[Qgis-user] Risk of security vulnerability using older version of QGis

Adam Nielsen a.nielsen at shikadi.net
Tue Feb 27 15:36:56 PST 2024


> As a private and amateur end-user of QGis I would really like to know
> if not running the latest version of QGis is a (serious) security
> risk for my computer?

Do you open projects and data sources from untrusted people?  If so
then it can be a security risk if you are opening a malicious data
file.  If you trust the files and data sources then the risks are
minimal, although of course those people could be hacked so there's
always some unavoidable risk.

> Because of concerns regarding the bug-less performance and
> compatibility of my old project files (albeit potentially
> unjustified) and the inconvenience resulting from a missing built-in
> update feature of QGis, I have not installed the latest version of
> the program yet.

There's no harm in making a copy of your projects, upgrading QGIS, and
testing them out.  If they break and you can't fix it, you can install
the old version and restore the project from the copy you made.

I've only been using QGIS for a little over a year now, and kept
regularly up to date.  I've never had a problem with upgrades and even
going backwards in versions.  Different versions have different
features and bug fixes but so far the likelihood of breaking my projects
seems pretty low.  Of course I still keep backups just in case, because
there are many other things that can go wrong as well (hardware failure,
ransomware, etc.)

> As I am quite new to Mac computers and (as many people convinced me
> it is not necessary) I am not using extra anti-virus software, I have
> serious concerns if an older version of QGis could be a security risk
> for my computer.

When security problems are discovered in popular programs like QGIS,
they are typically recorded in an online vulnerability database.  You
can search this for your favourite programs to see how many
vulnerabilities there are and how old they are, then do your own
research to find out what version they were fixed in.  The search for
QGIS shows no security issues found so far:

  https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=qgis

It doesn't mean there aren't any security flaws, just that nobody has
found any yet.

Often security issues will be in an obscure part of a program that you
are unlikely to use, so even if there are issues, they may not affect
you anyway.  You'll have to read the details listed on the issue to find
that out.

Cheers,
Adam.

