Puppet 8.9.0

Released September 2024.

This release resolves several Puppet issues and implements updates in third-party software to help prevent security vulnerabilities.

GitHub releases

Additional details about release updates are available on GitHub. For more information, go to the following sites:

• Facter
• Puppet
• Puppet agent
• Puppet runtime

Security

Upgrade Ruby in puppet-runtime

Ruby is upgraded to version 3.2.5 to address CVE-2024-39908 and CVE-2024-35176.

PA-6875, PA-6736, PA-6507

Upgrade Curl

Curl is upgraded to version 8.9.1 to address the following CVEs: CVE-2024-6874, CVE-2024-6197, and CVE-2024-7264.

PA-6872

Update REXML

The REXML gem was updated to version 3.3.6 to address CVE-2024-41946, CVE-2024-41123, and CVE-2024-43398.

PA-6882, PA-6881, PA-6901

Bump puppet-agent's bundled OpenSSL

OpenSSL was upgraded to version 3.0.15 to address CVE-2024-5535.

PA-6699

Resolved issues

Resolved issue with catalog download.

Addressed an issue where catalog download would fail when running the puppet catalog download command with the default options. The puppet catalog download command now correctly sends facts to download the catalog. Community member nabertrand submitted this issue.

PUP-12046

Default Security-Enhanced Linux (SELinux) types on file resources are now correctly assigned.

Fixed a regression introduced in Puppet 8.8.1 when assigning default SELinux contexts to files. Community member davejbax submitted this issue and contributed to the fix.

PUP-12066

Resolved issue with node definition using regular expressions (regex).

Previously, under certain circumstances, duplicate nodes could be defined, due to the order in which regex type node names were checked. The issue was resolved to help ensure that nodes are matched to unique definitions.

PUP-11515

Addressed an issue with profiling timers.

Addressed an issue where, under certain circumstances, NTP updates or other similar events were causing Puppet profiling timers to display inconsistent results. This issue was resolved by switching to a monotonic clock, to help ensure that time displays in Puppet profile results are not affected by these events.

PUP-7520

Contributors

The Puppet team appreciates all Puppet Community members who contributed content to the September 2024 releases and extends special thanks to @davejbax as a first-time contributor.