Update entries for CVE-2019-20168 and CVE-2019-20169
As "the PoC does not crash" cannot be taken as the sole argument for marking a version as not affected, but quite some effort was put into triaging these, I did not want to revert them to an unfixed state based on that alone. I tried to dig further into the issues to find out where exactly each was introduced.

For CVE-2019-20168 the PoC makes the vulnerability visible at least starting in v0.8.0, though use_dump_mode itself was already introduced earlier (in v0.7.0).

For CVE-2019-20169 the PoC makes the issue immediately visible at least from 9ea1fb398916 ("made isobmf dump use source box order"), and the fix applied by upstream directly refers to it.

This was verified by directly bisecting the git repository with the help of the PoC and further checking the affected code paths. The end result is still not fully satisfactory, so further reviewers please take it from here. CVE-2019-20169 seems well covered; CVE-2019-20168 might need some additional verification.