shibboleth-sp -- vulnerable to forged user attribute data

Shibboleth consortium reports:

    Shibboleth SP software vulnerable to forged user attribute data
  

    The Service Provider software relies on a generic XML parser to
    process SAML responses and there are limitations in older versions
    of the parser that make it impossible to fully disable Document Type
    Definition (DTD) processing.
  

    Through addition/manipulation of a DTD, it's possible to make
    changes to an XML document that do not break a digital signature but
    are mishandled by the SP and its libraries. These manipulations can
    alter the user data passed through to applications behind the SP and
    result in impersonation attacks and exposure of protected
    information.
  

    While newer versions of the xerces-c3 parser are configured by the
    SP into disallowing the use of a DTD via an environment variable,
    this feature is not present in the xerces-c3 parser before version
    3.1.4, so an additional fix is being provided now that an actual DTD
    exploit has been identified. Xerces-c3-3.1.4 was committed to the
    ports tree already on 2016-07-26.