Firmware release notes 4.9.4

This article is a stub. Main article: Firmware release notes 4.9.x.

Release 4.9.4

Release name: "Castor" 4.9.4. Release date: December 16^th, 2025.

Applies to HMP400/W, iBX410/W, iBX440, HMP350, HMP300, DiVA, and third-party DSOS players.
Firmware version number: 4.9.4-1.0.1-8f810071

Applies to all DSOS players, except for HMP350, HMP300, and DiVA.

Added new functions to the power button:
- Press the button 5 times to reboot the player in Recovery mode.
- Press the button 10 times to reset the player to factory default settings and reboot.
- Press timing: each button press should be spaced no more than 1 second apart for the action to register.

Improved the handling of errors when restoring a configuration backup after a firmware update via the Recovery mode (e.g., from 4.8.x to 4.9.x); if the configuration backup cannot be restored, it is attempted again on the next reboot if the player is not yet configured and the failed configuration backup is also included in the player report to allow for manual recovery; all secrets in the configuration backup are encrypted and thus not readable from the report.
The Recovery Console is updated to version 2.26.1.

Applies to all DSOS players, except for HMP350, HMP300, and DiVA.

Added a warning "HTML5 media playback requires KIOSK/SYSTEMS Feature Set" in the player.log when web content is included in a project of type "WIDGETS". This also apply for the Power BI widget, as the dashboard/report is loaded through a web page.

Fix a player crash that could occur with web content, due to a race condition in the HTML5 engine based on Chromium, which may occur when rendering certain dynamic web pages running background tasks.
Configuration backups can have a video mode with a vertical refresh value of 0 (meaning default), but these were rejected when restoring them; the 0 value is now accepted for compatibility. This problem could cause the loss of configuration when updating the firmware from DSOS 4.8.7 or earlier to 4.9.x releases.
Suboptimal usage of storage space could cause transient errors when upgrading the firmware from one 4.9.x to a later 4.9.x version.
URLs with the $ character where incorrectly rejected as invalid in Control Center's saved passwords page.
Fix error decoding 8K AV1 video that was caused by incorrect frame flag parsing and ffmpeg open-GOP bug.
Fixed a crash in the software video decoder on iBX440 (AVX2 path) that could occur when playback fell back from hardware to software decoding.
The IoT daemon did not correctly send the disconnected message to the SpinetiX HUB when shutting down or switching data residency regions, as a consequence the SpinetiX HUB could have stale information about a player.

Applies to all DSOS players.

Updated base libraries and components; the main changes are as follows:

glib-networking: fixed CVE-2025-60019 and CVE-2025-60018, both of which affected DSOS.
openssl: fixed CVE-2025-9230 and CVE-2025-9232, none of which affected DSOS.
busybox: fixed CVE-2025-46394, which did not affect DSOS.
libxml2: fixed CVE-2025-9714, which did not affect DSOS.
curl: fixed CVE-2025-9086, which could affect DSOS.
jq: fixed CVE-2025-9403, which could affect DSOS.
apache2: updated from 2.4.65 to 2.4.66, fixing CVE-2025-65082, which could affect DSOS, and CVE-2025-66200, CVE-2025-59775, CVE-2025-58098 and CVE-2025-55753, none of which affected DSOS.

Applies to all DSOS players, except DIVA, HMP300, HMP350.

Updated base libraries and components; the main changes are as follows:

gstreamer1.0-plugins-bad: fixed CVE-2025-3887, which could affect DSOS.
lz4: fixed CVE-2025-62813, which could affect DSOS.
binutils: fixed CVE-2025-8225, CVE-2025-11081, CVE-2025-11083 and CVE-2025-11082, none of which affected DSOS.
grub2: fixed CVE-2024-56738, which could affect DSOS.
hostapd: fixed CVE-2022-37660 and CVE-2025-24912, none of which affected DSOS.