diff --git a/CHANGES.md b/CHANGES.md index 1bf9514ac2..9b9a6263bd 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -1,3 +1,33 @@ +Synapse 1.30.1 (2021-03-26) +=========================== + +This release is identical to Synapse 1.30.0, with the exception of explicitly +setting a minimum version of Python's Cryptography library to ensure that users +of Synapse are protected from the recent [OpenSSL security advisories](https://mta.openssl.org/pipermail/openssl-announce/2021-March/000198.html), +especially CVE-2021-3449. + +Note that Cryptography defaults to bundling its own statically linked copy of +OpenSSL, which means that you may not be protected by your operating system's +security updates. + +It's also worth noting that Cryptography no longer supports Python 3.5, so +admins deploying to older environments may not be protected against this or +future vulnerabilities. Synapse will be dropping support for Python 3.5 at the +end of March. + + +Updates to the Docker image +--------------------------- + +- Ensure that the docker container has up to date versions of openssl. ([\#9697](https://github.com/matrix-org/synapse/issues/9697)) + + +Internal Changes +---------------- + +- Enforce that `cryptography` dependency is up to date to ensure it has the most recent openssl patches. ([\#9697](https://github.com/matrix-org/synapse/issues/9697)) + + Synapse 1.30.0 (2021-03-22) =========================== diff --git a/debian/changelog b/debian/changelog index e6b2122d6f..18dc04cd82 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +matrix-synapse-py3 (1.30.1) stable; urgency=medium + + * New synapse release 1.30.1. + + -- Synapse Packaging team Fri, 26 Mar 2021 12:01:28 +0000 + matrix-synapse-py3 (1.30.0) stable; urgency=medium * New synapse release 1.30.0. diff --git a/docker/Dockerfile b/docker/Dockerfile index 7cd4dd7d1e..a442b34598 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -25,17 +25,18 @@ LABEL org.opencontainers.image.licenses='Apache-2.0' # install the OS build deps RUN apt-get update && apt-get install -y \ - build-essential \ - libffi-dev \ - libjpeg-dev \ - libpq-dev \ - libssl-dev \ - libwebp-dev \ - libxml++2.6-dev \ - libxslt1-dev \ - rustc \ - zlib1g-dev \ - && rm -rf /var/lib/apt/lists/* + build-essential \ + libffi-dev \ + libjpeg-dev \ + libpq-dev \ + libssl-dev \ + libwebp-dev \ + libxml++2.6-dev \ + libxslt1-dev \ + openssl \ + rustc \ + zlib1g-dev \ + && rm -rf /var/lib/apt/lists/* # Build dependencies that are not available as wheels, to speed up rebuilds RUN pip install --prefix="/install" --no-warn-script-location \ @@ -68,14 +69,16 @@ RUN pip install --prefix="/install" --no-warn-script-location \ FROM docker.io/python:${PYTHON_VERSION}-slim RUN apt-get update && apt-get install -y \ - curl \ - gosu \ - libjpeg62-turbo \ - libpq5 \ - libwebp6 \ - xmlsec1 \ - libjemalloc2 \ - && rm -rf /var/lib/apt/lists/* + curl \ + gosu \ + libjpeg62-turbo \ + libpq5 \ + libwebp6 \ + xmlsec1 \ + libjemalloc2 \ + libssl-dev \ + openssl \ + && rm -rf /var/lib/apt/lists/* COPY --from=builder /install /usr/local COPY ./docker/start.py /start.py @@ -88,4 +91,4 @@ EXPOSE 8008/tcp 8009/tcp 8448/tcp ENTRYPOINT ["/start.py"] HEALTHCHECK --interval=1m --timeout=5s \ - CMD curl -fSs http://localhost:8008/health || exit 1 + CMD curl -fSs http://localhost:8008/health || exit 1 diff --git a/synapse/__init__.py b/synapse/__init__.py index 8e57739cd2..c9bc8fb9e9 100644 --- a/synapse/__init__.py +++ b/synapse/__init__.py @@ -48,7 +48,7 @@ try: except ImportError: pass -__version__ = "1.30.0" +__version__ = "1.30.1" if bool(os.environ.get("SYNAPSE_TEST_PATCH_LOG_CONTEXTS", False)): # We import here so that we don't have to install a bunch of deps when diff --git a/synapse/python_dependencies.py b/synapse/python_dependencies.py index 321a333820..14ddaed026 100644 --- a/synapse/python_dependencies.py +++ b/synapse/python_dependencies.py @@ -82,6 +82,9 @@ REQUIREMENTS = [ "Jinja2>=2.9", "bleach>=1.4.3", "typing-extensions>=3.7.4", + # We enforce that we have a `cryptography` version that bundles an `openssl` + # with the latest security patches. + "cryptography>=3.4.7;python_version>='3.6'", ] CONDITIONAL_REQUIREMENTS = {