A new security advisory for the Apache Santuario XML Security for Java library has been released:
"The Apache Santuario XML Security for Java project is vulnerable to a Denial
of Service (DoS) type attack leading to an OutOfMemoryError, which is caused
by allowing Document Type Definitions (DTDs) when applying Transforms. From
the 1.5.6 release onwards, DTDs will not be processed at all when the "secure
validation" mode is enabled."
This issue is fixed (when secure validation is enabled) in Apache Santuario XML Security for Java 1.5.6. This release is picked up by new releases of Apache WSS4J (1.6.13), and Apache CXF (2.7.8 and 2.6.11).