Debian Linux Security Advisory 5010-1 - Apache Santuario - XML Security for Java is vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.
287a5690f611c2d9a93b84ab409ee0c9fa54818656b8b0b546738a2972280154