diff --git a/CVE-2017-17485.patch b/CVE-2017-17485.patch
new file mode 100644
index 0000000..fe7435a
--- /dev/null
+++ b/CVE-2017-17485.patch
@@ -0,0 +1,12 @@
+--- src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java.orig 2018-01-11 13:52:07.289025352 +0000
++++ src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java 2018-01-11 13:52:33.253913719 +0000
+@@ -70,6 +70,9 @@
+ s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
+ s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
+ s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
++ // [databind#1855]: more 3rd party
++ s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource");
++ s.add("com.sun.org.apache.bcel.internal.util.ClassLoader");
+
+ DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+ }
diff --git a/jackson-databind.spec b/jackson-databind.spec
index 06096a4..2b7f3cc 100644
--- a/jackson-databind.spec
+++ b/jackson-databind.spec
@@ -1,13 +1,15 @@
 Name: jackson-databind
 Version: 2.7.6
-Release: 5%{?dist}
+Release: 6%{?dist}
 Summary: General data-binding package for Jackson (2.x)
 License: ASL 2.0 and LGPLv2+
 URL: http://wiki.fasterxml.com/JacksonHome
 Source0: https://github.com/FasterXML/jackson-databind/archive/%{name}-%{version}.tar.gz
+# These patches can go when we update to jackson >= 2.8.11 OR jackson >= 2.7.9.2
 Patch0: CVE-2017-7525.patch
 Patch1: CVE-2017-15095.patch
+Patch2: CVE-2017-17485.patch
 BuildRequires: maven-local
 BuildRequires: mvn(com.fasterxml.jackson:jackson-parent:pom:)
@@ -34,6 +36,7 @@ This package contains javadoc for %{name}.
 %setup -q -n %{name}-%{name}-%{version}
 %patch0 -p1
 %patch1
+%patch2
 cp -p src/main/resources/META-INF/LICENSE .
 cp -p src/main/resources/META-INF/NOTICE .
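Review bot: The new patch file carries no provenance header, so nothing in the repository ties the two `s.add(...)` entries to the upstream change they were lifted from beyond the in-code `[databind#1855]` tag; since `patch` ignores text before the first `---` line, add a header such as `Backport of the upstream fix for CVE-2017-17485 (databind#1855), present in jackson-databind 2.8.11 and 2.7.9.2` at the top of CVE-2017-17485.patch. The entries themselves are plain string additions to a set that the visible tail builds into `DEFAULT_NO_DESER_CLASS_NAMES`, i.e. an exact-name deny list: it blocks only the fully qualified class names listed and offers nothing against gadget classes not yet on the list, so it is worth stating in the spec or patch header that enabling default typing on untrusted input remains unsafe even with all three CVE patches applied. The static initializer these lines belong to starts before the inner hunk, so its other entries cannot be reviewed here.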
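Review bot: `%patch2` is applied with the default strip level while `%patch0 -p1` needs one component stripped, because the new patch's file header uses bare `src/main/java/...` paths instead of the `a/`/`b/` prefixes a `git diff` would produce; this works, but three patches applied with two different strip levels is easy to get wrong when the next backport is added. Consider regenerating CVE-2017-17485.patch with `a/` and `b/` prefixes and applying it as `%patch2 -p1`, so every patch in the spec is applied the same way. The `%prep` section continues beyond the hunk.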
@@ -72,6 +75,9 @@ rm src/test/java/com/fasterxml/jackson/databind/ser/TestJdkTypes.java \
 %license LICENSE NOTICE
 %changelog
+* Thu Jan 11 2018 Mat Booth - 2.7.6-6
+- Backport a patch to fix CVE-2017-17485
+
 * Fri Nov 03 2017 Mat Booth - 2.7.6-5
 - Backport a patch to fix CVE-2017-15095