Windows: Update Expat to 2.2.3 to fix DLL hijacking (CVE-2017-11742)

[hartwork]

Hi!

You seem target Windows and bundle Expat 2.2.1.
Please update your bundle to Expat 2.2.3 to fix vulnerability CVE-2017-11742.

Thanks!

[scheffle]

Not possible to use Expat 2.2.3 (or 2.2.4) without compiler errors on Windows. As the vulnerable feature is not used in VSTGUI I close this issue now.

[hartwork]

As the vulnerable feature is not used in VSTGUI I close this issue now.

I believe we have a misunderstanding here: There is no way of using that version of Expat without being vulnerable on Windows. You that troublesome call to LoadLibrary and it will be called on Windows.

Not possible to use Expat 2.2.3 (or 2.2.4) without compiler errors on Windows

If you have compile errors, please report bugs upstream, use a post-2.2.4 commit or request a soon release of 2.2.5. I'm quite sure we fixed these errors already.

Let's co-operate on this matter. Please re-open this ticket.

[scheffle]

I reverted back to version 2.1.1 now. It's just to much hassle to update expat in its current state.

[hartwork]

Expat 2.2.5 with the compile fixes for Windows has been released now.

[hartwork]

Any news?

[scheffle]

Using XML is now deprecated in VSTGUI, so this issue should fade away