Mark CVE-2017-1001001/pluxml as fixed via unstable upload

Upstream has not yet properly fixed it, but the Debian package with the
5.6-1 uploads adds a mitigation for CVE-2017-1001001 and sets explicitly
session.cookie_httponly to true.

Details: https://github.com/pluxml/PluXml/issues/253