shibboleth-sp -- vulnerable to forged user attribute data

Shibboleth consortium reports:

    Shibboleth SP software vulnerable to additional data forgery flaws
  

    The XML processing performed by the Service Provider software has
    been found to be vulnerable to new flaws similar in nature to the
    one addressed in an advisory last month.
  

    These bugs involve the use of other XML constructs rather than
    entity references, and therefore required additional mitigation once
    discovered.  As with the previous issue, this flaw allows for
    changes to an XML document that do not break a digital signature but
    can alter the user data passed through to applications behind the SP
    and result in impersonation attacks and exposure of protected
    information.
  

    As before, the use of XML Encryption is a significant mitigation,
    but we have not dismissed the possibility that attacks on the
    Response "envelope" may be possible, in both the original and this
    new case. No actual attacks of this nature are known, so deployers
    should prioritize patching systems that expect to handle unencrypted
    SAML assertions.
  

    An updated version of XMLTooling-C (V1.6.4) is available that
    protects against these new attacks, and should help prevent similar
    vulnerabilities in the future.
  

    Unlike the previous case, these bugs are NOT prevented by any
    existing Xerces-C parser version on any platform and cannot be
    addressed by any means other than the updated XMLTooling-C library.
  

    The Service Provider software relies on a generic XML parser to
    process SAML responses and there are limitations in older versions
    of the parser that make it impossible to fully disable Document Type
    Definition (DTD) processing.
  

    Through addition/manipulation of a DTD, it's possible to make
    changes to an XML document that do not break a digital signature but
    are mishandled by the SP and its libraries. These manipulations can
    alter the user data passed through to applications behind the SP and
    result in impersonation attacks and exposure of protected
    information.
  

    While newer versions of the xerces-c3 parser are configured by the
    SP into disallowing the use of a DTD via an environment variable,
    this feature is not present in the xerces-c3 parser before version
    3.1.4, so an additional fix is being provided now that an actual DTD
    exploit has been identified. Xerces-c3-3.1.4 was committed to the
    ports tree already on 2016-07-26.