Index: /branches/rel_ag_9_4_5/openssh/ssh_config
===================================================================
--- /branches/rel_ag_9_4_5/openssh/ssh_config	(revision 20534)
+++ /branches/rel_ag_9_4_5/openssh/ssh_config	(working copy)
@@ -44,3 +44,13 @@
 #   TunnelDevice any:any
 #   PermitLocalCommand no
 PreferredAuthentications publickey,password
+
+# --- CVE-2025-61984 mitigation: ensure %r is quoted in ProxyCommand ---
+# This mitigates username injection via ProxyCommand (%r expansion).
+# If you use ProxyCommand in any Host block, quote the %r token like this:
+#
+ProxyCommand ssh -W %h:%p '%r'@%h
+#
+# This prevents the shell from interpreting control characters in usernames.
+# If you do not use ProxyCommand, you can ignore this section.
+# --- end mitigation block --