diff -Nru xmltooling-1.5.6/debian/changelog xmltooling-1.5.6/debian/changelog
--- xmltooling-1.5.6/debian/changelog	2018-03-29 23:21:59.000000000 +0200
+++ xmltooling-1.5.6/debian/changelog	2019-03-20 08:48:35.000000000 +0100
@@ -1,3 +1,23 @@
+xmltooling (1.5.6-2ubuntu0.3) xenial-security; urgency=medium
+
+  [ Ferenc Wágner ]
+  * SECURITY UPDATE: Upstream patch to fix CVE-2019-9628 (LP: #1819912)
+    - d/p/CVE-2019-9628-uncaught-exception-on-malformed-XML-declara.patch:
+      New patch fixing CVE-2019-9628: uncaught exception on malformed
+      XML declaration.
+      Invalid data in the XML declaration causes an exception of a type
+      that was not handled properly in the parser class and propagates an
+      unexpected exception type.
+      This generally manifests as a crash in the calling code, which in the
+      Service Provider software's case is usually the shibd daemon process,
+      but can be Apache in some cases. Note that the crash occurs prior to
+      evaluation of a message's authenticity, so can be exploited by an
+      untrusted attacker.
+      DSA-4407-1, DLA-1710-1
+      https://shibboleth.net/community/advisories/secadv_20190311.txt
+
+ -- Etienne Dysli Metref <etienne.dysli-metref@switch.ch>  Wed, 20 Mar 2019 08:48:35 +0100
+
 xmltooling (1.5.6-2ubuntu0.2) xenial-security; urgency=medium
 
   * SECURITY UPDATE: Upstream patch to fix CVE-2018-0489 (LP: #1752306)
diff -Nru xmltooling-1.5.6/debian/patches/CVE-2019-9628-uncaught-exception-on-malformed-XML-declara.patch xmltooling-1.5.6/debian/patches/CVE-2019-9628-uncaught-exception-on-malformed-XML-declara.patch
--- xmltooling-1.5.6/debian/patches/CVE-2019-9628-uncaught-exception-on-malformed-XML-declara.patch	1970-01-01 01:00:00.000000000 +0100
+++ xmltooling-1.5.6/debian/patches/CVE-2019-9628-uncaught-exception-on-malformed-XML-declara.patch	2019-03-20 08:48:35.000000000 +0100
@@ -0,0 +1,59 @@
+## Description: fix CVE-2019-9628, uncaught exception on malformed XML declaration
+## Origin/Author: af27c422f551e16989ff6f1722d83614c8550eb5
+## Bug: https://issues.shibboleth.net/jira/browse/CPPXT-143
+## Bug-Ubuntu: https://launchpad.net/bugs/1819912
+From: Scott Cantor <cantor.2@osu.edu>
+Date: Wed, 6 Mar 2019 21:14:13 -0500
+Subject: CVE-2019-9628 - uncaught exception on malformed XML declaration
+
+Invalid data in the XML declaration causes an exception of a type
+that was not handled properly in the parser class and propagates an
+unexpected exception type.
+
+This generally manifests as a crash in the calling code, which in the
+Service Provider software's case is usually the shibd daemon process,
+but can be Apache in some cases. Note that the crash occurs prior to
+evaluation of a message's authenticity, so can be exploited by an
+untrusted attacker.
+
+https://shibboleth.net/community/advisories/secadv_20190311.txt
+https://issues.shibboleth.net/jira/browse/CPPXT-143
+---
+ xmltooling/util/ParserPool.cpp | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/xmltooling/util/ParserPool.cpp b/xmltooling/util/ParserPool.cpp
+index 67e793d..98d6fcc 100644
+--- a/xmltooling/util/ParserPool.cpp
++++ b/xmltooling/util/ParserPool.cpp
+@@ -150,14 +150,28 @@ DOMDocument* ParserPool::parse(DOMLSInput& domsrc)
+         checkinBuilder(janitor.release());
+         return doc;
+     }
+-    catch (XMLException& ex) {
++    catch (const DOMException& ex) {
++        parser->getDomConfig()->setParameter(XMLUni::fgDOMErrorHandler, (void*)nullptr);
++        parser->getDomConfig()->setParameter(XMLUni::fgXercesUserAdoptsDOMDocument, true);
++        checkinBuilder(janitor.release());
++        auto_ptr_char temp(ex.getMessage());
++        throw XMLParserException(string("DOM error during parsing: ") + (temp.get() ? temp.get() : "no message"));
++    }
++    catch (const SAXException& ex) {
++        parser->getDomConfig()->setParameter(XMLUni::fgDOMErrorHandler, (void*)nullptr);
++        parser->getDomConfig()->setParameter(XMLUni::fgXercesUserAdoptsDOMDocument, true);
++        checkinBuilder(janitor.release());
++        auto_ptr_char temp(ex.getMessage());
++        throw XMLParserException(string("SAX error during parsing: ") + (temp.get() ? temp.get() : "no message"));
++    }
++    catch (const XMLException& ex) {
+         parser->getDomConfig()->setParameter(XMLUni::fgDOMErrorHandler, (void*)nullptr);
+         parser->getDomConfig()->setParameter(XMLUni::fgXercesUserAdoptsDOMDocument, true);
+         checkinBuilder(janitor.release());
+         auto_ptr_char temp(ex.getMessage());
+         throw XMLParserException(string("Xerces error during parsing: ") + (temp.get() ? temp.get() : "no message"));
+     }
+-    catch (XMLToolingException&) {
++    catch (const XMLToolingException&) {
+         parser->getDomConfig()->setParameter(XMLUni::fgDOMErrorHandler, (void*)nullptr);
+         parser->getDomConfig()->setParameter(XMLUni::fgXercesUserAdoptsDOMDocument, true);
+         checkinBuilder(janitor.release());
diff -Nru xmltooling-1.5.6/debian/patches/series xmltooling-1.5.6/debian/patches/series
--- xmltooling-1.5.6/debian/patches/series	2018-03-29 23:21:59.000000000 +0200
+++ xmltooling-1.5.6/debian/patches/series	2019-03-20 08:48:35.000000000 +0100
@@ -3,3 +3,4 @@
 CVE-2018-0486-Block-entity-reference-nodes-during-unmarshalling.patch
 Add-disallowDoctype-to-parser-configuration.patch
 CVE-2018-0489-Fix-additional-data-forgery-flaws.patch
+CVE-2019-9628-uncaught-exception-on-malformed-XML-declara.patch