Comment 3 for bug 2023529

Michal Mirkowski (mmirkows) wrote :

Thank you for the response.
Could you please let the winlibs vendor know about this zlib CVE issue - so that they can bump the zlib version, release a new winlibs, so a new lxml (free from this CVE) can be released?
By the way - the latest lxml 4.9.2 was released on 2022-12-13. Based on the winlibs tags: https://github.com/winlibs/zlib/tags winlibs updated zlib from 1.2.11 to 1.2.12 on Mar 31, 2022, so the latest version of lxml (for Windows) includes zlib 1.2.11.
This zlib has an additional CVE (which was removed in zlib 1.2.12): CVE-2018-25032 https://nvd.nist.gov/vuln/detail/CVE-2018-25032
Do you know if lxml is affected by any of these two vulnerabilities?