diff --git a/kdelibs-3.5.10-CVE-2017-6410.patch b/kdelibs-3.5.10-CVE-2017-6410.patch
new file mode 100644
index 0000000..2605226
--- /dev/null
+++ b/kdelibs-3.5.10-CVE-2017-6410.patch
@@ -0,0 +1,24 @@
+diff -ur kdelibs-3.5.10/kio/misc/kpac/script.cpp kdelibs-3.5.10-CVE-2017-6410/kio/misc/kpac/script.cpp
+--- kdelibs-3.5.10/kio/misc/kpac/script.cpp	2008-02-13 10:41:06.000000000 +0100
++++ kdelibs-3.5.10-CVE-2017-6410/kio/misc/kpac/script.cpp	2017-03-04 18:42:29.638992390 +0100
+@@ -446,10 +446,18 @@
+ 	if (!findObj.isValid() || !findObj.implementsCall())
+ 	  throw Error( "No such function FindProxyForURL" );
+ 
++        KURL cleanUrl = url;
++        cleanUrl.setPass(QString());
++        cleanUrl.setUser(QString());
++        if (cleanUrl.protocol().lower() == "https") {
++            cleanUrl.setPath(QString());
++            cleanUrl.setQuery(QString());
++        }
++
+ 	Object thisObj;
+ 	List args;
+-	args.append(String(url.url()));
+-	args.append(String(url.host()));
++	args.append(String(cleanUrl.url()));
++	args.append(String(cleanUrl.host()));
+ 	Value retval = findObj.call( exec, thisObj, args );
+ 
+ 	if ( exec->hadException() ) {
diff --git a/kdelibs3.spec b/kdelibs3.spec
index 91162d5..617bd04 100644
--- a/kdelibs3.spec
+++ b/kdelibs3.spec
@@ -18,7 +18,7 @@
 Summary: KDE 3 Libraries
 Name:    kdelibs3
 Version: 3.5.10
-Release: 83%{?dist}
+Release: 84%{?dist}
 
 License: LGPLv2
 Url: http://www.kde.org/
@@ -124,6 +124,10 @@ Patch210: kdelibs-3.5.10-CVE-2015-7543.patch
 # CVE-2016-6232 - directory traversal vulnerability in KArchive
 # patch from Trinity (Slávek Banko), based on KF5 fix (Andreas Cord-Landwehr)
 Patch211: kdelibs-3.5.10-CVE-2016-6232.patch
+# CVE-2017-6410 - info leak when accessing https when using a malicious PAC file
+# backport upstream fix (by Albert Astals Cid) from kdelibs 4:
+# http://commits.kde.org/kdelibs/1804c2fde7bf4e432c6cf5bb8cce5701c7010559
+Patch212: kdelibs-3.5.10-CVE-2017-6410.patch
 
 ## fixes to common KDE 3 autotools machinery
 # tweak autoconfigury so that it builds with autoconf 2.64 or 2.65
@@ -311,6 +315,7 @@ This package includes tools kgrantpty and kpac_dhcp_helper.
 %patch209 -p1 -b .CVE-2013-2074
 %patch210 -p1 -b .CVE-2015-7543
 %patch211 -p1 -b .CVE-2016-6232
+%patch212 -p1 -b .CVE-2017-6410
 
 %patch300 -p1 -b .acinclude
 %patch301 -p1 -b .automake-version
@@ -638,6 +643,9 @@ touch --no-create %{_datadir}/icons/crystalsvg 2> /dev/null || :
 %attr(4755,root,root) %{_bindir}/kpac_dhcp_helper
 
 %changelog
+* Sat Mar 04 2017 Kevin Kofler <Kevin@tigcc.ticalc.org> - 3.5.10-84
+- backport fix for CVE-2017-6410 from kdelibs 4 (itself backported from KF5)
+
 * Mon Feb 27 2017 Than Ngo <than@redhat.com> - 3.5.10-83
 - devel requires compat-openssl10-devel, fix kdebase3 FTBS