Update openjpeg status
There were 5 vulnerabilities in openjpeg and 4 of them are fixed.
The current status is described in [1] as follows:
- CVE-2017-17479 and CVE-2017-17480 were fixed in r477112.
- CVE-2018-5785 was fixed in r480624.
- CVE-2018-6616 was fixed in r489415.
- CVE-2018-5727 is not fixed yet.
Though I keep committing fixes and updating the status, it does not show in the
"pkg audit" result. Users have to follow the link but apparently few people
would do that. Therefore, I got mails asking if the CVEs are fixed, etc.
I don't know if there's a better way to handle this condition (partly fixed over
several months). Instead of removing fixed CVEs from vuln.xml, I decided to add
a new entry (5efd7a93-2dfb-11e9-9549-e980e869c2e9) which is split from the old
entry (11dc3890-0e64-11e8-99b0-d017c2987f9a). It should be clearer for users if
they only read the "pkg audit" result.
[1] https://www.vuxml.org/freebsd/11dc3890-0e64-11e8-99b0-d017c2987f9a.html