As MITRE will not go to reject the CVE entry as clarified on a request
done by Sylvain Beucler, track explicitly the source package and use the
same fixed versions as for CVE-2018-10754.

The duplication was earlier already confirmed by Sven Joachim back in
2018 and lead us to mark it as a duplicate. As MITRE won't reject the
CVE, let's track the source package explicitly.

Thanks: Sylvain Beucler for prodding again MITRE CNA on clarification
for possible rejection.