Update limesurvey 3.2 > limesurvey4.2.7 fails

3 years 9 months ago - 3 years 9 months ago #200730 by Dennis
During the update from 3.2 to 4.2, the database upgrade failed with the following error:


CDbCommand faalde tijdens het uitvoeren van volgend SQL statement: SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry '75-nl' for key 'lime_idx1_label_l10ns'

Bestand update_helper.php, regel 31.


The database is checked and clean. As 3.2 has an XSS vulnerability, we would like to update. What to do?
Last edit: 3 years 9 months ago by Dennis.
The topic has been locked.
3 years 9 months ago #200765 by holch

"As 3.2 has an XSS vulnerability"

Any source?

Currently I would NOT recommend 4.x for production environments.

Why not first upgrade from 3.2 to the latest version of this branch (3.22.19)?

I answer at the LimeSurvey forum in my spare time, I'm not a LimeSurvey GmbH employee.
No support via private message.

3 years 9 months ago #200770 by Dennis
We got a warning from a pen-tester who demonstrated the XSS problem.

Ok, I'll try to install 3.22.19. Is it correct I have to pay to download that version?
3 years 9 months ago - 3 years 9 months ago #200771 by holch
As far as I know, there has been a reported XSS vulnerability in versions 3.17 and before, but this version was from September 2019, so more than half a year old. After this, there has been a fix for this vulnerability, afaik.

And no, you do not have to pay to download that version. It is freely available in the download section here:

www.limesurvey.org/about-limesurvey/download

More specifically here:
www.limesurvey.org/lts-releases-download

With LimeSurvey you generally only pay for two things:

- LimeSurvey Pro (SaaS), the hosted version of LimeSurvey. Here you are paying for the hosting.
- In LimeSurvey CE you can decide to pay for the Comfort Update. It makes updating a lot easier, smoother and more comfortable, as the name says, but it is not a requirement by any means. You can still upgrade the traditional manual way or write your own script to update.

As I said, I currently would not go for 4.x for a production installation. Too many annoying bugs still open and found every day. It makes sense to have an installation of 4.x in parallel for testing and bug reporting, but I personally would not run real surveys on it just yet.

Last edit: 3 years 9 months ago by holch.
3 years 9 months ago #200774 by Dennis
Thank you!