$$Provider dnfmodule prompts user to trust gpg key when performing module list.$$$Added assumeyes option to dnf module list. Fix contributed by community member loopiv.$$$$$$Security$$$Vulnerabilities in curl$$$Backported patches for CVE-2024-2004 and CVE-2024-2398 in curl 7.88.1. PA-6291

Puppet 7.27.0 $$$Released November 2023.$$$$$$Enhancements$$$Ship FIPS compatible Java key store in fips agents$$$FIPS Puppet agent builds now include a FIPS-compatibile java keystore.$$$$$$The following Certificate Authorities were also added and removed:$$$create Atos_TrustedRoot_Root_CA_ECC_TLS_2021:2.16.61.152.59.166.102.61.144.99.247.126.38.87.56.4.239.0.crt$$$create Atos_TrustedRoot_Root_CA_RSA_TLS_2021:2.16.83.213.207.230.25.147.11.251.43.5.18.216.194.42.162.164.crt$$$create BJCA_Global_Root_CA1:2.16.85.111.101.227.180.217.144.106.27.9.209.108.62.192.108.32.crt$$$create BJCA_Global_Root_CA2:2.16.44.23.8.125.100.42.192.254.133.24.89.6.207.180.74.235.crt$$$create Certainly_Root_E1:2.16.6.37.51.177.71.3.51.39.92.249.141.154.185.191.204.248.crt$$$create Certainly_Root_R1:2.17.0.142.15.249.75.144.113.104.101.51.84.244.212.68.57.183.224.crt$$$create DigiCert_TLS_ECC_P384_Root_G5:2.16.9.224.147.101.172.247.217.200.185.62.28.11.4.42.46.243.crt$$$create DigiCert_TLS_RSA4096_Root_G5:2.16.8.249.180.120.168.250.126.218.106.51.55.137.222.124.207.138.crt$$$delete E-Tugra_Certification_Authority:2.8.106.104.62.156.81.155.203.83.crt$$$delete EC-ACC:2.16.238.43.61.235.212.33.222.20.168.98.172.4.243.221.196.1.crt$$$delete Hellenic_Academic_and_Research_Institutions_RootCA_2011:2.1.0.crt$$$delete Hongkong_Post_Root_CA_1:2.2.3.232.crt$$$delete Network_Solutions_Certificate_Authority:2.16.87.203.51.111.194.92.22.230.71.22.23.227.144.49.104.224.crt$$$create SSL.com_TLS_ECC_Root_CA_2022:2.16.20.3.245.171.251.55.139.23.64.91.226.67.178.165.209.196.crt$$$create SSL.com_TLS_RSA_Root_CA_2022:2.16.111.190.218.173.115.189.8.64.226.139.77.190.212.247.91.145.crt$$$create Sectigo_Public_Server_Authentication_Root_E46:2.16.66.242.204.218.27.105.55.68.95.21.254.117.40.16.184.244.crt$$$create Sectigo_Public_Server_Authentication_Root_R46:2.16.117.141.253.139.174.124.7.0.250.169.37.167.225.199.173.20.crt$$$create Security_Communication_ECC_RootCA1:2.9.0.214.93.155.179.120.129.46.235.crt$$$create Security_Communication_RootCA3:2.9.0.225.124.55.64.253.27.254.103.crt$$$delete Staat_der_Nederlanden_EV_Root_CA:2.4.0.152.150.141.crt$$$PA-4813$$$$$$Add RHEL 9 (ARM64) support$$$Puppet now supports RHEL 9 (ARM64). PA-4998$$$$$$Add Ubuntu 22.04 (ARM64) support$$$Puppet now supports Ubuntu 22.04 (ARM64). PA-5050$$$$$$Make split() sensitive aware$$$The split function now accepts sensitive values and returns a Sensitive[Array]. This change was contributed by community user cocker-cc. PUP-11429$$$$$$Log openssl version and fips mode$$$Puppet agent now logs the openssl version along with ruby and Puppet versions when running in debug mode. PUP-11930$$$$$$Resolved issues$$$puppet ssl clean <REMOTE CERT> clears local private key and local certificate$$$puppet ssl clean <argument> now prints an error that <argument> is unexpected instead of deleting the local certificate and private key. PUP-11895$$$$$$100% usage of a CPU core when an exec command sends EOF$$$Previously; Puppet could cause excessive CPU utilization on *nix if a child process closed stdin. This has been fixed. Fix contributed by community user bugfood. PUP-11897$$$$$$puppet/lib/puppet/pops/time/timespan.rb:637: warning: passing a block to String#codepoints is deprecated$$$Eliminated a warning when running on JRuby 9.4 and using the Timespan data type. PUP-11934$$$$$$Security$$$Upgrade OpenSSL$$$Upgraded OpenSSL to 3.0.11 to address CVE-2023-4807. PA-5783$$$$$$Patch Curl in puppet-runtime$$$Patched Curl to address CVE-2023-38545. PA-5848$$$$$$Deprecations and removals$$$Remove TrustCor CA certs$$$The following CA certs were removed:$$$TrustCor_ECA-1:2.9.0.132.130.44.95.28.98.208.64.crt$$$TrustCor_RootCert_CA-1:2.9.0.218.155.236.113.243.3.176.25.crt$$$TrustCor_RootCert_CA-2:2.8.37.161.223.202.51.203.89.2.crt$$$PA-4809

Puppet 7.26.0 $$$Released August 2023.$$$$$$Enhancements$$$Upgrade hiera-eyaml to 3.4+$$$Upgraded the hiera-eyaml component to 3.4. PA-5633$$$$$$Resolved issues$$$ffi and nokogiri gem use the wrong architecture when cross compiling$$$Fixed an issue where some gems would get built using the wrong architecture when cross compiling. PA-5666$$$$$$certname with .pp in the middle doesnt pick up its own manifest$$$Fixed an issue where manifests with .pp in their file names were not imported. PUP-11788$$$$$$The --no-preprocess_deferred option breaks deferring of Sensitive file content$$$It is now possible to specify the content property for file resources as containing a Deferred function that returns a Sensitive value when lazily evaluating deferred values (the default behavior in 8.x or when setting Puppet[:preprocess_deferred] false in 7.x). For example: content => Deferred(new; [Sensitive; password]). PUP-11846$$$$$$Sleeping agents raise attempt to read body out of block (IOError)$$$Previously; the agent erroneously tried to read a response body after closing the connection when a Puppet server requested the agent retry. Now when the agent is told to retry; the agent waits the specified sleep duration and does not error trying to read the request body after closing the connection. PUP-11853$$$$$$Security$$$Upgrade OpenSSL$$$Upgraded OpenSSL to address various vulnerabilities (CVE-2023-3817; CVE-2023-3446; CVE-2023-2975; CVE-2023-0464). PA-5699$$$$$$Bump Ruby URI component for CVE-2023-36617$$$Patched Ruby to address a vulnerability in the URI gem (CVE-2023-36617). PA-5638

Puppet 7.25.0$$$$$$Released June 2023.$$$Resolved issues$$$$$$Removed dependency on private class Concurrent::RubyThreadLocalVar$$$$$$The Puppet::ThreadLocal class no longer relies on concurrent-rubys private Concurrent::RubyThreadLocalVar class and instead uses Concurrent::ThreadLocalVar. PUP-11723$$$Setting to prevent falling back to non-rich data$$$$$$Before; Puppet fell back to PSON when unable to serialize to JSON. This can cause issues because rich data types cannot be serialized vis PSON. A new setting; allow_pson_serialization; allows users to turn PSON serialization on or off.$$$$$$allow_pson_serialization defaults to true in Puppet 7 and false in Puppet 8. When set to false; a warning is raised when falling back to PSON. When set to true; an error is raised instead. This option affects Puppet Servers configuration management service responses as well as when the agent saves its cached catalog. PUP-10928$$$Security$$$$$$Bump curl to 7.88.1$$$$$$Upgraded the curl component from 7.86 to 7.88.1 to address several security vulnerabilities. PA-5393$$$

Released April 2023.$$$$$$Resolved issues$$$Puppet resource cant load time object to YAML$$$The file resource now supports puppet resource file <path> --to_yaml. PUP-11763$$$$$$each; map; and filter functions are slow and buggy on jruby$$$Fixed an issue where the each; map; and filter built-in functions in Puppet language had poor performance and consumed unnecessary resources. PUP-11755$$$$$$Enhancements$$$Warn if Puppet falls back to PSON

Puppet 7.29.1 $$$Released March 2024.$$$$$$Resolved issues$$$Using a negative value with the integer type assertion on a class causes a compilation error.$$$Previously; negative values caused a compilation errors when used with the integer type assertion on a class. This has been fixed. PUP-12024

Puppet 7.21.0 $$$Released December 2022.$$$$$$Enhancements$$$Allow legacy facts to be excluded $$$Added a Puppet setting include_legacy_facts to control whether legacy facts are sent to puppetserver when requesting a catalog. By default; Puppet continues to send legacy facts; but it can be disabled if all puppet manifests; hiera.yaml and hiera configuration layers are modified to no longer use legacy facts. PUP-11662$$$$$$Allow omission of unchanged resources from reports$$$With the new setting exclude_unchanged_resources; Puppet can omit data about unchanged resources from reports. This can decrease the size of reports significantly. PUP-11654$$$$$$Resolved issues$$$Tasks are not listed when a single task in an environment has malformed metadata$$$Tasks containing invalid JSON metadata are skipped in the GET /tasks endpoint rather than the whole response returning 500. PUP-11683$$$$$$Purging SSH keys on a user resource fails when alias is used$$$Catalog compilation no longer fails when using the purge_ssh_keys parameter on a user resource with an alias metaparameter. PUP-11631$$$$$$puppet lookup –E does not execute the ENC $$$If you specify puppet lookup with an explicit environment ( --environment web ) then lookup did not call to the classifier; causing any node parameters set in the classifier to be omitted. This was because calling the classifier assigns a different environment to the node by default; returning a lookup result for a different environment than was requested. This issue has been fixed. It also affected open source (replace the word classifier with ENC). PUP-11527$$$$$$Security$$$Bump puppet-runtimes Ruby to 2.7.7 $$$Updates puppet-agents Ruby to 2.7.7; addressing CVE-2021-33621. PA-4805$$$$$$Update libxml2 to 2.10.3 $$$Updates puppet-agents vendored libxml2 from 2.9.8 to 2.10.3; which addresses CVE-2021-4541; CVE-2022-23308; CVE-2022-29824; CVE-2022-40303; and CVE-2022-40304. Also updates puppet-agents vendored libxslt from 1.1.33 to 1.1.37; which addresses CVE-2021-30560. PA-4770$$$$$$osx-10.15-x86_64 - NULL pointer dereference in Nokogiri $$$Updates Nokogiri to 1.13.9; which addresses CVE-2022-2309; CVE-2022-40304; and CVE-2022-40303 in Nokogiris vendored libxml2 and CVE-2022-37434 in Nokogiris vendored zlib. PA-4767

Puppet 7.20.0 $$$Released October 2022.$$$$$$Enhancements$$$Tag and bump puppet-resource_api in Puppet 7 $$$Bumps resource-api gem to 1.8.16. PA-4702$$$$$$Resolved issues$$$Puppet::Util::Json raises an error when reading an empty file $$$Puppet no longer errors when loading an empty task metadata file. PUP-11629$$$$$$Augeas not working on M1 macOS Big Sur $$$Fixed a bug in the Augeas component of the puppet-agent platform on macOS. Contributed by Puppet community member h0tw1r3. PA-4704$$$$$$Augtool packaged in puppet-agent 7.19.0 is broken $$$puppet-agent 7.19.0 had a broken Augeas packaged with it. This is fixed in puppet-agent 7.20.0. PA-4686$$$$$$Deprecations and removals$$$Support for Debian 9 removed $$$This release removes support for Debian 9 (x86 and x86-64) from puppet-agent. PA-4576$$$$$$Support for Fedora 34 and 32 removed $$$This release removes support for Fedora 34 and 32 (x86-64) from puppet-agent. PA-4284; PA-4269

Puppet 7.19.0 $$$Released September 2022.$$$$$$Note:$$$New versions of Puppet now release every six weeks rather than every four weeks.$$$$$$Enhancements$$$Support for Fedora 36 (x86_64) $$$This release adds support for Fedora 36 (x86_64). PA-4668$$$$$$Updated Augeas to 1.13.0 $$$Bumped Augeas to 1.13.0 for all supported platforms except for Solaris and AIX. Those two platforms remain on 1.12.0; as Augeas 1.13.0 fails to compile due to a few readline function calls that are not on Solaris or AIX. PA-4494$$$$$$Resolved issues$$$Puppet sends malformed PuppetDB reports with Oj $$$Reports sent to PuppetDB using the Oj JSON backend are now properly formatted. PUP-11620$$$$$$puppet module list --render-as json does not report unmet dependencies $$$puppet module list --render-as json now includes information about unmet dependencies. PUP-11604$$$$$$Puppet does not write SELinux labels on ZFS $$$Marked ZFS as an SELinux-capable filesystem. PUP-11603$$$$$$Puppet::Util.safe_posix_fork fails if /proc/self is not a directory $$$Puppet now handles misconfigured /proc filesystems correctly. PUP-11594$$$$$$Puppet on Ruby 3.1 warns about ERB passing safe_level as non-keyword argument$$$Puppet now passes ERB arguments as keywords. PUP-11552$$$$$$Security$$$FIPS OpenSSL: disable c_rehash binary $$$Fixed CVE-2022-1292 and CVE-2022-2068. PA-4621

Enhancements$$$Bump to openssl-fips-1.1.1k-6$$$Updated openssl-fips on RedHat to 1.1.1k-6. PA-4498$$$$$$Update puppet-ca-bundle$$$Updated root certificate authority bundle included with puppet-agent. PA-4496$$$$$$Support for macOS 12 (M1)$$$This release adds support for macOS 12 (M1). PA-4457$$$$$$Support for Windows 11 Enterprise (x86_64)$$$This release adds support for Windows 11 Enterprise (x86_64). PA-4249$$$$$$Support for Ubuntu 22.04 (x86_64)$$$This release adds support for Ubuntu 22.04 (x86_64). PA-4233$$$$$$Resolved issues$$$Sub-directory names returned as task names when listing tasks from a module$$$The puppet/v3/tasks REST API only returns files in the tasks directory of each module and no longer includes the names of subdirectories. PUP-11539$$$$$$Puppet agent --disable is ignored with cron puppet agent (splay).$$$Puppet agent now checks the disabled lock file after sleeping due to splay. PUP-9998$$$$$$puppet-cacerts keystore is missing on Red Hat 9; SLES 15 and Ubuntu 20.04$$$If Puppet agent is installed; there is a java keystore file. PA-4440$$$$$$Deprecations and removals$$$Support for Operating Systems removed$$$This release removes support for Fedora 32; CentOS 8; and Ubuntu 16.04. PA-4328$$$$$$Security$$$Update puppet runtimes curl to 7.83.1$$$Updated runtime to fix CVE-2022-22576; CVE-2022-27774; and CVE-2022-27776. PA-4472