DSOS release notes
From SpinetiX Support Wiki
- 1 Introduction
- 2 Release 4.6.0
- 3 Release 4.5.3
- 4 Release 4.5.2
- 5 Release 4.5.1
- 6 Release 4.5.0
- 7 See also
Native to the HMP400, DSOS also brings embedded system design to the entire Intel ecosystem, ideal for fanless architectures like Intel Goldmont, but scalable to i5, i7 or i9 when maximum performance matters.
- Support for HDMI CEC.
- This can be used on the HDMI output or on the DisplayPort Alt-mode output with a DP to HDMI adapter cable supporting the DP 1.3 "CEC tunneling over AUX" protocol.
- HMP Control Center will show a warning message when the selected video output does not support CEC.
- The display power management can be enabled from Control Center > Display & Audio page.
- Note that some players from the first production batches could lack the hardware support for CEC; this information can be found in Control Center.
- Support for rendering PDF files.
- Wi-Fi connections can now be easily configured from a smartphone, tablet or computer without any other network connection or USB stick, by connecting directly to the player over the air. See Wi-Fi setup page for more details.
- HTML rendering engine:
- Performance was improved by adding texture sharing.
- Added support for using the proxy configuration.
- Updated to Chromium 79.
- The DSOS license status (license type, missing license, or expired license) is shown on Control Center home page and on the OSD that appears when the blue button is pressed.
- The configuration backup file now includes an indication of the DSOS license active at the time the backup file is generated. This allows displaying a clean error to users if they try to restore a configuration backup containing features not supported by the DSOS license currently activated on the player.
- The audio connectors' names shown in Control Center are hardware-dependent.
- The embedded web server now supports TLS 1.3.
- The IP addresses and other information are shown only for the active interface on the OSD that appears when the blue button is pressed.
- The welcome splash screen shows a specific error message when the device is not enrolled in SpinetiX cloud services, aiding in diagnosis.
- Support for new image codecs (webp, dng).
- Support for hardware motion-adaptive deinterlacing with past and/or future references.
- Updated timezone database from version 2018i to 2019a; it affects Palestine and Metlakatla.
- Daily power saving schedule feature.
- Players would stop communicating with ARYA until next reboot when reconfigured.
- Interlaced videos could show green frames.
- URLs with empty components in path (i.e., doubled slash) were not interpreted correctly.
- Minor changes within the player report.
- The dropdown listing the time zones in Control Center is empty. This is a regression introduced in 4.5.3 release.
Applies to third-party players.
- Incorrect serial number shown on the OSD that appears when the power button is pressed.
Updated Linux kernel from 4.19.80 to 4.19.127 to fix security issues.
- These could potentially affect the firmware: CVE-2019-17133, CVE-2019-19532, CVE-2019-18282, CVE-2019-0155, CVE-2019-0154, CVE-2019-19922, CVE-2019-11135, CVE-2019-19767, CVE-2019-19252, CVE-2019-19447, CVE-2019-20812, CVE-2020-0305, CVE-2019-20636, CVE-2019-14615, CVE-2019-19059, CVE-2019-19058, CVE-2019-5108, CVE-2020-8428, CVE-2019-16234, CVE-2020-8647, CVE-2020-8649, CVE-2020-8648, CVE-2020-11565, CVE-2020-12826, CVE-2019-19768, CVE-2020-12464, CVE-2020-10732, CVE-2019-19462
- These do not affect the firmware: CVE-2019-19075, CVE-2019-17075, CVE-2019-19060, CVE-2019-19065, CVE-2019-17666, CVE-2019-15098, CVE-2019-19048, CVE-2020-10773, CVE-2019-19526, CVE-2019-16233, CVE-2019-19049, CVE-2019-19045, CVE-2019-19052, CVE-2019-18813, CVE-2019-19529, CVE-2018-12207, CVE-2019-16231, CVE-2019-19534, CVE-2019-19524, CVE-2019-18660, CVE-2019-15291, CVE-2019-18683, CVE-2019-12614, CVE-2019-19062, CVE-2019-19227, CVE-2019-19071, CVE-2019-19079, CVE-2019-19332, CVE-2019-18786, CVE-2019-19057, CVE-2019-19063, CVE-2019-19947, CVE-2019-16230, CVE-2019-16232, CVE-2019-16229, CVE-2020-10690, CVE-2019-18809, CVE-2019-19965, CVE-2019-14901, CVE-2019-14895, CVE-2019-19066, CVE-2019-19068, CVE-2019-19056, CVE-2019-9445, CVE-2019-20096, CVE-2019-15217, CVE-2019-19077, CVE-2020-12652, CVE-2019-19046, CVE-2019-20806, CVE-2019-14896, CVE-2019-14897, CVE-2020-14416, CVE-2020-12769, CVE-2019-3016, CVE-2020-12653, CVE-2020-12654, CVE-2020-9383, CVE-2020-2732, CVE-2020-0009, CVE-2020-10942, CVE-2020-12465, CVE-2020-11608, CVE-2020-11609, CVE-2020-11668, CVE-2020-11494, CVE-2020-12657, CVE-2020-11669, CVE-2020-12659, CVE-2020-1749, CVE-2020-0067, CVE-2020-11884, CVE-2020-10751, CVE-2020-13143, CVE-2020-10711, CVE-2020-12770, CVE-2020-12768, CVE-2019-18814, CVE-2020-10757
More security fixes:
- openssl: CVE-2019-1543
- bluez5: CVE-2018-10910
- libsndfile1: changed fix for CVE-2017-14245 and CVE-2017-14246, fixed CVE-2017-12562, CVE-2018-19758, CVE-2019-3832
- glibc: CVE-2019-9169, CVE-2016-10739, CVE-2018-19591, CVE-2019-6488, CVE-2019-7309; fix for incomplete CVE-2016-10739
- elfutils: CVE-2019-7146, CVE-2019-7149, CVE-2019-7150, CVE-2019-7664, CVE-2019-7665
- busybox: CVE-2018-20679, CVE-2019-5747
- sqlite3: CVE-2018-20505, CVE-2018-20506, CVE-2019-8457
- cairo: CVE-2018-19876, CVE-2019-6461, CVE-2019-6462
- tar: CVE-2019-0023, CVE-2018-20482
- glib2: CVE-2019-12450, CVE-2019-9633, CVE-2019-13012
- curl: CVE-2019-5435, CVE-2019-5436, CVE-2018-16890, CVE-2019-3822, CVE-2019-3823, CVE-2019-5482
- bzip2: CVE-2019-12900
- expat: CVE-2018-20843
- dbus: CVE-2019-12749
- gcc: CVE-2019-14250
- bind libraries: updated from 9.11.4 to 9.11.5-P4, CVE-2018-5738, CVE-2018-5744, CVE-2018-5745, CVE-2019-6465
- pango: CVE-2019-1010238
- gnutls: CVE-2019-3829 and CVE-2019-3836
- libgcrypt: CVE-2019-12904
- apache httpd: update from 2.4.34 to 2.4.41, fixes CVE-2018-17189, CVE-2018-17199, CVE-2019-0190, CVE-2019-0220, CVE-2019-0196, CVE-2019-0197, CVE-2019-0215, CVE-2019-0217, CVE-2019-0211, CVE-2019-10081, CVE-2019-9517, CVE-2019-10098, CVE-2019-10092, CVE-2019-10097, CVE-2019-10082
- The fix for CVE-2020-15809 in 4.5.3 was incomplete; URI validation in rssProxy.php missed a few possible cases.
- RPC API - new commands for Wi-Fi:
deviceInfo global object with two new methods, mostly relevant for Wi-Fi:
- Calendar widgets do not show data from Google.
- HMP400 serial number doesn't work as Multiscreen ID.
- CORS requests are now allowed for endpoints other than RPC, provided the RPC API key is used.
- Changed the display message when the player license expires or is missing; a black screen is now shown instead of the "no valid license" floating text.
- The content server was not disabled when a player was added to ARYA, leading to confusing errors in Elementi if a publish was attempted.
- Importing X.509 server certificates with unknown extensions would make the network page display an error and be unusable until the certificate was removed.
- RTP (not MPEG2TS) streaming will stop after a few minutes.
- AJAX POST requests would use chunked transfer encoding since firmware 4.5.0, but many simple devices do not support it, which broke communications; chunked transfer encoding is no longer used in AJAX requests.
- HTTP requests to a server whose name started with vN, N being an integer, would be modified to be within square brackets, breaking the request.
- Video modes could be incorrectly programmed when the attached display did not return a valid EDID, due to an internal DisplayPort link rate being incorrectly programmed.
- The hardware watchdog would not fire if the system hung during shutdown, as it got disabled when the software watchdog exited; the hardware watchdog is now never disabled.
- The unused rssProxy.php, i18njs.php and timezones.php were incorrectly included in the firmware image, which increases the attack surface; they are no longer included.
- Visual stutter could occur with looping videos.
- Player could hang after video playback.
- Fixed CVE-2020-15809, the spxmanage component would allow requests that access unintended resources because of SSRF and Path Traversal.
- The dropdown listing the time zones in Control Center is empty for HMP400, HMP400W, and third-party players.
- The workaround is to use the <timezone> configuration tag. This is a regression introduced in 4.5.3 release.
- No proxy support in HTML rendering engine.
- The RTC is now calibrated for improved time accuracy while the player is powered off.
Applies to all models.
- Facebook widgets were no longer working due to a Facebook API change.
- The default gateway in static IPv6 configurations conflicted with IPv6 routes added from router advertisements, resulting in unpredictable routing; the default gateway now uses a lower metric and has precedence.
- Fixed various minor presentation problems in Control Center, such as:
- Configurations deployed via USB sticks including a reboot directive could cause a reboot loop.
- Recovery Console updated to version 2.8.1, fixing the player rebooting after a couple of minutes when a reset to factory defaults operation was pending.
- On HMP400W, the local link IPv6 addresses in static DNS configurations would get the wrong interface identifier when Wi-Fi was the selected interface.
- Enabling capturing the HTTP traffic for Pull Mode would generate no or incomplete capture files.
- HTTP PUT requests with an empty body were incorrectly done as GET requests.
- Enabled Wi-Fi connections with support for personal (pre-shared key) and enterprise authentication, as well as open/unauthenticated networks. Wi-Fi is enabled from Control Center, and the configuration is done via a configuration backup file.
- Configurations can now be deployed via USB sticks: inserting a USB stick with a configuration backup file on a not-yet-configured player will automatically apply the configuration. For security reasons, this feature is automatically disabled once the player has been fully configured.
- Added support for 802.1x authentication on Ethernet; configuration is done via the configuration backup file.
- The Recovery Console has been updated to version 2.8.0, to support Wi-Fi connections and 802.1x authentication on Ethernet. The Recovery Console is now updated during the regular firmware update if an older console version is installed on the player; it can also be installed via a .pkg file, just like the firmware.
- The player report includes more readable license data to aid in diagnostics.
Applies to third-party players.
- Names corresponding to the labels on the device are now shown in Control Center's video and audio output selectors.
- Licenses were incorrectly included in the configuration backup, which can invalidate a valid license received from the license server when restoring the configuration backup at a later time; licenses are no longer included in the configuration backup as they are distributed directly by the license server. Configuration backups saved from firmware 4.5.0 for units which had a license should be manually edited to remove the license before restoring.
Applies to all models.
- Streaming was not working properly with some sources.
- An HTTP proxy on port 80 could not be used. This was a regression introduced in 4.5.0.
- Some web services, like RSS feeds, behave differently when the referrer is about:blank; a full URL is now used to avoid problems.
- Solved incompatibility with myDrive.ch file storage service.
- Webp images could crash the player causing a reboot.
- RPC responses to failed calls were not returned to the RPC concentrator (regression introduced in 4.5.0); in addition, any HTTP-level RPC call errors are also returned to the RPC concentrator.
- The player could reboot during network state changes due to races in the restart of the NTP daemon.
- Credentials to access resources on AWS could be renewed just after they expired, instead of a few minutes before, causing temporary problems with ARYA.
- The license texts in Control Center's about page were not properly tagged as UTF-8 plain text and could display garbled.
- EULA and third-party licenses updated to reflect current ones.
- On full HD deinterlaced videos, the bottom of the 1088 coded lines were outputted instead of the top 1080.
- The player was not restarted when the audio configuration changed, although a restart was required.
- Network default routes installed by the DHCP client may conflict with existing default routes and not become effective; they are now replaced.
- The NTP daemon no longer restarts on IP address changes as it is no longer necessary.
- The report did not properly dump the TPM2 public data of persistent handles.
Applies to all players.
- Configuration API new tags:
- RPC API - the get_info command has been extended to support Wi-Fi.
- Status API - the info endpoint has been extended to support Wi-Fi.
- Added DSOS support for the new hardware models: HMP400/HMP400W and selected 3rd-party players.
- Added support for the DSOS activation licenses; the player license information is displayed on the Control Center home page and included within the configuration backup.
- New HTML5 rendering engine, based on Chromium 74, with support for hardware accelerated video decoding and WebGL. Applies only to players with DSOS Kiosk and DSOS Systems licenses.
- New "password manager" functionality to support forms-based authentication on websites, using credentials stored under Saved passwords.
- New "click robot" engine to navigate, scroll, zoom on content of interest and/or click through consent popups on HTML5 pages.
- New Pull Mode engine that supports faster downloads, end-to-end content integrity checking with SHA-256, and processing of RPC commands.
- JPEG images are now automatically rotated and flipped according to EXIF data.
- Added support for merging multiple calendars on the same view for Google calendar and Outlook online.
- Added support for underlined text.
- HTTP traffic capturing can be enabled from Control Center or RPC, for improved diagnostics. The captures are also included in the player report. Credentials are masked in the captures.
- Added video and audio output selectors in Control Center and Configuration Wizard for players with multiple video/audio outputs.
- Added support for Hyperlink and Picture columns in SharePoint lists.
- Firmware updater now checks that the update source is compatible with the product's model before applying any updates.
- Bonjour and SSDP announcements now include additional serial numbers for the benefit of the newly supported models.
- JS locale files are now compressed, reducing the firmware size.
- Updated some internal libraries:
- ffmpeg to version 4.0.2 (was 3.4.5)
- libical to version 2.0.0 (was 1.0.1)
- Yii PHP framework to version 1.1.21 (was 1.1.17)
- Removed support for Instagram widgets because Instagram has discontinued the Legacy API.
- Session cookies now expire after 2 days (previously they never expired).
- Pull Mode with ICS executed after being disabled.
- Cookies for public top level domains were incorrectly allowed in the Pull Mode daemon (uploader).
- Crash when pressing blue button when playing a project with asynchronous audio player event handlers.
- Events widget - long event titles were not showing correctly.
- JSignage Graph plugin: axis grids were not shown in some cases because of missing min and max values.
- Editing was broken if there was any text in an editable text area.
- Enrollment to SpinetiX cloud services now uses the TPM to authenticate third-party devices.
- Protected from XEE attacks in XML files.
- Use HTTPS protocol for the ECB exchange rate data source.
- CORS violations and other errors in HTML5 content are reported in the log.
- Credentials can now be used on AJAX requests to the player from web pages not hosted on the player (i.e., the authorization headers are now allowed for CORS).
- Uploader process logs more messages at trace level to diagnose replication issues in Pull Mode.
- New tags for the Configuration API:
- <video-output-selector> to select the video output connector on DSOS devices.
- <pullmode-http-capture-log> to capture HTTP traffic for the uploader process.
- <http-capture-log> to capture HTTP traffic for the player.
- New options for the
- videoConnectors: true to report the list of attached screens
- audioConnectors: true to report the list of attached audio connectors