github.com/golang/crypto is vulnerable to predictable encryption. When more than 256 GiB of keystream is generated, the amd64 implementation of golang.org/x/crypto/salsa20 and golang.org/x/crypto/salsa20/salsa first generates incorrect output and then cycles back to previously generated keystream.
bugzilla.redhat.com/show_bug.cgi?id=1691529
github.com/golang/go/issues/30965
go.googlesource.com/crypto/+/b7391e95e576cacdcdd422573063bc057239113d
groups.google.com/forum/#!msg/golang-announce/tjyNcJxb2vQ/n0NRBziSCAAJ
lists.debian.org/debian-lts-announce/2019/06/msg00029.html
lists.debian.org/debian-lts-announce/2020/10/msg00014.html
lists.debian.org/debian-lts-announce/2020/11/msg00016.html
lists.debian.org/debian-lts-announce/2020/11/msg00030.html
lists.debian.org/debian-lts-announce/2021/01/msg00015.html
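
The arithmetic behind the 256 GiB threshold, as an added example (not code from golang.org/x/crypto): Salsa20 emits 64-byte blocks, so 256 GiB is 2^32 blocks, and a block counter that advances only in its low 32 bits lands back on block 0. The pure-Go `block` function, the `reuseAtWrap` helper and the truncated-counter model are assumptions made for illustration; the sketch does not reproduce the amd64 assembly or its incorrect-output phase.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"math/bits"
)

// Quarter-round index sets: four column rounds, then four row rounds.
var qrs = [8][4]int{{0, 4, 8, 12}, {5, 9, 13, 1}, {10, 14, 2, 6}, {15, 3, 7, 11},
	{0, 1, 2, 3}, {5, 6, 7, 4}, {10, 11, 8, 9}, {15, 12, 13, 14}}

// block returns the 64-byte Salsa20/20 keystream block for a 64-bit block counter.
func block(key *[32]byte, nonce *[8]byte, ctr uint64) [64]byte {
	le := binary.LittleEndian
	in := [16]uint32{0: 0x61707865, 5: 0x3320646e, 10: 0x79622d32, 15: 0x6b206574}
	for i := 0; i < 4; i++ {
		in[1+i], in[11+i] = le.Uint32(key[4*i:]), le.Uint32(key[16+4*i:])
	}
	in[6], in[7] = le.Uint32(nonce[0:]), le.Uint32(nonce[4:])
	in[8], in[9] = uint32(ctr), uint32(ctr>>32) // counter words: low, high
	x := in
	for r := 0; r < 10; r++ { // 10 double rounds = 20 rounds
		for _, q := range qrs {
			a, b, c, d := q[0], q[1], q[2], q[3]
			x[b] ^= bits.RotateLeft32(x[a]+x[d], 7)
			x[c] ^= bits.RotateLeft32(x[b]+x[a], 9)
			x[d] ^= bits.RotateLeft32(x[c]+x[b], 13)
			x[a] ^= bits.RotateLeft32(x[d]+x[c], 18)
		}
	}
	var out [64]byte
	for i := range x {
		le.PutUint32(out[4*i:], x[i]+in[i]) // feed-forward addition
	}
	return out
}

const wrapBlocks = uint64(1) << 32 // 256 GiB in 64-byte blocks: 2^38 / 2^6
// reuseAtWrap reports whether block 2^32 equals block 0 with a counter truncated
// to 32 bits (assumed model of the failure) and with the full 64-bit counter.
func reuseAtWrap(key *[32]byte, nonce *[8]byte) (truncated, full bool) {
	first := block(key, nonce, 0)
	return first == block(key, nonce, wrapBlocks&0xffffffff),
		first == block(key, nonce, wrapBlocks)
}

func main() {
	fmt.Println(reuseAtWrap(&[32]byte{1, 2, 3}, &[8]byte{9})) // constructed key and nonce
}
```

Repeated keystream under one key and nonce means the XOR of two ciphertext regions equals the XOR of their plaintexts, which is why the wrap matters even though it only occurs past 256 GiB.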