teeworlds logo

Hello tees,

It has been two weeks since 0.6.5 and 0.7.0 were successively released, hastily. This was triggered by the exploit of some vulnerabilities in the Teeworlds servers.

The 0.6 connection protocol has a weakness that allows to occupy slots on any server from a spoofed IP, as well as to use them for a reflection attack. This vulnerability was assigned CVE-2018-18541.

If you are looking to patch modified 0.6 servers, you should apply a263185, aababc6, and f5fa1a9.
In simple terms, this will namely shield them against those "(connecting client)" that fill most 0.6 servers to this date.

In addition to that fix, the 0.7 connection protocol partially fixes the server browser reflection attack, albeit 1:1 reflection is still possible in 0.7.0 with token request packets. Special thanks to heinrich5991 and Oy for all of those quick fixes.

Adding to that, the master servers have been under DDoS attacks, making it sometimes difficult to get any server at all.

In a first time, a temporary workaround to this is to add many servers to your favorite list (to a max of 256), as the servers are still there, only the masterserver fails to broadcast the list.

In order to permanently improve the robustness of the servers, heinrich5991 has been working on an HTTP protection layer for the masterservers. This requires some sizeable code modifications, namely adding a couple of libraries (curl...), but we're expecting the fix to be deployed shortly.