diff --git a/sblim-sfcb-1.3.16-escape.patch b/sblim-sfcb-1.3.16-escape.patch
new file mode 100644
index 0000000..ab12c48
--- /dev/null
+++ b/sblim-sfcb-1.3.16-escape.patch
@@ -0,0 +1,49 @@
+diff -up sblim-sfcb-1.3.16/cimXmlGen.c.escape sblim-sfcb-1.3.16/cimXmlGen.c
+--- sblim-sfcb-1.3.16/cimXmlGen.c.escape	2013-04-29 14:29:14.084335007 +0200
++++ sblim-sfcb-1.3.16/cimXmlGen.c	2013-04-29 14:28:44.000000000 +0200
+@@ -70,6 +70,23 @@ const char *opGetClassNameChars(CMPIObje
+   data2xml((data),(obj),(name),(refname),(btag),sizeof(btag)-1,(etag), \
+ 	   sizeof(etag)-1,(sb),(qsb),(inst),(param))
+ 
++static int add_escaped_instance(UtilStringBuffer *sb, CMPIInstance *inst)
++{
++    UtilStringBuffer *instance;
++
++    _SFCB_ENTER(TRACE_CIMXMLPROC, "add_escaped_instance");
++
++    instance = UtilFactory->newStrinBuffer(1024);
++    if (!instance)
++        _SFCB_RETURN(1);
++
++    instance2xml(inst, instance, 0);
++    char *escaped = XMLEscape((char *) instance->ft->getCharPtr(instance), NULL);
++    sb->ft->appendChars(sb, escaped);
++    free(escaped);
++    instance->ft->release(instance);
++    _SFCB_RETURN(0);
++}
+ 
+ char *XMLEscape(char *in, int *outlen)
+ {
+@@ -542,9 +559,7 @@ int value2xml(CMPIData d, UtilStringBuff
+ 	 }
+       }
+       else if(d.type == CMPI_instance) {
+-         SFCB_APPENDCHARS_BLOCK(sb, "<![CDATA[");
+-         instance2xml(d.value.inst, sb, 0);
+-         SFCB_APPENDCHARS_BLOCK(sb, "]]>");
++         add_escaped_instance(sb, d.value.inst);
+ 	 splen = 0;
+       }
+       else {
+@@ -754,9 +769,7 @@ void data2xml(CMPIData * data, void *obj
+          else SFCB_APPENDCHARS_BLOCK(sb, "\" TYPE=\"string\">\n");
+          if(data->value.inst) {
+ 	         SFCB_APPENDCHARS_BLOCK(sb, "<VALUE>");
+-	         SFCB_APPENDCHARS_BLOCK(sb, "<![CDATA[");
+-	         instance2xml(data->value.inst, sb, 0);
+-	         SFCB_APPENDCHARS_BLOCK(sb, "]]>");
++	         add_escaped_instance(sb, data->value.inst);
+ 	         SFCB_APPENDCHARS_BLOCK(sb, "</VALUE>\n");
+          }
+      }
diff --git a/sblim-sfcb.spec b/sblim-sfcb.spec
index 1711345..a0c3909 100644
--- a/sblim-sfcb.spec
+++ b/sblim-sfcb.spec
@@ -27,6 +27,8 @@ Patch4: sblim-sfcb-1.3.15-fix-provider-debugging.patch
 Patch5: sblim-sfcb-1.3.16-invalid-read.patch
 Patch6: sblim-sfcb-1.3.16-invalid-read2.patch
 Patch7: sblim-sfcb-1.3.16-embedded-crash.patch
+# Patch8: already upstream, http://sourceforge.net/p/sblim/sfcb-tix/44/
+Patch8: sblim-sfcb-1.3.16-escape.patch
 Source1: sfcb.service
 Provides: cim-server
 Requires: cim-schema
@@ -59,6 +61,7 @@ Programming Interface (CMPI).
 %patch5 -p1 -b .invalid-read
 %patch6 -p1 -b .invalid-read2
 %patch7 -p1 -b .embedded-crash
+%patch8 -p1 -b .escape
 
 %build
 %configure --enable-debug --enable-uds --enable-ssl --enable-pam --enable-ipv6 CFLAGS="$CFLAGS -D_GNU_SOURCE -fPIE -DPIE" LDFLAGS="$LDFLAGS -Wl,-z,now -pie"
@@ -116,6 +119,8 @@ fi;
 * Mon May 20 2013 Vitezslav Crhonek <vcrhonek@redhat.com> - 1.3.16-3
 - Fix indCIMXmlHandler crash in IndCIMXMLHandlerInvokeMethod with Embedded Instances 
   Resolves: #957747
+- Fix sfcb creates invalid XML with embedded object inside embedded object
+  Resolves: #957742
 
 * Tue Jan 29 2013 Vitezslav Crhonek <vcrhonek@redhat.com> - 1.3.16-2
 - Fix URL in the spec file