From 574d121223c72cf6150c6a46b6277d44a79580f8 Mon Sep 17 00:00:00 2001
From: Erik Johnston
Date: Fri, 26 Mar 2021 10:38:01 +0000
Subject: [PATCH 1/6] Reformat
---
 docker/Dockerfile | 40 ++++++++++++++++++++--------------------
 1 file changed, 20 insertions(+), 20 deletions(-)
diff --git a/docker/Dockerfile b/docker/Dockerfile
index def4501541fe..4e746b9c323e 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -20,17 +20,17 @@ FROM docker.io/python:${PYTHON_VERSION}-slim as builder
 # install the OS build deps
 RUN apt-get update && apt-get install -y \
- build-essential \
- libffi-dev \
- libjpeg-dev \
- libpq-dev \
- libssl-dev \
- libwebp-dev \
- libxml++2.6-dev \
- libxslt1-dev \
- rustc \
- zlib1g-dev \
- && rm -rf /var/lib/apt/lists/*
+ build-essential \
+ libffi-dev \
+ libjpeg-dev \
+ libpq-dev \
+ libssl-dev \
+ libwebp-dev \
+ libxml++2.6-dev \
+ libxslt1-dev \
+ rustc \
+ zlib1g-dev \
+ && rm -rf /var/lib/apt/lists/*
 # Build dependencies that are not available as wheels, to speed up rebuilds
 RUN pip install --prefix="/install" --no-warn-script-location \
@@ -63,14 +63,14 @@ RUN pip install --prefix="/install" --no-warn-script-location \
 FROM docker.io/python:${PYTHON_VERSION}-slim
 RUN apt-get update && apt-get install -y \
- curl \
- gosu \
- libjpeg62-turbo \
- libpq5 \
- libwebp6 \
- xmlsec1 \
- libjemalloc2 \
- && rm -rf /var/lib/apt/lists/*
+ curl \
+ gosu \
+ libjpeg62-turbo \
+ libpq5 \
+ libwebp6 \
+ xmlsec1 \
+ libjemalloc2 \
+ && rm -rf /var/lib/apt/lists/*
 COPY --from=builder /install /usr/local
 COPY ./docker/start.py /start.py
@@ -83,4 +83,4 @@ EXPOSE 8008/tcp 8009/tcp 8448/tcp
 ENTRYPOINT ["/start.py"]
 HEALTHCHECK --interval=1m --timeout=5s \
- CMD curl -fSs http://localhost:8008/health || exit 1
+ CMD curl -fSs http://localhost:8008/health || exit 1
From f6e41c604b5df526b9368f124f3c6e7f98728cb6 Mon Sep 17 00:00:00 2001
From: Erik Johnston
Date: Fri, 26 Mar 2021 10:39:13 +0000
Subject: [PATCH 2/6] Explicitly upgrade libssl/openssl
---
 docker/Dockerfile | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 4e746b9c323e..1750586d82c2 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -24,10 +24,12 @@ RUN apt-get update && apt-get install -y \
 libffi-dev \
 libjpeg-dev \
 libpq-dev \
+ libssl \
 libssl-dev \
 libwebp-dev \
 libxml++2.6-dev \
 libxslt1-dev \
+ openssl \
 rustc \
 zlib1g-dev \
 && rm -rf /var/lib/apt/lists/*
@@ -70,6 +72,9 @@ RUN apt-get update && apt-get install -y \
 libwebp6 \
 xmlsec1 \
 libjemalloc2 \
+ libssl \
+ libssl-dev \
+ openssl \
 && rm -rf /var/lib/apt/lists/*
 COPY --from=builder /install /usr/local
From f4ab3e6aa3dd87c15da8d90fabc20e17c6271a65 Mon Sep 17 00:00:00 2001
From: Erik Johnston
Date: Fri, 26 Mar 2021 10:42:23 +0000
Subject: [PATCH 3/6] Explicitly require a cryptography version with a patched openssl
---
 synapse/python_dependencies.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/synapse/python_dependencies.py b/synapse/python_dependencies.py
index 321a33382068..664783c6b02e 100644
--- a/synapse/python_dependencies.py
+++ b/synapse/python_dependencies.py
@@ -82,6 +82,9 @@
 "Jinja2>=2.9",
 "bleach>=1.4.3",
 "typing-extensions>=3.7.4",
+ # We enforce that we have a `cryptography` version that bundles an `openssl`
+ # with the latest security patches.
+ "cryptography>=3.4.7",
 ]
 CONDITIONAL_REQUIREMENTS = {
From 51e4baca97a67c953bb086a283c6e3c21674eaa2 Mon Sep 17 00:00:00 2001
From: Erik Johnston
Date: Fri, 26 Mar 2021 10:45:40 +0000
Subject: [PATCH 4/6] Newsfile
---
 changelog.d/9697.docker | 1 +
 changelog.d/9697.misc | 1 +
 2 files changed, 2 insertions(+)
 create mode 100644 changelog.d/9697.docker
 create mode 100644 changelog.d/9697.misc
diff --git a/changelog.d/9697.docker b/changelog.d/9697.docker
new file mode 100644
index 000000000000..fb06ef6c4811
--- /dev/null
+++ b/changelog.d/9697.docker
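Review bot: The runtime stage in the second hunk installs `libssl-dev` only as a vehicle for the patched shared library, and the headers and static archive it brings are dead weight in the final image; the same lines survive into the last patch of this series. On the buster-based slim images of this period (assumed, not visible here) the runtime library ships as its own `libssl1.1` package, so naming that package, or leaving the refresh to a base-image digest bump, would get the fix without a -dev package in production. `openssl` in both stages adds a CLI binary that nothing visible in the Dockerfile invokes. Whichever package is kept, a why-comment such as `# re-listed so a rebuild pulls the patched libssl even when the base image lags` would stop a later cleanup from dropping a line that looks redundant, since these packages are already present in the base image and the only reason to name them is to force the upgrade.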
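Review bot: The added comment says the floor guarantees a bundled, patched `openssl`, but that holds only for the binary wheels; a source build of `cryptography` links against whatever OpenSSL the build host provides, which is exactly the Docker case this series also patches (the builder stage installs `rustc` and `libssl-dev`, consistent with compiling it there). A reader who sees only this file could conclude the system library no longer matters. I would extend the comment: `# (only binary wheels bundle OpenSSL; a source build links the system libssl, so that must stay patched too)`. The enclosing list literal starts and ends outside the hunk.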
@@ -0,0 +1 @@
+Ensure that the docker container has up to date versions of openssl.
diff --git a/changelog.d/9697.misc b/changelog.d/9697.misc
new file mode 100644
index 000000000000..e4866b01fa77
--- /dev/null
+++ b/changelog.d/9697.misc
@@ -0,0 +1 @@
+Enforce that `cryptography` dependency is up to date to ensure it has the most recent openssl patches.
From fa687b4cfe26e53ceff98be48d23c8ca264560a5 Mon Sep 17 00:00:00 2001
From: Erik Johnston
Date: Fri, 26 Mar 2021 11:17:28 +0000
Subject: [PATCH 5/6] Only pin cryptograhpy for 3.6+
---
 synapse/python_dependencies.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/synapse/python_dependencies.py b/synapse/python_dependencies.py
index 664783c6b02e..14ddaed026e0 100644
--- a/synapse/python_dependencies.py
+++ b/synapse/python_dependencies.py
@@ -84,7 +84,7 @@
 "typing-extensions>=3.7.4",
 # We enforce that we have a `cryptography` version that bundles an `openssl`
 # with the latest security patches.
- "cryptography>=3.4.7",
+ "cryptography>=3.4.7;python_version>='3.6'",
 ]
 CONDITIONAL_REQUIREMENTS = {
From 09d39a46d4a52b74088c1f17c635a91e205de40e Mon Sep 17 00:00:00 2001
From: Erik Johnston
Date: Fri, 26 Mar 2021 11:26:44 +0000
Subject: [PATCH 6/6] libssl doesn't exist, so drop it rather than explicitly depend on 1.1
Upgrading libssl-dev will pull in up to date version of it anyway
---
 docker/Dockerfile | 2 --
 1 file changed, 2 deletions(-)
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 1750586d82c2..eddc941c489a 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -24,7 +24,6 @@ RUN apt-get update && apt-get install -y \
 libffi-dev \
 libjpeg-dev \
 libpq-dev \
- libssl \
 libssl-dev \
 libwebp-dev \
 libxml++2.6-dev \
@@ -72,7 +71,6 @@ RUN apt-get update && apt-get install -y \
 libwebp6 \
 xmlsec1 \
 libjemalloc2 \
- libssl \
 libssl-dev \
 openssl \
 && rm -rf /var/lib/apt/lists/*
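Review bot: The environment marker makes the floor vanish entirely on Python 3.5 rather than fall back to an older minimum, so a 3.5 deployment keeps whatever `cryptography` it already has, while the context comment above the changed line still says the version is enforced unconditionally. If 3.5 is still a supported target at this point, that gap belongs next to the pin: `# releases carrying this fix need Python 3.6+, so 3.5 installs are left on their existing (unpatched) cryptography.` The enclosing list literal starts and ends outside the hunk.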
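Review bot: After this commit the runtime stage in the second hunk still carries `libssl-dev` and `openssl` purely to drag in the patched shared library, relying on the -dev package's versioned dependency on the runtime library as the commit message describes; that coupling is implicit in the Dockerfile and deserves a comment at the line, e.g. `# libssl-dev is listed only to force the runtime libssl to the patched version`. Note also that `apt-get install -y` refreshes just the packages it names, so every other library in the base image stays at the version the image was built with; the durable fix remains rebuilding on base-image refreshes, and the targeted upgrade here is best documented as a stop-gap so it is not mistaken for a general patch policy.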