Explicitly upgrade openssl in docker file and enforce new version of cryptography (#9697)

erikjohnston · web-flow · commit 12d61847133c · 2021-03-26T12:00:25.000Z
diff --git a/changelog.d/9697.docker b/changelog.d/9697.docker
@@ -0,0 +1 @@
+Ensure that the docker container has up to date versions of openssl.
diff --git a/changelog.d/9697.misc b/changelog.d/9697.misc
@@ -0,0 +1 @@
+Enforce that `cryptography` dependency is up to date to ensure it has the most recent openssl patches.
diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -20,17 +20,18 @@ FROM docker.io/python:${PYTHON_VERSION}-slim as builder
 
 # install the OS build deps
 RUN apt-get update && apt-get install -y \
-    build-essential \
-    libffi-dev \
-    libjpeg-dev \
-    libpq-dev \
-    libssl-dev \
-    libwebp-dev \
-    libxml++2.6-dev \
-    libxslt1-dev \
-    rustc \
-    zlib1g-dev \
- && rm -rf /var/lib/apt/lists/*
+        build-essential \
+        libffi-dev \
+        libjpeg-dev \
+        libpq-dev \
+        libssl-dev \
+        libwebp-dev \
+        libxml++2.6-dev \
+        libxslt1-dev \
+        openssl \
+        rustc \
+        zlib1g-dev \
+        && rm -rf /var/lib/apt/lists/*
 
 # Build dependencies that are not available as wheels, to speed up rebuilds
 RUN pip install --prefix="/install" --no-warn-script-location \
@@ -63,14 +64,16 @@ RUN pip install --prefix="/install" --no-warn-script-location \
 FROM docker.io/python:${PYTHON_VERSION}-slim
 
 RUN apt-get update && apt-get install -y \
-    curl \
-    gosu \
-    libjpeg62-turbo \
-    libpq5 \
-    libwebp6 \
-    xmlsec1 \
-    libjemalloc2 \
- && rm -rf /var/lib/apt/lists/*
+        curl \
+        gosu \
+        libjpeg62-turbo \
+        libpq5 \
+        libwebp6 \
+        xmlsec1 \
+        libjemalloc2 \
+        libssl-dev \
+        openssl \
+        && rm -rf /var/lib/apt/lists/*
 
 COPY --from=builder /install /usr/local
 COPY ./docker/start.py /start.py
@@ -83,4 +86,4 @@ EXPOSE 8008/tcp 8009/tcp 8448/tcp
 ENTRYPOINT ["/start.py"]
 
 HEALTHCHECK --interval=1m --timeout=5s \
-  CMD curl -fSs http://localhost:8008/health || exit 1
+        CMD curl -fSs http://localhost:8008/health || exit 1
diff --git a/synapse/python_dependencies.py b/synapse/python_dependencies.py
@@ -82,6 +82,9 @@
     "Jinja2>=2.9",
     "bleach>=1.4.3",
     "typing-extensions>=3.7.4",
+    # We enforce that we have a `cryptography` version that bundles an `openssl`
+    # with the latest security patches.
+    "cryptography>=3.4.7;python_version>='3.6'",
 ]
 
 CONDITIONAL_REQUIREMENTS = {

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Ensure that the docker container has up to date versions of openssl.`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	+Enforce that `cryptography` dependency is up to date to ensure it has the most recent openssl patches.
Original file line number	Diff line number	Diff line change
`@@ -82,6 +82,9 @@`
`82`	`82`	`"Jinja2>=2.9",`
`83`	`83`	`"bleach>=1.4.3",`
`84`	`84`	`"typing-extensions>=3.7.4",`
	`85`	+ # We enforce that we have a `cryptography` version that bundles an `openssl`
	`86`	`+ # with the latest security patches.`
	`87`	`+ "cryptography>=3.4.7;python_version>='3.6'",`
`85`	`88`	`]`
`86`	`89`
`87`	`90`	`CONDITIONAL_REQUIREMENTS = {`