Firmware release notes 4.9.8
This article is a stub. Main article: Firmware release notes 4.9.x.
Release 4.9.8
Release name: "Castor" 4.9.8. Release date: June 30th, 2026.
Improvements
- Increased JavaScript engine heap size from 8 MB to 32 MB, reducing the risk of out-of-memory failures with complex content.
- Feature Set operations no longer fail if the player's TPM enters DA lockout mode; feature set assignment, removal and suspension are now handled more robustly.
- Improved player enrollment behavior in SpinetiX HUB by implementing smarter retry logic, allowing faster recovery from temporary network or service errors.
- Reduced the amount of reserved space in the root filesystem to avoid spurious firmware update failures due to lack of filesystem space.
- Updated trusted root certificates from version 20211016 to 20260223 to ensure compatibility with services using recently introduced Certificate Authorities.
- HTML5 rendering engine: HTTP URLs are no longer tried as HTTPS first, ensuring web content is loaded using the exact protocol configured in the content; this was a behavior change introduced in DSOS 4.9.0 along with the Chromium update.
Fixes
- The enable-cloud, disable-cloud, enroll-base-url, debug-enroll, and debug-iot configuration statements were not included in the player configuration backups and thus these configurations could be lost on a firmware update from DSOS 4.8.7 or earlier to DSOS 4.9.x (i.e., when the update is done via the recovery console); note that these configurations are only used in very specialized cases and thus users were rarely affected.
- The package DB (rpm DB) space optimization introduced in DSOS 4.9.4 was not always applied before a firmware update, which could prevent firmware updates due to lack of space in the root filesystem; the dependencies have been adjusted so that the optimization is always present before starting a complete firmware update, preventing the rpm DB from taking too much space.
- Fixed spurious, misleading TPM-related error messages in the player report.
- Fixed an issue where the player could crash with some screens when using specific custom CVT video modes and the screen's power was being cut off. The custom video mode is now applied, even if the display's EDID is invalid.
- The player logs incorrectly reported the display hot-plug support as enabled when it was in fact disabled.
Security
Updated base libraries and components; the main changes are as follows:
- alsa-lib: fixed CVE-2026-25068, which did not affect DSOS.
- apache2: updated to version 2.4.67 which fixed CVE-2026-33523, which could affect DSOS, and CVE-2026-34059, CVE-2026-34032, CVE-2026-33857, CVE-2026-33007, CVE-2026-33006, CVE-2026-29169, CVE-2026-29168, CVE-2026-28780, CVE-2026-24072 and CVE-2026-23918, none of which affected DSOS.
- busybox: fixed CVE-2025-60876, which did not affect DSOS.
- curl: fixed CVE-2026-3784, CVE-2026-1965 and CVE-2025-14524, all of which affected DSOS, and CVE-2026-3783, which did not affect DSOS.
- giflib: fixed CVE-2026-23868, which affected DSOS.
- inetutils: fixed CVE-2026-28372, which did not affect DSOS.
- ncurses: fixed CVE-2025-69720, which did not affect DSOS.
- raptor2: fixed CVE-2020-25713, CVE-2024-57822, CVE-2024-57823, all of which affected DSOS, and CVE-2017-18926, which did not affect DSOS.
- sqlite3: fixed CVE-2025-70873, which did not affect DSOS.
- tzdata: updated from version 2025b to 2026a, affecting Moldova.
- The Linux kernel has been updated from version 5.15.137 to 5.15.209 to fix "Copy Fail" and "Dirty Frag" class vulnerabilities (CVE-2026-31431, CVE-2026-43284 and CVE-2026-46300) as well as numerous other vulnerabilities.