Work for addressing #2798

2 files changed, 8 insertions, 0 deletions

diff --git a/release-notes/VERSION-2.x b/release-notes/VERSION-2.x
index 187307ed8..f06b7c5dc 100644
--- a/release-notes/VERSION-2.x
+++ b/release-notes/VERSION-2.x
@@ -4,6 +4,11 @@ Project: jackson-databind
 === Releases === 
 ------------------------------------------------------------------------
 
+2.9.10.6 (not yet released)
+
+#2798: Block one more gadget type (xxx, xxx)
+ (reported by Al1ex@knownsec)
+
 2.9.10.5 (21-Jun-2020)
 
 #2688: Block one more gadget type (apache-drill, CVE-2020-14060)
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
index 7c3d4bcc3..d0753df93 100644
--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -197,6 +197,9 @@ public class SubTypeValidator
         // [databind#2764]: org.jsecurity:
         s.add("org.jsecurity.realm.jndi.JndiRealmFactory");
 
+        // [databind#2798]: com.pastdev.httpcomponents:
+        s.add("com.pastdev.httpcomponents.configuration.JndiConfiguration");
+        
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }