Puppet release notes

Upgrade Curl in agent-runtime

Curl is upgraded to version 8.10.1 to address CVE-2024-8096.

PA-6962

Upgrade libxml2

Puppet agent's vendored libxml2 is upgraded to version 2.13.4 to address the following vulnerabilities: CVE-2024-25062, CVE-2024-34459, and CVE-2024-40896.

PA-6973

Update OpenSSL

OpenSSL is updated to address CVE-2024-6119.

PA-6959

Fixed issue with splay limits and added logging.

An issue was corrected to ensure that any splay setting updates in the Puppet configuration file (puppet.conf) are applied to daemonized Puppet runs. Logging for splay has also now been added at the info level.

PUP-12061

Increased default soft limit for the total number of facts.

The default value of the number_of_facts_soft_limit setting is increased from 2048 to 10240, to address an issue where warnings were displayed after installing Puppet Enterprise with default configuration.

PUP-12071

Set default service provider for Raspbian.

SystemD is now the default service provider for Raspbian. This resolves an issue where incorrect default providers were identified when running Puppet agent on Raspberry Pi. Community member jaevans reported this issue and submitted a fix.

PUP-11949

Contributors

The Puppet team appreciates all Puppet Community members who contributed content to the October 2024 releases.

Upgrade Ruby in puppet-runtime

Ruby is upgraded to version 3.2.5 to address CVE-2024-39908 and CVE-2024-35176.

PA-6875, PA-6736, PA-6507

Upgrade Curl

Curl is upgraded to version 8.9.1 to address the following CVEs: CVE-2024-6874, CVE-2024-6197, and CVE-2024-7264.

PA-6872

Update REXML

The REXML gem was updated to version 3.3.6 to address CVE-2024-41946, CVE-2024-41123, and CVE-2024-43398.

PA-6882, PA-6881, PA-6901

Bump puppet-agent's bundled OpenSSL

OpenSSL was upgraded to version 3.0.15 to address CVE-2024-5535.

PA-6699

Resolved issue with catalog download.

Addressed an issue where catalog download would fail when running the puppet catalog download command with the default options. The puppet catalog download command now correctly sends facts to download the catalog. Community member nabertrand submitted this issue.

PUP-12046

Default Security-Enhanced Linux (SELinux) types on file resources are now correctly assigned.

Fixed a regression introduced in Puppet 8.8.1 when assigning default SELinux contexts to files. Community member davejbax submitted this issue and contributed to the fix.

PUP-12066

Resolved issue with node definition using regular expressions (regex).

Previously, under certain circumstances, duplicate nodes could be defined, due to the order in which regex type node names were checked. The issue was resolved to help ensure that nodes are matched to unique definitions.

PUP-11515

Addressed an issue with profiling timers.

Addressed an issue where, under certain circumstances, NTP updates or other similar events were causing Puppet profiling timers to display inconsistent results. This issue was resolved by switching to a monotonic clock, to help ensure that time displays in Puppet profile results are not affected by these events.

PUP-7520

Contributors

The Puppet team appreciates all Puppet Community members who contributed content to the September 2024 releases and extends special thanks to @davejbax as a first-time contributor.

New operating systems

Ruby update

Puppet is updated to ensure compatibility with Ruby 3.3.

OpenSSL upgrade

Upgraded to OpenSSL 3.0.14 to address CVE-2024-4603 and CVE-2024-2511.

Change related to splay limits was reverted.

In the Puppet 8.7.0 release, a defect was corrected to ensure that any splay setting updates in the Puppet configuration file (puppet.conf) would be applied to daemonized Puppet runs. However, the fix resulted in an unexpected side issue that caused splays to be frequently recalculated, potentially delaying Puppet startup times. For this reason, the change was reverted. In the Puppet 8.8.1 release, splay setting updates in the Puppet configuration file (puppet.conf) are not applied to daemonized Puppet runs.

Sensitive values returned by deferred functions are protected.

Previously, in certain circumstances, when a function of the Deferred type returned a value of the Sensitive type, the value was displayed in clear text. The issue is resolved to help ensure that sensitive values are protected.

Windows agents now run as expected.

Previously, when a value of 0 was specified for the runinterval setting, Windows agents ran every 30 minutes. Now, a setting of 0 causes the agents to run continuously as expected.

Resolved issue with catalog compilation.

Addressed an issue where catalog compilation would fail when running the puppet lookup command with the --compile option when server facts were present in the catalog.

Resolved issue to ensure that the Puppet agent service starts automatically.

In certain circumstances, when Puppet was successfully installed or upgraded on Microsoft Windows Server 2019 or 2022, the Puppet agent service did not restart automatically as expected. This fix helps to ensure that the service starts running without user intervention. Community member rismoney submitted the issue, which was fixed by another community member, vibe.

Deprecated Security-Enhanced Linux (SELinux) methods are replaced.

Deprecated SELinux methods of the matchpathcon family such as Selinux.matchpathcon are replaced by supported SELinux methods such as Selinux.selabel_lookup. This update does not require any action by Puppet users. Community member wbclark contributed to this fix.

Contributors

The Puppet team appreciates all Puppet Community members who contributed content to the July 2024 releases and extends special thanks to the following first-time contributors: @jiwonaid and @jordanbreen28.

New operating systems

Major version upgrade for curl

Curl is now upgraded in Puppet agent to Version 8.7.1. This version of curl is designed to enhance security and stability.

CVE-2024-27282

Upgraded to Ruby 3.2.4 to address CVE-2024-27282.

Contributors

The Puppet team appreciates the Puppet Community members who contributed content for recent releases and extends special appreciation to these first-time contributors: anhpt37, Animeshz, garrettrowell, smokris, tlehman, and yakatz.

Fixed issue with splay limits.

An issue was corrected to ensure that any splay setting updates in the Puppet configuration file (puppet.conf) are applied to daemonized Puppet runs.

Option to disable catalog messages

Added a boolean Puppet setting to disable "notice" level messages specifying which server the agent requests a catalog from and which server actually handles the request. Catalog messages are enabled by default. PUP-12023

package: pacman provider: Add purgeable feature

Added an option to the pacman provider to purge config files. This feature was contributed by community member bastelfreak.

Update core modules

Non-literal class parameter types need to be deprecated.

Previously, non-literal class parameters caused errors due to the different default values of the strict setting. puppet parser validate also returned non-zero exit codes. Now the issue is a language deprecation, so a warning is generated and puppet parser validate returns 0. All language deprecation warnings can be disabled by setting disable_warnings=deprecations in the main section of puppet.conf. PUP-12026

Package provider "pip" not fully functional with network urls on Ubuntu 22.04.

Puppet's pip package provider now supports installing python modules via network URLs, e.g. source => 'git+https://github.com/<org>/<repo>.git'. Fix contributed by community member smokris. PUP-12027

Provider dnfmodule prompts user to trust gpg key when performing module list.

Added assumeyes option to dnf module list. Fix contributed by community member loopiv.

Puppet resource returns zero if it fails to make changes

Added new --fail command line flag for Puppet resource.

Remove Accept-Encoding header on redirect

Previously, Puppet copied all request headers in an HTTP redirect, including Accept-Encoding. In some cases when HTTP compression was enabled, the response failed to decompress, then failed to parse and triggered a vague error. This change strips the Accept-Encoding headers on redirect, allowing Ruby's built-in Net::HTTP to both compress and decompress the traffic.

Accept UnaryMinusExpression as class parameter type

Previously, class parameters of the form Integer[-1] $param failed compilation, because the value -1 was lexed as a UnaryMinusExpression containing a LiteralInteger. And since the LiteralEvaluator didn't implement theliteral_UnaryMinusExpression method, the visitor called literal_XXX for each ancestor class, until reaching literal_Object, which always raises.

This adds the literal_UnaryMinusExpression method and returns -1 times the expression it wraps.

If strict is off, the issue is ignored. If strict is warning, a warning is reported, but compilation continues. If strict is error, compilation fails.

Upgrade OpenSSL

Upgraded openssl to version 3.0.13 to address the following CVEs: CVE-2023-5678; CVE-2023-6129; CVE-2023-6237; CVE-2024-0727. PA-6131

Vulnerabilities in curl

Backported patches for CVE-2024-2004 and CVE-2024-2398 in curl 7.88.1. PA-6291

New Digicert code-signing cert

Windows MSI are now signed with a new certificate, valid until March 2027. The Issuing CA is "DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1".

Using a negative value with the integer type assertion on a class causes a compilation error.

Previously, negative values caused a compilation errors when used with the integer type assertion on a class. This has been fixed. PUP-12024

Debian 12 (x86_64) support

Added support for Debian 12 (x86_64). PA-5549

Debian 12 (ARM) support

Syntactically incorrect types cause nil types in Puppet::InfoService::ClassInformationService

Previously, when a type was incorrectly specified, Puppet’s class_information_service ignored the error and produced an empty type specification. Puppet now produces a warning and assigns a default type in the nil case. PUP-11981.

Bump concurrent-ruby to 1.2.2

Bumped concurrent-ruby gem to 1.2.2. PA-5960

Add logging of server hostnames when requesting configuration

Puppet agents now log server hostnames when requesting catalogs. PUP-11899

Add logging of which Puppet Server handled catalog requests

Puppet agents now log the FQDN name of the server that compiled the catalog. This is useful when there are multiple compilers behind a load balancer. PUP-11900

Update package & service providers for Amazon Linux 2023

Updates Amazon Linux 2023's default package and service providers to DNF and SystemD, respectively. Contributed by GitHub user vchepkov. PUP-11976

Debian 11 (ARM) support

Added support for Debian 11 (ARM).

Amazon Linux 2023 support

Added support for Amazon Linux 2023.

MacOS 14 support

Added support for MacOS 14.

puppet-agent-7.25: selinux Bindings broken on RHEL9.1

Fixed an issue introduced in 7.25.0 that prevented Puppet from managing selinux if the system libselinux libraries were previous to version 3.5. PA-5632

RHEL 8 FIPS agent fails to start after upgrade to Puppet 8

Fixed an issue that prevented the RHEL 8 FIPS agent from starting after upgrading to Puppet 8. PA-5786

/opt/puppetlabs/puppet/bin/openssl fails to load library dependencies on AIX

Set RPATH for openssl 1.1.1 to load dependencies from Puppetlabs libdir in order to ensure that /opt/puppetlabs/puppet/bin/opensslloads its library dependencies that were shipped in the puppet-agent package. PA-5925

Puppet agent on Solaris 11 x86 fails when updated to SRU >= 57

Fixed a regression that prevented the ffi gem's native extension from loading on newer versions of Solaris 11.4. PA-5929

Puppet chooses wrong service default provider on Gentoo if systemd is used

Systemd is now the default service provider on Gentoo. Fix contributed by community member bastelfreak. PUP-11593

Resources resource type should be marked as apply_to_all

Enables resources metatype compatibility with both hosts and devices. Contributed by GitHub user seanmil. PUP-11666

"Total number of facts" warning not counting array elements

Puppet incorrectly counted array elements and hash keys when determining if the number of facts exceeded the total fact count soft limit. This has been fixed. PUP-11685

Lazily deferred evaluation may not work if type implements autorequire, etc

The command parameter for an exec resource can now be deferred. PUP-11937

dnfmodule fails to enable module with ensure version and no default stream

Puppet can now manage dnfmodule packages with ensure values other than present such as ensure => '1.4'. Fix contributed by community member evgeni. PUP-11985

Upgrade OpenSSL

Upgraded OpenSSL to 3.0.12. PA-5864

Patch Curl in puppet-runtime

Patched Curl to address CVE-2023-38546. PA-5861

Ship FIPS compatible Java key store in fips agents

FIPS Puppet agent builds now include a FIPS-compatibile java keystore.

PA-4813

Bump augeas to 1.14.1

augeas { 'sshd_allow_rsa':
  incl    => '/etc/ssh/sshd_config',
  lens    => 'Sshd.lns',
  context => '/files/etc/ssh/sshd_config/Match/',
  changes => [
    'set Condition/Address 192.168.0.3',
    'set Condition/User user',
    'set Settings/PubkeyAcceptedAlgorithms +ssh-rsa',
   ]
}

Add RHEL 9 (ARM64) support

Puppet now supports RHEL 9 (ARM64). PA-4998

Add Ubuntu 22.04 (ARM64) support

Puppet now supports Ubuntu 22.04 (ARM64). PA-5050

Make split() sensitive aware

The split function now accepts sensitive values and returns a Sensitive[Array]. This change was contributed by community user cocker-cc. PUP-11429

Freeze string literals

String literals are now frozen or immutable by default. PUP-11841

Log openssl version and fips mode

Puppet agent now logs the openssl version along with ruby and Puppet versions when running in debug mode. PUP-11930

Monkey patch {File,Dir}.exists?

Added a monkey patch in Ruby for Puppet code using older Ruby language exists? method. PUP-11945

puppet ssl clean <REMOTE CERT> clears local private key and local certificate

puppet ssl clean <argument> now prints an error that <argument> is unexpected instead of deleting the local certificate and private key. PUP-11895

100% usage of a CPU core when an exec command sends EOF

Previously, Puppet could cause excessive CPU utilization on *nix if a child process closed stdin. This has been fixed. Fix contributed by community user bugfood. PUP-11897

string.new generates strings with unexpected encoding

A regression was introduced in Puppet 8.0.0 which caused the epp and inline_epp functions to return a binary string. If the value was assigned to the parameter of an exported resource, then the parameter's value was converted to base64 in PuppetDB. Any agents that collected the resource then received the base64 encoded value. This release fixes the regression so the functions return a UTF-8 string. PUP-11932

puppet/lib/puppet/pops/time/timespan.rb:637: warning: passing a block to String#codepoints is deprecated

Eliminated a warning when running on JRuby 9.4 and using the Timespan data type. PUP-11934

Correct inaccurate comment in find_file() function

Updated find_file function documentation. This fix was contributed by community member pillarsdotnet. PUP-11940

epp and inline_epp functions return binary strings

Fixed a regression that caused the epp and inline_epp functions to return binary strings instead of UTF-8 encoded strings. This resulted in exported resources being stored as base64 in puppetdb, breaking any node that collected those resources. Fix contributed by community member smortex. PUP-11943

Update host_autorenewal_interval Puppet setting documentation

Previously documentation implied that host_autorenewal_interval refreshes in 30 days regardless of when it expires by default. Documentation was updated to better reflect actual behavior where implementation only attempts to renew its client cert if the cert expires within N days from now. PUP-11944

Error when using {File,Dir}.exists? in Ruby

Added a patch for some Puppet code using older Ruby language exists? method.

Upgrade OpenSSL

Upgraded OpenSSL to 3.0.11 to address CVE-2023-4807. PA-5783

Patch Curl in puppet-runtime

Patched Curl to address CVE-2023-38545. PA-5848

Remove TrustCor CA certs

macOS 13 support

Added support for macOS 13. PA-4772

Upgrade hiera-eyaml to 3.4+

Upgraded the hiera-eyaml component to 3.4. PA-5633

Add agent renew REST implementation

Added a method to send a client certificate renewal request to puppetserver. PUP-11854

Add Puppet setting to configure renewal interval

Added a setting for how often a node attempts to automatically renew its client certificate. PUP-11855

Retry failed CA & CRL refreshes sooner than the next interval

Puppet now attempts to refresh its CA and CRL sooner if initial attempts fail. PUP-11869

Send auto-renew attribute in CSR

Puppet now has an auto-renew attribute. If the agent supports auto-renewal, this attribute is added to the CSR (Certificate Signing Request) when it is generated and is used by Puppet Server to determine if auto-renewal TTL needs to be enabled for a given agent.

Agents that either do not have the hostcert_renewal_interval setting or have it set to 0 do not support auto-renewal and do not have the auto-renew attribute. PUP-11896

ffi and nokogiri gem use the wrong architecture when cross compiling

Fixed an issue where some gems would get built using the wrong architecture when cross compiling. PA-5666

certname with .pp in the middle doesn't pick up its own manifest

Fixed an issue where manifests with .pp in their file names were not imported. PUP-11788

The --no-preprocess_deferred option breaks deferring of Sensitive file content

It is now possible to specify the content property for file resources as containing a Deferred function that returns a Sensitive value when lazily evaluating deferred values (the default behavior in 8.x or when setting Puppet[:preprocess_deferred] false in 7.x). For example: content => Deferred('new', [Sensitive, "password"]). PUP-11846

"Sleeping" agents raise "attempt to read body out of block (IOError)"

Previously, the agent erroneously tried to read a response body after closing the connection when a Puppet server requested the agent retry. Now when the agent is told to retry, the agent waits the specified sleep duration and does not error trying to read the request body after closing the connection. PUP-11853

puppet-resource_api bug with ruby 3.2 and integer munging

Updated puppet-resource_api to enable Ruby 3.2 compatibility. PA-5641

CRL authorityKeyIdentifier is not printed in Puppet 8

Fixed a regression in Puppet 8.x which caused the agent to omit the authorityKeyIdentifier extension for its CRL. PUP-11849

Upgrade OpenSSL

Upgraded OpenSSL to address various vulnerabilities (CVE-2023-3817, CVE-2023-3446, CVE-2023-2975, CVE-2023-0464). PA-5699

Bump Ruby URI component for CVE-2023-36617

Patched Ruby to address a vulnerability in the URI gem (CVE-2023-36617). PA-5638

Refresh cached Puppet CA on Puppet client

Puppet agents will now attempt to refresh their CA certificate(s) once per day. The frequency is controlled by a new Puppet setting: ca_refresh_interval. PUP-10639

Removed dependency on private class Concurrent::RubyThreadLocalVar

The Puppet::ThreadLocal class no longer relies on concurrent-ruby's private Concurrent::RubyThreadLocalVar class and instead uses Concurrent::ThreadLocalVar. PUP-11723

Yumrepo target attribute does not work

Using the yumrepo resource, enables the target parameter to set the filepath for a Yum repository to an arbitrary filepath or to an existing repository file. Thank you to community member nabertrand for this contribution. PA-5187

Bump curl to 7.88.1

Upgraded the curl component from 7.86 to 7.88.1 to address several security vulnerabilities. PA-5393

Freeze string literals

String literals are now immutable by default. PUP-11841

Strict mode enabled by default

For Puppet 8, strict mode is on by default, meaning strict defaults to error and strict_variables defaults to true. With strict set to error, extra validation & checks are performed and fail as an error. This change could be a breaking change if your code does not conform to strict mode.

To return to the previous behavior, set, strict to warning and strict_variables to false. PUP-11725

Change default value of exclude_unchanged_resources

Puppet reports no longer contain detailed information about resources already matching their desired state. Doing so reduces the amount of data stored in PuppetDB in the most common case when nothing has changed. The previous behavior can be enabled by setting exclude_unchanged_resources=false in puppet.conf on each agent. PUP-11684

Drop Hiera 3 Requirement

Hiera 3 is no longer a hard dependency for Puppet. PUP-11621

Change default crl_refresh_interval to 1 day

Puppet agent now defaults to refreshing its certificate revocation list (CRL) once every 24 hours. PUP-11602

Evaluate deferred functions lazily by default

Deferred functions follow normal resource relationships and ordering, so it is now possible to install a dependency for a deferred function and call the deferred function in a single agent run. The previous behavior can be enabled by setting preprocess_deferred=false in puppet.conf on each agent. PUP-11526

Exclude legacy facts by default

Legacy facts are no longer collected on Puppet agent or sent to Puppet server. This saves network bandwidth and reduces Puppetserver's memory footprint when using templates.

Since legacy facts are not available during compilation, they cannot be referenced in Puppet code, ERB/EPP templates or Hiera configuration. The legacy_facts puppet-lint plugin can help identify and automatically correct legacy fact usage in Puppet code. For more information visit https://github.com/puppetlabs/puppet-lint/blob/main/lib/puppet-lint/plugins/legacy_facts/legacy_facts.rb.

Legacy facts can be re-enabled by setting include_legacy_facts=true in puppet.conf on each agent. PUP-11430

Replace c_rehash script with native openssl implementation

Puppet agent 8 no longer bundles the c_rehash binary. Instead, users must rely on the bundled openssl binary's subcommand rehash. Example: /opt/puppetlabs/puppet/bin/openssl rehash. PA-4265

MRI Ruby 3.2

Puppet agent vendors Ruby 3.2. Ruby 3.2 has several notable breaking changes that may affect Puppet extensions, such as functions, custom facts, types & providers, report processors, etc. For a complete list visit: https://github.com/puppetlabs/puppet/wiki/Puppet-8-Compatibility#ruby-32-compatibility

If Puppet is installed as a gem, then it requires Ruby 3.1 or greater.

OpenSSL 3.0

Puppet agent vendors OpenSSL 3.0. If an application compiles against Puppet's openssl, then the application must be recompiled. For more information visit https://www.openssl.org/docs/man3.0/man7/migration_guide.html

selinux: undefining the allocator of T_DATA class swig_runtime_data

Patch selinux ruby native extension for Ruby 3.2 compatibility. PA-4844

ruby-shadow failing in Ruby 3.2

Patch shadow ruby native extension for Ruby 3.2. PA-4843

Remove Windows ENV patches on Ruby 3

The Puppet::Util methods for getting, setting, clearing and merging environment variables are still available, but are deprecated and will be removed in the next major release. Puppet 8 now uses Ruby's built-in ENV class to manage environment variables on Windows. PUP-11348

Remove extra cli option

The extra CLI option, which was previously hidden, has been entirely removed. PUP-11119

Drop openssl man pages and html docs

OpenSSL man pages and html docs are no longer included in Puppet agent. PA-4908

Drop Hiera 3 Component

This is a breaking change. The Hiera 3 gem is no longer vendored in puppet-agent packages, but may be installed separately.

If you rely on a Hiera 3 backend (a class that extends Hiera::Backend), you must convert your backend to Hiera 5 using the steps found at https://www.puppet.com/docs/puppet/latest/hiera_migrate.html, or manually install the Hiera 3 gem on all Puppet Server hosts. This change does not affect Hiera 5, puppet lookup or the hiera_include, hiera_hash, etc set of functions. PA-4646

Drop PSON support

Support for the PSON (Pure JSON) serialization format has been removed. Puppet agents may fail if binary data is accidentally added to the catalog without using the Binary data type or binary_file function. For more information visit https://www.puppet.com/docs/puppet/latest/lang_data_binary.html.

It is possible, but not recommended, to reenable PSON support by installing the puppet-pson gem on all agents and server hosts and setting preferred_serialization_format=pson in puppet.conf on each agent.