RCON password authentication is vulnerable to timing attack
Exposing the RCON server (enabled by setting `enable-rcon=true` and `rcon.password=<password>` in server.properties) to the Internet is obviously insecure, because the protocol, including the password authentication, is entirely plaintext. An administrator may conclude that installing a TLS termination proxy offers sufficient protection, but that conclusion would be wrong: upon receiving an RCON `SERVERDATA_AUTH` packet, the RCON server verifies the RCON password from the packet against the configured RCON password using `java.lang.String.equals`. This method short-circuits, so its run time may reveal information about the password other than its length to an attacker.
2024-03-11, 07:30 PM
2024-04-09, 07:18 AM
2024-04-09, 07:10 AM
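The comparison described in the report, next to a constant-time alternative, as an added example that is not the server's own code. The class name, method names and the sample password are hypothetical; hashing both values with SHA-256 before calling `MessageDigest.isEqual` is one possible mitigation chosen here, not a fix stated in the report.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Added illustration; RconPasswordCheck and its methods are hypothetical names.
public class RconPasswordCheck {

    // The pattern the report describes: String.equals stops at the first
    // difference, so its run time depends on how much of the input matches.
    static boolean checkShortCircuit(String configured, String supplied) {
        return configured.equals(supplied);
    }

    // Hardened form: reduce both values to fixed-length 32-byte digests, then
    // compare them with MessageDigest.isEqual, which inspects every byte and
    // does not return early on a mismatch. Hashing first also keeps the
    // comparison length independent of the supplied password's length.
    static boolean checkConstantTime(String configured, String supplied) {
        return MessageDigest.isEqual(sha256(configured), sha256(supplied));
    }

    private static byte[] sha256(String value) {
        try {
            return MessageDigest.getInstance("SHA-256")
                    .digest(value.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            // SHA-256 is mandatory for every Java platform implementation.
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        String configured = "correct-horse-battery"; // constructed sample value
        String[] attempts = {                        // constructed sample inputs
            "", "c", "correct-horse-batterX",
            "correct-horse-battery", "correct-horse-battery-staple"
        };
        for (String attempt : attempts) {
            boolean legacy = checkShortCircuit(configured, attempt);
            boolean hardened = checkConstantTime(configured, attempt);
            // Both checks must agree on the result; only their timing differs.
            if (legacy != hardened) {
                throw new AssertionError("mismatch for input: " + attempt);
            }
            System.out.printf("%-30s accepted=%b%n", '"' + attempt + '"', hardened);
        }
    }
}
```

Only the last step of the check changes: the accept/reject decision is identical for every input, so the hardened method can replace the `equals` call without altering authentication behaviour.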