Is q2a 1.8.6 more secure than version 1.7.5?

Question

I still use version 1.7.5 and was wondering if it is less secure than the more up to date 1.8.6

Comments

Considering how simple it is to upgrade, this question should be irrelevant. Have you tried my suggested process to upgrade from a potentially broken installation?

https://www.question2answer.org/qa/95112/database-error-whilst-trying-to-upgrade-q2a-from-version-to?show=95384#a95384

---

Yes, but now appears

Database query error 1062
Duplicate entry 'Mo\xF5\x0A-V' for key 'ip'

UPDATE qa_iplimits SET ip = UNHEX(HEX(CAST(ip AS UNSIGNED)))

---

The error you are facing is happening BEFORE the error you asked help for in the other question. 10 months ago, when I added the answer, it would have worked. Now you need to comment other lines of code as well

---

In the same install.php file? I searched for it and didn't find it.

Answer 1

Generally speaking: yes. It's practically always advisable to keep software up to date, because new versions fix known (potentially exploitable) bugs in older versions.

For more information you can review the version history. From a quick glance notable security improvements appear to be:

• Security fix: prevent use of <embed> and <object> tags. (v1.8.4)
• Reworked file cache to securely allow cache inside web root. (v1.8.0 beta 2)
• Password security has been upgraded from sha1 to use PHP's password_hash function where available. (v1.8.0 beta 2)

You should also keep PHP, your webserver and your database updated, since those are part of the system's attack surface as well.