remove qemu and libvirt from the tracker, while they are needing changes

  (and will receive updates), they are not directly vulnerable (same
  procedure as for previous cpu vulnerabilities
some poppler issues ignored for stretch