diff --git a/release-notes/VERSION b/release-notes/VERSION
index f5672b318f..67c5b565a9 100644
--- a/release-notes/VERSION
+++ b/release-notes/VERSION
@@ -3,6 +3,13 @@ Project: jackson-databind
 === Releases ===
 ------------------------------------------------------------------------
 
+Unreleased but backported
+
+#2410: Block one more gadget type (CVE-2019-14540)
+ (reported by iSafeBlue@github / blue@ixsec.org)
+#2420: Block one more gadget type (no CVE allocated yet)
+ (reported by crazylirui@gmail.com)
+
 2.8.11.4 (25-Jul-2019)
 
 #2334: Block one more gadget type (CVE-2019-12384)
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
index 93182b5f4e..0abadfdf33 100644
--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -98,6 +98,12 @@ public class SubTypeValidator
 // [databind#2389]: logback/jndi
 s.add("ch.qos.logback.core.db.JNDIConnectionSource");
 
+ // [databind#2410]: HikariCP/metricRegistry config
+ s.add("com.zaxxer.hikari.HikariConfig");
+
+ // [databind#2420]: CXF/JAX-RS provider/XSLT
+ s.add("org.apache.cxf.jaxrs.provider.XSLTJaxbProvider");
+
 DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
 }
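Review bot: The new `com.zaxxer.hikari.HikariConfig` entry blocks one exact class name, and whether its subclasses are also rejected depends on lookup code that is outside this hunk. If the validator does an exact-name match against this set, `com.zaxxer.hikari.HikariDataSource`, which extends `HikariConfig` and inherits its setters, would presumably still pass. Consider adding `s.add("com.zaxxer.hikari.HikariDataSource");` in the same change, or confirm that the check walks the superclass chain. The comment could also carry the identifier given in the release notes, e.g. `// [databind#2410]: HikariCP/metricRegistry config (CVE-2019-14540)`, so the entry can be traced from the source alone. The static initializer these lines belong to starts above the hunk.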