diff --git a/hack/dockerfile/install/proxy.installer b/hack/dockerfile/install/proxy.installer
index c10ce330ef3c4..00c2f1dd05e06 100755
--- a/hack/dockerfile/install/proxy.installer
+++ b/hack/dockerfile/install/proxy.installer
@@ -3,7 +3,7 @@
 # LIBNETWORK_COMMIT is used to build the docker-userland-proxy binary. When
 # updating the binary version, consider updating github.com/docker/libnetwork
 # in vendor.conf accordingly
-LIBNETWORK_COMMIT=3931ba4d815e385ab97093c64477b82f14dadefb
+LIBNETWORK_COMMIT=19279f0492417475b6bfbd0aa529f73e8f178fb5
 
 install_proxy() {
 	case "$1" in
diff --git a/vendor.conf b/vendor.conf
index 858182b841b2e..719970d273acf 100644
--- a/vendor.conf
+++ b/vendor.conf
@@ -35,7 +35,7 @@ github.com/opentracing/opentracing-go 1361b9cd60be79c4c3a7fa9841b3c132e40066a7
 #get libnetwork packages
 
 # When updating, also update LIBNETWORK_COMMIT in hack/dockerfile/install/proxy accordingly
-github.com/docker/libnetwork 3931ba4d815e385ab97093c64477b82f14dadefb
+github.com/docker/libnetwork 19279f0492417475b6bfbd0aa529f73e8f178fb5
 github.com/docker/go-events 9461782956ad83b30282bf90e31fa6a70c255ba9
 github.com/armon/go-radix e39d623f12e8e41c7b5529e9a9dd67a1e2261f80
 github.com/armon/go-metrics eb0af217e5e9747e41dd5303755356b62d28e3ec
diff --git a/vendor/github.com/docker/libnetwork/drivers/overlay/ov_network.go b/vendor/github.com/docker/libnetwork/drivers/overlay/ov_network.go
index 9c83127d4f83f..8b6839656b11f 100644
--- a/vendor/github.com/docker/libnetwork/drivers/overlay/ov_network.go
+++ b/vendor/github.com/docker/libnetwork/drivers/overlay/ov_network.go
@@ -244,7 +244,15 @@ func (d *driver) DeleteNetwork(nid string) error {
 	}
 
 	d.Lock()
-	defer d.Unlock()
+	// Only perform a peer flush operation (if required) AFTER unlocking
+	// the driver lock to avoid deadlocking w/ the peerDB.
+	var doPeerFlush bool
+	defer func() {
+		d.Unlock()
+		if doPeerFlush {
+			d.peerFlush(nid)
+		}
+	}()
 
 	// This is similar to d.network(), but we need to keep holding the lock
 	// until we are done removing this network.
@@ -270,7 +278,7 @@ func (d *driver) DeleteNetwork(nid string) error {
 		}
 	}
 	// flush the peerDB entries
-	d.peerFlush(nid)
+	doPeerFlush = true
 	delete(d.networks, nid)
 
 	vnis, err := n.releaseVxlanID()
diff --git a/vendor/github.com/docker/libnetwork/service_linux.go b/vendor/github.com/docker/libnetwork/service_linux.go
index ef0590df78e2c..a95ece8a08b14 100644
--- a/vendor/github.com/docker/libnetwork/service_linux.go
+++ b/vendor/github.com/docker/libnetwork/service_linux.go
@@ -279,7 +279,7 @@ const ingressChain = "DOCKER-INGRESS"
 
 var (
 	ingressOnce     sync.Once
-	ingressProxyMu  sync.Mutex
+	ingressMu       sync.Mutex // lock for operations on ingress
 	ingressProxyTbl = make(map[string]io.Closer)
 	portConfigMu    sync.Mutex
 	portConfigTbl   = make(map[PortConfig]int)
@@ -328,6 +328,9 @@ func programIngress(gwIP net.IP, ingressPorts []*PortConfig, isDelete bool) erro
 		addDelOpt = "-D"
 	}
 
+	ingressMu.Lock()
+	defer ingressMu.Unlock()
+
 	chainExists := iptables.ExistChain(ingressChain, iptables.Nat)
 	filterChainExists := iptables.ExistChain(ingressChain, iptables.Filter)
 
@@ -497,13 +500,11 @@ func plumbProxy(iPort *PortConfig, isDelete bool) error {
 
 	portSpec := fmt.Sprintf("%d/%s", iPort.PublishedPort, strings.ToLower(PortConfig_Protocol_name[int32(iPort.Protocol)]))
 	if isDelete {
-		ingressProxyMu.Lock()
 		if listener, ok := ingressProxyTbl[portSpec]; ok {
 			if listener != nil {
 				listener.Close()
 			}
 		}
-		ingressProxyMu.Unlock()
 
 		return nil
 	}
@@ -523,9 +524,7 @@ func plumbProxy(iPort *PortConfig, isDelete bool) error {
 		return err
 	}
 
-	ingressProxyMu.Lock()
 	ingressProxyTbl[portSpec] = l
-	ingressProxyMu.Unlock()
 
 	return nil
 }