DSOS release notes
From SpinetiX Support Wiki
- 1 Introduction
- 2 Release 4.7.0 build 2
- 3 Release 4.7.0
- 4 Release 4.6.4 build 2
- 5 Release 4.6.4
- 6 Release 4.6.3
- 7 Release 4.6.2
- 8 Release 4.6.1
- 9 Release 4.6.0
- 10 Release 4.5.3
- 11 Release 4.5.2
- 12 Release 4.5.1
- 13 Release 4.5.0
- 14 See also
Native to the HMP400, DSOS also brings embedded system design to the entire Intel ecosystem, ideal for fanless architectures like Intel Goldmont, but scalable to i5, i7 or i9 when maximum performance matters.
Release 4.7.0 build 2
- The player could reboot during a firmware update, resulting in a corrupted firmware that required reinstallation via the recovery console (regression introduced in 4.7.0). The probability of this occurring was high if a restart was initiated while a firmware update was in progress; it could also occur if a restart was not requested, but that was much less likely.
- Static IPv4 address configurations did not work: the duplicate address detection was faulty and concluded that the same IP address was already in use on the network (regression introduced in 4.7.0).
- Static IPv4 address configurations did not always detect when the IP address was already in use on the network.
- The built-in analog audio output for HMP400/HMP400W was not functional (regression introduced in 4.7.0).
- Support for multi-touch touchscreens, including multi-touch handling in HTML layers.
- Streaming of the video output (requires a SYSTEMS license):
- Supports IPTV mode (MPEG2-TS unicast or multicast, with or without RTP headers), with H.264 video and MPEG1 Layer 2, AAC or AC-3 audio.
- Supports RTSP/RTP in unicast, multicast or TCP mode, with H.264 video and MPEG1 Layer 2, AAC, AC-3 or Opus audio.
- RTSP basic authentication is supported, but the RTSP server does not run over TLS, so the credentials are not protected by transport encryption.
- Supports RTMP/RTMPS upstream with H.264 video and AAC audio.
- Supports WebRTC with WebSocket signaling (H.264 constrained baseline + Opus only), peer to peer mode with STUN only.
- Simple configuration is done via Control Center, advanced configuration via the Configuration API.
- Multicast support is still deemed experimental.
- Support for Webcams (USB video class devices), including generic audio input devices, to support WebRTC and similar HTML APIs.
- Support for the WebRTC API in HTML5.
- Support for audio surround (5.1 and 7.1).
- Support for web radio streaming using the ICY, HLS or DASH protocols.
- Experimental support for adaptive video streaming with HLS and DASH.
- Support for bitmap color OpenType / TrueType fonts. Also, the Noto Color Emoji, with support for Unicode 13.1, is now included in the firmware for color emoji support.
- Predefined video modes are now available for 4K low-refresh rates (24, 25 and 30 Hz) compatible with HDMI 1.3.
- DisplayPort and DVI style display power management is now supported in addition to CEC.
- Players now respond to network name queries via LLMNR (Link-Local Multicast Name Resolution) in addition to the already existing support for Bonjour (mDNS), easing integration with Windows systems. LLMNR support can be disabled via Control Center and Configuration API.
- Added IPv6 support to UPnP / SSDP discovery.
- Improved the firmware updater to handle very large firmware updates.
- Add transportException property to JSON-RPC error responses generated by uploader.
- Add a log entry when opening a web page resource.
- Cache HTTP redirect answers.
- Improve caching of video files from an HTTP server when the bitrate of the connection is less than the bitrate of the video.
- Support for error resilient and SBR AAC audio.
- Improved the performance of cursor rendering in jSignage UI plugin.
- Add an error log entry when the proxy password is incorrect for HTML5.
- Support loading the Widevine DRM module, pending agreement to redistribute the module from Google.
Applies to third-party players
- Added support for Intel Wi-Fi 6 802.11ax adapters AX101, AX200, AX201, 22560, Killer AX1650 i/s, Killer AX1650 x/w (Cyclone Peak and Harrison Peak).
- Added support for new Intel Wi-Fi AC-9560 / AC-9462 / AC-9461 (Jefferson Peak) variants.
- The configuration options for NTP and stream/HTTP packet capture are now available in Control Center and via the Configuration API for all models, irrespective of DSOS licenses.
- Display power saving schedules could be mishandled at startup, leading to an incorrect display power save state at boot.
- The snapshot shown in Control Center overflowed over other page elements with certain custom resolutions.
- Custom splash screens were not working; attempting to set one would return an error.
- MPEG-2 video with open GOP or MPEG-2 interlaced video would crash the player.
- Simultaneous video playback could freeze the player.
- MPEG-1 video was not decoded correctly.
- Some content-related warnings were no longer in the player.log.
- The SNMP daemon had a TCP listening socket open on port 199 (smux) although no smux connections are supported; smux support is now completely disabled to avoid this.
- Notifications of the status of content update from ARYA could fail due to lack of credentials when the content update took a long time.
- Actions triggered from the SpinetiX cloud (e.g., content updates) could be theoretically delayed by 60 seconds in exceptional circumstances.
- Uploader did not include the necessary access token in retry queries to the SpinetiX cloud RPC concentrator when the first access failed.
- Uploader did not apply a retry timeout with exponential backoff when there was a problem reaching the RPC concentrator.
- Firmware updater was too aggressive in cleaning oversize logs and useful logs were being lost on firmware updates.
- The report was missing display manager configuration.
- Underline might not show in some conditions in text areas.
- Minor fixes for iframe preview in browsers (removed borders and added configurable width and height).
- A minor memory leak occurred during video decoding with H.264 videos.
- Audio on some web video services shown in HTML layers (e.g., Zattoo) was distorted.
Updated kernel from 4.19.127 to 5.4.90 to fix the following security issues:
- These could potentially affect the firmware: CVE-2018-20669, CVE-2019-5489, CVE-2019-12378, CVE-2019-12379, CVE-2019-12380, CVE-2019-12381, CVE-2019-14615, CVE-2019-15222, CVE-2019-19037, CVE-2019-19072, CVE-2019-19073, CVE-2019-19074, CVE-2019-19078, CVE-2019-19252, CVE-2019-19447, CVE-2019-19462, CVE-2019-19602, CVE-2019-19767, CVE-2019-19768, CVE-2019-19769, CVE-2019-19770, CVE-2019-19947, CVE-2019-19965, CVE-2019-20636, CVE-2019-20812, CVE-2019-20908, CVE-2020-0305, CVE-2020-0427, CVE-2020-0431, CVE-2020-0465, CVE-2020-0466, CVE-2020-0543, CVE-2020-7053, CVE-2020-8428, CVE-2020-8647, CVE-2020-8648, CVE-2020-8649, CVE-2020-8694, CVE-2020-8992, CVE-2020-10690, CVE-2020-10732, CVE-2020-10766, CVE-2020-10767, CVE-2020-10768, CVE-2020-11565, CVE-2020-12351, CVE-2020-12352, CVE-2020-12464, CVE-2020-12768, CVE-2020-12826, CVE-2020-13974, CVE-2020-14314, CVE-2020-14331, CVE-2020-14351, CVE-2020-14356, CVE-2020-14381, CVE-2020-14386, CVE-2020-14390, CVE-2020-14416, CVE-2020-15436, CVE-2020-15437, CVE-2020-16166, CVE-2020-24490, CVE-2020-25285, CVE-2020-25641, CVE-2020-25656, CVE-2020-25668, CVE-2020-25704, CVE-2020-25705, CVE-2020-27068, CVE-2020-27786, CVE-2020-28588, CVE-2020-28915, CVE-2020-28974, CVE-2020-29369, CVE-2020-29370, CVE-2020-29374, CVE-2020-29660, CVE-2020-29661, CVE-2020-35508, CVE-2021-20239
- These do not affect the firmware: CVE-2019-2181, CVE-2019-3016, CVE-2019-3874, CVE-2019-10220, CVE-2019-11191, CVE-2019-12455, CVE-2019-14895, CVE-2019-14896, CVE-2019-14897, CVE-2019-14901, CVE-2019-15291, CVE-2019-16229, CVE-2019-16230, CVE-2019-16232, CVE-2019-18660, CVE-2019-18683, CVE-2019-18786, CVE-2019-18808, CVE-2019-18809, CVE-2019-18814, CVE-2019-18885, CVE-2019-19036, CVE-2019-19039, CVE-2019-19043, CVE-2019-19046, CVE-2019-19050, CVE-2019-19053, CVE-2019-19054, CVE-2019-19056, CVE-2019-19057, CVE-2019-19061, CVE-2019-19062, CVE-2019-19063, CVE-2019-19064, CVE-2019-19066, CVE-2019-19067, CVE-2019-19068, CVE-2019-19070, CVE-2019-19071, CVE-2019-19082, CVE-2019-19332, CVE-2019-19338, CVE-2019-19377, CVE-2019-19448, CVE-2019-20810, CVE-2019-19813, CVE-2019-19815, CVE-2019-19816, CVE-2019-20810, CVE-2020-0009, CVE-2020-0041, CVE-2020-0067, CVE-2020-0110, CVE-2020-0543, CVE-2020-0404, CVE-2020-0423, CVE-2020-0432, CVE-2020-0444, CVE-2020-1749, CVE-2020-2732, CVE-2020-4788, CVE-2020-9383, CVE-2020-9391, CVE-2020-10711, CVE-2020-10751, CVE-2020-10757, CVE-2020-10781, CVE-2020-10942, CVE-2020-11494, CVE-2020-11608, CVE-2020-11609, CVE-2020-11668, CVE-2020-11884, CVE-2020-12465, CVE-2020-12652, CVE-2020-12653, CVE-2020-12654, CVE-2020-12655, CVE-2020-12656, CVE-2020-12657, CVE-2020-12659, CVE-2020-12769, CVE-2020-12770, CVE-2020-12771, CVE-2020-12888, CVE-2020-13143, CVE-2020-14385, CVE-2020-15393, CVE-2020-15780, CVE-2020-24394, CVE-2020-25211, CVE-2020-25212, CVE-2020-25284, CVE-2020-25643, CVE-2020-25645, CVE-2020-25669, CVE-2020-26088, CVE-2020-27673, CVE-2020-27675, CVE-2020-27777, CVE-2020-27815, CVE-2020-27830, CVE-2020-28374, CVE-2020-28941, CVE-2020-29368, CVE-2020-29371, CVE-2020-29568, CVE-2020-29569, CVE-2020-36158, CVE-2021-0342, CVE-2021-0448
Updated core libraries and components, the main changes are as follows:
- PHP updated from 5.6.38 to 7.4.4; fixes CVE-2018-19395, CVE-2018-19396, CVE-2018-19935, CVE-2019-6977, CVE-2019-9020, CVE-2019-9021, CVE-2019-9023, CVE-2019-9024, CVE-2019-9637, CVE-2019-9638, CVE-2019-9639, CVE-2019-9641, CVE-2020-11579.
- Updated base Linux distribution to OE-Core / Yocto 3.1 (dunfell).
- Apache HTTPd updated from 2.4.41 to 2.4.46; fixes CVE-2020-1927, which affected the firmware, and CVE-2020-1934, CVE-2020-11993, CVE-2020-11984 and CVE-2020-9490, none of which affected the firmware.
- libcurl updated from 7.61.0 to 7.69.1 plus backported patches; fixes CVE-2020-8177, CVE-2019-5481, CVE-2019-5482, CVE-2019-5443, CVE-2019-5436, CVE-2018-16890, CVE-2019-3822, CVE-2019-3823, CVE-2018-16842, CVE-2018-16840, CVE-2018-16839, CVE-2018-14618
- dhcp-client from 4.4.1 to 4.4.2
- glibc updated from 2.28 to 2.31 plus backported patches; fixes CVE-2018-19591, CVE-2019-6488, CVE-2016-10739, CVE-2019-7309, CVE-2018-20796, CVE-2019-9169, CVE-2019-9192, CVE-2019-19126, CVE-2020-1751, CVE-2016-10739, CVE-2020-29562, CVE-2020-10029, CVE-2020-6096, CVE-2020-1752
- iNet wireless daemon (iwd) from 1.7 to 1.9; fixes CVE-2020-17497
- OpenSSL updated from 1.1.1b to 1.1.1i; fixes CVE-2020-1971, CVE-2020-1967, CVE-2019-1551, CVE-2019-1563, CVE-2019-1549, CVE-2019-1547, CVE-2019-1552, CVE-2019-1543
- Mesa 3D updated from 19.0.8 to 20.0.2
- expat updated from 2.2.6 to 2.2.9; fixes CVE-2018-20843, CVE-2019-15903
- FreeType updated from 2.9.1 to 2.10.1 plus backported patches; fixes CVE-2020-15999
- GnuTLS updated from 3.6.4 to 3.6.14 plus backported patches; fixes CVE-2018-10844, CVE-2018-10845, CVE-2018-10846, CVE-2018-16868, CVE-2019-3829, CVE-2019-3836, CVE-2020-11501, CVE-2020-13777, CVE-2020-24659
- SQLite from 3.23.1 to 3.31.1; fixes CVE-2018-20346, CVE-2018-20505, CVE-2018-20506, CVE-2019-8457, CVE-2019-16168, CVE-2019-19645, CVE-2019-19646, CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13632, CVE-2020-15358, CVE-2020-9327, CVE-2019-19242
- libtasn1 updated from 4.13 to 4.16.0; fixes CVE-2018-1000654
- libxml2 updated from 2.9.8 to 2.9.10; fixes CVE-2019-19956, the other vulnerabilities CVE-2018-14567, CVE-2018-14404, CVE-2018-9251 were already fixed with backports.
- nettle updated from 3.4 to 3.5.1; fixes CVE-2018-16869.
- NSS updated from 3.39 to 3.51.1; fixes CVE-2018-12404, CVE-2019-17006, CVE-2019-17007
- NTP updated from 4.2.8p13 to 4.2.8p15; fixes CVE-2020-15025, CVE-2020-13817, CVE-2018-8956, CVE-2020-11868.
- OpenSSH updated from 7.8p1 to 8.2p1; fixes CVE-2018-15919, CVE-2018-20685, CVE-2019-6109, CVE-2019-6110, CVE-2019-6111, CVE-2019-16905.
- Pango updated from 1.42.4 to 1.44.7; the vulnerability CVE-2019-1010238 was already fixed with backports.
- libjpeg-turbo updated from 2.0.0 to 2.0.4 plus backported patches; fixes CVE-2018-19664, CVE-2018-20330, CVE-2019-13960, CVE-2020-13790
- HarfBuzz updated from 1.8.8 to 2.6.4
- Intel microcode updated from 20190514a to 20201118; updated mitigations for processor vulnerabilities CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091, CVE-2019-11135, CVE-2020-0548, CVE-2020-0549, CVE-2020-8694, CVE-2020-8695, CVE-2020-8698, CVE-2020-8696
- Intel Media Driver updated from 19.2.1 to 20.1.1
- Intel vaapi driver updated from 2.2.0 to 2.4.0
- timezone database (tzdata) updated from 2019a to 2020f.
- linux-firmware updated from 20190213 to 20201218.
- Updated libmosquitto from 1.4.15 to 1.6.10
- FFmpeg from 4.0.2 to 4.2.4; fixes CVE-2018-12458, CVE-2018-12459, CVE-2018-12460, CVE-2018-13300, CVE-2018-13301, CVE-2018-13302, CVE-2018-13303, CVE-2018-13304, CVE-2018-13305, CVE-2018-14394, CVE-2018-14395, CVE-2018-15822, CVE-2018-1999010, CVE-2018-1999011, CVE-2018-1999012, CVE-2018-1999013, CVE-2018-1999014, CVE-2018-1999015, CVE-2020-13904, CVE-2019-12730, CVE-2019-13390, CVE-2019-17539, CVE-2019-17542, CVE-2019-9718, CVE-2019-9721, CVE-2019-11339, CVE-2019-1000016, CVE-2019-11338, CVE-2020-12284, CVE-2019-15942, CVE-2019-13312.
More security fixes:
- Control Center sessions are now limited to 1 hour to improve security.
- Hardened parsing of XML in components (spxiot, spxenroll, spxdispmanager, updater) to avoid all possibility of XEE attacks.
- Added mitigation for UPnP protocol vulnerability CVE-2020-12695 (CallStranger).
- Setting a static IP configuration fails and the player picks an IP from 169.254.*.* range. Regression introduced in 4.7.0.
- There is a potential issue with the firmware update that in some circumstances may result in a corrupted firmware.
Release 4.6.4 build 2
- The default content contained a time-limited license expiring on 2021-07-31; the player would thus display a black screen when booted in factory defaults after this date.
- MPEG-2, MPEG-4 ASP and VC1 videos at 60 fps could freeze while playing.
- Revocation of a DSOS license resulted in the revoked license being reinstalled from the copy in the persistent data store. This created no functional issue, as the license is invalid anyhow and thus ignored, but it was confusing.
- Some content combinations (video plus an animated widget on a solid background plus a fade transition on the entire layout) caused rendering errors.
- In Control Center > Advanced Applications, the "Webstorage API" and "RPC Security" sections have been merged into a single section named "APIs Security" to better convey their current use. Also, the "Enable RPC request using AJAX (CORS)" option has been renamed to "Enable CORS requests".
- DSOS licenses now persist across a reset to factory default settings or firmware installation from the Recovery Console. Also, they can now be bound to the TPM and can be revoked before their expiration date.
- The firmware updater would not retry downloading update packages when the source server indicated a temporary failure (e.g., an HTTP 503 service unavailable status), erroring out the firmware update request; it now retries several times after a delay.
- The firmware updater incorrectly included the device serial number in the user agent header of its HTTP requests; it now uses the same dedicated header as other firmware components.
- In some cases an HTTP request that received a redirect response could fail to follow the redirect.
- Synthesized italic / oblique text was not slanted, a regression introduced in 4.5.0.
- The player snapshot could sometimes fail to be shown in Control Center.
- Changes to the "Use external USB drive to store content" setting did not trigger a player restart, although it is required for the change to take effect.
- The CEC engine could send an "on" command instead of "off" after the first two attempts for "off" failed.
- The Certificate Signing Request (CSR) sent by the player to enroll to the SpinetiX cloud had an incorrect DER encoding for the version number, which beginning December 2020 is no longer accepted by the cloud infrastructure (an "Invalid CSR format" error is returned); as a result new HMP350, HMP300 and DiVA players could not be registered in ARYA. The correct encoding is now used and new players of these models can be registered in ARYA again.
- The embedded web server did not protect against abuse of the Proxy header in requests (i.e., httpoxy vulnerabilities), although no exploit vector is known.
- The jSignage applyFormatDateNumber function would crash if called with
- Added support for analog audio output (using the SpinetiX USB-C analog audio cable SX-HW-UCAUD). This appears as "Built-in Audio Analog Output" in Control Center.
- Known audio output options (e.g., audio over HDMI) are listed in Control Center even if the output is not currently available, to ease the player configuration.
- The installation of the firmware from the Recovery Console can now automatically recover from corruption in the environment blocks used to store boot parameters.
- Players could enter a reboot loop in some rare cases with very unstable networks due to timeouts on the ntp daemon handling logic.
- In some rare cases the QR code generation in jSignage could fail with an exception.
- HDMI 2.0 displays could show no image if the HMP was rebooted while the display had no power.
- Communication errors with eMMC could generate I/O errors on the internal storage marking some filesystems as corrupted and cause unexpected reboots; the problem has been fixed and devices with filesystems marked as corrupted are automatically repaired after a firmware update.
- Removed the bogus error message about missing /usr/share/raperca/recipes.json.
- Removed the focus frame rendered around HTML layers.
- Use of images in HTML could result in inconsistent image caching.
- Power failures could leave uninitialized or old data in some files in the internal storage due to mishandling of the eMMC write cache.
- When installing the firmware from the Recovery Console, the installation did not clear existing boot settings (although none are set by any previous firmware version).
- Display power saving can now be configured independently per day of the week.
- Animated playlist widgets are now compatible with multiscreen projects.
- The HTML engine has been updated to Chromium 84.3.10.
Applies to third-party players.
- Added support for Intel NUC Austin Beach with NUC 8 Element (Chandler Bay).
- Players could fail to be enrolled in the SpinetiX cloud in some regions of the world due to an incompatibility with TLS 1.3 in the enrollment process. The incompatibility has been fixed in the firmware and the enrollment endpoints in the cloud have been limited to TLS 1.2 until incompatible firmware versions are phased out.
- The firmware updater failed to pull new packages into install set when the dependency was a file path, which prevented new firmware updates from being applied.
- The player would crash when the audio output is enabled, along with "Enable display power management" and "Disable audio when screen is turned off" options.
- Some types of streaming would log errors when audio was on mute.
- The Pull Mode agent (uploader) could crash with servers that incorrectly returned a 206 HTTP status code for non-range requests.
- Control Center would show an incorrect serial number in the certificate list due to a wrong decoding procedure; the correct serial number was shown in the certificate details.
- Some name length validations done by Control Center were ineffective.
- The player.log could incorrectly report usage peaks of 100%.
- Calendar widgets may not show data from Google Calendar.
- Column stacked graphs could fail to render correctly due to an incorrect automatic min / max calculation.
- Parsing of udp and rtp pseudo-urls for unicast streams was broken.
- The meanings of the spx:audioDelay and spx:buffering attributes were inverted: setting one was actually setting the other. Regression introduced in the 4.5.0 release.
- Rendering latency changes due to interactivity could cause distorted audio.
- The periodical logging of CPU package temperature was not enabled.
- A crash could occur with some types of content due to a shader compilation failure.
- Secure Shared Variable Network API was not working.
- The Web Storage REST API was not returning the value of variables.
- User added trusted certificates were not taken into account in Web page layers as the HTML engine did not use the same list of trusted root certificates.
- The option to ignore certificate validation errors did not apply to HTML content.
- Rendering of web content could freeze after several days.
- Some types of HTML content caused a significant memory leak.
- Scan and maintenance operations on the internal storage (eMMC) were not enabled.
- During Wi-Fi setup, the configuration QR code and AP information would be shown twice when the power/blue button was pressed.
- jSignage updated to version 1.6.0
- jSignage Graph plugin updated to version 1.0.4
- jSignage Custom Effects plugin updated to version 1.1.0
- Added PURGE method to Web Storage REST API.
- Support for HDMI CEC.
- This can be used on the HDMI output or on the DisplayPort Alt-mode output with a DP to HDMI adapter cable supporting the DP 1.3 "CEC tunneling over AUX" protocol.
- HMP Control Center will show a warning message when the selected video output does not support CEC.
- The display power management can be enabled from Control Center > Display & Audio page.
- Note that some players from the first production batches could lack the hardware support for CEC; this information can be found in Control Center.
- Support for rendering PDF files.
- Wi-Fi connections can now be easily configured from a smartphone, tablet or computer without any other network connection or USB stick, by connecting directly to the player over the air. See Wi-Fi setup page for more details.
- HTML rendering engine:
- Performance was improved by adding texture sharing.
- Added support for using the proxy configuration.
- Updated to Chromium 79.
- The DSOS license status (license type, missing license, or expired license) is shown on Control Center home page and on the OSD that appears when the blue button is pressed.
- The configuration backup file now includes an indication of the DSOS license active at the time the backup file is generated. This allows a clear error to be displayed if the user tries to restore a configuration backup containing features not supported by the DSOS license currently activated on the player.
- The audio connectors' names shown in Control Center are hardware-dependent.
- The embedded web server now supports TLS 1.3.
- The IP addresses and other information are shown only for the active interface on the OSD that appears when the blue button is pressed.
- The welcome splash screen shows a specific error message when the device is not enrolled in SpinetiX cloud services, aiding in diagnosis.
- Support for new image codecs (webp, dng).
- Support for hardware motion-adaptive deinterlacing with past and/or future references.
- Updated timezone database from version 2018i to 2019a; it affects Palestine and Metlakatla.
- Daily power saving schedule feature.
- Players would stop communicating with ARYA until next reboot when reconfigured.
- Interlaced videos could show green frames.
- URLs with empty components in path (i.e., doubled slash) were not interpreted correctly.
- Minor changes within the player report.
- The dropdown listing the time zones in Control Center is empty. This is a regression introduced in the 4.5.3 release.
Applies to third-party players.
- Incorrect serial number shown on the OSD that appears when the power button is pressed.
Updated Linux kernel from 4.19.80 to 4.19.127 to fix security issues.
- These could potentially affect the firmware: CVE-2019-17133, CVE-2019-19532, CVE-2019-18282, CVE-2019-0155, CVE-2019-0154, CVE-2019-19922, CVE-2019-11135, CVE-2019-19767, CVE-2019-19252, CVE-2019-19447, CVE-2019-20812, CVE-2020-0305, CVE-2019-20636, CVE-2019-14615, CVE-2019-19059, CVE-2019-19058, CVE-2019-5108, CVE-2020-8428, CVE-2019-16234, CVE-2020-8647, CVE-2020-8649, CVE-2020-8648, CVE-2020-11565, CVE-2020-12826, CVE-2019-19768, CVE-2020-12464, CVE-2020-10732, CVE-2019-19462
- These do not affect the firmware: CVE-2019-19075, CVE-2019-17075, CVE-2019-19060, CVE-2019-19065, CVE-2019-17666, CVE-2019-15098, CVE-2019-19048, CVE-2020-10773, CVE-2019-19526, CVE-2019-16233, CVE-2019-19049, CVE-2019-19045, CVE-2019-19052, CVE-2019-18813, CVE-2019-19529, CVE-2018-12207, CVE-2019-16231, CVE-2019-19534, CVE-2019-19524, CVE-2019-18660, CVE-2019-15291, CVE-2019-18683, CVE-2019-12614, CVE-2019-19062, CVE-2019-19227, CVE-2019-19071, CVE-2019-19079, CVE-2019-19332, CVE-2019-18786, CVE-2019-19057, CVE-2019-19063, CVE-2019-19947, CVE-2019-16230, CVE-2019-16232, CVE-2019-16229, CVE-2020-10690, CVE-2019-18809, CVE-2019-19965, CVE-2019-14901, CVE-2019-14895, CVE-2019-19066, CVE-2019-19068, CVE-2019-19056, CVE-2019-9445, CVE-2019-20096, CVE-2019-15217, CVE-2019-19077, CVE-2020-12652, CVE-2019-19046, CVE-2019-20806, CVE-2019-14896, CVE-2019-14897, CVE-2020-14416, CVE-2020-12769, CVE-2019-3016, CVE-2020-12653, CVE-2020-12654, CVE-2020-9383, CVE-2020-2732, CVE-2020-0009, CVE-2020-10942, CVE-2020-12465, CVE-2020-11608, CVE-2020-11609, CVE-2020-11668, CVE-2020-11494, CVE-2020-12657, CVE-2020-11669, CVE-2020-12659, CVE-2020-1749, CVE-2020-0067, CVE-2020-11884, CVE-2020-10751, CVE-2020-13143, CVE-2020-10711, CVE-2020-12770, CVE-2020-12768, CVE-2019-18814, CVE-2020-10757
More security fixes:
- openssl: CVE-2019-1543
- bluez5: CVE-2018-10910
- libsndfile1: changed fix for CVE-2017-14245 and CVE-2017-14246, fixed CVE-2017-12562, CVE-2018-19758, CVE-2019-3832
- glibc: CVE-2019-9169, CVE-2016-10739, CVE-2018-19591, CVE-2019-6488, CVE-2019-7309; fix for incomplete CVE-2016-10739
- elfutils: CVE-2019-7146, CVE-2019-7149, CVE-2019-7150, CVE-2019-7664, CVE-2019-7665
- busybox: CVE-2018-20679, CVE-2019-5747
- sqlite3: CVE-2018-20505, CVE-2018-20506, CVE-2019-8457
- cairo: CVE-2018-19876, CVE-2019-6461, CVE-2019-6462
- tar: CVE-2019-0023, CVE-2018-20482
- glib2: CVE-2019-12450, CVE-2019-9633, CVE-2019-13012
- curl: CVE-2019-5435, CVE-2019-5436, CVE-2018-16890, CVE-2019-3822, CVE-2019-3823, CVE-2019-5482
- bzip2: CVE-2019-12900
- expat: CVE-2018-20843
- dbus: CVE-2019-12749
- gcc: CVE-2019-14250
- bind libraries: updated from 9.11.4 to 9.11.5-P4, CVE-2018-5738, CVE-2018-5744, CVE-2018-5745, CVE-2019-6465
- pango: CVE-2019-1010238
- gnutls: CVE-2019-3829 and CVE-2019-3836
- libgcrypt: CVE-2019-12904
- apache httpd: update from 2.4.34 to 2.4.41, fixes CVE-2018-17189, CVE-2018-17199, CVE-2019-0190, CVE-2019-0220, CVE-2019-0196, CVE-2019-0197, CVE-2019-0215, CVE-2019-0217, CVE-2019-0211, CVE-2019-10081, CVE-2019-9517, CVE-2019-10098, CVE-2019-10092, CVE-2019-10097, CVE-2019-10082
- The fix for CVE-2020-15809 in 4.5.3 was incomplete: URI validation in rssProxy.php missed a few possible cases.
- RPC API - new commands for Wi-Fi:
deviceInfo global object with two new methods, mostly relevant for Wi-Fi:
- Calendar widgets do not show data from Google.
- HMP400 serial number doesn't work as Multiscreen ID
- CORS requests are now allowed for endpoints other than RPC, provided the RPC API key is used.
- Changed the display message when the player license expires or is missing, now a black screen is shown instead of the "no valid license" floating text.
- The content server was not disabled when a player was added to ARYA, leading to confusing errors in Elementi if a publish was attempted.
- Importing X.509 server certificates with unknown extensions would make the network page display an error and be unusable until the certificate was removed.
- RTP (not MPEG2TS) streaming will stop after a few minutes.
- AJAX POST requests would use chunked transfer encoding since firmware 4.5.0, but many simple devices do not support it, which broke communications; chunked transfer encoding is no longer used in AJAX requests.
- HTTP requests to servers whose name started with vN, N being an integer, would be modified so that the name was placed within square brackets, breaking the request.
- Video modes could be incorrectly programmed when the attached display did not return a valid EDID, due to an internal DisplayPort link rate being incorrectly programmed.
- The hardware watchdog would not fire if the system hung during shutdown, as it got disabled when the software watchdog exited; the hardware watchdog is now never disabled.
- The unused rssProxy.php, i18njs.php and timezones.php were incorrectly included in the firmware image, which increases the attack surface; they are no longer included.
- Visual stutter could occur with looping videos.
- Player could hang after video playback.
- Fixed CVE-2020-15809, the spxmanage component would allow requests that access unintended resources because of SSRF and Path Traversal.
- The dropdown listing the time zones in Control Center is empty for HMP400, HMP400W, and third-party players.
- The workaround is to use the <timezone> configuration tag. This is a regression introduced in the 4.5.3 release.
- No proxy support in HTML rendering engine.
- The RTC is now calibrated for improved time accuracy while the player is powered off.
Applies to all models.
- Facebook widgets were no longer working due to a Facebook API change.
- The default gateway in static IPv6 configurations conflicted with IPv6 routes added from router advertisements, resulting in unpredictable routing; the default gateway now uses a lower metric and has precedence.
- Fixed various minor presentation problems in Control Center, such as:
- Configurations deployed via USB sticks including a reboot directive could cause a reboot loop.
- Recovery Console updated to version 2.8.1, fixing the player rebooting after a couple of minutes when a reset to factory defaults operation was pending.
- On HMP400W, the local link IPv6 addresses in static DNS configurations would get the wrong interface identifier when Wi-Fi was the selected interface.
- Enabling capturing the HTTP traffic for Pull Mode would generate no or incomplete capture files.
- HTTP PUT requests with an empty body were incorrectly done as GET requests.
- Enabled Wi-Fi connections with support for personal (pre-shared key) and enterprise authentication, as well as open/unauthenticated networks. Wi-Fi is enabled from Control Center, and the configuration is done via a configuration backup file.
- Configurations can now be deployed via USB sticks - inserting a USB stick with a configuration backup file on a not-yet configured player will automatically apply the configuration; this feature is automatically disabled once the player has been fully configured for security reasons.
- Added support for 802.1x authentication on Ethernet; configuration is done via the configuration backup file.
- The Recovery Console has been updated to version 2.8.0, to support Wi-Fi connections and 802.1x authentication on Ethernet. The Recovery Console is now updated during the regular firmware update, if an older console version is installed on the player; also, it can now be installed via a .pkg file, just as the firmware.
- The player report includes more readable license data to aid in diagnostics.
Applies to third-party players.
- Names corresponding to the labels on the device are now shown in Control Center's video and audio output selectors.
- Licenses were incorrectly included in the configuration backup, which can invalidate a valid license received from the license server when restoring the configuration backup at a later time; licenses are no longer included in the configuration backup as they are distributed directly by the license server. Configuration backups saved from firmware 4.5.0 for units which had a license should be manually edited to remove the license before restoring.
Applies to all models.
- Streaming was not working properly with some sources.
- An HTTP proxy on port 80 could not be used. This was a regression introduced in 4.5.0.
- Some web services, like RSS feeds, behave differently when the referrer is about:blank; a full URL is now used to avoid problems.
- Solved incompatibility with myDrive.ch file storage service.
- Webp images could crash the player causing a reboot.
- RPC responses to failed calls were not returned to the RPC concentrator (regression introduced in 4.5.0); in addition any HTTP level RPC call errors are also returned to the RPC concentrator.
- The player could reboot during network state changes due to races in the restart of the NTP daemon.
- Credentials to access resources on AWS could be renewed just after they expired, instead of a few minutes before, causing temporary problems with ARYA.
- The license texts in Control Center's about page were not properly tagged as UTF-8 plain text and could be displayed garbled.
- EULA and third-party licenses updated to reflect current ones.
- On full HD deinterlaced videos, the bottom of the 1088 coded lines were outputted instead of the top 1080.
- The player was not restarted when the audio configuration changed, although a restart was required.
- Network default routes installed by the DHCP client could conflict with existing default routes and not become effective; they are now replaced.
- The NTP daemon no longer restarts on IP address changes as it is no longer necessary.
- The report did not properly dump the TPM2 public data of persistent handles.
Applies to all players.
- Configuration API new tags:
- RPC API - the get_info command has been extended to support Wi-Fi.
- Status API - the info endpoint has been extended to support Wi-Fi.
- Added DSOS support for the new hardware models: HMP400/HMP400W and selected 3rd-party players.
- Added support for the DSOS activation licenses; the player license information is displayed on the Control Center home page and included within the configuration backup.
- New HTML5 rendering engine, based on Chromium 74, with support for hardware accelerated video decoding and WebGL. Applies only to players with DSOS Kiosk and DSOS Systems licenses.
- New Pull Mode engine that supports faster downloads, end-to-end content integrity checking with SHA-256, and processing of RPC commands.
- JPEG images are now automatically rotated and flipped according to EXIF data.
- Added support for merging multiple calendars on the same view for Google calendar and Outlook online.
- Added support for underlined text.
- HTTP traffic capturing can be enabled from Control Center or RPC, for improved diagnostics. The captures are also included in the player report. Credentials are masked in the captures.
- Added video and audio output selectors in Control Center and Configuration Wizard for players with multiple video/audio outputs.
- Added support for Hyperlink and Picture columns in SharePoint lists.
- Firmware updater now checks that update source is compatible with product's model before applying any updates.
- Bonjour and SSDP announcements now include additional serial numbers for the benefit of the newly supported models.
- JS locale files are now compressed, reducing the firmware size.
- Updated some internal libraries:
- ffmpeg to version 4.0.2 (was 3.4.5)
- libical to version 2.0.0 (was 1.0.1)
- Yii PHP framework to version 1.1.21 (was 1.1.17)
- Removed support for Instagram widgets because Instagram has discontinued the Legacy API.
- Session cookies now expire after 2 days (used to never expire before).
- Pull Mode with ICS executed after being disabled.
- Cookies for public top level domains were incorrectly allowed in the Pull Mode daemon (uploader).
- Crash when pressing blue button when playing a project with asynchronous audio player event handlers.
- Events widget - long event titles were not showing correctly.
- JSignage Graph plugin: the axis grid was not shown in some cases because of missing min and max values.
- Editing was broken if there was any text in an editable text area.
- Enrollment to SpinetiX cloud services now uses the TPM to authenticate third-party devices.
- Protected from XEE attacks in XML files.
- Use HTTPS protocol for the ECB exchange rate data source.
- CORS violations and other errors in HTML5 content are reported in the log.
- Credentials can now be used on AJAX requests to the player from web pages not hosted on the player (i.e., the authorization headers are now allowed for CORS).
- Uploader process logs more messages at trace level to diagnose replication issues in Pull Mode.
- New tags for the Configuration API:
- <video-output-selector> to select the video output connector on DSOS devices.
- <pullmode-http-capture-log> to capture HTTP traffic for the uploader process.
- <http-capture-log> to capture HTTP traffic for the player.
- New options for the
- videoConnectors: true to report the list of attached screens
- audioConnectors: true to report the list of attached audio connectors