diff --git a/fix-reqdeny-crash.patch b/fix-reqdeny-crash.patch
new file mode 100644
index 0000000..8bb5d04
--- /dev/null
+++ b/fix-reqdeny-crash.patch
@@ -0,0 +1,122 @@
+From 60f01f8c89e4fb2723d5a9f2046286e699567e0b Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Wed, 25 May 2016 16:23:59 +0200
+Subject: [PATCH] BUG/MAJOR: http: fix breakage of "reqdeny" causing random
+ crashes
+
+Commit 108b1dd ("MEDIUM: http: configurable http result codes for
+http-request deny") introduced in 1.6-dev2 was incomplete. It introduced
+a new field "rule_deny_status" into struct http_txn, which is filled only
+by actions "http-request deny" and "http-request tarpit". It's then used
+in the deny code path to emit the proper error message, but is used
+uninitialized when the deny comes from a "reqdeny" rule, causing random
+behaviours ranging from returning a 200, an empty response, or crashing
+the process. Often upon startup only 200 was returned but after the fields
+are used the crash happens. This can be sped up using -dM.
+
+There's no need at all for storing this status in the http_txn struct
+anyway since it's used immediately after being set. Let's store it in
+a temporary variable instead which is passed as an argument to function
+http_req_get_intercept_rule().
+
+As an extra benefit, removing it from struct http_txn reduced the size
+of this struct by 8 bytes.
+
+This fix must be backported to 1.6 where the bug was detected. Special
+thanks to Falco Schmutz for his detailed report including an exploitable
+core and a reproducer.
+(cherry picked from commit 58727ec088e55f739b146cff3baa955f8d1b2a3e)
+---
+ include/types/proto_http.h |  1 -
+ src/proto_http.c           | 21 +++++++++++++--------
+ 2 files changed, 13 insertions(+), 9 deletions(-)
+
+diff --git a/include/types/proto_http.h b/include/types/proto_http.h
+index e5e9667..c3a73ef 100644
+--- a/include/types/proto_http.h
++++ b/include/types/proto_http.h
+@@ -362,7 +362,6 @@ struct http_txn {
+ 	unsigned int flags;             /* transaction flags */
+ 	enum http_meth_t meth;          /* HTTP method */
+ 	/* 1 unused byte here */
+-	short rule_deny_status;         /* HTTP status from rule when denying */
+ 	short status;                   /* HTTP status from the server, negative if from proxy */
+ 
+ 	char *uri;                      /* first line if log needed, NULL otherwise */
+diff --git a/src/proto_http.c b/src/proto_http.c
+index 59cd5d2..6eac62b 100644
+--- a/src/proto_http.c
++++ b/src/proto_http.c
+@@ -3490,10 +3490,12 @@ static int http_transform_header(struct stream* s, struct http_msg *msg,
+  * further processing of the request (auth, deny, ...), and defaults to
+  * HTTP_RULE_RES_STOP if it executed all rules or stopped on an allow, or
+  * HTTP_RULE_RES_CONT if the last rule was reached. It may set the TX_CLTARPIT
+- * on txn->flags if it encounters a tarpit rule.
++ * on txn->flags if it encounters a tarpit rule. If <deny_status> is not NULL
++ * and a deny/tarpit rule is matched, it will be filled with this rule's deny
++ * status.
+  */
+ enum rule_result
+-http_req_get_intercept_rule(struct proxy *px, struct list *rules, struct stream *s)
++http_req_get_intercept_rule(struct proxy *px, struct list *rules, struct stream *s, int *deny_status)
+ {
+ 	struct session *sess = strm_sess(s);
+ 	struct http_txn *txn = s->txn;
+@@ -3539,12 +3541,14 @@ resume_execution:
+ 			return HTTP_RULE_RES_STOP;
+ 
+ 		case ACT_ACTION_DENY:
+-			txn->rule_deny_status = rule->deny_status;
++			if (deny_status)
++				*deny_status = rule->deny_status;
+ 			return HTTP_RULE_RES_DENY;
+ 
+ 		case ACT_HTTP_REQ_TARPIT:
+ 			txn->flags |= TX_CLTARPIT;
+-			txn->rule_deny_status = rule->deny_status;
++			if (deny_status)
++				*deny_status = rule->deny_status;
+ 			return HTTP_RULE_RES_DENY;
+ 
+ 		case ACT_HTTP_REQ_AUTH:
+@@ -4303,6 +4307,7 @@ int http_process_req_common(struct stream *s, struct channel *req, int an_bit, s
+ 	struct redirect_rule *rule;
+ 	struct cond_wordlist *wl;
+ 	enum rule_result verdict;
++	int deny_status = HTTP_ERR_403;
+ 
+ 	if (unlikely(msg->msg_state < HTTP_MSG_BODY)) {
+ 		/* we need more data */
+@@ -4323,7 +4328,7 @@ int http_process_req_common(struct stream *s, struct channel *req, int an_bit, s
+ 
+ 	/* evaluate http-request rules */
+ 	if (!LIST_ISEMPTY(&px->http_req_rules)) {
+-		verdict = http_req_get_intercept_rule(px, &px->http_req_rules, s);
++		verdict = http_req_get_intercept_rule(px, &px->http_req_rules, s, &deny_status);
+ 
+ 		switch (verdict) {
+ 		case HTTP_RULE_RES_YIELD: /* some data miss, call the function later. */
+@@ -4369,7 +4374,7 @@ int http_process_req_common(struct stream *s, struct channel *req, int an_bit, s
+ 
+ 		/* parse the whole stats request and extract the relevant information */
+ 		http_handle_stats(s, req);
+-		verdict = http_req_get_intercept_rule(px, &px->uri_auth->http_req_rules, s);
++		verdict = http_req_get_intercept_rule(px, &px->uri_auth->http_req_rules, s, &deny_status);
+ 		/* not all actions implemented: deny, allow, auth */
+ 
+ 		if (verdict == HTTP_RULE_RES_DENY) /* stats http-request deny */
+@@ -4500,9 +4505,9 @@ int http_process_req_common(struct stream *s, struct channel *req, int an_bit, s
+ 		manage_client_side_cookies(s, req);
+ 
+ 	txn->flags |= TX_CLDENY;
+-	txn->status = http_err_codes[txn->rule_deny_status];
++	txn->status = http_err_codes[deny_status];
+ 	s->logs.tv_request = now;
+-	stream_int_retnclose(&s->si[0], http_error_message(s, txn->rule_deny_status));
++	stream_int_retnclose(&s->si[0], http_error_message(s, deny_status));
+ 	stream_inc_http_err_ctr(s);
+ 	sess->fe->fe_counters.denied_req++;
+ 	if (sess->fe != s->be)
+-- 
+2.4.3
+
diff --git a/haproxy.spec b/haproxy.spec
index e0f00a6..b333989 100644
--- a/haproxy.spec
+++ b/haproxy.spec
@@ -8,22 +8,23 @@
 
 Name:           haproxy
 Version:        1.6.5
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        HAProxy reverse proxy for high availability environments
 
 Group:          System Environment/Daemons
 License:        GPLv2+
 
 URL:            http://www.haproxy.org/
-Source0:        http://www.haproxy.org/download/1.5/src/haproxy-%{version}.tar.gz
+Source0:        http://www.haproxy.org/download/1.6/src/haproxy-%{version}.tar.gz
 Source1:        %{name}.service
 Source2:        %{name}.cfg
 Source3:        %{name}.logrotate
-Source4:	%{name}.sysconfig
+Source4:        %{name}.sysconfig
 Source5:        halog.1
 
 Patch0:         halog-unused-variables.patch
 Patch1:         iprange-return-type.patch
+Patch2:         fix-reqdeny-crash.patch
 
 BuildRequires:  lua-devel
 BuildRequires:  pcre-devel
@@ -54,6 +55,7 @@ availability environments. Indeed, it can:
 %setup -q
 %patch0 -p0
 %patch1 -p0
+%patch2 -p1
 
 %build
 regparm_opts=
@@ -139,6 +141,9 @@ exit 0
 %attr(-,%{haproxy_user},%{haproxy_group}) %dir %{haproxy_home}
 
 %changelog
+* Wed Jun 15 2016 Ryan O'Hara <rohara@redhat.com> - 1.6.5-3
+- Fix reqdeny causing random crashes (CVE-2016-5360, #1346672)
+
 * Fri Jun 03 2016 Ryan O'Hara <rohara@redhat.com> - 1.6.5-2
 - Utilize system-wide crypto-policies (#1256253)