diff -u kdelibs-3.5.10.dfsg.1/debian/rules kdelibs-3.5.10.dfsg.1/debian/rules
--- kdelibs-3.5.10.dfsg.1/debian/rules
+++ kdelibs-3.5.10.dfsg.1/debian/rules
@@ -5,6 +5,9 @@
 include /usr/share/cdbs/1/rules/simple-patchsys.mk
 include /usr/share/cdbs/1/rules/utils.mk
+# disable parallel building
+DEB_BUILD_PARALLEL=
+
 #not for Kubuntu
 #DEB_KDE_APIDOX := yes
diff -u kdelibs-3.5.10.dfsg.1/debian/changelog kdelibs-3.5.10.dfsg.1/debian/changelog
--- kdelibs-3.5.10.dfsg.1/debian/changelog
+++ kdelibs-3.5.10.dfsg.1/debian/changelog
@@ -1,3 +1,20 @@
+kdelibs (4:3.5.10.dfsg.1-3ubuntu2.10.10.1) maverick-security; urgency=low
+
+ * SECURITY UPDATE: uncontrolled XMLHTTPRequest vulnerability. (LP: #661416)
+ - Ark and KMail performs insufficient validation which leads to
+ specially crafted archive files, using unknown MIME types, to be
+ rendered using a KHTML instance, this can trigger uncontrolled
+ XMLHTTPRequests to remote sites.
+ - Add debian/patches/security_05_XMLHttpRequest_vulnerability.diff,
+ restricts xmlhttprequest to http protocols only.
+ This patch has been accidentally dropped in 4:3.5.10.dfsg.1-3ubuntu1.
+ - http://www.kde.org/info/security/advisory-20091027-1.txt
+ - oCert: #2009-015 http://www.ocert.org/advisories/ocert-2009-015.html
+ - CVE n/a
+ * Fix FTBFS: disable parallel building.
+
+ -- Felix Geyer Fri, 15 Oct 2010 21:19:11 +0200
+
 kdelibs (4:3.5.10.dfsg.1-3ubuntu2) lucid; urgency=low
 * Remove kubuntu_97_kde4_menu_applications.diff, obsolete and can
only in patch2: unchanged:
--- kdelibs-3.5.10.dfsg.1.orig/debian/patches/security_05_XMLHttpRequest_vulnerability.diff
+++ kdelibs-3.5.10.dfsg.1/debian/patches/security_05_XMLHttpRequest_vulnerability.diff
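Review bot: The added `# disable parallel building` comment above `DEB_BUILD_PARALLEL=` in debian/rules records what is switched off but not why, so a later maintainer cannot tell when it is safe to re-enable parallel builds. The changelog hunk on this page attributes the change to an FTBFS fix, and that reason belongs next to the setting itself: `# disable parallel building: kdelibs FTBFS with parallel make (see changelog 4:3.5.10.dfsg.1-3ubuntu2.10.10.1)`. Whether an empty assignment is what the cdbs rules treat as "disabled" cannot be confirmed from this hunk alone; if the variable is normally left unset, a one-word remark saying the empty value is intentional would avoid it being "cleaned up" later.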
@@ -0,0 +1,31 @@
+Index: xmlhttprequest.cpp
+===================================================================
+--- kdelibs-3.5.10.dfsg.1/khtml/ecma/xmlhttprequest.cpp (revision 954808)
++++ kdelibs-3.5.10.dfsg.1/khtml/ecma/xmlhttprequest.cpp (working copy)
+@@ -342,17 +342,17 @@
+ {
+ aborted = false;
+
++ const QString protocol = url.protocol().lower();
++ // Abandon the request when the protocol is other than "http",
++ // instead of blindly doing a KIO::get on other protocols like file:/.
++ if (!protocol.startsWith("http") && !protocol.startsWith("webdav"))
++ {
++ abort();
++ return;
++ }
++
+ if (method == "post") {
+- QString protocol = url.protocol().lower();
+
+- // Abondon the request when the protocol is other than "http",
+- // instead of blindly changing it to a "get" request.
+- if (!protocol.startsWith("http") && !protocol.startsWith("webdav"))
+- {
+- abort();
+- return;
+- }
+-
+ // FIXME: determine post encoding correctly by looking in headers
+ // for charset.
+ QByteArray buf;
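Review bot: The scheme allowlist on the hoisted `if (!protocol.startsWith("http") && !protocol.startsWith("webdav"))` line is a prefix test, so it accepts any KIO protocol whose name merely begins with `http` or `webdav`, not only the http/https and webdav/webdavs schemes the fix evidently intends; an exact comparison states the policy and cannot be widened by a future protocol name: `if (protocol != "http" && protocol != "https" && protocol != "webdav" && protocol != "webdavs")`. The added comment also mentions only "http" while the condition admits webdav too, and it does not say that the check now runs for every method rather than just POST, which is the actual behaviour change the changelog describes; `// Abandon the request for every method unless the scheme is http(s) or webdav(s), instead of blindly doing a KIO::get on other protocols like file:/.` would match the code. The `const QString protocol` copy plus `lower()` is the right shape for a case-insensitive compare, and the early `abort(); return;` before any KIO job is created is the correct ordering. The enclosing function starts and ends outside this hunk, so whether `abort()` leaves the object in a state callers re-check cannot be confirmed here.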