Puppet Core 8.12.0
Released April 2025.
Updates were implemented to improve error messages and help prevent security vulnerabilities.
Enhancements
Hiera lookups using a custom backend fail with an improved error message when modules are missing
When you use a custom backend, and a module is missing, Hiera lookups now fail with an error indicating the affected module:
Error: Unable to find module named 'missing_module' with 'data_hash' function named 'missing_module::foo_function' (file: /Users/username.example/gh_repos/puppet-private/examples/hiera/hiera.yaml) on node example.local
PUP-12072
Security
The default server setting is no longer puppet
The server
setting is no longer set by default to puppet
. This prevents puppet
from being automatically trusted as an unprivileged user, addressing CVE-2024-9128. To enable previous behavior where agents automatically connected to puppet
, you must run puppet config set server <FQDN> --section main
after installing or upgrading Puppet Core 8.12.0 agents. PUP-12079
Updated GPG key
The GPG key for Puppet agent packages expired and was updated.
Updated Ruby
Ruby was updated to 3.2.8 for CVE-2025-27219, CVE-2025-27220, and CVE-2025-27221. PA-7241
Updated OpenSSL
OpenSSL was updated to 3.0.16 for CVE-2024-13176 and CVE-2025-0306. Implicit rejection mechanism was implemented. PA-7287, PA-7341
Updated curl
Curl was updated to 8.12.0 for CVE-2025-0725, CVE-2025-0665, and CVE-2025-0167. PA-7342
Updated libxml2
Libxml2 was updated to v2.13.6 for CVE-2025-24928 and CVE-2024-56171. PA-7348
Updated libxslt
Libxslt was updated to 1.1.43 for CVE-2024-55549 and CVE-2025-24855. PA-7406
Deprecations and removals
Puppet Core 7 is EOL. However, the Puppet Core 7.35.0 documentation is still available.