Remove listing of CVE-2019-12384 as workaround

It was fixed already in 2.9.8-3 which was in buster. But it got included
in the stretch-security update. The DSA entry will cross reference for
both codename suites, but then mark 2.9.8-3+deb10u1 as the first version
in buster containing the fix. Thus remove the CVE from the list and keep
the explicit [stretch] tagged entry in data/CVE/list.