Mark CVE-2019-10086 as no-dsa for stretch and buster

When applying the patch for CVE-2019-10086 the library switches the
default to be secured, and instead one needs to opt-out vs. opt-in and
allow access to the 'class' property.

Might need investigation of affected reverse dependencies for functional
regressions if this is applied for stable releases. This might be safe,
as at least Red Hat and SUSE seem to have done the switch in some of
their products.