Zeev Suraski wrote:
Well, I do, I think it's actually much more important than forcing a fairly small subset of the users to update PHP when there's a new security-related version of libxml2 coming out (for most of the users, local exploits are of no interest, it's mostly interesting to hosting providers, so most libxml2 issues are not very relevant to the majority of PHP users).

Given the way XML is used in xmlrpc and SOAP systems, I don't think I would classify a security problem in libxml as a local exploit. Much more so than any other library, libxml2 is going to be reading remote XML data and acting on the contents, so chances are any security problem in it is going to lead to a remote exploit. For example, a recent one:


http://seclists.org/lists/fulldisclosure/2004/Nov/0084.html

With an exploit here:

http://www.k-otik.com/exploits/20041026.libxml2.c.php

-Rasmus

--
PHP Internals - PHP Runtime Development Mailing List