Glowstone 2017.8.1

1st September 2017  —  Comments

Hi everyone, we are releasing Glowstone 2017.8.1, which is the first official release to support 1.12.1. Not much has happened since 2017.8.0, but here's the changelog nonetheless:

Additions

• Added support for 1.12.1
• Implemented Experience Orbs
• Implemented Leashes (#538)
• Implemented /effect command (#555)
• Added ambient and death sounds for Ender Dragon
• Added network code for Craft Recipe Response and Crafting Book Data packets
• Started implementation of the Recipe Book, including I/O and network code
• Implemented API methods related to Lightning (#546)
• Added burn-time for all burnable items
• Added option to verify and validate incoming connections (#553)

Changes and Fixes

• Fixed animals not spawning at all due to a mistake
• Optimized function storage using Map instead of List (#537)
• Fixed some issues with library management, and updated some libraries (#540 and #544)
• Fixed an issue with player head-rotation not being sent (#551)
• Fixed an issue with /tp player toplayer not doing anything (#554)
• Fixed shift-clicking in containers, again (#557)

Other Updates

We've had a slow schedule this month, mostly due to everyone being busier than usual.

I have personally stepped down as project lead and have given this responsibility back to mastercoms because I will have much less time to give to this project due to college and other stuff.

Also, I'd like to welcome Postremus to our development team. He has been working a lot on this project recently and has implemented a lot of major features, including leashes this month.

That's it for now, we'll see you guys later! :^)

Glowstone 2017.8.0

4th August 2017  —  Comments

Hello again. Today we are releasing Glowstone 2017.8.0, which is the last release to support Minecraft 1.12. Since 1.12.1 was released, we will now bump our version to 2017.8.1 which will be released at the end of August (unless Mojang pushes another protocol update).

Since we released 2017.7.0 less than a week ago, not much has changed. Here is the changelog since that release:

New Features

• Added Ender Crystals to the end-pillar generation in The End
• Added support for 17w31a clients

Fixes

• Properly handle generators with null spawns (#536)

We are now working on updating Glowstone to 1.12.1, which will be officially supported in the next monthly release (2017.8.1).

Glowstone 2017.7.0

30th July 2017  —  Comments

Hello again! The time has come for us to publish this month's release for Glowstone, 2017.7.0. We have plenty of new features this time around, including boats and paintings, as well as many bug fixes since 2017.6.1.

There has been a total of 40 commits by 8 contributors in July, with 4,491 additions and 730 deletions in 122 files.

New Features

• Implemented some more vanilla commands (FlorrentClarret)
  • /banlist
  • /defaultgamemode
  • /me
  • /playsound
  • /seed
  • /setidletimeout
  • /setworldspawn
  • /spawnpoint
  • /toggledownfall
  • /xp
• Began work on caves (surface caves specifically)
• Added support for multiple passengers (Postremus)
• Better support for off-hand item usage
• Added optional GPGPU surface noise generation (mastercoms)
  • Allows for surface noise generation to be executed by a GPU instead of the CPU
  • See pull-request for more details
• Implemented boats, ender crystals and paintings (Postremus)

Bug Fixes

• Fixed furnaces not showing as 'burning' when smelting items (#474)
• Fixed incorrect argument-length check for /tell
• Fixed players spawning above the map when respawning (#460)
• Fixed player's internal last damage cause not being updated (#456)
• Check for cancelled events in some missing cases (#516)
• Fixed explosions wrongly destroying certain blocks (#515)
• Fixed armor/shield slots not being excluded when sending container contents, causing client errors (#481)
• Fixed /tellraw command parsing
• Fixed errors when loading horses from NBT, including spawn eggs
• Fixed horse babies not being the same color as their parent
• Fixed player entity-interaction being wrongly duplicated in some cases
• Fixed exception when getting tameable entity's owner internally
• Fixed 1.12 parrots-on-shoulders functionality
• Fixed shift-clicking for crafting slots (#525)
• Fixed crafting result slot not being updated in certain cases (#526)

Other Updates

• JavaDocs are now automatically deployed every build
  • You can view the Glowstone JavaDocs here, and Glowkit's here.
• We have continued updating the new Beta site
  • The Beta site is a completely open-source initiative.
  • More information can be found in the official announcement.
• Important: Due to a possible intrusion of our forums database, we recommend you reset your account password on the forums
  • Multiple issues with our Redis database and Proxmox virtualization system have lead to a complete external exposure of its contents (including email addresses and bcrypt-hashed passwords).
  • All data between June 18 and July 25 has been lost due to a technical failure.
  • Please read our report on the intrusion. Feel free to contact us if you have any questions or concerns about this.

Coming Soon

I have personally been working on implementing pathfinding for Entity AI. After several months of on-and-off work on this issue, I have found an efficient solution to implement it, and I am aiming to have it all functional for the next release (2017.8).

We are continuously updating our Beta site with new features, and we are looking forward to your feedback. We are planning to have a complete 'Download Center' for Glowstone on there in the near future!

Intrusion Report (Forums)

28th July 2017  —  Comments

This is a post to notify everyone of a possible intrusion relating to the forum. I have provided a full report in an effort to be as transparent as possible.

Report

Tuesday, 25th July 2017

Momo noticed that the forums were down. I was asleep at the time, and did not get the message until the morning - it was late at night.

Wednesday, 26th July 2017

I got Momo's message, and investigated the problem. I assumed that Redis was down, so I restarted it and updated and restarted the forums, and everything appeared to be working just fine. I noticed that the plugins we had installed were removed, and so I reinstalled them. No configuration data was lost. I also noticed that a couple of posts I had made a day or two before that were missing.

Thursday, 27th July 2017

I noticed that a Nextcloud install on a different VM (my personal install) was using the same database server as a memory cache, despite being configured not to. I reconfigured Nextcloud and removed all of its cached data from the database. Nextcloud did not touch any actual NodeBB data, so that wasn't the cause of the issue.

At this point, we realised that data going back around a month and a half had been lost. Fearing further data loss, I set up some cron tasks to force Redis to save its data and save a backup every hour. I checked the Redis logs and there was nothing abnormal in them, so I assumed the problem was with NodeBB and continued investigating with Momo.

After reading over NodeBB logs, events and errors, we found nothing of interest.

Friday, 28th July 2017

At around 4AM BST, Momo became available again and continued his investigation. He discovered two things:

• Redis was accessible (without a password) from outside of the network
• Redis was failing to save any data due to an error, thus disabling the forums

At around 8:30AM BST, I came online and restarted my investigation.

Due to an issue with Proxmox (the hypervisor I use to manage containers and VMs and keep things compartmentalised), it turned out that the firewall I had configured was not doing its job - instead of dropping all disallowed traffic as it was meant to, it was simply allowing everything. I fixed this problem by setting up a firewall directly on the storage container and this secured it from the outside.

I noticed that Redis was attempting to save data to /var/spool/cron, which is not its usual location. It did not have permission to write there - which is why it was failing to save data. Upon further investigation, I noticed that it was able to overwrite the crontab I had set up earlier - and had done so with the entire contents of the database. At this point, I took down both Redis and NodeBB so that I could fix things up.

I wiped all of the cron storage directories and reinstalled cron. I double-checked the Redis configuration and found nothing unusual, so I restarted that as well. It started up correctly and did not attempt to write to /var/spool/cron again.

I used a GUI tool to inspect the Redis data, and I noticed that the data I had removed previously (from Nextcloud) was still present. I removed it again, and I noticed an extra key that I hadn't seen earlier: It was a randomized key, containing a crontab entry. This crontab was configured to download a shell script from an IP address and execute it.

I grabbed a copy of the script myself and took a look at it, and it simply downloaded a cryptocurrency miner and ran it. Upon investigation, it was clear that this crontab had never been run, and that the attack was supposed to play out as follows:

• Search for compromisable Redis servers
• Add a key with a crontab entry to run the script
• Use the CONFIG SET command to overwrite the crontab with the database
• Wait for the cryptocurrency miner to start

The cron daemon I'm using performs very strict syntax checks and did not run the crontab - as soon as it realised there were invalid "entries" in the file, it errored out.

I removed the key from the database and made sure the forum was running correctly.

Exposure

While there was absolutely no evidence that this attack targetted NodeBB or even Glowstone specifically, precautions should always be taken. As NodeBB stores its entire database in Redis, all of the data therein was exposed. It's impossible to say what the attackers may have taken - if anything - but as always, users should take all of the necessary precautions.

NodeBB stores passwords using bcrypt. This is an industry standard and currently considered very secure, but we still advise users to change their passwords - both on the forums, and on any accounts they own elsewhere that may be using the same password as their forum account. Note that any other data provided during registration and profile modification will have been accessible as well - for example, email addresses.

I have revoked all the user tokens from GitHub OAuth, and reset the client secret, to protect users' GitHub accounts.

I'd like to apologise for this intrusion personally - it definitely shouldn't have happened, and while I'm amazed that it did, it is my responsibility. Please don't attack or bug any of the other staff members - they don't have direct access to any of this stuff.

As far as I am aware, everything is now secure and in working order, but I'm going to continue monitoring and testing throughout the day. Feel free to contact me if you have any questions.

Glowstone 2017.6.1

30th June 2017

Hello! We are releasing Glowstone 2017.6.1 today, the first release which officially supports Minecraft 1.12. This release consists mostly of the update to 1.12, some extra fixes to the server software and some community updates.

1.12

• API and networking updates
• Implementation of some new features
  • Knowledge book (NBT — Basic)
  • New note block sounds
  • Advancements / Advancement manager
  • Command functions (/function)
  • @s command target selector
  • Concrete block
  • Updated beds
  • Basic implementation for parrots
  • Re-implementation of major commands which were removed by the Spigot team (details)

Fixes

• Fixed bug with storage of server UUID (metrics)
• Fixed RCON server startup
• Fixed RCON packet decoding
• Fixed bug with explosion packet only being sent to players that get damaged by the explosion

Changes

• Add "blast resistance" block property for all materials
• TNT explosions are more consistent with Vanilla

Other News

• We are working on a new website! (details)
• Moved CI (building and deployment) to CircleCI, dropping Bamboo
• Glowstone (server software) now has a Contributor License Agreement (details)

Project Lead

Due to recent personal life events, Jessica (otherwise known as mastercoms) has decided to step down as project lead of Glowstone, after 3 years of continuous devotion for this awesome project. I would like to personally thank her for her immense help and love for this community over the past months and years.

The "core" Glowstone project team consists of Jessica, myself and Gareth (a.k.a. gdude2002). This will remain, as Jessica will continue to contribute to Glowstone, but she has decided to let go of her lead responsibilities to focus on other projects and ventures. Since the project still needs a leading entity, I will be taking this responsibility starting this month, and Gareth will continue helping as the project's community lead — he is far more active with the community than I can be.

If you have questions or concerns considering this transition, please feel free to let us know on the forums, Discord, IRC, or privately at your own wish.

Community Updates

In April, satoshinm posted a rather interesting project named WebSandboxMC, which is a WebGL-based in-browser client powered by a Glowstone-compatible Bukkit plugin — essentially allowing you to browse and interact with a Minecraft server directly in the browser.

Over the past month, satoshi has been running a test server to find bugs and missing features in WebSandboxMC and since he's accomplished his goal, the server has been closed. If you're interested in the statistics, you can read all about it in his recent post on the subject.

WebSandboxMC is certainly a very interesting project, and is definitely worth a look by any server admin interested in this kind of interaction!

We now have a CLA

24th June 2017

This is an announcement to let everyone know that we have come up with a CLA, otherwise known as a Contributor License Agreement. It's something we've been thinking about doing for a while, but decided that it deserved extra attention in light of the swift movement on Bountysource.

CLAs can look a bit scary, but every contributor submitting a pull request to Glowstone will be required to sign it. We've attempted to make that process as easy as possible - going forward, any new pull requests will automatically get a comment from the CLA helper. To sign the CLA, simply click the button in that comment and sign in with GitHub on the CLA helper site.

In short, by signing the Glowstone CLA, you confirm that:

• Anyone can use your contributions anywhere, for free, forever
• Your contributions do not infringe on anyone else's rights, including Mojang's

If you'd like to read the CLA yourself, it's available here.

Note that we are not requiring previous contributors to sign the CLA, but if you do sign it, it applies retroactively.

If you would like to sign off your own bat before you make any further contributions or do any more work on your forks, feel free to do so here.

New Site (Beta)

20th June 2017

Hello, fellow Glowstone... ers...?

Welcome to the beta version of the new site! We've decided that the site could use a small facelift and the addition of some much-needed functionality, and this is a preview of what's to come. Some of the things you can look forward to include:

• Better syndication for news
  • Currently, news posts are notified on the forum and across Twitter and Discord, and more can be added easily as required
  • We also have RSS and ATOM feeds available here
• A proper downloads center for everything Glowstone
  • We haven't done tons of work on this yet, but it'll be coming over the following couple of weeks
• A central location to learn about our community and how you can help with the project, as well as better sourcing for documentation

Currently the beta site is in a relatively early stage, and not everything works. We would appreciate if you are able to give us feedback on this - you can do so on GitHub, on the forums, or on Discord.

We want to make sure this site will work well for everyone, so don't be afraid to speak up if there's something you don't like!