Puppet Core 8.13.0

Released June 2025. This version helps prevent security vulnerabilities and resolves known issues with puppet config commands failing after a gem is installed and Windows service logon case sensitivity causing Puppet service restarts.

Security

Updated libxml2

Libxml2 was updated to 2.13.8 to address CVE-2025-32415 and CVE-2025-3241. PA-7456

Updated boost

To address CVE 2012-2677, boost was updated. For AIX, Solaris, and Windows, boost 1.73.0 was patched. For all other platforms, boost was updated to 1.80.0. PA-7462

Patched augeas

Augeas was patched to address CVE-2025-2588. PA-7463

Patched rapidjson

Rapidjson was patched in leatherman to address CVE 2024-39684 and CVE 2024-38517. PA-7503

Resolved issues

Fixed an issue where running a puppet config command failed if it was the first command run after the Puppet gem was installed.

Previously, when running puppet config commands the directory ~/.puppetlabs was created, but other expected parent directories were not created, causing the command to fail. Expected parent directories are now created. PUP-12094

Puppet now treats Windows service logon accounts as case insensitive.

Before this change, Puppet treated Windows service logon account names as case sensitive. When there was a case mismatch, Puppet treated it as a change to the account and restarted the associated Puppet service. Puppet now treats Windows service logon accounts as case insensitive, fixing the issue. PUP-12089