SSH ProxyCommand == unexpected code execution (CVE-2023-51385)

From the OpenSSH update:<p>“Although we believe it is the user&#x27;s responsibility to ensure validity of arguments passed to ssh(1), especially across a security boundary such as the git example above, OpenSSH 9.6 now bans most shell metacharacters from user and hostnames supplied via the command-line. This countermeasure is not guaranteed to be effective in all situations, as it is infeasible for ssh(1) to universally filter shell metacharacters potentially relevant to user-supplied commands.” --<a href="https:&#x2F;&#x2F;www.openssh.com&#x2F;txt&#x2F;release-9.6" rel="nofollow noreferrer">https:&#x2F;&#x2F;www.openssh.com&#x2F;txt&#x2F;release-9.6</a><p>It&#x27;s not quite a “root can do things as root” CVE, but honestly it&#x27;s not far off that level of “well, duh”. You can&#x27;t inject untrusted input (a hostname in this case) into a general purpose command stream (i.e., the arguments to bash -c or an exec call), and not expect to have trouble.

Wow, this is a security vulnerability potentially affecting me. I&#x27;m using ProxyCommand because GitHub is randomly blocked by the China GFW.