CVE-2006-5445 is harder to fix, because they applied other patches before which do not have any connection to the security hole. But it also seems that this is not critical, in svn commit #45306 they write
"After some research, we realized that the default behaviour since a long
time was doing the right thing, even though the change optimized a bit
and removed a lot of potential risks.
CVE-2006-5445 is harder to fix, because they applied other patches before which do not have any connection to the security hole. But it also seems that this is not critical, in svn commit #45306 they write
"After some research, we realized that the default behaviour since a long
time was doing the right thing, even though the change optimized a bit
and removed a lot of potential risks.
Conclusion: No need for a configuration option at all." svn.digium. com/view/ asterisk? rev=45306& view=rev
--> http://
So I would suggest to only fix CVE-2006-5444.