- haproxy (2.2.9-2+rpi1+deb11u5) bullseye-staging; urgency=medium
++haproxy (2.2.9-2+rpi1+deb11u6) bullseye-staging; urgency=medium
+
+ [changes brought forward from 1.8.19-1+rpi1 by Peter Michael Green <plugwash@raspbian.org> at Thu, 14 Mar 2019 20:25:01 +0000]
+ * Link with libatomic on armhf too.
+
- -- Raspbian forward porter <root@raspbian.org> Sat, 13 May 2023 11:21:57 +0000
++ -- Raspbian forward porter <root@raspbian.org> Fri, 05 Jan 2024 18:45:26 +0000
++
+ haproxy (2.2.9-2+deb11u6) bullseye-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * BUG/MAJOR: http: reject any empty content-length header value
+ (CVE-2023-40225) (Closes: #1043502)
+ * MINOR: ist: add new function ist_find_range() to find a character range
+ * MINOR: ist: Add istend() function to return a pointer to the end of the
+ string
+ * MINOR: http: add new function http_path_has_forbidden_char()
+ * MINOR: h2: pass accept-invalid-http-request down the request parser
+ * BUG/MINOR: h1: do not accept '#' as part of the URI component
+ (CVE-2023-45539)
+ * BUG/MINOR: h2: reject more chars from the :path pseudo header
+ * REGTESTS: http-rules: verify that we block '#' by default for
+ normalize-uri
+ * DOC: clarify the handling of URL fragments in requests
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Sat, 23 Dec 2023 11:02:19 +0100
haproxy (2.2.9-2+deb11u5) bullseye-security; urgency=high
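
Review bot: the new top stanza (2.2.9-2+rpi1+deb11u6) keeps urgency=medium, although the upload it merges, 2.2.9-2+deb11u6, is a bullseye-security upload at urgency=high that fixes CVE-2023-40225 and CVE-2023-45539. Consider raising the urgency on the rpi1 stanza to high so it reflects the security content it carries. That stanza also lists only the libatomic change brought forward from 2019, so a reader has to go to the next entry to learn that this version contains security fixes; one line naming the merged security upload would make that visible. Separately, rejecting '#' in the h1 URI and more characters in the h2 :path pseudo header changes which requests are accepted by default, and the entry only mentions accept-invalid-http-request in passing. A short NEWS note saying that this option governs the relaxed behaviour would help administrators whose clients send such URIs.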