Update notes for CVE-2018-20839/{systemd,xorg-server}

The status is overall not yet fully clear. What is clear is that the
original fix introduces regressions and is not the right approach.

Unclear if the tracking and fixing should happen in xorg-server or in
systemd. For now track both source packages an monitor how the
discussion evolve.