Explicitly upgrade openssl in docker file and enforce new version of …

…cryptography (matrix-org#9697)
OlegGirko · Mar 26, 2021 · 12d6184 · 12d6184
1 parent e2904f7
commit 12d6184
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 20 deletions.
diff --git a/changelog.d/9697.docker b/changelog.d/9697.docker
@@ -0,0 +1 @@
+Ensure that the docker container has up to date versions of openssl.
diff --git a/changelog.d/9697.misc b/changelog.d/9697.misc
@@ -0,0 +1 @@
+Enforce that `cryptography` dependency is up to date to ensure it has the most recent openssl patches.
diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -20,17 +20,18 @@ FROM docker.io/python:${PYTHON_VERSION}-slim as builder
 
 # install the OS build deps
 RUN apt-get update && apt-get install -y \
-    build-essential \
-    libffi-dev \
-    libjpeg-dev \
-    libpq-dev \
-    libssl-dev \
-    libwebp-dev \
-    libxml++2.6-dev \
-    libxslt1-dev \
-    rustc \
-    zlib1g-dev \
- && rm -rf /var/lib/apt/lists/*
+        build-essential \
+        libffi-dev \
+        libjpeg-dev \
+        libpq-dev \
+        libssl-dev \
+        libwebp-dev \
+        libxml++2.6-dev \
+        libxslt1-dev \
+        openssl \
+        rustc \
+        zlib1g-dev \
+        && rm -rf /var/lib/apt/lists/*
 
 # Build dependencies that are not available as wheels, to speed up rebuilds
 RUN pip install --prefix="/install" --no-warn-script-location \
@@ -63,14 +64,16 @@ RUN pip install --prefix="/install" --no-warn-script-location \
 FROM docker.io/python:${PYTHON_VERSION}-slim
 
 RUN apt-get update && apt-get install -y \
-    curl \
-    gosu \
-    libjpeg62-turbo \
-    libpq5 \
-    libwebp6 \
-    xmlsec1 \
-    libjemalloc2 \
- && rm -rf /var/lib/apt/lists/*
+        curl \
+        gosu \
+        libjpeg62-turbo \
+        libpq5 \
+        libwebp6 \
+        xmlsec1 \
+        libjemalloc2 \
+        libssl-dev \
+        openssl \
+        && rm -rf /var/lib/apt/lists/*
 
 COPY --from=builder /install /usr/local
 COPY ./docker/start.py /start.py
@@ -83,4 +86,4 @@ EXPOSE 8008/tcp 8009/tcp 8448/tcp
 ENTRYPOINT ["/start.py"]
 
 HEALTHCHECK --interval=1m --timeout=5s \
-  CMD curl -fSs http://localhost:8008/health || exit 1
+        CMD curl -fSs http://localhost:8008/health || exit 1
diff --git a/synapse/python_dependencies.py b/synapse/python_dependencies.py
@@ -82,6 +82,9 @@
     "Jinja2>=2.9",
     "bleach>=1.4.3",
     "typing-extensions>=3.7.4",
+    # We enforce that we have a `cryptography` version that bundles an `openssl`
+    # with the latest security patches.
+    "cryptography>=3.4.7;python_version>='3.6'",
 ]
 
 CONDITIONAL_REQUIREMENTS = {
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		Ensure that the docker container has up to date versions of openssl.
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		Enforce that `cryptography` dependency is up to date to ensure it has the most recent openssl patches.