I'm going to wait at most 1 hour to get feedback on this update as we don't want it going out too long afer the releases. It has already been reviewed by those working on the security release.

Published to the nodejs-sec mailing list so going to go ahead and land. We can always tweak afterwards

Landed as 5a6ae96

Is it possible to get a link added to this announcement that explains the vulnerability and what sort of code might be exploitable by an attacker? Linking to a set of slides that can't be understood without a lot of missing context filled in doesn't seem adequate.

This thread is a great explanation: https://twitter.com/mathias/status/884856878722842629

Discussion is happening in this thread: nodejs/node#14171

@hashseed also did a great writeup of it here