Update tracking for CVE-2018-11037/exiv2

It is unfortunately not fully clear if this issue only ever affected
experimental. But the printStructure part was dropped in 0.27 upstream.
To play on the safe side consider versions before 0.27 as affected
(better wrongly mark something as affected, than the other way around)
and mark the first version based on 0.27 upstream which entered unstable
as the fixed one.

Furthermore the issue is minor (information leak via crafted file) and
can be considered no-dsa.