diff -Nru xmltooling-1.5.6/debian/changelog xmltooling-1.5.6/debian/changelog
--- xmltooling-1.5.6/debian/changelog 2016-01-17 02:46:29.000000000 -0500
+++ xmltooling-1.5.6/debian/changelog 2018-01-17 18:01:08.000000000 -0500
@@ -1,3 +1,9 @@
+xmltooling (1.5.6-2ubuntu1) xenial; urgency=medium
+
+  * Upstream patch to fix CVE-2018-0486 (LP: #1743762)
+
+ -- Ray Link Wed, 17 Jan 2018 17:48:31 -0500
+
 xmltooling (1.5.6-2) unstable; urgency=medium
 
   * [287f903] Wildcard version number in debian/rules
diff -Nru xmltooling-1.5.6/debian/patches/CVE-2018-0486-Block-entity-reference-nodes-during-unmarshalling.patch xmltooling-1.5.6/debian/patches/CVE-2018-0486-Block-entity-reference-nodes-during-unmarshalling.patch
--- xmltooling-1.5.6/debian/patches/CVE-2018-0486-Block-entity-reference-nodes-during-unmarshalling.patch 1969-12-31 19:00:00.000000000 -0500
+++ xmltooling-1.5.6/debian/patches/CVE-2018-0486-Block-entity-reference-nodes-during-unmarshalling.patch 2018-01-17 17:36:46.000000000 -0500
@@ -0,0 +1,27 @@
+Description: Block entity reference nodes during unmarshalling.
+ CVE-2018-0486: Through addition/manipulation of a DTD, it's possible to
+ make changes to an XML document that do not break a digital signature
+ but are mishandled by the SP and its libraries. These manipulations can
+ alter the user data passed through to applications behind the SP and
+ result in impersonation attacks and exposure of protected information.
+Author: Scott Cantor
+Origin: vendor
+Bug: https://issues.shibboleth.net/jira/browse/CPPXT-127
+Forwarded: not-needed
+Reviewed-by: Ray Link
+Last-Update: 2018-01-17
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: xmltooling-1.5.6/xmltooling/io/AbstractXMLObjectUnmarshaller.cpp
+===================================================================
+--- xmltooling-1.5.6.orig/xmltooling/io/AbstractXMLObjectUnmarshaller.cpp
++++ xmltooling-1.5.6/xmltooling/io/AbstractXMLObjectUnmarshaller.cpp
+@@ -206,6 +206,8 @@ void AbstractXMLObjectUnmarshaller::unma
+         else if (childNode->getNodeType() == DOMNode::TEXT_NODE || childNode->getNodeType() == DOMNode::CDATA_SECTION_NODE) {
+             m_log.debug("processing text content at position (%d)", position);
+             setTextContent(childNode->getNodeValue(), position);
++        } else if (childNode->getNodeType() == DOMNode::ENTITY_REFERENCE_NODE || childNode->getNodeType() == DOMNode::ENTITY_NODE) {
++            throw UnmarshallingException("Unmarshaller found Entity/Reference node.");
+         }
+ 
+         childNode = childNode->getNextSibling();
diff -Nru xmltooling-1.5.6/debian/patches/series xmltooling-1.5.6/debian/patches/series
--- xmltooling-1.5.6/debian/patches/series 2016-01-17 02:46:29.000000000 -0500
+++ xmltooling-1.5.6/debian/patches/series 2018-01-17 17:30:35.000000000 -0500
@@ -1,2 +1,3 @@
 Disable-forcing-of-libtool-silent.patch
 Avoid-forward-incompatibility-warnings-from-Automake.patch
+CVE-2018-0486-Block-entity-reference-nodes-during-unmarshalling.patch
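Review bot: The new `else if` branch rejects entity and entity-reference child nodes with a bare throw, whereas the adjacent text branch records its position at debug level; logging before the throw, e.g. `m_log.warn("rejecting entity/reference node at position (%d)", position);`, would make rejected documents visible in the SP logs for monitoring instead of surfacing only as a caught UnmarshallingException without context. The check also covers only the element's child list walked in this loop; it does not change how the underlying parser handles DTDs or entity expansion, so whether the parser configuration needs matching hardening in this backport is outside the hunk and worth confirming against the upstream fix referenced in the DEP-3 header. The enclosing `AbstractXMLObjectUnmarshaller::unma…` function starts before this hunk and continues after it. The changelog and series hunks are trivial and need no further comment.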