Go CVE-2019-6486

(Jakob Borg) #1

Go had a security vulnerability that affects us.

The impact is “just” high CPU if someone attacks you, specifically. As such I consider it quite low risk/impact. The next binary release (v1.0.1) will be built with Go 1.11.5 (fixed).

We’ll include a relay / discovery server release with that, as those are potentially more vulnerable (being more public). Still though, the effect of a DoS isn’t noticed by the public at large, so this is mostly an issue if someone holds a grudge against you personally and thinks you’ll be negatively affected by spent CPU cycles.