CVE-2019-6110/openssh: Add note on reasoning of upstream about vulnerability

Upstream states for CVE-2019-6110:

> We don't consider the report relating to stderr to be a vulnerability -
> lots of stuff depends on stderr being present (e.g. login warning
> banners that some people inexplicably love) and it's impractical for
> scp to selectively process them. The machine you just logged into can
> print junk to your screen, so what?