Puppet Core 8.12.0

Released April 2025.

Updates were implemented to improve error messages and help prevent security vulnerabilities.

Enhancements

Hiera lookups using a custom backend fail with an improved error message when modules are missing

When you use a custom backend, and a module is missing, Hiera lookups now fail with an error indicating the affected module:

Error: Unable to find module named 'missing_module' with 'data_hash' function named 'missing_module::foo_function' (file: /Users/username.example/gh_repos/puppet-private/examples/hiera/hiera.yaml) on node example.local

PUP-12072

Security

The default server setting is no longer puppet

The server setting is no longer set by default to puppet. This prevents puppet from being automatically trusted as an unprivileged user, addressing CVE-2024-9128. To enable previous behavior where agents automatically connected to puppet, you must run puppet config set server <FQDN> --section main after installing or upgrading Puppet Core 8.12.0 agents. PUP-12079

Updated GPG key

The GPG key for Puppet agent packages expired and was updated.

Updated Ruby

Ruby was updated to 3.2.8 for CVE-2025-27219, CVE-2025-27220, and CVE-2025-27221. PA-7241

Updated OpenSSL

OpenSSL was updated to 3.0.16 for CVE-2024-13176 and CVE-2025-0306. Implicit rejection mechanism was implemented. PA-7287, PA-7341

Updated curl

Curl was updated to 8.12.0 for CVE-2025-0725, CVE-2025-0665, and CVE-2025-0167. PA-7342

Updated libxml2

Libxml2 was updated to v2.13.6 for CVE-2025-24928 and CVE-2024-56171. PA-7348

Updated libxslt

Libxslt was updated to 1.1.43 for CVE-2024-55549 and CVE-2025-24855. PA-7406

Deprecations and removals

Puppet Core 7 is EOL. However, the Puppet Core 7.35.0 documentation is still available.