diff -Nru kde4libs-4.8.5/debian/changelog kde4libs-4.8.5/debian/changelog
--- kde4libs-4.8.5/debian/changelog	2016-07-25 19:06:18.000000000 +0000
+++ kde4libs-4.8.5/debian/changelog	2017-03-08 15:28:36.000000000 +0000
@@ -1,3 +1,12 @@
+kde4libs (4:4.8.5-0ubuntu0.6) precise-security; urgency=medium
+
+  * SECURITY UPDATE: information leak via crafted PAC file (LP: #1668871)
+    - debian/patches/CVE-2017-6410.patch: sanitize URLs in
+      kio/misc/kpac/script.cpp.
+    - CVE-2017-6410
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 08 Mar 2017 10:28:36 -0500
+
 kde4libs (4:4.8.5-0ubuntu0.5) precise-security; urgency=medium
 
   * SECURITY UPDATE: file extraction out of the expected directory
diff -Nru kde4libs-4.8.5/debian/patches/CVE-2017-6410.patch kde4libs-4.8.5/debian/patches/CVE-2017-6410.patch
--- kde4libs-4.8.5/debian/patches/CVE-2017-6410.patch	1970-01-01 00:00:00.000000000 +0000
+++ kde4libs-4.8.5/debian/patches/CVE-2017-6410.patch	2017-03-08 15:28:32.000000000 +0000
@@ -0,0 +1,39 @@
+From 1804c2fde7bf4e432c6cf5bb8cce5701c7010559 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Tue, 28 Feb 2017 19:08:50 +0100
+Subject: Sanitize URLs before passing them to FindProxyForURL
+
+Remove user/password information
+For https: remove path and query
+
+Backport from kio f9d0cb47cf94e209f6171ac0e8d774e68156a6e4
+---
+ kio/misc/kpac/script.cpp | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/kio/misc/kpac/script.cpp b/kio/misc/kpac/script.cpp
+index a595301..9ab360a 100644
+--- a/kio/misc/kpac/script.cpp
++++ b/kio/misc/kpac/script.cpp
+@@ -754,9 +754,16 @@ namespace KPAC
+             }
+         }
+ 
++        KUrl cleanUrl = url;
++        cleanUrl.setUserInfo(QString());
++        if (cleanUrl.scheme().toLower() == QLatin1String("https")) {
++            cleanUrl.setPath(QString());
++            cleanUrl.setQuery(QString());
++        }
++
+         QScriptValueList args;
+-        args << url.url();
+-        args << url.host();
++        args << cleanUrl.url();
++        args << cleanUrl.host();
+ 
+         QScriptValue result = func.call(QScriptValue(), args);
+         if (result.isError()) {
+-- 
+cgit v0.11.2
+
diff -Nru kde4libs-4.8.5/debian/patches/series kde4libs-4.8.5/debian/patches/series
--- kde4libs-4.8.5/debian/patches/series	2016-07-25 19:06:11.000000000 +0000
+++ kde4libs-4.8.5/debian/patches/series	2017-03-08 15:28:32.000000000 +0000
@@ -28,3 +28,4 @@
 kubuntu_meinproc-libxml-fix.diff
 CVE-2014-5033.patch
 CVE-2016-6232.patch
+CVE-2017-6410.patch