diff --git a/release-notes/VERSION b/release-notes/VERSION
index 8718b82e5..bcb8ecb93 100644
--- a/release-notes/VERSION
+++ b/release-notes/VERSION
@@ -55,6 +55,7 @@ One more patch release for 1.9.
 * [databind#2653]: Block one more gadget type (shiro-core, 2nd class)
 * [databind#2658]: Block one more gadget type (ignite-jta, CVE-2020-10650)
 * [databind#2659]: Block one more gadget type (aries.transaction.jms, CVE-2020-10672)
+* [databind#2660]: Block one more gadget type (caucho-quercus, CVE-2020-10673)
 1.9.13 (14-Jul-2013)
diff --git a/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java b/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java
index a3ca7595d..9b216a0b6 100644
--- a/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java
+++ b/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java
@@ -129,7 +129,11 @@ public class SubTypeValidator
 // [databind#2659]: aries.transaction.jms
 s.add("org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory");
+ s.add("org.apache.aries.transaction.jms.RecoverablePooledConnectionFactory");
+ // [databind#2660]: caucho-quercus
+ s.add("com.caucho.config.types.ResourceRef");
+ DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
 }
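Review bot: The two new denylist entries in the SubTypeValidator hunk are bare string literals that nothing on this page verifies, so a typo in either fully-qualified name would leave that type deserializable without any failure. As far as the diff shows, the commit touches only VERSION and SubTypeValidator.java; a regression test asserting that each newly listed class name is rejected by the validator would pin them. The source comment could also carry the CVE id that the release notes give, `// [databind#2660]: caucho-quercus (CVE-2020-10673)`, so a search for the CVE lands on the entry. How the set is consulted is outside the hunk, so whether subclasses of `com.caucho.config.types.ResourceRef` are also refused, or only the exact name, should be confirmed against the validation method. The enclosing initializer block starts before the hunk.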