From ${URL}:
This is a remote denial of service against haproxy (uncontrollable crash).
http://git.haproxy.org/?p=haproxy-1.6.git;a=commit;h=60f01f8c89e4fb2723d5a9f2046286e699567e0b
The problem was apparently introduced in haproxy 1.6.0, and is fixed in git (which will become 1.6.6).
@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
1.6.5 has been removed.
CVE-2016-5360 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5360): HAproxy 1.6.x before 1.6.6, when a deny comes from a reqdeny rule, allows remote attackers to cause a denial of service (uninitialized memory access and crash) or possibly have unspecified other impact via unknown vectors.
Upstream commit verifies that the issue was introduced in 1.6-dev2: "Commit 108b1dd ("MEDIUM: http: configurable http result codes for http-request deny") introduced in 1.6-dev2 was incomplete." @Christian, thanks for the bump and cleanup!
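An exposure check built from the two facts in this thread (affected from 1.6-dev2 up to, but not including, 1.6.6, and only when a `reqdeny` rule is configured), as an added example that is not part of the original bug or of HAProxy itself. The banner layout, the sample configuration and the inclusion of the case-insensitive `reqideny` form are assumptions.

```python
import re

# Affected range as stated in this thread: introduced in 1.6-dev2, fixed in 1.6.6.
FIRST_BAD = (1, 6, -1, 2)   # 1.6-dev2; -1 makes dev builds sort before 1.6.0
FIRST_GOOD = (1, 6, 6, 0)

VERSION_RE = re.compile(r"version\s+(\d+)\.(\d+)(?:\.(\d+)|-dev(\d+))")
# reqdeny is named in the CVE text; reqideny is included here as an assumption.
RULE_RE = re.compile(r"^\s*(reqi?deny)\b", re.IGNORECASE)

# Constructed sample inputs (assumed `haproxy -v` banner layout and a made-up config).
SAMPLE_BANNER = "HA-Proxy version 1.6.5 2016/05/10"
SAMPLE_CFG = """\
frontend web
    bind :80
    # reqdeny ^X-Old:   (commented out, must not count)
    reqdeny ^User-Agent:.*badbot
    reqideny ^Referer:.*spam
    default_backend app
"""

def parse_version(banner):
    """Return a sortable tuple for release (1.6.5) and dev (1.6-dev2) versions."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("no version in banner: %r" % banner)
    major, minor, patch, dev = m.groups()
    if dev is not None:
        return (int(major), int(minor), -1, int(dev))
    return (int(major), int(minor), int(patch), 0)

def version_affected(banner):
    return FIRST_BAD <= parse_version(banner) < FIRST_GOOD

def deny_rules(config_text):
    """List (line number, rule) for active reqdeny/reqideny lines, ignoring comments."""
    hits = []
    for n, line in enumerate(config_text.splitlines(), 1):
        code = line.split("#", 1)[0]
        if RULE_RE.match(code):
            hits.append((n, code.strip()))
    return hits

def exposed(banner, config_text):
    return version_affected(banner) and bool(deny_rules(config_text))
```

A host that reports an affected version but has no matching rule is not flagged by `exposed()`, though upgrading to 1.6.6 or later remains the fix named in the thread.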