Some bug fixes did not happen to have a CVE number in the NEWS file.
Added also NEWS-security.md to aggregate the security fixes in Evince
across branches. For example, CVE-2017-1000083 affected only until
version 3.24, which was already branched. Therefore, it does not
appear in the NEWS file from master. Sometimes, people want to have
a quick look if CVE are fixed in a product. By adding this file, we
hope we can cope with that need.
Fixes#864