FreeBSD 15888C7E-E659-11EC-B7FE-10C37B4AC2EA
Jun 01, 2022 - 12:00 a.m.

go -- multiple vulnerabilities

2022-06-01 00:00:00
vuxml.freebsd.org

CVSS3: 7.8 High
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS: 0.002 Low
Percentile: 52.4%

The Go project reports:

crypto/rand: rand.Read hangs with extremely large buffers
On Windows, rand.Read will hang indefinitely if passed a
buffer larger than 1 << 32 - 1 bytes.

crypto/tls: session tickets lack random ticket_age_add
Session tickets generated by crypto/tls did not contain
a randomly generated ticket_age_add. This allows an
attacker that can observe TLS handshakes to correlate
successive connections by comparing ticket ages during
session resumption.

os/exec: empty Cmd.Path can result in running unintended
binary on Windows
If, on Windows, Cmd.Run, cmd.Start, cmd.Output, or
cmd.CombinedOutput are executed when Cmd.Path is unset
and, in the working directory, there are binaries named
either “…com” or “…exe”, they will be executed.

path/filepath: Clean(.\c:) returns c: on Windows
On Windows, the filepath.Clean function could convert an
invalid path to a valid, absolute path. For example,
Clean(.\c:) returned c:.
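
The crypto/tls item above, as an added example that is not from the Go project or from crypto/tls itself: per RFC 8446, a resuming client sends its ticket age in milliseconds plus ticket_age_add, modulo 2^32. The sketch shows that a fixed offset of zero puts the real age on the wire, while a per-ticket random offset hides it from observers and the issuer can still recover it. All function names and the 90-second sample are assumptions made for illustration.

```go
package main

import (
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"time"
)

// newTicketAgeAdd draws a fresh random 32-bit ticket_age_add for one ticket.
func newTicketAgeAdd() (uint32, error) {
	var b [4]byte
	if _, err := rand.Read(b[:]); err != nil {
		return 0, err
	}
	return binary.BigEndian.Uint32(b[:]), nil
}

// obfuscatedTicketAge is the value sent on the wire at resumption:
// ticket age in milliseconds plus ticket_age_add, modulo 2^32.
func obfuscatedTicketAge(age time.Duration, ageAdd uint32) uint32 {
	return uint32(age.Milliseconds()) + ageAdd // uint32 addition wraps mod 2^32
}

// serverTicketAge undoes the offset; only the ticket issuer knows ageAdd.
func serverTicketAge(wire, ageAdd uint32) time.Duration {
	return time.Duration(wire-ageAdd) * time.Millisecond
}

// exposesAge reports whether the wire value matches, within tolerance, the
// time that elapsed between ticket issuance and resumption.
func exposesAge(wire uint32, elapsed, tolerance time.Duration) bool {
	diff := int64(wire) - elapsed.Milliseconds()
	if diff < 0 {
		diff = -diff
	}
	return diff <= tolerance.Milliseconds()
}

func main() {
	age := 90 * time.Second // constructed sample: ticket used 90 s after issuance
	fixed := obfuscatedTicketAge(age, 0)
	fmt.Println("ticket_age_add = 0:", fixed, "exposes age:", exposesAge(fixed, age, time.Second))
	add, err := newTicketAgeAdd()
	if err != nil {
		panic(err)
	}
	wire := obfuscatedTicketAge(age, add)
	fmt.Println("random ticket_age_add:", wire, "server recovers:", serverTicketAge(wire, add))
}
```
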

OS       Version  Architecture  Package  Version    Filename
FreeBSD  any      noarch        go118    < 1.18.3   UNKNOWN
FreeBSD  any      noarch        go117    < 1.17.11  UNKNOWN
