Explicitly upgrade openssl in docker file and enforce new version of cryptography (#9697)

changelog.d/9697.docker

@@ -0,0 +1 @@
+Ensure that the docker container has up to date versions of openssl.

changelog.d/9697.misc

@@ -0,0 +1 @@
+Enforce that `cryptography` dependency is up to date to ensure it has the most recent openssl patches.

docker/Dockerfile

@@ -28,6 +28,7 @@ RUN apt-get update && apt-get install -y \
         libwebp-dev \
         libxml++2.6-dev \
         libxslt1-dev \
+        openssl \
         rustc \
         zlib1g-dev \
         && rm -rf /var/lib/apt/lists/*
@@ -70,6 +71,8 @@ RUN apt-get update && apt-get install -y \
         libwebp6 \
         xmlsec1 \
         libjemalloc2 \
+        libssl-dev \
+        openssl \
         && rm -rf /var/lib/apt/lists/*
 
 COPY --from=builder /install /usr/local

synapse/python_dependencies.py

@@ -82,6 +82,9 @@ REQUIREMENTS = [
     "Jinja2>=2.9",
     "bleach>=1.4.3",
     "typing-extensions>=3.7.4",
+    # We enforce that we have a `cryptography` version that bundles an `openssl`
+    # with the latest security patches.
+    "cryptography>=3.4.7;python_version>='3.6'",
 ]
 
 CONDITIONAL_REQUIREMENTS = {