diff --git a/CVE-2023-41080.patch b/CVE-2023-41080.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6b7ab80b8bfa2e433a044a37a5f1010becd54890
--- /dev/null
+++ b/CVE-2023-41080.patch
@@ -0,0 +1,29 @@
+From 77c0ce2d169efa248b64b992e547aad549ec906b Mon Sep 17 00:00:00 2001
+From: Mark Thomas
+Date: Tue, 22 Aug 2023 11:31:23 -0700
+Subject: [PATCH] Avoid protocol relative redirects
+
+Origin: https://github.com/apache/tomcat/commit/77c0ce2d169efa248b64b992e547aad549ec906b
+
+---
+ .../apache/catalina/authenticator/FormAuthenticator.java | 6 ++++++
+ webapps/docs/changelog.xml | 3 +++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/java/org/apache/catalina/authenticator/FormAuthenticator.java b/java/org/apache/catalina/authenticator/FormAuthenticator.java
+index a57db51776b..d54cc62182e 100644
+--- a/java/org/apache/catalina/authenticator/FormAuthenticator.java
++++ b/java/org/apache/catalina/authenticator/FormAuthenticator.java
+@@ -747,6 +747,12 @@ protected String savedRequestURL(Session session) {
+ sb.append('?');
+ sb.append(saved.getQueryString());
+ }
++
++ // Avoid protocol relative redirects
++ while (sb.length() > 1 && sb.charAt(1) == '/') {
++ sb.deleteCharAt(0);
++ }
++
+ return sb.toString();
+ }
+ }
diff --git a/tomcat.spec b/tomcat.spec
index 88ae475ee5eb39561f89f8620ab463702f762a56..1fab7e5133fb80a67e1974a2afbd911c9d2ba22b 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -13,7 +13,7 @@
 Name: tomcat
 Epoch: 1
 Version: %{major_version}.%{minor_version}.%{micro_version}
-Release: 28
+Release: 29
 Summary: Implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies
 License: ASL 2.0
 URL: http://tomcat.apache.org/
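Review bot: In the FormAuthenticator.java hunk carried by CVE-2023-41080.patch, the new loop tests only `sb.charAt(1) == '/'` and then deletes index 0, so it relies on the buffer already starting with `/`; the saved request URI presumably guarantees that, but the start of savedRequestURL is outside the hunk and the guarantee is not visible here. Making the condition explicit, `while (sb.length() > 1 && sb.charAt(0) == '/' && sb.charAt(1) == '/') {`, keeps the loop from dropping a non-slash first character if that assumption ever changes. The comment would help more if it stated the reason, e.g. `// A saved URI starting with "//" is read by browsers as a protocol-relative URL, so the post-login redirect could leave this host; collapse leading slashes to one`. Separately, the patch header's diffstat still lists webapps/docs/changelog.xml and 9 insertions while only the 6-line FormAuthenticator hunk is included; a line in the patch description saying the changelog hunk was dropped on purpose would keep the trimmed backport from being mistaken for a truncated one.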
@@ -104,6 +104,7 @@ Patch6069: CVE-2022-23181.patch Patch6070: CVE-2022-42252.patch Patch6071: CVE-2023-28708-pre.patch Patch6072: CVE-2023-28708.patch +Patch6073: CVE-2023-41080.patch BuildRequires: ecj >= 1:4.6.1 findutils apache-commons-collections apache-commons-daemon BuildRequires: apache-commons-dbcp apache-commons-pool tomcat-taglibs-standard ant @@ -111,9 +112,8 @@ BuildRequires: jpackage-utils >= 0:1.7.0 java-devel >= 1:1.8.0 junit javapackage BuildRequires: geronimo-saaj aqute-bndlib aqute-bnd systemd-units wsdl4j geronimo-jaxrpc Requires: procps jpackage-utils java-headless >= 1:1.8.0 apache-commons-daemon -Requires: tomcat-taglibs-standard >= 0:1.1 ecj - -Requires: libtcnative-1-0 >= 1.2.14 +Requires: tomcat-taglibs-standard >= 0:1.1 ecj libtcnative-1-0 >= 1.2.14 +Requires: apache-commons-dbcp apache-commons-pool apache-commons-collections Requires(pre): shadow-utils Requires(post): chkconfig @@ -505,6 +505,10 @@ fi %{_javadocdir}/%{name} %changelog +* Thu Sep 07 2023 wangkai <13474090681@163.com> - 1:9.0.10-29 +- Fix CVE-2023-41080 +- Add requires apache-commons-dbcp,pool,collections for fix path error + * Mon Apr 17 2023 wangkai <13474090681@163.com> - 1:9.0.10-28 - Fix CVE-2023-28708
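Review bot: The `Requires:` hunk (-111,9 +112,8) adds runtime dependencies on `apache-commons-dbcp apache-commons-pool apache-commons-collections` in the same release as the CVE-2023-41080 fix, and the only explanation is the changelog entry "for fix path error". A spec comment above the new line, such as `# runtime deps: <path or symlink that breaks without these packages>`, or a separate release for the dependency change, would keep the security update easy to audit and backport on its own. The added requirements are also unversioned, unlike `libtcnative-1-0 >= 1.2.14` on the line before; if a minimum version matters for the path fix, it should be stated.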