Seriously? This is dereliction of duty. Wonder how many states have this issue?

the money wasn't there to change the copyright notice. It does require either a code change or table edit change to implement, which of course, cost money.

And Apache is about as "corporate" as an open source project gets: they make sure they dot their i's with that stuff.

When you update versions, the version numbers change on the screen. You can do a query on the version too and get it. And Apache is open source and "free". No $$$ involved. The labor to do the maintenance on it would obviously have a cost but that should be something included in a maintenance contract with either outside techs and/or included in the duties of the state's IT staff if they handle or oversee it.

The only other issue here might be whatever software application the system is using that probably bundled that version of Apache and whether that system was even updated and/or could even run on the newer web server implementations without some major modification.

it doesn't need to be changed or edited doesn't mean that for 100% of all software, that it doesn't need to be changed. It depends on the software and I didn't know enough about Apache nor was the information provided in the orig. post to determine this.

most organizations "publicly" copyright their work and follow traditional code change versioning (i.e., denoting "major" / "minor" ).

To me, this appears to literally be a stock Apache install at the level that probably came bundled with the system they bought (the same version that eventually spawned Tomcat too). Quite a few things come bundled with web servers (whether they are enabled or not) and really, for a system that is to be used by some government entity that may end up with parts that are public-facing, there really needs to be some kind of schedule of maintenance on it.

Courts have been horrible in voter cases saying yes you're horrible but it's ok

And even v 2.2.x is already at end of life for patches as of 2017.

https://httpd.apache.org/



They can't really do anything with that now. It would probably require a whole new parallel install and then transition to the new version (after major UAT, etc).

If you're moving slower than RedHat, you're moving too slowly.

Yeah, 2.2 is old!

I remember briefly running RH 6.0 (had been running 5.1 - various versions including for Sparc and Alpha) with 2.2 and decided to just go back to my SuSE (now OpenSuSE) on my desktop. Of course now RH is gonna be owned by IBM. Guess it was a matter of time.

Version Initial release Latest release
1.3 1998-06-06[49] 2010-02-03 (1.3.42)[50]
2.0 2002-04-06[51] 2013-07-10 (2.0.65)[52]
2.2 2005-12-01[53] 2017-07-11 (2.2.34)[54]
2.4 2012-02-21[55] 2018-10-23 (2.4.37)[56]

The Apache HTTP Server Project is a collaborative software development effort aimed at creating a robust, commercial-grade, feature-rich and freely available source code implementation of an HTTP (Web) server. The project is jointly managed by a group of volunteers located around the world, using the Internet and the Web to communicate, plan, and develop the server and its related documentation. This project is part of the Apache Software Foundation. In addition, hundreds of users have contributed ideas, code, and documentation to the project.[57][58][59]

Apache 2.4 dropped support for BeOS, TPF and even older platforms.[8]

I remember Be operating system (at least the free version). Had been out during the period when I was fooling around with the various pre-windoze 95 OSes that came out in the '90s, and that also included OS/2.

Feeling old now...

What a sham, and this is obviously intentional.

He's got 20K followers, and they include a lot of tech CIOs and CTOs.

All I can do, at this point is meditate on what it would be like to have a solid takeover in Congress.

software versions so rapidly and oftentimes users are struggling to keep up with the changes. This was one of my top issues w/ IBM and all of its changes it made to software on a constant basis. And IBM isn't / wasn't the only company doing this practice. I know that fixes and the like are required, but the user community is oftentimes struggling to keep up w/ all of the updates.

Something as sensitive as the web server as described in this original post, I don't know. Depending upon the security enacted by the carrier(s) it may or may not be a problem. Perhaps the web server is behind a firewall located at a provider's host site. Too many open ended ?s as to true impact.

And nearly all of them are in-band, i.e., it's a perfectly legal HTTP request that a firewall would let through that compromises the server in some way.

so the code they release and deem as "stable" would have had a better chance of having issues caught before getting that designation vs proprietary systems (like windoze... ).

.

The fallacy is the open-source is better, yet their development communities are taken over by nation state actors and hackers. People thing that open-source is safer because people review it. It turns out, that besides academia, doing it, most reviews are by hackers.

Many companies are using the Spring framework, which is rife with security exposures, and it's last fix was in 2017.

.

And it has a significantly better security record than its closed-source competitors.

The machines are ancient, so nothing surprises me. But we are careful to report the correct number of voters, and the machines won't be out of my sight until I take the final counts to the county. Georgia has no party affiliation when you register, so it's hard to guess outcomes. We are being told to prepare for a possible run off (I hope not, I won't be in the country that day.) Republicans are running against Nancy Pelosi, and that's getting old around here. Jon Ossoff wasn't Nancy Pelosi, and neither is Lucy McBath. They are even suggesting that local candidates like Sally Harrell are somehow the image of Nancy Pelosi. That seems really weird to me.

Seem like a last ditch effort to scare their base into coming out.

Thanks for your work at the precincts!

Republicans refuse to offer good pay for technical support. Many years ago in Austin, TX a job with the state paid a full third less than the City of Austin for the same work. That did not attract the best and brightest. Their tech managers were the worst.

Politicians should not be making decisions about complex online computer security. Not having competent and unbiased network pprofessionals overseeing these agencies is a BIG problem.

Well maybe, considering it's GA, the voting system ain't broke it's doing exactly what the republicans want it to do.

Stealing votes?
Allowing remote access?
Allowing remote access for altering the final tallies?
Keeping suppressed voter suppressed via a DIY patch?

One more extended message.

IGNORE THE POLLS.... YOU GET OUT AND VOTE!

But the entire protocol stack of TLS1 suffers from design problems.

This may be difficult in some locations, but I always ask and have been accommodated.

We can only determine that the server delivering this message may not have had Apache patches since 2011.

Best of luck to Stacey Abrams and all Georgia Democrats!