DSOS release notes
From SpinetiX Support Wiki
Introduction
DSOS™ by SpinetiX™ is a lightweight, secured operating system designed for digital signage players, especially for demands of defense, financial, cruise vessel and other high-availability scenarios. Native to the HMP400/HMP400W players, DSOS also brings embedded system design to the entire Intel ecosystem, ideal for fanless architectures like Intel Goldmont, but scalable to i5, i7 or i9 when maximum performance matters.
See all the supported players running DSOS.
Release 4.8.5
Improvements
- Improved the pairing PIN display in Control Center, used to add a player to ARYA. The PIN is now hidden by default and a show button is available; this makes sure the displayed PIN is always current.
- Recovery Console is updated to version 2.20.0.
- Improved the clock skew compensation mechanism added in DSOS 4.8.4 to reduce the number of requests needing to be retried.
Fixes
- Failed requests or requests requiring authentication were mistakenly considered as successful, making Pull Mode operations fail when an HTTP proxy was used.
Security
Updated base libraries and components, the main changes are as follows:
- Apache httpd: update from version 2.4.61 to 2.4.62, which fixes CVE-2024-40725, which affected DSOS, and CVE-2024-40898, which did not affect DSOS.
Release 4.8.4
New
- Added support for retrieving SharePoint news posts, including title, description, header image, and link to full article. This social network channel is available within the advanced data feed widgets of Elementi X.
Improvements
- Control Center
- Added the pairing PIN on the main page to ease adding a player to ARYA.
- The display info box no longer shows the "type" item, as the information was misleading and not useful with current platforms.
- Recovery Console is updated to version 2.19.0.
- The Apache httpd version is no longer returned within the HTTP response headers to avoid misdetection of security vulnerabilities, since often vulnerabilities are fixed by backports without increasing the version number.
- Added capability to select audio track by number, using "#n" syntax in the spx:audio attribute.
- Added new spx:rangeRequests attribute to media layers for disabling the use of HTTP byte range requests, for compatibility with servers that do not support them properly.
- Added automatic clock skew compensation so that players or computers whose local clock is off by more than 5 minutes can still communicate with the SpinetiX cloud; the compensation is however limited, as very large offsets break TLS certificate validation anyway.
- Updated EULA to the December 5, 2023, version.
- The Status API now includes information about the present power sources (usb, poe, or poe+usb).
Applies to third-party DSOS players
- Added support for the iQnetiX EMP-III player.
- Added support for the Intel AX101 Wi-Fi module.
Fixes
- SRT streams with multiple audio tracks failed to be decoded.
- Elementi and the player on DSOS did not use the same HTTP user agent string; now they both use "Mozilla/5.0 (compatible) AppleWebKit/537.36 (KHTML, like Gecko) SpinetiX-resac/1.1".
Applies to iBX440 and third-party players using Gen12 Intel GPUs
- The video output streaming feature did not work.
Applies to HMP400, HMP400W, iBX410, iBX410W, iBX440, and third-party players
- The video timings for the 4096x2160@60p-256:135 video mode were incorrect, using 2106 lines instead of 2160 lines, due to a typo.
Applies to HMP300, HMP350, and DiVA
- The "ENERGY_PERF_BIAS set to normal (6)" message was being logged at boot, even if the platform had no ENERGY_PERF_BIAS setting.
Security
Updated base libraries and components, the main changes are as follows:
- curl: fix CVE-2024-2398, which did not affect DSOS.
- httpd: update from version 2.4.58 to 2.4.61, which fixes CVE-2024-24795, CVE-2024-38473, CVE-2024-38474, CVE-2024-38475, CVE-2024-38476, CVE-2024-38477, CVE-2023-38709, CVE-2024-39573 and CVE-2024-39884, which may affect DSOS, and CVE-2024-27316, CVE-2024-38472 and CVE-2024-36387, none of which affect DSOS.
- libxml2: fix CVE-2024-25062, which did not affect DSOS.
- ncurses: fix CVE-2023-50495, which may have affected DSOS.
- openssh: fix CVE-2024-0727, which did affect DSOS.
- shadow: fix CVE-2023-4641, which did not affect DSOS.
- tar: fix CVE-2023-39804, which did not affect DSOS.
Applies to HMP400, HMP400W, iBX410, iBX410W, iBX440, and third-party players.
- linux-firmware: updated from 20231030 to 20240220
- wireless-regdb: updated from 2023.05.03 to 2024.01.23
- intel-microcode: updated from 20230808 to 20240312, fixing CVE-2023-22655, CVE-2023-23583, CVE-2023-28746, CVE-2023-38575, CVE-2023-39368, CVE-2023-43490
Release 4.8.3
Improvements
- Display power schedule changes no longer require a reboot to be applied.
- Recovery console is updated to version 2.18.2.
- It is now possible to configure web page layers to run in secure context, as if they were loaded via HTTPS; this is controlled by the new spx:secureContext attribute, which defaults to false for backwards compatibility. Running in a secure context allows access to some restricted HTML APIs, like audio and video capture, but disables loading of content from HTTP sources.
Applies to iBX440 only.
- Multi-output configurations now support individual rotation of each display, using per output attributes; no particular license is required, but the resulting display layout should be compatible with the installed DSOS license.
Fixes
- The buffer size used for streaming was too small for high resolutions streams with bursty bitrates, and could cause lost video frames from streaming sources.
- Configuring SNMP as "open to everybody" after having configured it to be open for only some IP addresses resulted in SNMP still being partially restricted to those IP addresses.
- The power_state indicator in the display-info did not always reflect the true value of the display power state set by the player.
- The Control Center wizard did not clear the previous display configuration before applying the new one, which could result in mixed display configurations.
- When disabling a display power schedule, not all the related services were disabled; the serial port part remained active.
Applies to iBX440 only.
- Images downloaded from remote servers were downscaled to 4K resolution although decoding 8K images is supported; they are now downscaled to 8K on these players.
Applies to iBX410 and third-party players using Elkhart Lake Intel CPUs
- The video output streaming feature did not work on these players.
Applies to HMP400, HMP400W, iBX410, iBX440, and third-party players
- The unused grub components removed from DSOS in 4.8.2 were not removed during firmware updates, only on newly installed DSOS.
- Spurious error messages related to the "wlan-cfg" network interface from various network daemons appeared when resetting a device to factory default settings.
Applies to HMP300, HMP350, and DiVA
- A spurious "failed to run licensecheck" error message appeared in the system log, but these player models do not need any license check.
Security
Updated base libraries and components, the main changes are as follows:
- binutils: fixed CVE-2022-47007, CVE-2022-47008, CVE-2022-47010, CVE-2022-47011, CVE-2022-48063 and CVE-2022-47695, none of which affected DSOS.
- curl: fixed CVE-2023-46218, which affected DSOS.
- gnutls: fixed CVE-2023-5981 and CVE-2024-0553, both of which may have affected DSOS.
- httpd: update from version 2.4.57 to 2.4.58, which fixes CVE-2023-31122 and CVE-2023-43622, none of which affected DSOS.
- libxml2: fixed CVE-2023-45322, which affected DSOS.
- ncurses: fixed CVE-2023-29491, which did not affect DSOS.
- openssh: fixed CVE-2023-48795 and CVE-2023-51385, none of which affected DSOS.
- sqlite3: fixed CVE-2023-7104, which may have affected DSOS.
- tzdata: updated from version 2023c to 2024a, affecting Ittoqqortoormiit, Vostok, Casey, Palestine, Kazakhstan.
Applies to HMP400, HMP400W, iBX410, iBX440, and third-party players.
Updated Linux kernel from version 5.15.133 to 5.15.137, which fixes the following vulnerabilities.
- That affected DSOS: CVE-2023-42754, CVE-2023-52501, CVE-2023-52580, CVE-2023-52527, CVE-2023-52523, CVE-2023-52522, CVE-2023-52531, CVE-2023-52477, CVE-2023-52504, CVE-2023-52476 and CVE-2023-5717.
- That did not affect DSOS: CVE-2023-52574, CVE-2023-52484, CVE-2023-4563, CVE-2023-52500, CVE-2023-52482, CVE-2023-52511, CVE-2023-52516, CVE-2023-4244, CVE-2023-52517, CVE-2023-52563, CVE-2023-52578, CVE-2023-5197, CVE-2023-52566, CVE-2023-52573, CVE-2023-34324, CVE-2023-52519, CVE-2024-0641, CVE-2023-31085, CVE-2023-52479, CVE-2023-52513, CVE-2023-52529, CVE-2023-52528, CVE-2023-5158, CVE-2023-52475, CVE-2023-52559, CVE-2023-52509, CVE-2023-52510, CVE-2023-52520, CVE-2023-52507, CVE-2023-52515, CVE-2023-52478, CVE-2023-52503, CVE-2023-52502, CVE-2023-35827, CVE-2023-52499, CVE-2023-46343, CVE-2023-52483 and CVE-2023-46813.
- bluez: fixed CVE-2023-45866, which did not affect DSOS.
- flac: fixed CVE-2021-0561, which may have affected DSOS.
- linux-firmware: updated to version 20231030
Release 4.8.2
New
Applies to HMP400, HMP400W, iBX410, iBX440, and third-party players.
- Added support for exFAT filesystems; USB storage formatted as exFAT can now be used like FAT-formatted storage.
Improvements
- Recovery console is updated to version 2.17.1
- The display-info file now supports reporting information about multiple displays on the iBX440.
- Expiration of sign in to Control Center is now also applied to endpoints which are directly served by the Apache httpd server; now all endpoints which can be accessed after signing in to Control Center without further authentication, apply the same expiration.
- The value of the bootcount counter is now explicitly logged on each boot for ease of diagnostics.
- Moved the uploader spx.publish logs from trace to debug level for ease of diagnostics.
Applies to HMP400, HMP400W, iBX410, iBX440, and third-party players
- Enabled transparent huge pages for improved performance, in particular on iBX410, iBX440, and recent third-party players.
- Removed some unused grub components from DSOS to optimize storage use.
- Improved the error logging of the Wi-Fi and 802.1x daemon (iwd) to aid in diagnostics.
- The UEFI Secure Boot database is now re-provisioned on boot if it was cleared from the BIOS.
- The logs from the HTML5 rendering engine (CEF) are now rotated when they exceed 800 KB.
Applies to iBX410 and iBX410W.
- Tuned the system parameters to optimize the performance when heavily loaded and make the performance more consistent and predictable.
Applies to iBX440.
- Display power saving is now applied to all displays on the iBX440.
Fixes
- The "Update Now" button normally shown on the firmware version tile of the Control Center main page when there is a new firmware available was not shown. This was a regression introduced in 4.8.0.
- The Scheduled Download settings UI in Control Center sometimes did not reflect the actual settings. This was a regression introduced in 4.8.0.
- Removed an authentication mechanism in Control Center based on per-user API keys, which was not exposed and was unused.
- Reports taken on third party players with eMMC based storage were missing the recovery data.
- There was a spurious error about missing NTP peers on each boot.
Applies to HMP400W, iBX410, iBX440, and third-party players
- The Wi-Fi configuration interface would not generate a correct configuration if a certificate in PEM format was provided and had Windows or Mac line endings, or was missing a final newline.
Applies to iBX410, iBX440 and third-party players.
- Make sure the Intel Energy performance bias is set to "normal" on boot, irrespective of what the BIOS sets.
- Some miscellaneous drivers were not enabled.
Applies to HMP400, HMP400W, and third-party players
- Connecting a DisplayPort multi-stream capable display would confuse DSOS; DisplayPort multi-stream is now disabled.
- The counter that limits the number of times the EFI boot manager entries may be re-written was not reset on a reset to factory defaults.
- The Wi-Fi automated BSS blacklist timings were too long; misbehaving or misconfigured networks would often be retried only every 24 hours. They are now retried every 10 minutes at most, with the back-off starting at 5 seconds.
Applies to HMP300, HMP350, and DiVA
- It was not possible to adjust content duration in a playlist within the content management interface. This was a regression introduced in 4.8.0.
- Some text animations could lead to a crash and reboot of the player.
- Some 60 Hz stretch displays could report the vertical refresh frequency as 59 Hz instead of 60.
Security
Updated base libraries and components, the main changes are as follows:
- libxml2: fixed CVE-2023-39615, which may have affected DSOS, and CVE-2021-3516, which did not affect DSOS.
- openssh: fixed CVE-2023-38408, which did not affect DSOS.
- bind: fixed CVE-2023-2828 and CVE-2023-3341, which did not affect DSOS.
- php: fixed CVE-2023-3824, which may have affected DSOS, and CVE-2023-3247 and CVE-2022-4900, which did not affect DSOS.
- httpd: fixed CVE-2023-45802, which did not affect DSOS.
- glib-2.0: fixed CVE-2023-29499, CVE-2023-32611, CVE-2023-32636, CVE-2023-32643, CVE-2023-32665, which affected DSOS.
- curl: fixed CVE-2023-28321 and CVE-2023-28322, which affected DSOS, and CVE-2023-38546 and CVE-2023-38545, which did not affect DSOS.
- openssl: updated to version 1.1.1w, fixing CVE-2023-4807, which did not affect DSOS.
- busybox: fixed CVE-2022-48174, which may have affected DSOS.
- dbus: fixed CVE-2023-34969, which did not affect DSOS.
- gawk: fixed CVE-2023-4156, which affected DSOS.
- glibc: fixed CVE-2023-4911 and CVE-2023-4813, which did not affect DSOS.
- binutils: fixed CVE-2023-25584 and CVE-2021-46174, which did not affect DSOS.
- avahi: fixed CVE-2023-1981, CVE-2023-38469, CVE-2023-38470, CVE-2023-38471, CVE-2023-38472 and CVE-2023-38473, which may have affected DSOS.
- shadow: fixed CVE-2023-29383, which did not affect DSOS.
- zlib: fixed CVE-2023-45853, which did not affect DSOS.
Applies to HMP400, HMP400W, iBX410, iBX440, and third-party players.
- flac: fixed CVE-2020-22219, which did not affect DSOS.
- libsndfile: fixed CVE-2021-4156 and CVE-2022-33065, which affected DSOS.
- linux-firmware: updated to version 20230804
- grub: fixed CVE-2023-4692 and CVE-2023-4693, which did not affect DSOS
Applies to iBX410, iBX410W, iBX440, and third-party players.
- Updated the UEFI Secure Boot forbidden signatures list (dbx) to version 2023-05-09 from UEFI.
- Added the 2023 Microsoft UEFI Secure Boot certificates to the signature database (db), "Microsoft UEFI CA 2023" and "Windows UEFI CA 2023".
- Added the "Microsoft Corporation KEK 2K CA 2023" KEK certificate to the UEFI Secure Boot Key Exchange Key (KEK) database.
Developer
- The <display-video-mode> configuration element can now be used without parameters to reset the display video mode for all outputs, thus making it possible to use multiple such tags in an additive way.
- The <hdmi-link-type> configuration element, supported only on DiVA, HMP300, and HMP350 models, would mess up the display configuration instead of being ignored on the other player models. This was a regression introduced in 4.8.0.
Release 4.8.1
New
Applies to HMP400, HMP400W, iBX410, iBX440, and third-party players.
- Added support for High Efficiency Video Coding (HEVC / H.265 / MPEG-H Part 2) streaming sources with SRT, HLS and DASH protocols. This is a Technology Preview Feature.
Improvements
- Recovery Console is updated to version 2.16.2.
Applies to HMP400, HMP400W, iBX410, iBX440, and third-party players
- All users with admin rights now have access to the Recovery Console; requires recovery console version 2.16.2 or higher and becomes effective when a new user is added or a password is changed.
- The EFI boot manager entries and order (i.e., BIOS boot priorities) for DSOS are now re-created if missing or not in the correct order.
- The bootloader and its configuration used by the BIOS to boot DSOS are now updated during a firmware update.
- The player report now includes the device information for license activation, as well as information about the TPM Endorsement Key (EK) and related certificates, for improved diagnostics.
Fixes
- The release name, "Stecknadelhorn", was not properly set.
- The software watchdog rebooted the system via the hardware watchdog instead of the kernel, which made diagnostics confusing. This was a regression introduced in 4.5.0.
- An innocuous "no such table: WEBSTORAGE" error message, without consequence, could appear during boot.
- Fixed PHP warning about undefined offset.
- Animated GIFs would play at a maximum of 10 fps; any animated GIF with a higher frame rate was playing in slow motion.
Applies to HMP400, HMP400W, iBX410, iBX440, and third-party players
- 4K was proposed as the default resolution in the Control Center wizard, instead of 1080p as in 4.7.7 and earlier versions; this was an unintended change in 4.8.0.
- In some cases, players could crash and reboot due to contention on the GPU memory. This was a regression introduced in 4.8.0.
- Sometimes the temperature from the internal sensor could be reported as "not found".
- The configuration backup included a portNumber attribute for serial ports, although it is ignored and useless on players other than DiVA, HMP300 and HMP350.
- Color Emojis could sometimes be accidentally rendered in black and white.
Applies to iBX410 and iBX440 players.
- The "DSOS boot menu" boot option did not show the boot menu, instead it booted DSOS directly.
- The DMC firmware for the GPU on iBX410 and third-party players with Elkhart Lake processors was missing.
- Under rare circumstances, the synchronization of the multiple outputs on the iBX440 could be suboptimal due to CPU scheduling.
- Images in 8K would not display for 8K capable players, such as iBX440.
Applies to HMP400, HMP400W, and third-party players
- The hardware watchdog was not available on HMP400, HMP400W, and Intel NUC 8 Chaco Canyon, only the software watchdog was being used. This was a regression introduced in 4.8.0.
Applies to third-party players
- The bootloader would fail to load on systems which failed TPM measurement operations (e.g., due to buggy BIOS), making the system impossible to boot; this was a compatibility problem introduced in 4.7.5; now TPM measurement errors do not prevent booting.
Security
Updated base libraries and components, the main changes are as follows.
- curl: fixed CVE-2023-32001, which could affect DSOS, and CVE-2023-28320, which does not affect DSOS.
- elfutils: fixed CVE-2021-33294, which does not affect DSOS.
- libcap: fixed CVE-2023-2602 and CVE-2023-2603, all of which could affect DSOS.
- libjpeg-turbo: fixed CVE-2020-35538 and CVE-2023-2804, all of which could affect DSOS.
- ntp: fixed CVE-2023-26551, CVE-2023-26552, CVE-2023-26553, CVE-2023-26554, and CVE-2023-26555, none of which affected DSOS.
- openssl: updated to 1.1.1v, fixing CVE-2023-2650, CVE-2023-0464, CVE-2023-0465, CVE-2023-0466, CVE-2023-3446, and CVE-2023-3817, all of which could affect DSOS.
- procps: fixed CVE-2023-4016, which does not affect DSOS.
- timezone database (tzdata): updated from 2022g to 2023c, affecting Egypt, Morocco, Palestine, Greenland.
Applies to HMP400, HMP400W, iBX410, iBX440, and third-party players
- Linux kernel updated from 5.15.119 to 5.15.133 fixing the following security issues:
- That affected DSOS: CVE-2023-1206, CVE-2022-40982, CVE-2023-40283, CVE-2023-42752, CVE-2023-45871.
- That did not affect DSOS: CVE-2023-31248, CVE-2023-38432, CVE-2023-3866, CVE-2023-2898, CVE-2023-44466, CVE-2023-4132, CVE-2023-3611, CVE-2022-48502, CVE-2023-3865, CVE-2023-35001, CVE-2023-3776, CVE-2023-3863, CVE-2023-20593, CVE-2023-3777, CVE-2023-4004, CVE-2023-4015, CVE-2023-4147, CVE-2023-20569, CVE-2023-20588, CVE-2023-4128, CVE-2023-4208, CVE-2023-4206, CVE-2023-4207, CVE-2023-4569, CVE-2023-39194, CVE-2023-4273, CVE-2023-3772, CVE-2023-4921, CVE-2023-4623, CVE-2023-42753, CVE-2023-39189, CVE-2023-4881, CVE-2023-39193, CVE-2023-39192 and CVE-2023-42755.
- dmidecode: fixed CVE-2023-30630, which does not affect DSOS.
- grub: fixed CVE-2020-27749, CVE-2021-20225, CVE-2021-20233, all of which could affect DSOS.
- intel-microcode: updated to version 20230808, fixing CVE-2022-40982, which affects some of the supported platforms, and CVE-2023-23908 and CVE-2022-41804, none of which affects any of the supported platforms.
- linux-firmware: updated to version 20230515
- wireless-regdb: updated to version 2023.05.03
Developer
- The "restarted" RPC notification sent to RPC Concentrators had an empty bootid value most of the time, in both the parameter and the property of the "info" object.
Release 4.8.0
New
- Added support for the new SpinetiX player models: iBX410 and iBX440.
- Added support for having multiple, perfectly-synchronized, video outputs on supported devices (e.g., iBX440).
Applies to HMP400, HMP400W, iBX410, iBX440, and third-party players.
- Added support for closed subtitling/captioning (CC) on video files or streaming media – subtitles can now be displayed on screen in the selected language; supported formats: EIA-708 (Line 21), Teletext, DVB, DVD, Blu-ray, SSA.
- Added support for SRT protocol for streaming sources. This is a Technology Preview Feature.
Applies to third-party players
- Added support for Intel NUC 11 Atlas Canyon
- Added support for Sharp/NEC SDM with Elkhart Lake CPU.
- Added support for platforms using Intel Tiger Lake CPUs.
Improvements
- Improved the Control Center user interface:
- Reworked the info-boxes on the Control Center home page to include the player model, DSOS license details, serial number, player time.
- Added the power source (PoE/USB) and power consumption info-boxes on HMP400 and HMP400W (hardware revision dependent).
- The source of each DSOS license is now shown; it can be either DSOS or content.
- Replaced "Power" with "Status" in the DISPLAY tab popover to avoid ambiguity.
- A warning is shown if the player time is off with respect to the browser time.
- The check for firmware update is now asynchronous to avoid blocking the PHP server.
- A warning dialog is displayed instead of the configuration wizard if no license is activated on a player.
- The name "uploader" and names starting with a period are disallowed when a user is created to avoid conflicts with internal users.
- When manual DNS is used, the DNS suffix is checked to make sure it is a valid domain name.
- Reworked the Output Streaming section for clarity.
- The "Capture stream packets" option is removed on players that do not support streaming, i.e., on the HMP300 and on players that do not have a SYSTEMS license.
- Added a "Web page data" option under the Operations ⇾ Reset section, to clear the HTML rendering engine data (HTTP cache, HTTP web storage, cookies). The "Web storage" option has been renamed to "Shared variables".
- The display power management controls are now available on third party players.
- The net-snmp daemon is no longer started if SNMP is not enabled; previously it was always started but listening on only localhost by default.
- The system report now includes a decoded dump of the EDID from the screen for improved diagnostics.
- Added capability to select a particular audio track within a video file by setting the spx:audio attribute to a language code (e.g., "ENG", "FRA", "SPA", etc.), "QAA" (for the original language), or "QAD" (for audio description).
Applies to HMP400, HMP400W, iBX410, iBX440, and third-party players
- Updated the HTML rendering engine to CEF / Chromium 95.
- Updated FFmpeg to version 4.4.3 for subtitles support and other improved video support.
- Updated GStreamer to version 1.20
- Added support for Opus audio codec.
- Updated graphics stack to support Intel CPUs with Gen12 (Xe) GPUs.
- The intel-media-driver hardware acceleration decoders are now used on all Intel platforms; the legacy intel-vaapi-driver decoders have been removed since they are no longer used.
- The Linux kernel has been updated from version 5.4 to 5.15.
- Support for Thunderbolt / USB 4 devices has been added.
- The packaging of firmware files for Intel GPUs has been reworked so that only the ones necessary for the supported platforms are included in DSOS.
Fixes
- Added a check to prevent restoring a configuration if the passphrase or the secret key used when it was generated does not match the one configured on the player.
- Display power schedules with invalid on/off time configurations are now forbidden.
- When signing in, users with content rights only are redirected to the user profile page, which is the only one they can access.
- DHCP was shown when a static address was configured.
- Applying a license would tell that a restart was needed even if the license failed.
- Was not using a private directory for the runtime directory.
- The timeout used to connect to DBus was too long and could cause long interruptions if ever the DBus system malfunctioned.
Others:
- Firmware updates could fail with an out of space error when the update included very large packages (e.g., libcef).
- Limit number of log messages for videos that cannot be decoded.
- Show correct bitstream header names in logs.
- Status API - the snapshotURI now points to the correct endpoint.
- Error message on invalid power off time contained incorrect data.
Applies to HMP400 and HMP400W.
- The daemon that gathers data from the microcontroller would report spurious communication errors due to an invalid CRC on some data patterns; this had no effect on the hardware functionality.
Applies to HMP400, HMP400W, and third-party players
- Some of the ancillary filesystems used in DSOS could not store timestamps past 2038 due to limited inode size, and a warning was logged when mounting them; all newly created filesystems are now capable of storing timestamps past 2038.
Applies to third-party players
- The instant messaging service was not announced on Bonjour for these players.
Security
Updated base libraries and components, the main changes are as follows.
- apache2: updated from 2.4.56 to 2.4.57 (fixes minor issues, none security related).
- libxml2: fixed CVE-2023-29469, which could affect DSOS and CVE-2023-28484, which did not affect DSOS.
- freetype: fixed CVE-2023-2004, which could affect DSOS.
- curl: fixed CVE-2023-23916, which affected DSOS, and CVE-2023-27533, CVE-2023-27534, CVE-2023-27535, CVE-2023-27536 and CVE-2023-27538, none of which affected DSOS.
- openssl: fixed CVE-2023-0464, CVE-2023-0465 and CVE-2023-0466, which could affect DSOS.
- ffmpeg: the update from 4.2.4 to 4.4.3 fixed the following security issues, CVE-2019-13312, CVE-2019-13390, CVE-2019-15942, CVE-2019-17542, CVE-2020-12284, CVE-2020-13904, CVE-2020-14212, CVE-2020-20446, CVE-2020-20448, CVE-2020-20450, CVE-2020-20451, CVE-2020-20453, CVE-2020-20891, CVE-2020-20892, CVE-2020-20896, CVE-2020-20898, CVE-2020-20902, CVE-2020-21041, CVE-2020-22015, CVE-2020-22016, CVE-2020-22017, CVE-2020-22019, CVE-2020-22020, CVE-2020-22021, CVE-2020-22022, CVE-2020-22023, CVE-2020-22024, CVE-2020-22025, CVE-2020-22026, CVE-2020-22027, CVE-2020-22028, CVE-2020-22029, CVE-2020-22030, CVE-2020-22031, CVE-2020-22032, CVE-2020-22034, CVE-2020-22035, CVE-2020-22036, CVE-2020-22037, CVE-2020-22038, CVE-2020-22039, CVE-2020-22040, CVE-2020-22041, CVE-2020-22042, CVE-2020-22043, CVE-2020-22044, CVE-2020-22046, CVE-2020-22048, CVE-2020-23906, CVE-2020-24020, CVE-2020-35964, CVE-2020-35965, CVE-2021-30123, CVE-2021-33815, CVE-2021-38090, CVE-2021-38091, CVE-2021-38092, CVE-2021-38093, CVE-2021-38094, CVE-2021-38114, CVE-2021-38171, CVE-2021-38171, CVE-2021-38291, CVE-2021-38291, CVE-2022-1475, CVE-2022-3109 and CVE-2022-48434.
Updated several JavaScript libraries used by the player web interface, such as: jQuery (3.6.0), Bootstrap (3.4.1), Knockout (3.5.1)
- The update of jQuery from 3.2.1 to 3.6.0 fixed CVE-2020-11022 and CVE-2020-11023 (they didn't affect DSOS though).
Applies to HMP400, HMP400W, and third-party players
- Linux kernel updated from 5.4.209 to 5.15.119 fixing the following security issues:
- That affected DSOS: CVE-2020-12362, CVE-2020-12363, CVE-2020-12364, CVE-2020-36691, CVE-2021-3669, CVE-2021-3759, CVE-2021-4148, CVE-2021-4150, CVE-2021-4159, CVE-2021-20239, CVE-2021-29155, CVE-2022-1679, CVE-2022-2588, CVE-2022-3169, CVE-2022-3303, CVE-2022-3524, CVE-2022-3534, CVE-2022-3564, CVE-2022-3586, CVE-2022-3623, CVE-2022-3707, CVE-2022-4662, CVE-2022-20166, CVE-2022-20369, CVE-2022-26373, CVE-2022-41222, CVE-2022-41674, CVE-2022-42703, CVE-2022-42719, CVE-2022-42720, CVE-2022-42721, CVE-2022-42895, CVE-2022-42896, CVE-2022-45887, CVE-2022-45934, CVE-2023-0045, CVE-2023-0160, CVE-2023-0266, CVE-2023-0394, CVE-2023-0458, CVE-2023-0459, CVE-2023-0461, CVE-2023-1073, CVE-2023-1077, CVE-2023-1249, CVE-2023-1582, CVE-2023-2002, CVE-2023-2163, CVE-2023-2513, CVE-2023-2860, CVE-2023-3006, CVE-2023-3161, CVE-2023-3268, CVE-2023-3567, CVE-2023-28327 and CVE-2023-34256.
- That did not affect DSOS: CVE-2019-15794, CVE-2019-19449, CVE-2020-16120, CVE-2020-24504, CVE-2020-27835, CVE-2020-29373, CVE-2020-29534, CVE-2020-36310, CVE-2020-36385, CVE-2021-0929, CVE-2021-4023, CVE-2021-4037, CVE-2021-4218, CVE-2021-20177, CVE-2021-32078, CVE-2021-44879, CVE-2022-0168, CVE-2022-1789, CVE-2022-2153, CVE-2022-2327, CVE-2022-2586, CVE-2022-2602, CVE-2022-2663, CVE-2022-2978, CVE-2022-2991, CVE-2022-3028, CVE-2022-3061, CVE-2022-3108, CVE-2022-3176, CVE-2022-3344, CVE-2022-3424, CVE-2022-3521, CVE-2022-3535, CVE-2022-3542, CVE-2022-3545, CVE-2022-3565, CVE-2022-3594, CVE-2022-3621, CVE-2022-3625, CVE-2022-3628, CVE-2022-3629, CVE-2022-3633, CVE-2022-3635, CVE-2022-3643, CVE-2022-3646, CVE-2022-3649, CVE-2022-4095, CVE-2022-4129, CVE-2022-4269, CVE-2022-4382, CVE-2022-4744, CVE-2022-20148, CVE-2022-20421, CVE-2022-20422, CVE-2022-23816, CVE-2022-27672, CVE-2022-29900, CVE-2022-29901, CVE-2022-34918, CVE-2022-36280, CVE-2022-39189, CVE-2022-39842, CVE-2022-40307, CVE-2022-40768, CVE-2022-41218, CVE-2022-41849, CVE-2022-41850, CVE-2022-42432, CVE-2022-43750, CVE-2022-45886, CVE-2022-45919, CVE-2022-47520, CVE-2022-47521, CVE-2022-47929, CVE-2022-47946, CVE-2023-0240, CVE-2023-0386, CVE-2023-0590, CVE-2023-0615, CVE-2023-1074, CVE-2023-1076, CVE-2023-1078, CVE-2023-1079, CVE-2023-1095, CVE-2023-1118, CVE-2023-1281, CVE-2023-1380, CVE-2023-1382, CVE-2023-1513, CVE-2023-1611, CVE-2023-1670, CVE-2023-1829, CVE-2023-1855, CVE-2023-1859, CVE-2023-1989, CVE-2023-1990, CVE-2023-2124, CVE-2023-2162, CVE-2023-2194, CVE-2023-2248, CVE-2023-2269, CVE-2023-2483, CVE-2023-2985, CVE-2023-3090, CVE-2023-3111, CVE-2023-3117, CVE-2023-3141, CVE-2023-3212, CVE-2023-3220, CVE-2023-3338, CVE-2023-3358, CVE-2023-3390, CVE-2023-3609, CVE-2023-3812, CVE-2023-20928, CVE-2023-23004, CVE-2023-23454, CVE-2023-23455, CVE-2023-23559, CVE-2023-26545, CVE-2023-26607, CVE-2023-28466, CVE-2023-30456, CVE-2023-30772, CVE-2023-31436, CVE-2023-32233, CVE-2023-32269, CVE-2023-33203, 
CVE-2023-33288, CVE-2023-34255, CVE-2023-35788, CVE-2023-35823, CVE-2023-35824 and CVE-2023-35828.
Developer
- Improved the RSS parsing by adding the support for retrieving the default media of a media object/group, defined with the "isDefault" attribute (used by Fox News RSS feeds, for instance).
- Replaced the setInterval timer with an SVG timer in jSignage.UI.fingerTouchClass to prevent safe mode when using the fingerTouch animation within a multiscreen project. Increased the JSignage UI plugin library version to 1.1.2.
- Removed the deprecated tags from the Configuration API, which are not used on models currently supported by DSOS.
- Modified the get_info RPC command to report the power inputs data for the HMP400/W players, when the power flag is provided.
Release 4.7.7 build 2
Fixes
- Publishing or uploading a file larger than 1 GB failed with a "413 Request Entity Too Large" error. This was a regression introduced in 4.7.7.
Release 4.7.7
Improvements
Applies to HMP400, HMP400W, and third-party players
- Control Center now shows the status (e.g., configured, authenticated) of 802.1X on the Ethernet interface in the Network settings page.
Fixes
- Control Center used a low-quality pseudo-random number generator in some cases, although its output was not used for creating sensitive secrets; now all generated pseudo-random data comes from a cryptographically secure generator.
- Incomplete error handling in Control Center could leave temporary directories, and the files within them, behind; they are now properly removed when the operation completes, even in case of error.
- The firmware update component could incorrectly report and apply minor component updates when the update source (e.g., USB stick) was for a firmware version lower than already installed.
Applies to HMP400, HMP400W, and third-party players
- Video-in capture was no longer working; this was a regression introduced in firmware 4.7.6.
- Restoring a configuration backup could sometimes fail with a "file extraction of config failed".
- The Wi-Fi configuration wizard did not allow manually entering a network name (i.e., SSID) if there were no visible networks in range.
- Connecting to a network from the Wi-Fi configuration wizard could fail with a "Connection failed, check password" error, even if the password was correct, in particular if the network is hidden.
Security
Updated base libraries and components, the main changes are as follows.
- apache2: updated to version 2.4.56, fixing CVE-2023-25690, CVE-2006-20001, CVE-2022-37436 and CVE-2022-28614, all of which affected the firmware, and CVE-2023-27522, CVE-2022-36760, CVE-2022-26377, CVE-2022-28330, CVE-2022-28615, CVE-2022-29404, CVE-2022-30522, CVE-2022-30556 and CVE-2022-31813, none of which affected the firmware.
- apr: updated to version 1.7.2, fixing CVE-2022-24963 and CVE-2021-35940, both of which affected the firmware, and CVE-2022-28331, which did not affect the firmware.
- apr-util: updated to version 1.6.3, fixing CVE-2022-25147, which affected the firmware.
- curl: fixed CVE-2022-32221, which affected the firmware, and CVE-2022-35260 and CVE-2022-43552, none of which affected the firmware.
- expat: fixed CVE-2022-43680, which affected the firmware.
- glibc: fixed CVE-2021-3999, which affected the firmware, and CVE-2023-0687, which did not affect the firmware.
- grub2: fixed CVE-2022-28735, which may have affected the firmware, and CVE-2022-2601 and CVE-2022-3775, none of which affected the firmware.
- gnutls: fixed CVE-2023-0361, which affected the firmware.
- gstreamer: updated to version 1.18.4, fixing CVE-2021-3497, CVE-2021-3498 and CVE-2021-3522, all of which affected the firmware.
- harfbuzz: fixed CVE-2023-25193, which affected the firmware.
- libarchive: fixed CVE-2022-36227, which affected the firmware.
- libtasn1: fixed CVE-2021-46848, which affected the firmware.
- libxml2: fixed CVE-2022-40304 and CVE-2022-40303, both of which affected the firmware.
- net-snmp: fixed CVE-2022-44792 and CVE-2022-44793, both of which affected the firmware.
- openssl: updated to version 1.1.1t, fixing CVE-2023-0286, CVE-2023-0215, CVE-2022-4450 and CVE-2022-4304, all of which affected the firmware.
- php: updated to version 7.4.33, fixing CVE-2022-31628, CVE-2022-31629 and CVE-2022-31630, all of which affected the firmware, and CVE-2022-31625, CVE-2022-31626, and CVE-2022-37454, none of which affected the firmware.
- rpm: fixed CVE-2021-3521, which did not affect the firmware.
- tar: fixed CVE-2022-48303, which did not affect the firmware.
- tzdata: updated to version 2022g.
Applies to HMP400, HMP400W, and third-party players
- bluez: fixed CVE-2022-3637, which was unlikely to affect the firmware.
- dnsmasq: fixed CVE-2023-28450, which affected the firmware.
- linux-firmware: updated to version 20230210.
- linux-microcode: updated to version 20230214, fixing CVE-2022-38090, which may have affected some third-party players running DSOS, and CVE-2022-33196 and CVE-2022-21216, none of which affected players compatible with DSOS.
- Linux kernel updated to version 5.4.209, fixing the following security issues:
- That did affect the firmware: CVE-2022-1729, CVE-2022-21499, CVE-2022-1184, CVE-2022-21125, CVE-2022-21166, CVE-2022-21123, CVE-2022-32296, CVE-2021-33656, CVE-2023-2008, CVE-2021-33655, CVE-2022-36123, CVE-2022-1462 and CVE-2022-20566.
- That did not affect the firmware: CVE-2022-28893, CVE-2022-1652, CVE-2023-1838, CVE-2022-20572, CVE-2022-2503, CVE-2022-1012, CVE-2022-1966, CVE-2022-32981, CVE-2022-3577, CVE-2022-32250, CVE-2022-3115, CVE-2022-2318, CVE-2022-33742, CVE-2022-33741, CVE-2022-33740, CVE-2022-26365, CVE-2022-33744, CVE-2022-21505, CVE-2022-36879, CVE-2022-36946 and CVE-2023-2177.
- nss: fixed CVE-2020-25648 and CVE-2023-0767, both of which affected the firmware.
- pixman: fixed CVE-2022-44638, which affected the firmware.
- wireless-regdb: updated to version 2023.02.13.
Release 4.7.6
Improvements
- The DSOS license data is now included in the response of the get_info command of the RPC API and in the Status API.
- The player configuration file is now included in the report when the report is uploaded to a server, via Pull Mode.
- The SNMP functionality is now available on all device models and no longer requires a DSOS license.
- Recovery Console is updated to version 2.13.0 which includes the same core libraries and component updates as firmware 4.7.6-1.0.1.
Applies to HMP400, HMP400W, and third-party players
- Any fatal machine check exception (MCE) messages that cause an immediate reboot are now logged and decoded in the following boot to improve diagnostics.
Fixes
- The player would reboot when the content referenced the player's own hostname, for instance to trigger an RPC command.
- Synchronization of audio and video could be off by a noticeable amount, in particular for streaming sources which use long-delay codecs.
- Fixed an issue where streaming sources which used MPEG-2 Transport Stream (TS) could freeze momentarily every few seconds. This occurred when the MPEG-2 TS only included PCR values every few seconds (violating MPEG-2 TS requirements) and the stream had variable bitrate; it is now avoided by using a more robust stream clock estimator.
- Streams with an incomplete description in their SDP could make the player reboot.
- In some particular conditions (unreliable network connections and feeds with large amounts of data) the jSignage feed cache could fill up resulting in an unhandled exception that would prevent retrying retrieving the feed.
Applies to HMP400, HMP400W, and third-party players
- 802.1x and Wi-Fi enterprise authentication methods using client certificates with a private key (e.g., EAP-TLS) did not work due to a missing component needed to parse the certificates.
Security
Updated base libraries and components, the main changes are as follows.
- dbus: upgraded to 1.12.24, solving CVE-2022-42010, CVE-2022-42011 and CVE-2022-42012, all of which could potentially have affected the firmware.
- dhcp: solved CVE-2022-2928 and CVE-2022-2929, none of which affected the firmware.
- bind: solved CVE-2022-2795, CVE-2022-38177 and CVE-2022-38178, none of which affected the firmware.
- expat: solved CVE-2022-40674, which affected the firmware.
- sqlite3: solved CVE-2020-35527, CVE-2020-35525 and CVE-2022-35737, all of which could potentially have affected the firmware.
- binutils: solved CVE-2022-38533, which could potentially have affected the firmware.
- gnutls: solved CVE-2021-4209, which affected the firmware.
- curl: solved CVE-2022-35252, which affected the firmware.
- tzdata: updated from 2022b to 2022c, which does not affect any timezone.
Applies to HMP400, HMP400W, and third-party players
- linux-firmware: updated from 20220708 to 20220913.
- dnsmasq: solved CVE-2022-0934, which did not affect the firmware.
- bluez: solved CVE-2022-39176, which did not affect the firmware.
Developer
- jSignage API updated to version 1.7.1 following the jSignage feed cache filling up fix.
Release 4.7.5 build 2
Fixes
- Cross-origin requests to the RPC API or the Web Storage REST API using the API key returned CORS errors as if the API key was wrong, due to a build error. This was a regression introduced in 4.7.5.
Release 4.7.5
Improvements
- Control Center now enforces password complexity to improve security, replacing the previous dictionary based password strength check. All passwords must now be at least 8 characters long, and have one upper case letter, one lower case, one digit and one special character. The password complexity check can no longer be disabled.
- Control Center and RPC now recognize licenses distributed via the content, in addition to the traditional DSOS license installed out of band.
- The Enable ARYA / Disable ARYA button in Control Center's Operations page has been removed, as it is a duplicate of the one in Control Center's main page and did not always reflect the current state of the player.
- Accounting logs now have an extended mode which has extra fields, including UTC timestamps and an on/off indicator in the "close" event, which tells whether the screen was on during all the time the media was played or was off during all or part of that time. This extended information is used by ARYA for improved proof of play reports.
- The DSOS license data in the report now includes the source of the license (e.g., content or license file), to facilitate diagnostics.
- Recovery Console is updated to version 2.12.1 which includes the same core libraries and component updates as firmware 4.7.5-1.0.0.
- The endpoints used for weather and feeds widgets can now be updated from the SpinetiX cloud, to support varying endpoints.
- Added support for Google Calendar event attachments.
- Added support for modern variations of RSS format, in particular the "isDefault" attribute used by FOXnews RSS feeds.
Applies to HMP400, HMP400W, and third-party players.
- mcelog is now included to decode Machine Check Exception data for improved diagnostics.
Fixes
- Enabling or disabling ARYA from Control Center or via the RPC API would reset the enrollment configuration, instead of just changing the ARYA enablement state.
- Audio was desynchronized from video, up to 100 to 200 milliseconds depending on the display; this is a regression introduced in 4.7.1.
- Calendar widgets - inline images from Exchange Online calendar events were discarded.
- Yammer widgets - URLs in Yammer posts were no longer detected in some Yammer installations.
- A crash would occur when adding an image layer with its URL pointing to an online PDF file.
Applies to HMP400, HMP400W, and third-party players.
- The graphics driver no longer loads on hardware which is only experimentally supported, to avoid confusion.
Applies to HMP400 and HMP400W.
- Repeated power events could crash the spxucd daemon and reboot the player.
Applies to third-party players.
- Probing of the installed Recovery Console version failed on systems using SATA storage, as a consequence the Recovery Console was not updated on these players during firmware update.
Security
Updated base libraries and components, the main changes are as follows.
- openssh: fixed CVE-2021-41617, which should not affect the firmware.
- grub: fixed CVE-2020-14372, CVE-2020-27779, CVE-2020-25632, CVE-2020-25647, CVE-2021-3981, CVE-2021-3695, CVE-2021-3696, CVE-2021-3697, CVE-2022-28733, CVE-2022-28734 and CVE-2022-28736, plus many other fixes.
- expat: fixed CVE-2022-22822, CVE-2022-22823, CVE-2022-22824, CVE-2022-22825, CVE-2022-22826, CVE-2022-22827, CVE-2021-45960, CVE-2021-46143, CVE-2022-23852, CVE-2022-23990, CVE-2022-25235, CVE-2022-25236, CVE-2022-25313, CVE-2022-25314 and CVE-2022-25315, all of which could potentially have affected the firmware.
- glibc: fixed CVE-2022-23218 and CVE-2022-23219, which may have affected the firmware.
- util-linux: fixed CVE-2021-3995, CVE-2021-3996 and CVE-2022-0563; none of which should have affected the firmware.
- binutils: fixed CVE-2021-45078.
- openssl: updated from version 1.1.1l to 1.1.1q, fixing CVE-2022-0778, which affected the firmware, and CVE-2021-4160, CVE-2022-1292, CVE-2022-2097 and CVE-2022-2068, none of which affected the firmware.
- bind: fixed CVE-2021-25219 and CVE-2021-25220, none of which affected the firmware.
- libxml2: fixed CVE-2022-23308, CVE-2022-29824 and CVE-2016-3709, all of which affected the firmware.
- gzip: fixed CVE-2022-1271, which did not affect the firmware.
- zlib: fixed CVE-2018-25032 and CVE-2022-37434, both of which could have affected the firmware.
- xz: fixed CVE-2022-1271, which did not affect the firmware.
- fribidi: fixed CVE-2022-25308, CVE-2022-25309 and CVE-2022-25310, all of which could have affected the firmware.
- busybox: fixed CVE-2022-28391, which did not affect the firmware.
- curl: fixed CVE-2022-27775, CVE-2022-27776, CVE-2022-27774, CVE-2022-27782 and CVE-2022-32206, all of which affected the firmware, and CVE-2022-22576, CVE-2022-27781, CVE-2022-32207 and CVE-2022-32208, none of which affected the firmware.
- freetype: fixed CVE-2022-27404, CVE-2022-27405 and CVE-2022-27406, all of which affected the firmware.
- ncurses: fixed CVE-2022-29458, which could have affected the firmware.
- e2fsprogs: fixed CVE-2022-1304, which affected the firmware.
- php: updated from 7.4.21 to 7.4.28, fixing CVE-2021-21703, CVE-2021-21707 and CVE-2021-21708, all of which affected the firmware, and CVE-2021-21706, which did not affect the firmware.
- gnupg: fixed CVE-2022-34903, which should not have affected the firmware.
- libjpeg-turbo: fixed CVE-2021-46822, which did not affect the firmware.
- gnutls: fixed CVE-2022-2509, which could have affected the firmware.
Applies to HMP400, HMP400W, and third-party players.
- bluez: fixed CVE-2021-0129, CVE-2021-3658 and CVE-2022-0204, none of which affected the firmware.
- speex: fixed CVE-2020-23903, which could have affected the firmware.
- libinput: fixed CVE-2022-1215, which could have affected the firmware.
- tpm2-tools: fixed CVE-2021-3565, which did not affect the firmware.
- intel-microcode: updated from version 20210608 to 20220809, fixing CVE-2021-33117, CVE-2022-21151, CVE-2021-0146, CVE-2021-0127 and CVE-2022-21233, which affect the firmware depending on the CPU model used by the player hardware.
- linux-firmware: updated from 20211027 to 20220708.
- iwd: updated from 1.20 to 1.29; solving some compatibility issues with Wi-Fi access points and 802.1x enterprise authentication.
- wireless-regdb: updated from 2021.08.28 to 2022.08.12.
- Linux kernel from 5.4.170 to 5.4.193, fixing the following security issues.
- That could have affected the firmware: CVE-2022-0185, CVE-2022-0330, CVE-2022-0617, CVE-2022-0492, CVE-2022-1055, CVE-2022-20008, CVE-2022-0001, CVE-2022-0002, CVE-2022-20368, CVE-2022-1158, CVE-2022-30594, CVE-2022-2977, CVE-2021-4197, CVE-2022-1048, and CVE-2022-0494.
- That did not affect the firmware: CVE-2021-45095, CVE-2021-4155, CVE-2021-43976, CVE-2022-22942, CVE-2022-24448, CVE-2022-24959, CVE-2022-2938, CVE-2022-0435, CVE-2022-0487, CVE-2022-25375, CVE-2022-2964, CVE-2022-25258, CVE-2022-25636, CVE-2022-27223, CVE-2022-26966, CVE-2022-24958, CVE-2022-23038, CVE-2022-23039, CVE-2022-23960, CVE-2022-23041, CVE-2022-23036, CVE-2022-23037, CVE-2021-26401, CVE-2022-23040, CVE-2022-23042, CVE-2022-1199, CVE-2022-1011, CVE-2022-20158, CVE-2022-26490, CVE-2022-28356, CVE-2022-1016, CVE-2022-27666, CVE-2022-28390, CVE-2022-2380, CVE-2022-1353, CVE-2022-1198, CVE-2022-3202, CVE-2022-28389, CVE-2022-3239, CVE-2022-1204, CVE-2022-29581, CVE-2022-2639, CVE-2022-28388, CVE-2022-33981, CVE-2022-1836, CVE-2022-1975, CVE-2022-1734, and CVE-2022-1974.
Developer
- jSignage API updated to version 1.7.0 to include a single common version with the one used on ARYA, for consolidation.
- JSignage Social plugin updated to 1.4.0 - event attachments from Google calendars are now returned in the same way as events from Exchange Online.
- Touch events on web page layers did not bubble up to the SVG content - a "touch" event can now be added to the window object to catch such events within the SVG content.
- The virtualKeyboardRequest event was not generated when focus changed from one web page layer to another, causing problems with virtual keyboards across multiple web layers.
Release 4.7.4 build 2
Fixes
- Cross-origin requests to the RPC API or the Web Storage REST API using the API key returned CORS errors as if the API key was wrong, due to a build error. This was a regression introduced in 4.7.4-1.0.1.
Security
- Fixed a security vulnerability which could allow mounting an XSS attack for escalation of privileges (CVE-2022-38483).
Release 4.7.4
Improvements
- Accessing Control Center's custom HTML interface pages by users who are not signed in to Control Center no longer causes a confusing browser authentication dialog to pop up; users are now redirected to the Control Center sign in instead and then redirected to the custom HTML interface after successfully signing in. A new /uiauth/ path in the web server space is introduced to support this.
- USB storage is now available in Control Center on HMP400, HMP400W and third party players running DSOS regardless of the DSOS license installed. When no DSOS license is installed, USB storage can only be used as a storage extension; when a DSOS license is installed, it can also be used to play content externally copied to the USB storage (e.g., from Elementi).
- Calendar widgets using Exchange online as data source now support showing images attached to the calendar event.
- Improved support for showing images from Yammer feeds.
- Projects using DarkSky as provider for weather information are now transparently redirected to the default provider since DarkSky no longer makes the data available.
- Redirect responses to HTTP requests from the content could be dropped if the body of the redirect was over more than one network packet.
- Recovery console is updated to version 2.11.0 which includes the same core libraries and component updates as firmware 4.7.4-1.0.1.
Fixes
- The manual date and time menu in Control Center had the year drop-down limited to 2021.
- Pull mode would parse the response of a failed HTTP request to a server instead of ignoring it, possibly leading to stopping pull mode actions after a failed HTTP request (e.g., 502 error).
- The status API would show an error about a /srv/raperca/interface/public/index.svg file on HMP400, HMP400W and third party players; although there was no real error.
- The player could crash and reboot when changing the timezone configuration, depending on the newly selected timezone (Moscow would trigger it).
- The player could crash and reboot after publishing a project referencing some special timezones, like Moscow.
- Video streams with URLs ending in .sdp would not play; this is a regression introduced in 4.7.0.
- HMP400, HMP400W and third party players only
- iwd from version 1.9 to 1.20.
- Solves 802.1x compatibility with switches using 802.1x version 2010 (a.k.a. EAPoL version 3) by default.
- Solves Wi-Fi issues with WPA3 authentication, roaming, scanning, authentication timeouts, and many other reliability issues.
- linux-firmware: upgrade from 20210511 to 20211027
- HMP400 and HMP400W only
- The spxucd daemon was not watched by the watchdog daemon.
- Third party players only
- Ignore more patterns of dummy / uninitialized serial numbers in BIOS data, they could cause a failure to enroll in the SpinetiX cloud.
Security
Updated base libraries and components, the main changes are as follows.
- busybox: fixed CVE-2021-42378, CVE-2021-42379, CVE-2021-42380, CVE-2021-42381, CVE-2021-42382, CVE-2021-42384 and CVE-2021-42385 which did not affect the firmware.
- libgcrypt: fixed CVE-2021-33560, CVE-2021-40528 and CVE-2021-33560 which could affect the firmware.
- ncurses: fixed CVE-2021-39537, which could affect the firmware.
- glib-2.0: fixed CVE-2021-2721, CVE-2021-27219, CVE-2021-28153, which could affect the firmware.
- glibc: fixed CVE-2021-38604, CVE-2021-33574 and CVE-2021-35942, which could affect the firmware.
- curl: fixed CVE-2021-22897, CVE-2021-22945, CVE-2021-22946 and CVE-2021-22947, which did not affect the firmware.
- openssh: fixed CVE-2021-28041, which did not affect the firmware.
- squashfs-tools: fixed CVE-2021-40153, which could affect the firmware.
- nettle: fixed CVE-2021-3246, CVE-2021-20305 and CVE-2021-3580, which could affect the firmware.
- apr: fixed CVE-2021-35940, which could affect the firmware.
- dbus: fixed CVE-2020-12049, which could affect the firmware.
- openssl: fixed CVE-2021-3711 and CVE-2021-3712, which could affect the firmware.
- rpm: fixed CVE-2021-20266, which could affect the firmware.
- gnupg: fixed CVE-2020-25125, which did not affect the firmware.
- util-linux: fixed CVE-2021-37600, which did not affect the firmware.
- nss: fixed CVE-2021-43527, CVE-2020-12403 and CVE-2022-22747, which did not affect the firmware.
- apache2 (updated to 2.4.53): fixed CVE-2022-22720, which could affect the firmware, and CVE-2022-23943, CVE-2022-22721, CVE-2022-22719, CVE-2021-44790 and CVE-2021-44224, which did not affect the firmware.
- p7zip: fixed CVE-2016-9296 and CVE-2018-5996, which could affect the firmware.
- tzdata: updated from version 2021a to 2021e, which affects Jordan, Samoa, Fiji and Palestine timezones.
- ca-certificates: updated from version 20210119 to 20211016, which updates the list of trusted certificate authorities, matching that of Firefox 90.
- HMP400, HMP400W and third party players only
- Linux kernel from 5.4.143 to 5.4.170, fixing the following security issues.
- That could affect the firmware: CVE-2022-20141, CVE-2021-20322, CVE-2021-34556, CVE-2021-35477, CVE-2021-3764, CVE-2021-4203, CVE-2021-3744, CVE-2021-41864, CVE-2022-0644, CVE-2021-3752, CVE-2021-3640, CVE-2021-39686, CVE-2021-4002, CVE-2021-4083, CVE-2022-20132 and CVE-2021-39698.
- That did not affect the firmware: CVE-2021-39633, CVE-2021-3753, CVE-2021-3739, CVE-2021-40490, CVE-2021-42252, CVE-2021-20320, CVE-2020-16119, CVE-2021-37159, CVE-2021-20321, CVE-2021-38300, CVE-2021-3894, CVE-2021-4149, CVE-2022-0322, CVE-2021-3896, CVE-2021-43056, CVE-2021-3760, CVE-2021-43389, CVE-2021-3772, CVE-2021-42739, CVE-2021-45868, CVE-2021-4202, CVE-2020-27820, CVE-2021-43975, CVE-2021-39685, CVE-2021-28715, CVE-2021-28714, CVE-2021-28713, CVE-2021-28712, CVE-2021-28711, CVE-2021-4135, CVE-2021-45469, CVE-2022-1195, CVE-2022-20154 and CVE-2021-44733.
Release 4.7.3
Fixes
- Control Center immediately logged out a user when the player clock was not synchronized and more than 8 hours in the past, making it unusable and difficult to recover. This was a regression introduced in firmware 4.7.2.
- The SNMP user configuration was not correctly processed, which had the following consequences:
- If the community string was left at its default "public" value, then only the system MIB subtree was readable.
- Changing the community string to anything else than "public" left the system MIB subtree still readable with the "public" community string, while the complete MIB tree was readable with the configured community string.
- Limiting access to specific IP networks or addresses did not have an effect on the "public" community string.
- The SNMPv2-MIB reported a bogus value for contact and location instead of the empty value, which means "unknown".
- The processes and disk configuration of the UCD-SNMP-MIB was outdated, so some entries in the process table were being flagged in error, some other important ones were missing and some file systems (i.e. disks) were not being listed.
- The custom interface link in Control Center was not displayed if its title was longer than 20 bytes.
- The "Start Recovery Mode" button in the corrupted firmware message was non-functional.
- Corrected minor typos in Control Center messages.
Applies to HMP400 and HMP400W.
- The daemon that reports information from the power management microcontroller was not started on the latest hardware revision (i.e. revision C); this did not have any functional consequence.
Security
Updated core libraries and components, the main changes are as follows:
- apache2: updated to version 2.4.51
- This fixes the following security vulnerabilities which affected the firmware: CVE-2021-40438 and CVE-2021-34798
- This fixes the following security vulnerabilities which did not affect the firmware: CVE-2021-31618, CVE-2020-13938, CVE-2019-17567, CVE-2021-39275, CVE-2021-36160, CVE-2021-33193, CVE-2021-41773, CVE-2021-41524 and CVE-2021-42013
- Note that the following security vulnerabilities were already fixed in firmware 4.7.2 with backported fixes: CVE-2021-30641, CVE-2021-26690, CVE-2021-26691, CVE-2020-35452 and CVE-2020-13950
- nss: fixed CVE-2020-6829 and CVE-2020-12400
- dnsmasq: fixed CVE-2021-3448
Applies to HMP400, HMP400W, and third-party players.
- Updated kernel to version 5.4.143
- This fixes the following security vulnerabilities which affected the firmware: CVE-2021-33624, CVE-2021-3732, CVE-2021-3679 and CVE-2020-3702
- This fixes the following security vulnerabilities which did not affect the firmware: CVE-2020-36311, CVE-2021-3609, CVE-2021-3655, CVE-2021-38160, CVE-2021-38199, CVE-2021-37576, CVE-2021-38198, CVE-2021-38205, CVE-2021-38204, CVE-2021-3653, CVE-2021-3656 and CVE-2021-42008
- Note that the security vulnerability CVE-2021-33909 was already fixed in firmware 4.7.2 with a backported fix.
Unresolved
- The player goes to Safe mode when using clock widgets or date widgets set to Moscow timezone. The workaround is to set the time zone to UTC+03:00 instead.
- The date and time of the player can be manually set after disabling the "Automatic time from Internet (NTP)" option from System → Date & Time, however, the year dropdown is limited to 2021. The workaround is to boot the player into Recovery mode, click the "Diagnostics" button at the top left, set the system date and time, and then reboot the player back to the normal operating mode.
Release 4.7.2
Improvements
- The session duration has been changed to 8 hours (measured from sign-in) to ease usage, and a dialog is shown when the session expires.
- When more than one user exists in Control Center, the player web interface sign-in page no longer unconditionally redirects to ARYA, even if the player is registered in ARYA.
- Power save scheduling options are no longer shown when display power management is disabled, to avoid confusion.
- The advanced configuration of loggers for diagnostics and debugging has been simplified and is now controlled via configuration backup files. The respective page was removed from Control Center.
Recovery Console updated to version 2.10.1
- Includes same core libraries and component updates as firmware 4.7.2-1.0.
- A "firmware update" splash screen is shown during a firmware update via the recovery console (required during an update from firmware 4.6.x or older), instead of the "Recovery mode" default one, to avoid confusion.
Other improvements:
- The locale database (CLDR) was updated to release 39 for improved internationalization.
Applies to HMP400, HMP400W, and third-party players.
- The output volume of audio devices is now adjustable in Control Center's Display & Audio page, with 100% being the default.
- The list of Wi-Fi networks is now shown in Control Center's Network page, with signal quality and connected status.
- The Wi-Fi configurator now checks that the password length is valid for Wi-Fi.
- Improved compatibility of USB video capture devices (Sandberg USB2, Elgato Cam Link 4K, AverMedia ExtremeCap UVC, ATEN CamLive Uc3020) and extended the HDMI capture to support RAW mode. This remains a Technology Preview Feature.
Changes
- The maximum rendering latency is now limited to 1 second. A higher maximum rendering latency of 1500ms could be specified in earlier firmware versions, although the effective limit was often 1 second or less due to hardware constraints and in the cases where a higher latency was possible it interfered with the stream out feature. Any maximum rendering latency value higher than 1 second is now capped, and Control Center no longer proposes higher values; this applies to all player models to ensure consistency.
Fixes
- When doing a firmware update from a USB stick and the firmware update required two passes, the second pass would update from the server and not the USB stick.
- Control Center generated a 500 internal error when the network logs of the uploader were enabled.
- Control Center could show some strings in languages other than English, although only English is supported.
- Literal IPv6 link-local addresses used in the NTP, DNS, default network API server, etc., were not working when the network was configured to use Wi-Fi instead of Ethernet.
- Configuration files that mixed Ethernet and Wi-Fi configuration could leave the network configuration in a wrong state, applying Ethernet configurations to Wi-Fi and vice-versa.
- Enrollment did not follow HTTP redirects received from the enrollment server, now 307 and 308 redirects are followed as expected.
- Double-clicks on an interactive widget inside a document were not correctly detected.
Applies to HMP400, HMP400W, and third-party players.
- Control Center allowed configuring stream out in 4K but not all players are powerful enough to do it, 4K is thus no longer proposed on HMP400, HMP400W and third-party players like Chaco Canyon and ECS Liva Q2.
- The Output Streaming section was showing a "C:\fakepath\" string when uploading a custom XML file; only the base filename is shown now.
- The video stream from the stream out feature stuttered when stream out was configured at a lower resolution than the display and the display was configured at 4K (e.g., 1080p stream out with a 4K display).
- Some USB audio devices would not output audio because their default volume was too low, now all USB audio devices have their volume set to 100% by default.
- Taking a snapshot could briefly pause rendering, snapshots are now taken asynchronously to avoid this effect.
- Windows Hello compatible cameras could appear as two video input devices.
Security
Let's Encrypt certificate chain compatibility
- Removed the expired root certificate "DST Root CA X3" used by Let's Encrypt for cross-signing its own root certificate. Having this certificate caused web page layers to stop rendering on HMP350 and HMP300 on 2021-09-30 for sites with certificates delivered by Let's Encrypt; other player models and other parts of the system were briefly affected by this issue.
Updated core libraries and components, the main changes are as follows:
- tar: fixes for CVE-2021-20193, which should not affect the firmware.
- openssh: fixes for CVE-2020-14145, which should not affect the firmware.
- libxml2: fixes for CVE-2021-3517, CVE-2021-3518 and CVE-2021-3541, which can affect the firmware, and CVE-2021-3537, which should not affect the firmware.
- gnutls: fixes for CVE-2021-20231 and CVE-2021-20232, which can affect the firmware.
- bind: fixes for CVE-2021-25214, CVE-2021-25215 and CVE-2021-25216, none of which should affect the firmware.
- dnsmasq: fixes for CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25687, CVE-2020-25684, CVE-2020-25685 and CVE-2020-25686, none of which should affect the firmware.
- expat: fixes for CVE-2013-0340, which can affect the firmware.
- rpm: fixes for CVE-2021-3421, which should not affect the firmware.
- glibc: fixes for CVE-2021-35942, which can affect the firmware.
- busybox: fixes for CVE-2021-28831, which should not affect the firmware.
- dhcp: fixes for CVE-2021-25217, which can affect the firmware.
- bluez: fixes for CVE-2021-3588, which should not affect the firmware.
- avahi: fixes for CVE-2021-3468, which should not affect the firmware.
- curl: fixes for CVE-2021-22898, CVE-2021-22924 and CVE-2021-22925, none of which should affect the firmware.
- apache2: fixes for CVE-2020-35452 and CVE-2021-26690, which can affect the firmware, and CVE-2020-13950, CVE-2021-26691 and CVE-2021-30641, which should not affect the firmware.
- php: upgrade to 7.4.21, which fixes CVE-2021-21705, which can affect the firmware, and CVE-2021-21704, which should not affect the firmware.
Applies to HMP400, HMP400W, and third-party players.
- Updated kernel to version 5.4.129 to fix the following security issues:
- These could potentially affect the firmware: CVE-2021-29154, CVE-2021-31829, CVE-2021-33034, CVE-2021-32399, CVE-2020-26558, CVE-2021-0129, CVE-2020-24587, CVE-2020-24586, CVE-2020-24588, CVE-2020-26139, CVE-2020-26145, CVE-2020-26147, CVE-2020-26141, CVE-2021-3564, CVE-2021-3573, CVE-2020-26541, CVE-2021-35039
- These do not affect the firmware: CVE-2021-28964, CVE-2021-28972, CVE-2021-28971, CVE-2021-28688, CVE-2021-29264, CVE-2021-31916, CVE-2021-29650, CVE-2021-29647, CVE-2021-3483, CVE-2020-25672, CVE-2020-25673, CVE-2020-25670, CVE-2020-25671, CVE-2021-22555, CVE-2021-23133, CVE-2021-3506, CVE-2021-38208, CVE-2021-3587, CVE-2021-34693, CVE-2021-3743, CVE-2021-22543
- Updated core libraries and components, the main changes are as follows:
- cairo: fixes for CVE-2020-35492, which can affect the firmware.
- linux-firmware: upgrade from 20210208 to 20210511, fixes CVE-2020-26555, CVE-2020-26558 and CVE-2021-0105, which affected the firmware on some platforms.
- intel-microcode: upgrade from 20210216 to 20210608, fixes CVE-2021-24489, CVE-2020-24511, CVE-2020-24512 and CVE-2020-24513, which affected the firmware on some platforms.
- Added backported fix for CVE-2021-33909 (sequoia); the functions necessary to exploit it are not exposed on DSOS, so it is unlikely that DSOS was affected.
Applies to HMP350, HMP300, DiVA players.
- Although not accessible, the root account was not locked; it is now completely locked for increased security.
Developer
- RPC communication was non-functional when the "Password protect RPC admin" option was disabled, affecting communications with Cockpit, ARYA and any third-party RPC concentrator. This is a regression introduced in 4.7.1.
- This option is enabled by default, and disabling it is strongly discouraged (as it removes all security for player administration access).
- Users running firmware 4.7.1 that have disabled this option need to either update the firmware or re-enable the option from Control Center to recover the RPC functionality before updating the firmware.
- The firmware_update ignored the repo_uri parameter when repo_id was not specified.
- A new parameter, web-page-data, added to the reset command, allowing to clear the web content related data (HTTP cache, HTTP web storage, cookies).
Release 4.7.1 build 2
Improvements
- Added the capability to block specific firmware versions from installation via pkg files when delivered via firmware update.
- The update to firmware 4.7.1-1.0.1 and recovery console 2.9.5 are now blocked on HMP350, HMP300 and DiVA players.
- Updated recovery console to version 2.9.6 with the following changes:
- Added the capability to block specific firmware versions from installation via pkg files.
- Installation of firmware 4.7.1-1.0.1 and recovery console 2.9.5 packages are blocked on HMP350, HMP300 and DiVA players.
Fixes
Fixed the following regressions introduced by the migration of HMP350, HMP300 and DiVA players to the common software base of other player models in 4.7.1-1.0.1; the other players are not affected.
- The serial port was not working properly.
- Security vulnerability which could allow local user escalation (CVE-2021-38301).
Release 4.7.1
New
The HMP400, HMP400W, and third-party players now support the playback of content generated by audio/video capture devices connected through USB.
- These devices are accessible in the content using videoin:// and audioin:// scheme URIs.
- When multiple USB audio/video capture devices are plugged, they can be referenced through identifiable indexes in the URIs above, assigned to them from Control Center ⇾ Peripherals settings or by using a configuration backup file.
- High-bandwidth Digital Content Protection (HDCP) protected video-in signal is not supported.
Changes
Applies to HMP350, HMP300, and DiVA.
- The firmware for these player models is now built using the same software base (Yocto), as the HMP400/W players, so they benefit from all the security improvements and base services available on newer models.
- All the features and fixes added in 4.7.0 which are not marked as being specific to other player models now apply to HMP350, HMP300 and DiVA players as well.
- If an older version of the Recovery Console is present, it will be updated through the regular firmware update process.
- The HTML rendering engine used on these players, PhantomJS, is now deprecated and may be removed in a future release as it is no longer maintained upstream. See SpinetiX-SA-21:01 for more details.
- HMP350 and HMP300 players have ARYA enabled by default and maintain a connection to the SpinetiX cloud even when ARYA is not enabled, as it was already the case for DiVA players.
Improvements
- Added support to update the firmware using a package file (.pkg) found among the update files.
- The player will automatically boot in Recovery mode to perform the update and will boot afterwards back in normal mode using the new firmware, the same configuration as before, and with all user data and previous logs preserved.
- The firmware update process decides whether to use the pkg file or the normal update method based on firmware update compatibility requirements from the update files' metadata.
- During the firmware update, the Recovery Console gets updated to version 2.9.5, featuring:
- Added support for an automated firmware upgrade using a pkg file that preserves player configuration and user data; it is used by the main firmware to do firmware updates that cannot be done using the normal method.
- Added a Link-Local Multicast Name Resolution (LLMNR) responder so that Windows systems can find the IP address of the player without registering the players in DNS.
- SDP / UPnP announcements now use the hostname instead of the IP address when the LLMNR responder is not disabled.
- AJAX requests to the recovery console's web server without authentication now return a 403 Forbidden message to avoid unexpected password prompt popups on browsers.
- Updated the iCalendar implementation library (libical) to version 3.0.7 (from 2.0.0).
- Control Center
- Setting a user password which is in a dictionary of known passwords or that contains the username is now refused, unless the user consents to low security passwords, to protect against password spraying attacks; passwords in configuration backup files or set via RPC are not affected by these checks.
- A single "invalid username or password" error is now displayed for both bad password and bad username, to avoid username probing attacks.
- Widgets
- The Yammer widget has been reworked to better reflect how message selection currently works on Yammer.
- Requests for weather data using the Yahoo Weather provider are now re-routed to the default provider to ensure continuity of service, since Yahoo is discontinuing its weather service.
- Percent encoding is now applied to all unreserved characters in URI query strings for better browser compatibility; for instance, this problem prevented some Twitter feed from being displayed.
Applies to HMP400, HMP400W, and third-party players.
- Motion-JPEG videos are now decoded with the hardware accelerator when possible, reducing the CPU load for high resolution MJPEG videos.
- Audio echo cancellation in the HTML engine (disabled by default) can be enabled from Control Center ⇾ Advanced applications settings and/or via a configuration backup file.
Fixes
- A focus event for text input would not be generated if no physical keyboard was connected, making the use of virtual keyboards difficult.
- No caret is shown inside an editable text area.
- The title of an RSS feed was not shown if the title was multi-line and the first line was empty; now the first non-empty line is shown.
- The player can crash when a referenced image is missing from the content.
- Some types of H.264 interlaced videos could crash the player.
Applies to HMP400, HMP400W, and third-party players.
- Firmware update from 4.5.0 directly to 4.7.0 breaks network name resolution after the first update step, effectively disconnecting players from any network services in most cases, and the second update step can never be completed (unless done from a USB stick); updates from firmware 4.5.1 or later to 4.7.0 are not affected. A workaround is now included that makes updating from 4.5.0 directly to 4.7.1 or later possible. A workaround was also put in place in SpinetiX's firmware update server on 2021-05-18 so that players with firmware 4.5.0 are first updated to 4.5.2 and only after that is 4.7.0 proposed for updates.
- Firmware update from a 4.5.0 beta version (4.5.0-0.7, 4.5.0-0.8 or 4.5.0-0.9) directly to 4.7.0 failed due to unsatisfied dependencies; this did not affect the 4.5.0 release version (4.5.0-1.0) nor any later firmware versions.
- Changing the screen rotation configuration could make regular text become italics and vice-versa. Regression introduced in 4.7.0.
- Activation of a TPM bound license could fail due to a race condition with TPM bound license verification in other components.
- HTML rendering engine:
- Solved bad quality and garbled audio when using WebRTC on HMP400 and other devices with similar CPU power; webcams with integrated echo canceling are required for good audio quality.
- Web pages that open new tabs following user interaction now navigate to the location of the new tab.
- Detection of installed external apps to handle custom URL schemes used in HTML pages did not work as expected and left a blank page.
- When attempting to navigate to non-http URLs (e.g., mailto) the HTML layer would become blank; such navigation requests are now ignored and only navigation within the http URL scheme is allowed.
- The player can crash if the web page in an HTML layer closes itself via JavaScript.
- If the HTML engine rendering process crashed, it was not automatically restarted.
- When the HTML engine's GPU rendering process restarted it would fall back to software rendering, decreasing rendering performance.
- Mixing multi-touch interfaces in HTML layers with input elements in SVG layers would not work correctly.
- The logs from the HTML rendering engine (CEF) were not included in the report.
- Streaming:
- RTMP streaming would not start if it was the only stream-out protocol enabled.
- The video output could stutter when stream-out was enabled.
Applies to HMP350, HMP300, and DiVA.
- The player would hang during boot if a custom video mode had width larger than 1920 or height larger than 2047, which is not supported by the hardware; such custom video modes are now refused.
- Some custom video modes with widths not multiple of 8 would fail due to a rounding error.
- The surfaces behind opaque videos could be painted even though they are not visible, resulting in a slightly reduced rendering performance.
- A surround sound option was shown in Control Center, when there is no support for surround sound or multi-channel audio in these players.
Applies to third-party players.
- The name of the main storage device was incorrectly identified when firmware was newly installed from pkg file (regression introduced in 4.7.0-1.0.1-47e24bd6).
Security
- Solved improper RPC user privilege verification; fixes CVE-2021-32034 and CVE-2021-32035.
- Strict mode for PHP session cookies was not enabled, which made Control Center vulnerable to session fixation attacks (referenced as CWE-384); fixes CVE-2021-33817.
- Control Center did not correctly escape command arguments in some cases, which could potentially have been exploited by malicious configuration files or RPC calls, although no attack vectors are currently known.
- The directory where the API security keys are stored had overly wide permissions; they have been narrowed to the strict minimum.
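How strict session mode closes the session fixation issue listed above, as an added Python model (not SpinetiX's or PHP's own code). In PHP the behaviour is controlled by the session.use_strict_mode setting; the class, function and sample id names below are assumptions made for the illustration.

```python
import secrets


class SessionStore:
    """Minimal server-side session table (a model, not PHP's implementation)."""

    def __init__(self, strict):
        self.strict = strict
        self.sessions = {}  # session id -> session data

    def _new_id(self):
        return secrets.token_hex(16)

    def start(self, cookie_sid=None):
        """Return the session id the server will use for this request."""
        if cookie_sid in self.sessions:
            return cookie_sid  # id previously issued or adopted: resume it
        if cookie_sid and not self.strict:
            # Permissive mode: an id the server never issued is adopted as-is,
            # so whoever chose that id shares the session that follows.
            self.sessions[cookie_sid] = {"user": None}
            return cookie_sid
        # Strict mode (or no cookie at all): the server mints the id itself
        # and the unknown client-supplied value is discarded.
        sid = self._new_id()
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid, user, regenerate=True):
        """Mark the session as authenticated; optionally rotate its id."""
        data = self.sessions[sid]
        data["user"] = user
        if regenerate:
            # Defence in depth: a fresh id on every privilege change.
            del self.sessions[sid]
            sid = self._new_id()
            self.sessions[sid] = data
        return sid

    def user_for(self, cookie_sid):
        """Who does the server think is behind this cookie value?"""
        return self.sessions.get(cookie_sid, {}).get("user")


def planted_id_is_authenticated(strict, regenerate):
    """Replay the fixation scenario; True means the planted id ends up logged in."""
    store = SessionStore(strict)
    planted = "constructed-planted-session-id"  # constructed sample value
    # The victim's browser presents a cookie value it did not get from the server.
    sid = store.start(cookie_sid=planted)
    store.login(sid, "admin", regenerate=regenerate)
    # Would a request carrying the planted value now be treated as "admin"?
    return store.user_for(planted) == "admin"


if __name__ == "__main__":
    for strict in (False, True):
        for regenerate in (False, True):
            outcome = planted_id_is_authenticated(strict, regenerate)
            print(f"strict={strict!s:5} regenerate={regenerate!s:5} "
                  f"planted id authenticated: {outcome}")
```

Only the permissive store without id rotation leaves the planted id authenticated; either control alone breaks the scenario, and enabling both covers the case where one is misconfigured.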
Updated kernel from version 5.4.90 to 5.4.106 to fix the following security issues:
- These could potentially affect the firmware: CVE-2021-3347, CVE-2021-3444 and CVE-2021-30002
- These do not affect the firmware: CVE-2021-3178, CVE-2021-3348, CVE-2021-26930, CVE-2021-26931, CVE-2021-26932, CVE-2020-25639, CVE-2021-27365, CVE-2021-27364, CVE-2021-27363, CVE-2021-28038, CVE-2021-28375, CVE-2021-33033, CVE-2021-29265, CVE-2021-28660
Updated core libraries and components, the main changes are as follows:
- Updated linux-firmware from version 20201218 to 20210208.
- Updated Intel microcode from version 20201118 to 20210216, fixing CVE-2020-8698 and CVE-2020-8696 which do not affect HMP400 nor HMP400W hardware but may affect some third party players.
- curl: fixes for CVE-2020-8231, CVE-2020-8286, CVE-2021-22876 and CVE-2021-22890 which affected the firmware and CVE-2020-8284 and CVE-2020-8285, which did not affect the firmware.
- glibc: fixes for CVE-2020-29573, CVE-2019-25013, CVE-2021-3326, CVE-2020-27618 and CVE-2020-29562 which affected the firmware and CVE-2021-27645 which did not affect the firmware.
- ca-certificates: update from version 20190110 to 20210119.
- p11-kit: update from version 0.23.20 to 0.23.22; fixes CVE-2020-29361, CVE-2020-29362 and CVE-2020-29363, none of which affected the firmware.
- openssl: update from version 1.1.1i to 1.1.1k; fixes CVE-2021-3450, CVE-2021-3449, CVE-2021-23841 and CVE-2021-23840, which affected the firmware.
- bind: fix for CVE-2020-8625, which does not affect the firmware.
- wpa-supplicant: fixes for CVE-2021-0326, CVE-2021-27803 and CVE-2021-30004, none of which affected the firmware.
- giflib: fix for CVE-2019-15133, which affected the firmware.
- hostapd: fixes for CVE-2019-5061, CVE-2021-0326, CVE-2021-27803 and CVE-2021-30004, which affected the firmware.
Developer
- The firmware updater now includes an X-spinetix-firmware header in all its HTTP requests, with the version of the running firmware as the value.
- The embedded web server has a new /getconfig HTTP endpoint that returns the complete configuration backup like Control Center's "Get Config" button.
- RPC API
- Calls that modify the configuration or player state were previously accepted during a firmware update, potentially leading to an inconsistent configuration or state; now a FirmwareUpdateInProgress exception is returned when an update is ongoing and should be retried later; other RPC calls are not affected.
- The firmware_update_status() command returns a new boolean property "applied_on_reboot" that is set to true when the update is actually applied during reboot and thus the reboot can take much longer than usual; also "done" property is set to true after the reboot following a firmware update completes, to ease chaining of RPC calls with firmware updates.
- jSignage API updated to version 1.6.1
- Updated the log messages from checkCacheData and updateCacheData to improve expiration information.
Applies to HMP400, HMP400W, and third-party players.
- When the user clicks on an editable field on a webpage, a virtualKeyboardRequest event is generated in the parent SVG content so that a virtual keyboard widget can be shown.
Unresolved
- The serial port is not working properly on HMP350 and HMP300; deployments using the COM port should wait until a fix is made available before updating.
- The first access to Control Center on a DiVA, HMP300, or HMP350 after a reboot could take up to 20 seconds; subsequent accesses are not affected.
Release 4.7.0 build 2
Fixes
- The player could reboot during a firmware update, which results in a corrupted firmware requiring reinstallation via the recovery console (regression introduced in 4.7.0); the probability of this occurring was high if a restart was initiated while a firmware update was in progress; it could also occur if a restart was not requested, but it was much less likely.
- Static IPv4 address configurations did not work; the duplicate address detection was faulty and concluded that the same IP address was already in use on the network (regression introduced in 4.7.0).
- Static IPv4 address configurations did not always detect when the IP address was already in use on the network.
- The built-in analog audio output for HMP400/HMP400W was not functional. This regression was introduced in 4.7.0.
Unresolved
- When using vertical CW screen orientation, regular SVG text is displayed formatted as italic. The vertical CCW orientation is not affected. This regression was introduced in 4.7.0.
Release 4.7.0
New
- Support for multi-touch touchscreens, including multi-touch handling in HTML layers.
- Streaming of the video output (requires a SYSTEMS license):
- Supports IPTV mode (MPEG2-TS unicast or multicast, with or without RTP headers), with H.264 video and MPEG1 Layer 2, AAC or AC-3 audio.
- Supports RTSP/RTP in unicast, multicast or TCP mode, with H.264 video and MPEG1 Layer 2, AAC, AC-3 or Opus audio.
- RTSP basic authentication is supported but the RTSP server is not over TLS.
- Supports RTMP/RTMPS upstream with H.264 video and AAC audio.
- Supports WebRTC with WebSocket signaling (H.264 constrained baseline + Opus only), peer to peer mode with STUN only.
- Simple configuration is done via Control Center, advanced configuration via the Configuration API.
- Multicast support is still deemed experimental.
- Support for Webcams (USB video class devices), including generic audio input devices, to support WebRTC and similar HTML APIs.
- Support for the WebRTC API in HTML5.
- Support for audio surround (5.1 and 7.1).
- Support for web radio streaming using the ICY, HLS or DASH protocols.
- Experimental support for adaptive video streaming with HLS and DASH.
- Support for bitmap color OpenType / TrueType fonts. Also, the Noto Color Emoji, with support for Unicode 13.1, is now included in the firmware for color emoji support.
Improvements
- Predefined video modes are now available for 4K low-refresh rates (24, 25 and 30 Hz) compatible with HDMI 1.3.
- DisplayPort and DVI style display power management is now supported in addition to CEC.
- Players now respond to network name queries via LLMNR (Link-Local Multicast Name Resolution) in addition to the already existing support for Bonjour (mDNS), easing integration with Windows systems. LLMNR support can be disabled via Control Center and Configuration API.
- Added IPv6 support to UPnP / SSDP discovery.
- Improved the firmware updater to handle very large firmware updates.
- Add transportException property to JSON-RPC error responses generated by uploader.
- Add a log entry when opening a web page resource.
- Cache HTTP redirect answers.
- Improve caching of video files from an HTTP server when the bitrate of the connection is less than the bitrate of the video.
- Support for error resilient and SBR AAC audio.
- Improved the performance of cursor rendering in jSignage UI plugin.
- Add an error log entry when proxy password is incorrect for HTML5.
- Added support for the Shared Variables JavaScript API and the JavaScript COM API within the web page layers. These APIs are disabled by default, and the new "allow" attribute is required to enable them.
- Support loading the Widevine DRM module, pending agreement to redistribute the module from Google.
Applies to third-party players
- Added support for Intel Wi-Fi 6 802.11ax adapters AX101, AX200, AX201, 22560, Killer AX1650 i/s, Killer AX1650 x/w (Cyclone Peak and Harrison Peak).
- Added support for new Intel Wi-Fi AC-9560 / AC-9462 / AC-9461 (Jefferson Peak) variants.
Changes
- The configuration for NTP and stream/HTTP packets capture are now available in Control Center and via Configuration API for all models and irrespective of DSOS licenses.
Fixes
- Display power saving schedules could be mishandled at startup, leading to an incorrect display power save state at boot.
- The snapshot shown in Control Center overflowed over other page elements with certain custom resolutions.
- Custom splash screens were not working, attempting to set one would return an error.
- MPEG-2 video with open GOP or MPEG-2 interlaced video would crash the player.
- Simultaneous video playback could freeze the player.
- MPEG-1 video was not decoded correctly.
- Some content-related warnings were no longer in the player.log.
- The SNMP daemon had a TCP listening socket open on port 199 (smux) although no smux connections are supported; smux support is now completely disabled to avoid this.
- Notifications of the status of content update from ARYA could fail due to lack of credentials when the content update took long.
- Actions triggered from the SpinetiX cloud (e.g., content updates) could be theoretically delayed by 60 seconds in exceptional circumstances.
- Uploader did include the necessary access token in retry queries to the SpinetiX cloud RPC concentrator when the first access failed.
- Uploader did not apply retry timeout with exponential backoff when there is a problem reaching the RPC concentrator.
- Firmware updater was too aggressive in cleaning oversize logs and useful logs were being lost on firmware updates.
- The report was missing display manager configuration.
- Underline might not show in some conditions in text areas.
- Minor fixes for iframe preview in browsers (removed borders and added configurable width and height)
- Player may crash under some circumstances due to JavaScript garbage collection.
- A minor memory leak occurred during video decoding with H.264 videos
- Audio on some web video services shown in HTML layers (e.g., Zattoo) was distorted.
Security
Updated kernel from 4.19.127 to 5.4.90 to fix the following security issues:
- These could potentially affect the firmware: CVE-2018-20669, CVE-2019-5489, CVE-2019-12378, CVE-2019-12379, CVE-2019-12380, CVE-2019-12381, CVE-2019-14615, CVE-2019-15222, CVE-2019-19037, CVE-2019-19072, CVE-2019-19073, CVE-2019-19074, CVE-2019-19078, CVE-2019-19252, CVE-2019-19447, CVE-2019-19462, CVE-2019-19602, CVE-2019-19767, CVE-2019-19768, CVE-2019-19769, CVE-2019-19770, CVE-2019-19947, CVE-2019-19965, CVE-2019-20636, CVE-2019-20812, CVE-2019-20908, CVE-2020-0305, CVE-2020-0427, CVE-2020-0431, CVE-2020-0465, CVE-2020-0466, CVE-2020-0543, CVE-2020-7053, CVE-2020-8428, CVE-2020-8647, CVE-2020-8648, CVE-2020-8649, CVE-2020-8694, CVE-2020-8992, CVE-2020-10690, CVE-2020-10732, CVE-2020-10766, CVE-2020-10767, CVE-2020-10768, CVE-2020-11565, CVE-2020-12351, CVE-2020-12352, CVE-2020-12464, CVE-2020-12768, CVE-2020-12826, CVE-2020-13974, CVE-2020-14314, CVE-2020-14331, CVE-2020-14351, CVE-2020-14356, CVE-2020-14381, CVE-2020-14386, CVE-2020-14390, CVE-2020-14416, CVE-2020-15436, CVE-2020-15437, CVE-2020-16166, CVE-2020-24490, CVE-2020-25285, CVE-2020-25641, CVE-2020-25656, CVE-2020-25668, CVE-2020-25704, CVE-2020-25705, CVE-2020-27068, CVE-2020-27786, CVE-2020-28588, CVE-2020-28915, CVE-2020-28974, CVE-2020-29369, CVE-2020-29370, CVE-2020-29374, CVE-2020-29660, CVE-2020-29661, CVE-2020-35508, CVE-2021-20239
- These do not affect the firmware: CVE-2019-2181, CVE-2019-3016, CVE-2019-3874, CVE-2019-10220, CVE-2019-11191, CVE-2019-12455, CVE-2019-14895, CVE-2019-14896, CVE-2019-14897, CVE-2019-14901, CVE-2019-15291, CVE-2019-16229, CVE-2019-16230, CVE-2019-16232, CVE-2019-18660, CVE-2019-18683, CVE-2019-18786, CVE-2019-18808, CVE-2019-18809, CVE-2019-18814, CVE-2019-18885, CVE-2019-19036, CVE-2019-19039, CVE-2019-19043, CVE-2019-19046, CVE-2019-19050, CVE-2019-19053, CVE-2019-19054, CVE-2019-19056, CVE-2019-19057, CVE-2019-19061, CVE-2019-19062, CVE-2019-19063, CVE-2019-19064, CVE-2019-19066, CVE-2019-19067, CVE-2019-19068, CVE-2019-19070, CVE-2019-19071, CVE-2019-19082, CVE-2019-19332, CVE-2019-19338, CVE-2019-19377, CVE-2019-19448, CVE-2019-20810, CVE-2019-19813, CVE-2019-19815, CVE-2019-19816, CVE-2019-20810, CVE-2020-0009, CVE-2020-0041, CVE-2020-0067, CVE-2020-0110, CVE-2020-0543, CVE-2020-0404, CVE-2020-0423, CVE-2020-0432, CVE-2020-0444, CVE-2020-1749, CVE-2020-2732, CVE-2020-4788, CVE-2020-9383, CVE-2020-9391, CVE-2020-10711, CVE-2020-10751, CVE-2020-10757, CVE-2020-10781, CVE-2020-10942, CVE-2020-11494, CVE-2020-11608, CVE-2020-11609, CVE-2020-11668, CVE-2020-11884, CVE-2020-12465, CVE-2020-12652, CVE-2020-12653, CVE-2020-12654, CVE-2020-12655, CVE-2020-12656, CVE-2020-12657, CVE-2020-12659, CVE-2020-12769, CVE-2020-12770, CVE-2020-12771, CVE-2020-12888, CVE-2020-13143, CVE-2020-14385, CVE-2020-15393, CVE-2020-15780, CVE-2020-24394, CVE-2020-25211, CVE-2020-25212, CVE-2020-25284, CVE-2020-25643, CVE-2020-25645, CVE-2020-25669, CVE-2020-26088, CVE-2020-27673, CVE-2020-27675, CVE-2020-27777, CVE-2020-27815, CVE-2020-27830, CVE-2020-28374, CVE-2020-28941, CVE-2020-29368, CVE-2020-29371, CVE-2020-29568, CVE-2020-29569, CVE-2020-36158, CVE-2021-0342, CVE-2021-0448
Updated core libraries and components, the main changes are as follows:
- PHP updated from 5.6.38 to 7.4.4; fixes CVE-2018-19395, CVE-2018-19396, CVE-2018-19935, CVE-2019-6977, CVE-2019-9020, CVE-2019-9021, CVE-2019-9023, CVE-2019-9024, CVE-2019-9637, CVE-2019-9638, CVE-2019-9639, CVE-2019-9641, CVE-2020-11579.
- Updated base Linux distribution to OE-Core / Yocto 3.1 (dunfell).
- Apache HTTPd updated from 2.4.41 to 2.4.46; fixes CVE-2020-1927 which affected the firmware and CVE-2020-1934, CVE-2020-11993, CVE-2020-11984 and CVE-2020-9490, none of which affected the firmware.
- libcurl updated from 7.61.0 to 7.69.1 plus backported patches; fixes CVE-2020-8177, CVE-2019-5481, CVE-2019-5482, CVE-2019-5443, CVE-2019-5436, CVE-2018-16890, CVE-2019-3822, CVE-2019-3823, CVE-2018-16842, CVE-2018-16840, CVE-2018-16839, CVE-2018-14618
- dhcp-client from 4.4.1 to 4.4.2
- glibc updated from 2.28 to 2.31 plus backported patches; fixes CVE-2018-19591, CVE-2019-6488, CVE-2016-10739, CVE-2019-7309, CVE-2018-20796, CVE-2019-9169, CVE-2019-9192, CVE-2019-19126, CVE-2020-1751, CVE-2016-10739, CVE-2020-29562, CVE-2020-10029, CVE-2020-6096, CVE-2020-1752
- iNet wireless daemon (iwd) from 1.7 to 1.9; fixes CVE-2020-17497
- OpenSSL updated from 1.1.1b to 1.1.1i; fixes CVE-2020-1971, CVE-2020-1967, CVE-2019-1551, CVE-2019-1563, CVE-2019-1549, CVE-2019-1547, CVE-2019-1552, CVE-2019-1543
- Mesa 3D updated from 19.0.8 to 20.0.2
- expat updated from 2.2.6 to 2.2.9; fixes CVE-2018-20843, CVE-2019-15903
- FreeType updated from 2.9.1 to 2.10.1 plus backported patches; fixes CVE-2020-15999
- GnuTLS updated from 3.6.4 to 3.6.14 plus backported patches; fixes CVE-2018-10844, CVE-2018-10845, CVE-2018-10846, CVE-2018-16868, CVE-2019-3829, CVE-2019-3836, CVE-2020-11501, CVE-2020-13777, CVE-2020-24659
- SQLite from 3.23.1 to 3.31.1; fixes CVE-2018-20346, CVE-2018-20505, CVE-2018-20506, CVE-2019-8457, CVE-2019-16168, CVE-2019-19645, CVE-2019-19646, CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13632, CVE-2020-15358, CVE-2020-9327, CVE-2019-19242
- libtasn1 updated from 4.13 to 4.16.0; fixes CVE-2018-1000654
- libxml2 updated from 2.9.8 to 2.9.10; fixes CVE-2019-19956, the other vulnerabilities CVE-2018-14567, CVE-2018-14404, CVE-2018-9251 were already fixed with backports.
- nettle updated from 3.4 to 3.5.1; fixes CVE-2018-16869.
- NSS updated from 3.39 to 3.51.1; fixes CVE-2018-12404, CVE-2019-17006, CVE-2019-17007
- NTP updated from 4.2.8p13 to 4.2.8p15; fixes CVE-2020-15025, CVE-2020-13817, CVE-2018-8956, CVE-2020-11868.
- OpenSSH updated from 7.8p1 to 8.2p1; fixes CVE-2018-15919, CVE-2018-20685, CVE-2019-6109, CVE-2019-6110, CVE-2019-6111, CVE-2019-16905.
- Pango updated from 1.42.4 to 1.44.7; the vulnerability CVE-2019-1010238 was already fixed with backports.
- libjpeg-turbo updated from 2.0.0 to 2.0.4 plus backported patches; fixes CVE-2018-19664, CVE-2018-20330, CVE-2018-20330, CVE-2019-13960, CVE-2020-13790
- HarfBuzz updated from 1.8.8 to 2.6.4
- Intel microcode updated from 20190514a to 20201118; updated mitigations for processor vulnerabilities CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091, CVE-2019-11135, CVE-2020-0548, CVE-2020-0549, CVE-2020-8694, CVE-2020-8695, CVE-2020-8698, CVE-2020-8696
- Intel Media Driver updated from 19.2.1 to 20.1.1
- Intel vaapi driver updated from 2.2.0 to 2.4.0
- timezone database (tzdata) updated from 2019a to 2020f.
- linux-firmware updated from 20190213 to 20201218.
- Updated libmosquitto from 1.4.15 to 1.6.10
- FFmpeg from 4.0.2 to 4.2.4; fixes CVE-2018-12458, CVE-2018-12459, CVE-2018-12460, CVE-2018-13300, CVE-2018-13301, CVE-2018-13302, CVE-2018-13303, CVE-2018-13304, CVE-2018-13305, CVE-2018-14394, CVE-2018-14395, CVE-2018-15822, CVE-2018-1999010, CVE-2018-1999011, CVE-2018-1999012, CVE-2018-1999013, CVE-2018-1999014, CVE-2018-1999015, CVE-2020-13904, CVE-2019-12730, CVE-2019-13390, CVE-2019-17539, CVE-2019-17542, CVE-2019-9718, CVE-2019-9721, CVE-2019-11339, CVE-2018-15822, CVE-2019-1000016, CVE-2019-9718, CVE-2019-9721, CVE-2019-11339, CVE-2019-11338, CVE-2019-12730, CVE-2019-13390, CVE-2019-17539, CVE-2019-17542, CVE-2020-12284, CVE-2020-13904, CVE-2019-9718, CVE-2019-9721, CVE-2019-11338, CVE-2019-11339, CVE-2019-12730, CVE-2019-17539, CVE-2019-17542, CVE-2019-1000016, CVE-2019-13390, CVE-2019-15942, CVE-2019-13312, CVE-2020-12284, CVE-2020-13904.
More security fixes:
- Control Center sessions are now limited to 1 hour to improve security.
- Hardened parsing of XML in components (spxiot, spxenroll, spxdispmanager, updater) to avoid all possibility of XEE attacks.
- Added mitigation for UPnP protocol vulnerability CVE-2020-12695 (CallStranger).
Unresolved
- Setting a static IP configuration fails and the player picks an IP from 169.254.*.* range. Regression introduced in 4.7.0.
- There is a potential issue with firmware update that in some circumstances may result in a corrupted firmware.
Release 4.6.4 build 2
- HMP400, HMP400W, third-party players: 4.6.4-2.0.0-5b7b83ec
Fixes
- The default content contained a time-limited license expiring on 2021-07-31; the player would thus display a black screen when booted in factory defaults after this date.
Release 4.6.4
Fixes
- A problem with garbage collection of JavaScript objects could sometimes crash the player; this was more likely to occur with content that uses JavaScript heavily and the QR code generator.
- MPEG-2, MPEG-4 ASP and VC1 videos at 60 fps could freeze while playing.
Applies to HMP400 and HMP400W.
- Revocation of a DSOS license resulted in the revoked license being reinstalled from the copy in the persistent data store; this created no functional issue as the license is anyhow invalid and thus ignored but was confusing.
Applies to HMP400, HMP400W, and third-party players.
- Some content combinations (video plus an animated widget on a solid background plus a fade transition on the entire layout) caused rendering errors.
Release 4.6.3
Improvements
- In Control Center > Advanced Applications, the "Webstorage API" and "RPC Security" sections have been merged into a single section named "APIs Security" to better convey their current use. Also, the "Enable RPC request using AJAX (CORS)" option has been renamed to "Enable CORS requests".
Applies to HMP400 and HMP400W.
- DSOS licenses now persist across a reset to factory default settings or firmware installation from the Recovery Console. Also, they can now be bound to the TPM and can be revoked before their expiration date.
Fixes
- The firmware updater would not retry downloading update packages when the source server indicated a temporary failure (e.g., an HTTP 503 service unavailable status), erroring out the firmware update request; it now retries several times after a delay.
- The firmware updater incorrectly included the device serial number in the user agent header of its HTTP requests; it now uses the same dedicated header as other firmware components.
- In some cases an HTTP request that received a redirect response could fail to follow the redirect.
- Synthesized italic / oblique text was not slanted; regression introduced in 4.5.0.
Applies to HMP400, HMP400W, and third-party players.
- The player snapshot could sometimes fail to be shown in Control Center.
- Changes to the "Use external USB drive to store content" setting did not trigger a player restart, although it is required for the change to take effect.
- The CEC engine could send an "on" command instead of "off" after the first two attempts for "off" failed.
Applies to HMP350, HMP300, and DiVA.
- The Certificate Signing Request (CSR) sent by the player to enroll to the SpinetiX cloud had an incorrect DER encoding for the version number, which beginning December 2020 is no longer accepted by the cloud infrastructure (an "Invalid CSR format" error is returned); as a result new HMP350, HMP300 and DiVA players could not be registered in ARYA. The correct encoding is now used and new players of these models can be registered in ARYA again.
Security
- The embedded web server did not protect against abuse of the Proxy header in requests (i.e., httpoxy vulnerabilities), although no exploitation vector is known.
Developer
- The jSignage applyFormatDateNumber function would crash if called with null.
Release 4.6.2
Improvements
Applies to HMP400 and HMP400W.
- Added support for analog audio output (using the SpinetiX USB-C analog audio cable SX-HW-UCAUD). This appears as "Built-in Audio Analog Output" in Control Center.
Applies to HMP400, HMP400W, and third-party players.
- Known audio output options (e.g., audio over HDMI) are listed in Control Center even if the output is not currently available, to ease the player configuration.
- The installation of the firmware from the Recovery Console can now automatically recover from corruption in the environment blocks used to store boot parameters.
Fixes
- Players could enter a reboot loop in some rare cases with very unstable networks due to timeouts in the NTP daemon handling logic.
- In some rare cases the QR code generation in jSignage could fail with an exception.
Applies to HMP400 and HMP400W.
- HDMI 2.0 displays could show no image if the HMP was rebooted while the display had no power.
- Communication errors with eMMC could generate I/O errors on the internal storage marking some filesystems as corrupted and cause unexpected reboots; the problem has been fixed and devices with filesystems marked as corrupted are automatically repaired after a firmware update.
- Removed the bogus error message about missing /usr/share/raperca/recipes.json.
- Removed the focus frame rendered around HTML layers.
- Use of images in HTML could result in inconsistent image caching.
Applies to HMP400, HMP400W, and third-party players.
- Power failures could leave uninitialized or old data in some files in the internal storage due to mishandling of the eMMC write cache.
- When installing the firmware from the Recovery Console, the installation did not clear existing boot settings (although none are set by any previous firmware version).
Release 4.6.1
Improvements
- Display power saving can now be configured independently per day of the week.
- Animated playlist widgets are now compatible with multiscreen projects.
- The HTML engine has been updated to Chromium 84.3.10.
Applies to HMP400 and HMP400W.
- Added support for audio output from HTML layers.
Applies to third-party players.
- Added support for Intel NUC Austin Beach with NUC 8 Element (Chandler Bay).
Fixes
- Players could fail to be enrolled in the SpinetiX cloud in some regions of the world due to an incompatibility with TLS 1.3 in the enrollment process. The incompatibility has been fixed in the firmware and the enrollment endpoints in the cloud have been limited to TLS 1.2 until incompatible firmware versions are phased out.
- The firmware updater failed to pull new packages into the install set when the dependency was a file path, which prevented new firmware updates from being applied.
- The player would crash when the audio output was enabled together with the "Enable display power management" and "Disable audio when screen is turned off" options.
- Some types of streaming would log errors when audio was on mute.
- The Pull Mode agent (uploader) could crash with servers that incorrectly returned a 206 HTTP status code for non-range requests.
- Control Center would show an incorrect serial number in the certificate list due to a wrong decoding procedure; the correct serial number was shown in the certificate details.
- Some name length validations done by Control Center were ineffective.
- The player.log could incorrectly report usage peaks of 100%.
- Calendar widgets may not show data from Google Calendar.
- Column stacked graphs could fail to render correctly due to an incorrect automatic min / max calculation.
- Parsing of udp and rtp pseudo-urls for unicast streams was broken.
- The meanings of the spx:audioDelay and spx:buffering attributes were inverted; setting one actually set the other. Regression introduced in the 4.5.0 release.
Applies to HMP400, HMP400W, and third-party players.
- Rendering latency changes due to interactivity could cause distorted audio.
- The periodical logging of CPU package temperature was not enabled.
- A crash could occur with some types of content due to a shader compilation failure.
Applies to HMP400 and HMP400W.
- Secure Shared Variable Network API was not working.
- The Web Storage REST API was not returning the value of variables.
- User added trusted certificates were not taken into account in Web page layers as the HTML engine did not use the same list of trusted root certificates.
- The option to ignore certificate validation errors did not apply to HTML content.
- Rendering of web content could freeze after several days.
- Some types of HTML content caused a significant memory leak.
- Scan and maintenance operations on the internal storage (eMMC) were not enabled.
Applies to HMP400W and third-party players.
- During Wi-Fi setup, the configuration QR code and AP information would be shown twice when the power/blue button was pressed.
Developer
The following JavaScript libraries have been updated:
- jSignage updated to version 1.6.0
- jSignage Graph plugin updated to version 1.0.4
- jSignage Custom Effects plugin updated to version 1.1.0
Added PURGE method to Web Storage REST API.
Added new parameters on the display-power-schedule tag of the Configuration API for the days of the week.
Release 4.6.0
New
Applies to HMP400 and HMP400W.
- Support for HDMI CEC.
- This can be used on the HDMI output or on the DisplayPort Alt-mode output with a DP to HDMI adapter cable supporting the DP 1.3 "CEC tunneling over AUX" protocol.
- HMP Control Center will show a warning message when the selected video output does not support CEC.
- The display power management can be enabled from Control Center > Display & Audio page.
- Note that some players from the first production batches could lack the hardware support for CEC; this information can be found in Control Center.
- Support for rendering PDF files.
Applies to HMP400W and third-party players.
- Wi-Fi connections can now be easily configured from a smartphone, tablet or computer without any other network connection, nor USB stick, by connecting directly to the player over the air. See Wi-Fi setup page for more details.
Improvements
Applies to HMP400 and HMP400W.
- HTML rendering engine:
- Performance was improved by adding texture sharing.
- Added support for using the proxy configuration.
- Updated to Chromium 79.
- The DSOS license status (license type, missing license, or expired license) is shown on Control Center home page and on the OSD that appears when the blue button is pressed.
- The configuration backup file now includes an indication of the DSOS license active at the time the backup file is generated. This allows displaying a clean error to a user who tries to restore a configuration backup containing features not supported by the DSOS license currently activated on the player.
Applies to HMP400, HMP400W, and third-party players.
- The audio connectors' names shown in Control Center are hardware-dependent.
- The embedded web server now supports TLS 1.3.
- The IP addresses and other information are shown only for the active interface on the OSD that appears when the blue button is pressed.
- The welcome splash screen shows a specific error message when the device is not enrolled in SpinetiX cloud services, aiding in diagnosis.
- Support for new image codecs (webp, dng).
- Support for hardware motion-adaptive deinterlacing with past and/or future references.
- Updated timezone database from version 2018i to 2019a; it affects Palestine and Metlakatla.
Fixed
- Daily power saving schedule feature.
- Players would stop communicating with ARYA until next reboot when reconfigured.
- Interlaced videos could show green frames.
- URLs with empty components in path (i.e., doubled slash) were not interpreted correctly.
- Minor changes within the player report.
Applies to HMP400, HMP400W, and third-party players.
- The dropdown listing the time zones in Control Center was empty. This was a regression introduced in the 4.5.3 release.
Applies to third-party players.
- Incorrect serial number shown on the OSD that appears when the power button is pressed.
Security
Applies to HMP400, HMP400W, and third-party players.
Updated Linux kernel from 4.19.80 to 4.19.127 to fix security issues.
- These could potentially affect the firmware: CVE-2019-17133, CVE-2019-19532, CVE-2019-18282, CVE-2019-0155, CVE-2019-0154, CVE-2019-19922, CVE-2019-11135, CVE-2019-19767, CVE-2019-19252, CVE-2019-19447, CVE-2019-20812, CVE-2020-0305, CVE-2019-20636, CVE-2019-14615, CVE-2019-19059, CVE-2019-19058, CVE-2019-5108, CVE-2020-8428, CVE-2019-16234, CVE-2020-8647, CVE-2020-8649, CVE-2020-8648, CVE-2020-11565, CVE-2020-12826, CVE-2019-19768, CVE-2020-12464, CVE-2020-10732, CVE-2019-19462
- These do not affect the firmware: CVE-2019-19075, CVE-2019-17075, CVE-2019-19060, CVE-2019-19065, CVE-2019-17666, CVE-2019-15098, CVE-2019-19048, CVE-2020-10773, CVE-2019-19526, CVE-2019-16233, CVE-2019-19049, CVE-2019-19045, CVE-2019-19052, CVE-2019-18813, CVE-2019-19529, CVE-2018-12207, CVE-2019-16231, CVE-2019-19534, CVE-2019-19524, CVE-2019-18660, CVE-2019-15291, CVE-2019-18683, CVE-2019-12614, CVE-2019-19062, CVE-2019-19227, CVE-2019-19071, CVE-2019-19079, CVE-2019-19332, CVE-2019-18786, CVE-2019-19057, CVE-2019-19063, CVE-2019-19947, CVE-2019-16230, CVE-2019-16232, CVE-2019-16229, CVE-2020-10690, CVE-2019-18809, CVE-2019-19965, CVE-2019-14901, CVE-2019-14895, CVE-2019-19066, CVE-2019-19068, CVE-2019-19056, CVE-2019-9445, CVE-2019-20096, CVE-2019-15217, CVE-2019-19077, CVE-2020-12652, CVE-2019-19046, CVE-2019-20806, CVE-2019-14896, CVE-2019-14897, CVE-2020-14416, CVE-2020-12769, CVE-2019-3016, CVE-2020-12653, CVE-2020-12654, CVE-2020-9383, CVE-2020-2732, CVE-2020-0009, CVE-2020-10942, CVE-2020-12465, CVE-2020-11608, CVE-2020-11609, CVE-2020-11668, CVE-2020-11494, CVE-2020-12657, CVE-2020-11669, CVE-2020-12659, CVE-2020-1749, CVE-2020-0067, CVE-2020-11884, CVE-2020-10751, CVE-2020-13143, CVE-2020-10711, CVE-2020-12770, CVE-2020-12768, CVE-2019-18814, CVE-2020-10757
More security fixes:
- openssl: CVE-2019-1543
- bluez5: CVE-2018-10910
- libsndfile1: changed fix for CVE-2017-14245 and CVE-2017-14246, fixed CVE-2017-12562, CVE-2018-19758, CVE-2019-3832
- glibc: CVE-2019-9169, CVE-2016-10739, CVE-2018-19591, CVE-2019-6488, CVE-2019-7309; fix for incomplete CVE-2016-10739
- elfutils: CVE-2019-7146, CVE-2019-7149, CVE-2019-7150, CVE-2019-7664, CVE-2019-7665
- busybox: CVE-2018-20679, CVE-2019-5747
- sqlite3: CVE-2018-20505, CVE-2018-20506, CVE-2019-8457
- cairo: CVE-2018-19876, CVE-2019-6461, CVE-2019-6462
- tar: CVE-2019-0023, CVE-2018-20482
- glib2: CVE-2019-12450, CVE-2019-9633, CVE-2019-13012
- curl: CVE-2019-5435, CVE-2019-5436, CVE-2018-16890, CVE-2019-3822, CVE-2019-3823, CVE-2019-5482
- bzip2: CVE-2019-12900
- expat: CVE-2018-20843
- dbus: CVE-2019-12749
- gcc: CVE-2019-14250
- bind libraries: updated from 9.11.4 to 9.11.5-P4, CVE-2018-5738, CVE-2018-5744, CVE-2018-5745, CVE-2019-6465
- pango: CVE-2019-1010238
- gnutls: CVE-2019-3829 and CVE-2019-3836
- libgcrypt: CVE-2019-12904
- apache httpd: update from 2.4.34 to 2.4.41, fixes CVE-2018-17189, CVE-2018-17199, CVE-2019-0190, CVE-2019-0220, CVE-2019-0196, CVE-2019-0197, CVE-2019-0215, CVE-2019-0217, CVE-2019-0211, CVE-2019-10081, CVE-2019-9517, CVE-2019-10098, CVE-2019-10092, CVE-2019-10097, CVE-2019-10082
Applies to HMP350, HMP300, and DiVA.
- The fix for CVE-2020-15809 in 4.5.3 was incomplete; URI validation in rssProxy.php missed a few possible cases.
Developer
Applies to HMP400, HMP400W, and third-party players.
- RPC API - new commands for Wi-Fi: wifi_scan, wifi_connect, wifi_disconnect, and wifi_get_info.
- JavaScript - extended the deviceInfo global object with two new methods, mostly relevant for Wi-Fi: .getMainNetworkInterface() and .getActiveNetworkInterface().
Unresolved
- Calendar widgets do not show data from Google.
- HMP400 serial number doesn't work as Multiscreen ID.
- When associating players to screens from Elementi, the player's serial number is used as Multiscreen ID; this doesn't work for HMP400/HMP400W, so you need to manually configure the multiscreen ID (for instance screen-1-1) on the player.
Release 4.5.3
Improvements
- CORS requests are now allowed for endpoints other than RPC, provided the RPC API key is used.
- Changed the display message when the player license expires or is missing; a black screen is now shown instead of the "no valid license" floating text.
Fixed
- The content server was not disabled when a player was added to ARYA, leading to confusing errors in Elementi if a publish was attempted.
- Importing X.509 server certificates with unknown extensions would make the network page display an error and be unusable until the certificate was removed.
- RTP (not MPEG2TS) streaming would stop after a few minutes.
- AJAX POST requests would use chunked transfer encoding since firmware 4.5.0, but many simple devices do not support it, which broke communications; chunked transfer encoding is no longer used in AJAX requests.
- HTTP requests to a server whose name started with vN, N being an integer, would be modified to put the name within square brackets, breaking the request.
Applies to HMP400, HMP400W, and third-party players.
- Video modes could be incorrectly programmed when the attached display did not return a valid EDID, due to an internal DisplayPort link rate being incorrectly programmed.
- The hardware watchdog would not fire if the system hung during shutdown, as it got disabled when the software watchdog exited; the hardware watchdog is now never disabled.
- The unused rssProxy.php, i18njs.php and timezones.php were incorrectly included in the firmware image, which increased the attack surface; they are no longer included.
Applies to HMP350, HMP300, and DiVA.
- Visual stutter could occur with looping videos.
- Player could hang after video playback.
Security
- Fixed CVE-2020-15809, the spxmanage component would allow requests that access unintended resources because of SSRF and Path Traversal.
Unresolved
- The dropdown listing the time zones in Control Center is empty for HMP400, HMP400W, and third-party players.
- The workaround is to use the <timezone> configuration tag. This is a regression introduced in the 4.5.3 release.
- No proxy support in HTML rendering engine.
Release 4.5.2
Improvements
Applies to HMP400 and HMP400W.
- The RTC is now calibrated for improved time accuracy while the player is powered off.
Fixed
Applies to all models.
- Facebook widgets were no longer working due to a Facebook API change.
- The default gateway in static IPv6 configurations conflicted with IPv6 routes added from router advertisements, resulting in unpredictable routing; the default gateway now uses a lower metric and has precedence.
- Fixed various minor presentation problems in Control Center, such as:
- IPv6 addresses would appear truncated on the NTP statistics.
- The reason for the player reboot would appear as "unknown reason".
- Removed the MAC address and CPU's ARM & DSP references from player status information boxes.
- Removed the MAC address from IP Configuration section.
Applies to HMP400, HMP400W, and third-party players.
- Configurations deployed via USB sticks including a reboot directive could cause a reboot loop.
- Recovery Console updated to version 2.8.1, fixing the player rebooting after a couple of minutes when a reset to factory defaults operation was pending.
- On HMP400W, the local link IPv6 addresses in static DNS configurations would get the wrong interface identifier when Wi-Fi was the selected interface.
Developer
- Enabling HTTP traffic capture for Pull Mode would generate no capture files or incomplete ones.
- HTTP PUT requests with an empty body were incorrectly sent as GET requests.
Release 4.5.1
New
Applies to HMP400, HMP400W, and third-party players.
- Enabled Wi-Fi connections with support for personal (pre-shared key) and enterprise authentication, as well as open/unauthenticated networks. Wi-Fi is enabled from Control Center, and the configuration is done via a configuration backup file.
- Configurations can now be deployed via USB sticks: inserting a USB stick with a configuration backup file on a player that is not yet configured will automatically apply the configuration. For security reasons, this feature is automatically disabled once the player has been fully configured.
- Added support for 802.1x authentication on Ethernet; configuration is done via the configuration backup file.
Improvements
Applies to HMP400, HMP400W, and third-party players.
- The Recovery Console has been updated to version 2.8.0, to support Wi-Fi connections and 802.1x authentication on Ethernet. The Recovery Console is now updated during the regular firmware update, if an older console version is installed on the player; also, it can now be installed via a .pkg file, just as the firmware.
- The player report includes more readable license data to aid in diagnostics.
Applies to third-party players.
- Names corresponding to the labels on the device are now shown in Control Center's video and audio output selectors.
Changes
Applies to HMP400 and HMP400W.
- Licenses were incorrectly included in the configuration backup, which can invalidate a valid license received from the license server when restoring the configuration backup at a later time; licenses are no longer included in the configuration backup as they are distributed directly by the license server. Configuration backups saved from firmware 4.5.0 for units which had a license should be manually edited to remove the license before restoring.
Fixed
Applies to all models.
- Streaming was not working properly with some sources.
- An HTTP proxy on port 80 could not be used. This was a regression introduced in 4.5.0.
- Some web services, like RSS feeds, behave differently when the referrer is about:blank; a full URL is now used to avoid problems.
- Solved incompatibility with myDrive.ch file storage service.
- Webp images could crash the player causing a reboot.
- RPC responses to failed calls were not returned to the RPC concentrator (regression introduced in 4.5.0); in addition any HTTP level RPC call errors are also returned to the RPC concentrator.
- The player could reboot during network state changes due to races in the restart of the NTP daemon.
- Credentials to access resources on AWS could be renewed just after they expired, instead of a few minutes before, causing temporary problems with ARYA.
- The license texts in Control Center's about page were not properly tagged as UTF-8 plain text and could display garbled.
- EULA and third-party licenses updated to reflect current ones.
Applies to HMP400, HMP400W, and third-party players.
- On full HD deinterlaced videos, the bottom 1080 of the 1088 coded lines were output instead of the top 1080.
- The player was not restarted when the audio configuration changed, although a restart was required.
- Network default routes installed by the DHCP client could conflict with existing default routes and not become effective; existing routes are now replaced.
- The NTP daemon no longer restarts on IP address changes as it is no longer necessary.
- The report did not properly dump the TPM2 public data of persistent handles.
Developer
Applies to all players.
- Configuration API new tags: wired-auth-add and wired-auth-reset for Ethernet 802.1x authentication.
Applies to HMP400, HMP400W, and third-party players.
- Configuration API new tags: wifi-dhcp, wifi-static, wifi-v6-none, wifi-v6-static, wifi-ap-add, and wifi-ap-reset.
- RPC API - the get_info command has been extended to support Wi-Fi.
- Status API - the info endpoint has been extended to support Wi-Fi.
Release 4.5.0
New
- Added DSOS support for the new hardware models: HMP400/HMP400W and selected 3rd-party players.
- Added support for the DSOS activation licenses; the player license information is displayed on the Control Center home page and included within the configuration backup.
- New HTML5 rendering engine, based on Chromium 74, with support for hardware accelerated video decoding and WebGL. Applies only to players with DSOS Kiosk and DSOS Systems licenses.
- New Web Robot engine to support forms-based authentication on websites, using credentials stored under Saved passwords. The engine can be extended to navigate, scroll, zoom on content of interest and/or click through consent popups on HTML5 pages.
- New Pull Mode engine that supports faster downloads, end-to-end content integrity checking with SHA-256, and processing of RPC commands.
- JPEG images are now automatically rotated and flipped according to EXIF data.
- Added support for merging multiple calendars on the same view for Google calendar and Outlook online.
- Added support for underlined text.
- HTTP traffic capturing can be enabled from Control Center or RPC, for improved diagnostics. The captures are also included in the player report. Credentials are masked in the captures.
Improvements
- Added video and audio output selectors in Control Center and Configuration Wizard for players with multiple video/audio outputs.
- Added support for Hyperlink and Picture columns in SharePoint lists.
- Firmware updater now checks that update source is compatible with product's model before applying any updates.
- Bonjour and SSDP announcements now include additional serial numbers for the benefit of the newly supported models.
- JS locale files are now compressed, reducing the firmware size.
- Updated some internal libraries:
- ffmpeg to version 4.0.2 (was 3.4.5)
- libical to version 2.0.0 (was 1.0.1)
- Yii PHP framework to version 1.1.21 (was 1.1.17)
Changes
- Removed support for Instagram widgets because Instagram has discontinued the Legacy API.
- Session cookies now expire after 2 days (previously they never expired).
Fixed
- Pull Mode with ICS executed after being disabled.
- Cookies for public top level domains were incorrectly allowed in the Pull Mode daemon (uploader).
- Crash when pressing blue button when playing a project with asynchronous audio player event handlers.
- Events widget - long event titles were not showing correctly.
- JSignage Graph plugin: axis grids were not shown in some cases because of missing min and max values.
- Editing was broken if an editable text area already contained any text.
Security
- Enrollment to SpinetiX cloud services now uses the TPM to authenticate third-party devices.
- Protected from XEE attacks in XML files.
- Use HTTPS protocol for the ECB exchange rate data source.
- CORS violations and other errors in HTML5 content are reported in the log.
Developer
- Credentials can now be used on AJAX requests to the player from web pages not hosted on the player (i.e., the authorization headers are now allowed for CORS).
- Uploader process logs more messages at trace level to diagnose replication issues in Pull Mode.
- New tags for the Configuration API:
- <video-output-selector> to select the video output connector on DSOS devices.
- <pullmode-http-capture-log> to capture HTTP traffic for the uploader process.
- <http-capture-log> to capture HTTP traffic for the player.
- New options for the get_info RPC command:
- videoConnectors: true to report the list of attached screens
- audioConnectors: true to report the list of attached audio connectors
- The JavaScript libraries have been updated.
- JSignage Social plugin is updated to version 1.3.0
- JSignage Graph plugin is updated to version 1.0.3