Explicitly upgrade openssl in docker file and enforce new version of cryptography (#9697)

2021-03-26 12:00:25 +00:00 · 2021-03-26 12:00:25 +00:00 · 12d6184713
parent e2904f720d
commit 12d6184713
4 changed files with 28 additions and 20 deletions
--- a/changelog.d/9697.docker
+++ b/changelog.d/9697.docker
@ -0,0 +1 @@
+Ensure that the docker container has up to date versions of openssl.
--- a/changelog.d/9697.misc
+++ b/changelog.d/9697.misc
@ -0,0 +1 @@
+Enforce that `cryptography` dependency is up to date to ensure it has the most recent openssl patches.
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@ -28,6 +28,7 @@ RUN apt-get update && apt-get install -y \
        libwebp-dev \
        libxml++2.6-dev \
        libxslt1-dev \
+        openssl \
        rustc \
        zlib1g-dev \
        && rm -rf /var/lib/apt/lists/*
@ -70,6 +71,8 @@ RUN apt-get update && apt-get install -y \
        libwebp6 \
        xmlsec1 \
        libjemalloc2 \
+        libssl-dev \
+        openssl \
        && rm -rf /var/lib/apt/lists/*

 COPY --from=builder /install /usr/local
--- a/synapse/python_dependencies.py
+++ b/synapse/python_dependencies.py
@ -82,6 +82,9 @@ REQUIREMENTS = [
    "Jinja2>=2.9",
    "bleach>=1.4.3",
    "typing-extensions>=3.7.4",
+    # We enforce that we have a `cryptography` version that bundles an `openssl`
+    # with the latest security patches.
+    "cryptography>=3.4.7;python_version>='3.6'",
 ]

 CONDITIONAL_REQUIREMENTS = {
				`@ -0,0 +1 @@`
				`Ensure that the docker container has up to date versions of openssl.`
				`@ -0,0 +1 @@`
				Enforce that `cryptography` dependency is up to date to ensure it has the most recent openssl patches.