CVE-2019-18277 (https://nvd.nist.gov/vuln/detail/CVE-2019-18277): A flaw was found in haproxy before version 2.0.6. In legacy mode, messages featuring a transfer-encoding header missing the "chunked" value was not being correctly rejected. The impact was limited but if combined with "http-reuse always", it could be used as an help to construct a content smuggling attack against a vulnerable component employing a lenient parser which would ignore the content-length header as soon as it sees a transfer-encoding one, without even parsing it.
@maintainer(s), please advise if you are ready for stabilisation or call for stabilisation yourself.