diff -Nru jackson-databind-2.9.8/debian/changelog jackson-databind-2.9.8/debian/changelog
--- jackson-databind-2.9.8/debian/changelog 2020-07-09 20:51:32.000000000 +0530
+++ jackson-databind-2.9.8/debian/changelog 2021-04-24 19:56:57.000000000 +0530
@@ -1,3 +1,32 @@
+jackson-databind (2.9.8-3+deb10u3) buster; urgency=medium
+
+ * Non-maintainer upload by the LTS team.
+ * Add patch to fix:
+ - CVE-2020-24616: Block one more gadget type (Anteros-DBCP)
+ - CVE-2020-24750: Block one more gadget type
+ (com.pastdev.httpcomponents)
+ - CVE-2020-25649: setExpandEntityReferences(false) may not
+ prevent external entity expansion in all
+ cases
+ - CVE-2020-35490 and CVE-2020-35491: Block 2 more gadget
+ types (commons-dbcp2)
+ - CVE-2020-35728: Block one more gadget type
+ (org.glassfish.web/javax.servlet.jsp.jstl)
+ - CVE-2020-36179, CVE-2020-36180, CVE-2020-36181, and
+ CVE-2020-36182: Block some more DBCP-related potential
+ gadget classes
+ - CVE-2020-36183: Block one more gadget type
+ (org.docx4j.org.apache:xalan-interpretive)
+ - CVE-2020-36184 and CVE-2020-36185: Block 2 more gadget
+ types (org.apache.tomcat/tomcat-dbcp)
+ - CVE-2020-36186 and CVE-2020-36187: Block 2 more gadget
+ types (tomcat/naming-factory-dbcp)
+ - CVE-2020-36188 and CVE-2020-36189: Block 2 more gadget
+ types (newrelic-agent)
+ - CVE-2021-20190: Block one more gadget type (javax.swing)
+
+ -- Utkarsh Gupta Sat, 24 Apr 2021 19:56:57 +0530
+
 jackson-databind (2.9.8-3+deb10u2) buster; urgency=medium
 * Add multiple-CVE-BeanDeserializerFactory.patch and block more classes from
diff -Nru jackson-databind-2.9.8/debian/patches/CVE-2020-24{616,750}.patch jackson-databind-2.9.8/debian/patches/CVE-2020-24{616,750}.patch
--- jackson-databind-2.9.8/debian/patches/CVE-2020-24{616,750}.patch 1970-01-01 05:30:00.000000000 +0530
+++ jackson-databind-2.9.8/debian/patches/CVE-2020-24{616,750}.patch 2021-04-24 19:19:54.000000000 +0530
@@ -0,0 +1,37 @@
+From 3d97153944f7de9c19c1b3637b33d3cf1fbbe4d7 Mon Sep 17 00:00:00 2001
+From: Tatu Saloranta
+Date: Mon, 10 Aug 2020 19:39:03 -0700
+Subject: [PATCH] Add a block for #2814
+
+From 6cc9f1a1af323cd156f5668a47e43bab324ae16f Mon Sep 17 00:00:00 2001
+From: Tatu Saloranta
+Date: Mon, 20 Jul 2020 17:40:57 -0700
+Subject: [PATCH] Work for addressing #2798
+
+Co-Author: Utkarsh Gupta
+
+--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -137,9 +137,11 @@
+ // [databind#2631]: shaded hikari-config
+ s.add("org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig");
+
+- // [databind#2634]: ibatis-sqlmap, anteros-core
++ // [databind#2634]: ibatis-sqlmap, anteros-core/-dbcp
+ s.add("com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig");
+ s.add("br.com.anteros.dbcp.AnterosDBCPConfig");
++ // [databind#2814]: anteros-dbcp
++ s.add("br.com.anteros.dbcp.AnterosDBCPDataSource");
+
+ // [databind#2642]: javax.swing (jdk)
+ s.add("javax.swing.JEditorPane");
+@@ -196,6 +198,9 @@
+ // [databind#2764]: org.jsecurity:
+ s.add("org.jsecurity.realm.jndi.JndiRealmFactory");
+
++ // [databind#2798]: com.pastdev.httpcomponents:
++ s.add("com.pastdev.httpcomponents.configuration.JndiConfiguration");
++
+ DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+ }
+
diff -Nru jackson-databind-2.9.8/debian/patches/CVE-2020-25649 jackson-databind-2.9.8/debian/patches/CVE-2020-25649
--- jackson-databind-2.9.8/debian/patches/CVE-2020-25649 1970-01-01 05:30:00.000000000 +0530
+++ jackson-databind-2.9.8/debian/patches/CVE-2020-25649 2021-04-24 19:31:46.000000000 +0530
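Review bot: The patch header is two upstream commit headers pasted back to back with no DEP-3 `Origin:`/`Bug:` fields, so a reader of the file alone cannot tell which CVE each of the two hunks addresses without going back to the changelog. I'd replace the fused `From`/`Subject` lines with `Description: CVE-2020-24616 (databind#2814), CVE-2020-24750 (databind#2798)` plus one `Origin: backport, https://github.com/FasterXML/jackson-databind/commit/<sha>` line per upstream commit, reusing the two SHAs already in the header. The two `s.add` additions and the hunk counts look consistent with the issues named in the subject lines, so I have no functional concern here; the static initializer these hunks edit starts outside the visible hunks.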
@@ -0,0 +1,24 @@
+From 612f971b78c60202e9cd75a299050c8f2d724a59 Mon Sep 17 00:00:00 2001
+From: Tatu Saloranta
+Date: Thu, 9 Jan 2020 19:22:07 -0800
+Subject: [PATCH] Fix #2589
+
+Co-Author: Utkarsh
+
+--- a/src/main/java/com/fasterxml/jackson/databind/ext/DOMDeserializer.java
++++ b/src/main/java/com/fasterxml/jackson/databind/ext/DOMDeserializer.java
+@@ -39,6 +39,14 @@
+ // 14-Jul-2016, tatu: Not sure how or why, but during code coverage runs
+ // (via Cobertura) we get `java.lang.AbstractMethodError` so... ignore that too
+ }
++
++ // [databind#2589] add two more settings just in case
++ try {
++ parserFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
++ } catch (Throwable t) { } // as per previous one, nothing much to do
++ try {
++ parserFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
++ } catch (Throwable t) { } // as per previous one, nothing much to do
+ DEFAULT_PARSER_FACTORY = parserFactory;
+ }
+
diff -Nru jackson-databind-2.9.8/debian/patches/CVE-2020-35{490,491,728}.patch jackson-databind-2.9.8/debian/patches/CVE-2020-35{490,491,728}.patch
--- jackson-databind-2.9.8/debian/patches/CVE-2020-35{490,491,728}.patch 1970-01-01 05:30:00.000000000 +0530
+++ jackson-databind-2.9.8/debian/patches/CVE-2020-35{490,491,728}.patch 2021-04-24 19:39:47.000000000 +0530
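Review bot: Both new `setFeature` calls sit in `catch (Throwable t) { }`, so a parser that does not recognise either apache.org feature URI silently keeps whatever weaker configuration was already applied above the hunk — the hardening is fail-open and nothing records that it was skipped. Since this class has no logger, I'd at least say so in the comment, e.g. `// NOTE: fail-open — if the factory rejects this feature, only the pre-#2589 settings apply`, and, if it is not already set earlier in this initializer, add `parserFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);`, which every JAXP implementation is required to accept. `disallow-doctype-decl=true` also makes every document that carries a DOCTYPE fail to parse, a behaviour change in a stable update that the changelog entry does not mention. The static initializer this hunk edits starts outside the hunk.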
@@ -0,0 +1,29 @@
+From 41b8bdb5ccc1d8edb71acf1c8234da235a24249d Mon Sep 17 00:00:00 2001
+From: Tatu Saloranta
+Date: Tue, 15 Dec 2020 17:27:03 -0800
+Subject: [PATCH] Fixed #2986
+
+From 1ca0388c2fb37ac6a06f1c188ae89c41e3e15e84 Mon Sep 17 00:00:00 2001
+From: Tatu Saloranta
+Date: Sat, 26 Dec 2020 14:20:53 -0800
+Subject: [PATCH] Fixed #2999
+
+Co-Author: Utkarsh Gupta
+
+--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -201,6 +201,14 @@
+ // [databind#2798]: com.pastdev.httpcomponents:
+ s.add("com.pastdev.httpcomponents.configuration.JndiConfiguration");
+
++ // [databind#2986]: dbcp2
++ s.add("org.apache.commons.dbcp2.datasources.PerUserPoolDataSource");
++ s.add("org.apache.commons.dbcp2.datasources.SharedPoolDataSource");
++
++ // [databind#2999]: org.glassfish.web/javax.servlet.jsp.jstl (embedded Xalan)
++ // (derivative of #2469)
++ s.add("com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool");
++
+ DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+ }
+
diff -Nru jackson-databind-2.9.8/debian/patches/CVE-2020-361{79-90}.patch jackson-databind-2.9.8/debian/patches/CVE-2020-361{79-90}.patch
--- jackson-databind-2.9.8/debian/patches/CVE-2020-361{79-90}.patch 1970-01-01 05:30:00.000000000 +0530
+++ jackson-databind-2.9.8/debian/patches/CVE-2020-361{79-90}.patch 2021-04-24 19:52:03.000000000 +0530
@@ -0,0 +1,82 @@
+Description: Multiple fixes (CVE-2020-36179 to CVE-2020-36190)
+ cherry-picked together from upstream.
+From: Tatu Saloranta
+Co-Author: Utkarsh Gupta
+
+--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -118,9 +118,12 @@
+ // [databind#2704]: xalan2
+ s.add("com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool");
+
+- // [databind#2478]: comons-dbcp, p6spy
++ // [databind#2478]: commons-dbcp 1.x, p6spy
++ // [databind#3004]: commons-dbcp 1.x
++ s.add("org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS");
+ s.add("org.apache.commons.dbcp.datasources.PerUserPoolDataSource");
+ s.add("org.apache.commons.dbcp.datasources.SharedPoolDataSource");
++
+ s.add("com.p6spy.engine.spy.P6DataSource");
+
+ // [databind#2498]: log4j-extras (1.2)
+@@ -143,8 +146,9 @@
+ // [databind#2814]: anteros-dbcp
+ s.add("br.com.anteros.dbcp.AnterosDBCPDataSource");
+
+- // [databind#2642]: javax.swing (jdk)
++ // [databind#2642][databind#2854]: javax.swing (jdk)
+ s.add("javax.swing.JEditorPane");
++ s.add("javax.swing.JTextPane");
+
+ // [databind#2648], [databind#2653]: shire-core
+ s.add("org.apache.shiro.realm.jndi.JndiRealmFactory");
+@@ -183,8 +187,11 @@
+ // [databind#2682]: commons-jelly
+ s.add("org.apache.commons.jelly.impl.Embedded");
+
+- // [databind#2688]: apache/drill
++ // [databind#2688], [databind#3004]: apache/drill
+ s.add("oadd.org.apache.xalan.lib.sql.JNDIConnectionPool");
++ s.add("oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS");
++ s.add("oadd.org.apache.commons.dbcp.datasources.PerUserPoolDataSource");
++ s.add("oadd.org.apache.commons.dbcp.datasources.SharedPoolDataSource");
+
+ // [databind#2698]: weblogic w/ oracle/aq-jms
+ // (note: dependency not available via Maven Central, but as part of
+@@ -201,14 +208,35 @@
+ // [databind#2798]: com.pastdev.httpcomponents:
+
s.add("com.pastdev.httpcomponents.configuration.JndiConfiguration");
+
+- // [databind#2986]: dbcp2
++ // [databind#2986], [databind#3004]: dbcp2
++ s.add("org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS");
+ s.add("org.apache.commons.dbcp2.datasources.PerUserPoolDataSource");
+ s.add("org.apache.commons.dbcp2.datasources.SharedPoolDataSource");
+
++ // [databind#2996]: newrelic-agent + embedded-logback-core
++ // (derivative of #2334 and #2389)
++ s.add("com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource");
++ s.add("com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource");
++
++ // [databind#2997]/[databind#3004]: tomcat/naming-factory-dbcp (embedded dbcp 1.x)
++ // (derivative of #2478)
++ s.add("org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS");
++ s.add("org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource");
++ s.add("org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource");
++
++ // [databind#2998]/[databind#3004]: org.apache.tomcat/tomcat-dbcp (embedded dbcp 2.x)
++ // (derivative of #2478)
++ s.add("org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS");
++ s.add("org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource");
++ s.add("org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource");
++
+ // [databind#2999]: org.glassfish.web/javax.servlet.jsp.jstl (embedded Xalan)
+ // (derivative of #2469)
+ s.add("com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool");
+
++ // [databind#3003]: another case of embedded Xalan (derivative of #2469)
++ s.add("org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool");
++
+ DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+ }
+
diff -Nru jackson-databind-2.9.8/debian/patches/series jackson-databind-2.9.8/debian/patches/series
--- jackson-databind-2.9.8/debian/patches/series 2020-07-09 20:51:32.000000000 +0530
+++ jackson-databind-2.9.8/debian/patches/series 2021-04-24 19:51:36.000000000 +0530
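Review bot: Under the `// [databind#2986], [databind#3004]: dbcp2` comment the class added is `org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS`, which is the naming-factory-dbcp name that the `[databind#2997]` section a few lines below adds again, so the commons-dbcp2 adapter itself never enters the blocklist. The two sibling entries in that section use the `org.apache.commons.dbcp2.` package, so the intended line is almost certainly `s.add("org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS");`; as written, the changelog's claim that CVE-2020-36179 through CVE-2020-36182 are all fixed looks one gadget short, though the exact CVE-to-class mapping cannot be confirmed from this diff alone. Separately, the DEP-3 `Description:` says CVE-2020-36179 to CVE-2020-36190, while the changelog lists only through CVE-2020-36189 and attributes the `javax.swing.JTextPane` entry this same patch adds to CVE-2021-20190; the header should name exactly the CVEs the patch covers. The static initializer these hunks edit starts outside the visible hunks.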
@@ -3,3 +3,7 @@
 CVE-2019-12814.patch
 polymorphic-typing-issues.patch
 multiple-CVE-SubTypeValidator.patch
+CVE-2020-24{616,750}.patch
+CVE-2020-25649
+CVE-2020-35{490,491,728}.patch
+CVE-2020-361{79-90}.patch
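Review bot: Three of the four new entries put shell brace syntax in the file name (`CVE-2020-24{616,750}.patch`, `CVE-2020-35{490,491,728}.patch`, `CVE-2020-361{79-90}.patch`); the first two expand when typed unquoted at a bash prompt, so `quilt push CVE-2020-24{616,750}.patch` becomes two nonexistent names, and `CVE-2020-25649` alone lacks the `.patch` suffix every other entry in the series uses. Plain names such as `CVE-2020-24616_CVE-2020-24750.patch` and `CVE-2020-25649.patch` avoid both problems. The last name also advertises CVE-2020-36190, which the changelog entry in this same upload does not list, so the name should be brought in line with the CVEs the patch actually covers.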