Distributions backport security fixes without bumping the upstream
OpenSSH version, so a banner like "OpenSSH_9.2p1 Debian-2+deb12u3" was
wrongly flagged for regreSSHion despite carrying the fix.
Thread the banner vendor comment into analyseBannerVulns and add a
per-CVE VendorFixes table recording the earliest patched package
revision per distro/upstream version. Revisions are compared with a
faithful port of dpkg's verrevcmp ordering. Populated for CVE-2024-6387
from DSA-5724-1 (Debian) and USN-6859-1 (Ubuntu).