diff -Nru xmltooling-1.5.6/debian/changelog xmltooling-1.5.6/debian/changelog --- xmltooling-1.5.6/debian/changelog 2018-01-17 18:49:45.000000000 -0500 +++ xmltooling-1.5.6/debian/changelog 2018-03-29 15:25:16.000000000 -0400 @@ -1,3 +1,17 @@ +xmltooling (1.5.6-2ubuntu0.2) xenial-security; urgency=medium + + * SECURITY UPDATE: Upstream patch to fix CVE-2018-0489 (LP: #1752306) + - d/p/Add-disallowDoctype-to-parser-configuration.patch: + Generic protection against data forgery. Irrelevant under + Xerces 3.1, but is a pre-req for the CVE-2018-0489 patch. + - d/p/CVE-2018-0489-Fix-additional-data-forgery-flaws.patch: + New patches fixing CVE-2018-0489: additional data forgery flaws. + These flaws allow for changes to an XML document that do not break a + digital signature but alter the user data passed through to applications + enabling impersonation attacks and exposure of protected information. + + -- Ray Link Thu, 29 Mar 2018 15:17:35 -0400 + xmltooling (1.5.6-2ubuntu0.1) xenial-security; urgency=medium * SECURITY UPDATE: Upstream patch to fix CVE-2018-0486 (LP: #1743762) diff -Nru xmltooling-1.5.6/debian/patches/Add-disallowDoctype-to-parser-configuration.patch xmltooling-1.5.6/debian/patches/Add-disallowDoctype-to-parser-configuration.patch --- xmltooling-1.5.6/debian/patches/Add-disallowDoctype-to-parser-configuration.patch 1969-12-31 19:00:00.000000000 -0500 +++ xmltooling-1.5.6/debian/patches/Add-disallowDoctype-to-parser-configuration.patch 2018-03-29 15:03:57.000000000 -0400 
@@ -0,0 +1,18 @@
+Description: Add disallowDoctype to parser configuration
+ Add disallowDoctype to parser configuration to resolve a conflict in
+ the CVE-2018-0489 patch. It does not provide additional protection
+ under Xerces 3.1 in Xenial, but does provide general protection under
+ Xerces 3.2.
+Author: Scott Cantor
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/xmltooling/util/ParserPool.cpp
++++ b/xmltooling/util/ParserPool.cpp
+@@ -417,6 +417,7 @@
+ parser->getDomConfig()->setParameter(XMLUni::fgXercesDisableDefaultEntityResolution, true);
+ parser->getDomConfig()->setParameter(XMLUni::fgDOMResourceResolver, dynamic_cast(this));
+ parser->getDomConfig()->setParameter(XMLUni::fgXercesSecurityManager, m_security.get());
++ parser->getDomConfig()->setParameter(XMLUni::fgDOMDisallowDoctype, true);
+ return parser;
+ }
diff -Nru xmltooling-1.5.6/debian/patches/CVE-2018-0489-Fix-additional-data-forgery-flaws.patch xmltooling-1.5.6/debian/patches/CVE-2018-0489-Fix-additional-data-forgery-flaws.patch
--- xmltooling-1.5.6/debian/patches/CVE-2018-0489-Fix-additional-data-forgery-flaws.patch 1969-12-31 19:00:00.000000000 -0500
+++ xmltooling-1.5.6/debian/patches/CVE-2018-0489-Fix-additional-data-forgery-flaws.patch 2018-03-29 15:09:05.000000000 -0400
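Review bot: `fgDOMDisallowDoctype` is set only on the parser configured through getDomConfig() at ParserPool.cpp:417; the second parser factory patched at ParserPool.cpp:464 in the companion CVE-2018-0489 patch (configured with setFeature/setProperty, so presumably a different parser class) receives no corresponding doctype restriction, leaving the two parse paths to diverge on DOCTYPE handling. If the Xerces release in use exposes an equivalent feature for that parser it should be set there as well; if not, the DEP-3 header should state why that path is exempt. The header also says the parameter is a no-op on Xerces 3.1, which is worth recording beside the new line so the 3.1/3.2 difference survives a later rebase, e.g. `// Reject any DOCTYPE outright; ignored by Xerces 3.1, enforced from 3.2.`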
@@ -0,0 +1,93 @@
+Description: CVE-2018-0489 - Fix additional data forgery flaws
+ These flaws allow for changes to an XML document that do not break a
+ digital signature but alter the user data passed through to applications
+ enabling impersonation attacks and exposure of protected information.
+ https://shibboleth.net/community/advisories/secadv_20180227.txt
+ https://issues.shibboleth.net/jira/browse/CPPXT-128
+Author: Scott Cantor
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/xmltooling/AbstractComplexElement.cpp
++++ b/xmltooling/AbstractComplexElement.cpp
+@@ -102,5 +102,19 @@
+ m_text.push_back(nullptr);
+ ++size;
+ }
+- m_text[position] = prepareForAssignment(m_text[position], value);
++
++ // Merge if necessary.
++ if (value && *value) {
++ if (!m_text[position] || !*m_text[position]) {
++ m_text[position] = prepareForAssignment(m_text[position], value);
++ }
++ else {
++ XMLSize_t initialLen = XMLString::stringLen(m_text[position]);
++ XMLCh* merged = new XMLCh[initialLen + XMLString::stringLen(value) + 1];
++ auto_arrayptr janitor(merged);
++ XMLString::copyString(merged, m_text[position]);
++ XMLString::catString(merged + initialLen, value);
++ m_text[position] = prepareForAssignment(m_text[position], merged);
++ }
++ }
+ }
+--- a/xmltooling/AbstractSimpleElement.cpp
++++ b/xmltooling/AbstractSimpleElement.cpp
+@@ -77,12 +77,18 @@
+ if (position > 0)
+ throw XMLObjectException("Cannot set text content in simple element at position > 0.");
+ 
+- // We overwrite the "one" piece of Text content if:
+- // - the new value is null
+- // - there is no existing value
+- // - the old value is all whitespace
+- // If there's a non-whitespace value set, we leave it alone unless we're clearing it with a null.
+-
+- if (!value || !m_value || XMLChar1_0::isAllSpaces(m_value, XMLString::stringLen(m_value)))
+- m_value=prepareForAssignment(m_value, value);
++ // Merge if necessary.
++ if (value && *value) {
++ if (!m_value || !*m_value) {
++ m_value = prepareForAssignment(m_value, value);
++ }
++ else {
++ XMLSize_t initialLen = XMLString::stringLen(m_value);
++ XMLCh* merged = new XMLCh[initialLen + XMLString::stringLen(value) + 1];
++ auto_arrayptr janitor(merged);
++ XMLString::copyString(merged, m_value);
++ XMLString::catString(merged + initialLen, value);
++ m_value = prepareForAssignment(m_value, merged);
++ }
++ }
+ }
+--- a/xmltooling/io/AbstractXMLObjectUnmarshaller.cpp
++++ b/xmltooling/io/AbstractXMLObjectUnmarshaller.cpp
+@@ -206,8 +206,9 @@
+ else if (childNode->getNodeType() == DOMNode::TEXT_NODE || childNode->getNodeType() == DOMNode::CDATA_SECTION_NODE) {
+ m_log.debug("processing text content at position (%d)", position);
+ setTextContent(childNode->getNodeValue(), position);
+- } else if (childNode->getNodeType() == DOMNode::ENTITY_REFERENCE_NODE || childNode->getNodeType() == DOMNode::ENTITY_NODE) {
+- throw UnmarshallingException("Unmarshaller found Entity/Reference node.");
++ }
++ else if (childNode->getNodeType() != DOMNode::ATTRIBUTE_NODE) {
++ throw UnmarshallingException("Unmarshaller found unsupported node type.");
+ }
+ 
+ childNode = childNode->getNextSibling();
+--- a/xmltooling/util/ParserPool.cpp
++++ b/xmltooling/util/ParserPool.cpp
+@@ -418,6 +418,7 @@
+ parser->getDomConfig()->setParameter(XMLUni::fgDOMResourceResolver, dynamic_cast(this));
+ parser->getDomConfig()->setParameter(XMLUni::fgXercesSecurityManager, m_security.get());
+ parser->getDomConfig()->setParameter(XMLUni::fgDOMDisallowDoctype, true);
++ parser->getDomConfig()->setParameter(XMLUni::fgDOMComments, false);
+ return parser;
+ }
+ 
+@@ -464,6 +465,7 @@
+ parser->setProperty(XMLUni::fgXercesSecurityManager, m_security.get());
+ parser->setFeature(XMLUni::fgXercesUserAdoptsDOMDocument, true);
+ parser->setFeature(XMLUni::fgXercesDisableDefaultEntityResolution, true);
++ parser->setFeature(XMLUni::fgDOMComments, false);
+ 
parser->setEntityResolver(this);
+ return parser;
+ }
diff -Nru xmltooling-1.5.6/debian/patches/series xmltooling-1.5.6/debian/patches/series
--- xmltooling-1.5.6/debian/patches/series 2018-01-17 18:34:02.000000000 -0500
+++ xmltooling-1.5.6/debian/patches/series 2018-03-29 15:04:39.000000000 -0400
@@ -1,3 +1,5 @@
 Disable-forcing-of-libtool-silent.patch
 Avoid-forward-incompatibility-warnings-from-Automake.patch
 CVE-2018-0486-Block-entity-reference-nodes-during-unmarshalling.patch
+Add-disallowDoctype-to-parser-configuration.patch
+CVE-2018-0489-Fix-additional-data-forgery-flaws.patch
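Review bot: The new `if (value && *value)` guard in the AbstractSimpleElement.cpp hunk means a null `value` no longer clears `m_value` — the removed comment and condition explicitly treated null as a clear — so a `setTextContent(nullptr, 0)` call silently becomes a no-op, and the AbstractComplexElement.cpp hunk drops the same null-clearing path from its previously unconditional assignment. If the header still documents null as clearing, keep that path ahead of the merge, `if (!value) { m_value = prepareForAssignment(m_value, value); return; }` (and the `m_text[position]` equivalent); if the new behaviour is intended, the `// Merge if necessary.` comment should state that null and empty values are ignored and that a whitespace-only existing value is now prefixed to the new text rather than replaced. The merge also re-copies the whole accumulated string for every additional adjacent text or CDATA node, so the per-element cost is quadratic in the number of such nodes on untrusted input; appending into a `std::basic_string<XMLCh>` would bound that, though the unmarshalling loop calls setTextContent once per node, so that restructuring reaches beyond this hunk. The signatures of all patched functions are outside the hunk.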