Puppet Core 8.19.0
Released May 2026. This version of Puppet Core includes improvements to help prevent security vulnerabilities, removes Puppet's dependency on the CSV gem, improves handling of Windows passwords, and helps prevent installation on unsupported Ruby versions.
New features and enhancements
Remove CSV dependency
Remove Puppet's dependency on the CSV gem. PA-8407
Security updates
Updated Ruby
Ruby was updated to version 3.2.11 to address CVE-2026-27820. PA-8387, PA-8321
Updated OpenSSL
OpenSSL was updated to 3.0.20 to address CVE-2026-28387, CVE-2026-28388, CVE-2026-28389, CVE-2026-28390, CVE-2026-31789, and CVE-2026-31790. PA-8396
Updated libxml2
Libxml 2 was updated to 2.15.3 to address CVE-2026-6732. PA-8440
Updated curl
Curl was updated to 8.20.0 to address CVE-2026-6253, CVE-2026-6276, CVE-2026-6429, CVE-2026-7009, and CVE-2026-7168. PA-8447
Updated net-imap
Net-imap 0.4.24 is now bundled with Puppet agent to address CVE-2026-42245, CVE-2026-42246, CVE-2026-42256, CVE-2026-42257, and CVE-2026-42258. PA-8467
-
Uninstall the new gem by running:
Copy/opt/puppetlabs/puppet/bin/gem uninstall net-imap --all --executables -
Install the old gem by running:
Copy/opt/puppetlabs/puppet/bin/gem install net-imap -v 0.3.10
Updated erb gem
Puppet agent now includes erb 6.04 to address CVE-2026-41316. Puppet uses this version of the gem instead of the erb gem bundled with Ruby. PA-8430
Resolved issues
Improved handling of Windows passwords
When managing user resources on Windows, Puppet Core no longer rejects colons in passwords. Behavior on other platforms is unchanged. PA-8509
Help prevent Puppet Core installation on unsupported Ruby versions
In previous versions, installing Puppet Core 8 with an unsupported Ruby version ( Ruby 4) via bundler or gem commands, caused installation to crash with the error can't modify frozen Hash. Puppet Core now sets the maximum Ruby version to 3.x, which prevents installation with unsupported Ruby versions. PA-8512