Comment 4 for bug 2023529

scoder (scoder) wrote:

According to https://nvd.nist.gov/vuln/detail/CVE-2022-37434, the vulnerability requires calling zlib's inflateGetHeader(). Neither libxml2 nor lxml does that.

https://nvd.nist.gov/vuln/detail/CVE-2018-25032 is data dependent, but according to https://github.com/madler/zlib/issues/605, it requires use of the recently added "Z_FIXED" option, which (again) neither libxml2 nor lxml does.

So, after reading up on some of the details, I don't think that either of the two CVEs is relevant for lxml, whether on Windows or other systems.

I'll close this ticket as "invalid" then.