Update status for CVE-2018-7440 and CVE-2018-3836

Since the incomplete fix for CVE-2018-3836 was not applied to stretch
and jessie, mark those versions as not affected (with explanation). Add
a note to CVE-2018-3836 to make sure the issue is completely fixed
if/once it's adressed for stretch and jessie.