DSOS release notes

From SpinetiX Support Wiki

This page tells you what's new within the DSOS operating system starting with release 4.5.0. It applies to HMP400, HMP350, HMP300, DiVA, and 3rd-party players. We welcome your feedback!
For download links, see the Firmware page. For release notes prior to 4.5.0, see the links below.

Introduction

DSOS

DSOS™ by SpinetiX™ is a lightweight, secured operating system designed for digital signage players, especially for the demands of defense, financial, cruise vessel and other high-availability scenarios.

Native to the HMP400, DSOS also brings embedded system design to the entire Intel ecosystem, ideal for fanless architectures like Intel Goldmont, but scalable to i5, i7 or i9 when maximum performance matters.

Unresolved

  • Calls to the Web Storage REST API fail due to CORS errors. This is a regression introduced in DSOS 4.7.4.
    There's no workaround other than disabling same origin policy on the browser, but that is not recommended, of course.
  • HMP350 player might crash when using a custom font in a variable format. This is a regression introduced in DSOS 4.7.1 build 2.

Release 4.7.4 build 2

Release name: "Grand Pilier d'Angle" 4.7.4 build 2. Release date: August 23rd, 2022.
Applies to HMP400, HMP400W, HMP350, HMP300, DiVA, and third-party players.
Firmware version number: 4.7.4-2.0.0-6bfffad2

Fixes

  • Cross-origin requests to RPC using the API key returned CORS errors as if the API key was wrong, due to a build error. This is a regression introduced in 4.7.4-1.0.1.

Security

  • Fixed a security vulnerability which could allow mounting an XSS attack for escalation of privileges (CVE-2022-38483).

Release 4.7.4

Release name: "Grand Pilier d'Angle" 4.7.4. Release date: June 16th, 2022.
Applies to HMP400, HMP400W, HMP350, HMP300, DiVA, and third-party players.
Firmware version number: 4.7.4-1.0.1-e70888e0

Improvements

  • Accessing Control Center's custom HTML interface pages as a user who is not signed in to Control Center no longer causes a confusing browser authentication dialog to pop up. Users are now redirected to the Control Center sign-in page and, after successfully signing in, back to the custom HTML interface. A new /uiauth/ path in the web server space is introduced to support this.
  • USB storage is now available in Control Center on HMP400, HMP400W and third party players running DSOS regardless of the DSOS license installed. When no DSOS license is installed, USB storage can only be used as a storage extension; when a DSOS license is installed, it can also be used to play content externally copied to the USB storage (e.g., from Elementi).
  • Calendar widgets using Exchange online as data source now support showing images attached to the calendar event.
  • Improved support for showing images from Yammer feeds.
  • Projects using DarkSky as provider for weather information are now transparently redirected to the default provider since DarkSky no longer makes the data available.
  • Redirect responses to HTTP requests from the content could be dropped if the body of the redirect was over more than one network packet.
  • Recovery console is updated to version 2.11.0 which includes the same core libraries and component updates as firmware 4.7.4-1.0.1.

Fixes

  • The manual date and time menu in Control Center had the year drop-down limited to 2021.
  • Pull mode would parse the response of a failed HTTP request to a server instead of ignoring it, possibly leading to stopping pull mode actions after a failed HTTP request (e.g., 502 error).
  • The status API would show an error about a /srv/raperca/interface/public/index.svg file on HMP400, HMP400W and third party players; although there was no real error.
  • The player could crash and reboot when changing the timezone configuration, depending on the newly selected timezone (Moscow would trigger it).
  • The player could crash and reboot after publishing a project referencing some special timezones, like Moscow.
  • Video streams with URLs ending in .sdp would not play; this is a regression introduced in 4.7.0.
  • HMP400, HMP400W and third party players only
    • iwd from version 1.9 to 1.20.
      • Solves 802.1x compatibility with switches using 802.1x version 2010 (a.k.a. EAPoL version 3) by default.
      • Solves Wi-Fi issues with WPA3 authentication, roaming, scanning, authentication timeouts, and many other reliability issues.
    • linux-firmware: upgrade from 20210511 to 20211027
  • HMP400 and HMP400W only
    • The spxucd daemon was not watched by the watchdog daemon.
  • Third party players only
    • Ignore more patterns of dummy / uninitialized serial numbers in BIOS data, which could cause a failure to enroll in the SpinetiX cloud.

Security

Updated base libraries and components, the main changes are as follows.

  • busybox: fixed CVE-2021-42378, CVE-2021-42379, CVE-2021-42380, CVE-2021-42381, CVE-2021-42382, CVE-2021-42384 and CVE-2021-42385 which did not affect the firmware.
  • libgcrypt: fixed CVE-2021-33560, CVE-2021-40528 and CVE-2021-33560 which could affect the firmware.
  • ncurses: fixed CVE-2021-39537, which could affect the firmware.
  • glib-2.0: fixed CVE-2021-2721, CVE-2021-27219, CVE-2021-28153, which could affect the firmware.
  • glibc: fixed CVE-2021-38604, CVE-2021-33574 and CVE-2021-35942, which could affect the firmware.
  • curl: fixed CVE-2021-22897, CVE-2021-22945, CVE-2021-22946 and CVE-2021-22947, which did not affect the firmware.
  • openssh: fixed CVE-2021-28041, which did not affect the firmware.
  • squashfs-tools: fixed CVE-2021-40153, which could affect the firmware.
  • nettle: fixed CVE-2021-3246, CVE-2021-20305 and CVE-2021-3580, which could affect the firmware.
  • apr: fixed CVE-2021-35940, which could affect the firmware.
  • dbus: fixed CVE-2020-12049, which could affect the firmware.
  • openssl: fixed CVE-2021-3711 and CVE-2021-3712, which could affect the firmware.
  • rpm: fixed CVE-2021-20266, which could affect the firmware.
  • gnupg: fixed CVE-2020-25125, which did not affect the firmware.
  • util-linux: fixed CVE-2021-37600, which did not affect the firmware.
  • nss: fixed CVE-2021-43527, CVE-2020-12403 and CVE-2022-22747, which did not affect the firmware.
  • apache2 (updated to 2.4.53): fixed CVE-2022-22720, which could affect the firmware, and CVE-2022-23943, CVE-2022-22721, CVE-2022-22719, CVE-2021-44790 and CVE-2021-44224, which did not affect the firmware.
  • p7zip: fixed CVE-2016-9296 and CVE-2018-5996, which could affect the firmware.
  • tzdata: updated from version 2021a to 2021e, which affects Jordan, Samoa, Fiji and Palestine timezones.
  • ca-certificates: updated from version 20210119 to 20211016, which updates the list of trusted certificate authorities, matching that of Firefox 90.
  • HMP400, HMP400W and third party players only
    • Linux kernel from 5.4.143 to 5.4.170, fixing the following security issues.
      • That could affect the firmware: CVE-2022-20141, CVE-2021-20322, CVE-2021-34556, CVE-2021-35477, CVE-2021-3764, CVE-2021-4203, CVE-2021-3744, CVE-2021-41864, CVE-2022-0644, CVE-2021-3752, CVE-2021-3640, CVE-2021-39686, CVE-2021-4002, CVE-2021-4083, CVE-2022-20132 and CVE-2021-39698.
      • That did not affect the firmware: CVE-2021-39633, CVE-2021-3753, CVE-2021-3739, CVE-2021-40490, CVE-2021-42252, CVE-2021-20320, CVE-2020-16119, CVE-2021-37159, CVE-2021-20321, CVE-2021-38300, CVE-2021-3894, CVE-2021-4149, CVE-2022-0322, CVE-2021-3896, CVE-2021-43056, CVE-2021-3760, CVE-2021-43389, CVE-2021-3772, CVE-2021-42739, CVE-2021-45868, CVE-2021-4202, CVE-2020-27820, CVE-2021-43975, CVE-2021-39685, CVE-2021-28715, CVE-2021-28714, CVE-2021-28713, CVE-2021-28712, CVE-2021-28711, CVE-2021-4135, CVE-2021-45469, CVE-2022-1195, CVE-2022-20154 and CVE-2021-44733.

Release 4.7.3

Release name: "Grand Pilier d'Angle" 4.7.3. Release date: December 20th, 2021.
Applies to HMP400, HMP400W, HMP350, HMP300, DiVA, and third-party players.
Firmware version number: 4.7.3-1.0.0-aec8d491.

Fixes

  • Control Center immediately logged out a user when the player clock was not synchronized and more than 8 hours in the past, making it unusable and difficult to recover. This was a regression introduced in firmware 4.7.2.
  • The SNMP user configuration was not correctly processed, which had the following consequences:
    • If the community string was left at its default "public" value, then only the system MIB subtree was readable.
    • Changing the community string to anything other than "public" left the system MIB subtree still readable with the "public" community string, while the complete MIB tree was readable with the configured community string.
    • Limiting access to specific IP networks or addresses did not have an effect on the "public" community string.
  • The SNMPv2-MIB reported a bogus value for contact and location instead of the empty value, which means "unknown".
  • The processes and disk configuration of the UCD-SNMP-MIB was outdated, so some entries in the process table were being flagged in error, some other important ones were missing and some file systems (i.e. disks) were not being listed.
  • The custom interface link in Control Center was not displayed if its title was longer than 20 bytes.
  • The "Start Recovery Mode" button in the corrupted firmware message was non-functional.
  • Corrected minor typos in Control Center messages.


Applies to HMP400 and HMP400W.

  • The daemon that reports information from the power management microcontroller was not started on the latest hardware revision (i.e. revision C); this did not have any functional consequence.

Security

Updated core libraries and components, the main changes are as follows:

  • apache2: updated to version 2.4.51
    • This fixes the following security vulnerabilities which affected the firmware: CVE-2021-40438 and CVE-2021-34798
    • This fixes the following security vulnerabilities which did not affect the firmware: CVE-2021-31618, CVE-2020-13938, CVE-2019-17567, CVE-2021-39275, CVE-2021-36160, CVE-2021-33193, CVE-2021-41773, CVE-2021-41524 and CVE-2021-42013
    • Note that the following security vulnerabilities were already fixed in firmware 4.7.2 with backported fixes: CVE-2021-30641, CVE-2021-26690, CVE-2021-26691, CVE-2020-35452 and CVE-2020-13950
  • nss: fixed CVE-2020-6829 and CVE-2020-12400
  • dnsmasq: fixed CVE-2021-3448


Applies to HMP400, HMP400W, and third-party players.

  • Updated kernel to version 5.4.143
    • This fixes the following security vulnerabilities which affected the firmware: CVE-2021-33624, CVE-2021-3732, CVE-2021-3679 and CVE-2020-3702
    • This fixes the following security vulnerabilities which did not affect the firmware: CVE-2020-36311, CVE-2021-3609, CVE-2021-3655, CVE-2021-38160, CVE-2021-38199, CVE-2021-37576, CVE-2021-38198, CVE-2021-38205, CVE-2021-38204, CVE-2021-3653, CVE-2021-3656 and CVE-2021-42008
    • Note that the security vulnerability CVE-2021-33909 was already fixed in firmware 4.7.2 with a backported fix.

Unresolved

Release 4.7.2

Release name: "Grand Pilier d'Angle" 4.7.2. Release date: October 11th, 2021.
Applies to HMP400, HMP400W, HMP350, HMP300, DiVA, and third-party players.
Firmware version number: 4.7.2-1.0.1-577fb6de.

Improvements

Control Center

  • The session duration has been changed to 8 hours (measured from sign-in) to ease usage, and a dialog is shown when the session expires.
  • When more than one user exists in Control Center, the player web interface sign-in page no longer unconditionally redirects to ARYA, even if the player is registered in ARYA.
  • Power save scheduling options are no longer shown when display power management is disabled, to avoid confusion.
  • The advanced configuration of loggers for diagnostics and debugging has been simplified and is now controlled via configuration backup files. The respective page was removed from Control Center.

Recovery Console updated to version 2.10.1

  • Includes same core libraries and component updates as firmware 4.7.2-1.0.
  • A "firmware update" splash screen is shown during a firmware update via the recovery console (required during an update from firmware 4.6.x or older), instead of the "Recovery mode" default one, to avoid confusion.

Other improvements:

  • The locale database (CLDR) was updated to release 39 for improved internationalization.


Applies to HMP400, HMP400W, and third-party players.

  • The output volume of audio devices is now adjustable in Control Center's Display & Audio page, with 100% being the default.
  • The list of Wi-Fi networks is now shown in Control Center's Network page, with signal quality and connected status.
  • The Wi-Fi configurator now checks that the password length is valid for Wi-Fi.
  • Improved compatibility of USB video capture devices (Sandberg USB2, Elgato Cam Link 4K, AverMedia ExtremeCap UVC, ATEN CamLive Uc3020) and extended the HDMI capture to support RAW mode. This remains a Technology Preview Feature.

Changes

  • The maximum rendering latency is now limited to 1 second. A higher maximum rendering latency of 1500ms could be specified in earlier firmware versions, although the effective limit was often 1 second or less due to hardware constraints and in the cases where a higher latency was possible it interfered with the stream out feature. Any maximum rendering latency value higher than 1 second is now capped, and Control Center no longer proposes higher values; this applies to all player models to ensure consistency.

Fixes

  • When doing a firmware update from a USB stick and the firmware update required two passes, the second pass would update from the server and not the USB stick.
  • Control Center generated a 500 internal error when the network logs of the uploader were enabled.
  • Control Center could show some strings in languages other than English, although only English is supported.
  • Literal IPv6 link-local addresses used in the NTP, DNS, default network API server, etc., were not working when the network was configured to use Wi-Fi instead of Ethernet.
  • Configuration files that mixed Ethernet and Wi-Fi configuration could leave the network configuration in a wrong state, applying Ethernet configurations to Wi-Fi and vice-versa.
  • Enrollment did not follow HTTP redirects received from the enrollment server; 307 and 308 redirects are now followed as expected.
  • Double-clicks on an interactive widget inside a document were not correctly detected.


Applies to HMP400, HMP400W, and third-party players.

  • Control Center allowed configuring stream out in 4K, but not all players are powerful enough to do it; 4K is thus no longer proposed on HMP400, HMP400W and third-party players like Chaco Canyon and ECS Liva Q2.
  • The Output Streaming section was showing a "C:\fakepath\" string when uploading a custom XML file; only the base filename is shown now.
  • The video stream from the stream out feature stuttered when stream out was configured at a lower resolution than the display and the display was configured at 4K (e.g., 1080p stream out with a 4K display).
  • Some USB audio devices would not output audio because their default volume was too low; all USB audio devices now have their volume set to 100% by default.
  • Taking a snapshot could briefly pause rendering; snapshots are now taken asynchronously to avoid this effect.
  • Windows Hello compatible cameras could appear as two video input devices.

Security

Let's Encrypt certificate chain compatibility

  • Removed the expired root certificate "DST Root CA X3" used by Let's Encrypt for cross-signing its own root certificate. Having this certificate caused web page layers to stop rendering on HMP350 and HMP300 on 2021-09-30 for sites with certificates delivered by Let's Encrypt; other player models and other parts of the system were briefly affected by this issue.

Updated core libraries and components, the main changes are as follows:

  • tar: fixes for CVE-2021-20193, which should not affect the firmware.
  • openssh: fixes for CVE-2020-14145, which should not affect the firmware.
  • libxml2: fixes for CVE-2021-3517, CVE-2021-3518 and CVE-2021-3541, which can affect the firmware, and CVE-2021-3537, which should not affect the firmware.
  • gnutls: fixes for CVE-2021-20231 and CVE-2021-20232, which can affect the firmware.
  • bind: fixes for CVE-2021-25214, CVE-2021-25215 and CVE-2021-25216, none of which should affect the firmware.
  • dnsmasq: fixes for CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25687, CVE-2020-25684, CVE-2020-25685 and CVE-2020-25686, none of which should affect the firmware.
  • expat: fixes for CVE-2013-0340, which can affect the firmware.
  • rpm: fixes for CVE-2021-3421, which should not affect the firmware.
  • glibc: fixes for CVE-2021-35942, which can affect the firmware.
  • busybox: fixes for CVE-2021-28831, which should not affect the firmware.
  • dhcp: fixes for CVE-2021-25217, which can affect the firmware.
  • bluez: fixes for CVE-2021-3588, which should not affect the firmware.
  • avahi: fixes for CVE-2021-3468, which should not affect the firmware.
  • curl: fixes for CVE-2021-22898, CVE-2021-22924 and CVE-2021-22925, none of which should affect the firmware.
  • apache2: fixes for CVE-2020-35452 and CVE-2021-26690, which can affect the firmware, and CVE-2020-13950, CVE-2021-26691 and CVE-2021-30641, which should not affect the firmware.
  • php: upgrade to 7.4.21, which fixes CVE-2021-21705, which can affect the firmware, and CVE-2021-21704, which should not affect the firmware.


Applies to HMP400, HMP400W, and third-party players.

  • Updated kernel to version 5.4.129 to fix the following security issues:
    • These could potentially affect the firmware: CVE-2021-29154, CVE-2021-31829, CVE-2021-33034, CVE-2021-32399, CVE-2020-26558, CVE-2021-0129, CVE-2020-24587, CVE-2020-24586, CVE-2020-24588, CVE-2020-26139, CVE-2020-26145, CVE-2020-26147, CVE-2020-26141, CVE-2021-3564, CVE-2021-3573, CVE-2020-26541, CVE-2021-35039
    • These do not affect the firmware: CVE-2021-28964, CVE-2021-28972, CVE-2021-28971, CVE-2021-28688, CVE-2021-29264, CVE-2021-31916, CVE-2021-29650, CVE-2021-29647, CVE-2021-3483, CVE-2020-25672, CVE-2020-25673, CVE-2020-25670, CVE-2020-25671, CVE-2021-22555, CVE-2021-23133, CVE-2021-3506, CVE-2021-38208, CVE-2021-3587, CVE-2021-34693, CVE-2021-3743, CVE-2021-22543
  • Updated core libraries and components, the main changes are as follows:
    • cairo: fixes for CVE-2020-35492, which can affect the firmware.
    • linux-firmware: upgrade from 20210208 to 20210511, fixes CVE-2020-26555, CVE-2020-26558 and CVE-2021-0105, which affected the firmware on some platforms.
    • intel-microcode: upgrade from 20210216 to 20210608, fixes CVE-2021-24489, CVE-2020-24511, CVE-2020-24512 and CVE-2020-24513, which affected the firmware on some platforms.
  • Added backported fix for CVE-2021-33909 (sequoia); the functions necessary to exploit it are not exposed on DSOS, so it is unlikely that DSOS was affected.


Applies to HMP350, HMP300, DiVA players.

  • Although not accessible, the root account was not locked; it is now completely locked for increased security.

Developer

RPC API

  • RPC communication was non-functional when the "Password protect RPC admin" option was disabled, affecting communications with Cockpit, ARYA and any third-party RPC concentrator. This is a regression introduced in 4.7.1.
    This option is enabled by default, and disabling it is strongly discouraged (as it removes all security for player administration access).
    Users running firmware 4.7.1 that have disabled this option need to either update the firmware or re-enable the option from Control Center to recover the RPC functionality before updating the firmware.
  • The firmware_update ignored the repo_uri parameter when repo_id was not specified.
  • A new parameter, web-page-data, was added to the reset command; it allows clearing the web content related data (HTTP cache, HTTP web storage, cookies).

Release 4.7.1 build 2

Release name: "Grand Pilier d'Angle" 4.7.1 build 2. Release date: August 9, 2021.
Applies to HMP400, HMP400W, HMP350, HMP300, DiVA, and third-party players.
Firmware version number: 4.7.1-2.0.0-d1e6b60b.
Note:
For more details about the update process on HMP350, HMP300, and DiVA players, see this section.

Improvements

  • Added the capability to block specific firmware versions from installation via pkg files when delivered via firmware update.
  • The update to firmware 4.7.1-1.0.1 and recovery console 2.9.5 are now blocked on HMP350, HMP300 and DiVA players.
  • Updated recovery console to version 2.9.6 with the following changes:
    • Added the capability to block specific firmware versions from installation via pkg files.
    • Installation of firmware 4.7.1-1.0.1 and recovery console 2.9.5 packages is blocked on HMP350, HMP300 and DiVA players.

Fixes

Fixed the following regressions introduced by the migration of HMP350, HMP300 and DiVA players to the common software base of other player models in 4.7.1-1.0.1; the other players are not affected.

  • The serial port was not working properly.
  • Security vulnerability which could allow local user escalation (CVE-2021-38301).

Release 4.7.1

Release name: "Grand Pilier d'Angle" 4.7.1. Release date: June 2, 2021.
Firmware version number: 4.7.1-1.0.1-5ab720ce.
Note:
The 4.7.1 firmware is currently not available for HMP350, HMP300, and DiVA, pending the fix for the issue regarding the serial port not working properly.

New

The HMP400, HMP400W, and third-party players now support the playback of content generated by audio/video capture devices connected through USB.

Changes

Applies to HMP350, HMP300, and DiVA.

  • The firmware for these player models is now built using the same software base (Yocto), as the HMP400/W players, so they benefit from all the security improvements and base services available on newer models.
    • All the features and fixes added in 4.7.0 which are not marked as being specific to other player models now apply to HMP350, HMP300 and DiVA players as well.
    • If an older version of the Recovery Console is present, it will be updated through the regular firmware update process.
  • The HTML rendering engine used on these players, PhantomJS, is now deprecated and may be removed in a future release as it is no longer maintained upstream. See SpinetiX-SA-21:01 for more details.
  • HMP350 and HMP300 players have ARYA enabled by default and maintain a connection to the SpinetiX cloud even when ARYA is not enabled, as it was already the case for DiVA players.
Warning:
The serial port is not working properly on HMP350 and HMP300; deployments using the COM port should wait until a fix is made available before updating.

Improvements

  • Added support to update the firmware using a package file (.pkg) found among the update files.
    • The player will automatically boot in Recovery mode to perform the update and will boot afterwards back in normal mode using the new firmware, the same configuration as before, and with all user data and previous logs preserved.
    • The firmware update process decides whether to use the pkg file or the normal update method based on firmware update compatibility requirements from the update files' metadata.
  • During the firmware update, the Recovery Console gets updated to version 2.9.5, featuring:
    • Added support for an automated firmware upgrade using a pkg file that preserves player configuration and user data; it is used by the main firmware to do firmware updates that cannot be done using the normal method.
    • Added a Link-Local Multicast Name Resolution (LLMNR) responder so that Windows systems can find the IP address of the player without registering the players in DNS.
    • SDP / UPnP announcements now use the hostname instead of the IP address when the LLMNR responder is not disabled.
    • AJAX requests to the recovery console's web server without authentication now return a 403 Forbidden message to avoid unexpected password prompt popups on browsers.
  • Updated the iCalendar implementation library (libical) to version 3.0.7 (from 2.0.0).
  • Control Center
    • Setting a user password which is in a dictionary of known passwords or that contains the username is now refused, unless the user consents to low security passwords, to protect against password spraying attacks; passwords in configuration backup files or set via RPC are not affected by these checks.
    • A single "invalid username or password" error is now displayed for both bad password and bad username, to avoid username probing attacks.
  • Widgets
    • The Yammer widget has been reworked to better reflect how message selection currently works on Yammer.
    • Requests for weather data using the Yahoo Weather provider are now re-routed to the default provider to ensure continuity of service, since Yahoo is discontinuing its weather service.
    • Percent encoding is now applied to all unreserved characters in URI query strings for better browser compatibility; for instance, this problem prevented some Twitter feeds from being displayed.


Applies to HMP400, HMP400W, and third-party players.

Fixes

  • A focus event for text input would not be generated if no physical keyboard was connected, making the use of virtual keyboards difficult.
  • No caret was shown inside an editable text area.
  • The title of an RSS feed was not shown if the title was multi-line and the first line was empty; now the first non-empty line is shown.
  • The player can crash when a referenced image is missing from the content.
  • Some types of H.264 interlaced videos could crash the player.


Applies to HMP400, HMP400W, and third-party players.

  • Firmware update from 4.5.0 directly to 4.7.0 breaks network name resolution after the first update step, effectively disconnecting players from any network services in most cases, and the second update step can never be completed (unless done from a USB stick); updates from firmware 4.5.1 or later to 4.7.0 are not affected. A workaround is now included that makes updating from 4.5.0 directly to 4.7.1 or later possible. A workaround was also put in place in SpinetiX's firmware update server on 2021-05-18 so that players with firmware 4.5.0 are first updated to 4.5.2 and only after that is 4.7.0 proposed for updates.
  • Firmware update from a 4.5.0 beta version (4.5.0-0.7, 4.5.0-0.8 or 4.5.0-0.9) directly to 4.7.0 failed due to unsatisfied dependencies; this did not affect the 4.5.0 release version (4.5.0-1.0) nor any later firmware versions.
  • Changing the screen rotation configuration could make regular text become italics and vice-versa. Regression introduced in 4.7.0.
  • Activation of a TPM bound license could fail due to a race condition with TPM bound license verification in other components.
  • HTML rendering engine:
    • Solved bad quality and garbled audio when using WebRTC on HMP400 and other devices with similar CPU power; webcams with integrated echo canceling are required for good audio quality.
    • Web pages that open new tabs following user interaction now navigate to the location of the new tab.
    • Detection of installed external apps to handle custom URL schemes used in HTML pages did not work as expected and left a blank page.
    • When attempting to navigate to non-http URLs (e.g., mailto) the HTML layer would become blank; such navigation requests are now ignored and only navigation within the http URL scheme is allowed.
    • The player can crash if the web page in an HTML layer closes itself via JavaScript.
    • If the HTML engine rendering process crashed, it was not automatically restarted.
    • When the HTML engine's GPU rendering process restarted it would fall back to software rendering, decreasing rendering performance.
    • Mixing multi-touch interfaces in HTML layers with input elements in SVG layers would not work correctly.
    • The logs from the HTML rendering engine (CEF) were not included in the report.
  • Streaming:
    • RTMP streaming would not start if it was the only stream-out protocol enabled.
    • The video output could stutter when stream-out was enabled.


Applies to HMP350, HMP300, and DiVA.

  • The player would hang during boot if a custom video mode had width larger than 1920 or height larger than 2047, which is not supported by the hardware; such custom video modes are now refused.
  • Some custom video modes with widths not multiple of 8 would fail due to a rounding error.
  • The surfaces behind opaque videos could be painted even though they are not visible, resulting in a slightly reduced rendering performance.
  • A surround sound option was shown in Control Center, when there is no support for surround sound or multi-channel audio in these players.


Applies to third-party players.

  • The name of the main storage device was incorrectly identified when firmware was newly installed from pkg file (regression introduced in 4.7.0-1.0.1-47e24bd6).

Security

  • Solved improper RPC user privilege verification; fixes CVE-2021-32034 and CVE-2021-32035.
  • Strict mode for PHP session cookies was not enabled, which made Control Center vulnerable to session fixation attacks (referenced as CWE-384); fixes CVE-2021-33817.
  • Control Center did not correctly escape command arguments in some cases, which could potentially have been exploited by malicious configuration files or RPC calls, although no attack vectors are currently known.
  • The directory where the API security keys are stored had overly wide permissions; they have been narrowed to the strict minimum.

Updated kernel from version 5.4.90 to 5.4.106 to fix the following security issues:

  • These could potentially affect the firmware: CVE-2021-3347, CVE-2021-3444 and CVE-2021-30002
  • These do not affect the firmware: CVE-2021-3178, CVE-2021-3348, CVE-2021-26930, CVE-2021-26931, CVE-2021-26932, CVE-2020-25639, CVE-2021-27365, CVE-2021-27364, CVE-2021-27363, CVE-2021-28038, CVE-2021-28375, CVE-2021-33033, CVE-2021-29265, CVE-2021-28660

Updated core libraries and components, the main changes are as follows:

  • Updated linux-firmware from version 20201218 to 20210208.
  • Updated Intel microcode from version 20201118 to 20210216, fixing CVE-2020-8698 and CVE-2020-8696 which do not affect HMP400 nor HMP400W hardware but may affect some third party players.
  • curl: fixes for CVE-2020-8231, CVE-2020-8286, CVE-2021-22876 and CVE-2021-22890 which affected the firmware and CVE-2020-8284 and CVE-2020-8285, which did not affect the firmware.
  • glibc: fixes for CVE-2020-29573, CVE-2019-25013, CVE-2021-3326, CVE-2020-27618 and CVE-2020-29562 which affected the firmware and CVE-2021-27645 which did not affect the firmware.
  • ca-certificates: update from version 20190110 to 20210119.
  • p11-kit: update from version 0.23.20 to 0.23.22; fixes CVE-2020-29361, CVE-2020-29362 and CVE-2020-29363, none of which affected the firmware.
  • openssl: update from version 1.1.1i to 1.1.1k; fixes CVE-2021-3450, CVE-2021-3449, CVE-2021-23841 and CVE-2021-23840, which affected the firmware.
  • bind: fix for CVE-2020-8625, which does not affect the firmware.
  • wpa-supplicant: fixes for CVE-2021-0326, CVE-2021-27803 and CVE-2021-30004, none of which affected the firmware.
  • giflib: fix for CVE-2019-15133, which affected the firmware.
  • hostapd: fixes for CVE-2019-5061, CVE-2021-0326, CVE-2021-27803 and CVE-2021-30004, which affected the firmware.

Developer

  • The firmware updater now includes an X-spinetix-firmware header in all its HTTP requests, with the version of the running firmware as the value.
  • The embedded web server has a new /getconfig HTTP endpoint that returns the complete configuration backup like Control Center's "Get Config" button.
  • RPC API
    • Calls that modify the configuration or player state were previously accepted during a firmware update, potentially leading to an inconsistent configuration or state. Such calls now return a FirmwareUpdateInProgress exception while an update is ongoing and should be retried later; other RPC calls are not affected.
    • The firmware_update_status() command returns a new boolean property "applied_on_reboot", which is set to true when the update is actually applied during reboot, meaning the reboot can take much longer than usual. In addition, the "done" property is set to true once the reboot following a firmware update completes, to ease chaining of RPC calls with firmware updates.
  • jSignage API updated to version 1.6.1
    • Updated the log messages from checkCacheData and updateCacheData to improve expiration information.
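The RPC behaviour described above (FirmwareUpdateInProgress on state-changing calls, and the "applied_on_reboot" and "done" properties of firmware_update_status()) can be handled by a client as in the following added example, which is not SpinetiX code. Assumptions: the exception name appears in the JSON-RPC error object's "message" or "data" member, the `transport(method, params)` callable and the `example_set_option` method are hypothetical, and `FakePlayer` is a constructed stand-in for a device.

```python
import time


class RpcError(Exception):
    """A JSON-RPC error that is not worth retrying."""


def is_update_in_progress(error):
    # Assumption: the exception name from the release notes shows up in the
    # JSON-RPC error object's "message" or "data" member.
    text = "{} {}".format(error.get("message", ""), error.get("data", ""))
    return "FirmwareUpdateInProgress" in text


def call_with_retry(transport, method, params, attempts=5, delay=1.0,
                    sleep=time.sleep):
    """Call a state-changing RPC, backing off while a firmware update runs."""
    for attempt in range(attempts):
        reply = transport(method, params)
        error = reply.get("error")
        if error is None:
            return reply["result"]
        if not is_update_in_progress(error):
            raise RpcError(error)
        sleep(delay * 2 ** attempt)  # 1 s, 2 s, 4 s, ...
    raise TimeoutError("firmware update still in progress; gave up")


def wait_for_update(transport, poll=5.0, max_polls=120, sleep=time.sleep):
    """Poll firmware_update_status() until "done" is true.

    Returns True if "applied_on_reboot" was ever reported, i.e. the caller
    should have expected a long reboot rather than treating it as a failure.
    """
    long_reboot = False
    for _ in range(max_polls):
        try:
            reply = transport("firmware_update_status", [])
        except ConnectionError:
            sleep(poll)  # player is rebooting; keep polling
            continue
        if reply.get("error") is not None:
            raise RpcError(reply["error"])
        status = reply["result"]
        long_reboot = long_reboot or bool(status.get("applied_on_reboot"))
        if status.get("done"):
            return long_reboot
        sleep(poll)
    raise TimeoutError("firmware update did not complete")


class FakePlayer:
    """Constructed stand-in for a player; not real device behaviour.

    Calls 1-3 happen during an update (call 3 hits the reboot when it is a
    status poll); from call 4 on the update is finished.
    """

    def __init__(self):
        self.calls = 0
        self.config = {}

    def __call__(self, method, params):
        self.calls += 1
        updating = self.calls <= 3
        if method == "firmware_update_status":
            if self.calls == 3:
                raise ConnectionError("player is rebooting")
            return {"result": {"applied_on_reboot": updating,
                               "done": not updating}}
        if updating:
            return {"error": {"code": -32000,
                              "message": "FirmwareUpdateInProgress"}}
        if method != "example_set_option":  # hypothetical method name
            return {"error": {"code": -32601, "message": "Method not found"}}
        self.config.update(params)
        return {"result": True}


if __name__ == "__main__":
    player = FakePlayer()
    print(call_with_retry(player, "example_set_option", {"volume": 40},
                          sleep=lambda seconds: None))
```

Any error other than FirmwareUpdateInProgress is raised immediately, so a rejected or malformed call is not retried in a loop.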


Applies to HMP400, HMP400W, and third-party players.

  • When the user clicks on an editable field on a webpage, a virtualKeyboardRequest event is generated in the parent SVG content so that a virtual keyboard widget can be shown.

Unresolved

  • The serial port is not working properly on HMP350 and HMP300; deployments using the COM port should wait until a fix is made available before updating.
  • The first access to Control Center on a DiVA, HMP300, or HMP350 after a reboot could take up to 20 seconds; subsequent accesses are not affected.

Release 4.7.0 build 2

Release name: "Grand Pilier d'Angle" 4.7.0 build 2. Release date: March 22, 2021.
Applies to HMP400, HMP400W, third-party players.
Firmware version number: 4.7.0-2.0.0-1e3ba268.

Fixes

  • The player could reboot during a firmware update, resulting in a corrupted firmware that required reinstallation via the recovery console (regression introduced in 4.7.0). This was highly likely if a restart was initiated while a firmware update was in progress; it could also occur when no restart was requested, but that was much less likely.
  • Static IPv4 address configurations did not work: the duplicate address detection was faulty and wrongly concluded that the same IP address was already in use on the network (regression introduced in 4.7.0).
  • Static IPv4 address configurations did not always detect when the IP address was already in use on the network.
  • The built-in analog audio output for HMP400/HMP400W was not functional. This regression was introduced in 4.7.0.

Unresolved

  • When using vertical CW screen orientation, regular SVG text is displayed formatted as italic. The vertical CCW orientation is not affected. This regression was introduced in 4.7.0.

Release 4.7.0

Release name: "Grand Pilier d'Angle" 4.7.0. Release date: March 11, 2021.
Applies to HMP400, HMP400W, third-party players.
Firmware version number: 4.7.0-1.0.1-47e24bd6.
Note:
A release for HMP350, HMP300 and DiVA is being worked on and will be available at a later time; in the interim, a 4.6.5 firmware is available for these models with all the applicable bug fixes of 4.7.0.

New

  • Support for multi-touch touchscreens, including multi-touch handling in HTML layers.
  • Streaming of the video output (requires a SYSTEMS license):
    • Supports IPTV mode (MPEG2-TS unicast or multicast, with or without RTP headers), with H.264 video and MPEG1 Layer 2, AAC or AC-3 audio.
    • Supports RTSP/RTP in unicast, multicast or TCP mode, with H.264 video and MPEG1 Layer 2, AAC, AC-3 or Opus audio.
    • RTSP basic authentication is supported but the RTSP server is not over TLS.
    • Supports RTMP/RTMPS upstream with H.264 video and AAC audio.
    • Supports WebRTC with WebSocket signaling (H.264 constrained baseline + Opus only), peer to peer mode with STUN only.
    • Simple configuration is done via Control Center, advanced configuration via the Configuration API.
    • Multicast support is still deemed experimental.
  • Support for Webcams (USB video class devices), including generic audio input devices, to support WebRTC and similar HTML APIs.
  • Support for the WebRTC API in HTML5.
  • Support for audio surround (5.1 and 7.1).
  • Support for web radio streaming using the ICY, HLS or DASH protocols.
  • Experimental support for adaptive video streaming with HLS and DASH.
  • Support for bitmap color OpenType / TrueType fonts. Also, the Noto Color Emoji, with support for Unicode 13.1, is now included in the firmware for color emoji support.

Improvements

  • Predefined video modes are now available for 4K low-refresh rates (24, 25 and 30 Hz) compatible with HDMI 1.3.
  • DisplayPort and DVI style display power management is now supported in addition to CEC.
  • Players now respond to network name queries via LLMNR (Link-Local Multicast Name Resolution) in addition to the already existing support for Bonjour (mDNS), easing integration with Windows systems. LLMNR support can be disabled via Control Center and Configuration API.
  • Added IPv6 support to UPnP / SSDP discovery.
  • Improved the firmware updater to handle very large firmware updates.
  • Add transportException property to JSON-RPC error responses generated by uploader.
  • Add a log entry when opening a web page resource.
  • Cache HTTP redirect answers.
  • Improve caching of video files from an HTTP server when the bitrate of the connection is less than the bitrate of the video.
  • Support for error resilient and SBR AAC audio.
  • Improved the performance of cursor rendering in jSignage UI plugin.
  • Add an error log entry when proxy password is incorrect for HTML5.
  • Make the Shared Variables JavaScript API and the JavaScript COM API available in HTML5 pages. These are disabled by default.
  • Support loading the Widevine DRM module, pending agreement to redistribute the module from Google.


Applies to third-party players

  • Added support for Intel Wi-Fi 6 802.11ax adapters AX101, AX200, AX201, 22560, Killer AX1650 i/s, Killer AX1650 x/w (Cyclone Peak and Harrison Peak).
  • Added support for new Intel Wi-Fi AC-9560 / AC-9462 / AC-9461 (Jefferson Peak) variants.

Changes

Fixes

  • Display power saving schedules could be mishandled at startup, leading to an incorrect display power save state at boot.
  • The snapshot shown in Control Center overflowed over other page elements with certain custom resolutions.
  • Custom splash screens were not working, attempting to set one would return an error.
  • MPEG-2 video with open GOP or MPEG-2 interlaced video would crash the player.
  • Simultaneous video playback could freeze the player.
  • MPEG-1 video was not decoded correctly.
  • Some content-related warnings were no longer in the player.log.
  • The SNMP daemon had a TCP listening socket open on port 199 (smux) although no smux connections are supported; smux support is now completely disabled to avoid this.
  • Notifications of the status of content update from ARYA could fail due to lack of credentials when the content update took long.
  • Actions triggered from the SpinetiX cloud (e.g., content updates) could be theoretically delayed by 60 seconds in exceptional circumstances.
  • Uploader did include the necessary access token in retry queries to the SpinetiX cloud RPC concentrator when the first access failed.
  • Uploader did not apply retry timeout with exponential backoff when there is a problem reaching the RPC concentrator.
  • Firmware updater was too aggressive in cleaning oversize logs and useful logs were being lost on firmware updates.
  • The report was missing display manager configuration.
  • Underline might not show in some conditions in text areas.
  • Minor fixes for iframe preview in browsers (removed borders and added configurable width and height)
  • Player may crash under some circumstances due to JavaScript garbage collection.
  • A minor memory leak occurred during video decoding with H.264 videos
  • Audio on some web video services shown in HTML layers (e.g., Zattoo) was distorted.

Security

Updated kernel from 4.19.127 to 5.4.90 to fix the following security issues:

  • These could potentially affect the firmware: CVE-2018-20669, CVE-2019-5489, CVE-2019-12378, CVE-2019-12379, CVE-2019-12380, CVE-2019-12381, CVE-2019-14615, CVE-2019-15222, CVE-2019-19037, CVE-2019-19072, CVE-2019-19073, CVE-2019-19074, CVE-2019-19078, CVE-2019-19252, CVE-2019-19447, CVE-2019-19462, CVE-2019-19602, CVE-2019-19767, CVE-2019-19768, CVE-2019-19769, CVE-2019-19770, CVE-2019-19947, CVE-2019-19965, CVE-2019-20636, CVE-2019-20812, CVE-2019-20908, CVE-2020-0305, CVE-2020-0427, CVE-2020-0431, CVE-2020-0465, CVE-2020-0466, CVE-2020-0543, CVE-2020-7053, CVE-2020-8428, CVE-2020-8647, CVE-2020-8648, CVE-2020-8649, CVE-2020-8694, CVE-2020-8992, CVE-2020-10690, CVE-2020-10732, CVE-2020-10766, CVE-2020-10767, CVE-2020-10768, CVE-2020-11565, CVE-2020-12351, CVE-2020-12352, CVE-2020-12464, CVE-2020-12768, CVE-2020-12826, CVE-2020-13974, CVE-2020-14314, CVE-2020-14331, CVE-2020-14351, CVE-2020-14356, CVE-2020-14381, CVE-2020-14386, CVE-2020-14390, CVE-2020-14416, CVE-2020-15436, CVE-2020-15437, CVE-2020-16166, CVE-2020-24490, CVE-2020-25285, CVE-2020-25641, CVE-2020-25656, CVE-2020-25668, CVE-2020-25704, CVE-2020-25705, CVE-2020-27068, CVE-2020-27786, CVE-2020-28588, CVE-2020-28915, CVE-2020-28974, CVE-2020-29369, CVE-2020-29370, CVE-2020-29374, CVE-2020-29660, CVE-2020-29661, CVE-2020-35508, CVE-2021-20239
  • These do not affect the firmware: CVE-2019-2181, CVE-2019-3016, CVE-2019-3874, CVE-2019-10220, CVE-2019-11191, CVE-2019-12455, CVE-2019-14895, CVE-2019-14896, CVE-2019-14897, CVE-2019-14901, CVE-2019-15291, CVE-2019-16229, CVE-2019-16230, CVE-2019-16232, CVE-2019-18660, CVE-2019-18683, CVE-2019-18786, CVE-2019-18808, CVE-2019-18809, CVE-2019-18814, CVE-2019-18885, CVE-2019-19036, CVE-2019-19039, CVE-2019-19043, CVE-2019-19046, CVE-2019-19050, CVE-2019-19053, CVE-2019-19054, CVE-2019-19056, CVE-2019-19057, CVE-2019-19061, CVE-2019-19062, CVE-2019-19063, CVE-2019-19064, CVE-2019-19066, CVE-2019-19067, CVE-2019-19068, CVE-2019-19070, CVE-2019-19071, CVE-2019-19082, CVE-2019-19332, CVE-2019-19338, CVE-2019-19377, CVE-2019-19448, CVE-2019-20810, CVE-2019-19813, CVE-2019-19815, CVE-2019-19816, CVE-2019-20810, CVE-2020-0009, CVE-2020-0041, CVE-2020-0067, CVE-2020-0110, CVE-2020-0543, CVE-2020-0404, CVE-2020-0423, CVE-2020-0432, CVE-2020-0444, CVE-2020-1749, CVE-2020-2732, CVE-2020-4788, CVE-2020-9383, CVE-2020-9391, CVE-2020-10711, CVE-2020-10751, CVE-2020-10757, CVE-2020-10781, CVE-2020-10942, CVE-2020-11494, CVE-2020-11608, CVE-2020-11609, CVE-2020-11668, CVE-2020-11884, CVE-2020-12465, CVE-2020-12652, CVE-2020-12653, CVE-2020-12654, CVE-2020-12655, CVE-2020-12656, CVE-2020-12657, CVE-2020-12659, CVE-2020-12769, CVE-2020-12770, CVE-2020-12771, CVE-2020-12888, CVE-2020-13143, CVE-2020-14385, CVE-2020-15393, CVE-2020-15780, CVE-2020-24394, CVE-2020-25211, CVE-2020-25212, CVE-2020-25284, CVE-2020-25643, CVE-2020-25645, CVE-2020-25669, CVE-2020-26088, CVE-2020-27673, CVE-2020-27675, CVE-2020-27777, CVE-2020-27815, CVE-2020-27830, CVE-2020-28374, CVE-2020-28941, CVE-2020-29368, CVE-2020-29371, CVE-2020-29568, CVE-2020-29569, CVE-2020-36158, CVE-2021-0342, CVE-2021-0448

Updated core libraries and components; the main changes are as follows:

  • PHP updated from 5.6.38 to 7.4.4; fixes CVE-2018-19395, CVE-2018-19396, CVE-2018-19935, CVE-2019-6977, CVE-2019-9020, CVE-2019-9021, CVE-2019-9023, CVE-2019-9024, CVE-2019-9637, CVE-2019-9638, CVE-2019-9639, CVE-2019-9641, CVE-2020-11579.
  • Updated base Linux distribution to OE-Core / Yocto 3.1 (dunfell).
    • Apache HTTPd updated from 2.4.41 to 2.4.46; fixes CVE-2020-1927, which affected the firmware, and CVE-2020-1934, CVE-2020-11993, CVE-2020-11984 and CVE-2020-9490, none of which affected the firmware.
    • libcurl updated from 7.61.0 to 7.69.1 plus backported patches; fixes CVE-2020-8177, CVE-2019-5481, CVE-2019-5482, CVE-2019-5443, CVE-2019-5436, CVE-2018-16890, CVE-2019-3822, CVE-2019-3823, CVE-2018-16842, CVE-2018-16840, CVE-2018-16839, CVE-2018-14618
    • dhcp-client from 4.4.1 to 4.4.2
    • glibc updated from 2.28 to 2.31 plus backported patches; fixes CVE-2018-19591, CVE-2019-6488, CVE-2016-10739, CVE-2019-7309, CVE-2018-20796, CVE-2019-9169, CVE-2019-9192, CVE-2019-19126, CVE-2020-1751, CVE-2016-10739, CVE-2020-29562, CVE-2020-10029, CVE-2020-6096, CVE-2020-1752
    • iNet wireless daemon (iwd) from 1.7 to 1.9; fixes CVE-2020-17497
    • OpenSSL updated from 1.1.1b to 1.1.1i; fixes CVE-2020-1971, CVE-2020-1967, CVE-2019-1551, CVE-2019-1563, CVE-2019-1549, CVE-2019-1547, CVE-2019-1552, CVE-2019-1543
    • Mesa 3D updated from 19.0.8 to 20.0.2
    • expat updated from 2.2.6 to 2.2.9; fixes CVE-2018-20843, CVE-2019-15903
    • FreeType updated from 2.9.1 to 2.10.1 plus backported patches; fixes CVE-2020-15999
    • GnuTLS updated from 3.6.4 to 3.6.14 plus backported patches; fixes CVE-2018-10844, CVE-2018-10845, CVE-2018-10846, CVE-2018-16868, CVE-2019-3829, CVE-2019-3836, CVE-2020-11501, CVE-2020-13777, CVE-2020-24659
    • SQLite from 3.23.1 to 3.31.1; fixes CVE-2018-20346, CVE-2018-20505, CVE-2018-20506, CVE-2019-8457, CVE-2019-16168, CVE-2019-19645, CVE-2019-19646, CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13632, CVE-2020-15358, CVE-2020-9327, CVE-2019-19242
    • libtasn1 updated from 4.13 to 4.16.0; fixes CVE-2018-1000654
    • libxml2 updated from 2.9.8 to 2.9.10; fixes CVE-2019-19956, the other vulnerabilities CVE-2018-14567, CVE-2018-14404, CVE-2018-9251 were already fixed with backports.
    • nettle updated from 3.4 to 3.5.1; fixes CVE-2018-16869.
    • NSS updated from 3.39 to 3.51.1; fixes CVE-2018-12404, CVE-2019-17006, CVE-2019-17007
    • NTP updated from 4.2.8p13 to 4.2.8p15; fixes CVE-2020-15025, CVE-2020-13817, CVE-2018-8956, CVE-2020-11868.
    • OpenSSH updated from 7.8p1 to 8.2p1; fixes CVE-2018-15919, CVE-2018-20685, CVE-2019-6109, CVE-2019-6110, CVE-2019-6111, CVE-2019-16905.
    • Pango updated from 1.42.4 to 1.44.7; the vulnerability CVE-2019-1010238 was already fixed with backports.
    • libjpeg-turbo updated from 2.0.0 to 2.0.4 plus backported patches; fixes CVE-2018-19664, CVE-2018-20330, CVE-2018-20330, CVE-2019-13960, CVE-2020-13790
    • HarfBuzz updated from 1.8.8 to 2.6.4
    • Intel microcode updated from 20190514a to 20201118; updated mitigations for processor vulnerabilities CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091, CVE-2019-11135, CVE-2020-0548, CVE-2020-0549, CVE-2020-8694, CVE-2020-8695, CVE-2020-8698, CVE-2020-8696
    • Intel Media Driver updated from 19.2.1 to 20.1.1
    • Intel vaapi driver updated from 2.2.0 to 2.4.0
    • timezone database (tzdata) updated from 2019a to 2020f.
    • linux-firmware updated from 20190213 to 20201218.
  • Updated libmosquitto from 1.4.15 to 1.6.10
  • FFmpeg from 4.0.2 to 4.2.4; fixes CVE-2018-12458, CVE-2018-12459, CVE-2018-12460, CVE-2018-13300, CVE-2018-13301, CVE-2018-13302, CVE-2018-13303, CVE-2018-13304, CVE-2018-13305, CVE-2018-14394, CVE-2018-14395, CVE-2018-15822, CVE-2018-1999010, CVE-2018-1999011, CVE-2018-1999012, CVE-2018-1999013, CVE-2018-1999014, CVE-2018-1999015, CVE-2020-13904, CVE-2019-12730, CVE-2019-13390, CVE-2019-17539, CVE-2019-17542, CVE-2019-9718, CVE-2019-9721, CVE-2019-11339, CVE-2018-15822, CVE-2019-1000016, CVE-2019-9718, CVE-2019-9721, CVE-2019-11339, CVE-2019-11338, CVE-2019-12730, CVE-2019-13390, CVE-2019-17539, CVE-2019-17542, CVE-2020-12284, CVE-2020-13904, CVE-2019-9718, CVE-2019-9721, CVE-2019-11338, CVE-2019-11339, CVE-2019-12730, CVE-2019-17539, CVE-2019-17542, CVE-2019-1000016, CVE-2019-13390, CVE-2019-15942, CVE-2019-13312, CVE-2020-12284, CVE-2020-13904.

More security fixes:

  • Control Center sessions are now limited to 1 hour to improve security.
  • Hardened parsing of XML in components (spxiot, spxenroll, spxdispmanager, updater) to avoid all possibility of XEE attacks.
  • Added mitigation for UPnP protocol vulnerability CVE-2020-12695 (CallStranger).

Unresolved

  • Setting a static IP configuration fails and the player picks an IP from 169.254.*.* range. Regression introduced in 4.7.0.
  • There is a potential issue with firmware update that in some circumstances may result in a corrupted firmware.

Release 4.6.4 build 2

Release name: "Punta Giordani" 4.6.4 build 2. Release date: January 11, 2021.
Firmware version numbers:

Fixes

  • The default content contained a time-limited license expiring on 2021-07-31; the player would thus display a black screen when booted in factory defaults after this date.

Release 4.6.4

Release name: "Punta Giordani" 4.6.4. Release date: December 18, 2020.
Firmware version numbers:

Fixes

  • A problem with garbage collection of JavaScript objects could sometimes crash the player; this was more likely to occur with content that uses JavaScript heavily and the QR code generator.
  • MPEG-2, MPEG-4 ASP and VC1 videos at 60 fps could freeze while playing.


Applies to HMP400 and HMP400W.

  • Revocation of a DSOS license resulted in the revoked license being reinstalled from the copy in the persistent data store; this created no functional issue, as the license is invalid anyway and thus ignored, but it was confusing.


Applies to HMP400, HMP400W, and third-party players.

  • Some content combinations (video plus an animated widget on a solid background plus a fade transition on the entire layout) caused rendering errors.

Release 4.6.3

Release name: "Punta Giordani" 4.6.3. Release date: December 7, 2020.
Firmware version numbers:

Improvements

  • In Control Center > Advanced Applications, the "Webstorage API" and "RPC Security" sections have been merged into a single section named "APIs Security" to better convey their current use. Also, the "Enable RPC request using AJAX (CORS)" option has been renamed to "Enable CORS requests".


Applies to HMP400 and HMP400W.

Fixes

  • The firmware updater would not retry downloading update packages when the source server indicated a temporary failure (e.g., an HTTP 503 service unavailable status), erroring out the firmware update request; it now retries several times after a delay.
  • The firmware updater incorrectly included the device serial number in the user agent header of its HTTP requests; it now uses the same dedicated header as other firmware components.
  • In some cases an HTTP request that received a redirect response could fail to follow the redirect.
  • Synthesized italic / oblique text was not slanted; regression introduced in 4.5.0.


Applies to HMP400, HMP400W, and third-party players.


Applies to HMP350, HMP300, and DiVA.

  • The Certificate Signing Request (CSR) sent by the player to enroll to the SpinetiX cloud had an incorrect DER encoding for the version number, which beginning December 2020 is no longer accepted by the cloud infrastructure (an "Invalid CSR format" error is returned); as a result new HMP350, HMP300 and DiVA players could not be registered in ARYA. The correct encoding is now used and new players of these models can be registered in ARYA again.

Security

  • The embedded web server did not protect against abuse of the Proxy header in requests (i.e., httpoxy vulnerabilities), although no vector of exploit is known.
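The httpoxy class of issue mentioned above comes from the CGI convention of exposing request headers as `HTTP_*` variables, so a client-supplied `Proxy` header lands in `HTTP_PROXY`. The following added example (not SpinetiX code; the page does not describe how the firmware implements its protection) shows that mapping, a lookup that trusts it, and two defensive forms. All header values, host names and the function names are constructed for illustration.

```python
# Constructed sample request. "Proxy" is not a standard request header.
SAMPLE_HEADERS = [
    ("Host", "player.example"),
    ("User-Agent", "example-client/1.0"),
    ("pRoXy", "http://192.0.2.10:8080"),   # header names are case-insensitive
]

# Constructed server-side environment; http_proxy (lowercase) is the value an
# administrator configured for outbound requests.
SERVER_ENV = {
    "REQUEST_METHOD": "GET",
    "http_proxy": "http://proxy.internal.example:3128",
}


def cgi_environ(headers, server_env, strip_proxy=False):
    """Map request headers to CGI variables the way RFC 3875 describes:
    'Some-Header' becomes 'HTTP_SOME_HEADER'. With strip_proxy=True the
    Proxy header is dropped before it can become HTTP_PROXY."""
    env = dict(server_env)
    for name, value in headers:
        key = "HTTP_" + name.upper().replace("-", "_")
        if strip_proxy and key == "HTTP_PROXY":
            continue
        env[key] = value
    return env


def naive_proxy_lookup(env):
    """What a proxy-aware HTTP client does when it trusts HTTP_PROXY."""
    return env.get("HTTP_PROXY") or env.get("http_proxy")


def hardened_proxy_lookup(env):
    """Ignore the uppercase variable in a CGI context (REQUEST_METHOD set),
    because there it may come from the client rather than the admin."""
    if "REQUEST_METHOD" in env:
        return env.get("http_proxy")
    return naive_proxy_lookup(env)


def requests_with_proxy_header(requests):
    """Detection helper: return indexes of requests carrying a Proxy header."""
    return [i for i, headers in enumerate(requests)
            if any(name.lower() == "proxy" for name, _ in headers)]


if __name__ == "__main__":
    unfiltered = cgi_environ(SAMPLE_HEADERS, SERVER_ENV)
    filtered = cgi_environ(SAMPLE_HEADERS, SERVER_ENV, strip_proxy=True)
    print("naive, unfiltered:   ", naive_proxy_lookup(unfiltered))
    print("hardened, unfiltered:", hardened_proxy_lookup(unfiltered))
    print("naive, filtered:     ", naive_proxy_lookup(filtered))
```

Dropping the header at the web server protects every backend at once; the hardened lookup is the second layer for code that may run behind a server that does not filter.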

Developer

  • The jSignage applyFormatDateNumber function would crash if called with null.

Release 4.6.2

Release name: "Punta Giordani" 4.6.2. Release date: November 12, 2020.
Firmware version numbers:

Improvements

Applies to HMP400 and HMP400W.

  • Added support for analog audio output (using the SpinetiX USB-C analog audio cable SX-HW-UCAUD). This appears as "Built-in Audio Analog Output" in Control Center.


Applies to HMP400, HMP400W, and third-party players.

Fixes

  • Players could enter a reboot loop in some rare cases with very unstable networks due to timeouts on the ntp daemon handling logic.
  • In some rare cases the QR code generation in jSignage could fail with an exception.


Applies to HMP400 and HMP400W.

  • HDMI 2.0 displays could show no image if the HMP was rebooted while the display had no power.
  • Communication errors with eMMC could generate I/O errors on the internal storage marking some filesystems as corrupted and cause unexpected reboots; the problem has been fixed and devices with filesystems marked as corrupted are automatically repaired after a firmware update.
  • Removed the bogus error message about missing /usr/share/raperca/recipes.json.
  • Removed the focus frame rendered around HTML layers.
  • Use of images in HTML could result in inconsistent image caching.


Applies to HMP400, HMP400W, and third-party players.

Release 4.6.1

Release name: "Punta Giordani" 4.6.1. Release date: October 5, 2020.
Firmware version numbers:

Improvements


Applies to HMP400 and HMP400W.


Applies to third-party players.

Fixes

  • Players could fail to be enrolled in the SpinetiX cloud in some regions of the world due to an incompatibility with TLS 1.3 in the enrollment process. The incompatibility has been fixed in the firmware and the enrollment endpoints in the cloud have been limited to TLS 1.2 until incompatible firmware versions are phased out.
  • The firmware updater failed to pull new packages into install set when the dependency was a file path, which prevented new firmware updates from being applied.
  • The player would crash when the audio output is enabled, along with "Enable display power management" and "Disable audio when screen is turned off" options.
  • Some types of streaming would log errors when audio was on mute.
  • The Pull Mode agent (uploader) could crash with servers that incorrectly returned a 206 HTTP status code for non-range requests.
  • Control Center would show an incorrect serial number in the certificate list due to a wrong decoding procedure; the correct serial number was shown in the certificate details.
  • Some name length validations done by Control Center were ineffective.
  • The player.log could incorrectly report usage peaks of 100%.
  • Calendar widgets may not show data from Google Calendar.
  • Column stacked graphs could fail to render correctly due to an incorrect automatic min / max calculation.
  • Parsing of udp and rtp pseudo-urls for unicast streams was broken.
  • The meanings of the spx:audioDelay and spx:buffering attributes were inverted: setting one actually set the other. Regression introduced in 4.5.0 release.


Applies to HMP400, HMP400W, and third-party players.

  • Rendering latency changes due to interactivity could cause distorted audio.
  • The periodical logging of CPU package temperature was not enabled.
  • A crash could occur with some types of content due to a shader compilation failure.


Applies to HMP400 and HMP400W.

  • Secure Shared Variable Network API was not working.
  • The Web Storage REST API was not returning the value of variables.
  • User added trusted certificates were not taken into account in Web page layers as the HTML engine did not use the same list of trusted root certificates.
  • The option to ignore certificate validation errors did not apply to HTML content.
  • Rendering of web content could freeze after several days.
  • Some types of HTML content caused an important memory leak.
  • Scan and maintenance operations on the internal storage (eMMC) were not enabled.


Applies to HMP400W and third-party players.

  • During Wi-Fi setup, the configuration QR code and AP information would be shown twice when the power/blue button was pressed.

Developer

The following JavaScript libraries have been updated:

Added PURGE method to Web Storage REST API.

Release 4.6.0

Release name: "Punta Giordani" 4.6.0. Release date: August 6, 2020.
Firmware version numbers:

New

Applies to HMP400 and HMP400W.

  • Support for HDMI CEC.
    • This can be used on the HDMI output or on the DisplayPort Alt-mode output with a DP to HDMI adapter cable supporting the DP 1.3 "CEC tunneling over AUX" protocol.
    • HMP Control Center will show a warning message when the selected video output does not support CEC
    • The display power management can be enabled from Control Center > Display & Audio page.
    • Note that some players from the first production batches could lack the hardware support for CEC - this information can be found in Control Center.
  • Support for rendering PDF files.


Applies to HMP400W and third-party players.

  • Wi-Fi connections can now be easily configured from a smartphone, tablet or computer without any other network connection, nor USB stick, by connecting directly to the player over the air. See Wi-Fi setup page for more details.

Improvements

Applies to HMP400 and HMP400W.

  • HTML rendering engine:
    • Performance was improved by adding texture sharing.
    • Added support for using the proxy configuration.
    • Updated to Chromium 79.
  • The DSOS license status (license type, missing license, or expired license) is shown on Control Center home page and on the OSD that appears when the blue button is pressed.
    • The configuration backup file now includes an indication of the DSOS license active at the time the backup file is generated. This allows displaying a clean error to the user if he tries to restore a configuration backup containing features not supported by the DSOS license currently activated on the player.


Applies to HMP400, HMP400W, and third-party players.

  • The audio connectors' names shown in Control Center are hardware-dependent.
  • The embedded web server now supports TLS 1.3.
  • The IP addresses and other information are shown only for the active interface on the OSD that appears when the blue button is pressed.
  • The welcome splash screen shows a specific error message when the device is not enrolled in SpinetiX cloud services, aiding in diagnosis.
  • Support for new image codecs (webp, dng).
  • Support for hardware motion-adaptive deinterlacing with past and/or future references.
  • Updated timezone database from version 2018i to 2019a; it affects Palestine and Metlakatla.

Fixed

  • Daily power saving schedule feature.
  • Players would stop communicating with ARYA until next reboot when reconfigured.
  • Interlaced videos could show green frames.
  • URLs with empty components in path (i.e., doubled slash) were not interpreted correctly.
  • Minor changes within the player report.


Applies to HMP400, HMP400W, and third-party players.

  • The dropdown listing the time zones in Control Center is empty. This is a regression introduced in 4.5.3 release.


Applies to third-party players.

  • Incorrect serial number shown on the OSD that appears when the power button is pressed.

Security

Applies to HMP400, HMP400W, and third-party players.

Updated Linux kernel from 4.19.80 to 4.19.127 to fix security issues.

  • These could potentially affect the firmware: CVE-2019-17133, CVE-2019-19532, CVE-2019-18282, CVE-2019-0155, CVE-2019-0154, CVE-2019-19922, CVE-2019-11135, CVE-2019-19767, CVE-2019-19252, CVE-2019-19447, CVE-2019-20812, CVE-2020-0305, CVE-2019-20636, CVE-2019-14615, CVE-2019-19059, CVE-2019-19058, CVE-2019-5108, CVE-2020-8428, CVE-2019-16234, CVE-2020-8647, CVE-2020-8649, CVE-2020-8648, CVE-2020-11565, CVE-2020-12826, CVE-2019-19768, CVE-2020-12464, CVE-2020-10732, CVE-2019-19462
  • These do not affect the firmware: CVE-2019-19075, CVE-2019-17075, CVE-2019-19060, CVE-2019-19065, CVE-2019-17666, CVE-2019-15098, CVE-2019-19048, CVE-2020-10773, CVE-2019-19526, CVE-2019-16233, CVE-2019-19049, CVE-2019-19045, CVE-2019-19052, CVE-2019-18813, CVE-2019-19529, CVE-2018-12207, CVE-2019-16231, CVE-2019-19534, CVE-2019-19524, CVE-2019-18660, CVE-2019-15291, CVE-2019-18683, CVE-2019-12614, CVE-2019-19062, CVE-2019-19227, CVE-2019-19071, CVE-2019-19079, CVE-2019-19332, CVE-2019-18786, CVE-2019-19057, CVE-2019-19063, CVE-2019-19947, CVE-2019-16230, CVE-2019-16232, CVE-2019-16229, CVE-2020-10690, CVE-2019-18809, CVE-2019-19965, CVE-2019-14901, CVE-2019-14895, CVE-2019-19066, CVE-2019-19068, CVE-2019-19056, CVE-2019-9445, CVE-2019-20096, CVE-2019-15217, CVE-2019-19077, CVE-2020-12652, CVE-2019-19046, CVE-2019-20806, CVE-2019-14896, CVE-2019-14897, CVE-2020-14416, CVE-2020-12769, CVE-2019-3016, CVE-2020-12653, CVE-2020-12654, CVE-2020-9383, CVE-2020-2732, CVE-2020-0009, CVE-2020-10942, CVE-2020-12465, CVE-2020-11608, CVE-2020-11609, CVE-2020-11668, CVE-2020-11494, CVE-2020-12657, CVE-2020-11669, CVE-2020-12659, CVE-2020-1749, CVE-2020-0067, CVE-2020-11884, CVE-2020-10751, CVE-2020-13143, CVE-2020-10711, CVE-2020-12770, CVE-2020-12768, CVE-2019-18814, CVE-2020-10757

More security fixes:

  • openssl: CVE-2019-1543
  • bluez5: CVE-2018-10910
  • libsndfile1: changed fix for CVE-2017-14245 and CVE-2017-14246, fixed CVE-2017-12562, CVE-2018-19758, CVE-2019-3832
  • glibc: CVE-2019-9169, CVE-2016-10739, CVE-2018-19591, CVE-2019-6488, CVE-2019-7309; fix for incomplete CVE-2016-10739
  • elfutils: CVE-2019-7146, CVE-2019-7149, CVE-2019-7150, CVE-2019-7664, CVE-2019-7665
  • busybox: CVE-2018-20679, CVE-2019-5747
  • sqlite3: CVE-2018-20505, CVE-2018-20506, CVE-2019-8457
  • cairo: CVE-2018-19876, CVE-2019-6461, CVE-2019-6462
  • tar: CVE-2019-0023, CVE-2018-20482
  • glib2: CVE-2019-12450, CVE-2019-9633, CVE-2019-13012
  • curl: CVE-2019-5435, CVE-2019-5436, CVE-2018-16890, CVE-2019-3822, CVE-2019-3823, CVE-2019-5482
  • bzip2: CVE-2019-12900
  • expat: CVE-2018-20843
  • dbus: CVE-2019-12749
  • gcc: CVE-2019-14250
  • bind libraries: updated from 9.11.4 to 9.11.5-P4, CVE-2018-5738, CVE-2018-5744, CVE-2018-5745, CVE-2019-6465
  • pango: CVE-2019-1010238
  • gnutls: CVE-2019-3829 and CVE-2019-3836
  • libgcrypt: CVE-2019-12904
  • apache httpd: update from 2.4.34 to 2.4.41, fixes CVE-2018-17189, CVE-2018-17199, CVE-2019-0190, CVE-2019-0220, CVE-2019-0196, CVE-2019-0197, CVE-2019-0215, CVE-2019-0217, CVE-2019-0211, CVE-2019-10081, CVE-2019-9517, CVE-2019-10098, CVE-2019-10092, CVE-2019-10097, CVE-2019-10082


Applies to HMP350, HMP300, and DiVA.

  • The fix for CVE-2020-15809 in 4.5.3 was incomplete: URI validation in the rssProxy.php missed a few possible cases.

Developer

Applies to HMP400, HMP400W, and third-party players.

  • RPC API - new commands for Wi-Fi: wifi_scan, wifi_connect, wifi_disconnect, and wifi_get_info.
  • JavaScript - extended the deviceInfo global object with two new methods, mostly relevant for Wi-Fi: .getMainNetworkInterface() and .getActiveNetworkInterface().

Unresolved

Release 4.5.3

Release name: "Matterhorn" 4.5.3. Release date: July 20, 2020.
Firmware version numbers:

Improvements

  • CORS requests are now allowed for endpoints other than RPC, provided the RPC API key is used.
  • Changed the display message when the player license expires or is missing, now a black screen is shown instead of the "no valid license" floating text.

Fixed

  • The content server was not disabled when a player was added to ARYA, leading to confusing errors in Elementi if a publish was attempted.
  • Importing X.509 server certificates with unknown extensions would make the network page display an error and be unusable until the certificate was removed.
  • RTP (not MPEG2TS) streaming will stop after a few minutes.
  • AJAX POST requests would use chunked transfer encoding since firmware 4.5.0, but many simple devices do not support them, which broke communications; now chunked transfer encoding is not used in AJAX requests.
  • HTTP requests to a server whose name started with vN, N being an integer, would be modified to be within square brackets, breaking the request.


Applies to HMP400, HMP400W, and third-party players.

  • Video modes could be incorrectly programmed when the attached display did not return a valid EDID, due to an internal DisplayPort link rate being incorrectly programmed.
  • The hardware watchdog would not fire if the system hung during shutdown, as it got disabled when the software watchdog exited; now the hardware watchdog is never disabled.
  • The unused rssProxy.php, i18njs.php and timezones.php were incorrectly included in the firmware image, which increased the attack surface; they are no longer included.


Applies to HMP350, HMP300, and DiVA.

  • Visual stutter could occur with looping videos.
  • Player could hang after video playback.

Security

  • Fixed CVE-2020-15809: the spxmanage component would allow requests that access unintended resources because of SSRF and path traversal.

Unresolved

Release 4.5.2

Release name: "Matterhorn" 4.5.2. Release date: June 8, 2020.
Firmware version numbers:

Improvements

Applies to HMP400 and HMP400W.

  • The RTC is now calibrated for improved time accuracy while the player is powered off.

Fixed

Applies to all models.


Applies to HMP400, HMP400W, and third-party players.

  • Configurations deployed via USB sticks including a reboot directive could cause a reboot loop.
  • Recovery Console updated to version 2.8.1, fixing the player rebooting after a couple of minutes when a reset to factory defaults operation was pending.
  • On HMP400W, the local link IPv6 addresses in static DNS configurations would get the wrong interface identifier when Wi-Fi was the selected interface.

Developer

Release 4.5.1

Release name: "Matterhorn" 4.5.1. Release date: May 20, 2020.
Firmware version numbers:

New

Applies to HMP400, HMP400W, and third-party players.

  • Enabled Wi-Fi connections with support for personal (pre-shared key) and enterprise authentication, as well as open/unauthenticated networks. Wi-Fi is enabled from Control Center, and the configuration is done via a configuration backup file.
  • Configurations can now be deployed via USB sticks: inserting a USB stick with a configuration backup file on a not-yet-configured player will automatically apply the configuration. For security reasons, this feature is automatically disabled once the player has been fully configured.
  • Added support for 802.1x authentication on Ethernet; configuration is done via the configuration backup file.

Improvements

Applies to HMP400, HMP400W, and third-party players.


Applies to third-party players.

  • Names corresponding to the labels on the device are now shown in Control Center's video and audio output selectors.

Changes

Applies to HMP400 and HMP400W.

  • Licenses were incorrectly included in the configuration backup, which can invalidate a valid license received from the license server when restoring the configuration backup at a later time; licenses are no longer included in the configuration backup as they are distributed directly by the license server. Configuration backups saved from firmware 4.5.0 for units which had a license should be manually edited to remove the license before restoring.

Fixed

Applies to all models.

  • Streaming was not working properly with some sources.
  • An HTTP proxy on port 80 could not be used. This was a regression introduced in 4.5.0.
  • Some web services, like RSS feeds, behave differently when the referrer is about:blank; a full URL is now used to avoid problems.
  • Solved incompatibility with myDrive.ch file storage service.
  • Webp images could crash the player causing a reboot.
  • RPC responses to failed calls were not returned to the RPC concentrator (regression introduced in 4.5.0); in addition any HTTP level RPC call errors are also returned to the RPC concentrator.
  • The player could reboot during network state changes due to races in the restart of the NTP daemon.
  • Credentials to access resources on AWS could be renewed just after they expired, instead of a few minutes before, causing temporary problems with ARYA.
  • The license texts in Control Center's about page were not properly tagged as UTF-8 plain text and could display garbled.
  • EULA and third-party licenses updated to reflect current ones.


Applies to HMP400, HMP400W, and third-party players.

  • On full HD deinterlaced videos, the bottom of the 1088 coded lines was output instead of the top 1080.
  • The player was not restarted when the audio configuration changed, although a restart was required.
  • Network default routes installed by the DHCP client could conflict with existing default routes and not become effective; they are now replaced.
  • The NTP daemon no longer restarts on IP address changes as it is no longer necessary.
  • The report did not properly dump the TPM2 public data of persistent handles.

Developer

Applies to all players.


Applies to HMP400, HMP400W, and third-party players.

  • Configuration API new tags: wifi-dhcp, wifi-static, wifi-v6-none, wifi-v6-static, wifi-ap-add, and wifi-ap-reset.
  • RPC API - the get_info command has been extended to support Wi-Fi.
  • Status API - the info endpoint has been extended to support Wi-Fi.

Release 4.5.0

Release name: "Matterhorn" 4.5.0. Release date: April 20, 2020.
Firmware version numbers:

New

  • Added DSOS support for the new hardware models: HMP400/HMP400W and selected 3rd-party players.
  • Added support for the DSOS activation licenses; the player license information is displayed on the Control Center home page and included within the configuration backup.
  • New HTML5 rendering engine, based on Chromium 74, with support for hardware accelerated video decoding and WebGL. Applies only to players with DSOS Kiosk and DSOS Systems licenses.
  • New Pull Mode engine that supports faster downloads, end-to-end content integrity checking with SHA-256, and processing of RPC commands.
  • JPEG images are now automatically rotated and flipped according to EXIF data.
  • Added support for merging multiple calendars on the same view for Google Calendar and Outlook online.
  • Added support for underlined text.
  • HTTP traffic capturing can be enabled from Control Center or RPC, for improved diagnostics. The captures are also included in the player report. Credentials are masked in the captures.

Improvements

  • Added video and audio output selectors in Control Center and Configuration Wizard for players with multiple video/audio outputs.
  • Added support for Hyperlink and Picture columns in SharePoint lists.
  • Firmware updater now checks that the update source is compatible with the product's model before applying any updates.
  • Bonjour and SSDP announcements now include additional serial numbers for the benefit of the newly supported models.
  • JS locale files are now compressed, reducing the firmware size.
  • Updated some internal libraries:
    • ffmpeg to version 4.0.2 (was 3.4.5)
    • libical to version 2.0.0 (was 1.0.1)
    • Yii PHP framework to version 1.1.21 (was 1.1.17)

Changes

  • Removed support for Instagram widgets because Instagram has discontinued the Legacy API.
  • Session cookies now expire after 2 days (previously they never expired).

Fixed

  • Pull Mode with ICS executed after being disabled.
  • Cookies for public top level domains were incorrectly allowed in the Pull Mode daemon (uploader).
  • Crash when pressing the blue button while playing a project with asynchronous audio player event handlers.
  • Events widget - long event titles were not showing correctly.
  • JSignage Graph plugin: the axis grid was not shown in some cases because of missing min and max values.
  • Editing was broken if there was any text in an editable text area.
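
The public top level domain cookie fix listed above corresponds to the Domain attribute check of RFC 6265, section 5.3: a cookie scoped to a public suffix would be sent to every site under that suffix. The following Python code is an added example, not SpinetiX code; the function names and the small PUBLIC_SUFFIXES sample are assumptions made for illustration.

```python
import ipaddress
from typing import Optional, Tuple

# Constructed sample; a real client loads the full Public Suffix List
# (publicsuffix.org) rather than a hard-coded set.
PUBLIC_SUFFIXES = {"com", "ch", "uk", "co.uk"}


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def domain_match(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3: suffix matching applies to host names only."""
    if host == domain:
        return True
    return not _is_ip(host) and host.endswith("." + domain)


def effective_cookie_domain(request_host: str,
                            domain_attr: Optional[str]) -> Optional[Tuple[str, bool]]:
    """Return (domain, host_only) for an acceptable cookie, None to reject it."""
    host = request_host.lower().rstrip(".")
    domain = (domain_attr or "").lower().strip(".")
    if not domain:
        return host, True          # no usable Domain attribute: host-only cookie
    if domain in PUBLIC_SUFFIXES:
        # A cookie scoped to a public suffix would be sent to every site under
        # it. Only a host that *is* the suffix may keep it, as host-only.
        return (host, True) if host == domain else None
    if not domain_match(host, domain):
        return None                # a server cannot set cookies for a foreign domain
    return domain, False
```

Players are often addressed by IP address, which is why suffix matching is skipped for IP hosts: without that guard, a Domain value of "0.0.1" would match the host "10.0.0.1".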

Security

  • Enrollment to SpinetiX cloud services now uses the TPM to authenticate third-party devices.
  • Protected from XEE attacks in XML files.
  • The HTTPS protocol is now used for the ECB exchange rate data source.
  • CORS violations and other errors in HTML5 content are reported in the log.

Developer

  • Credentials can now be used on AJAX requests to the player from web pages not hosted on the player (i.e., the authorization headers are now allowed for CORS).
  • Uploader process logs more messages at trace level to diagnose replication issues in Pull Mode.
  • New tags for the Configuration API:
    • <video-output-selector> to select the video output connector on DSOS devices.
    • <pullmode-http-capture-log> to capture HTTP traffic for the uploader process.
    • <http-capture-log> to capture HTTP traffic for the player.
  • New options for the get_info RPC command:
    • videoConnectors: true to report the list of attached screens
    • audioConnectors: true to report the list of attached audio connectors
  • The JavaScript libraries have been updated.

See also

This page was last modified on 28 September 2022, at 13:28.