Puppet 8.2.0

Released August 2023.

Enhancements

macOS 13 support

Added support for macOS 13. PA-4772

Upgrade hiera-eyaml to 3.4+

Upgraded the hiera-eyaml component to 3.4. PA-5633

Add agent renew REST implementation

Added a method to send a client certificate renewal request to puppetserver. PUP-11854

Add Puppet setting to configure renewal interval

Added a setting for how often a node attempts to automatically renew its client certificate. PUP-11855

Retry failed CA & CRL refreshes sooner than the next interval

Puppet now attempts to refresh its CA and CRL sooner if initial attempts fail. PUP-11869

Send auto-renew attribute in CSR

Puppet now has an auto-renew attribute. If the agent supports auto-renewal, this attribute is added to the CSR (Certificate Signing Request) when it is generated and is used by Puppet Server to determine if auto-renewal TTL needs to be enabled for a given agent.

Agents that either do not have the hostcert_renewal_interval setting or have it set to 0 do not support auto-renewal and do not have the auto-renew attribute. PUP-11896

Resolved issues

ffi and nokogiri gem use the wrong architecture when cross compiling

Fixed an issue where some gems would get built using the wrong architecture when cross compiling. PA-5666

certname with .pp in the middle doesn't pick up its own manifest

Fixed an issue where manifests with .pp in their file names were not imported. PUP-11788

The --no-preprocess_deferred option breaks deferring of Sensitive file content

The content property of a file resource can now be a Deferred function that returns a Sensitive value when deferred values are evaluated lazily (the default behavior in 8.x, or when Puppet[:preprocess_deferred] is set to false in 7.x). For example: content => Deferred('new', [Sensitive, "password"]). PUP-11846

"Sleeping" agents raise "attempt to read body out of block (IOError)"

Previously, the agent erroneously tried to read a response body after closing the connection when a Puppet server requested that the agent retry. Now, when the agent is told to retry, it waits for the specified sleep duration and no longer raises an error by trying to read the request body after closing the connection. PUP-11853

puppet-resource_api bug with ruby 3.2 and integer munging

Updated puppet-resource_api to enable Ruby 3.2 compatibility. PA-5641

CRL authorityKeyIdentifier is not printed in Puppet 8

Fixed a regression in Puppet 8.x which caused the agent to omit the authorityKeyIdentifier extension for its CRL. PUP-11849
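
One way to check a CRL for the extension this fix restores, as an added example that is not Puppet's own code. It builds a throwaway CA with Ruby's OpenSSL bindings and classifies a CRL by whether its authorityKeyIdentifier is present and matches the issuing CA; the CA names and the helper functions build_ca, build_crl and check_crl_aki are hypothetical.

```ruby
require "openssl"

# Constructed throwaway CA so the example runs offline (not a Puppet CA).
def build_ca(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("subjectKeyIdentifier", "hash"))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Issue an empty v2 CRL, optionally carrying authorityKeyIdentifier.
def build_crl(ca_cert, ca_key, with_aki:)
  crl = OpenSSL::X509::CRL.new
  crl.version = 1
  crl.issuer = ca_cert.subject
  crl.last_update = Time.now - 60
  crl.next_update = Time.now + 3600
  if with_aki
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.issuer_certificate = ca_cert
    crl.add_extension(ef.create_extension("authorityKeyIdentifier", "keyid:always"))
  end
  crl.sign(ca_key, OpenSSL::Digest.new("SHA256"))
  crl
end

# Classify a CRL against the CA certificate expected to have issued it.
def check_crl_aki(crl, ca_cert)
  key_id = crl.authority_key_identifier
  return :missing if key_id.nil?
  # The CRL's key identifier must equal the CA's subjectKeyIdentifier.
  return :mismatch unless key_id == ca_cert.subject_key_identifier
  crl.verify(ca_cert.public_key) ? :ok : :bad_signature
end
```

A :missing result corresponds to the regression described above; :mismatch means the CRL names a different issuing key than the CA certificate it is being checked against.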

Security

Upgrade OpenSSL

Upgraded OpenSSL to address various vulnerabilities (CVE-2023-3817, CVE-2023-3446, CVE-2023-2975, CVE-2023-0464). PA-5699

Bump Ruby URI component for CVE-2023-36617

Patched Ruby to address a vulnerability in the URI gem (CVE-2023-36617). PA-5638