Update CVE-2017-11334, CVE-2018-12617, CVE-2018-15746 for qemu/jessie.

CVE-2017-11334 - marked "no-dsa" (minor issue) for wheezy; the code in
jessie is substantially different from upstream and given the low
severity of the issue it makes sense to follow the path taken for wheezy
rather than try to adapt the upstream patch to jessie

CVE-2018-12617 - marked "postponed" (minor issue) for stretch; it makes
sense to follow the same for jessie

CVE-2018-15746 - marked "no-dsa" (minor issue; only enabled by default
later) for stretch; since the same default configuration exists in
jessie, it makes sense to follow the same