[Suggested description]
The XMLTooling library provided with the OpenSAML and Shibboleth Service Provider software contains an XML parsing class. Invalid data in the XML declaration causes an exception of a type that the parser class did not handle properly, so an unexpected exception type propagates out of the parser.

------------------------------------------

[Additional Information]
This generally manifests as a crash in the calling code, which in the Service Provider software's case is usually the shibd daemon process, but can be Apache in some cases. Note that the crash occurs prior to evaluation of a message's authenticity, so it can be exploited by an untrusted attacker.

------------------------------------------

[VulnerabilityType Other]
Unexpected program termination

------------------------------------------

[Vendor of Product]
Shibboleth Consortium

------------------------------------------

[Affected Product Code Base]
XMLTooling Library, all versions < 3.0.4

------------------------------------------

[Affected Component]
xmltooling::ParserPool class, parse method

------------------------------------------

[Attack Type]
Remote or Local

------------------------------------------

[Impact Denial of Service]
true

------------------------------------------

[Has vendor confirmed or acknowledged the vulnerability?]
true

------------------------------------------

[Reference]
https://wiki.shibboleth.net/confluence/display/SP3/SecurityAdvisories