Critical vulnerability CVE-2022-37434 in lxml introduced through zlib
Bug #2023529 reported by Michal Mirkowski
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| lxml | Invalid | Undecided | Unassigned | |
Bug Description
lxml uses a third-party package, zlib 1.2.12, which has a CVE:
CVE-2022-37434 https:/
This vulnerability was removed in zlib 1.2.13.
I need urgent information on whether lxml is exploitable or not.
When do you plan to update the zlib version?
Regards,
Michal Mirkowski
zlib 1.2.13 was released two months before lxml 4.9.2, so the binary wheels probably picked it up. They always use the latest versions for zlib and iconv and include all library dependencies statically linked.
Note that you can always build your own lxml wheels locally, with or without statically linked libraries.
I'm assuming that this is resolved in 4.9.2.
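The comments above turn on which zlib release is statically linked into a given lxml wheel, something Python's own `zlib` module cannot tell you because it reports the interpreter's zlib, not lxml's private copy. The script below is an added example, not part of this bug thread or of the lxml project: it scans the compiled lxml extension modules for the version banner that zlib's `inflate.c` embeds (" inflate 1.2.13 Copyright ... Mark Adler ") and compares the version found against 1.2.13, the release the report names as carrying the fix. The banner layout being stable across 1.2.x releases is an assumption; the two sample blobs are constructed so the check runs without lxml installed.

```python
"""Inspect an lxml binary module for the zlib version it was built against.

Added example, not lxml project code. The interpreter's own zlib module reports
the zlib Python was linked with, not the copy statically linked into an lxml
wheel, so the wheel's extension module has to be inspected directly.
"""
from __future__ import annotations

import re
from pathlib import Path

# zlib's inflate.c embeds a copyright banner carrying the library version,
# e.g. " inflate 1.2.13 Copyright 1995-2022 Mark Adler ". Assumption: this
# banner layout holds for the zlib releases of interest.
ZLIB_BANNER = re.compile(rb" inflate (\d+(?:\.\d+)+) Copyright")

# The bug report states that CVE-2022-37434 was removed in zlib 1.2.13.
FIXED_VERSION = (1, 2, 13)


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '1.2.13' into (1, 2, 13) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def is_fixed(version: str) -> bool:
    """True if this zlib release is at or past the one carrying the fix."""
    return parse_version(version) >= FIXED_VERSION


def zlib_versions_in_blob(blob: bytes) -> list[str]:
    """Every zlib version string found in a binary image (normally one)."""
    return [m.group(1).decode("ascii") for m in ZLIB_BANNER.finditer(blob)]


def assess_blob(blob: bytes) -> str:
    """Classify a module image as 'fixed', 'pre-fix' or 'no-zlib-banner'."""
    versions = zlib_versions_in_blob(blob)
    if not versions:
        # zlib is not linked into this file (it may come from the system or a
        # bundled shared library instead); inspect that library separately.
        return "no-zlib-banner"
    return "fixed" if all(is_fixed(v) for v in versions) else "pre-fix"


def assess_file(path: Path) -> str:
    """Run the banner check over a real file on disk."""
    return assess_blob(path.read_bytes())


def lxml_extension_modules() -> list[Path]:
    """Compiled lxml modules of the installed package (empty if lxml is absent)."""
    try:
        import lxml
    except ImportError:
        return []
    pkg_dir = Path(lxml.__file__).parent
    return sorted(p for p in pkg_dir.iterdir() if p.suffix in {".so", ".pyd"})


# Constructed sample images standing in for real extension modules.
SAMPLE_PRE_FIX = b"\x7fELF\x00 inflate 1.2.12 Copyright 1995-2022 Mark Adler \x00"
SAMPLE_FIXED = b"\x7fELF\x00 inflate 1.2.13 Copyright 1995-2022 Mark Adler \x00"


if __name__ == "__main__":
    modules = lxml_extension_modules()
    if not modules:
        print("lxml is not installed here; checking the constructed samples:")
        print("  pre-fix sample ->", assess_blob(SAMPLE_PRE_FIX))
        print("  fixed sample   ->", assess_blob(SAMPLE_FIXED))
    for module in modules:
        found = zlib_versions_in_blob(module.read_bytes()) or ["?"]
        print(f"{module.name}: zlib {', '.join(found)} -> {assess_file(module)}")
```

A result of `no-zlib-banner` for every module means the wheel was not built with zlib statically linked, so the version to check is whatever shared zlib the process loads at runtime, not anything inside the lxml package.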