CVE-2019-9942,twig: Mark as no-dsa for Jessie.

The sandbox is not enabled by default. Workaround is to blacklist __toString().
We could upgrade to a newer upstream release of the 1.x branch but since the
package is not widely used in general and not by any sponsor I consider this to
be low priority.