Move back some fixed version items back to data/CVE/list

The reason we had to split these and not list in the respective DSA was
that the DSA did adress issues in jessie and stretch while beeing
supported by the security-team. The set of CVEs though was not
overlapping for the two suites, having some issues affecting stretch but
not jessie. Thus those for beeing fully correct does not be listed in
data/DSA/list otherwise they appear as to be fixed in the respective
version in the jessie upload as well, which would not be completely
correct.

This situation sometimes arise while the security team supports two
suites, but for a source package only one DSA is issued and the set of
CVEs is not overlapping.