Hi Eli et. al.
just wanted to thank you for the background and say that as someone who works in the information security field, I support your decision and reasoning 100%. With a severe security issue, it is much much better to release quickly and have a release which ONLY addresses the security issue. In addition to potentially introducing new issues once you release other changes, bundling more than the security fix can delay adoption as people will tend to be more conservative due to concerns new/changed functionality may impact existing workflows. Limiting the release to just the change necessary to fix the vulnerability reduces concerns and risk and helps to drive more rapid adoption. Thanks to all for their effort.
Tim