PE 2025.2

Released March 2025

Puppet Enterprise (PE) 2025 is our new leading-edge PE release stream (also referred to as STS).

For important information about upgrading to 2025, see Upgrading Puppet Enterprise.

If you're on the LTS stream (2023.8), you'll find release notes and other information for that series in the 2023.8 documentation.

Customers on 2021.7.z, which is EOL, are encouraged to upgrade to 2023.8.z.

To access End-of-Life (EOL) dates and maintenance information, see PE End-of-Life (EOL).

To access the release notes for the Puppet® platform, including Puppet agent, Puppet Server, Facter, and PuppetDB, see Platform release notes.

New features

Advanced Patching: Launch of Vulnerability Remediation feature

Starting in Puppet Enterprise™ (PE) 2025.2.0, the Advanced Patching service available with the Puppet Enterprise Advanced license includes vulnerability remediation capabilities on the PE console and API. When enabled, this feature allows you to use the PE console to display and remediate security vulnerabilities detected by your third-party security scanner. To access vulnerability remediation capabilities you must:

  • Purchase a PE Advanced license. For more information about the PE Advanced license, see Getting a license.

  • Activate the Advanced Patching service in the PE console.

  • Deploy a vulnerability data transformer. See Integrate vulnerability data from a security scanner.

Advanced Patching: API support for dynamically updating patch groups

To support rules-based membership, where nodes are dynamically included in patch groups according to fact matching, the following endpoints have been updated:

  • The POST /v1/command/create-patch-group endpoint for creating a patch group now allows you to specify the rule field as an argument.

  • The GET /v1/patch-groups endpoint for listing patch groups has been updated to optionally return rules if specified.

  • The GET /v1/patch-groups/{id} endpoint to get a single patch group has been updated to optionally return rules if specified.

Advanced Patching API: New endpoints

This feature includes several new endpoints:

  • GET /v1/patch-groups/{id}/nodes: Retrieve an array of all of the nodes that are currently included in the specified patch group through pinned membership and dynamic (rules-based) membership.

  • GET /v1/maintenance-windows/{id}: Fetch and display details of a specific maintenance window using its ID.

  • GET /v1/blackout-windows/{id}: Fetch and display details of a specific blackout window using its ID.

Enhancement

Advanced Patching: Maintenance and blackout windows details pages added to the PE console

These pages enable you to view details about your maintenance and blackout windows.

Advanced Patching: Scheduled patch jobs details page added to the PE console

This page enables you to view details of a scheduled patch job. The content may vary based on the type of job (for example, system updates or vulnerabilities) and/or the type of scheduling applied to the job.

Advanced Patching: Previously executed patch job details page added to the PE console

This page enables you to view the details of how a previous patching job executed.

Platform support

Agent platforms added

This release adds support for the Puppet agent on the following operating system platforms:

  • macOS 15 ARM

  • Fedora 41 x86_64

  • Microsoft Windows Server 2016 FIPS

Resolved issues

In the PE console, the run task review step masks sensitive parameters

In PE 2023.6-2023.8.2 and 2025.0.0-2025.1.0, the run task review step in the PE console did not mask sensitive parameters. This issue has been fixed in PE 2025.2.0.

It is now possible to set the LDAP ciphers and protocols in the RBAC LDAP APIs

In PE 2023.6.0-2023.8.2 and 2025.0.0-2025.1.0, it was not possible to set the LDAP ciphers and protocols in the RBAC LDAP APIs. In PE 2025.2.0, an addition has been made to allow custom sets of LDAP ciphers and protocols to be used for connecting your Puppet Enterprise RBAC to your LDAP server.

Console environment schema is less restrictive

In previous versions of Puppet Enterprise, the Console’s schema for code environments was overly restrictive, and in some cases this resulted in tasks and plans not displaying. This has been fixed in 2025.2.0 and will be fixed in a subsequent LTS release.

Security fixes

Addressed the following CVEs:

  • CVE-2025-27610