Two security-related issues were recently reported, and to address these issues we have just released Go 1.6.1 and Go 1.5.4.
We recommend that all users update to one of these releases (if you're not sure which, choose Go 1.6.1).
The issues addressed by these releases are:
On Windows, Go loads system DLLs by name with LoadLibrary, making it vulnerable to DLL preloading attacks. For instance, if a user runs a Go executable from a Downloads folder, malicious DLL files also downloaded to that folder could be loaded into that executable.
Thanks to Taru Karttunen for identifying this issue.
Go's crypto libraries passed certain parameters unchecked to the underlying big integer library, possibly leading to extremely long-running computations, which in turn makes Go programs vulnerable to remote denial of service attacks. Programs that use HTTPS client certificates or the Go SSH server libraries are exposed to this vulnerability.
Thanks to David Wong for identifying this issue.
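The second issue is a case of missing input validation in front of big-integer arithmetic. The following is an added example, not code from the Go project or from this announcement: it shows the kind of bounds check an application can run on a peer-supplied key before any `math/big` operation touches it. The announcement does not name the parameters involved, so the choice of a DSA public key, the helper names `checkDSAPublicKey` and `verifyChecked`, and the size table are assumptions made for illustration.

```go
package main

import (
	"crypto/dsa"
	"errors"
	"fmt"
	"math/big"
)

// Accepted (L, N) bit lengths for P and Q, matching crypto/dsa's ParameterSizes.
var allowedSizes = map[[2]int]bool{
	{1024, 160}: true, {2048, 224}: true, {2048, 256}: true, {3072, 256}: true,
}

// checkDSAPublicKey (hypothetical helper) rejects peer-supplied keys whose
// parameters would make math/big do unbounded work. Sign checks come first:
// big.Int.Exp treats a zero modulus as "no modulus" and computes x**y in full.
func checkDSAPublicKey(pub *dsa.PublicKey) error {
	if pub == nil || pub.P == nil || pub.Q == nil || pub.G == nil || pub.Y == nil {
		return errors.New("missing parameter")
	}
	if pub.P.Sign() <= 0 || pub.Q.Sign() <= 0 {
		return errors.New("P and Q must be positive")
	}
	if !allowedSizes[[2]int{pub.P.BitLen(), pub.Q.BitLen()}] {
		return errors.New("unsupported P/Q size")
	}
	if pub.G.Cmp(big.NewInt(1)) <= 0 || pub.G.Cmp(pub.P) >= 0 {
		return errors.New("G out of range")
	}
	if pub.Y.Sign() <= 0 || pub.Y.Cmp(pub.P) >= 0 {
		return errors.New("Y out of range")
	}
	return nil
}

// verifyChecked validates the key before handing it to dsa.Verify.
func verifyChecked(pub *dsa.PublicKey, hash []byte, r, s *big.Int) bool {
	return checkDSAPublicKey(pub) == nil && dsa.Verify(pub, hash, r, s)
}

func main() {
	// Constructed sample: a key with a zero modulus, as received from an untrusted peer.
	bad := &dsa.PublicKey{Parameters: dsa.Parameters{P: new(big.Int), Q: big.NewInt(5), G: big.NewInt(2)}, Y: big.NewInt(3)}
	fmt.Println(checkDSAPublicKey(bad))
}
```

The check covers sizes and ranges only, not primality, and it complements rather than replaces updating to a fixed Go release.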