[Qgis-user] Risk of security vulnerability using older version of QGis

Wed Feb 28 03:23:40 PST 2024

Hi Adam,

thank you very much for your detailed information! Because i’m concerned with Software as an end-user only, your explanation gave me really helpful insight and further understanding of the circumstances under which security issues in a program like QGis may arise. 

As far as i understood, my concerns about security risks seem more or less negligible, if you work with your own projects mainly. On the other hand i now see that updating should not cause problems because, in case, there still is the option to switch back to the previously used version. 

I didn’t know about online vulnerability databases yet. In the future this will also be a helpful resource for me for issues like this!

I really appreciate your help!
Thanks and best wishes 
Max

> Am 28.02.2024 um 00:37 schrieb Adam Nielsen <a.nielsen at shikadi.net>:
> 
> 
>> 
>> As a private and amateur end-user of QGis I would really like to know
>> if not running the latest version of QGis is a (serious) security
>> risk for my Computer?
> 
> Do you open projects and data sources from untrusted people?  If so
> then it can be a security risk if you are opening a malicious data
> file.  If you trust the files and data sources then the risks are
> minimal, although of course those people could be hacked so there's
> always some unavoidable risk.
> 
>> Because of concerns regarding the bug-less performance and
>> compatibility of my old project files (albeit potentially
>> unjustified) and the inconvenience resulting from a missing built in
>> Update feature of QGis, I have not installed the latest version of
>> the program yet.
> 
> There's no harm in making a copy of your projects, upgrading QGIS, and
> testing them out.  If they break and you can't fix it, you can install
> the old version and restore the project from the copy you made.
> 
> I've only been using QGIS for a little over a year now, and kept
> regularly up to date.  I've never had a problem with upgrades and even
> going backwards in versions.  Different versions have different
> features and bug fixes but so far the likelihood of breaking my projects
> seems pretty low.  Of course I still keep backups just in case, because
> there are many other things that can go wrong as well (hardware failure,
> ransomware, etc.)
> 
>> As I am quite new to Mac computers and (as many people convinced me
>> it is not necessary) I am not using extra anti-virus software, I have
>> serious concerns if an older version of QGis could be a security risk
>> for my computer.
> 
> When security problems are discovered in popular programs like QGIS,
> they are typically recorded in an online vulnerability database.  You
> can search this for your favourite programs to see how many
> vulnerabilities there are and how old they are, then do your own
> research to find out what version they were fixed in.  The search for
> QGIS shows no security issues found so far:
> 
>  https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=qgis
> 
> It doesn't mean there aren't any security flaws, just that nobody has
> found any yet.
> 
> Often security issues will be in an obscure part of a program that you
> are unlikely to use, so even if there are issues, they may not affect
> you anyway.  You'll have to read the details listed on the issue to find
> that out.
> 
> Cheers,
> Adam.