DSOS release notes
From SpinetiX Support Wiki
Native to the HMP400, DSOS also brings embedded system design to the entire Intel ecosystem, ideal for fanless architectures like Intel Goldmont, but scalable to i5, i7 or i9 when maximum performance matters.
Release 4.6.4 build 2
- The default content contained a time-limited license expiring on 2021-07-31; the player would thus display a black screen when booted in factory defaults after this date.
- MPEG-2, MPEG-4 ASP and VC1 videos at 60 fps could freeze while playing.
- Revocation of a DSOS license resulted in the revoked license being reinstalled from the copy in the persistent data store; this created no functional issue, as the license is invalid anyway and thus ignored, but it was confusing.
- Some content combinations (video plus an animated widget on a solid background plus a fade transition on the entire layout) caused rendering errors.
- In Control Center > Advanced Applications, the "Webstorage API" and "RPC Security" sections have been merged into a single section named "APIs Security" to better convey their current use. Also, the "Enable RPC request using AJAX (CORS)" option has been renamed to "Enable CORS requests".
- DSOS licenses now persist across a reset to factory default settings or firmware installation from the Recovery Console. Also, they can now be bound to the TPM and can be revoked before their expiration date.
- The firmware updater did not retry downloading update packages when the source server indicated a temporary failure (e.g., an HTTP 503 service unavailable status), and the firmware update request failed; it now retries several times after a delay.
- The firmware updater incorrectly included the device serial number in the user agent header of its HTTP requests; it now uses the same dedicated header as other firmware components.
- In some cases an HTTP request that received a redirect response could fail to follow the redirect.
- Synthesized italic / oblique text was not slanted; regression introduced in 4.5.0.
- The player snapshot could sometimes fail to be shown in Control Center.
- Changes to the "Use external USB drive to store content" setting did not trigger a player restart, although it is required for the change to take effect.
- The CEC engine could send an "on" command instead of "off" after the first two attempts for "off" failed.
- The Certificate Signing Request (CSR) sent by the player to enroll to the SpinetiX cloud had an incorrect DER encoding for the version number, which beginning December 2020 is no longer accepted by the cloud infrastructure (an "Invalid CSR format" error is returned); as a result new HMP350, HMP300 and DiVA players could not be registered in ARYA. The correct encoding is now used and new players of these models can be registered in ARYA again.
- The embedded web server did not protect against abuse of the Proxy header in requests (i.e., httpoxy vulnerabilities), although no exploit vector is known.
- The jSignage applyFormatDateNumber function would crash if called with
- Added support for analog audio output (using the SpinetiX USB-C analog audio cable SX-HW-UCAUD). This appears as "Built-in Audio Analog Output" in Control Center.
- Known audio output options (e.g., audio over HDMI) are listed in Control Center even if the output is not currently available, to ease the player configuration.
- The installation of the firmware from the Recovery Console can now automatically recover from corruption in the environment blocks used to store boot parameters.
- Players could enter a reboot loop in some rare cases with very unstable networks due to timeouts on the ntp daemon handling logic.
- In some rare cases the QR code generation in jSignage could fail with an exception.
- HDMI 2.0 displays could show no image if the HMP was rebooted while the display had no power.
- Communication errors with eMMC could generate I/O errors on the internal storage marking some filesystems as corrupted and cause unexpected reboots; the problem has been fixed and devices with filesystems marked as corrupted are automatically repaired after a firmware update.
- Removed the bogus error message about missing /usr/share/raperca/recipes.json.
- Removed the focus frame rendered around HTML layers.
- Use of images in HTML could result in inconsistent image caching.
- Power failures could leave uninitialized or old data in some files in the internal storage due to mishandling of the eMMC write cache.
- When installing the firmware from the Recovery Console, the installation did not clear existing boot settings (although none are set by any previous firmware version).
- Display power saving can now be configured independently per day of the week.
- Animated playlist widgets are now compatible with multiscreen projects.
- The HTML engine has been updated to Chromium 84.3.10.
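The Certificate Signing Request item in the list above reports an incorrect DER encoding of the version number without saying what was wrong with it. The following added example (not SpinetiX code) is a strict DER check of the version INTEGER in a PKCS#10 request, covering the general ways an INTEGER can be acceptable to a lenient parser yet invalid DER. The function names and the sample bytes are constructed for illustration.

```python
"""Strict DER check of the version field in a PKCS#10 CSR (added example)."""


class DerError(ValueError):
    """The bytes are not valid DER at the inspected position."""


def read_tlv(buf, pos, limit):
    """Return (tag, content_start, content_end), enforcing DER length rules."""
    if pos + 2 > limit:
        raise DerError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short form: the byte is the length
        length = first
    elif first == 0x80:
        raise DerError("indefinite length is BER, not DER")
    else:                                  # long form: next n bytes hold the length
        n = first & 0x7F
        if pos + n > limit:
            raise DerError("truncated length")
        raw = buf[pos:pos + n]
        length = int.from_bytes(raw, "big")
        pos += n
        if raw[0] == 0 or length < 0x80:   # DER demands the shortest possible form
            raise DerError("non-minimal length encoding")
    if pos + length > limit:
        raise DerError("content runs past its container")
    return tag, pos, pos + length


def check_csr_version(der):
    """Walk CSR SEQUENCE -> CertificationRequestInfo SEQUENCE -> version INTEGER."""
    tag, start, end = read_tlv(der, 0, len(der))
    if tag != 0x30:
        raise DerError("CSR is not a SEQUENCE")
    tag, start, end = read_tlv(der, start, end)
    if tag != 0x30:
        raise DerError("CertificationRequestInfo is not a SEQUENCE")
    tag, start, end = read_tlv(der, start, end)
    if tag != 0x02:
        raise DerError("version is not an INTEGER")
    content = der[start:end]
    if not content:
        raise DerError("empty INTEGER")
    if len(content) > 1 and ((content[0] == 0x00 and content[1] < 0x80)
                             or (content[0] == 0xFF and content[1] >= 0x80)):
        raise DerError("INTEGER has redundant leading byte")
    version = int.from_bytes(content, "big", signed=True)
    if version != 0:                       # PKCS#10 defines only version 0
        raise DerError(f"unsupported PKCS#10 version {version}")
    return version


def skeleton(version_tlv):
    """Constructed input: the two outer SEQUENCEs and the version only, not a full CSR."""
    info = version_tlv + bytes.fromhex("3000")     # empty subject Name as filler
    inner = b"\x30" + bytes([len(info)]) + info
    return b"\x30" + bytes([len(inner)]) + inner


SAMPLES = {                                         # constructed, not captured from a player
    "canonical": skeleton(bytes.fromhex("020100")),
    "padded content": skeleton(bytes.fromhex("02020000")),
    "long-form length": skeleton(bytes.fromhex("02810100")),
    "empty integer": skeleton(bytes.fromhex("0200")),
}


def classify(der):
    """Return 'ok' or the reason the version field is rejected."""
    try:
        check_csr_version(der)
        return "ok"
    except DerError as exc:
        return str(exc)


if __name__ == "__main__":
    for name, der in SAMPLES.items():
        print(f"{name:18} {der.hex()}  ->  {classify(der)}")
```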
Applies to third-party players.
- Added support for Intel NUC Austin Beach with NUC 8 Element (Chandler Bay).
- Players could fail to be enrolled in the SpinetiX cloud in some regions of the world due to an incompatibility with TLS 1.3 in the enrollment process. The incompatibility has been fixed in the firmware and the enrollment endpoints in the cloud have been limited to TLS 1.2 until incompatible firmware versions are phased out.
- The firmware updater failed to pull new packages into install set when the dependency was a file path, which prevented new firmware updates from being applied.
- The player would crash when the audio output is enabled, along with "Enable display power management" and "Disable audio when screen is turned off" options.
- Some types of streaming would log errors when audio was on mute.
- The Pull Mode agent (uploader) could crash with servers that incorrectly returned a 206 HTTP status code for non-range requests.
- Control Center would show an incorrect serial number in the certificate list due to a wrong decoding procedure; the correct serial number was shown in the certificate details.
- Some name length validations done by Control Center were ineffective.
- The player.log could incorrectly report usage peaks of 100%.
- Calendar widgets may not show data from Google Calendar.
- Column stacked graphs could fail to render correctly due to an incorrect automatic min / max calculation.
- Parsing of udp and rtp pseudo-urls for unicast streams was broken.
- The meanings of the spx:audioDelay and spx:buffering attributes were inverted: setting one was actually setting the other. Regression introduced in 4.5.0 release.
- Rendering latency changes due to interactivity could cause distorted audio.
- The periodical logging of CPU package temperature was not enabled.
- A crash could occur with some types of content due to a shader compilation failure.
- Secure Shared Variable Network API was not working.
- The Web Storage REST API was not returning the value of variables.
- User added trusted certificates were not taken into account in Web page layers as the HTML engine did not use the same list of trusted root certificates.
- The option to ignore certificate validation errors did not apply to HTML content.
- Rendering of web content could freeze after several days.
- Some types of HTML content caused a significant memory leak.
- Scan and maintenance operations on the internal storage (eMMC) were not enabled.
- During Wi-Fi setup, the configuration QR code and AP information would be shown twice when the power/blue button was pressed.
- jSignage updated to version 1.6.0
- jSignage Graph plugin updated to version 1.0.4
- jSignage Custom Effects plugin updated to version 1.1.0
- Support for HDMI CEC.
  - This can be used on the HDMI output or on the DisplayPort Alt-mode output with a DP to HDMI adapter cable supporting the DP 1.3 "CEC tunneling over AUX" protocol.
  - HMP Control Center will show a warning message when the selected video output does not support CEC.
  - The display power management can be enabled from Control Center > Display & Audio page.
  - Note that some players from the first production batches could lack the hardware support for CEC - this information can be found in Control Center.
- Support for rendering PDF files.
- Wi-Fi connections can now be easily configured from a smartphone, tablet or computer without any other network connection, nor USB stick, by connecting directly to the player over the air. See Wi-Fi setup page for more details.
- HTML rendering engine:
  - Performance was improved by adding texture sharing.
  - Added support for using the proxy configuration.
  - Updated to Chromium 79.
- The DSOS license status (license type, missing license, or expired license) is shown on Control Center home page and on the OSD that appears when the blue button is pressed.
- The configuration backup file now includes an indication of the DSOS license active at the time the backup file is generated. This allows displaying a clean error to the user if he tries to restore a configuration backup containing features not supported by the DSOS license currently activated on the player.
- The audio connectors' names shown in Control Center are hardware-dependent.
- The embedded web server now supports TLS 1.3.
- The IP addresses and other information are shown only for the active interface on the OSD that appears when the blue button is pressed.
- The welcome splash screen shows a specific error message when the device is not enrolled in SpinetiX cloud services, aiding in diagnosis.
- Support for new image codecs (webp, dng).
- Support for hardware motion-adaptive deinterlacing with past and/or future references.
- Updated timezone database from version 2018i to 2019a; it affects Palestine and Metlakatla.
- Daily power saving schedule feature.
- Players would stop communicating with ARYA until next reboot when reconfigured.
- Interlaced videos could show green frames.
- URLs with empty components in path (i.e., doubled slash) were not interpreted correctly.
- Minor changes within the player report.
- The dropdown listing the time zones in Control Center is empty. This is a regression introduced in 4.5.3 release.
Applies to third-party players.
- Incorrect serial number shown on the OSD that appears when the power button is pressed.
Updated Linux kernel from 4.19.80 to 4.19.127 to fix security issues.
- These could potentially affect the firmware: CVE-2019-17133, CVE-2019-19532, CVE-2019-18282, CVE-2019-0155, CVE-2019-0154, CVE-2019-19922, CVE-2019-11135, CVE-2019-19767, CVE-2019-19252, CVE-2019-19447, CVE-2019-20812, CVE-2020-0305, CVE-2019-20636, CVE-2019-14615, CVE-2019-19059, CVE-2019-19058, CVE-2019-5108, CVE-2020-8428, CVE-2019-16234, CVE-2020-8647, CVE-2020-8649, CVE-2020-8648, CVE-2020-11565, CVE-2020-12826, CVE-2019-19768, CVE-2020-12464, CVE-2020-10732, CVE-2019-19462
- These do not affect the firmware: CVE-2019-19075, CVE-2019-17075, CVE-2019-19060, CVE-2019-19065, CVE-2019-17666, CVE-2019-15098, CVE-2019-19048, CVE-2020-10773, CVE-2019-19526, CVE-2019-16233, CVE-2019-19049, CVE-2019-19045, CVE-2019-19052, CVE-2019-18813, CVE-2019-19529, CVE-2018-12207, CVE-2019-16231, CVE-2019-19534, CVE-2019-19524, CVE-2019-18660, CVE-2019-15291, CVE-2019-18683, CVE-2019-12614, CVE-2019-19062, CVE-2019-19227, CVE-2019-19071, CVE-2019-19079, CVE-2019-19332, CVE-2019-18786, CVE-2019-19057, CVE-2019-19063, CVE-2019-19947, CVE-2019-16230, CVE-2019-16232, CVE-2019-16229, CVE-2020-10690, CVE-2019-18809, CVE-2019-19965, CVE-2019-14901, CVE-2019-14895, CVE-2019-19066, CVE-2019-19068, CVE-2019-19056, CVE-2019-9445, CVE-2019-20096, CVE-2019-15217, CVE-2019-19077, CVE-2020-12652, CVE-2019-19046, CVE-2019-20806, CVE-2019-14896, CVE-2019-14897, CVE-2020-14416, CVE-2020-12769, CVE-2019-3016, CVE-2020-12653, CVE-2020-12654, CVE-2020-9383, CVE-2020-2732, CVE-2020-0009, CVE-2020-10942, CVE-2020-12465, CVE-2020-11608, CVE-2020-11609, CVE-2020-11668, CVE-2020-11494, CVE-2020-12657, CVE-2020-11669, CVE-2020-12659, CVE-2020-1749, CVE-2020-0067, CVE-2020-11884, CVE-2020-10751, CVE-2020-13143, CVE-2020-10711, CVE-2020-12770, CVE-2020-12768, CVE-2019-18814, CVE-2020-10757
More security fixes:
- openssl: CVE-2019-1543
- bluez5: CVE-2018-10910
- libsndfile1: changed fix for CVE-2017-14245 and CVE-2017-14246, fixed CVE-2017-12562, CVE-2018-19758, CVE-2019-3832
- glibc: CVE-2019-9169, CVE-2016-10739, CVE-2018-19591, CVE-2019-6488, CVE-2019-7309; fix for incomplete CVE-2016-10739
- elfutils: CVE-2019-7146, CVE-2019-7149, CVE-2019-7150, CVE-2019-7664, CVE-2019-7665
- busybox: CVE-2018-20679, CVE-2019-5747
- sqlite3: CVE-2018-20505, CVE-2018-20506, CVE-2019-8457
- cairo: CVE-2018-19876, CVE-2019-6461, CVE-2019-6462
- tar: CVE-2019-0023, CVE-2018-20482
- glib2: CVE-2019-12450, CVE-2019-9633, CVE-2019-13012
- curl: CVE-2019-5435, CVE-2019-5436, CVE-2018-16890, CVE-2019-3822, CVE-2019-3823, CVE-2019-5482
- bzip2: CVE-2019-12900
- expat: CVE-2018-20843
- dbus: CVE-2019-12749
- gcc: CVE-2019-14250
- bind libraries: updated from 9.11.4 to 9.11.5-P4, CVE-2018-5738, CVE-2018-5744, CVE-2018-5745, CVE-2019-6465
- pango: CVE-2019-1010238
- gnutls: CVE-2019-3829 and CVE-2019-3836
- libgcrypt: CVE-2019-12904
- apache httpd: update from 2.4.34 to 2.4.41, fixes CVE-2018-17189, CVE-2018-17199, CVE-2019-0190, CVE-2019-0220, CVE-2019-0196, CVE-2019-0197, CVE-2019-0215, CVE-2019-0217, CVE-2019-0211, CVE-2019-10081, CVE-2019-9517, CVE-2019-10098, CVE-2019-10092, CVE-2019-10097, CVE-2019-10082
- The fix for CVE-2020-15809 in 4.5.3 was incomplete; URI validation in rssProxy.php missed a few possible cases.
- RPC API - new commands for Wi-Fi:
deviceInfo global object with two new methods, mostly relevant for Wi-Fi:
- Calendar widgets do not show data from Google.
- HMP400 serial number doesn't work as Multiscreen ID
- CORS requests are now allowed for endpoints other than RPC, provided the RPC API key is used.
- Changed the display message when the player license expires or is missing, now a black screen is shown instead of the "no valid license" floating text.
- The content server was not disabled when a player was added to ARYA, leading to confusing errors in Elementi if a publish was attempted.
- Importing X.509 server certificates with unknown extensions would make the network page display an error and be unusable until the certificate was removed.
- RTP (not MPEG2TS) streaming will stop after a few minutes.
- AJAX POST requests would use chunked transfer encoding since firmware 4.5.0, but many simple devices do not support it, which broke communications; now chunked transfer encoding is not used in AJAX requests.
- HTTP requests to a server whose name started with vN, N being an integer, would be modified to be within square brackets, breaking the request.
- Video modes could be incorrectly programmed when the attached display did not return a valid EDID, due to an internal DisplayPort link rate being incorrectly programmed.
- The hardware watchdog would not fire if the system hung during shutdown, as it got disabled when the software watchdog exited; the hardware watchdog is now never disabled.
- The unused rssProxy.php, i18njs.php and timezones.php were incorrectly included in the firmware image, which increased the attack surface; they are no longer included.
- Visual stutter could occur with looping videos.
- Player could hang after video playback.
- Fixed CVE-2020-15809, the spxmanage component would allow requests that access unintended resources because of SSRF and Path Traversal.
- The dropdown listing the time zones in Control Center is empty for HMP400, HMP400W, and third-party players.
  - The workaround is to use the <timezone> configuration tag. This is a regression introduced in 4.5.3 release.
- No proxy support in HTML rendering engine.
- The RTC is now calibrated for improved time accuracy while the player is powered off.
Applies to all models.
- Facebook widgets were no longer working due to a Facebook API change.
- The default gateway in static IPv6 configurations conflicted with IPv6 routes added from router advertisements, resulting in unpredictable routing; the default gateway now uses a lower metric and has precedence.
- Fixed various minor presentation problems in Control Center, such as:
- Configurations deployed via USB sticks including a reboot directive could cause a reboot loop.
- Recovery Console updated to version 2.8.1, fixing the player rebooting after a couple of minutes when a reset to factory defaults operation was pending.
- On HMP400W, the local link IPv6 addresses in static DNS configurations would get the wrong interface identifier when Wi-Fi was the selected interface.
- Enabling capturing the HTTP traffic for Pull Mode would generate no or incomplete capture files.
- HTTP PUT requests with an empty body were incorrectly sent as GET requests.
- Enabled Wi-Fi connections with support for personal (pre-shared key) and enterprise authentication, as well as open/unauthenticated networks. Wi-Fi is enabled from Control Center, and the configuration is done via a configuration backup file.
- Configurations can now be deployed via USB sticks - inserting a USB stick with a configuration backup file on a not-yet configured player will automatically apply the configuration; for security reasons, this feature is automatically disabled once the player has been fully configured.
- Added support for 802.1x authentication on Ethernet; configuration is done via the configuration backup file.
- The Recovery Console has been updated to version 2.8.0, to support Wi-Fi connections and 802.1x authentication on Ethernet. The Recovery Console is now updated during the regular firmware update, if an older console version is installed on the player; also, it can now be installed via a .pkg file, just as the firmware.
- The player report includes more readable license data to aid in diagnostics.
Applies to third-party players.
- Names corresponding to the labels on the device are now shown in Control Center's video and audio output selectors.
- Licenses were incorrectly included in the configuration backup, which can invalidate a valid license received from the license server when restoring the configuration backup at a later time; licenses are no longer included in the configuration backup as they are distributed directly by the license server. Configuration backups saved from firmware 4.5.0 for units which had a license should be manually edited to remove the license before restoring.
Applies to all models.
- Streaming was not working properly with some sources.
- An HTTP proxy on port 80 could not be used. This was a regression introduced in 4.5.0.
- Some web services, like RSS feeds, behave differently when the referrer is about:blank; a full URL is now used to avoid problems.
- Solved incompatibility with myDrive.ch file storage service.
- Webp images could crash the player causing a reboot.
- RPC responses to failed calls were not returned to the RPC concentrator (regression introduced in 4.5.0); in addition any HTTP level RPC call errors are also returned to the RPC concentrator.
- The player could reboot during network state changes due to races in the restart of the NTP daemon.
- Credentials to access resources on AWS could be renewed just after they expired, instead of a few minutes before, causing temporary problems with ARYA.
- The license texts in Control Center's about page were not properly tagged as UTF-8 plain text and could display garbled.
- EULA and third-party licenses updated to reflect current ones.
- On full HD deinterlaced videos, the bottom of the 1088 coded lines was output instead of the top 1080.
- The player was not restarted when the audio configuration changed, although a restart was required.
- Network default routes installed by the DHCP client could conflict with existing default routes and not become effective; they are now replaced.
- The NTP daemon no longer restarts on IP address changes as it is no longer necessary.
- The report did not properly dump the TPM2 public data of persistent handles.
Applies to all players.
- Configuration API new tags:
- RPC API - the get_info command has been extended to support Wi-Fi.
- Status API - the info endpoint has been extended to support Wi-Fi.
- Added DSOS support for the new hardware models: HMP400/HMP400W and selected 3rd-party players.
- Added support for the DSOS activation licenses; the player license information is displayed on the Control Center home page and included within the configuration backup.
- New HTML5 rendering engine, based on Chromium 74, with support for hardware accelerated video decoding and WebGL. Applies only to players with DSOS Kiosk and DSOS Systems licenses.
- New Pull Mode engine that supports faster downloads, end-to-end content integrity checking with SHA-256, and processing of RPC commands.
- JPEG images are now automatically rotated and flipped according to EXIF data.
- Added support for merging multiple calendars in the same view for Google Calendar and Outlook online.
- Added support for underlined text.
- HTTP traffic capturing can be enabled from Control Center or RPC, for improved diagnostics. The captures are also included in the player report. Credentials are masked in the captures.
- Added video and audio output selectors in Control Center and Configuration Wizard for players with multiple video/audio outputs.
- Added support for Hyperlink and Picture columns in SharePoint lists.
- Firmware updater now checks that the update source is compatible with the product's model before applying any updates.
- Bonjour and SSDP announcements now include additional serial numbers for the benefit of the newly supported models.
- JS locale files are now compressed, reducing the firmware size.
- Updated some internal libraries:
  - ffmpeg to version 4.0.2 (was 3.4.5)
  - libical to version 2.0.0 (was 1.0.1)
  - Yii PHP framework to version 1.1.21 (was 1.1.17)
- Removed support for Instagram widgets because Instagram has discontinued the Legacy API.
- Session cookies now expire after 2 days (previously they never expired).
- Pull Mode with ICS executed after being disabled.
- Cookies for public top level domains were incorrectly allowed in the Pull Mode daemon (uploader).
- Crash when pressing the blue button while playing a project with asynchronous audio player event handlers.
- Events widget - long event titles were not showing correctly.
- jSignage Graph plugin: axis grids were not shown in some cases because of missing min and max values.
- Editing was broken if there was any text in an editable text area.
- Enrollment to SpinetiX cloud services now uses the TPM to authenticate third-party devices.
- Protected from XEE attacks in XML files.
- Use HTTPS protocol for the ECB exchange rate data source.
- CORS violations and other errors in HTML5 content are reported in the log.
- Credentials can now be used on AJAX requests to the player from web pages not hosted on the player (i.e., the authorization headers are now allowed for CORS).
- Uploader process logs more messages at trace level to diagnose replication issues in Pull Mode.
- New tags for the Configuration API:
  - <video-output-selector> to select the video output connector on DSOS devices.
  - <pullmode-http-capture-log> to capture HTTP traffic for the uploader process.
  - <http-capture-log> to capture HTTP traffic for the player.
- New options for the
  - videoConnectors: true to report the list of attached screens
  - audioConnectors: true to report the list of attached audio connectors