From 998efd708284778f29d83d7962a9bd935c228317 Mon Sep 17 00:00:00 2001
From: Tatu Saloranta <tatu.saloranta@iki.fi>
Date: Thu, 19 Sep 2019 23:25:50 -0700
Subject: [PATCH] Fix #2469

---
 release-notes/VERSION                                          | 1 +
 .../jackson/databind/jsontype/impl/SubTypeValidator.java       | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/release-notes/VERSION b/release-notes/VERSION
index 13595cd754..1d4202b840 100644
--- a/release-notes/VERSION
+++ b/release-notes/VERSION
@@ -13,6 +13,7 @@ Unreleased but backported
   (reported by kingkk)
 #2460: Block one more gadget type (ehcache, no CVE allocated yet)
 #2462: Block two more gadget types (commons-configuration)
+#2469: Block one more gadget type (xalan2)
 
 2.8.11.4 (25-Jul-2019)
 
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
index 8117f11adb..4fad2d0122 100644
--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -111,6 +111,9 @@ public class SubTypeValidator
         s.add("org.apache.commons.configuration.JNDIConfiguration");
         s.add("org.apache.commons.configuration2.JNDIConfiguration");
 
+        // [databind#2469]: xalan2
+        s.add("org.apache.xalan.lib.sql.JNDIConnectionPool");
+
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }