
[meta-webserver,scarthgap] nginx: Fix for CVE-2026-28755

Message ID 20260406053611.103282-1-hprajapati@mvista.com

Commit Message

Hitendra Prajapati April 6, 2026, 5:36 a.m. UTC
Pick the patch from [1], which is mentioned in the Debian report [2].
[1] https://github.com/nginx/nginx/commit/78f581487706f2e43eea5a060c516fc4d98090e8
[2] https://security-tracker.debian.org/tracker/CVE-2026-28755

Note: a separate patch is added for each version to avoid patch fuzz when applying.

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
 .../nginx/nginx-1.24.0/CVE-2026-28755.patch   | 48 +++++++++++++++++++
 .../nginx/nginx-1.25.5/CVE-2026-28755.patch   | 48 +++++++++++++++++++
 .../recipes-httpd/nginx/nginx_1.24.0.bb       |  5 +-
 .../recipes-httpd/nginx/nginx_1.25.5.bb       |  2 +
 4 files changed, 102 insertions(+), 1 deletion(-)
 create mode 100644 meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-28755.patch
 create mode 100644 meta-webserver/recipes-httpd/nginx/nginx-1.25.5/CVE-2026-28755.patch

diff --git a/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-28755.patch b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-28755.patch
new file mode 100644
index 0000000000..37e6d5b3b4
--- /dev/null
+++ b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-28755.patch
@@ -0,0 +1,48 @@ 
+From 78f581487706f2e43eea5a060c516fc4d98090e8 Mon Sep 17 00:00:00 2001
+From: Sergey Kandaurov <pluknet@nginx.com>
+Date: Tue, 17 Mar 2026 19:20:03 +0400
+Subject: [PATCH] Stream: fixed client certificate validation with OCSP.
+
+Check for OCSP status was missed in 581cf2267, resulting
+in a broken validation.
+
+Reported by Mufeed VH of Winfunc Research.
+
+CVE: CVE-2026-28755
+Upstream-Status: Backport [https://github.com/nginx/nginx/commit/78f581487706f2e43eea5a060c516fc4d98090e8]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/stream/ngx_stream_ssl_module.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c
+index 1ba1825..c8e8323 100644
+--- a/src/stream/ngx_stream_ssl_module.c
++++ b/src/stream/ngx_stream_ssl_module.c
+@@ -335,6 +335,7 @@ ngx_stream_ssl_handler(ngx_stream_session_t *s)
+     long                    rc;
+     X509                   *cert;
+     ngx_int_t               rv;
++    const char		    *str;
+     ngx_connection_t       *c;
+     ngx_stream_ssl_conf_t  *sslcf;
+ 
+@@ -385,6 +386,15 @@ ngx_stream_ssl_handler(ngx_stream_session_t *s)
+ 
+             X509_free(cert);
+         }
++
++        if (ngx_ssl_ocsp_get_status(c, &str) != NGX_OK) {
++            ngx_log_error(NGX_LOG_INFO, c->log, 0,
++                          "client SSL certificate verify error: %s", str);
++
++            ngx_ssl_remove_cached_session(c->ssl->session_ctx,
++                                       (SSL_get0_session(c->ssl->connection)));
++            return NGX_ERROR;
++        }
+     }
+ 
+     return NGX_OK;
+-- 
+2.50.1
+
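Review bot: The added declaration line `const char		    *str;` mixes a tab with spaces, while the neighbouring declarations in the same block (`rc`, `cert`, `rv`, `c`, `sslcf`) are column-aligned with spaces only; the 1.25.5 copy of this patch carries the same tab-indented line. Writing it as `    const char             *str;` keeps the declaration column consistent with the rest of ngx_stream_ssl_handler. The function begins before this hunk and the enclosing `if` block is only partly visible, so the placement of the new OCSP check relative to the surrounding verify condition cannot be confirmed from here. Worth noting for operators: the rejection is logged at NGX_LOG_INFO, so OCSP-based client-certificate rejections only appear when error_log is configured at the info level.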
diff --git a/meta-webserver/recipes-httpd/nginx/nginx-1.25.5/CVE-2026-28755.patch b/meta-webserver/recipes-httpd/nginx/nginx-1.25.5/CVE-2026-28755.patch
new file mode 100644
index 0000000000..fdb3dbb7e5
--- /dev/null
+++ b/meta-webserver/recipes-httpd/nginx/nginx-1.25.5/CVE-2026-28755.patch
@@ -0,0 +1,48 @@ 
+From 78f581487706f2e43eea5a060c516fc4d98090e8 Mon Sep 17 00:00:00 2001
+From: Sergey Kandaurov <pluknet@nginx.com>
+Date: Tue, 17 Mar 2026 19:20:03 +0400
+Subject: [PATCH] Stream: fixed client certificate validation with OCSP.
+
+Check for OCSP status was missed in 581cf2267, resulting
+in a broken validation.
+
+Reported by Mufeed VH of Winfunc Research.
+
+CVE: CVE-2026-28755
+Upstream-Status: Backport [https://github.com/nginx/nginx/commit/78f581487706f2e43eea5a060c516fc4d98090e8]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/stream/ngx_stream_ssl_module.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c
+index 6dee106..9357d09 100644
+--- a/src/stream/ngx_stream_ssl_module.c
++++ b/src/stream/ngx_stream_ssl_module.c
+@@ -342,6 +342,7 @@ ngx_stream_ssl_handler(ngx_stream_session_t *s)
+     long                        rc;
+     X509                       *cert;
+     ngx_int_t                   rv;
++    const char			*str;
+     ngx_connection_t           *c;
+     ngx_stream_ssl_srv_conf_t  *sscf;
+ 
+@@ -392,6 +393,15 @@ ngx_stream_ssl_handler(ngx_stream_session_t *s)
+ 
+             X509_free(cert);
+         }
++
++        if (ngx_ssl_ocsp_get_status(c, &str) != NGX_OK) {
++            ngx_log_error(NGX_LOG_INFO, c->log, 0,
++                          "client SSL certificate verify error: %s", str);
++
++            ngx_ssl_remove_cached_session(c->ssl->session_ctx,
++                                       (SSL_get0_session(c->ssl->connection)));
++            return NGX_ERROR;
++        }
+     }
+ 
+     return NGX_OK;
+-- 
+2.50.1
+
diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
index e5666f6fe6..ac1178318a 100644
--- a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
+++ b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
@@ -2,7 +2,10 @@  require nginx.inc
 
 LIC_FILES_CHKSUM = "file://LICENSE;md5=175abb631c799f54573dc481454c8632"
 
-SRC_URI:append = " file://CVE-2023-44487.patch"
+SRC_URI:append = " \
+		  file://CVE-2023-44487.patch \
+		  file://CVE-2026-28755.patch \
+		  "
 
 SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d"
 
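Review bot: The continuation lines of the new multi-line `SRC_URI:append` (the two `file://` entries and the closing quote) are indented with tabs; OpenEmbedded recipe style, as far as I know, indents continuation lines with spaces, so `    file://CVE-2023-44487.patch \` and `    file://CVE-2026-28755.patch \` followed by a `    "` line would match the usual layer convention. The resulting value should be the same either way, since the whitespace inside the quoted string presumably only separates entries.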
diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.25.5.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.25.5.bb
index b8ab1ef59e..bb2dda0c13 100644
--- a/meta-webserver/recipes-httpd/nginx/nginx_1.25.5.bb
+++ b/meta-webserver/recipes-httpd/nginx/nginx_1.25.5.bb
@@ -6,5 +6,7 @@  DEFAULT_PREFERENCE = "-1"
 
 LIC_FILES_CHKSUM = "file://LICENSE;md5=a6547d7e5628787ee2a9c5a3480eb628"
 
+SRC_URI:append = " file://CVE-2026-28755.patch"
+
 SRC_URI[sha256sum] = "2fe2294f8af4144e7e842eaea884182a84ee7970e11046ba98194400902bbec0"