Update openjpeg status

Description

There were 5 vulnerabilities in openjpeg and 4 of them are fixed.
The current status is described in [1] as follows:

  • CVE-2017-17479 and CVE-2017-17480 were fixed in r477112.
  • CVE-2018-5785 was fixed in r480624.
  • CVE-2018-6616 was fixed in r489415.
  • CVE-2018-5727 is not fixed yet.

Though I keep committing fixes and updating the status, it does not show in the
"pkg audit" result. Users have to follow the link but apparently few people
would do that. Therefore, I got mails asking if the CVEs are fixed, etc.

I don't know if there's a better way to handle this condition (partly fixed over
several months). Instead of removing fixed CVEs from vuln.xml, I decided to add
a new entry (5efd7a93-2dfb-11e9-9549-e980e869c2e9) which is split from the old
entry (11dc3890-0e64-11e8-99b0-d017c2987f9a). It should be clearer for users if
they only read the "pkg audit" result.

[1] https://www.vuxml.org/freebsd/11dc3890-0e64-11e8-99b0-d017c2987f9a.html

Details

Provenance
Authored by sunpoet
Parents: rP492722: Update to 99.9.21