diff --git a/community/libreswan/APKBUILD b/community/libreswan/APKBUILD
index 9820234f1c2f754794f8734d4c71c59f4fabe29a..9d2c642741143d137ca651f3893c27909219d6b6 100644
--- a/community/libreswan/APKBUILD
+++ b/community/libreswan/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=libreswan
 pkgver=4.9
-pkgrel=0
+pkgrel=1
 pkgdesc="IPsec implementation for Linux"
 url="https://libreswan.org/"
 arch="all"
@@ -28,11 +28,14 @@ makedepends="
 	"
 subpackages="$pkgname-doc $pkgname-openrc"
 source="https://download.libreswan.org/libreswan-$pkgver.tar.gz
+	CVE-2023-23009-libreswan-4.2-4.9.patch
 	initd-runscript.patch
 	Makefile.inc.local
 	"
 
 # secfixes:
+#   4.9-r1:
+#     - CVE-2023-23009
 #   4.6-r0:
 #     - CVE-2022-23094
 #   3.32-r0:
@@ -65,6 +68,7 @@ package() {
 
 sha512sums="
 4a43b09b0ef1bacc64ca1b74e7c268df7f024d8b6a9633a489f373ecd9327b173e9508dbc13c4d25ee74f3e2ba569d9d38dfd851fd98cf3cde4a61ef90a1d9d5  libreswan-4.9.tar.gz
+98bf86c5e45de1de0ada47b391039a5bba89f31febf2747009edb3db7ba141952e12dc475b4794d6e5e4f23231aeb86a1651aecca4ce7ebc24162246f9a6329b  CVE-2023-23009-libreswan-4.2-4.9.patch
 50bba031d0342695727f520840d3e3650bd9ffae918374f03b122573152d08399128e9fb04e6a52321801f3d5dc7c9eab96364ae581f3e673c947dc283e45c04  initd-runscript.patch
 94bcde573fc320450864394f3824bfe23e6ac8528a7b0b8a7d97d02a3883b6f47951f8a89a2c46cc394c65c5b3f9788b644f7f911f90ac78540e6479715e0a11  Makefile.inc.local
 "
diff --git a/community/libreswan/CVE-2023-23009-libreswan-4.2-4.9.patch b/community/libreswan/CVE-2023-23009-libreswan-4.2-4.9.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3c9cf577b336ac8c5dadfd8dca4a13e90d0b5e7d
--- /dev/null
+++ b/community/libreswan/CVE-2023-23009-libreswan-4.2-4.9.patch
@@ -0,0 +1,16 @@
+diff --git a/programs/pluto/ikev2_ts.c b/programs/pluto/ikev2_ts.c
+index 3f7519ca38..f06c40ba46 100644
+- - --- a/programs/pluto/ikev2_ts.c
++++ b/programs/pluto/ikev2_ts.c
+@@ -437,6 +437,11 @@ static bool v2_parse_tss(struct payload_digest *const ts_pd,
+ 		d = pbs_in_struct(&ts_pd->pbs, &ikev2_ts_header_desc,
+ 			  &ts_h, sizeof(ts_h), &ts_body_pbs);
+ 
++		if (d != NULL) {
++			llog_diag(RC_LOG, logger, &d, "%s", "");
++			return false;
++		}
++
+ 		switch (ts_h.isath_type) {
+ 		case IKEv2_TS_IPV4_ADDR_RANGE:
+ 		case IKEv2_TS_IPV6_ADDR_RANGE:
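Review bot: The old-file header inside the added patch file, `- - --- a/programs/pluto/ikev2_ts.c`, is not a valid unified-diff header; the `- - ` prefix looks like leftover dash-escaping from a clearsigned advisory, though that origin is inferred. As written, applying the CVE-2023-23009 fix depends on the patch tool recovering the target path from the `diff --git` and `+++` lines, which a stricter tool may refuse to do. The line should read `--- a/programs/pluto/ikev2_ts.c`, and the patch's sha512sums entry in APKBUILD would then need regenerating. It is also worth confirming in the build log that the hunk applies to `ikev2_ts.c`, since the added `if (d != NULL)` check is the entire fix. The body of `v2_parse_tss` starts and ends outside the inner hunk, so the rest of the traffic-selector parsing is not covered by this note.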