From 12d61847133c4da60d3e511af37d6f7e548ccb7a Mon Sep 17 00:00:00 2001 From: Erik Johnston Date: Fri, 26 Mar 2021 12:00:25 +0000 Subject: [PATCH 1/4] Explicitly upgrade openssl in docker file and enforce new version of cryptography (#9697) --- changelog.d/9697.docker | 1 + changelog.d/9697.misc | 1 + docker/Dockerfile | 43 ++++++++++++++++++---------------- synapse/python_dependencies.py | 3 +++ 4 files changed, 28 insertions(+), 20 deletions(-) create mode 100644 changelog.d/9697.docker create mode 100644 changelog.d/9697.misc diff --git a/changelog.d/9697.docker b/changelog.d/9697.docker new file mode 100644 index 000000000..fb06ef6c4 --- /dev/null +++ b/changelog.d/9697.docker @@ -0,0 +1 @@ +Ensure that the docker container has up to date versions of openssl. diff --git a/changelog.d/9697.misc b/changelog.d/9697.misc new file mode 100644 index 000000000..e4866b01f --- /dev/null +++ b/changelog.d/9697.misc @@ -0,0 +1 @@ +Enforce that `cryptography` dependency is up to date to ensure it has the most recent openssl patches. diff --git a/docker/Dockerfile b/docker/Dockerfile index def450154..eddc941c4 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -20,17 +20,18 @@ FROM docker.io/python:${PYTHON_VERSION}-slim as builder # install the OS build deps RUN apt-get update && apt-get install -y \ - build-essential \ - libffi-dev \ - libjpeg-dev \ - libpq-dev \ - libssl-dev \ - libwebp-dev \ - libxml++2.6-dev \ - libxslt1-dev \ - rustc \ - zlib1g-dev \ - && rm -rf /var/lib/apt/lists/* + build-essential \ + libffi-dev \ + libjpeg-dev \ + libpq-dev \ + libssl-dev \ + libwebp-dev \ + libxml++2.6-dev \ + libxslt1-dev \ + openssl \ + rustc \ + zlib1g-dev \ + && rm -rf /var/lib/apt/lists/* # Build dependencies that are not available as wheels, to speed up rebuilds RUN pip install --prefix="/install" --no-warn-script-location \ @@ -63,14 +64,16 @@ RUN pip install --prefix="/install" --no-warn-script-location \ FROM docker.io/python:${PYTHON_VERSION}-slim RUN apt-get update && apt-get install -y \ - curl \ - gosu \ - libjpeg62-turbo \ - libpq5 \ - libwebp6 \ - xmlsec1 \ - libjemalloc2 \ - && rm -rf /var/lib/apt/lists/* + curl \ + gosu \ + libjpeg62-turbo \ + libpq5 \ + libwebp6 \ + xmlsec1 \ + libjemalloc2 \ + libssl-dev \ + openssl \ + && rm -rf /var/lib/apt/lists/* COPY --from=builder /install /usr/local COPY ./docker/start.py /start.py @@ -83,4 +86,4 @@ EXPOSE 8008/tcp 8009/tcp 8448/tcp ENTRYPOINT ["/start.py"] HEALTHCHECK --interval=1m --timeout=5s \ - CMD curl -fSs http://localhost:8008/health || exit 1 + CMD curl -fSs http://localhost:8008/health || exit 1 diff --git a/synapse/python_dependencies.py b/synapse/python_dependencies.py index 321a33382..14ddaed02 100644 --- a/synapse/python_dependencies.py +++ b/synapse/python_dependencies.py @@ -82,6 +82,9 @@ REQUIREMENTS = [ "Jinja2>=2.9", "bleach>=1.4.3", "typing-extensions>=3.7.4", + # We enforce that we have a `cryptography` version that bundles an `openssl` + # with the latest security patches. + "cryptography>=3.4.7;python_version>='3.6'", ] CONDITIONAL_REQUIREMENTS = { From c6f8e8086cb32ec88ad87a8fa36d9f5eb6f9824d Mon Sep 17 00:00:00 2001 From: Erik Johnston Date: Fri, 26 Mar 2021 12:03:29 +0000 Subject: [PATCH 2/4] 1.30.1 --- CHANGES.md | 19 +++++++++++++++++++ changelog.d/9697.docker | 1 - changelog.d/9697.misc | 1 - debian/changelog | 6 ++++++ synapse/__init__.py | 2 +- 5 files changed, 26 insertions(+), 3 deletions(-) delete mode 100644 changelog.d/9697.docker delete mode 100644 changelog.d/9697.misc diff --git a/CHANGES.md b/CHANGES.md index 1bf9514ac..f371f756d 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -1,3 +1,22 @@ +Synapse 1.30.1 (2021-03-26) +=========================== + +This is a security release to ensure that Synapse is running with a +`cryptography` package built against a patched version of OpenSSL. + + +Updates to the Docker image +--------------------------- + +- Ensure that the docker container has up to date versions of openssl. ([\#9697](https://github.com/matrix-org/synapse/issues/9697)) + + +Internal Changes +---------------- + +- Enforce that `cryptography` dependency is up to date to ensure it has the most recent openssl patches. ([\#9697](https://github.com/matrix-org/synapse/issues/9697)) + + Synapse 1.30.0 (2021-03-22) =========================== diff --git a/changelog.d/9697.docker b/changelog.d/9697.docker deleted file mode 100644 index fb06ef6c4..000000000 --- a/changelog.d/9697.docker +++ /dev/null @@ -1 +0,0 @@ -Ensure that the docker container has up to date versions of openssl. diff --git a/changelog.d/9697.misc b/changelog.d/9697.misc deleted file mode 100644 index e4866b01f..000000000 --- a/changelog.d/9697.misc +++ /dev/null @@ -1 +0,0 @@ -Enforce that `cryptography` dependency is up to date to ensure it has the most recent openssl patches. diff --git a/debian/changelog b/debian/changelog index e6b2122d6..18dc04cd8 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +matrix-synapse-py3 (1.30.1) stable; urgency=medium + + * New synapse release 1.30.1. + + -- Synapse Packaging team Fri, 26 Mar 2021 12:01:28 +0000 + matrix-synapse-py3 (1.30.0) stable; urgency=medium * New synapse release 1.30.0. diff --git a/synapse/__init__.py b/synapse/__init__.py index 8e57739cd..c9bc8fb9e 100644 --- a/synapse/__init__.py +++ b/synapse/__init__.py @@ -48,7 +48,7 @@ try: except ImportError: pass -__version__ = "1.30.0" +__version__ = "1.30.1" if bool(os.environ.get("SYNAPSE_TEST_PATCH_LOG_CONTEXTS", False)): # We import here so that we don't have to install a bunch of deps when From 548c4a6587fe517f3a66756407946335636cd044 Mon Sep 17 00:00:00 2001 From: Erik Johnston Date: Fri, 26 Mar 2021 12:17:37 +0000 Subject: [PATCH 3/4] Update cahngelog --- CHANGES.md | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index f371f756d..2adff4263 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -1,8 +1,20 @@ Synapse 1.30.1 (2021-03-26) =========================== -This is a security release to ensure that Synapse is running with a -`cryptography` package built against a patched version of OpenSSL. +This release is identical to Synapse 1.30.0, with the exception of explicitly +setting a minimum version of Python's Cryptography library to ensure that users +of Synapse are protected from the recent [OpenSSL security advisories](https://mta.openssl.org/pipermail/openssl-announce/2021-March/000198.html), +especially CVE-2021-3449. + +Note that Cryptography defaults to bundling its own statically linked copy of +OpenSSL, which means that you may not be protected by your operating system's +security updates. + +It's also worth noting that Cryptography no longer supports Python 3.5, so +admins deploying to older environments may not be protected against this or +future vulnerabilities. + + Updates to the Docker image From 262ed05f5b4bb1c489119129065babb29be7f3f1 Mon Sep 17 00:00:00 2001 From: Erik Johnston Date: Fri, 26 Mar 2021 12:21:04 +0000 Subject: [PATCH 4/4] Update cahngelog --- CHANGES.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index 2adff4263..9b9a6263b 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -12,9 +12,8 @@ security updates. It's also worth noting that Cryptography no longer supports Python 3.5, so admins deploying to older environments may not be protected against this or -future vulnerabilities. - - +future vulnerabilities. Synapse will be dropping support for Python 3.5 at the +end of March. Updates to the Docker image