diff -Nru xmltooling-1.6.4/debian/changelog xmltooling-1.6.4/debian/changelog
--- xmltooling-1.6.4/debian/changelog 2018-03-06 10:04:50.000000000 +0100
+++ xmltooling-1.6.4/debian/changelog 2019-03-14 11:56:34.000000000 +0100
@@ -1,3 +1,21 @@
+xmltooling (1.6.4-1ubuntu3) bionic-security; urgency=high
+
+ * SECURITY UPDATE: uncaught exception on malformed XML declaration
+ Invalid data in the XML declaration causes an exception of a type that
+ was not handled properly in the parser class and propagates an
+ unexpected exception type.
+ This generally manifests as a crash in the calling code, which in the
+ Service Provider software's case is usually the shibd daemon process,
+ but can be Apache in some cases. Note that the crash occurs prior to
+ evaluation of a message's authenticity, so can be exploited by an
+ untrusted attacker.
+ - debian/patches/security/CVE-2019-9628-uncaught-exception-on-malformed-XML-declara.patch
+ - CVE-2019-9628
+ - https://shibboleth.net/community/advisories/secadv_20190311.txt
+ - LP: #1819912
+
+ -- Etienne Dysli Metref Thu, 14 Mar 2019 11:56:34 +0100
+
 xmltooling (1.6.4-1ubuntu2) bionic; urgency=medium

 * Switch back to openssl1.0 via newly-added libcurl-openssl1.0-dev, since
diff -Nru xmltooling-1.6.4/debian/patches/security/CVE-2019-9628-uncaught-exception-on-malformed-XML-declara.patch xmltooling-1.6.4/debian/patches/security/CVE-2019-9628-uncaught-exception-on-malformed-XML-declara.patch
--- xmltooling-1.6.4/debian/patches/security/CVE-2019-9628-uncaught-exception-on-malformed-XML-declara.patch 1970-01-01 01:00:00.000000000 +0100
+++ xmltooling-1.6.4/debian/patches/security/CVE-2019-9628-uncaught-exception-on-malformed-XML-declara.patch 2019-03-14 11:56:34.000000000 +0100
@@ -0,0 +1,60 @@
+## Description: CVE-2019-9628 - uncaught exception on malformed XML declaration
+## Origin/Author: https://git.shibboleth.net/view/?p=cpp-xmltooling.git;a=commit;h=af27c422f551e16989ff6f1722d83614c8550eb5
+## Bug: https://shibboleth.net/community/advisories/secadv_20190311.txt
+## Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924346
+## Bug-Ubuntu: https://launchpad.net/bugs/1819912
+From: Scott Cantor
+Date: Wed, 6 Mar 2019 21:14:13 -0500
+Subject: CVE-2019-9628 - uncaught exception on malformed XML declaration
+
+Invalid data in the XML declaration causes an exception of a type
+that was not handled properly in the parser class and propagates an
+unexpected exception type.
+
+This generally manifests as a crash in the calling code, which in the
+Service Provider software's case is usually the shibd daemon process,
+but can be Apache in some cases. Note that the crash occurs prior to
+evaluation of a message's authenticity, so can be exploited by an
+untrusted attacker.
+
+https://shibboleth.net/community/advisories/secadv_20190311.txt
+https://issues.shibboleth.net/jira/browse/CPPXT-143
+---
+ xmltooling/util/ParserPool.cpp | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/xmltooling/util/ParserPool.cpp b/xmltooling/util/ParserPool.cpp
+index 67e793d..98d6fcc 100644
+--- a/xmltooling/util/ParserPool.cpp
++++ b/xmltooling/util/ParserPool.cpp
+@@ -150,14 +150,28 @@ DOMDocument* ParserPool::parse(DOMLSInput& domsrc)
+ checkinBuilder(janitor.release());
+ return doc;
+ }
+- catch (XMLException& ex) {
++ catch (const DOMException& ex) {
++ parser->getDomConfig()->setParameter(XMLUni::fgDOMErrorHandler, (void*)nullptr);
++ parser->getDomConfig()->setParameter(XMLUni::fgXercesUserAdoptsDOMDocument, true);
++ checkinBuilder(janitor.release());
++ auto_ptr_char temp(ex.getMessage());
++ throw XMLParserException(string("DOM error during parsing: ") + (temp.get() ? temp.get() : "no message"));
++ }
++ catch (const SAXException& ex) {
++ parser->getDomConfig()->setParameter(XMLUni::fgDOMErrorHandler, (void*)nullptr);
++ parser->getDomConfig()->setParameter(XMLUni::fgXercesUserAdoptsDOMDocument, true);
++ checkinBuilder(janitor.release());
++ auto_ptr_char temp(ex.getMessage());
++ throw XMLParserException(string("SAX error during parsing: ") + (temp.get() ? temp.get() : "no message"));
++ }
++ catch (const XMLException& ex) {
+ parser->getDomConfig()->setParameter(XMLUni::fgDOMErrorHandler, (void*)nullptr);
+ parser->getDomConfig()->setParameter(XMLUni::fgXercesUserAdoptsDOMDocument, true);
+ checkinBuilder(janitor.release());
+ auto_ptr_char temp(ex.getMessage());
+ throw XMLParserException(string("Xerces error during parsing: ") + (temp.get() ? temp.get() : "no message"));
+ }
+- catch (XMLToolingException&) {
++ catch (const XMLToolingException&) {
+ parser->getDomConfig()->setParameter(XMLUni::fgDOMErrorHandler, (void*)nullptr);
+ parser->getDomConfig()->setParameter(XMLUni::fgXercesUserAdoptsDOMDocument, true);
+ checkinBuilder(janitor.release());
diff -Nru xmltooling-1.6.4/debian/patches/series xmltooling-1.6.4/debian/patches/series
--- xmltooling-1.6.4/debian/patches/series 2018-02-28 10:29:02.000000000 +0100
+++ xmltooling-1.6.4/debian/patches/series 2019-03-14 11:48:23.000000000 +0100
@@ -20,3 +20,4 @@
 Enable-skipping-tests-which-require-network-access.patch
 Enable-the-dot-feature-of-Doxygen.patch
 Get-new-pthread-checks-from-the-Autoconf-Archive.patch
+security/CVE-2019-9628-uncaught-exception-on-malformed-XML-declara.patch
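Review bot: The handlers added to ParserPool::parse in the CVE-2019-9628 patch still enumerate exception types one by one, so any type thrown during parsing other than DOMException, SAXException, XMLException or XMLToolingException would reach callers unconverted, which is the same failure class this patch fixes, on a path the description says runs before message authenticity is evaluated. The function body continues outside the hunk; if no catch-all follows there, consider a final `catch (...)` that ends in `throw XMLParserException("Unexpected error during parsing");`. The same three cleanup lines (error-handler reset, `fgXercesUserAdoptsDOMDocument`, `checkinBuilder(janitor.release())`) are now repeated in four handlers, and a small file-local helper would keep them from drifting apart. As shown, the patch touches only ParserPool.cpp, so a regression test that parses a document with a malformed XML declaration and expects XMLParserException would pin the fix.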