nginx: upgrade 1.28.2 -> 1.28.3

Changes:
*) Security: a buffer overflow might occur while handling a COPY or MOVE
   request in a location with "alias", allowing an attacker to modify
   the source or destination path outside of the document root
   (CVE-2026-27654).

*) Security: processing of a specially crafted mp4 file by the
   ngx_http_mp4_module on 32-bit platforms might cause a worker process
   crash, or might have potential other impact (CVE-2026-27784).

*) Security: processing of a specially crafted mp4 file by the
   ngx_http_mp4_module might cause a worker process crash, or might have
   potential other impact (CVE-2026-32647).

*) Security: a segmentation fault might occur in a worker process if the
   CRAM-MD5 or APOP authentication methods were used and authentication
   retry was enabled (CVE-2026-27651).

*) Security: an attacker might use PTR DNS records to inject data in
   auth_http requests, as well as in the XCLIENT command in the backend
   SMTP connection (CVE-2026-28753).

*) Security: SSL handshake might succeed despite OCSP rejecting a client
   certificate in the stream module (CVE-2026-28755).

*) Change: now nginx limits the size and rate of QUIC stateless reset
   packets.

*) Bugfix: receiving a QUIC packet by a wrong worker process could cause
   the connection to terminate.

*) Bugfix: in the ngx_http_mp4_module.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>

meta-webserver/recipes-httpd/nginx/nginx_1.28.3.bb

@@ -2,6 +2,6 @@ require nginx.inc
 
 LIC_FILES_CHKSUM = "file://LICENSE;md5=3dc49537b08b14c8b66ad247bb4c4593"
 
-SRC_URI[sha256sum] = "20e5e0f2c917acfb51120eec2fba9a4ba4e1e10fd28465067cc87a7d81a829a3"
+SRC_URI[sha256sum] = "2c96a946bfb0882a21744ed429770a2123ae1828c7c48665092993ddee91a918"
 
 CVE_STATUS[CVE-2025-53859] = "cpe-stable-backport: Fix is included in 1.28.1"