Given the way XML is used in xmlrpc and SOAP systems, I don't think I would classify a security problem in libxml as a local exploit.
I know, that's why I said 'most', and not 'all' (some exploits may have more far reaching effects, for certain users). But again, if we do something like what I suggested (use the system library if it's good enough, use the bundled one if it isn't), we get the good of both worlds. Security-conscious people will have an uptodate library anyway. Those who aren't will get an out-of-the-box experience, that otherwise they wouldn't have gotten.
Zeev
-- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
