add notes to CVE-2019-10906/jinja2 entry

This issue is the exact same issue as the one addressed in jinja 2.8.1,
except it is affecting str.format_map instead of str.format. The previous
issue did not receive a CVE number which explains why it is still affecting
jessie and stretch.

Both issues should be addressed together or not at all.