Firmware release notes 4.x

Release 4.7.1 or later

Release 4.6.5 build 3

Version: "Punta Giordani" 4.6.5-3.0.37966. Release date: August 9, 2021.

Improvements

• Added the capability to block specific firmware versions from installation via pkg files when delivered via firmware update.
• The update to firmware 4.7.1-1.0.1 and recovery console 2.9.5 are now blocked on HMP350, HMP300 and DiVA players.
• Updated recovery console to version 2.9.6 with the following changes:
  • Added the capability to block specific firmware versions from installation via pkg files.
  • Installation of firmware 4.7.1-1.0.1 and recovery console 2.9.5 packages are blocked on HMP350, HMP300 and DiVA players.

Release 4.6.5 build 2

Version: "Punta Giordani" 4.6.5-2.0.37853. Release date: June 2, 2021.

Improvements

• Added support to update the firmware using a package file (.pkg) found among the update files.
  • The player will automatically boot in Recovery mode to perform the update and will boot afterwards back in normal mode using the new firmware, the same configuration as before, and with all user data and previous logs preserved.
  • The firmware update process decides whether to use the pkg file or the normal update method based on firmware update compatibility requirements from the update files metadata.
• During the firmware update, the Recovery Console gets updated to version 2.9.5, featuring:
  • Added support for an automated firmware upgrade using a pkg file that preserves player configuration and user data, it is used to by the main firmware to do firmware updates that cannot be done using the normal method.
  • Added a Link-Local Multicast Name Resolution (LLMNR) responder so that Windows systems can find the IP address of the player without registering the players in DNS.
  • SDP / UPnP announcements now use the hostname instead of the IP address when the LLMNR responder is not disabled.
  • AJAX requests to the recovery console's web server without authentication now return a 403 Forbidden message to avoid unexpected password prompt popups on browsers.

Fixes

• When applying a firmware update, Control Center reported any reboot as the end of the update process, telling the user that the device was ready to use even if the reboot was to the Recovery mode. Control Center now waits for the reboot in normal mode.

Developer

• The embedded web server has a new /getconfig HTTP endpoint that returns the complete configuration backup like Control Center's "Get Config" button.
• The firmware_update_status() RPC command returns a new boolean property "applied_on_reboot" that is set to true when the update is actually applied during reboot and thus the reboot can take much longer than usual.

Release 4.6.5

Version: "Punta Giordani" 4.6.5-1.0.37607. Release date: March 11, 2021.

Fixes

• Display power saving schedules could be mishandled at startup, leading to an incorrect display power save state at boot.
• Player may crash under some circumstances due to JavaScript garbage collection.
• Notifications of the status of content update from ARYA could fail due to lack of credentials when the content update took long.
• Actions triggered from the SpinetiX cloud (e.g., content updates) could be theoretically delayed by 60 seconds in exceptional circumstances.
• Some content-related warnings were no longer in the player.log.
• A minor memory leak occurred during video decoding with H.264 videos.
• Underline might not show in some conditions in text areas.
• Uploader did include the necessary access token in retry queries to the SpinetiX cloud RPC concentrator when the first access failed.
• Uploader did not apply retry timeout with exponential backoff when there is a problem reaching the RPC concentrator.

Releases 4.5.0 to 4.6.4

Release 4.4.5

Version: "Mont Blanc du Tacul" 4.4.5-1.0.35285. Release date: December 12, 2019.

Improvements

• HMP350 players accept custom display settings with a width / height up to 4094 pixels (these were previously limited to 1920 and 1200, respectively), subject to the limitation that the pixel clock must not exceed 165 MHz.
• Added option for filtering out the post replies in Yammer widgets.

Fixed

• Network cable detection not working properly on DiVA default content.
• Memory allocation problems with some videos when using a crossfade transition could result in not decoding the video or even the player going into safe mode.
• Removed "unknown protocol" and "error at end of file" warning messages from the player.log.
• Crash when using an MPEG2 Transport Stream file with AAC audio in the program table but no AAC audio packets.
• Missing labels when rendering some pie / doughnut widgets.

Release 4.4.4

Version: "Mont Blanc du Tacul" 4.4.4-1.0.34917. Release date: August 19, 2019.

Improvements

• Added parsing of width and height attribute of media:content tags in RSS feeds.

Fixed

• Player could reboot following a request to upload a snapshot to a server using a POST request. This would cause DiVA players to reboot in some cases when connected to ARYA.

Release 4.4.3

Version: "Mont Blanc du Tacul" 4.4.3-1.0.34875. Release date: August 5, 2019.

Improvements

• Improved information box in the factory screen for DiVA players.

Fixed

• The JavaScript Image object could respond that the image was not found if the image was not in the cache because of incorrect mime type detection.
• jSignage Graph plugin: Line chart not shown when all points' values are equal.

Security

• Fixed Linux kernel vulnerabilities CVE-2019-11477, CVE-2019-11478, CVE-2019-11479, and CVE-2017-11176, which all affected the firmware.
• Increased the minimum allowed TCP MSS value to 536 to resolve CVE-2019-11479.

Release 4.4.2

Version: "Mont Blanc du Tacul" 4.4.2-1.0.34735. Release date: June 11, 2019.

Improvements

• The database of trusted root certificates for SSL / TLS has been updated. Data sources on mainstream sites which previously failed with a "Server certificate verification failed: issuer is not trusted" error should no longer fail.
• Added an RPC call to control the fallback RPC concentrator polling times.
• DiVA specific
  • Automatic firmware updates can now be enabled via the configuration backup.
  • The NTP server configuration can now be customized via the configuration backup.
• The JavaScript libraries have been updated.
  • jSignage.js updated to version 1.5.2
  • jSignage.Social.js is updated to version 1.3.0
• The timezone database has been updated to version 2018g (was 2018e). Changes affect Volgograd, Fiji and Chile.
• Add support for the <content> tag in Atom RSS feeds.
• Improved location search for the weather widgets and updated the list of providers.
• Improved availability of data for finance widgets.
• Support SharePoint document libraries in the media widgets and spreadsheet widgets.
• Sort Facebook events by start time in the calendar widgets.
• Display videos attached to post in the Yammer widgets.
• Support Outlook online "shared room" calendars in the calendar widgets.
• Support Google Team drives in the media widgets and spreadsheet widgets.
• Optimized the refresh rate of some clock widgets.

Fixed

• Player may reboot and end up in safe mode if none of the media are valid in a playlist.
• Schedule interface may failed to load when the device has been used for a long time, because past event where kept forever. Removing event older than a month to solve this issue.
• RSS app - the RSS source URI is now trimmed.
• USB multi-touch displays using parallel reporting mode did not work.
• A player used as NTP server (i.e. master) did not provide time to its clients during the first five minutes after boot, instead of the documented 50 seconds, degrading time synchronization in video wall setups.
• On the first boot after firmware installation the system time was initialized to 1970 if the RTC battery was discharged and no NTP server was reachable, it is now initialized to the firmware creation time which is closer to reality.
• Configuration file changes were not always comitted to storage and could result in a loss of configuration if a power loss occured shortly after some configuration changes.
• Text color could be incorrect right-to-left text if more than one color is used.
• Columns names with a space inside the name would cause errors in data feeds widgets if used in conditional expression or formulas. Invalid characters in the context of the Javascript expression are now replaced with an underscore.
• Playing background audio did not work.
• Empty rows could be returned at the bottom of a Google spreadsheet.
• The last point in an SVG polyline was discarded.
• Excel data feeds will now return date object for date cells, so date formatting can be applied.
• The minimum refresh time can be set lower for weather widgets. Down to one hour if using the default provider, and to one minute if using a custom API key.
• Version of Facebook REST API updated to 3.2.
• The RSS parser now returns all medias for a news item. It also tries to guess which one offers the best resolution and image quality.
• Interactive buttons will now reliably trigger on the entire area of the button, not just the part that has text.
• OneDrive uses mimetype video/avi instead of video/x-msvideo for avi files.
• Spreadsheet widgets - the column names are now trimmed.

Security

• Fixed the following security vulnerabilities.
  • ntp: CVE-2018-12327, which does not affect the firmware
  • net-snmp: CVE-2018-18065 and CVE-2018-18066, which affect the firmware
  • php: CVE-2018-12882, CVE-2018-14851, CVE-2018-14883, CVE-2016-10712, which affect the firmware, and CVE-2015-9253 and CVE-2018-17082, which do not affect the firmware
  • binutils: CVE-2017-15022, CVE-2017-15020, CVE-2017-15021, CVE-2017-12452, CVE-2017-12456, CVE-2017-12448, CVE-2017-9038, CVE-2017-9039 and CVE-2017-5715, none of which affect the firmware
  • openssl: CVE-2018-0732, which does affect the firmware, and CVE-2018-5407, which does not affect the firmware
  • file: CVE-2018-10360, which does not affect the firmware
  • libsoup: CVE-2018-12910, which does not affect the firmware
  • dhcp: CVE-2018-5732, which does affect the firmware, and CVE-2018-5733, which does not affect the firmware
  • busybox: CVE-2015-9261, which does not affect the firmware
  • util-linux: CVE-2017-2616, which does not affect the firmware
  • libxml2: CVE-2018-14404, which does affect the firmware, and CVE-2018-9251, CVE-2018-14567, CVE-2017-8872, CVE-2017-15412 and CVE-2017-18258, which do not affect the firmware
  • procps: CVE-2018-1122, CVE-2018-1123, CVE-2018-1124, CVE-2018-1125 and CVE-2018-1126, none of which affect the firmware
  • shadow: CVE-2016-6252, which does not affect the firmware
  • elfutils: CVE-2018-16062, CVE-2018-18310, CVE-2018-18520 and CVE-2018-18521, none of which affect the firmware
  • openssh: CVE-2018-15473, which does not affect the firmware
  • curl: CVE-2018-14618 and CVE-2018-16842, none of which affect the firmware
  • avahi: CVE-2017-6519, which affects the firmware.
• A rogue program could escalate its privileges to root due to a missing configuration, this could only be exploited by first exploting another vulnerability allowing to execute an arbitrary program.
• The IoT daemon could crash if the AWS credentials provider returned an error including a prinf-like format string.
• The advanced log configuration could accept log files outside the log directory.

Release 4.4.1

Version: "Mont Blanc du Tacul" 4.4.1-1.0.34124. Release date: December 20, 2018.

Improvements

• Changing the timezone is now immediately effective, a player reboot is no longer required.
• Improved the responsiveness of players connected to ARYA but which cannot establish an MQTT connection due to network policy.

Fixed

• The "Create" and "Schedule" links were missing from the top menu in the content management interface, this was a regression introduced in 4.4.0.
• The order of info and restarted notifications used by players connected to ARYA was backwards, although it had no functional impact.
• If an SSL / TLS error occurred while establishing the initial MQTT connection to ARYA, no retry occurred and the ARYA connection operated in degraded mode (i.e. fallback to periodic polling) till the player rebooted.
• The enrollment daemon could fail to properly reset a retry timeout.
• The IoT services daemon could mishandle some retry timeouts in some rare occasions, potentially resulting in retries being disabled.
• The IoT services daemon would not cancel the automatic refresh of cloud credentials when no longer needed.

Unresolved

• Media app : When creating media sets with no valid media inside, the player reboots and ends up in Safe mode.
• When using Google Drive as channel and searching for a target folder, the list shows all folders, including those located into the trash folder.

Release 4.4.0 build 2

Version: "Mont Blanc du Tacul" 4.4.0-1.0.33984. Release date: November 21, 2018.

Fixed

• DiVA players which were initially installed with firmware 4.0.2 or earlier and then updated could not be used with ARYA as they failed to enroll.

Unresolved

• Media app : When creating media sets with no valid media inside, the player reboots and ends up in Safe mode.

Release 4.4.0

Version: "Mont Blanc du Tacul" 4.4.0-1.0.33975. Release date: November 21, 2018.

New

• DiVA players are now compatible with SpinetiX ARYA (web interface based on SpinetiX cloud infrastructure).
  • The on-screen wizard has been modified to redirect user to ARYA. Default screen after player setup has been modified as well.
  • Added option in DiVA Control Center to choose between ARYA Cloud and built-in web interface.
• Added support for real-time bidirectional communication with the SpinetiX cloud infrastructure, using the MQTT over TLS protocol. The players can automatically and securely enroll to SpinetiX cloud infrastructure when first connected to the Internet. This is currently enabled only on DiVA players.

Improvements

• The player serial number is shown in Control Center home page in addition to the device name (which by default is the serial number, but usually gets changed).
• The player now starts up in the highest possible resolution supported by the attached display before it is configured.
• Added support for using the web page layer within data-driven widgets.

Fixed

• The firmware update splash screen may not be shown and the screen may remain black during a firmware update. Likewise, the shutdown splash screen may not be shown. This issue became more common in firmware 4.3.0, but potentially existed before.
• The NTP statistics page in Control Center shows a bogus server named "=".
• The NTP daemon kiss-of-death packet and rate limiting was not effective due to a misconfiguration; other HMPs using as NTP server an HMP running this firmware and running firmware version earlier than 3.4.3 will not be able to to the initial time synchronization at boot.

Security

• Updated ffmpeg to version 3.4.5, fixing the following security issues: CVE-2018-7557, CVE-2018-7751, CVE-2018-10001, CVE-2018-12458, CVE-2018-13300, CVE-2018-13302, CVE-2018-14394, CVE-2018-14395, CVE-2018-15822.
• The secure random number may have had low entropy in the first few minutes after a firmware re-install, it is now seeded with additional secure material before it is first used for improved security in generating initial security keys.

Developer

Configuration API

• New configuration tags to reset the player content (including cache and web storage data), NTP data, and logs.
• New configuration tags to enable and to reset the ARYA enrollment status for DiVA players.

RPC API

• New "reset" command for the above functionality, with an additional flag to reset to factory default settings.
• Added additional flag "status" in get_info command to obtain the current status of the player (config = unconfigured | wizard | normal), plus the ARYA enrollment status (aryaStatus = unknown | yes | no).
• The pull_status notification following a successful content pull is delayed until that content has been saved into stable storage (thus a power failure would not have any consequences).
• Fixed: Indirect RPC calls may get blocked if there are multiple commands to be sent and one of them is triggering an error. In this case no further commands can be sent. This can be triggered if a pull_status() is not supported by the RPC concentrator, in this case no ready() commands will be sent anymore until the pull_status() is accepted by the concentrator.

Player report

• Added detailed information into system logs about: cloud enrollment (useful in case of enrollment issues at client sites), video modes supported by the attached display, and why the NTP daemon automatically restarts in case of malfunction.

Unresolved

• Media app : When creating media sets with no valid media inside, the player reboots and ends up in Safe mode.

Release 4.3.1 build 2

Version: "Picco Luigi Amedeo" 4.3.1-2.0.33718. Release date: October 18, 2018.

New

• Added support for hardware revision 2. Updated the hwwatchdog component to support new SanDisk eMMCs used for internal storage in hardware revision 2.
• The internal temperature of SanDisk eMMCs used in hardware revision 2 is monitored and periodically logged.
• Firmware packages now explicitly encode the range of supported hardware revisions.
• The internal storage (eMMC) is now permanently protected against unintentional write protect, locking or boot configuration changes (on hardware revision 1 and 2).

Fixed

• A reformat of the content partition on the internal storage would not finish within the boot time limit and put the unit into recovery mode; this was a regression introduced in firmware 4.3.0.
• Handling of some I/O errors on the internal storage (eMMC) was incorrect and could result in a hung system and subsequent reboot.

Unresolved

• Media app : When creating media sets with no valid media inside, the player reboots and ends up in Safe mode.

Release 4.3.1

Version: "Picco Luigi Amedeo" 4.3.1-1.0.33411. Release date: August 20, 2018.

Improvements

• Updated the timezone database to version 2018e (from 2017c) - changes affect São Tomé and Príncipe, Brazil and Palestine.
• Improved crash logs for better diagnostics.

Fixed

The following regressions introduced in 4.3.0 firmware:

• Projects using many fonts could make the player reboot, leading to safe mode.
• Player rebooted when making requests to an HTTP server with NTLM authentication enabled.
• Player could reboot when a time step occurred due to NTP at the moment a display buffers was being dequeued.

Other fixes:

• Clearing the cache or web storage from HMP Control Center > Operations > Reset was not clearing the cache or web storage of the HTML renderer.
• Programs using glib to do HTTPS requests had no access to the CA root certificates database.
• The hardware watchdog component would occasionally log an input/output error message on the mmcblk0rpmb, without any consequence; the root cause for the error message has been fixed.
• On very rare occasions, if ever, the C library may return non-zero'ed memory on calloc(), leading to possible crashes.

Security

The following security vulnerabilities have been fixed:

• CRLF injection vulnerability: URLs with an embedded, non-escaped, carriage return and/or line feed could be used to inject malicious HTTP headers in requests done by the player or Elementi. URLs are now always checked for non-escaped control characters and spaces (including but not limited to carriage returns or line feeds) and escaped when safe to do so or the URLs are otherwise rejected.
• ntp: CVE-2018-7185, CVE-2018-7183, CVE-2018-7184, CVE-2018-7170 and CVE-2018-7182, none of which affects the firmware
• kernel: CVE-2016-0821. SpxJIRA:GEN-1240
• php: CVE-2018-5711, CVE-2018-5712, CVE-2018-7584, CVE-2018-10546, CVE-2018-10547, CVE-2018-10549, which may affect the firmware and CVE-2018-10545 and CVE-2018-10548, which do not affect the firmware.
• glibc: CVE-2017-16997, CVE-2017-1000409, CVE-2017-1000408, CVE-2015-5229; none of which affect the firmware.
• libcurl: CVE-2018-1000007, CVE-2018-1000120, CVE-2018-1000121, CVE-2018-1000122, CVE-2018-1000300, CVE-2018-1000301; none of which affect the firmware
• dhcp: CVE-2017-3144, which does not affect the firmware
• ncurses: CVE-2017-13733 and CVE-2018-10754; none of which affect the firmware
• openssh: CVE-2016-10708, which does not affect the firmware
• gnutls: CVE-2015-0282, which does not affect the firmware
• openssl: CVE-2018-0737, which does not affect the firmware
• libsoup: CVE-2017-2885, which affects the firmware
• libxml2: CVE-2016-9318, CVE-2017-7375 and CVE-2017-5130, which may affect the Elementi; CVE-2017-7376, which does not affect the firmware.

Unresolved

• Media app : When creating media sets with no valid media inside, the player reboots and ends up in Safe mode.

Release 4.3.0 build 2

Version: "Picco Luigi Amedeo" 4.3.0-2.0.33118 . Release date: June 11, 2018.

Fixed

The following regressions introduced in 4.3.0 firmware:

• Activating serial port automation, in simple or advanced mode, causes the player to restart in safe mode.
• The CPU load indicator in the main Control Center page always shows "UNKNOWN".
• Changing settings in Control Center may incorrectly show "audio config change" as the reboot reason.

Unresolved

The following regressions were introduced in 4.3.0 firmware:

• Media app : When creating media sets with no valid media inside, the player reboots and ends up in safe mode.
• Projects using many fonts could make the player reboot, leading to safe mode.
• Player reboots when making requests to an HTTP server with NTLM authentication enabled.

Release 4.3.0

Version: "Picco Luigi Amedeo" 4.3.0-1.0.33060. Release date: June 1, 2018.

Unresolved

• Enabling Serial Port Automation (simple or advanced) causes the HMP to reboot in Safe mode. We are actively working on a solution for this regression introduced in the 4.3.0 firmware - in the meantime, the only workaround is to disable the Serial Port Automation.

Major features

• New secure shared variable network API based on RFC8323 (CoAP REST API over TLS-PSK).

Control Center and configuration

• The web server now supports TLS-SRP authentication from capable HTTP clients, the username and password are the same as for regular HTTP authentication.
  • When updating from firmware 4.2.3 or earlier, or after restoring a configuration backup made on firmware 4.2.3 or earlier, the user passwords need to be reset for TLS-SRP to be activated.
  • The configuration backup syntax has been extended to save the TLS-SRP verifier for users, in addition to the normal password hash.
  • The 3072-bit group from the TLS-SRP RFC 5054 is used for all users.
• The WebDAV over plain HTTP on port 81 is now disabled by default. When upgrading from previous firmware versions it will be left open to ensure backwards compatibility. This can be adjusted from Control Center.
• New simplified process to set up Shared Variable server in multi screen environment using a configuration file generated by a wizard in Control Center, this file can then be simply applied on all clients.
• New "default" Shared Variable server setting enabling multi-screen content to be easily deployed on multiple sites.
• Added a REST-like HTTP API for accessing Web Storage and Shared Variables for better compatibility with third party systems.
  • This allows external systems to easily push, update, retrieve and delete variable values on the HMP via HTTP POST, PUT, GET and DELETE requests.
  • It supports HTTP basic and bearer authentication, as well as TLS-SRP authentication.

Embedded content management interface

• New smart parsing of user input for the location to support city ID, ZIP code and GPS coordinates in the weather app.

Widgets

• Added support for the new and improved widgets in Elementi 2018.

Minor features / improvements

Security

• Strengthened secure HTTP (i.e., HTTPS, SSL / TLS) configuration on embedded web server.
  • TLSv1.0 and TLSv1.1 are no longer supported, minimum version is TLSv1.2. Note that the SSLv3 and earlier protocols were already disabled.
  • Forward secrecy is now always required.
  • Triple-DES (subject to the Sweet32 TLS vulnerability) and Camellia encryption algorithms are no longer supported.
  • Diffie-Hellman Ephemeral key exchange (DHE) is no longer supported, only Elliptic Curve Diffie-Hellman Ephemeral key exchange (ECDHE) is supported.
  • The list of enabled ciphers mostly matches the "modern" list from Mozilla recommendations, with the addition of some AES ciphers from the "intermediate" list for increased compatibility.
  • The minimum required versions for HTTP clients for using secure HTTP are as follows.
    • Firefox 27 (Windows XP SP2 or later, Windows Server 2003 SP1 or later, Mac OS X 10.6 or later, Linux)
    • Chrome 30 (Windows Vista or later, Windows Server 2008 or later, Mac OS X 10.6 or later)
    • IE 11 (Windows 7 and later, Windows Server 2008 R2 or later, Windows Phone 8.1 or later)
    • Edge (Windows 10 - all versions)
    • Opera 17 (Windows Vista or later, Windows Server 2008 or later, Mac OS X 10.6 or later)
    • Safari 7 (Mac OS X 10.9 or later)
    • Android 5 or later
    • iOS 5 or later
    • Java 8
    • Java 7 if TLS 1.2 support is manually enabled (it is disabled by default)
• Updated many of the JavaScript libraries used in the embedded web interface.
• Password hashes compatible with HTTP digest authentication are now saved when setting a user password, they are now also included in the configuration backup.
• Bonjour and UPnP advertisements now include information about TLS-SRP being enabled or not.
• The hash of user passwords in now encrypted in the configuration backup for increased security, using the same mechanism as other configuration secrets.
• Support for "catch all" saved password (i.e. saved passwords with an empty Server URI) has been removed for improved security.
  • If present from a previous configuration, they will be ignored and no longer used.
  • If present, they should be replaced by entries with the appropriate Server URIs or removed entirely.
  • Control Center no longer accepts saved passwords with an empty Server URI, if any such entries are present they need to be removed before modifying or adding entries.
  • Attempting to restore a configuration backup containing "catch all" saved passwords generates a verification error, the configuration backup needs be generated again after removing these saved passwords in Control Center or edited by hand.

Control Center and configuration

• Improved error notification the the user when credential are not entered correctly.
• Add support to enable/disable plain HTTP content web server in Control Center.
• The configured audio output target (HDMI or line-out) is now saved in the configuration backup file.
• Log format for the Player logs have been simplified.
• Report now includes complete video output timings for improved support.
• Updated timezone database to version 2017c (was 2017b). Affected timezones are Northern Cyprus, Fiji, Namibia, Sudan, Tonga, Turks & Caicos.

Embedded content management interface

• Added an "Un-select all" button in the media selection.

Network

• Updated the public domain name suffixes list.
• Make the user-agent header, sent when doing requests to external HTTP servers, more similar to browsers to improve compatibility.
• Use conditional HTTP GET instead of HEAD for improved compatibility with modern web services.
• Properly support IPv6 literal addresses in URIs.
• New spx:customHeaders attribute for all media elements. Can be used to display media from servers using HTTP headers based authentication.

Pull Mode

• Added new WebDAV properties for the download of the project: download-src props. If specified this source will be used to download the file instead of using the target location to determine the source file.

Widgets

• Use REST API for Google sheets and calendar feeds to improve response time and reliability.
• Upgrade Facebook API version and reflect new data access limitations decided by Facebook.
• Make sure that media folder widgets renew authorization tokens for medias as needed and download media files according to chosen refresh policy.
• Make media folder widgets work as expected with cloud sources, using default slide duration for images.

Libraries

• Updated live555 to version 2017.10.28.
• Updated FFmpeg to version 3.4.2.
• Updated neon to version 0.30.2.
• The JavaScript libraries have been updated.
  • The jSignage.Weather.js library is updated to version 1.0.3
  • The jSignage.QRCode.js library is updated to version 1.1.2
  • The jSignage.js library is updated to version 1.5.0
  • The jSignage.Social.js library is updated to version 1.2.0
  • New jSignage.UI.js library, version 1.0.0

Bug fixes

• Updated the eMMC driver in the kernel, solving some rare bugs and improving error recovery.
• The report could fail to correctly extract the product signature.
• In some cases, when using static IP address configuration, the web server could fail to bind to IPv6, which could result on connection refused errors when accessing it from a web browser.
• Renamed default playout to Horizontal and Vertical to avoid confusion.
• Cleanup and update to their latest version of the internal JavaScript libraries.

Security

• Fixed the following security vulnerabilities.
  • Linux kernel: CVE-2017-17558, which may affect the firmware.
  • Apache httpd: CVE-2017-9798, which does not affect the firmware
  • PHP: CVE-2017-16642, which may affect the firmware
  • Busybox: CVE-2017-15873 and CVE-2017-16544, none of which affect the firmware
  • icu: CVE-2017-14952, which may affect the firmware
  • libxml2: CVE-2017-16932, which may affect the firmware
  • binutils: CVE-2017-9954, CVE-2017-12799, CVE-2017-12451, CVE-2017-9753, CVE-2017-9754, CVE-2017-9756, CVE-2017-9751, CVE-2017-9750, CVE-2017-9746, CVE-2017-9747, CVE-2017-9742, CVE-2017-9744, CVE-2017-9749, CVE-2017-12967, CVE-2017-9955, CVE-2017-12449, CVE-2017-12455, CVE-2017-12457, CVE-2017-12458, CVE-2017-12459, CVE-2017-9745, CVE-2017-9752, CVE-2017-9748, CVE-2017-8393, CVE-2017-14130, CVE-2017-14129, CVE-2017-8395, CVE-2017-9040, CVE-2017-9042, CVE-2017-8394, CVE-2017-8393 and CVE-2017-13710, none of which affect the firmware.
  • p7zip: CVE-2017-17969, which may affect the firmware.
• Two PHP scripts (i18njs.php and timezones.php) did not require authentication; although these scripts do not allow to modify anything nor retrieve sensitive data, they now require authentication as all other PHP scripts.

Pull Mode

• If a query string is specified in the resource href for the XML database, then it is now also used to fetch the resource on the server.

Widgets

• Handle square brackets inside formatted data fields.
• Conditional formatted data field cannot use column names that are reserved JavaScript keywords.
• Alignment of text block in a text area should not change the way right-to-left text is rendered.
• Charset part of the content-type is not correctly interpreted for XHR responses.
• Q, q and e LDML date formatting not behaving as documented.
• Slide duration override for indefinite duration layers in playlist widgets.
• Avoid exception thrown when URL is too big for a QR code in Facebook widgets.
• Improve stability of the opening hours widget.
• Make spreadsheet widgets resilient to empty cells in Google sheets.

Release 4.2.3

Version: "Dufourspitze" 4.2.3-1.0.31922. Release date: 7 Dec. 2017.

Known issues

• Data feed content is not displayed and there are "Server certificate changed: connection intercepted?" error messages present in the player log - this might arrive when dealing with multiple servers hosted in a farm, as is the case for Google. A quick workaround is to republish the project or restart the player.
• In the static IPv6 configuration, using an IPv6 gateway address which is not in the local network is invalid, but accepted by Control Center. Such a configuration results in an incompletely initialized network after reboot. Make sure the IPv6 gateway address is in the same subnet as the assigned IPv6 address or is otherwise a link-local address.

Backward compatibility issues

Please check the release notes of version 4.2.0.

Minor features / improvements

Control Center and configuration

• It is now possible to completely disable Bonjour (mDNS). In the configuration backup, this is controlled by the new <bonjour-enabled> element.
• It is now possible to disable IPv6 auto-configured addresses (i.e. stateless address autoconfiguration, a.k.a. SLAAC). In the configuration backup, this is controlled by the new <disable-slaac> element.
• It is now possible to specify a static IPv6 configuration. In the configuration backup, this is controlled by the new <ethernet-v6-none> and <ethernet-v6-static> elements.
• DNS configuration has been reorganized to properly support static IPv6 configurations.
  • IPv6 address are now accepted for DNS servers.
  • The DNS configuration is now independent of the IPv4 configuration. A DNS configuration can now be "automatic" or "manual".
  • An "automatic" DNS configuration will use the DNS settings retrieved via any automatic IPv4 / IPv6 configuration mechanism (currently only IPv4 DHCP), if no automatic IPv4 / IPv6 configuration is active the resulting DNS settings will be empty.
  • A "manual" DNS configuration will use the DNS settings provided by the user, overriding any settings obtained via any automatic IPv4 / IPv6 configuration mechanism.
  • During a firmware update previous DHCP IPv4 configurations will be converted to "automatic" DNS and previous static IPv4 configurations will be converted to "manual" DNS, keeping the same user settings.
  • Consequently, the syntax of the configuration backup has changed as well. It is controlled by the <dns-automatic> and <dns-manual> elements. The older syntax is still accepted for backwards compatibility.

• The JavaScript libraries have been updated.
  • The Finance widgets were no longer working since Yahoo! retired its Financial services. The data source has been replaced with the AlphaVantage provider. Existing projects that were using Yahoo! should transparently switch to the new data source, newly created projects will explicitly use the new data source.

Miscellaneous

• Include dump of IPv6 routes in report for better diagnostics.

Bug fixes

• The UPnP and Bonjour discovery settings were not saved for the recovery console configuration.
• Uploading a backup without live-source on a player with a configured live source may cause an internal web server error.

Security

• Fixed the following security vulnerabilities.
  • Linux kernel: CVE-2017-14106, which likely did not affect the firmware.
  • Apache httpd: CVE-2016-2161, CVE-2016-8743, CVE-2017-3169 and CVE-2017-7679, which may all affect the firmware; and CVE-2016-0736, CVE-2017-7668, CVE-2017-3167 and CVE-2017-9788, none of which affect the firmware.
  • PHP: CVE-2017-9224, CVE-2017-9226, CVE-2017-9227, CVE-2017-9228, CVE-2017-9229, CVE-2016-10397 and CVE-2017-7890, which may all affect the firmware; and CVE-2017-11143, CVE-2017-11147 and CVE-2017-11628, none of which affect the firmware.
  • OpenSSL: CVE-2017-3735, which may affect the firmware.
  • glibc: CVE-2015-5180 and CVE-2017-12132, which may all affect the firmware; and CVE-2014-9984, which does not affect the firmware.
  • libxml2: CVE-2017-5969, which does not affect the firmware.
  • sqlite3: CVE-2017-10989, which does not affect the firmware.
  • expat: CVE-2017-9233 and CVE-2016-9063, both of which may affect the firmware.
  • gcrypt: CVE-2017-7526, which may affect the firmware.
  • libtasn1: CVE-2017-10790, which may affect the firmware.
  • ncurses: CVE-2017-10684, CVE-2017-10685, CVE-2017-11112 and CVE-2017-11113, none of which affect the firmware.
  • util-linux: CVE-2015-5224, which may affect the firmware.
  • curl: CVE-2017-1000100, which does not affect the firmware.
  • shadow: CVE-2017-12424, which does not affect the firmware.
  • binutils: CVE-2017-7302, CVE-2017-7300, CVE-2017-7614, CVE-2017-7301, CVE-2017-7299 and CVE-2017-12451, none of which affect the firmware.

• The JavaScript libraries have been updated to support fix a few issues.
  • The creation date and time of Twitter posts was not correctly parsed.
  • Date fields from data feeds were not being correctly parsed in multi-screen projects.
  • The moment.js timezone database version did not match the firmware's system timezone database (2017b).

Other

• Secure discards request to the storage were being issued as regular discard requests.

Release 4.2.2

Version: "Dufourspitze" 4.2.2-1.0.31510. Release date: 13 Sept. 2017.

Backward compatibility issues

Please check the release notes of version 4.2.0.

Minor features / improvements

• Updated timezone data to 2017b (was 2016j). Affected timezones are Mongolia, America/Punta_Arenas and Haiti.

Control Center and configuration

• It is now possible to use Bonjour host names (i.e. of the host.local form) for NTP servers; this allows to use the host names of another HMP as (e.g., spx-hmp-001d5020001a.local) NTP server and obtain reliable time synchronization.
• The auto-generated self-signed secure HTTP certificate is now persistent across firmware re-installs and resets to factory defaults, making it easier to maintain browser exceptions for untrusted self-signed certificates.
• The initial synchronization to NTP servers at boot now always uses all configured NTP servers, previously only NTP servers specified by IP address and the last NTP server specified by hostname was used for initial synchronization; in all cases all servers were used for synchronization after boot.
• It is now possible to disable Bonjour based device discovery of the player; this is controlled in the Network page of Control Center and via the backup, using <bonjour-discovery-enabled>yes</bonjour-discovery-enabled> or <bonjour-discovery-enabled>no</bonjour-discovery-enabled>. The use of Bonjour hostnames (e.g., spx-hmp-001d5020001a.local) from other devices as well as resolution of Bonjour hostnames always remains enabled.
• Server certificates in PKCS#12 and PFX form can now be imported.
• Server certificates in PEM form with an encrypted key can now be imported.
• The device report file now includes the most-recently-used list for NTP to aid in diagnostics.
• The device report file now includes a dump of extended eMMC registers to aid in diagnostics.
• The device report file now includes augmented file information data to aid in diagnostics.

Embedded content management interface

• It is now possible to include the published Elementi project and other liver sources into playlists.

Bug fixes

• Accessing the embedded web server via secure HTTPS and using a hostname with a trailing dot would result in a "400 Bad request" error.
• Incorrect parsing of URLs with a fragment part could prevent using them.

Control Center and configuration

• Reboot is not detected when enabling redirection from insecure HTTP to secure HTTP.
• The device report file included the hashed user passwords, although they are protected with a salt the information could be used to mount dictionary attacks. This data is no longer included in the device report file.
• The embedded web server could occasionally return a "500 Internal Server Error" or garbled responses including a trailing HTML error document when applying some configuration changes.
• When the "Web storage" is reset the database is re-created with wrong permissions, which prevents the use of web storage from the content creation interface.
• When restoring the default content the "Web storage" data was not being removed.
• The device report file did not include the NTP drift file.
• The EULA had an extraneous extra newline.
• When both insecure HTTP and secure HTTPS are disabled via a backup file Control Center would show an incorrect entry under Server Security before the unit was rebooted to apply the new configuration.
• The screen aspect ratio under Display was being ignored and 16:9 was always assumed. This entry has now been removed and a square pixel aspect ratio is assumed by the player, making it easier to use screens which do not have a 16:9 aspect ratio.
• A browser error could be displayed when activating a server certificate just after importing it.
• Modification of security settings or via RPC the changes were not applied until next reboot, they are now applied immediately as it was already the case when changing them via Control Center.
• Activating a server certificate that has spaces or other special characters in the subject's Common Name would make the player unbootable, requiring a reset to factory defaults to recover.
• It was possible to create users with names including special characters that would either break the web interface or cause the player to restart in recovery mode, names are now fully validated before being accepted.

Embedded content management interface

• Some schedules could cause the player to reboot in a loop and end in recovery mode, this was a regression introduced in 4.2.0.
• The scheduling interface could create malformed schedules.
• An unexpected warning "access denied to view project" is shown to DiVA users when editing a playlist
• Fixed some incorrect translations of error messages.
• Miscellaneous UI fixes.
• When the display was configured for a vertical orientation an image or video directly inserted in the schedule (i.e. not in a playout or playlist) would display in small size surrounded by black borders.

Security

• Fixed the following security vulnerabilities.
  • NTP updated from 4.2.8p9 to 4.2.8p10 fixing the following security vulnerabilities: CVE-2016-9042, which affects the firmware, and CVE-2017-6464, CVE-2017-6462, CVE-2017-6463, CVE-2017-6458, CVE-2017-6451 and CVE-2017-6460, of which none affect the firmware.
  • In PHP: CVE-2016-9933, CVE-2016-9138, CVE-2016-10158, CVE-2016-10161, CVE-2017-7272, CVE-2016-5399 and CVE-2016-7478, which all affect the firmware, and CVE-2014-9912, CVE-2016-9137, CVE-2016-9935, CVE-2016-9934, CVE-2016-10160, CVE-2016-10159, of which none affect the firmware.
  • In glibc: CVE-2016-1234, CVE-2016-3706, CVE-2016-4429, CVE-2016-5417, CVE-2015-8982, CVE-2015-8983 and CVE-2015-8984, which may affect the firmware, and CVE-2014-4043, CVE-2016-3075 and CVE-2016-6323, of which none affect the firmware.
  • In pcre: CVE-2015-3217, CVE-2017-7186, CVE-2017-7245, CVE-2017-7244 and CVE-2017-7246, which all affect the firmware.
  • In OpenSSH: CVE-2016-10009, CVE-2016-10011, CVE-2016-10012 and CVE-2016-1908, which do not affect the firmware.
  • In libgcrypt: CVE-2016-6313, which affects the firmware, and CVE-2014-3591, which does not affect the firmware.
  • In OpenSSL: CVE-2017-3731 and CVE-2016-7056, which do not affect the firmware.
  • In bash: CVE-2016-7543, CVE-2016-9401 and CVE-2016-0634, none of which affect the firmware.
  • In libpng: CVE-2016-10087, which appears to not affect the firmware.
  • In binutils: CVE-2014-9939, CVE-2017-6965, CVE-2017-6966, CVE-2017-7210, CVE-2017-7223, CVE-2017-7225, CVE-2017-7224, CVE-2017-7226 and CVE-2017-7227, none of which affect the firmware.
  • In FreeType: CVE-2016-10244, CVE-2016-10328, CVE-2017-8105 and CVE-2017-8287, all of which affect the firmware.
  • In busybox: CVE-2014-9645, which does not affect the firmware.
  • In libevent: CVE-2016-10195, CVE-2016-10196 and CVE-2016-10197, none of which affect the firmware.
  • In GnuTLS: CVE-2017-6891, which may affect the firmware, and CVE-2017-5335, CVE-2017-5336, CVE-2017-5337 and CVE-2017-7869, which appear to not affect the firmware.
  • In curl: CVE-2017-7407, which does not affect the firmware.
  • In libxml2: CVE-2017-9047, CVE-2017-9048, CVE-2017-9049, CVE-2017-9050, CVE-2017-0663, which all affect the firmware.
  • In elfutils: CVE-2017-7611, CVE-2017-7610, CVE-2017-7613, CVE-2017-7612, CVE-2016-10255 and CVE-2016-10254, none of which affect the firmware.
  • In ZLib: CVE-2016-9840 and CVE-2016-9841, which affect the firmware, and CVE-2016-9842 and CVE-2016-9843, none of which affect the firmware.
  • In ICU: CVE-2017-7867, CVE-2017-7868 and CVE-2014-9654, which affect the firmware.

• Security related
  • The directory permissions for persistent data, holding encryption secrets, were not restricted; although access to this area from untrusted parts of the system is anyhow not allowed, strengthening the permissions increases the protection.
  • Likewise, the protection of the configuration encryption key has been increased.

Release 4.2.1 build 2

Version: "Dufourspitze" 4.2.1-2.0.31256. Release date: 18 July 2017.

Known issues

• The player might end up in Recovery mode when scheduling an asset like this: first click on the schedule panel to create a new block, then drag & drop the asset on top of the right-side block. The workaround is to just drag & drop the asset directly into the schedule panel instead. This is a regression introduced in 4.2.0 firmware.

Backward compatibility issues

Please check the release notes of version 4.2.0.

Bug fixes

• Fixed the following security vulnerabilities.
  • Linux kernel: CVE-2017-1000364 and CVE-2017-6214.
  • glibc: CVE-2017-1000366 (from analysis it seems this issue was not exploitable in the HMP/DiVA).
• Weather forecasts from OpenWeatherMap could fail to update due to request limiting, access to OpenWeatherMap has been changed in updated jSignage version to eliminate this problem.
  • jSignage.Social.js updated to version 1.1.1 to fix this issue.
  • jSignage.Weather.js updated to version 1.0.2 to fix this issue.

Release 4.2.1

Version: "Dufourspitze" 4.2.1-1.0.31128. Release date: 17 May 2017.

Backward compatibility issues

Please check the release notes of version 4.2.0.

Bug fixes

Web Interface

• A Playout scheduled in the past is wrongly displayed. Playout without recurring rules, where displayed as if a daily recurring rule was set without any ends date. This had the effect that events scheduled in the past may be displayed in the screen.
• Overlapping event may not be displayed. If an event A without recurring rule was displayed on the same time as an event B with recurring rule and event B was ending after event A, then event A was not displayed at all on the screen unless the schedule was saved while event A was active.
• Event scheduled for tomorrow may not be displayed. If an event (without recursing rules) is scheduled for tomorrow, and there is nothing else in the schedule, then the vent will not be displayed unless the player is restarted on the day of the event.
• The last event in the schedule may play forever. If an event without recurring rule was set in the schedule and then the schedule is empty, this last event will be displayed until the player is restarted or the schedule is saved again.

Release 4.2.0

Version: "Dufourspitze" 4.2.0-1.0.30965. Release date: 6 April 2017.

Known issues

• The content scheduling tool might select the wrong asset to be displayed on the screen, instead of the one that is scheduled for the current time. The workaround for this issue is to remove the assets scheduled in the past. This is a regression introduced in 4.2.0 firmware.

Backward compatibility issues

• Cross-origin requests on the /rpc and /info endpoints of the embedded web server now require an API key to be provided.

Major features

Web Interface

Applies to HMP300 and HMP350.

• You can add a custom HTML interface by including a simple index.html page or an "interface" folder (containing an index.html, plus some other files, like css, scripts, etc.) within your published project.
• You can upload archived Elementi projects as media elements within the content management application - this allows to easily add richer and more powerful content in playouts. User editable text properties can be edited directly in the content creation tool.

Control Center

• It is now possible to install SSL certificates for the embedded HTTP server, allowing reliable and secure use of HTTPS.
• Added the security settings for the embedded web server to harden the device security. Note that Elementi versions before 2017 (a.k.a. 4.2.0) cannot publish to devices automatically discovered if insecure HTTP is redirected or disabled.
  • Always redirect accesses via insecure HTTP (i.e. plain HTTP) to secure HTTP (i.e. HTTPS).
  • Entirely disable insecure HTTP but allow access via secure HTTP.
  • Disable both insecure and secure HTTP. This can only be enabled via RPC or a configuration file since the device can only be controlled via pull-mode RPC after this is enabled.
  • Use of insecure HTTP, as well as secure HTTP, is allowed (default).
• Added the possibility to disable the secondary Ethernet port of the HMP350 for security purposes, this disables the switch functionality.
• Saved passwords and other secrets are no longer stored in plain-text in the configuration backup. They are now always encrypted using strong AES-256 encryption.
  • The encryption key is, by default, different on each device. This means that, by default, a configuration backup from one player cannot be restored on another one.
  • Users can set a passphrase that can be shared among players if needed; a configuration backup of one player can be restored on another one if the same passphrase has been set on both.
  • The user passphrase is not stored, it is only used to derive the encryption key in an irreversible way.
  • The encryption key is stored in the new persistent data storage area and hence a backup can be restored even after a reset to factory defaults or firmware reinstall.
  • The encryption key is never exported from the device, so it stays secure.
• Heightened protection against cross-site request forgery (CSRF) attacks on Control Center.
• Cross-origin requests on the /rpc and /info endpoints of the embedded web server now require an API key to be provided or are otherwise rejected. This is done to prevent possible CSRF attacks. This is a non-backwards compatible change, users of cross-origin requests need to enable the API key via Control Center and add the API key to their requests.

Minor features / improvements

Web Interface

• Improved the Schedule UI with a "clear" button that completely removes all schedule data to make it easier to reset it.
• Synchronized projects are now supported by the scheduling interface, one can schedule a synchronized project and it will display synchronously as intended.

Control Center

• Control Center configuration menu HTTPS has been renamed to Trusted Certificates.
• Passwords are no longer included when loading the Saved Passwords page of Control Center, increasing the security of saved passwords.
• Changed the default debug log format to include milliseconds in the timestamps.
• Renamed the /snapshot/snapshot and /snapshot/info URL paths to /status/snapshot and /status/info, solving an issue were these monitoring pages requested a password even if monitoring protection was disabled from the Security page. The old URL paths continue to work for backwards compatibility but remain affected by this issue.

Channels

• Added support for Microsoft Online accounts.
• Added support for Facebook accounts.
• Added support for Instagram accounts.

JavaScript

• In jSignage, added a spx:maxChars attribute to json-string properties to be able to enforce a maximum length.
• JavaScript function propFindURL now accepts a depth parameter of "infinity" for recursive listing of remote folders.
• The JavaScript libraries have been updated to support new functionality.
  • jSignage.js updated to version 1.4.0, exposing new APIs.
  • jSignage.Social.js updated to version 1.1.0, exposing new APIs.
  • jSignage.QRCode.js updated to version to 1.1.1, exposing new APIs.
  • jSignage.Multiscreen.js updated to version 1.0.2, exposing no new APIs.

Misc

• A new persistent data storage area has been introduced which retains private data persisted across resets to factory defaults and firmware re-installs. This persistent data storage can be reset, erasing all its data, from within the recovery console with the new "reset-persistent-data" configuration change command.
• The HDMI CEC implementation has been significantly changed, increasing power management and reporting compatibility with displays that are sensitive to message timing or do not implement some CEC features.
• The Bonjour announcements now include an extra TXT record, "fqdn", that provides the server name that is to be used for secure HTTP (i.e. https) connections to the device.
• The DeviceInfo variable in UPnP announcements now contains "name" and "fqdn" properties for improved discovery via UPnP.
• The processor unique ID is now included in the report for improved diagnostics.
• Add per-port Ethernet carrier, speed and duplex values in the report for improved diagnostics.

Bug fixes

Web Interface

• When a user was not already logged, the login page always redirect to / regardless of the URI entered by the user.
• It was possible to create an apps with a very long name, breaking the UI of the content creation interface.
• User fonts, contained in an Elementi project, could fail to load or be refreshed when using the scheduling interface (HMP300 and HMP350).

Control Center

• Placeholder values, such as "[serial]", in the pull mode schedule URI would not be kept as-is in the configuration backup, preventing sharing of configuration backups between players.
• Network tile stays in "Checking..." state indefinitely under some special conditions.
• Wrong error message when the user mistypes an old password.
• A network address would show up in the welcome screen of an unconfigured player when no network cable was plugged.
• An error was shown in the logs when not using the scheduling interface, although that is not an error.
• Control Center did not request a restart when the device name is changed, although it is required.
• The UPnP enable / disable option was not reset on a reset to factory defaults.

Security

• Fixed the following security vulnerabilities.
  • NTP updated from 4.2.8p8 to 4.2.8p9 fixing the following security vulnerabilities: CVE-2016-7431, CVE-2016-7434 and CVE-2016-7433, which all affect the firmware and CVE-2016-9311, CVE-2016-9310, CVE-2016-7427, CVE-2016-7428, CVE-2016-9312, CVE-2016-7429 and CVE-2016-7426, which do not affect the firmware.
  • In PHP: CVE-2015-6835, CVE-2016-4539, CVE-2016-4543, CVE-2016-4542, CVE-2016-4544, CVE-2015-8865, CVE-2016-4070, CVE-2014-9767, CVE-2015-4603, CVE-2015-8867, CVE-2015-4602, CVE-2015-3411, CVE-2015-3412, CVE-2015-4598, CVE-2015-8877, CVE-2015-8873, CVE-2015-8876, CVE-2015-8874, CVE-2016-5385, CVE-2016-5766, CVE-2016-5767, CVE-2016-6128, CVE-2016-5771, CVE-2016-5773, CVE-2016-3132, CVE-2016-5768, CVE-2016-5094, CVE-2016-5095, CVE-2016-5096, CVE-2016-6288, CVE-2016-6289, CVE-2016-6290, CVE-2016-6292, CVE-2016-6291, CVE-2016-6297, CVE-2016-7124, CVE-2016-7414, CVE-2016-7126, CVE-2016-7127, CVE-2016-7128, CVE-2016-7411, CVE-2016-7417, CVE-2016-6207, CVE-2016-7568, CVE-2015-8935 and CVE-2016-7125, which may all affect the firmware and CVE-2016-4071, CVE-2015-6834, CVE-2016-4538, CVE-2016-4537, CVE-2016-4541, CVE-2016-4540, CVE-2016-4342, CVE-2016-2554, CVE-2016-4343, CVE-2015-6837, CVE-2015-6838, CVE-2015-4642, CVE-2015-4600, CVE-2015-4599, CVE-2015-8866, CVE-2015-5589, CVE-2015-8838, CVE-2015-8835, CVE-2016-3185, CVE-2015-8878, CVE-2015-4116, CVE-2013-7456, CVE-2016-5093, CVE-2016-5772, CVE-2016-5769, CVE-2016-5114, CVE-2016-6294, CVE-2016-6295, CVE-2016-7129, CVE-2016-7413, CVE-2016-7412, CVE-2016-7416, CVE-2016-7418, CVE-2016-7130, CVE-2016-7131 and CVE-2016-7132, which do not affect the firmware.
  • In Apache httpd: CVE-2016-5387, which affects the firmware.
  • In libxml2: CVE-2016-4447, CVE-2016-4448, CVE-2016-1762, CVE-2016-4449, CVE-2016-4483 and CVE-2016-5131, which may all affect the firmware and CVE-2015-6837 and CVE-2015-6838, which do not affect the firmware.
  • In OpenSSL: CVE-2016-8610, which affects the firmware.
  • In expat: CVE-2016-4472, CVE-2012-6702, CVE-2016-5300 and CVE-2016-0718, which may all affect the firmware.
  • In ibidn: CVE-2016-6261, CVE-2015-8948, CVE-2016-6262 and CVE-2016-6263, which may all affect the firmware.
  • In FreeType: CVE-2014-9747 and CVE-2014-9746, which may affect the firmware.
  • In fontconfig: CVE-2016-5384, which does not affect the firmware.
  • In busybox: CVE-2016-2148, CVE-2016-2147 and CVE-2016-6301, which does not affect the firmware.
  • In bzip2: CVE-2016-3189, which does not affect the firmware.
  • In OpenSSH: CVE-2016-8858 which affects the firmware and CVE-2016-6515, CVE-2016-6210 and CVE-2016-5615, which do not affect the firmware.
  • In util-linux: CVE-2016-5011, which affects the firmware.
  • In tar: CVE-2016-6321, which may affect the firmware.
  • In libtasn1: CVE-2016-4008, which affects the firmware.
  • In curl: CVE-2016-5419, CVE-2016-5420, CVE-2016-5421, CVE-2016-7141, CVE-2016-7167, CVE-2016-8615, CVE-2016-8616, CVE-2016-8617, CVE-2016-8618, CVE-2016-8619, CVE-2016-8621, CVE-2016-8622, CVE-2016-8623, CVE-2016-8624 and CVE-2016-9586, which do not affect the firmware.
  • In kernel: CVE-2016-5195 ("Dirty COW"), which affected the firmware although it could not be directly exploited.

JavaScript

• Error messages related to social data feeds now clearly identify the type of service or source with which their is a problem.
• When using jSignage, the search by ID search with a context did not work.

Misc

• Edge blending gradients were not being displayed.
• Support for Enhanced AC3 (EAC3) audio codec in combination with streaming.
• An error was being logged when an index.m3u8 file was not present on network sources, although this is not an error.
• A deadlock may occur in SPXThreadPool when shutting down.
• A crash may occur on H.264 video streaming with a GOP of 1 and no access unit delimiters or with frames larger than 2 MB.
• Detect .ts and .mkv video files with MPEG4 ASP video content and prevent them from being imported into a project since it is not a supported format combination.
• Stock symbols with digits in the symbol name were not accepted in the Yahoo finance widget.
• Fixed an issue in libxml2 which could cause a player crash and reboot.
• Updated timezone data to 2016j (from 2016d). Affected timezones are Africa/Cairo, Asia/Novosibirsk, Asia/Novokuznetsk, Turkey, Asia/Gaza and Asia/Hebron, Pacific/Tongatapu, Cyprus, Asia/Famagusta, Antarctica/Casey, Europe/Saratov.
• UPnP based discovery was not functioning correctly because the SpxHmp service descriptor could not be retrieved, it returned a "not found" error.
• The UPnP announcement included info about content server in models that do not have one.
• A race condition could could cause the uploader service to crash when cockpit is used, causing a player reboot.
• It was not possible to include the spx-api.js file without also including the language js file.
• A ticking sound could be heard on the audio output when the display resolution was set to 720p.
• During a hard power-off from the push button (button left pressed between 5 and 30 seconds) could crash or hang the player.
• Temperature info was missing from Status API.

Release 4.1.2

Version: "Grandes Jorasses " 4.1.2-1.0.30197. Release date: 14 Dec 2016.

Known issues

• The SSL/TLS self-signed certificate is not included in the configuration backup.

Backward compatibility issues

Please check the release notes of version 4.1.1.

Minor features / improvements

Widgets

• Updated jSignage.Social.js to 1.0.3
• Added support for the new "more than 140 characters" tweeter API.

Interface

• Added support for 1,2,3,4,5 and 10 lines of text in the RSS, Text and message apps.

Bug fixes

• HTML pages were not displayed due to an incorrect directory permission. This was a regression introduced in 4.1.1-1.0.30077.
• The connection to Cockpit would stop working after 50 days of uptime. This was a regression introduced in 4.1.0-1.0.29614.
• The error pages referenced the Google fonts and would take a long time to load when not connected to the Internet.
• The appearance of the logo in the login page was not correct.

Interface

• Resizing the browser window switch the calendar month view to week view.
• The start date was not shown for recurring all day events events.
• If was not possible to use recurrent events with an end date, if the interface was not in English.
• When the month view was used in the scheduling, the start and end date were modified when enabling recurring events.
• When using endless daily recurrences, the events would not be displayed on Sunday. This was a regression introduced in 4.1.1-1.0.30077.

Release 4.1.1

Version: "Grandes Jorasses " 4.1.1-1.0.30077. Release date: 17 Nov 2016.

Known issues

• Web Pages are not being displayed and "File cannot be accessed : cannot create the tmp directory" errors are present in the player.log. This is a regression introduced in 4.1.1.
• Scheduling a playout as all day event, with endless daily recurrence, is working during the current week, but wrongly ends at midnight on Saturday. The workaround is to use the right way to schedule content to play all the time, which is to configure a default content.
• The player is shown as offline in Cockpit after 50 days of up-time. This is a regression introduced in 4.1.0.
• The SSL/TLS self-signed certificate is not included in the configuration backup.

Backward compatibility issues

• Please check the release notes of version 4.1.0.
• The internal format used to store Data feed using a Shared Variable for multiscreen project has been modified. The result of the parser is now stored using JSON format. Previously the source of the data was stored in the variable.

Minor features / improvements

Misc

• Internal storage scanning for early detection and repair of data retention and read fatigue problems has been tuned for improved reliability.

RPC

• Added option {"network": true } in RPC's get_info method to be able to return IP addresses and other network interface info, the information is also included when the {"all": true} option is specified.

Bug fixes

Misc

• HID touchscreens that used the parallel reporting mode could generate button down and up events for each finger move, making them unusable.

Widgets

• Content using the Persian Calendar widget, or other widget using complex scripts and fonts, could make the device enter in safe mode. This was due to incorrect handling of complex composition rules in fonts such as Noto Nastaliq Urdu, where text shaping took a very long time.
• Text in complex scripts (e.g., Persian, Indic) could be incorrectly rendered due to incorrect handling of complex composition rules.

Rendering

• The "image not supported" icon did not match that used by Elementi.
• There were still some cases where the player (or Elementi) could crash if the network connection was lost while reading data from an HTTP server.

Control Center

• At the end of firmware update the reboot notification went away and the top link bar appeared before the device had finished rebooting, allowing the user to resume using the device before it was ready, which resulted in an error.
• When using live-source in a schedule, and that network connection is lost, the player will not check to see if the netwrk connection is restored if a fallback is specified, and that the fallback is a playout or a playlist.
• During initial setup of the player via the web interface, before the wizard was completed, the browser could incorrectly pop-up password prompts.
• The firmware update "Check Now" button would always check for Internet connectivity before proceeding, preventing update from non-Internet sources when the device is not connected to the Internet.
• The web interface was missing the favicon as well as icons for web clips and Windows tiles.

Interface

• Some internal databases were not correctly shared and previews could fail to show correctly in some cases. , ,
• Upload of media files from a browser could fail with an invalid type error if the user's browser had an unusual or incorrect media type configuration, the interface is now much more tolerant to such problems.
• The "Turn monitor OFF" option in the schedule was not working on DiVA and HMP300 models, only HMP350, this now works across all models as initially intended.
• The "Turn monitor OFF" option in the schedule would not turn on or off the screen as expected when the unit reboots or the schedule is modified.
• It was no longer possible to disable the display of the city name or temperature in the weather apps. (regression introduced in 4.1.0)

jSignage

• Updated jSignage to 1.3.2 to fix several bugs.
• Updated jSignage.Social.js to 1.0.2 to fix several bugs.
  • Using file extension filters in the media widget was not longer functioning (regression introduced in 4.1.0)
  • Twitter feeds reported October for dates in September.
  • The display of feeds would disappear till next refresh if network connectivity was down when refreshing the data, when such connectivity problems occur the cached data is used for up to 24 hours.
  • The new social data feed widgets don't work when a sync variable is set (multiscreen projects only).
  • Yahoo! YQL API no long works for finance data and must be replaced by the csv API.

Release 4.1.0 build 2

Version: "Grandes Jorasses " 4.1.0-2.0.29734. Release date: 5 Oct 2016.

Known issues

• The SSL/TLS self-signed certificate is not included in the configuration backup.

Backward compatibility issues

Please check the release notes of version 4.1.0.

Bug fixes

• Playlists of items whose duration was resolved at run time (e.g., soft scheduling, non looping RSS feed) where displayed for the configured default duration of the playlist, instead of waiting for the item to end.

  This is a regression introduced in 4.1.0-1.0.29614

Security

• Fixed the following OpenSSL security vulnerabilities.
  • CVE-2016-6304, which is of high severity and may affect the firmware
  • CVE-2016-2183, CVE-2016-6303, CVE-2016-6302, CVE-2016-2182 and CVE-2016-2180, which may affect the firmware
  • CVE-2016-2179, CVE-2016-2181 and CVE-2016-6306, which do not affect the firmware

Release 4.1.0

Version: "Grandes Jorasses " 4.1.0-1.0.29614. Release date: 15 Sept 2016.

Known issues

• The SSL/TLS self-signed certificate is not included in the configuration backup.

Backward compatibility issues

• The Chinese font AR PL New Sung, the Korean Un fonts (UnBatang and UnGraphic) and the Japanese IPA fonts (IPAGothic, IPAMincho, IPAPGothic, IPAPMincho) have been removed in favor of Noto Sans.

Major features

Interface

• Translation of the content creation interface in the following languages
  • Arabic (العربية), German (Deutsch), English, Spanish (Español), French (Français), Italian (Italiano), Japanese (日本語), Dutch, Portugese (Português), Russian (Pусский), Thai (ภาษาไทย), Chinese Simplified (简体字), Chinese Traditional (繁體字)

JavaScript / jSignage

• jSignage version is now 1.3.0.
• Added new jSignage.Social.js library.
• Support for new channels in data feed
  • foreign exchange rates (from the ECB or Yahoo)
  • Stock quotes (Yahoo)
  • Spreadsheets (CSV files, Excel files and Google sheets)
  • Calendars (ICS files, Google calendars)
  • Media playlists (Web folders, Flickr Albums),
  • Social networks (Twitter)
  • Weather (OpenWeatherMap, Weather Underground, World Weather Online and Yahoo! Weather)
• Expanded formatting options for data feed fields: conditionals and formulas.

Miscellaneous

• Devices now advertise using the SSDP / UPnP protocol in addition to Bonjour. All devices will now show up in the Windows Explorer's Network view in Windows computers if Network Discovery is enabled (see http://windows.microsoft.com/en-us/windows/enable-disable-network-discovery).
• HDMI displays without CEC support but with DVI-like display power management capabilities can now be put to standby in the same way as non-HDMI displays.
• New background audio playback feature for an audio playlist, independent of video content, specified through an index.m3u8 file.
• Special HMP350 new features:
  • Support multiscreen video streaming (MPEG2-TS multicast over RTP or UDP only).
  • Video with transparency (mask must be supplied by the spx:mask-href attribute pointing to a sibling black & white video file where black is fully transparent and white is fully opaque)

Minor features / improvements

Network

• Cookies supported when communicating with an HTTP server
• Minimum refresh period for data feeds is now 60s
• Allow using https://download.spinetix.com/spxjslibs as an alternative URI for jSignage

Media

• Optimized scanning of H.264, VC-1, MPEG-4 and MPEG-2 start codes, which reduces the CPU load when playing streaming video sources.
• New video streaming engine improves breadth support for video streamers and provides improved audio quality, audio/video lipsync and lower delays.
• New spx:packetization attribute for low-delay RTP/RTSP streaming

Interface

• It is now possible to configure the default content to Power Off the screen.
• The user can now select any media and upload a new version of the media, that will replace the old one. Playlist and playout that where using the old media, will then use the new one immediately.
• Added more locale and timezone options in the apps.
• Improved the timezone selection dropdown to be sorted by GMT offset.
• It is now possible to use markdown support for the text apps.
• Improved the UI to enter a color using HEX codes.
• Improved look of the schedule page for 1600x900 screens.
• No longer showing all parents Playout when editing the text of the message apps.
• Added news font to the apps configuration.
• Added download of fonts for the preview in the browser.
• The locale/all.js file is now sent via http compressed, speeding up loading.
• PHP caching is now enabled improving the speed of the Interface and Control Center.

Control Center

• Automatically try to detect user timezone in the wizard
• Added a refresh button on the NTP stats page.
• New advanced configuration field to the backup <update-fps> and <min-fps-step-factor>
• Added download button next to the HTTPS certificates.
• Added a link to the Firmware update page in the firmware info box in case of errors.
• It is now possible to do AJAX RPC request from any location using CORS even if the RPC end point is password protected.
• Updated the warning regarding powering off screen not supporting CEC.
• Added configuration of UPnP using the interface and the backup. It is now possible to enable/disable SSDP/UPnP using the interface (under network) and using the backup, using <ssdp-upnp-enabled>yes</ssdp-upnp-enabled> or <ssdp-upnp-enabled>no</ssdp-upnp-enabled>. The player needs to be restarted to apply the changes
• User must now accept the EULA as part of the installation wizard.
• Password field are no longer shown in clear text in the Saved Password page

JavaScript / jSignage

• Added support for significant digits type number formatting patterns
• Extended support for date/time formatting to all LDML fields except those related to weak of year and day of year and ambiguous timezone abbreviations
• If a field in a data feed is a number or a date it is formatted automatically as such with the current locale (instead of being converted to a string using javascript rules which use the en_US locale always)
• New data feed cache system using persistent storage and a simpler refresh time scheme. A cached feed is now private to an svg document, even if two documents use the same source URI.
• propFindURL returns 'file' in the 'resourcetype' field instead of empty when listing files

RPC

• Added option {"storageHealth": true } in get_info to be able to return various information about the storage health of the player.
• Added option {"all": true } in get_info to get ALL the possible info in a single option.

Internationalization

• Improved internationalization features for date/time and numbers formatting
• Upgraded to CLDR 29 with all locales in the "modern" set included.
  • As a side effects, some locales which were previously included but have insufficient coverage have been removed
• Added support for all CLDR 29 calendars
  • gregorian, buddhist, chinese, coptic, dangi, ethiopic, hebrew, indian, islamic-civil, islamic-tbla, islamic-umalqura, japanese, persian, and roc (Minguo)
• Added support for all CLDR 29 numbering systems
• The default calendar and numbering system will now be dependent on the chosen locale.
  • For instance for ar_SA (Saoudi Arabia), the Umm al'Quara calendar and eastern arabic numerals will be used by default
• Date specific numerals are supported
• Timezone database updated to 2016d (was 2015g).
  • This updates the data for America/Cayman, Asia/Chita, Asia/Magadan, Asia/Tehran, America/Caracas, America/Metlakatla, America/Santa_Isabel, Asia/Sakhalin, Azerbaijan, Chile, Haiti and Palestine, adds new zones Europe/Astrakhan, Europe/Ulyanovsk, Asia/Barnaul and Asia/Tomsk, and corrects past time for Asia/Karachi, Europe/Chisinau, Europe/Kaliningrad, Europe/Vilnius and Europe/Volgograd.

HTML support

• HTML support improved by updating PhantomJS to 2.1.1.
• Better support for modern web sites.
• Local storage is now supported and persistent.
• Persistent cookies are now truly persistent.
• SSL/TLS certificates in secure HTTP connections (i.e. https) are now correctly validated.

Fonts

• A common font covering all world scripts is now included.
  • This is the complete collection of Google Noto fonts, including all available Noto Sans, Noto Serif, Arabic, Urdu, CJK and Emoji.
  • Specifying "Noto Sans" as the font family will automatically use the appropriate script specific "Noto Sans" font, falling back to "Noto Sans SC" for CJK and "Noto Kufi Arabic" for Arabic.
  • Specifying "Noto Serif" as the font family will automatically use the appropriate script specific "Noto Serif" font, falling back to "Noto Sans SC" for CJK and "Noto Naskh Arabic" for Arabic.
• The four regional variants of CJK fonts are included as separate font families.
  • "Noto Sans SC" for simplified Chinese.
  • "Noto Sans TC" for traditional Chinese.
  • "Noto Sans JP" for Japanese.
  • "Noto Sans KR" for Korean.
  • To use a specific regional variant of a CJK font specify the variant specific family name (e.g., "Noto Sans JP") instead of the generic "Noto Sans" name.
• The "Noto Naskh Arabic", "Noto Kufi Arabic" and "Noto Nastaliq Urdu" font families are available to select a specific style of Arabic.
• Not all scripts are available in italic form, when the italic form is not available synthesized oblique form will be used.
• Not all the scripts are available in "Noto Serif".
• The "Noto Mono" monospaced font is now included.

Miscellaneous

• Logs are now rotated even if the device is not continuously powered on.
• Key components are now built with _FORTIFY_SOURCE support, increasing security.
• System report now includes internal storage health and remaining life information.
• The boot log following a firmware update is now archived to ease diagnostics.
• Speed up of the firmware update process, large firmware updates should now be about 5 minutes faster.
• Expanded the set of input device drivers included in the firmware, specific drivers for the following devices are now included: X-Box gamepad, 3M PCT touchscreen, Cando dual touch panel, eGalax multi-touch panel, UC-Logic device, Waltop devices, MosArt dual-touch panels, N-Trig touch screen, Quanta Optical Touch panels, Sony PS3 controller, Stantum multitouch panel and Sunplus wireless desktop. Support for these devices has not been verified and cannot be guaranteed.
• Internal storage is now scanned regularly for early detection and repair of data retention and read fatigue problems before they develop.
• Pixman library updated to 0.32.6
• Cairo library updated to 1.14.2

Bug fixes

• Many touchscreens that worked with firmware 3.2.x in HMP200 were not working with firmware 4.x due missing reporting of HID codes in the generic HID driver. These touchscreens should now work.

Security

• Fixed libstdc++ vulnerability CVE-2015-5276, which did not affect the firmware.
• Fixed glibc vulnerabilities CVE-2015-8777, CVE-2015-8779, CVE-2014-9761 and CVE-2015-8776.
• Updated ntp to 4.2.8p8 which fixes the following ntp vulnerabilities.
  • CVE-2015-8139, CVE-2015-5300 and CVE-2015-8138, CVE-2015-7704 (previously fixed but incomplete), CVE-2016-1549, CVE-2016-4954, CVE-2016-1548, CVE-2016-4955, CVE-2016-1547, CVE-2016-4957, CVE-2016-4953 and CVE-2016-2518, which affect the firmware.
  • CVE-2015-7974, CVE-2015-8158, CVE-2015-7976, CVE-2015-7973, CVE-2015-7978, CVE-2015-7977, CVE-2015-7979, CVE-2015-8140, CVE-2016-2517, CVE-2016-2516, CVE-2016-1550, CVE-2016-2519, CVE-2016-1551 and CVE-2016-4956, which do not affect the firmware.
• Fixed curl vulnerabilities CVE-2016-2326 and CVE-2016-0754, which do not affect the firmware.
• Fixed p7zip vulnerabilities CVE-2015-1038 and CVE-2016-2335, which could potentially affect the firmware.
• Fixed the following php vulnerabilities.
  • CVE-2016-4073, which affects the firmware.
  • CVE-2016-3141, CVE-2016-3142 and CVE-2016-4072, which do not affect the firmware.
• Fixed pcre vulnerability CVE-2016-3191, which may affect the firmware.
• Fixed dhcp vulnerability CVE-2016-2774, which may affect the firmware.
• Fixed openssh vulnerabilities CVE-2016-3115 and CVE-2015-8325, which do not affect the firmware.
• OpenSSL: fixed the following security vulnerabilities.
  • CVE-2016-2177 and CVE-2016-2178, which affect the firmware / software
  • CVE-2016-0703 and CVE-2016-0704, which do not affect the firmware / software
• Fixed the following libxml2 vulnerabilities
  • CVE-2016-3705, CVE-2016-3627, CVE-2016-1833, CVE-2016-1834, CVE-2016-1835, CVE-2016-1836, CVE-2016-1838 and CVE-2016-1840, which do affect the firmware / software.
  • CVE-2015-8710, CVE-2016-2073, CVE-2015-8806, CVE-2016-1839 and CVE-2016-1837, which does not affect the firmware / software.
• Fixed libpng vulnerabilities CVE-2015-8540, CVE-2015-8472, CVE-2015-8126 and CVE-2015-7981.

Firmware update

• Silences innocuous DB_BUFFER_SMALL errors that may appear in the update log during large firmware updates.
• Some addon packages such as fonts were being installed in the first pass instead of the second pass during firmware update, in subsequent updates they will be installed in the second pass.

Pull mode

• Insure that repeating events are not executed if there execution time is in the past.
• If there are too many event in the event queue (50 or more), skip new event as not to overload the player.
• Misleading messages were sometimes logged to the uploader log when communicating with Cockpit.

RPC

• File descriptor leak in the RPC API would limit the number of RPC call to change a local variable to ~1000.

Interface

• All day scheduling overflow when event is created in the monthly calendar view
• Increased the granularity of the font size selection
• Make sure the color information is only updated after the user has typed all the hex value.
• Interface may not be displayed correctly if the LocalStorage is disabled in the browser.
• Make sure the the list view is not removed when switching from horizontal to vertical icons.
• Extra spaces were displayed in the browser preview on text with words in italic or bold.
• Default values for all check box was always enabled in the interface.
• In case of json error in uploaded backup, do not crash with a 500 error.

Control Center

• Showing the low latency settings if they are selected.
• Calibration is now working even is the interface is password protected. It also shows more explicit error on the screen if the configuration was not applied successfully.
• Make sure that opening the "/main/firmware" page do not trigger a firmware update, but only shows the status of the update in progress.
• File upload and time processing limits were not correctly set and thus default limits, larger than intended, were being used.
• Live source may show show an error if they are used on local data, and the local data is modified using pull mode.
• When an error occurs in the web_storage RPC, the connection was closed twice causing an error in the logs.
• It was not possible for user without admin right to modify their own passwords.
• It was not possible to use https addresses for live sources.
• Make sure that display errors are shown to the user and partial display config can be applied.
• Removing known extension in listing license file
• It was not possible to specify a live source as a fallback for another live source (including Elementi and USB drive). Doing so would cause none of the source to be shown.

JavaScript / jSignage

• Out of memory conditions in javascript while processing too large data feeds should in most cases avoid a reboot to safe mode
• Default duration was used erroneously for some playlist items whose duration was set in the playlist
• Gauge values outside of the gauge range do not cause the cursor to be positioned outside the gauge area
• Opacity setting was ignored on scrolling text area layers
• Bottom of some letters on the last list was cut off in scrolling text areas

Miscellaneous

• Fixed potential crash of IPv4 local-link address monitoring.
• System logs could be filled with innocuous warnings from avahi when Windows 10 computers are present in the local network, due to an incomplete Bonjour implementation in Windows 10.
• When HDMI CEC errors occur the logs could be flooded with error messages, these are now suppressed after 10 consecutive events.
• Frame rate and video size information in the SDP description were not used when streaming with RTP/RTSP . This makes MJPEG streaming work with Axis cameras although it is highly recommended to use H.264 instead
• The first group of picture was black when connecting to an H.264 RTP/RTSP stream and the first frame number in the stream is 0
• The pixman library may crash under some rare circumstances.
• The player could crash if the HTTP connection was closed by a remote server while reading data.

Release 4.0.2 build 2

Version: "Gran Paradiso" 4.0.2-2.0.28840. Release date: 30 May 2016.

Known issues

• The SSL/TLS self-signed certificate is not included in the configuration backup.

Bug fixes

Security

• OpenSSL: fixed the following security vulnerabilities
  • CVE-2016-2108, which affects the firmware.
  • CVE-2016-0798, CVE-2016-2176, CVE-2016-2107, which do not affect the firmware.
  • CVE-2016-2105, CVE-2016-2106 and CVE-2016-2109, which are believed to not affect the firmware.

Miscellaneous

• The report was missing information about the DHCP client, complicating some diagnostics.
• On some occasions the restart notification sent to Cockpit could be malformed, making Cockpit miss it.
• If an SSL/TLS certificate is imported which has the "Subject Alternative Name" as the first extension in the certificate, accessing the Network -> HTTPS page would return an "Internal Server Error".

Release 4.0.2

Version: "Gran Paradiso" 4.0.2-1.0.28645. Release date: 4 May 2016.

Known issues

• The SSL/TLS self-signed certificate is not included in the configuration backup.

Minor features / improvements

Display power save

• Added support for display power saving.
• For HDMI displays which have CEC enabled, HDMI-CEC is used to turn on or put to standby the display according to the display power saving policy. The display is automatically switched to the correct input when it is turned on.
• For DVI displays the display saving power management signaling (DPMS) is used to put put the display to standby according to the display power saving policy.
• Control Center displays a warning when an HDMI display is connected which does not support CEC or has it disabled in its configuration.
• Control Center now shows the power state of connected displays when available.
• Note that unlike in firmware 3.x, display power saving is now disabled by default.

Control Center

• Changed the device images in Control Center to make it easier to recognize the different device models.
• It is now possible to set up ultra-low latency (200ms, 100ms, or 50ms) using the configuration backup or from advanced mode.
• Updated the name of the button related to Cockpit. It is now possible to add a player into Cockpit directly from the main Control Center page.
• A prominent warning is now shown on the web interface when the device is running in safe more or a corrupted firmware is detected.

Miscellaneous

• The device report now includes information about the package database files to aid in diagnosis of firmware update problems.
• The device model is now explicitly mentioned in the report for easier diagnostic.
• Allow the spx:buffering value to be negative so that the streaming latency can be reduced when the user knows that the default 750ms latency for RTP streams is not required.

Web interface

• Added a "Select all" button to select all visible file in the Create page
• Added Arabic Peninsula and Portuguese in the list of supported languages for the date formatting

JavaScript

• jSignage updated to 1.2.2
• Modified jSignage.Weather add-on for more flexibility when passing parameters to weather widgets.

Bug fixes

Miscellaneous

• DNS name resolution stopped working after a few weeks of uptime with Could not resolve hostname xxx: Host not found errors (regression introduced in 4.0.1-2.0.28178). Depending on the number of remote servers used (e.g., remote content, RPC concentrator, Cockpit) the amount of time before the failure starts occurring varies.
• When a device was started with a DVI display connected and later was changed for an HDMI display without restarting the device, all HDMI functionality would remain disabled and thus HDMI audio output did not work until the device was restarted.
• When booting the pull mode could sometimes get a transient error obtaining internal device data (e.g., a report) due to a race between the pull mode service and the internal web server startup.
• There were still some internal operations that could lead a player to hang and need a power cycle to recover.
• A loss of power while checking for the availability of a firmware update could lead to a corrupted state after which it was no longer possible to update firmware, requiring a re-install from the recovery console.
• The display co-processor could potentially fail initialization without properly reporting it.
• Under some rare circumstances the serial port handler could miss a wake-up event.

Media

• Too many JPEG files may be opened when using transition in multiscreen content.
• Video files tagged with an incorrect H.264 level, too low for the actual video resolution, failed to decode.
• Crash when opening some videos that had no frame rate information.

Security vulnerabilities solved

• pcre: CVE-2015-8388, CVE-2015-8390, CVE-2015-8381, CVE-2015-8395, CVE-2015-8393, CVE-2015-8389, CVE-2015-8391, CVE-2015-8394, CVE-2015-8385, CVE-2015-8392, CVE-2015-8386, CVE-2015-8380, CVE-2015-8387, CVE-2015-8384.
• libxml2: CVE-2015-7499, CVE-2015-7500, CVE-2015-7498, CVE-2015-8241, CVE-2015-8317.
• openssl: CVE-2015-7575, CVE-2015-3197.
• openssh: CVE-2016-0777 and CVE-2016-0778 which do not affect the device.
• openssh: CVE-2016-1907.
• php: CVE-2015-6831, CVE-2016-1903, CVE-2015-6832, CVE-2015-6836, CVE-2015-6833, CVE-2015-5590.
• libpng: CVE-2015-8472.
• dhcp: CVE-2015-8605.

Control Center

• Improved the resilience of the internet connection check mechanism.
• Backup from firmware 4.0.0 could not be uploaded to 4.0.1 if they contains weather apps.
• Removing warnings in the logs causes by php errors
• Creation of the configuration backup could fail under some rare conditions (could happen for devices that had been configured using the 0.3 beta version of the firmware)
• The following error: "Host of Source Href is not valid" was shown when using a live source with an "_" in the name
• Preview of the live source where not updated when the URI of the source was modified
• once a live source has been created, the uri should not be editable anymore.

Web interface

• Importing some Windows Media Video files could fail.
• City & temperature cannot be disabled when using the weather apps
• When multiscreen project from Elementi is used in a schedule, it is no longer synchronized. It is no longer allowed to have multiscreen project in the schedule, if not the default content.
• Import of some Window media file may fail with the error: "Cannot extract size of uploaded file"
• First time a file is added to the schedule, it may takes up to 30s for the file to be displayed
• It was possible to have events overlapping in the scheduling interface. The behavior of the player was not predictable in this case. The interface not forbid overlapping events.
• Player restarts at midnight when using daily recurrence without end
• Live Sources where wrongly shown when using the playout filter in scheduling
• Under some conditions (when using live sources) a JavaScript could be triggered in the schedule page, preventing the user from doing any modification. It was necessary to reset the default content to have the player functional again..
• Weather apps may stop displaying weather info if the player fails contacting the weather server. The weather apps is now resilient to such errors.
• Improved the title of the page to show the current action

RPC

• RPC polling time above 2147 seconds where considered a 0s by the player, which could cause a DoS on the RPC concentrator.
• It is now possible to change the uploader log level using the backup <pullmode-logs-level>debug</pullmode-logs-level>

JavaScript

• AJAX requests to Sharepoint servers could fail with a 500 error due to the referrer using a custom protocol URL, the referrer used for AJAX requests is now always "about:blank" to maximize compatibility.
• Various minor fixes in the jSignage library
• Text may become too big and the flames may disappear when automatic scroll is used.
• "Click to Switch" doesn't end when used inside "Click Through"
• parseXML returns unexpected result when enabling "keep XML markup"

Release 4.0.1 build 2

Version: "Gran Paradiso" 4.0.1-2.0.28151. Release date: 8 March 2016.

Known limitations

• Display detection is not available.
• Display power control using DVI style power saving or HDMI CEC is not available.
• The SSL/TLS self-signed certificate is not included in the configuration backup.

Bug fixes

Interface

• The login screen of the web browser interface was slow to load if the user was not connected to the Internet.
• Clicking on the "Update Now" button of the "Firmware" popup that shows up on the "Operations => Firmware Update" page returned a "Firmware Update Error" shortly after starting the firmware update and no firmware update was done. Note that this did not occur when starting the update from the main Control Center page or by clicking the "Check Now" button on the "Operations => Firmware Update" page. (regression introduced in 4.0.1)

Security

• glibc: fixed CVE-2015-7547 (glibc getaddrinfo() stack-based buffer overflow), which affected the device.
• OpenSSL: fixed CVE-2016-0800, CVE-2016-0705, CVE-2016-0797, CVE-2016-0799, CVE-2016-0702, which affected the device; SSLv2 has been removed as part of the fix for CVE-2016-0800.
• OpenSSL: CVE-2016-0703 and CVE-2016-0704 were already solved as a side effect of the fix for CVE-2015-0293 in firmware 4.0.1-1.0.27900.
• OpenSSL: CVE-2016-0798 is not yet solved but does not affect the device (no firmware component enables TLS-SRP).

Release 4.0.1

Version: "Gran Paradiso" 4.0.1-1.0.27900. Release date: 5 Feb 2016.

Known limitations

• Display detection is not available.
• Display power control using DVI style power saving or HDMI CEC is not available.
• The SSL/TLS self-signed certificate is not included in the configuration backup.

Known issues

• City & temperature cannot be disabled for the Weather app.
• Multiscreen projects are not played in a synchronized manner when being used within the Content scheduling tool of the HMP350. The workaround is to restore the default content on the player, then publish the multiscreen project from Elementi.
• Player restarts at midnight when using daily recurrence without end - this is due to the way the content has been scheduled; the right way to schedule some content to play all the time, is by using the default schedule placeholder.
• Player forgets the scheduled content when using daily recurrence without end - this is due to the way the content has been scheduled; the right way to schedule some content to play all the time, is by using the default schedule placeholder.
• DNS name resolution stopped working after a few weeks of up-time with Could not resolve hostname xxx: Host not found errors (regression introduced in 4.0.1-2.0.28178 by the fix for CVE-2015-7547). Depending on the number of remote servers used (e.g., remote content, RPC concentrator, Cockpit) the amount of time before the failure starts occurring varies. The solution is to manually restart the player.

Minor features / improvements

• New internal storage location for SSL certificates
• Improved resilience and detection of power loss (power off without shutdown)
• Speedup of pkg install (firmware update)
• The system LED now blinks green rapidly while the system is starting up and shutting down, it reverts to the normal "heartbeat" like blink when it finishes booting
• The timezone database used by the system has been updated to version 2015g (it was 2015f). This adds the America/Fort_Nelson time zone and updates the Turkey, Norfolk, Fiji, Fort Nelson and British Columbia time zones.
• The firmware update state now also reports the =CORRUPTED= state if the firmware is known to be corrupted.

Interface

• The main Control Center page now shows a warning symbol on the firmware tile if an error is detected (e.g., corrupted firmware or interrupted update).
• When an error occurs during a multiple file upload the name of the file causing the error is now shown.
• The timezone database used by the content management interface was updated to match the system timezone database version (it was 2015d).
• Redesign of the firmware update page
• Improvement of the Schedule layout for vertical setup
• Added the possibility to copy a Playlist
• Added a simple configuration of serial protocol file (HMP300/350 only)
• User with monitoring rights now have access to the monitoring page of Control Center and the log pages
• Improved the landing page in case of vertical screen configuration. The snapshot is now rotated
• It is now possible to configure vertical screen rotated Clock Wise AND Counter Clock Wise (DIVA only )
• Added the option not to slice media in Playout for the media apps
• Added the possibility to select the title and/or the description in RSS feeds
• Added a Diplay Power Off setting to Control Center for use with RS-232.

jSignage

• jSignage version changed to 1.2.1
• Custom parser can now have access to all the data of the row if needed. The custom parser can now be used as custom( cell, rowData );
• New jSignage.Weather.js library to retrieve weather forecast info.

Media

• Optimized memory allocation for decoding of H.264 videos missing the video usability information (VUI)
• H.264 videos encoded with VLC are now rejected since VLC generates corrupted data
• Videos shot with rotated cameras are now auto-rotated at display time so that they are displayed with the correct orientation

Logging

• A warning message will now be logged if a document is not rendered because the maximum depth is exceeded
• Added logging of the current firmware version in the logs for better diagnostics

Bug fixes

Pull mode / RPC

• When using an ICS file with pull mode, the pull mode would stop fetching the ICS file is the servers returns a 503 answer at any time
• Upload of system reports via the pull mode (to Cockpit or otherwise) uploaded a zero byte file.
• The player did not report its reboot reason to in RPC (to Cockpit or otherwise).
• The X-spinetix-firmware HTTP header was not present when uploading logs/reports using PUT
• Player may send 2 reboot notifications to an RPC concentrator if shutdown for more than 24h
• The device no longer waits 1 minute before doing a shutdown when sent a shutdown request with a direct RPC call

Media

• Player may restart in safe mode because of an H.264 video
• Removed the error "The bitstream cannot be decoded correctly: error: 0x00040000.", as this just means that the end of video file has been reached
• Garbage may appear on top of PNG images when using rotated screens
• Some MPEG4 video files were not played by DiVA/HMP300/HMP350 even if they were supported in HMP130
• Sending keep-alive for RTSP streaming
• spx:overrideFPS was ignored for streaming sources
• Buffering and streaming transport parameters ignored on <audio> elements
• Removed the requirement on RTCP support when doing RTP Streaming
• Add an option to be able to select a program in MPEG2-TS (spx:program, spx:audio, spx:videoPID, spx:audioPID)
• Faster than expected playback of streaming video can be observed when audio is present

Interface

• The app breadcrumb was leading the user to an empty page
• Pressing save multiple time when editing a new Playlist, would create multiple versions of the playlist each time
• Current day value was not visible in Month view calendar
• Help box could be displayed outside of the browser window
• Enabling power save was enabling the serial port. Disabling the serial port was disabling the power save. (internal only)
• Media file with "'" in their names would cause issues with the interface
• When uploading a rotated video file the interface did not detect the orientation properly
• The interface was slow to load if the user was not connected to the Internet.
• All day events with a daily recurrence appeared covering an extra day in the scheduler.
• Uploading a high resolution JPEG image using 4:2:2 chroma sub-sampling produced a display and thumbnail image with incorrect colors.
• Made the used vocabulary more uniform.
• When a resource that was already deleted was deleted again (e.g., from another browser session) the error message was shown twice.
• Access control via HTTP and the web interface was not always correct

Control Center

• When a firmware check is in progress, it is now no longer possible to start another firmware check in parallel
• Label of DNS server was missing in configuration page
• When enabling USB as local storage, a wrong notification message could be displayed to the user. This had no impact on the settings themselves.
• Formatting USB key was not working as expected (HMP300/350 only)
• Copying content from USB key to the internal storage was not working as expected (HMP300/350 only)
• Make sure the loading button stays in the loading state until the report is generated
• Clicking on the USB disconnect button was returning an error
• NTP information and warnings were never shown.
• Some informational text referred to _recovery mode_ as _diagnostics mode_, now all instances use the same terminology.
• Accessing backup player logs always asked for a user name and password, even if the user was logged in.

Apps

• Updated the weather apps to use better caching and updated rules
• Cleanup of the data used in Web Storage when removing a message apps from playouts
• Letter such as p, y ... could be cut at the bottom of the text zone. Note that the extra margin needed to solve this issue may cause text that was previously displayed to be missing the last line if it was using all the space available.
• Background of the digital clocks were not using all the space of the widgets
• Added more languages in locale menu (Hungarian, Japanese, Norwegian and Vietnamese)
• Force refresh of all js libraries after an update of the apps due to firmware upgrade
• Date shown by the date apps may be truncated (j and y letter) if the height of the apps is small.
• Rendering not correct on message app when text contains many lines and the apps is configured to display a single line.
• QR code app did not handle certain string lengths correctly and failed to encode them.

Widgets

• Text ticker could cause CPU to reach 100% if there are only empty items to be displayed
• Crawling widgets (Text Ticker, Text Bar, Text Roll, Media Crawler) may not be synchronized when used over multiple screens within a video wall
• Added support for non-standard ICS file possibly generated by Outlook Online and Office 365
• Custom Date/time parser now recognize the month name, pattern such as "d MMM yyyy" can now be used to parse a date.
• Using inline-data as data source was no longer working.
• Fixed the case where Query String parser is used with full URLs
• Text Roll automatic duration not working as expected
• Removed debug alert when using a data feed widget in a multiscreen project
• *.mka, *.wma and *.ac3 audio files are correctly recognized as audio files in playlist templates
• The HTML Table widget may cause out of memory errors under some conditions

jSignage

• Creating two node such as $( "<g></g><g></g>" ) was not supported
• $(...).contents() was returning null all the time
• $(...).wrapAll(), $.inArray(), $(svg, attributes ), $.globalEval( ... ), jQuery.type( new Error() ), $.map( object ), $.proxy(), $.removeData(), $.clone(), $().is() did not behave as documented in jQuery
• $(...).delegate and $().on() could trow an exception "TypeError: jSignage.expr.match.needsContext is undefined"
• $(...).hover() throw an exception "TypeError: this.mouseenter is not a function"
• $('svg').find("#layers") throws an Exception "TypeError: context.getElementById is not a function"
• $("g > * > *") throws an Exception "TypeError: elem.localName is null"
• $("[watch]") throws an Exception
• $("g [dur]") throws an Exception "TypeError: elem.localName is null"
• When using $().on(), the event.data do not contains the right data
• $().preprend do not prepend if the content of the node is a text
• The first call to globalEval may not be executed
• ajax global events are not called
• $.ajax should return an error in case of bad JSON data
• $.add() jQuery function has been renamed to $.merge() because $.add() as a different meaning in jSignage
• $.end() jQuery function has been renamed to $.pop() because $.end() as a different meaning in jSignage

Misc

• HID devices were not reporting their serial number in the HIDDevice API even if they had one
• A race condition in the boot scripts could generate error messages in the kernel log, although they had no ill effect they should now no longer appear
• The firmware updater status could be lost if a power cycle occurred shortly after rebooting
• The player may hang and need a power cycle to recover after one month of being uninterruptedly powered on.
• Disabled the sendComPort for HMP300 as it is not avaible for this model
• The HMP may go into recovery mode instead of safe mode if the "disable audio when power is off" option is enabled
• setTimeout( func ) without timeout was not supported
• Some animations failed to render properly in multiscreen projects.

Security

• ntp: CVE-2015-7853, CVE-2015-7852, CVE-2015-7855, CVE-2015-7704 and CVE-2015-7705 which could affect the device.
• ntp: CVE-2015-7852, CVE-2015-7850, CVE-2015-7701, CVE-2015-7871, CVE-2015-7703, CVE-2015-7691 and CVE-2015-7692 which should not affect the device.
• OpenSSH: CVE-2015-6564 and CVE-2015-6563 which did not affect the device in normal operating conditions.
• OpenSSL: CVE-2015-3194 and CVE-2015-3196 which could affect the device.
• OpenSSL: CVE-2015-3195 which should not affect the device.
• pcre: CVE-2015-8382, CVE-2015-2328, CVE-2015-2327 which could potentially affect the device.
• expat: CVE-2015-1283 which could affect the device.
• libxml2: CVE-2015-5312, CVE-2015-7497, CVE-2015-8242, CVE-2015-8035, CVE-2015-7942, CVE-2015-7941 which could affect the device.
• libpng: CVE-2015-8126 which could affect the device.
• FreeType: CVE-2014-9745 which could affect the device.
• Apache httpd: CVE-2013-5704 which should not affect the device.
• PHP: CVE-2015-7803 and CVE-2015-7804 which should not affect the device.

Release 4.0.0 build 2

Version: "Gran Paradiso" 4.0.0-2.0.27449. Release date: 14 Dec 2015.

Known limitations

• Display detection is not available.
• Display power control using DVI style power saving or HDMI CEC is not available.
• The SSL/TLS self-signed certificate is not included in the configuration backup.

Bug fixes

• A unit may randomly fail to boot as it may fail to re-initialize the display output after applying the configured video timings. When this happens will reboot automatically but may end in safe mode or recovery console if the condition repeats.

Release 4.0.0

Version: "Gran Paradiso" 4.0.0-1.0.27172. Release date: 3 Nov 2015.

Known limitations

• Display detection is not available.
• Display power control using DVI style power saving or HDMI CEC is not available.
• CVT custom display settings modes are not available on HMP350, but you can use the "Fixed Mode" video timings instead. See Custom display settings page for more details.
• USB cellular modems (3G/4G) are not supported.
• USB external storage is not supported on DiVA, nor by the Content creation tool.
• Self tests are not supported.
• The SSL/TLS self-signed certificate is not included in the configuration backup.
• Fusion interface is not supported on the DiVA, HMP300 and HMP350, being replaced by a new content creation interface.

Known issues

• (#4397) Some RSS feeds may be missing some extra fields such as <pubDate>. This happens when the <item> sections contains a <category> tag with a <name> tag inside.
• (#4398) Cannot upload and use media with special signs (e.g., apostrophe), in their name. Note that once uploaded, such media cannot be removed, so a default content restore is needed. This affects only version 4.0.0.
• The weather app doesn't work correctly when set to display the next day forecast. This affects only version 4.0.0.

Major features

New Control Center interface

• Full redesign of the look of Control Center. Login password is now mandatory.
• Added possibility to create multiple users and passwords to log into the player.
• New health trackers for Up-time, CPU load, Storage, Display, Network and firmware on the front page
• One click button to add a player in Cockpit
• Quick config wizard for startup
• New System page with the most common configuration parameters
• Renamed 'Credentials' to 'saved passwords' to help users
• Separated Time/Date and NTP configuration (for multi-screens)
• Added live source configuration
• Renamed pull mode to scheduled download. Multiple source can be configured. An update now button has been added.
• Added the possibility to configure independently the usage of the Pull mode using an ICS file, scheduled download of content, uploads of the logs and Cockpit.
• Vertical snapshot are automatically rotated.
• HMP do not reboot automatically when setting the configuration, user must explicitly trigger the reboot at the end of the configuration process.
• User must explicitly choose the audio output HDMI or analog
• Secure HTTP (a.k.a. HTTPS) is now supported on the embedded web server.
  • The web interface is now also available on the standard HTTPS port (443) and is thus reachable via https://<device-name> or https://<device-ip-address>
  • The WebDAV interface for content publishing over HTTPS is available on port 9802 (standard WebDAV port) and is this reachable via https://<device-name>:9802 or https://<device-ip-address>:9802
  • The SSL/TLS certificate is an automatically generated self-signed certificate.

New Content editing interface

• Upload of images/video using drag and drop, with automatic preview generation
• Creation of Playlists and Playouts
• Built-in apps and Playouts for professional content creation
• Online Playout edition
• Live preview of created Playout
• Scheduling of Playout, Playlist or media
• Scheduling of Elementi content (HMP300 and HMP350 only)
• Backup and restore of Playout. Playlist or full created content.
• Inline help boxes with step by step wizard.

Configuration backup structure has been modified and is not compatible with the firmware 3.X backup files.

• Strict validation of backup files. Backup containing unknown options are rejected.
• Password encoding using BLOWFISH ( digest no longer supported, need to use crypt instead )
• Any username can be used in user tag.
• touchscreen item for touch screen calibration
• New secure-admin, secure-content and secure-monitoring option to enable secure access to the player
• New time-ntp-restore options to restore default NTP configuration.
• New syntax for pull-mode configuration.
  • pull-mode-static only supports logs and rpc.
  • Can use pull-mode-static and pull-mode-file/pull-mode-remote/pull-mode-disable in parallel.
  • New scheduled-download-reset and scheduled-download-add for publish actions.
• New live-source-reset and live-source-add options
• primary-source and secondary-source no longer supported
• enable-fusion and fusion-startup no longer supported

Base system

• The firmware is now based on Wind River Linux version 6
• The core components have been upgraded, the main changes are as follows.
  • Apache httpd is based on 2.4.6
  • PHP is based on 5.5.2
  • OpenSSL is based on 1.0.1e
  • NTP is based on 4.2.6p5
  • Net-SNMP is based on 5.7.2
  • The DHCP client is now based on ISC dhcp 4.2.5+P1
• The native filesystem is now ext4

HTML support

• Support for Web Page layers using Phantom.js 1.9.8 with an embedded WebKit browser (HMP300 and HMP350 only).

Media

• New audio decoding engine.
• Support for new codecs: AC3, DTS, HE-AACv2 and WMA Pro (experimental).
• Support of .aac and .ac3 audio files.

Streaming

New streaming engine.

• MPEG2 transport stream now support MPEG2, H.264, MPEG4 ASP and VC1 for video, plus MPEG Layer I/II/III, ADTS AAC, LATM AAC, AC3 and DTS for audio.
  • Support for AC3 audio should improve support for German TV channels.
  • Support for HE-AAC should improve support for British TV channels.
  • Strict compliance to DVB for PES packetization and AUD presence is no longer required, which improves compatibility with non broadcast sources such as encoders.
  • Delay is now controlled by the PCR and DTS timestamps embedded in the transport stream. Audio pitch should no longer be altered.
  • Resilience to loss of packets is greatly improved.
  • Program number, audio channel choice and video channel choice can be controlled from an SDP file or with new media layer advanced properties if required.
• RTSP / RTP support has been updated for better A/V synchronization using the RTCP messages.

Note that the deprecated MMS protocol and HTTP streaming are no longer supported.

Multiscreen

• Support for using data feed widgets within multiscreen projects (requires setting a network shared variable for synchronization).

Minor features / improvements

Media

• Official support for .mkv video files and .mka audio files.
• If a text file or text feed is supposed to be UTF-8 encoded but there are encoding error, a relevant warning is generated.
• Limit the number of video file related warnings for a single file to avoid them filling up the logs.
• Playback of interlaced video encoded with MPEG2, H.264 and VC1 now much smoother because it is running at the field rate (double frame rate).
• New hardware accelerated deinterlacing

Audio

• Improved compatibility for HE-AAC and WMA.
• Support for multichannel audio with automatic stereo downmix.
• More precise audio/video delay control, avoiding audible audio pitch changes.

JavaScript

• New window.top and window.screen objects in JavaScript.
• New global SPXTransform event in JavaScript.

jSignage

• QRCode widget support UTF-8 encoding for international vcards are QRCode generation is now much quicker.
• Trying to load an alternative version of jSignage or trying to overwrite the global jSignage object will fail and generate a warning.
• Support time zone conversions for dates before Jan 1st, 1970.
• Added RGBToHSL(), HSLToRGB() and hsl() functions in jSignage.
• Added QRCode and Astronomy libraries.
• jSignage.Graph - added library version number and the 'f' option in ticks.
• jSignage.QRCode - added support for non-Latin chars.
• Improved compatibility with IE11 and Edge

Maintenance / Logs

• All PHP error logging has been moved to the internal syslog
• The format of the Apache httpd access logs has changed, the cipher and request time are now included.
• The currently installed firmware version is logged when starting a firmware update for improved diagnostics.
• Early boot console messages are now saved for improved diagnostics.

Network

• HTTP authentication has switched from digest to basic for ease of management and compatibility with Control Center forms based authentication
• Bonjour host names on the local network (e.g. <host-name>.local) are now supported to open connections from the device to other network locations.
• The DHCP lease is now requested for 15 days (the DHCP server may further limit this duration).

System

• External USB storage is now formatted as an ext4 file system instead of ext3. External USB storage formatted on firmware 3.x is incompatible with firmware 4.x.
• Formatting of external USB storage devices up to 2TB are now supported.
• Timezone data has been upgraded to 2015f
• Improved RTC recovery. If the internal real-time-clock (RTC) looses the date and time (e.g., due to battery discharge) and the current date and time cannot be obtained via NTP at boot, the time of the last proper shutdown is used as a fallback instead of setting the date to 1970. If the device was not properly shut down the fallback time is no older than one hour before the improper shut down.
• The firmware updater now checks the signature of the repository metadata in addition to individual package signatures, increasing firmware update security.
• The internal web server now starts much closer to the end of the boot process; this avoids the risk of doing operations before the necessary services are started.

Bug fixes

Network

• Always set a header in XMLHttpRequest to decline zip encoding of content.
• Using partial get also for server not returning an Etag as long as they accept partial get. In such case the last modification date is used to check that the file has not been modified.

Scheduling

• Bugs in processing of recurrence rules for calendar events.

Media

• Audio and video were sometimes out of sync.
• The duration of audio only files was not correctly computed at import.
• When using large padding value, media size is not correct (and rotated).
• Unexpected crash when streaming is used in conjunction with playlist and effect.
• WMAv2 without bit reservoir not supported correctly.

Streaming

• Crash that could be triggered when saving a document or refreshing its metadata and that document includes a streaming layer.
• Streaming capture could fail if the target path contained a space character.

JavaScript

• Global DOM variables must be overwritable.

jSignage

• Position of minor ticks in graphs and gauges axes was wrong when the baseline value was not zero.
• Allow area charts without lines.
• Color of dots in the simple clock widget where not changed when the user configured the color.
• The date-time widget now accept multiple date format separated by a space: 'LONG_DATE SHORT_TIME' for instance.
• Gauge attributes: animateBars and animateIndicator, cannot be disabled.
• Wrong default color used for gradient fill.
• Incorrect axes draw for negative dataMin.
• Wrong parameters for stackedAndGroupedHorizontalBarGauge function.
• Ticks are not at the right position in graph when a starting point different from 0 is used.
• Gauge issue when using multiple center-positioned texts.
• Removed global variables in jGraph, as it prevents any other document of using a global variable with the same name.
• Removed incorrect usage of a global variable "i" in jSignage.
• When using the countdown widget, and the count unit set to days, the number of days may is incorrect if the end of the timer is not in the same month as the current day.
• Infinite loop (causing HMP to crash) could be triggered if a wrong date format was used in one of the feed widgets, or the date-time widgets.
• Date of format RFC822 and ISO8601 are automatically converted to dates if a date formatting is applied to them. Other date formats need to be explicitly parsed as date. Note that this trigger a small backward compatibility issue for feeds widgets using a date format not RFC822/ISO8601 but that was recognized by the JavaScript Date() constructor.
• In a feed widget, if a data is not a date, and a date formatting is applied to it, display the raw data and some something like "LONG_DATE2015"
• Added the zoom transition in playlist when random is chosen.

Maintenance / Logs

• The CPU usage reported in the log could be above 100%.
• The uploader.log file could overflow before being rotated and earlier log messages lost, the size has been increased to 30MB to avoid this

Major changes from 3.x firmware

• CVT custom display settings modes are not available on HMP350, but you can use the "Fixed Mode" video timings instead. See Custom display settings page for more details.
• USB cellular modems (3G/4G dongles) are not supported.
• USB external storage is not supported on DiVA, nor by the Content creation tool.
• Player self-tests are not supported.
• Fusion interface is not supported on DiVA, HMP300 and HMP350, being replaced by the player web interface.