Add CVE-2019-10072 to Apache Tomcat

Advisory for #21 (closed)

To be checked:

• identifier should be the CVE id when it exists.
• package_slug refers to a package listed on Gemnasium.
• title is a short description. It does not contain the package name.
• description must not contain an overview of the package, fixed versions, affected versions, solution or links.  It leverages the Markdown syntax.
• date is the date on which the advisory was made public.
• not_impacted lists old versions that are not impacted, if any, the fixed versions.
• solution tells how to remediate the vulnerability.
• urls must contain URLs specific to the vulnerability, not URLs generic to the package itself.
• uuid must be null or omitted. It's set when publishing the advisory on Gemnasium.