Print

[Jan-E]

In the release-notes you stated:

Expat went C99 coding style in one file and doesn't build on VC versions below 12 which is why the difference. That said, Expat version 2.2.3 was a security release fixing CVE-2017-11742 DLL hijacking vulnerability in Windows and 2.2.4 just has one other minor bug fix.

I tried to build Expat 2.2.4 for lower VC-versions and it looks like I succeeded. The libexpat devs are using Appveyor to build a shared expat.lib + expat.dll for VC's as low as VC10. I changed their Appveyor.yml a bit:

• Switch from debug builds to release builds
• Turn off the tests
• Switch from shared builds to a static lib
• Switch from /MD builds to /MT builds (by patching expat.vcxproj with perl!)
• Add VC9 x86 builds

The results can be found at https://ci.appveyor.com/project/Jan-E/libexpat/build/libexpat-29

The expat.lib and the project files can be downloaded as artifact. For instance, the VC11 x64 lib is here:
https://ci.appveyor.com/project/Jan-E/libexpat/build/libexpat-29/job/l1iv9ke0ohnexeml/artifacts

The only thing I could not achieve with Appveyor is a v2.2.4 VC9 x64 build. But using the same commands I did that locally and added the project-files and the expat.lib to my repo. The expat.lib is here:
https://github.com/Jan-E/libexpat/tree/master/expat/Release

I did not test the resulting lib's with Apache 2.4.28 yet, but the first steps are promising.

[Gregg]

The problems will be fixed in 2.2.5 with commits e0b290eb and b4b89c2

I have run into b4b89c2 and others on many 3rd-party modules so my VC versions less than 12 have custom headers in VC's include folder for stdbool, stdint, etc, depending on what's missing per VC version.

That said APR-util compiles in the static library so CVE-2017-11742 doesn't really exist for us I don't think.