diff --git a/contrib/src/pjproject/0017-CVE-2020-15260.patch b/contrib/src/pjproject/0017-CVE-2020-15260.patch
new file mode 100644
index 0000000000000000000000000000000000000000..350bb402a4fbe2d00f9c63f1a6dd18a008e0a815
--- /dev/null
+++ b/contrib/src/pjproject/0017-CVE-2020-15260.patch
@@ -0,0 +1,129 @@
+ pjsip/include/pjsip/sip_dialog.h |  1 +
+ pjsip/src/pjsip/sip_dialog.c     | 15 +++++++++++++++
+ pjsip/src/pjsip/sip_transport.c  | 17 +++++++++++++++--
+ pjsip/src/pjsip/sip_util.c       | 11 ++++++++---
+ 4 files changed, 39 insertions(+), 5 deletions(-)
+
+diff --git a/pjsip/include/pjsip/sip_dialog.h b/pjsip/include/pjsip/sip_dialog.h
+index a0214d28c..e314c2ece 100644
+--- a/pjsip/include/pjsip/sip_dialog.h
++++ b/pjsip/include/pjsip/sip_dialog.h
+@@ -165,6 +165,7 @@ struct pjsip_dialog
+     pjsip_route_hdr	route_set;  /**< Route set.			    */
+     pj_bool_t		route_set_frozen; /**< Route set has been set.	    */
+     pjsip_auth_clt_sess	auth_sess;  /**< Client authentication session.	    */
++    pj_str_t		initial_dest;/**< Initial destination host.  	    */
+ 
+     /** Session counter. */
+     int			sess_count; /**< Number of sessions.		    */
+diff --git a/pjsip/src/pjsip/sip_dialog.c b/pjsip/src/pjsip/sip_dialog.c
+index 27530e4f2..9571b5a35 100644
+--- a/pjsip/src/pjsip/sip_dialog.c
++++ b/pjsip/src/pjsip/sip_dialog.c
+@@ -467,6 +467,10 @@ pj_status_t create_uas_dialog( pjsip_user_agent *ua,
+ 
+     /* Save the remote info. */
+     pj_strdup(dlg->pool, &dlg->remote.info_str, &tmp);
++    
++    /* Save initial destination host from transport's info */
++    pj_strdup(dlg->pool, &dlg->initial_dest,
++    	      &rdata->tp_info.transport->remote_name.host);
+ 
+ 
+     /* Init remote's contact from Contact header.
+@@ -1192,6 +1196,12 @@ static pj_status_t dlg_create_request_throw( pjsip_dialog *dlg,
+ 	    return status;
+     }
+ 
++    /* Copy the initial destination host to tdata. This information can be
++     * used later by transport for transport selection.
++     */
++    if (dlg->initial_dest.slen)
++    	pj_strdup(tdata->pool, &tdata->dest_info.name, &dlg->initial_dest);
++
+     /* Done. */
+     *p_tdata = tdata;
+ 
+@@ -1822,6 +1832,11 @@ static void dlg_update_routeset(pjsip_dialog *dlg, const pjsip_rx_data *rdata)
+      * transaction as the initial transaction that establishes dialog.
+      */
+     if (dlg->role == PJSIP_ROLE_UAC) {
++    	/* Save initial destination host from transport's info. */
++    	if (!dlg->initial_dest.slen) {
++    	    pj_strdup(dlg->pool, &dlg->initial_dest,
++    	      	      &rdata->tp_info.transport->remote_name.host);
++    	}
+ 
+ 	/* Ignore subsequent request from remote */
+ 	if (msg->type != PJSIP_RESPONSE_MSG)
+diff --git a/pjsip/src/pjsip/sip_transport.c b/pjsip/src/pjsip/sip_transport.c
+index 784bd069f..2780bd822 100644
+--- a/pjsip/src/pjsip/sip_transport.c
++++ b/pjsip/src/pjsip/sip_transport.c
+@@ -2289,6 +2289,7 @@ PJ_DEF(pj_status_t) pjsip_tpmgr_acquire_transport2(pjsip_tpmgr *mgr,
+ 	int key_len;
+ 	pjsip_transport *tp_ref = NULL;
+ 	transport *tp_entry = NULL;
++	unsigned flag = pjsip_transport_get_flag_from_type(type);
+ 
+ 
+ 	/* If listener is specified, verify that the listener type matches
+@@ -2317,7 +2318,20 @@ PJ_DEF(pj_status_t) pjsip_tpmgr_acquire_transport2(pjsip_tpmgr *mgr,
+ 		transport *tp_iter = tp_entry;
+ 		do {
+ 		    /* Don't use transport being shutdown */
+-		    if (!tp_iter->tp->is_shutdown) {
++		    if (!tp_iter->tp->is_shutdown &&
++			!tp_iter->tp->is_destroying) {
++			if ((flag & PJSIP_TRANSPORT_SECURE) && tdata) {
++			    /* For secure transport, make sure tdata's
++			     * destination host matches the transport's
++			     * remote host.
++			     */
++			    if (pj_stricmp(&tdata->dest_info.name,
++				  	   &tp_iter->tp->remote_name.host))
++			    {
++			    	tp_iter = tp_iter->next;
++			    	continue;
++			    }
++			}
+ 			if (sel && sel->type == PJSIP_TPSELECTOR_LISTENER &&
+ 			    sel->u.listener)
+ 			{
+@@ -2336,7 +2350,6 @@ PJ_DEF(pj_status_t) pjsip_tpmgr_acquire_transport2(pjsip_tpmgr *mgr,
+ 	    }
+ 	}
+ 
+-        unsigned flag = pjsip_transport_get_flag_from_type(type);
+ 	if (tp_ref == NULL &&
+ 	    (!sel || sel->disable_connection_reuse == PJ_FALSE))
+ 	{
+diff --git a/pjsip/src/pjsip/sip_util.c b/pjsip/src/pjsip/sip_util.c
+index d10a6fa30..b235b0ea0 100644
+--- a/pjsip/src/pjsip/sip_util.c
++++ b/pjsip/src/pjsip/sip_util.c
+@@ -1417,7 +1417,10 @@ PJ_DEF(pj_status_t) pjsip_endpt_send_request_stateless(pjsip_endpoint *endpt,
+      */
+     if (tdata->dest_info.addr.count == 0) {
+ 	/* Copy the destination host name to TX data */
+-	pj_strdup(tdata->pool, &tdata->dest_info.name, &dest_info.addr.host);
++	if (!tdata->dest_info.name.slen) {
++	    pj_strdup(tdata->pool, &tdata->dest_info.name,
++	    	      &dest_info.addr.host);
++	}
+ 
+ 	pjsip_endpt_resolve( endpt, tdata->pool, &dest_info, stateless_data,
+ 			     &stateless_send_resolver_callback);
+@@ -1810,8 +1813,10 @@ PJ_DEF(pj_status_t) pjsip_endpt_send_response( pjsip_endpoint *endpt,
+ 	}
+     } else {
+ 	/* Copy the destination host name to TX data */
+-	pj_strdup(tdata->pool, &tdata->dest_info.name, 
+-		  &res_addr->dst_host.addr.host);
++	if (!tdata->dest_info.name.slen) {
++	    pj_strdup(tdata->pool, &tdata->dest_info.name, 
++		      &res_addr->dst_host.addr.host);
++	}
+ 
+ 	pjsip_endpt_resolve(endpt, tdata->pool, &res_addr->dst_host, 
+ 			    send_state, &send_response_resolver_cb);
diff --git a/contrib/src/pjproject/0018-CVE-2021-21375.patch b/contrib/src/pjproject/0018-CVE-2021-21375.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b9283f126b54817d101ae1e823c8aac92bd00e36
--- /dev/null
+++ b/contrib/src/pjproject/0018-CVE-2021-21375.patch
@@ -0,0 +1,42 @@
+From 97b3d7addbaa720b7ddb0af9bf6f3e443e664365 Mon Sep 17 00:00:00 2001
+From: Nanang Izzuddin <nanang@teluu.com>
+Date: Mon, 8 Mar 2021 16:09:34 +0700
+Subject: [PATCH] Merge pull request from GHSA-hvq6-f89p-frvp
+
+---
+ pjmedia/src/pjmedia/sdp_neg.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/pjmedia/src/pjmedia/sdp_neg.c b/pjmedia/src/pjmedia/sdp_neg.c
+index f4838f75d..9f76b5200 100644
+--- a/pjmedia/src/pjmedia/sdp_neg.c
++++ b/pjmedia/src/pjmedia/sdp_neg.c
+@@ -304,7 +304,6 @@ PJ_DEF(pj_status_t) pjmedia_sdp_neg_modify_local_offer2(
+ {
+     pjmedia_sdp_session *new_offer;
+     pjmedia_sdp_session *old_offer;
+-    char media_used[PJMEDIA_MAX_SDP_MEDIA];
+     unsigned oi; /* old offer media index */
+     pj_status_t status;
+ 
+@@ -323,8 +322,19 @@ PJ_DEF(pj_status_t) pjmedia_sdp_neg_modify_local_offer2(
+     /* Change state to STATE_LOCAL_OFFER */
+     neg->state = PJMEDIA_SDP_NEG_STATE_LOCAL_OFFER;
+ 
++    /* When there is no active local SDP in state PJMEDIA_SDP_NEG_STATE_DONE,
++     * it means that the previous initial SDP nego must have been failed,
++     * so we'll just set the local SDP offer here.
++     */
++    if (!neg->active_local_sdp) {
++	neg->initial_sdp_tmp = NULL;
++	neg->initial_sdp = pjmedia_sdp_session_clone(pool, local);
++	neg->neg_local_sdp = pjmedia_sdp_session_clone(pool, local);
++
++	return PJ_SUCCESS;
++    }
++
+     /* Init vars */
+-    pj_bzero(media_used, sizeof(media_used));
+     old_offer = neg->active_local_sdp;
+     new_offer = pjmedia_sdp_session_clone(pool, local);
+ 
diff --git a/contrib/src/pjproject/package.json b/contrib/src/pjproject/package.json
index ab5b30fd09e8d661885285e37d314ba70665f07b..fe6585f405300c7af1194693a26975a4811a8aaf 100644
--- a/contrib/src/pjproject/package.json
+++ b/contrib/src/pjproject/package.json
@@ -19,10 +19,12 @@
         "0014-Add-new-compile-time-setting-PJ_ICE_ST_USE_TURN_PERM.patch",
         "0015-update-local-preference-for-peer-reflexive-candidate.patch",
         "0016-use-addrinfo-instead-CFHOST.patch",
+        "0017-CVE-2020-15260.patch",
+        "0018-CVE-2021-21375.patch",
         "0001-win-config.patch",
         "0002-win-vs-gnutls.patch",
         "0003-win-vs2017-props.patch"
-],
+    ],
     "project_paths": [
         "pjlib-util/build/pjlib_util.vcxproj",
         "pjmedia/build/pjmedia.vcxproj",
diff --git a/contrib/src/pjproject/rules.mak b/contrib/src/pjproject/rules.mak
index 7b7544aee020ad6fe20a4dc6ad7aef4941a3cca1..330f9c410e8a07c2237358f5be993d183b2b40ec 100644
--- a/contrib/src/pjproject/rules.mak
+++ b/contrib/src/pjproject/rules.mak
@@ -61,6 +61,8 @@ pjproject: pjproject-$(PJPROJECT_VERSION).tar.gz .sum-pjproject
 	$(APPLY) $(SRC)/pjproject/0014-Add-new-compile-time-setting-PJ_ICE_ST_USE_TURN_PERM.patch
 	$(APPLY) $(SRC)/pjproject/0015-update-local-preference-for-peer-reflexive-candidate.patch
 	$(APPLY) $(SRC)/pjproject/0016-use-addrinfo-instead-CFHOST.patch
+	$(APPLY) $(SRC)/pjproject/0017-CVE-2020-15260.patch
+	$(APPLY) $(SRC)/pjproject/0018-CVE-2021-21375.patch
 ifdef HAVE_ANDROID
 	$(APPLY) $(SRC)/pjproject/0001-android.patch
 endif