Puppet 8.3.1
Released November 2023.
Enhancements
Ship FIPS compatible Java key store in fips agents
FIPS Puppet agent builds now include a FIPS-compatible Java keystore.
The following Certificate Authorities were also added and removed:
- create Atos_TrustedRoot_Root_CA_ECC_TLS_2021:2.16.61.152.59.166.102.61.144.99.247.126.38.87.56.4.239.0.crt
- create Atos_TrustedRoot_Root_CA_RSA_TLS_2021:2.16.83.213.207.230.25.147.11.251.43.5.18.216.194.42.162.164.crt
- create BJCA_Global_Root_CA1:2.16.85.111.101.227.180.217.144.106.27.9.209.108.62.192.108.32.crt
- create BJCA_Global_Root_CA2:2.16.44.23.8.125.100.42.192.254.133.24.89.6.207.180.74.235.crt
- create Certainly_Root_E1:2.16.6.37.51.177.71.3.51.39.92.249.141.154.185.191.204.248.crt
- create Certainly_Root_R1:2.17.0.142.15.249.75.144.113.104.101.51.84.244.212.68.57.183.224.crt
- create DigiCert_TLS_ECC_P384_Root_G5:2.16.9.224.147.101.172.247.217.200.185.62.28.11.4.42.46.243.crt
- create DigiCert_TLS_RSA4096_Root_G5:2.16.8.249.180.120.168.250.126.218.106.51.55.137.222.124.207.138.crt
- delete E-Tugra_Certification_Authority:2.8.106.104.62.156.81.155.203.83.crt
- delete EC-ACC:2.16.238.43.61.235.212.33.222.20.168.98.172.4.243.221.196.1.crt
- delete Hellenic_Academic_and_Research_Institutions_RootCA_2011:2.1.0.crt
- delete Hongkong_Post_Root_CA_1:2.2.3.232.crt
- delete Network_Solutions_Certificate_Authority:2.16.87.203.51.111.194.92.22.230.71.22.23.227.144.49.104.224.crt
- create SSL.com_TLS_ECC_Root_CA_2022:2.16.20.3.245.171.251.55.139.23.64.91.226.67.178.165.209.196.crt
- create SSL.com_TLS_RSA_Root_CA_2022:2.16.111.190.218.173.115.189.8.64.226.139.77.190.212.247.91.145.crt
- create Sectigo_Public_Server_Authentication_Root_E46:2.16.66.242.204.218.27.105.55.68.95.21.254.117.40.16.184.244.crt
- create Sectigo_Public_Server_Authentication_Root_R46:2.16.117.141.253.139.174.124.7.0.250.169.37.167.225.199.173.20.crt
- create Security_Communication_ECC_RootCA1:2.9.0.214.93.155.179.120.129.46.235.crt
- create Security_Communication_RootCA3:2.9.0.225.124.55.64.253.27.254.103.crt
- delete Staat_der_Nederlanden_EV_Root_CA:2.4.0.152.150.141.crt
Bump augeas to 1.14.1
Updated the augeas component of Puppet agent from 1.13.0 to 1.14.1. PA-4938
This update changes the PubkeyAcceptedAlgorithms setting in /etc/ssh/sshd_config from a string to a list. Example: the line 'set Settings/PubkeyAcceptedAlgorithms +ssh-rsa' in the following code block:
    augeas { 'sshd_allow_rsa':
      incl    => '/etc/ssh/sshd_config',
      lens    => 'Sshd.lns',
      context => '/files/etc/ssh/sshd_config/Match/',
      changes => [
        'set Condition/Address 192.168.0.3',
        'set Condition/User user',
        'set Settings/PubkeyAcceptedAlgorithms +ssh-rsa',
      ]
    }
must be changed to 'set Settings/PubkeyAcceptedAlgorithms/seq::*[.="ssh-rsa"] ssh-rsa' following this update.
Add RHEL 9 (ARM64) support
Puppet now supports RHEL 9 (ARM64). PA-4998
Add Ubuntu 22.04 (ARM64) support
Puppet now supports Ubuntu 22.04 (ARM64). PA-5050
Make split() sensitive aware
The split function now accepts sensitive values and returns a Sensitive[Array]. This change was contributed by community user cocker-cc. PUP-11429
Freeze string literals
String literals are now frozen or immutable by default. PUP-11841
Log openssl version and fips mode
Puppet agent now logs the OpenSSL version along with the Ruby and Puppet versions when running in debug mode. PUP-11930
Monkey patch {File,Dir}.exists?
Added a monkey patch in Ruby for Puppet code that uses the older Ruby language exists? method. PUP-11945
Resolved issues
puppet ssl clean <REMOTE CERT> clears local private key and local certificate
puppet ssl clean <argument> now prints an error that <argument> is unexpected instead of deleting the local certificate and private key. PUP-11895
100% usage of a CPU core when an exec command sends EOF
Previously, Puppet could cause excessive CPU utilization on *nix if a child process closed stdin. This has been fixed. Fix contributed by community user bugfood. PUP-11897
string.new generates strings with unexpected encoding
A regression was introduced in Puppet 8.0.0 which caused the epp and inline_epp functions to return a binary string. If the value was assigned to the parameter of an exported resource, then the parameter's value was converted to base64 in PuppetDB. Any agents that collected the resource then received the base64 encoded value. This release fixes the regression so the functions return a UTF-8 string. PUP-11932
puppet/lib/puppet/pops/time/timespan.rb:637: warning: passing a block to String#codepoints is deprecated
Eliminated a warning when running on JRuby 9.4 and using the Timespan data type. PUP-11934
Correct inaccurate comment in find_file() function
Updated find_file function documentation. This fix was contributed by community member pillarsdotnet. PUP-11940
epp and inline_epp functions return binary strings
Fixed a regression that caused the epp and inline_epp functions to return binary strings instead of UTF-8 encoded strings. This resulted in exported resources being stored as base64 in PuppetDB, breaking any node that collected those resources. Fix contributed by community member smortex. PUP-11943
Update host_autorenewal_interval Puppet setting documentation
Previously, the documentation implied that, by default, host_autorenewal_interval refreshes in 30 days regardless of when it expires. The documentation was updated to better reflect the actual behavior, where the implementation only attempts to renew its client cert if the cert expires within N days from now. PUP-11944
Error when using {File,Dir}.exists? in Ruby
Added a patch for some Puppet code that uses the older Ruby language exists? method.
Security
Upgrade OpenSSL
Upgraded OpenSSL to 3.0.11 to address CVE-2023-4807. PA-5783
Patch Curl in puppet-runtime
Patched Curl to address CVE-2023-38545. PA-5848
Deprecations and removals
Remove TrustCor CA certs
The following CA certs were removed:
- TrustCor_ECA-1:2.9.0.132.130.44.95.28.98.208.64.crt
- TrustCor_RootCert_CA-1:2.9.0.218.155.236.113.243.3.176.25.crt
- TrustCor_RootCert_CA-2:2.8.37.161.223.202.51.203.89.2.crt
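The following Ruby script is an added example, not part of the release notes or of Puppet's code: it audits a PEM bundle for the TrustCor roots listed above by matching certificate serial numbers. It assumes the dotted suffix of each entry is the serial's DER INTEGER encoding written as decimal bytes; the helper names and the sample certificates are constructed for illustration.

```ruby
require 'openssl'

# Removed-CA entries copied from the list above: "<name>:<dotted serial>.crt".
REMOVED = %w[
  TrustCor_ECA-1:2.9.0.132.130.44.95.28.98.208.64.crt
  TrustCor_RootCert_CA-1:2.9.0.218.155.236.113.243.3.176.25.crt
  TrustCor_RootCert_CA-2:2.8.37.161.223.202.51.203.89.2.crt
].freeze

# Assumption: the dotted suffix is the DER INTEGER encoding of the serial
# (tag 2, length, value bytes), with each byte written in decimal.
def parse_entry(entry)
  name, dotted = entry.delete_suffix('.crt').split(':', 2)
  tag, len, *value = dotted.split('.').map { |b| Integer(b, 10) }
  raise ArgumentError, "not a DER INTEGER: #{entry}" unless tag == 2 && len == value.size
  n = value.inject(0) { |acc, byte| (acc << 8) | byte }
  n -= 1 << (8 * len) if value.first.to_i >= 0x80 # two's complement (negative serial)
  [name, n]
end

# Return the names of removed CAs whose serial number appears in a PEM bundle.
def removed_cas_in(bundle_pem)
  by_serial = REMOVED.map { |e| parse_entry(e) }.to_h { |name, serial| [serial, name] }
  pems = bundle_pem.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
  pems.map { |pem| by_serial[OpenSSL::X509::Certificate.new(pem).serial.to_i] }.compact
end

# Constructed test certificate (self-signed, throwaway key); not a real CA.
def sample_cert(cn, serial)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = OpenSSL::BN.new(serial.to_s)
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

# Constructed bundle: one cert reuses a removed serial, one does not.
bundle = sample_cert('Constructed Root A', 0x25a1dfca33cb5902) +
         sample_cert('Constructed Root B', 12345)
puts removed_cas_in(bundle).inspect
```

Serial numbers are unique only per issuer, so treat a hit as a prompt to compare the certificate's subject and fingerprint before removing anything.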