Mark CVE-2018-15746/qemu as no-dsa

Eventually we can as well just mark it as <ignored>. The seccomp support
is only enabled later, sourcwise we would be affected already before.

Note to reviewers: I would tend to prefer to mark correctly the
source-wise status and have it marked as affected, but make clear no DSA
is needed. So we could change <no-dsa> to <ignored> instead.