From d1c67a0396e84c08d0558fbb843b5bd1f26e1921 Mon Sep 17 00:00:00 2001
From: Tatu Saloranta
Date: Fri, 24 Apr 2020 20:12:06 -0700
Subject: [PATCH] Fix #2688

---
 release-notes/VERSION-2.x | 5 +++++
 .../jackson/databind/jsontype/impl/SubTypeValidator.java | 3 +++
 2 files changed, 8 insertions(+)

diff --git a/release-notes/VERSION-2.x b/release-notes/VERSION-2.x
index dd4f556caf..f67053b604 100644
--- a/release-notes/VERSION-2.x
+++ b/release-notes/VERSION-2.x
@@ -4,6 +4,11 @@ Project: jackson-databind
 === Releases ===
 ------------------------------------------------------------------------
 
+2.9.10.5 (not yet released)
+
+#2688: Block one more gadget type (apache-drill)
+ (reported by Topsec(tcc))
+
 2.9.10.4 (11-Apr-2020)
 
 #2631: Block one more gadget type (shaded-hikari-config, CVE-2020-9546)
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
index b123bee8bc..a7853c026b 100644
--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -180,6 +180,9 @@ public class SubTypeValidator
 // [databind#2682]: commons-jelly
 s.add("org.apache.commons.jelly.impl.Embedded");
 
+ // [databind#2688]: apache/drill
+ s.add("oadd.org.apache.xalan.lib.sql.JNDIConnectionPool");
+
 DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
 }
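Review bot: The comment above the new `s.add("oadd.org.apache.xalan.lib.sql.JNDIConnectionPool")` entry names only the project, so a later reader cannot tell that this is a relocated (shaded) copy of xalan's `JNDIConnectionPool` rather than a new class; I would write `// [databind#2688]: apache/drill ships xalan's JNDIConnectionPool relocated under "oadd."`. Since `s` is a plain set of class names, the entry presumably matches by exact string only, so the same class under any other relocation prefix is not covered by it, and it is worth confirming that the unshaded name is already listed in the part of this initializer that lies outside the hunk. The diffstat shows no test file; a small case asserting that this type id is rejected during polymorphic deserialization would guard against the entry being lost in a later merge.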