Merge tag 'v1.92.2' into develop
This is a Docker-only update to mitigate [CVE-2023-4863](https://cve.org/CVERecord?id=CVE-2023-4863), a critical vulnerability in `libwebp`. Server admins not using Docker should ensure that their `libwebp` is up to date (if installed). We encourage admins to upgrade as soon as possible.

- Update docker image to use Debian bookworm as the base. ([\matrix-org#16324](matrix-org#16324))
yingziwu committed Sep 15, 2023
2 parents 4efed5b + e7274f7 commit 3bc3b5d
Showing 7 changed files with 32 additions and 16 deletions.
10 changes: 10 additions & 0 deletions CHANGES.md
@@ -1,3 +1,13 @@
# Synapse 1.92.2 (2023-09-15)

This is a Docker-only update to mitigate [CVE-2023-4863](https://cve.org/CVERecord?id=CVE-2023-4863), a critical vulnerability in `libwebp`. Server admins not using Docker should ensure that their `libwebp` is up to date (if installed). We encourage admins to upgrade as soon as possible.


### Updates to the Docker image

- Update docker image to use Debian bookworm as the base. ([\#16324](https://github.com/matrix-org/synapse/issues/16324))


# Synapse 1.92.1 (2023-09-12)

Stop building Ubuntu Kinetic since it is EOL and repos seem to be dead.
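
Review bot: The 1.92.2 entry tells admins outside Docker to make sure `libwebp` is "up to date" but names no fixed version and links nothing beyond the CVE record, so there is nothing concrete to compare an installed package against. Consider linking the distribution security tracker entry for CVE-2023-4863 next to the CVE link. The bullet under "Updates to the Docker image" could also say that the base change is what brings in the newer `libwebp`, since on its own it reads as routine maintenance.
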
6 changes: 6 additions & 0 deletions debian/changelog
@@ -1,3 +1,9 @@
matrix-synapse-py3 (1.92.2) stable; urgency=medium

* New Synapse release 1.92.2.

-- Synapse Packaging team <[email protected]> Fri, 15 Sep 2023 13:17:41 +0100

matrix-synapse-py3 (1.92.1) stable; urgency=medium

* New Synapse release 1.92.1.
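
Review bot: The 1.92.2 stanza says only "New Synapse release 1.92.2.", while CHANGES.md describes this release as a Docker-only update. Someone reading the package changelog cannot tell that installing this package does nothing about `libwebp` and that the system library still has to be updated separately. A second bullet saying so would avoid a false sense of being patched.
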
14 changes: 7 additions & 7 deletions docker/Dockerfile
Expand Up @@ -25,9 +25,9 @@ ARG PYTHON_VERSION=3.10
###
### Stage 0: generate requirements.txt
###
# We hardcode the use of Debian bullseye here because this could change upstream
# and other Dockerfiles used for testing are expecting bullseye.
FROM pypy:${PYTHON_VERSION}-slim-bullseye as requirements
# We hardcode the use of Debian bookworm here because this could change upstream
# and other Dockerfiles used for testing are expecting bookworm.
FROM pypy:${PYTHON_VERSION}-slim-bookworm as requirements

# RUN --mount is specific to buildkit and is documented at
# https://github.com/moby/buildkit/blob/master/frontend/dockerfile/docs/syntax.md#build-mounts-run---mount.
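
Review bot: The Debian release name is still spelled out inside the `FROM` line of Stage 0, and the comment above it says other Dockerfiles depend on it matching. A single `ARG DEBIAN_VERSION=bookworm` next to `ARG PYTHON_VERSION`, used as `-slim-${DEBIAN_VERSION}`, would make the next base bump a one-line change and keep the stages from drifting apart.
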
Expand Down Expand Up @@ -93,7 +93,7 @@ RUN if [ -z "$TEST_ONLY_IGNORE_POETRY_LOCKFILE" ]; then \
###
### Stage 1: builder
###
FROM pypy:${PYTHON_VERSION}-slim-bullseye as builder
FROM pypy:${PYTHON_VERSION}-slim-bookworm as builder

# install the OS build deps
RUN \
Expand Down Expand Up @@ -164,7 +164,7 @@ RUN --mount=type=cache,target=/synapse/target,sharing=locked \
### Stage 2: runtime
###

FROM pypy:${PYTHON_VERSION}-slim-bullseye
FROM pypy:${PYTHON_VERSION}-slim-bookworm

LABEL org.opencontainers.image.url='https://matrix.org/docs/projects/server/synapse'
LABEL org.opencontainers.image.documentation='https://github.com/matrix-org/synapse/blob/master/docker/README.md'
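
Review bot: The runtime stage's `FROM` uses a mutable tag, so the contents of a 1.92.2 image depend on what `-slim-bookworm` resolves to on the build host and on any cached layers there; two builds of this same commit can ship different system libraries. For a release whose whole purpose is a security fix, pin the base by digest (`...-slim-bookworm@sha256:<digest>`) or make sure the release build pulls fresh base images and does not reuse cached layers.
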
Expand All @@ -179,10 +179,10 @@ RUN \
gosu \
libjpeg62-turbo \
libpq5 \
libwebp6 \
libwebp7 \
xmlsec1 \
libjemalloc2 \
libicu67 \
libicu72 \
libssl-dev \
openssl \
&& rm -rf /var/lib/apt/lists/*
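
Review bot: Renaming `libwebp6` to `libwebp7` selects the bookworm package, but nothing in this `RUN` checks which `libwebp7` build was actually installed, so the mitigation rests on the state of the archive and the layer cache at build time. Recording the installed version in the build output (for example with `dpkg-query -W libwebp7`) or failing the build below a minimum version would make the fix verifiable. The soname-suffixed names (`libwebp7`, `libicu72`) also have to be edited by hand at every Debian bump, which deserves a comment above the list.
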
4 changes: 2 additions & 2 deletions docker/Dockerfile-workers
Expand Up @@ -7,7 +7,7 @@ ARG FROM=matrixdotorg/synapse:$SYNAPSE_VERSION
# target image. For repeated rebuilds, this is much faster than apt installing
# each time.

FROM docker.io/library/debian:bullseye-slim AS deps_base
FROM docker.io/library/debian:bookworm-slim AS deps_base
RUN \
--mount=type=cache,target=/var/cache/apt,sharing=locked \
--mount=type=cache,target=/var/lib/apt,sharing=locked \
Expand All @@ -21,7 +21,7 @@ FROM docker.io/library/debian:bullseye-slim AS deps_base
# which makes it much easier to copy (but we need to make sure we use an image
# based on the same debian version as the synapse image, to make sure we get
# the expected version of libc.
FROM docker.io/library/redis:7-bullseye AS redis_base
FROM docker.io/library/redis:7-bookworm AS redis_base

# now build the final image, based on the the regular Synapse docker image
FROM $FROM
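
Review bot: The comment above `redis_base` requires the same Debian version as the Synapse image, but the final stage is `FROM $FROM` and nothing checks that the image passed in is bookworm-based. Building against an older Synapse image would place files taken from the bookworm redis image on top of a different libc, which is exactly what the comment warns about. Consider a `RUN` in the final stage that checks `/etc/os-release` for the expected codename, or document the minimum Synapse image version this file supports.
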
4 changes: 2 additions & 2 deletions docker/complement/Dockerfile
Expand Up @@ -20,8 +20,8 @@ FROM $FROM
# the same debian version as Synapse's docker image (so the versions of the
# shared libraries match).
RUN adduser --system --uid 999 postgres --home /var/lib/postgresql
COPY --from=docker.io/library/postgres:13-bullseye /usr/lib/postgresql /usr/lib/postgresql
COPY --from=docker.io/library/postgres:13-bullseye /usr/share/postgresql /usr/share/postgresql
COPY --from=docker.io/library/postgres:13-bookworm /usr/lib/postgresql /usr/lib/postgresql
COPY --from=docker.io/library/postgres:13-bookworm /usr/share/postgresql /usr/share/postgresql
RUN mkdir /var/run/postgresql && chown postgres /var/run/postgresql
ENV PATH="${PATH}:/usr/lib/postgresql/13/bin"
ENV PGDATA=/var/lib/postgresql/data
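
Review bot: The `postgres:13-bookworm` tag is repeated in both `COPY --from=` lines and, per the comment above them, has to stay in step with the Debian release of the Synapse image. Declaring it once as a named stage (`FROM docker.io/library/postgres:13-bookworm AS postgres_base`) and copying with `--from=postgres_base` would remove the chance of the two lines diverging on the next bump.
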
8 changes: 4 additions & 4 deletions docker/editable.Dockerfile
Expand Up @@ -8,9 +8,9 @@ ARG PYTHON_VERSION=3.9
###
### Stage 0: generate requirements.txt
###
# We hardcode the use of Debian bullseye here because this could change upstream
# and other Dockerfiles used for testing are expecting bullseye.
FROM docker.io/library/python:${PYTHON_VERSION}-slim-bullseye
# We hardcode the use of Debian bookworm here because this could change upstream
# and other Dockerfiles used for testing are expecting bookworm.
FROM docker.io/library/python:${PYTHON_VERSION}-slim-bookworm

# Install Rust and other dependencies (stolen from normal Dockerfile)
# install the OS build deps
Expand All @@ -33,7 +33,7 @@ RUN \
gosu \
libjpeg62-turbo \
libpq5 \
libwebp6 \
libwebp7 \
xmlsec1 \
libjemalloc2 \
&& rm -rf /var/lib/apt/lists/*
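
Review bot: This runtime package list is a hand-maintained copy of the one in docker/Dockerfile, so the `libwebp6` to `libwebp7` rename had to be made in two places, and the two lists already differ: the `libicu72`, `libssl-dev` and `openssl` entries in docker/Dockerfile do not appear in the lines shown here. Either note why the lists differ or derive both from one place, so that a future security-driven package rename cannot be missed in one of them.
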
2 changes: 1 addition & 1 deletion pyproject.toml
Expand Up @@ -89,7 +89,7 @@ manifest-path = "rust/Cargo.toml"

[tool.poetry]
name = "matrix-synapse"
version = "1.92.1"
version = "1.92.2"
description = "Homeserver for the Matrix decentralised comms protocol"
authors = ["Matrix.org Team and Contributors <[email protected]>"]
license = "Apache-2.0"