Puppet Core 8.20.0

Released June 2026. This version of Puppet Core adds agent support for Ubuntu 26.04 ARM, includes improvements to help prevent security vulnerabilities, improves handling for sensitive transactionstore.yaml data, improves validation for regex end-of-string characters, improves service management for macOS 26, and decreases PXP agent metadata write errors on Windows.

New features and enhancements

Agent platforms added

This release adds support for the Puppet agent on the following operating system platforms:

  • Ubuntu 26.04 ARM PA-8256

Security updates

Updated OpenSSL

Updated OpenSSL libraries to version 3.0.21 to address CVE 2026 7383, CVE 2026 9076, CVE 2026 34180, CVE 2026 34182, CVE 2026 42766, CVE 2026 42767, CVE 2026 45445, CVE 2026 45446, and CVE 2026 45447. PA-8824

Updated net-imap

Updated the bundled net-imap library from version 0.6.4 to 0.6.4.1 to address CVE 2026 47240, CVE 2026 47241, and CVE 2026 47242. PA-8826

Updated concurrent-ruby

Updated the concurrent ruby gem to version 1.3.7 to address CVE 2026 54904. PA-8873

Evaluated curl CVEs

The Puppet team has evaluated the following CVEs and determined that Puppet Core is not impacted by the following vulnerabilities:

  • CVE-2026-8286

  • CVE-2026-8458

  • CVE-2026-8924

  • CVE-2026-8925

  • CVE-2026-8926

  • CVE-2026-8927

  • CVE-2026-8932

  • CVE-2026-9079

  • CVE-2026-9080

  • CVE-2026-9545

  • CVE-2026-9546

  • CVE-2026-9547

  • CVE-2026-10536

  • CVE-2026-11352

  • CVE-2026-11564

  • CVE-2026-11586

  • CVE-2026-11856

  • CVE-2026-12064

PA- 8903

Resolved issues

Improved handling of sensitive data in transactionstore.yaml during deferred execution

Previously, when using custom resources with deferred functions, Puppet Core sometimes wrote sensitive data to the transactionstore.yaml file. Subsequent Puppet runs failed when transactionstore.yaml data couldn't be loaded. Puppet Core now supports sensitive values in transactionstore.yaml, ensuring that subsequent runs are completed successfully. PA-8346

Improved input validation for regex end of string characters

Previously, regular expressions using \Z incorrectly matched trailing newline characters, allowing invalid input values, such as environment or certificate names, to pass validation. Puppet Core now uses \z for end-of-string matching to ensure more accurate input validation. PA-8508

Improved macOS service management reliability

Previously, a race condition in Puppet agent on macOS caused service management to fail when the launchd overrides plist file was briefly truncated during writes, allowing concurrent reads to encounter an empty or invalid file. Now, plist files are written atomically, preventing partial or zero-length reads and improving the reliability of service management on macOS. PA-8816

Decrease PXP agent metadata write errors on Windows

Previously, running tasks in quick succession on Windows could trigger a file-rename race condition in PXP agent, causing failed to write metadata errors. This update adds uniquely named temporary files to help ensure tasks are completed more reliably under concurrent or high-frequency execution conditions. PA-8443