Release date:
2024-03-04 14:27:52 UTC
Description:
* SECURITY UPDATE: ProxyCommand/ProxyJump features allow injection of
  malicious code through hostname
  - debian/patches/CVE-2023-6004-pre1.patch: move common parser functions
    to config_parser.c
  - debian/patches/CVE-2023-6004-pre2.patch: prevent possible segmentation
    fault
  - debian/patches/CVE-2023-6004-02.patch: allow multiple '@' in usernames
  - debian/patches/CVE-2023-6004-03.patch: simplify the hostname parsing
    in ssh_options_set
  - debian/patches/CVE-2023-6004-04.patch: add function to check allowed
    characters of a hostname
  - debian/patches/CVE-2023-6004-05.patch: add test for
    ssh_check_hostname_syntax
  - debian/patches/CVE-2023-6004-06.patch: check for valid syntax
    of a hostname if it is a domain name
  - debian/patches/CVE-2023-6004-07.patch: add test for proxycommand
    injection
  - debian/patches/CVE-2023-6004-08.patch: add test for ssh_is_ipaddr
  - debian/patches/CVE-2023-6004-09.patch: add ipv6 link-local check
    for an ip address
  - debian/patches/CVE-2023-6004-10.patch: add tests for ipv6 link-local
  - debian/patches/CVE-2023-6004-regression1.patch: fix regression in IPv6
    addresses in hostname parsing
  - debian/patches/CVE-2023-6004-regression2.patch: increase test coverage
    for IPv6 address parsing as hostnames
  - CVE-2023-6004
* SECURITY UPDATE: Unchecked return values for digests may cause DoS
  - debian/patches/CVE-2023-6918-1.patch: systematically check return values
    when calculating digests
  - debian/patches/CVE-2023-6918-2.patch: detect context init failures
  - debian/patches/CVE-2023-6918-3.patch: code coverage for
    ssh_get_pubkey_hash()
  - CVE-2023-6918
Updated packages:
- libssh-4_0.6.3-4.3ubuntu0.6+tuxcare.els1_amd64.deb
  sha:7663d07aae408e87523e2b56143c35aadc7dff86
- libssh-dev_0.6.3-4.3ubuntu0.6+tuxcare.els1_amd64.deb
  sha:ba0c87366a92d25be72b1690d04bde758ceb4868
- libssh-doc_0.6.3-4.3ubuntu0.6+tuxcare.els1_all.deb
  sha:db15cd41681ceae93d675eb8ff69ca17818ebaa2
- libssh-gcrypt-4_0.6.3-4.3ubuntu0.6+tuxcare.els1_amd64.deb
  sha:6f95b9b58f0696bce454cc85f05cc9b81ac74039
- libssh-gcrypt-dev_0.6.3-4.3ubuntu0.6+tuxcare.els1_amd64.deb
  sha:63985f215e124c3c2b852d339ef3d82ebd3dad40
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections, please contact the CloudLinux Packaging Team.