nginx: Fix for CVE-2026-28755

Pick patch from [1] which mentioned in debian report [2] [1] https://github.com/nginx/nginx/commit/78f581487706f2e43eea5a060c516fc4d98090e8 [2] https://security-tracker.debian.org/tracker/CVE-2026-28755 Note: Add different patch for both version to resolve fuzz issue. Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-06-13 17:39:57 +00:00 · 2026-04-06 11:06:11 +05:30
parent 9310c3b1a4
commit d086d0b43e
4 changed files with 102 additions and 1 deletions
@@ -0,0 +1,48 @@
+From 78f581487706f2e43eea5a060c516fc4d98090e8 Mon Sep 17 00:00:00 2001
+From: Sergey Kandaurov <pluknet@nginx.com>
+Date: Tue, 17 Mar 2026 19:20:03 +0400
+Subject: [PATCH] Stream: fixed client certificate validation with OCSP.
+
+Check for OCSP status was missed in 581cf2267, resulting
+in a broken validation.
+
+Reported by Mufeed VH of Winfunc Research.
+
+CVE: CVE-2026-28755
+Upstream-Status: Backport [https://github.com/nginx/nginx/commit/78f581487706f2e43eea5a060c516fc4d98090e8]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/stream/ngx_stream_ssl_module.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c
+index 1ba1825..c8e8323 100644
+--- a/src/stream/ngx_stream_ssl_module.c
+++ b/src/stream/ngx_stream_ssl_module.c
+@@ -335,6 +335,7 @@ ngx_stream_ssl_handler(ngx_stream_session_t *s)
+     long                    rc;
+     X509                   *cert;
+     ngx_int_t               rv;
+    const char		    *str;
+     ngx_connection_t       *c;
+     ngx_stream_ssl_conf_t  *sslcf;
+ 
+@@ -385,6 +386,15 @@ ngx_stream_ssl_handler(ngx_stream_session_t *s)
+ 
+             X509_free(cert);
+         }
+
+        if (ngx_ssl_ocsp_get_status(c, &str) != NGX_OK) {
+            ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                          "client SSL certificate verify error: %s", str);
+
+            ngx_ssl_remove_cached_session(c->ssl->session_ctx,
+                                       (SSL_get0_session(c->ssl->connection)));
+            return NGX_ERROR;
+        }
+     }
+ 
+     return NGX_OK;
+-- 
+2.50.1
+
@@ -0,0 +1,48 @@
+From 78f581487706f2e43eea5a060c516fc4d98090e8 Mon Sep 17 00:00:00 2001
+From: Sergey Kandaurov <pluknet@nginx.com>
+Date: Tue, 17 Mar 2026 19:20:03 +0400
+Subject: [PATCH] Stream: fixed client certificate validation with OCSP.
+
+Check for OCSP status was missed in 581cf2267, resulting
+in a broken validation.
+
+Reported by Mufeed VH of Winfunc Research.
+
+CVE: CVE-2026-28755
+Upstream-Status: Backport [https://github.com/nginx/nginx/commit/78f581487706f2e43eea5a060c516fc4d98090e8]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/stream/ngx_stream_ssl_module.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c
+index 6dee106..9357d09 100644
+--- a/src/stream/ngx_stream_ssl_module.c
+++ b/src/stream/ngx_stream_ssl_module.c
+@@ -342,6 +342,7 @@ ngx_stream_ssl_handler(ngx_stream_session_t *s)
+     long                        rc;
+     X509                       *cert;
+     ngx_int_t                   rv;
+    const char			*str;
+     ngx_connection_t           *c;
+     ngx_stream_ssl_srv_conf_t  *sscf;
+ 
+@@ -392,6 +393,15 @@ ngx_stream_ssl_handler(ngx_stream_session_t *s)
+ 
+             X509_free(cert);
+         }
+
+        if (ngx_ssl_ocsp_get_status(c, &str) != NGX_OK) {
+            ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                          "client SSL certificate verify error: %s", str);
+
+            ngx_ssl_remove_cached_session(c->ssl->session_ctx,
+                                       (SSL_get0_session(c->ssl->connection)));
+            return NGX_ERROR;
+        }
+     }
+ 
+     return NGX_OK;
+-- 
+2.50.1
+
@@ -2,7 +2,10 @@ require nginx.inc

 LIC_FILES_CHKSUM = "file://LICENSE;md5=175abb631c799f54573dc481454c8632"

-SRC_URI:append = " file://CVE-2023-44487.patch"
+SRC_URI:append = " \
+                  file://CVE-2023-44487.patch \
+                  file://CVE-2026-28755.patch \
+"

 SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d"

@@ -6,5 +6,7 @@ DEFAULT_PREFERENCE = "-1"

 LIC_FILES_CHKSUM = "file://LICENSE;md5=a6547d7e5628787ee2a9c5a3480eb628"

+SRC_URI:append = " file://CVE-2026-28755.patch"
+
 SRC_URI[sha256sum] = "2fe2294f8af4144e7e842eaea884182a84ee7970e11046ba98194400902bbec0"