diff -Nru strongswan-5.9.5/debian/changelog strongswan-5.9.5/debian/changelog
--- strongswan-5.9.5/debian/changelog 2022-02-03 15:49:49.000000000 +0000
+++ strongswan-5.9.5/debian/changelog 2022-03-18 18:24:34.000000000 +0000
@@ -1,3 +1,11 @@
+strongswan (5.9.5-2ubuntu2) jammy; urgency=medium
+
+ * d/p/lp1964977-fix-ipsec-pki-segfault.patch: Fix "ipsec pki"
+ segmentation fault; don't access OpenSSL objects inside atexit()
+ handlers. (LP: #1964977)
+
+ -- Sergio Durigan Junior Fri, 18 Mar 2022 14:24:34 -0400
+
 strongswan (5.9.5-2ubuntu1) jammy; urgency=medium
 
 * Merge with Debian unstable. Remaining changes:
diff -Nru strongswan-5.9.5/debian/patches/lp1964977-fix-ipsec-pki-segfault.patch strongswan-5.9.5/debian/patches/lp1964977-fix-ipsec-pki-segfault.patch
--- strongswan-5.9.5/debian/patches/lp1964977-fix-ipsec-pki-segfault.patch 1970-01-01 00:00:00.000000000 +0000
+++ strongswan-5.9.5/debian/patches/lp1964977-fix-ipsec-pki-segfault.patch 2022-03-18 18:22:04.000000000 +0000
@@ -0,0 +1,89 @@
+From: Tobias Brunner
+Date: Wed, 23 Feb 2022 17:29:02 +0100
+Subject: openssl: Don't unload providers
+
+There is a conflict between atexit() handlers registered by OpenSSL and
+some executables (e.g. swanctl or pki) to deinitialize libstrongswan.
+Because plugins are usually loaded after atexit() has been called, the
+handler registered by OpenSSL will run before our handler. So when the
+latter destroys the plugins it's a bad idea to try to access any OpenSSL
+objects as they might already be invalid.
+
+Fixes: f556fce16b60 ("openssl: Load "legacy" provider in OpenSSL 3 for algorithms like MD4, DES etc.")
+Closes strongswan/strongswan#921
+
+Origin: upstream, https://github.com/strongswan/strongswan/commit/3eecd40cec6415fc033f8d9141ab652047e71524
+Bug: https://github.com/strongswan/strongswan/issues/921
+Bug: https://github.com/openssl/openssl/issues/15915
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1964977
+Applied-Upstream: 6.0dr14
+---
+ src/libstrongswan/plugins/openssl/openssl_plugin.c | 27 +++-------------------
+ 1 file changed, 3 insertions(+), 24 deletions(-)
+
+diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
+index c93ea60..f1d0ad8 100644
+--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
++++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
+@@ -16,7 +16,6 @@
+ 
+ #include
+ #include
+-#include
+ #include
+ #include
+ #include
+@@ -74,13 +73,6 @@ struct private_openssl_plugin_t {
+ * public functions
+ */
+ openssl_plugin_t public;
+-
+-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+- /**
+- * Loaded providers
+- */
+- array_t *providers;
+-#endif
+ };
+ 
+ /**
+@@ -887,15 +879,6 @@ METHOD(plugin_t, get_features, int,
+ METHOD(plugin_t, destroy, void,
+ private_openssl_plugin_t *this)
+ {
+-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+- OSSL_PROVIDER *provider;
+- while (array_remove(this->providers, ARRAY_TAIL, &provider))
+- {
+- OSSL_PROVIDER_unload(provider);
+- }
+- array_destroy(this->providers);
+-#endif /* OPENSSL_VERSION_NUMBER */
+-
+ /* OpenSSL 1.1.0 cleans up itself at exit and while OPENSSL_cleanup() exists we
+ * can't call it as we couldn't re-initialize the library (as required by the
+ * unit tests and the Android app) */
+@@ -1009,20 +992,16 @@ plugin_t *openssl_plugin_create()
+ DBG1(DBG_LIB, "unable to load OpenSSL FIPS provider");
+ return NULL;
+ }
+- array_insert_create(&this->providers, ARRAY_TAIL, fips);
+ /* explicitly load the base provider containing encoding functions */
+- array_insert_create(&this->providers, ARRAY_TAIL,
+- OSSL_PROVIDER_load(NULL, "base"));
++ OSSL_PROVIDER_load(NULL, "base");
+ }
+ else if (lib->settings->get_bool(lib->settings, "%s.plugins.openssl.load_legacy",
+ TRUE, lib->ns))
+ {
+ /* load the legacy provider for algorithms like MD4, DES, BF etc. */
+- array_insert_create(&this->providers, ARRAY_TAIL,
+- OSSL_PROVIDER_load(NULL, "legacy"));
++ OSSL_PROVIDER_load(NULL, "legacy");
+ /* explicitly load the default provider, as mentioned by crypto(7) */
+- array_insert_create(&this->providers, ARRAY_TAIL,
+- OSSL_PROVIDER_load(NULL, "default"));
++ OSSL_PROVIDER_load(NULL, "default");
+ }
+ ossl_provider_names_t data = {};
+ OSSL_PROVIDER_do_all(NULL, concat_ossl_providers, &data);
diff -Nru strongswan-5.9.5/debian/patches/series strongswan-5.9.5/debian/patches/series
--- strongswan-5.9.5/debian/patches/series 2022-02-03 15:49:49.000000000 +0000
+++ strongswan-5.9.5/debian/patches/series 2022-03-18 18:22:04.000000000 +0000
@@ -3,3 +3,4 @@
 03_systemd-service.patch
 04_disable-libtls-tests.patch
 dont-load-kernel-libipsec-plugin-by-default.patch
+lp1964977-fix-ipsec-pki-segfault.patch
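Review bot: In the last hunk of the embedded patch (openssl_plugin_create, the `@@ -1009,20 +992,16 @@` hunk) the return values of `OSSL_PROVIDER_load(NULL, "base")`, `"legacy"` and `"default"` are now discarded, so a provider that fails to load is silently ignored, whereas the FIPS branch a few lines above logs `DBG1(DBG_LIB, "unable to load OpenSSL FIPS provider")` and returns NULL. The previous code did not check either (it stored a possible NULL in the array), so this is a pre-existing gap rather than a regression, but dropping the handle entirely removes the only place a failure could later be noticed, and a missing legacy provider shows up for operators as unexplained MD4/DES failures instead of a log line. A minimal, behaviour-neutral improvement is `if (!OSSL_PROVIDER_load(NULL, "legacy")) { DBG1(DBG_LIB, "unable to load OpenSSL legacy provider"); }` and the same for "base" and "default"; whether the plugin should fail hard as in the FIPS case is a policy question I cannot settle from the hunk. Giving up the handles also means the providers can no longer be unloaded on plugin destroy, which is the trade-off the patch description argues for, so worth a one-line comment at the first `OSSL_PROVIDER_load` such as `/* handles are intentionally not kept: unloading in destroy() races OpenSSL's own atexit() cleanup */`. openssl_plugin_create() starts and ends outside the hunk.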