authorErik Johnston <erik@matrix.org>2021-03-26 12:00:25 +0000
committerGitHub <noreply@github.com>2021-03-26 12:00:25 +0000
commit12d61847133c4da60d3e511af37d6f7e548ccb7a (patch)
tree4fd80e1684010d64315ef7b2144714575e5ab4c8
parent 1.30.0 (diff)
downloadsynapse-12d61847133c4da60d3e511af37d6f7e548ccb7a.tar.xz
Explicitly upgrade openssl in docker file and enforce new version of cryptography (#9697)
-rw-r--r--changelog.d/9697.docker1
-rw-r--r--changelog.d/9697.misc1
-rw-r--r--docker/Dockerfile43
-rw-r--r--synapse/python_dependencies.py3
4 files changed, 28 insertions, 20 deletions
diff --git a/changelog.d/9697.docker b/changelog.d/9697.docker
new file mode 100644
index 0000000000..fb06ef6c48
--- /dev/null
+++ b/changelog.d/9697.docker
@@ -0,0 +1 @@
+Ensure that the docker container has up to date versions of openssl.
diff --git a/changelog.d/9697.misc b/changelog.d/9697.misc
new file mode 100644
index 0000000000..e4866b01fa
--- /dev/null
+++ b/changelog.d/9697.misc
@@ -0,0 +1 @@
+Enforce that `cryptography` dependency is up to date to ensure it has the most recent openssl patches.
diff --git a/docker/Dockerfile b/docker/Dockerfile
index def4501541..eddc941c48 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -20,17 +20,18 @@ FROM docker.io/python:${PYTHON_VERSION}-slim as builder
 
 # install the OS build deps
 RUN apt-get update && apt-get install -y \
-    build-essential \
-    libffi-dev \
-    libjpeg-dev \
-    libpq-dev \
-    libssl-dev \
-    libwebp-dev \
-    libxml++2.6-dev \
-    libxslt1-dev \
-    rustc \
-    zlib1g-dev \
- && rm -rf /var/lib/apt/lists/*
+        build-essential \
+        libffi-dev \
+        libjpeg-dev \
+        libpq-dev \
+        libssl-dev \
+        libwebp-dev \
+        libxml++2.6-dev \
+        libxslt1-dev \
+        openssl \
+        rustc \
+        zlib1g-dev \
+        && rm -rf /var/lib/apt/lists/*
 
 # Build dependencies that are not available as wheels, to speed up rebuilds
 RUN pip install --prefix="/install" --no-warn-script-location \
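Review bot: Adding `openssl` to the builder stage's apt list does not change what ships, because the final stage copies only `/install` from the builder (`COPY --from=builder /install /usr/local` in the next hunk) and installs its own packages; the runtime effect of this commit comes from the second hunk alone. If the intent is that a current `libssl` is present while wheels are built, `apt-get install openssl` only brings in `libssl1.1` at whatever version the `openssl` package depends on, so the library may stay at the base image's version unless it is listed explicitly or an `apt-get upgrade` runs first. A one-line comment above the entry, `# openssl: listed explicitly so the build picks up Debian's current security release`, would record why a CLI tool sits in a build-deps list. The same pattern recurs in the runtime-stage hunk below.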
@@ -63,14 +64,16 @@ RUN pip install --prefix="/install" --no-warn-script-location \
 FROM docker.io/python:${PYTHON_VERSION}-slim
 
 RUN apt-get update && apt-get install -y \
-    curl \
-    gosu \
-    libjpeg62-turbo \
-    libpq5 \
-    libwebp6 \
-    xmlsec1 \
-    libjemalloc2 \
- && rm -rf /var/lib/apt/lists/*
+        curl \
+        gosu \
+        libjpeg62-turbo \
+        libpq5 \
+        libwebp6 \
+        xmlsec1 \
+        libjemalloc2 \
+        libssl-dev \
+        openssl \
+        && rm -rf /var/lib/apt/lists/*
 
 COPY --from=builder /install /usr/local
 COPY ./docker/start.py /start.py
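Review bot: `libssl-dev` in the runtime stage installs headers and the unversioned `.so` link that nothing in the shipped image compiles against; the library actually loaded at runtime is `libssl1.1`, which the `openssl` package already depends on. Replacing `libssl-dev \` with `libssl1.1 \` keeps the patched library in the image without adding development files to the attack surface. A short comment on the two new entries would help the next reader, e.g. `# openssl/libssl1.1: installed explicitly so the image carries the current security release rather than the base image's copy`. As with the builder stage, `apt-get install` without an explicit `libssl1.1` entry appears to rely on the `openssl` package's dependency to pull the newer library.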
@@ -83,4 +86,4 @@ EXPOSE 8008/tcp 8009/tcp 8448/tcp
 ENTRYPOINT ["/start.py"]
 
 HEALTHCHECK --interval=1m --timeout=5s \
-  CMD curl -fSs http://localhost:8008/health || exit 1
+        CMD curl -fSs http://localhost:8008/health || exit 1
diff --git a/synapse/python_dependencies.py b/synapse/python_dependencies.py
index 321a333820..14ddaed026 100644
--- a/synapse/python_dependencies.py
+++ b/synapse/python_dependencies.py
@@ -82,6 +82,9 @@ REQUIREMENTS = [
     "Jinja2>=2.9",
     "bleach>=1.4.3",
     "typing-extensions>=3.7.4",
+    # We enforce that we have a `cryptography` version that bundles an `openssl`
+    # with the latest security patches.
+    "cryptography>=3.4.7;python_version>='3.6'",
 ]
 
 CONDITIONAL_REQUIREMENTS = {
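Review bot: The `python_version>='3.6'` marker on the new `cryptography` entry means that on any older interpreter no minimum is enforced at all, so the floor the comment describes applies only to 3.6+; if Synapse already requires 3.6 or newer the marker is redundant and `"cryptography>=3.4.7",` suffices, otherwise the comment should say that older interpreters keep whatever version they have. The phrase `with the latest security patches` will go stale with the next release; naming what the pin targets, e.g. `# cryptography>=3.4.7 ships a bundled OpenSSL <version> carrying the <month/year> security fixes; bump when the next OpenSSL advisory lands`, keeps the intent checkable later. It is also worth noting in the comment that this pin, not the Dockerfile's apt packages, presumably governs the OpenSSL that cryptography/pyOpenSSL use, while the stdlib `ssl` module still links against the system `libssl` from the image.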