Merge openssh 1:9.3p1-1 from Debian unstable

Bug #2025664 reported by Nick Rosbrook
Affects: openssh (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Nick Rosbrook

Bug Description

Tracking bug.

Nick Rosbrook (enr0n)
Changed in openssh (Ubuntu):
status: New → In Progress
assignee: nobody → Nick Rosbrook (enr0n)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssh - 1:9.3p1-1ubuntu1

---------------
openssh (1:9.3p1-1ubuntu1) mantic; urgency=medium

  * Merge with Debian unstable (LP: #2025664). Remaining changes:
    - debian/rules: modify dh_installsystemd invocations for
      socket-activated sshd
    - debian/openssh-server.postinst: handle migration of sshd_config options
      to systemd socket options on upgrade.
    - debian/README.Debian: document systemd socket activation.
    - debian/patches/socket-activation-documentation.patch: Document in
      sshd_config(5) that ListenAddress and Port no longer work.
    - debian/openssh-server.templates: include debconf prompt explaining
      when migration cannot happen due to multiple ListenAddress values
    - debian/.gitignore: drop file
    - debian/openssh-server.postrm: remove systemd drop-ins for
      socket-activated sshd on purge
    - debian/openssh-server.ucf-md5sum: update for Ubuntu delta
    - debian/openssh-server.tmpfile,debian/systemd/ssh.service: Move
      /run/sshd creation out of the systemd unit to a tmpfile config so
      that sshd can be run manually if necessary without having to create
      this directory by hand.
    - debian/patches/systemd-socket-activation.patch: Fix sshd
      re-execution behavior when socket activation is used
    - debian/tests/systemd-socket-activation: Add autopkgtest for systemd socket
      activation functionality.
    - d/p/test-set-UsePAM-no-on-some-tests.patch: set UsePAM=no for some tests
    - Ensure smooth upgrade path from versions affected by LP: #2020474:
      + debian/openssh-server.postinst: do not try to restart systemd units,
        and instead indicate that a reboot is required
      + debian/tests/systemd-socket-activation: Reboot the testbed before starting the test
      + debian/rules: Do not stop ssh.socket on upgrade

openssh (1:9.3p1-1) unstable; urgency=medium

  * Debconf translations:
    - Romanian (thanks, Remus-Gabriel Chelu; closes: #1033178).
  * Properly fix date of 1:3.0.2p1-2 changelog entry (closes: #1034425).
  * New upstream release (https://www.openssh.com/releasenotes.html#9.3p1):
    - [CVE-2023-28531] ssh-add(1): when adding smartcard keys to
      ssh-agent(1) with the per-hop destination constraints (ssh-add -h ...)
      added in OpenSSH 8.9, a logic error prevented the constraints from
      being communicated to the agent. This resulted in the keys being added
      without constraints. The common cases of non-smartcard keys and keys
      without destination constraints are unaffected. This problem was
      reported by Luci Stanescu (closes: #1033166).
    - [SECURITY] ssh(1): Portable OpenSSH provides an implementation of the
      getrrsetbyname(3) function if the standard library does not provide
      it, for use by the VerifyHostKeyDNS feature. A specifically crafted
      DNS response could cause this function to perform an out-of-bounds
      read of adjacent stack data, but this condition does not appear to be
      exploitable beyond denial-of-service to the ssh(1) client.
    - ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256 when
      outputting SSHFP fingerprints to allow algorit...

Changed in openssh (Ubuntu):
status: In Progress → Fix Released
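
The changelog above notes that with socket-activated sshd the ListenAddress and Port options in sshd_config no longer work, and that migration cannot happen when there are multiple ListenAddress values. As an added example (not part of this bug report or of the package's maintainer scripts), the shell function below lists those directives in a config so an administrator can see which listen settings sshd will no longer honor. The function names and the sample config are constructed for illustration, and Include files are not followed.

```shell
#!/bin/sh
# Added example (not from the openssh package): list the Port and
# ListenAddress directives in an sshd_config read from stdin.
# Output: "<line> <keyword> <value>" for each directive found.
# Exit status: 0 = none, 1 = found, 2 = more than one ListenAddress.
audit_listen_directives() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # comment or blank line
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            match(line, /^[^ \t=]+/)            # keyword ends at blank or "="
            key = tolower(substr(line, 1, RLENGTH))   # keywords ignore case
            val = substr(line, RLENGTH + 1)
            sub(/^[ \t]*=?[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            if (key == "port" || key == "listenaddress") {
                printf "%d %s %s\n", NR, key, val
                found = 1
                if (key == "listenaddress") n_listen++
            }
        }
        END { exit (n_listen > 1 ? 2 : (found ? 1 : 0)) }
    '
}

# Constructed sample input, not taken from any real host.
sample_config() {
    cat <<'EOF'
# constructed sample sshd_config
Include /etc/ssh/sshd_config.d/*.conf
Port 2222
#Port 22
ListenAddress 10.0.0.5
  listenaddress=192.0.2.10:2222
PermitRootLogin no
EOF
}

rc=0
sample_config | audit_listen_directives || rc=$?
echo "exit status: $rc"
```

On a host, feed it the live file with `audit_listen_directives < /etc/ssh/sshd_config`; an exit status of 2 marks the multiple-ListenAddress case the changelog says cannot be migrated automatically.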