CVE-2006-5445 is harder to fix, because they applied other patches before which do not have any connection to the security hole. But it also seems that this is not critical; in svn commit #45306 they write:
"After some research, we realized that the default behaviour since a long time was doing the right thing, even though the change optimized a bit and removed a lot of potential risks. Conclusion: No need for a configuration option at all."
--> http://svn.digium.com/view/asterisk?rev=45306&view=rev

So I would suggest to only fix CVE-2006-5444.

--
Asterisk vulnerabilities in chan_skinny.c and chan_sip.c
https://launchpad.net/bugs/66912

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs