--- src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java.orig 2017-11-01 09:57:37.083991374 +0000
+++ src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java 2017-11-01 10:00:58.032279501 +0000
@@ -48,16 +48,29 @@
     static {
         Set s = new HashSet();
         // Courtesy of [https://github.com/kantega/notsoserial]:
-        // (and wrt [databind#1599]
+        // (and wrt [databind#1599])
         s.add("org.apache.commons.collections.functors.InvokerTransformer");
         s.add("org.apache.commons.collections.functors.InstantiateTransformer");
         s.add("org.apache.commons.collections4.functors.InvokerTransformer");
         s.add("org.apache.commons.collections4.functors.InstantiateTransformer");
+        // 05-Aug-2017, tatu: as per [https://github.com/mbechler/marshalsec/blob/master/marshalsec.pdf]
+        // this is NOT likely to be exploitable via Jackson. But keep excluded just in case.
         s.add("org.codehaus.groovy.runtime.ConvertedClosure");
         s.add("org.codehaus.groovy.runtime.MethodClosure");
         s.add("org.springframework.beans.factory.ObjectFactory");
         s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");
         s.add("org.apache.xalan.xsltc.trax.TemplatesImpl");
+        // [databind#1680]: may or may not be problem, take no chance
+        s.add("com.sun.rowset.JdbcRowSetImpl");
+        // [databind#1737]; JDK provided
+        s.add("java.util.logging.FileHandler");
+        s.add("java.rmi.server.UnicastRemoteObject");
+        // [databind#1737]; 3rd party
+        s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor");
+        s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
+        s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
+        s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
+
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }
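Review bot: The new two-line comment inserted above `ConvertedClosure` says "this is NOT likely to be exploitable via Jackson" without saying which entries "this" refers to, so a later reader may take it to cover the whole following run, including `ObjectFactory` and the two `TemplatesImpl` entries, which is presumably not intended. Suggest naming the scope explicitly, e.g. `// 05-Aug-2017, tatu: per marshalsec.pdf, the two Groovy closure types below are NOT likely to be exploitable via Jackson; kept excluded just in case.` Separately, the newly added names are matched the same way as the existing ones (by exact class name, assuming the lookup outside this hunk is a plain `Set.contains`), so the list stays a best-effort deny list that does not cover subclasses or wrappers; that limitation is worth stating in the Javadoc of `DEFAULT_NO_DESER_CLASS_NAMES`, which lies outside the hunk. The static initializer itself is fully contained in the hunk.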