CVE: Remote denial-of-service fixed in 0.6.5 #1536
No CVE was requested as far as I know.
The fixing commits for 0.6 are:
(not the ones you specified) plus some dependencies (md5 support).
The vulnerability is the following: Since there was no challenge-response involved in the connection build up, you could send the connection packets from a spoofed IP address and occupy a server slot or even use it for a reflection attack using map download packets.
The reflection problem still exists in 0.6.5 for the server info packets. I don't know about the state of the server info packets in 0.7.0, but I think a 1:1 reflection is still possible.
It is usually up to you or everyone else to decide whether a specific programming error can be deemed a security vulnerability. You can request a CVE at https://cveform.mitre.org/. As a rule of thumb I would always request a CVE when you think that a bug might affect the integrity of a user's system (arbitrary file write, buffer overflows, reading unrelated memory that should never be read, bypassing access controls, etc.), deceiving a user (e.g. XSS attacks) or making a system/application unusable (denial-of-service) like in this case. This question has also been answered here: https://cve.mitre.org/about/faqs.html#what_is_vulnerability.
I only noticed this bug because my own server was attacked only a week ago. It could be mitigated by changing the server port of teeworlds but obviously this wasn't a real solution. The requested CVE id makes sure that all major vendors and distributors will know about this issue. Most of them will now upgrade to your latest upstream release but some might prefer to backport the fixing commits. In any case this raises awareness and will ensure that this issue will be fixed more quickly.
Thanks for providing the links to your fixing commits. I believe this bug report can be closed now. It will then just serve as a reference for others.
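The missing challenge-response step described in this thread, as an added example that is not part of the thread and is not Teeworlds code: a server that allocates a slot only after the client echoes a token derived from its claimed source address, and that never answers a hello with a larger packet. The one-byte packet types (`H`, `C`, `J`, `A`, `F`), the token length and the class and function names are assumptions made for illustration, not the Teeworlds wire format.

```python
import hashlib
import hmac
import os
import struct

TOKEN_LEN = 8  # bytes of truncated HMAC sent as the challenge


def make_token(secret, addr):
    """Stateless challenge bound to the claimed source (ip, port)."""
    ip, port = addr
    msg = ip.encode() + struct.pack("!H", port)
    return hmac.new(secret, msg, hashlib.sha256).digest()[:TOKEN_LEN]


class Server:
    def __init__(self, secret=None, max_slots=16):
        self.secret = secret or os.urandom(32)
        self.max_slots = max_slots
        self.slots = set()  # addresses that proved they receive our replies

    def handle(self, addr, packet):
        """Return the reply for one datagram, or None to stay silent."""
        kind, body = packet[:1], packet[1:]
        if kind == b"H":
            # Hello: allocate nothing. Require padding so the reply is
            # never larger than the request (no amplification).
            if len(body) < TOKEN_LEN:
                return None
            return b"C" + make_token(self.secret, addr)
        if kind == b"J":
            # Join: only a host that received the challenge at addr can echo it.
            expected = make_token(self.secret, addr)
            if not hmac.compare_digest(body[:TOKEN_LEN], expected):
                return None
            if addr not in self.slots and len(self.slots) >= self.max_slots:
                return b"F"  # full
            self.slots.add(addr)
            return b"A"  # accepted
        return None
```

A datagram with a forged source address causes at most one equally sized reply to that address and never consumes a slot, because the sender does not see the token needed for the join.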