diff --git a/CVE-2023-23009.patch b/CVE-2023-23009.patch
new file mode 100644
index 0000000000000000000000000000000000000000..65d64d38e82923340159f650644e29b4e158724d
--- /dev/null
+++ b/CVE-2023-23009.patch
@@ -0,0 +1,16 @@
+diff --git a/programs/pluto/ikev2_ts.c b/programs/pluto/ikev2_ts.c
+index 3f7519ca38..f06c40ba46 100644
+--- a/programs/pluto/ikev2_ts.c
++++ b/programs/pluto/ikev2_ts.c
+@@ -437,6 +437,11 @@ static bool v2_parse_tss(struct payload_digest *const ts_pd,
+ 		d = pbs_in_struct(&ts_pd->pbs, &ikev2_ts_header_desc,
+ 			  &ts_h, sizeof(ts_h), &ts_body_pbs);
+ 
++		if (d != NULL) {
++			llog_diag(RC_LOG, logger, &d, "%s", "");
++			return false;
++		}
++
+ 		switch (ts_h.isath_type) {
+ 		case IKEv2_TS_IPV4_ADDR_RANGE:
+ 		case IKEv2_TS_IPV6_ADDR_RANGE:
diff --git a/libreswan.spec b/libreswan.spec
index 2a831708c965313f04e388e4d8bf952ac3668d60..0f61ceb51d78025932e6fc1400813521919cf138 100644
--- a/libreswan.spec
+++ b/libreswan.spec
@@ -26,7 +26,7 @@
 Name: libreswan
 Summary: IKE implementation for IPsec with IKEv1 and IKEv2 support
 Version: 4.5
-Release: 2
+Release: 3
 License: GPLv2
 Url: https://libreswan.org/
 Source0: https://download.libreswan.org/%{name}-%{version}.tar.gz
@@ -36,6 +36,8 @@ Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2
 Source4: openeuler-libreswan-sysctl.conf
 #https://libreswan.org/security/CVE-2022-23094/
 Patch0:  CVE-2022-23094.patch
+#https://libreswan.org/security/CVE-2023-23009/
+Patch1:  CVE-2023-23009.patch
 
 
 BuildRequires: audit-libs-devel
@@ -190,6 +192,9 @@ certutil -N -d sql:$tmpdir --empty-password
 %attr(0644,root,root) %doc %{_mandir}/*/*
 
 %changelog
+* Tue Mar 07 2023 yaoxin <yaoxin30@h-partners.com> - 4.5-3
+- Fix CVE-2023-23009
+
 * Tue Jun 28 2022 yaoxin <yaoxin30@h-partners.com> - 4.5-2
 - Fix CVE-2022-23094