diff --git a/.gitignore b/.gitignore
index b3c4ea2..1c46cf2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/haproxy-1.8.23.tar.gz
+SOURCES/haproxy-1.8.27.tar.gz
diff --git a/.haproxy.metadata b/.haproxy.metadata
index 3d2a7e7..1054205 100644
--- a/.haproxy.metadata
+++ b/.haproxy.metadata
@@ -1 +1 @@
-c1b6c1d4d5de55bcad874a0a7a02a94db5638b1f SOURCES/haproxy-1.8.23.tar.gz
+5a8a12d07da986d2ecba5f57a07a9e68fe597bfd SOURCES/haproxy-1.8.27.tar.gz
diff --git a/SOURCES/bz1664533-fix-handling-priority-flag-HTTP2-decoder.patch b/SOURCES/bz1664533-fix-handling-priority-flag-HTTP2-decoder.patch
deleted file mode 100644
index a2f97d3..0000000
--- a/SOURCES/bz1664533-fix-handling-priority-flag-HTTP2-decoder.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 57c9ecf43f1ae0211367d8ba79540e3a5d288d34 Mon Sep 17 00:00:00 2001
-From: Willy Tarreau <w@1wt.eu>
-Date: Mon, 31 Dec 2018 07:41:24 +0100
-Subject: BUG/CRITICAL: mux-h2: re-check the frame length when PRIORITY is used
-MIME-Version: 1.0
-Content-Type: text/plain; charset=latin1
-Content-Transfer-Encoding: 8bit
-
-Tim D�sterhus reported a possible crash in the H2 HEADERS frame decoder
-when the PRIORITY flag is present. A check is missing to ensure the 5
-extra bytes needed with this flag are actually part of the frame. As per
-RFC7540#4.2, let's return a connection error with code FRAME_SIZE_ERROR.
-
-Many thanks to Tim for responsibly reporting this issue with a working
-config and reproducer. This issue was assigned CVE-2018-20615.
-
-This fix must be backported to 1.9 and 1.8.
----
- src/mux_h2.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/src/mux_h2.c b/src/mux_h2.c
-index 5803a84ff..a67bbb049 100644
---- a/src/mux_h2.c
-+++ b/src/mux_h2.c
-@@ -3297,6 +3297,11 @@ next_frame:
- 			goto fail;
- 		}
- 
-+		if (flen < 5) {
-+			h2c_error(h2c, H2_ERR_FRAME_SIZE_ERROR);
-+			goto fail;
-+		}
-+
- 		hdrs += 5; // stream dep = 4, weight = 1
- 		flen -= 5;
- 	}
--- 
-2.20.1
-
diff --git a/SOURCES/bz1819519-fix-handling-hpack-zero-bytes-overwrite.patch b/SOURCES/bz1819519-fix-handling-hpack-zero-bytes-overwrite.patch
deleted file mode 100644
index 24ed204..0000000
--- a/SOURCES/bz1819519-fix-handling-hpack-zero-bytes-overwrite.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 4e372dc350be5c72b88546bf03392a5793cea179 Mon Sep 17 00:00:00 2001
-From: Willy Tarreau <w@1wt.eu>
-Date: Sun, 29 Mar 2020 08:53:31 +0200
-Subject: BUG/CRITICAL: hpack: never index a header into the headroom after
- wrapping
-
-The HPACK header table is implemented as a wrapping list inside a contigous
-area. Headers names and values are stored from right to left while indexes
-are stored from left to right. When there's no more room to store a new one,
-we wrap to the right again, or possibly defragment it if needed. The condition
-do use the right part (called tailroom) or the left part (called headroom)
-depends on the location of the last inserted header. After wrapping happens,
-the code forces to stick to tailroom by pretending there's no more headroom,
-so that the size fit test always fails. The problem is that nothing prevents
-from storing a header with an empty name and empty value, resulting in a
-total size of zero bytes, which satisfies the condition to use the headroom.
-Doing this in a wrapped buffer results in changing the "front" header index
-and causing miscalculations on the available size and the addresses of the
-next headers. This may even allow to overwrite some parts of the index,
-opening the possibility to perform arbitrary writes into a 32-bit relative
-address space.
-
-This patch fixes the issue by making sure the headroom is considered only
-when the buffer does not wrap, instead of relying on the zero size. This
-must be backported to all versions supporting H2, which is as far as 1.8.
-
-Many thanks to Felix Wilhelm of Google Project Zero for responsibly
-reporting this problem with a reproducer and a detailed analysis.
----
- src/hpack-tbl.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/hpack-tbl.c b/src/hpack-tbl.c
-index 70d7f35834..727ff7a17b 100644
---- a/src/hpack-tbl.c
-+++ b/src/hpack-tbl.c
-@@ -346,9 +346,9 @@ int hpack_dht_insert(struct hpack_dht *dht, struct ist name, struct ist value)
- 	 * room left in the tail to suit the protocol, but tests show that in
- 	 * practice it almost never happens in other situations so the extra
- 	 * test is useless and we simply fill the headroom as long as it's
--	 * available.
-+	 * available and we don't wrap.
- 	 */
--	if (headroom >= name.len + value.len) {
-+	if (prev == dht->front && headroom >= name.len + value.len) {
- 		/* install upfront and update ->front */
- 		dht->dte[head].addr = dht->dte[dht->front].addr - (name.len + value.len);
- 		dht->front = head;
--- 
-2.20.1
-
diff --git a/SOURCES/rhbz1838319-mworker-fix-again-copy_argv.patch b/SOURCES/rhbz1838319-mworker-fix-again-copy_argv.patch
new file mode 100644
index 0000000..2c20482
--- /dev/null
+++ b/SOURCES/rhbz1838319-mworker-fix-again-copy_argv.patch
@@ -0,0 +1,45 @@
+From 58b3d8676bbef52bc76dd79ecfcf74582c34ec97 Mon Sep 17 00:00:00 2001
+From: William Lallemand <wlallemand@haproxy.org>
+Date: Thu, 17 Dec 2020 18:48:06 +0100
+Subject: [PATCH] BUG/MEDIUM: mworker: fix again copy_argv()
+
+When backporting patch df6c5a8 ("BUG/MEDIUM: mworker: fix the copy of
+options in copy_argv()") part of the patch was removed by mistake.
+Letting the bug #644 unfixed.
+
+This patch fixes the problem by reintroducing the missing part.
+
+1.8 only, no backport needed.
+---
+ src/haproxy.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/src/haproxy.c b/src/haproxy.c
+index 5ddf4d05..3947505b 100644
+--- a/src/haproxy.c
++++ b/src/haproxy.c
+@@ -1328,6 +1328,21 @@ static char **copy_argv(int argc, char **argv)
+ 						}
+ 						break;
+ 
++					case 'C':
++					case 'n':
++					case 'm':
++					case 'N':
++					case 'L':
++					case 'f':
++					case 'p':
++						/* these options have only 1 parameter which must be copied and can start with a '-' */
++						*newargv++ = *argv++;
++						argc--;
++						if (argc == 0)
++							goto error;
++						*newargv++ = *argv++;
++						argc--;
++						break;
+ 					default:
+ 						/* for other options just copy them without parameters, this is also done
+ 						 * for options like "--foo", but this  will fail in the argument parser.
+-- 
+2.26.2
+
diff --git a/SPECS/haproxy.spec b/SPECS/haproxy.spec
index 8a342f8..8255a7b 100644
--- a/SPECS/haproxy.spec
+++ b/SPECS/haproxy.spec
@@ -7,8 +7,8 @@
 %global _hardened_build 1
 
 Name:           haproxy
-Version:        1.8.23
-Release:        5%{?dist}
+Version:        1.8.27
+Release:        2%{?dist}
 Summary:        HAProxy reverse proxy for high availability environments
 
 Group:          System Environment/Daemons
@@ -22,8 +22,7 @@ Source3:        %{name}.logrotate
 Source4:        %{name}.sysconfig
 Source5:        halog.1
 
-Patch0:		bz1664533-fix-handling-priority-flag-HTTP2-decoder.patch
-Patch1:		bz1819519-fix-handling-hpack-zero-bytes-overwrite.patch
+Patch0:		rhbz1838319-mworker-fix-again-copy_argv.patch
 
 BuildRequires:  lua-devel
 BuildRequires:  pcre-devel
@@ -54,7 +53,6 @@ availability environments. Indeed, it can:
 %prep
 %setup -q
 %patch0 -p1
-%patch1 -p1
 
 %build
 regparm_opts=
@@ -140,6 +138,12 @@ exit 0
 %{_mandir}/man1/*
 
 %changelog
+* Thu Dec 17 2020 Ryan O'Hara <rohara@redhat.com> - 1.8.27-2
+- Fix copy_argv for arguments that begin with hypen (#1838319)
+
+* Thu Dec 10 2020 Ryan O'Hara <rohara@redhat.com> - 1.8.27-1
+- Update to 1.8.27 (#1905663, #1838319)
+
 * Thu Jun 18 2020 Ryan O'Hara <rohara@redhat.com> - 1.8.23-5
 - Use OPTIONS from systemd EnvironmentFile (#1845611)