In addition to having security vulnerability fixes reported within each
release note page, consolidate all of them in a new vulnerabilities
document.
This gives us two advantages: 1. The vulnerabilities can easily be
referenced in a single place, which is useful for someone trying to
cross reference against CVE lists, and 2. It allows a release to be made
with just CVE numbers when issues are under embargo, and the details can
be added to this vulnerabilities page. The release notes will be locked
to a tag, and updates will not be visible.
Signed-off-by: David Brown <david.brown@linaro.org>