Add CVE-2019-3685/osc (mark for now as undetermined)

The issue might affect src:osc only starting from upstream 0.165.0 but
the Red Hat report at
https://bugzilla.redhat.com/show_bug.cgi?id=1737797 does not provide
enough information to be sure on it. For now mark it as undetermined and
try to find out more on the issue.