Firmware release notes 4.9.x

DSOS 4.9 availability on main update channel

Important update

On November 18th, DSOS 4.9.3 was released and made available on the main update channel, so players detected it as the latest firmware version. In the next days, we received feedback that some players were experiencing occasional reboots after updating to this version. Our development team investigated and found the root cause: a race condition in the HTML5 engine based on Chromium, which may occur when rendering certain dynamic web pages running background tasks.

To limit the impact, on November 21st (late afternoon CET), we reverted the main update channel back to DSOS 4.8.7, giving the team time to finalize the fix.

For those who wish to test this major firmware update, DSOS versions 4.9.0–4.9.3 remain available on the secondary update channel (links provided below).

Update URLs for DSOS 4.9

DSOS 4.9.0―4.9.3 are not available at the default update locations since they are part of a major release with many changes, which users may want to validate first. It is therefore recommended to update the firmware on one unit, test your content with it, and, if all is fine, then update the rest of your devices. Otherwise, report any backward compatibility issues to SpinetiX Support team.

To update your player to 4.9.x version, connect to Control Center on your player, open Advanced Applications → Firmware, and change the server URI to the one corresponding to your player model:

• iBX440: http://download.spinetix.com/ibx440-next/updates/
• iBX410: http://download.spinetix.com/ibx410-next/updates/
• iBX410W: http://download.spinetix.com/ibx410w-next/updates/
• HMP400: http://download.spinetix.com/hmp400-next/updates/
• HMP400W: http://download.spinetix.com/hmp400w-next/updates/
• HMP350: http://download.spinetix.com/hmp350-next/updates/
• HMP300: http://download.spinetix.com/hmp300-next/updates/
• DiVA: http://download.spinetix.com/diva-next/updates/
• Third-party DSOS players: http://download.spinetix.com/dsos-next/updates/

Known issues

• Players updated to DSOS 4.9.x may experience occasional reboots due to a race condition in the HTML5 engine based on Chromium, which may occur when rendering certain dynamic web pages running background tasks. This will be fixed in the next release.

Release 4.9.3

Improvements

• Improved the display of splash screens during firmware updates to reduce user confusion that may have occurred when updating from versions earlier than 4.9.0, where users might have seen a starting splash screen while the player was actually completing a firmware update.

Fixes

• Perfect Sync was not enabled with projects that contain document layers.
• Under some circumstances, the firmware update process could fail with a "needs more space on the / filesystem" error.

• Sometimes the splash screen changes failed to show on screen when shutting down or initiating a firmware update, and displayed "starting" instead of the intended message.

Security

Updated base libraries and components; the main changes are as follows:

• glib-2.0: fixed CVE-2025-7039, which could affect DSOS.
• libarchive: fixed CVE-2025-5918, which did not affect DSOS.
• mosquito: fixed CVE-2023-28366, which did not affect DSOS.
• php: fixed CVE-2025-1861, CVE-2025-1219, CVE-2025-1217, CVE-2025-1734, CVE-2025-1736 and CVE-2025-1220 which affected DSOS, and fixed CVE-2025-6491 and CVE-2025-1735, none of which affected DSOS.

Updated base libraries and components; the main changes are as follows:

• gstreamer1.0-plugins-base: fixed CVE-2025-47807, CVE-2025-47806 and CVE-2025-47808, none of which affected DSOS.
• gstreamer1.0-plugins-good: fixed CVE-2025-47183 and CVE-2025-47219, which affected DSOS.
• wpa-supplicant: fixed CVE-2022-37660, which did not affect DSOS.

Release 4.9.2

Improvements

• Updated the license texts on the “About” page of Control Center to match the currently shipped software.
• The Recovery Console is updated to version 2.24.0.

Fixes

• Restoring some configuration files resulted in a "Some error occurred: Internal Server Error" error; as a result, some upgrades from DSOS 4.8.x and earlier versions could lose the player configuration.

• The player could crash on content reloads or display power management events when web layers were being used.

Security

Updated base libraries and components; the main changes are as follows:

• tzdata: updated from 2024b to 2025b, affecting Paraguay and Chile
• apache2: updated from 2.4.62 to 2.4.65, fixing CVE-2024-42516, CVE-2024-47252 and CVE-2025-54090, all of which could affect DSOS, and CVE-2024-43394, CVE-2024-43204, CVE-2025-23048, CVE-2025-49630, CVE-2025-49812, CVE-2025-53020, none of which affected DSOS.
• sqlite3: fixed CVE-2025-7458, CVE-2025-6965, all of which could affect DSOS, and CVE-2025-29088 which did not affect DSOS.
• avahi: fixed CVE-2024-52615, which did not affect DSOS.
• binutils: fixed CVE-2025-7545, CVE-2025-7546, CVE-2025-5244, CVE-2025-5245, CVE-2025-1182, CVE-2025-1180, CVE-2025-1182, CVE-2025-1178, CVE-2025-0840, none of which affected DSOS.
• libxml2: fixed CVE-2025-49794, CVE-2025-49796, CVE-2025-6021, CVE-2025-27113 and CVE-2022-49043, all of which could affect DSOS, and CVE-2025-6170, CVE-2025-32415, CVE-2025-32414, CVE-2025-24928 and CVE-2024-56171, none of which affected DSOS.
• ncurses: fixed CVE-2025-6141, which did not affect DSOS.
• gnupg: fixed CVE-2025-30258, which did not affect DSOS.
• iputils: fixed CVE-2025-48964 and CVE-2025-47268, none of which affected DSOS.
• openssl: upgraded from 3.0.16 to 3.0.17 and fixed CVE-2024-41996, which could affect DSOS.
• coreutils: fixed CVE-2025-5278, which did not affect DSOS.
• curl: fixed CVE-2025-0167 and CVE-2024-11053, none of which affected DSOS.
• libsoup-2.4: fixed CVE-2025-4476, CVE-2025-46421, CVE-2025-2784, CVE-2025-32912, CVE-2025-32911, CVE-2025-32913, CVE-2025-32910, CVE-2025-46420 and CVE-2025-32909, none of which affected DSOS, and CVE-2025-4945, CVE-2025-4948, CVE-2025-32907, CVE-2025-4969, CVE-2025-32053, CVE-2025-32052, CVE-2025-32050, CVE-2025-32914, CVE-2025-32906 and CVE-2024-52532, which affected DSOS.
• net-tools: fixed CVE-2025-46836, which did not affect DSOS.
• glibc: fixed CVE-2025-8058, which could affect DSOS, and CVE-2025-4802, which did not affect DSOS.
• glib-2.0: fixed CVE-2025-4373 and CVE-2025-3360, all of which could affect DSOS.
• openssh: fixed CVE-2025-32728 and CVE-2025-26465, none of which affected DSOS.
• busybox: fixed CVE-2023-39810, which did not affect DSOS.
• freetype: fixed CVE-2025-27363, which affected DSOS.
• zlib: fixed CVE-2014-9485, which did not affect DSOS.
• libtasn1: updated from 4.19.0 to 4.20.0, fixing CVE-2024-12133, which affected DSOS.
• libcap: fixed CVE-2025-1390, which did not affect DSOS.
• gnutls: fixed CVE-2024-12243, CVE-2025-6395, CVE-2025-32988, and CVE-2025-32989, all of which affected DSOS, and CVE-2025-32990, which did not affect DSOS.
• jq: fixed CVE-2024-23337, CVE-2024-53427, CVE-2025-48060, all of which affected DSOS.

Updated base libraries and components; the main changes are as follows:

• intel-microcode: updated from version 20250211 to 20250812, fixing CVE-2025-20109, CVE-2025-22839, CVE-2025-22840, CVE-2025-22889, CVE-2025-24305, CVE-2025-32086, CVE-2025-21090, CVE-2024-28956 and CVE-2025-24495.
• grub2: fixed CVE-2025-0690 and CVE-2024-45775, all of which could affect DSOS, and CVE-2025-1118, CVE-2024-45774, CVE-2024-45776, CVE-2024-45777, CVE-2024-45778, CVE-2024-45779, CVE-2024-45780, CVE-2024-45781, CVE-2024-45782, CVE-2024-56737, CVE-2024-45783, none of which affected DSOS.
• gstreamer1.0-rtsp-server: fixed CVE-2024-44331, which affected DSOS.

Release 4.9.1

Fixes

• Custom HTTP headers were not passed to the HTTP request when the data source was CSV.

• Combined multi-screen and multi-output projects would not show correctly on all players.

Known issue

• Updating from DSOS 4.7.0 or earlier will update to DSOS version 4.8.7-3.0, so you need to run the firmware update a second time to update to DSOS version 4.9.1.

Release 4.9.0

New

• Support for obtaining PDF versions of Word, Excel, and PowerPoint files stored on SharePoint and OneDrive, allowing the display of such files on the player.

• Support for perfect display synchronization between multiple players, automatically activated when running a multiscreen project.
• Support for High dynamic range (HDR) decoding and video output. The HDR mode is enabled within the properties of the Elementi project. The player snapshot is also HDR when the video output is in HDR mode.

• Support for AV1 Image File Format (AVIF) and ICC profiles in PNG and JPEG images for wide-gamut color support.
• Support for AOMedia Video 1 (AV1) codec, on platforms that have an AV1 hardware decoder.
• Support for display hot-plug, so that players automatically negotiate the best video mode when the display is connected. By default, the player will use the native resolution of the display.

• Support for using the multi-output display configuration, which Elementi 2025 embeds in the project, for easier setup of multi-output projects.

Improvements

• Improved support for files on SharePoint and OneDrive by obtaining direct URLs, instead of redirect ones, which reduces display latency and supports partial downloads.
• Support for new Unicode CLDR date formatting fields: w (week of year), W (week of month), Y (year in "Week of Year" based calendars), D (day of year).
• The network IP configuration is no longer reinitialized when the network connectivity is recovered after an interruption if the configuration is static; before the static IP address was briefly removed and reinstated, but that could break some existing TCP connections.
• Changed the placeholder URL for jSignage libraries from http to https to avoid false positives from security scanners; the URL is only a placeholder as the libraries are local to Elementi and DSOS.

Operating System
Updated the base Linux distribution to Yocto 4.0 Kirkstone, the major components updated are the following:

• avahi from 0.7 to 0.8
• libcurl from 7.69.1 to 7.82
• replaced dhcp-client 4.4.2 by dhcpcd 9.4.1
• glibc from 2.31 to 2.35
• grub from 2.04 to 2.06
• libmosquitto from 1.6.10 to 2.0.20
• linux-firmware from 20240220 to 20240909
• openssl from 1.1.1w to 3.0.16
• php from 7.4.33 to 8.1.31
• zstd (new) version 1.5.2

Control Center

• The currently used video mode is now shown in the display page.
• Integrated the username and password fields with browser password managers.
• It is now possible to configure 2 stop bits for the serial port.
• Usage of the new "Feature Set" terminology, which replaces "DSOS license".
• The option to disable authentication is now deprecated and will be removed in the next major firmware release.

• Updated the HTML rendering engine to CEF / Chromium 126.
• Updated FFmpeg to version 5.1 for improved HDR video support.
• Support for subtitles encoded directly in the video stream.
• Updated the 2D graphics rendering engine to Skia 119.
• Rate limit the spx.display.webrtc messages as they could fill the logs.

Fixes

• Audio in the background audio playlist would continue to play when the screen is powered off, even if the audio power save option is enabled.
• Using a server certificate with only subject alternative names (SAN) would have misconfigured the redirects on the embedded web server.
• In the exceptional situation that a player started with no network connected and its internal clock was well in the past (several hours or more), the player could hang when network connectivity was resumed due to stepping of the local clock to the NTP reference time after startup. In such cases, the player will no longer freeze, but will instead save the new time and reboot to start afresh with a synchronized clock.
• USB keyboard events could fail to work within a playlist.
• Video streams over HTTP using partial downloads and incorrectly generated ETags could crash the player.

• It was not possible to configure the serial port commands without a serial port device connected.

• Control Center would show 4K video modes, but these players do not support 4K output.
• Variable fonts could crash the player.
• Report can contain legacy `card*-*-edid` files.

Developer

Configuration API

• Support for selecting between “auto” (i.e., negotiated with display) or standard video modes (from HDMI specifications).
• Support for “cvt-R2”, “cbt-R2N”, “cvt-R3”, “cvt-R3L”, “ovt” and “gtf” video modes, while the “cvt-m” and “cvt-Rm” video modes are no longer supported.

Other:

• The HTTP client in the player now supports HTTP/2.
• The SVG uDOM now reports the Feature Set active on the player in the navigator object.