diff --git a/SOURCES/libxml2-2.9.7-CVE-2016-3709.patch b/SOURCES/libxml2-2.9.7-CVE-2016-3709.patch
new file mode 100644
index 0000000..1306320
--- /dev/null
+++ b/SOURCES/libxml2-2.9.7-CVE-2016-3709.patch
@@ -0,0 +1,88 @@
+From c1ba6f54d32b707ca6d91cb3257ce9de82876b6f Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 15 Aug 2020 18:32:29 +0200
+Subject: [PATCH] Revert "Do not URI escape in server side includes"
+
+This reverts commit 960f0e275616cadc29671a218d7fb9b69eb35588.
+
+This commit introduced
+
+- an infinite loop, found by OSS-Fuzz, which could be easily fixed.
+- an algorithm with quadratic runtime
+- a security issue, see
+  https://bugzilla.gnome.org/show_bug.cgi?id=769760
+
+A better approach is to add an option not to escape URLs at all
+which libxml2 should have possibly done in the first place.
+---
+ HTMLtree.c | 49 +++++++++++--------------------------------------
+ 1 file changed, 11 insertions(+), 38 deletions(-)
+
+diff --git a/HTMLtree.c b/HTMLtree.c
+index 8d236bb3..cdb7f86a 100644
+--- a/HTMLtree.c
++++ b/HTMLtree.c
+@@ -706,49 +706,22 @@ htmlAttrDumpOutput(xmlOutputBufferPtr buf, xmlDocPtr doc, xmlAttrPtr cur,
+ 		 (!xmlStrcasecmp(cur->name, BAD_CAST "src")) ||
+ 		 ((!xmlStrcasecmp(cur->name, BAD_CAST "name")) &&
+ 		  (!xmlStrcasecmp(cur->parent->name, BAD_CAST "a"))))) {
++		xmlChar *escaped;
+ 		xmlChar *tmp = value;
+-		/* xmlURIEscapeStr() escapes '"' so it can be safely used. */
+-		xmlBufCCat(buf->buffer, "\"");
+ 
+ 		while (IS_BLANK_CH(*tmp)) tmp++;
+ 
+-		/* URI Escape everything, except server side includes. */
+-		for ( ; ; ) {
+-		    xmlChar *escaped;
+-		    xmlChar endChar;
+-		    xmlChar *end = NULL;
+-		    xmlChar *start = (xmlChar *)xmlStrstr(tmp, BAD_CAST "<!--");
+-		    if (start != NULL) {
+-			end = (xmlChar *)xmlStrstr(tmp, BAD_CAST "-->");
+-			if (end != NULL) {
+-			    *start = '\0';
+-			}
+-		    }
+-
+-		    /* Escape the whole string, or until start (set to '\0'). */
+-		    escaped = xmlURIEscapeStr(tmp, BAD_CAST"@/:=?;#%&,+");
+-		    if (escaped != NULL) {
+-		        xmlBufCat(buf->buffer, escaped);
+-		        xmlFree(escaped);
+-		    } else {
+-		        xmlBufCat(buf->buffer, tmp);
+-		    }
+-
+-		    if (end == NULL) { /* Everything has been written. */
+-			break;
+-		    }
+-
+-		    /* Do not escape anything within server side includes. */
+-		    *start = '<'; /* Restore the first character of "<!--". */
+-		    end += 3; /* strlen("-->") */
+-		    endChar = *end;
+-		    *end = '\0';
+-		    xmlBufCat(buf->buffer, start);
+-		    *end = endChar;
+-		    tmp = end;
++		/*
++		 * the < and > have already been escaped at the entity level
++		 * And doing so here breaks server side includes
++		 */
++		escaped = xmlURIEscapeStr(tmp, BAD_CAST"@/:=?;#%&,+<>");
++		if (escaped != NULL) {
++		    xmlBufWriteQuotedString(buf->buffer, escaped);
++		    xmlFree(escaped);
++		} else {
++		    xmlBufWriteQuotedString(buf->buffer, value);
+ 		}
+-
+-		xmlBufCCat(buf->buffer, "\"");
+ 	    } else {
+ 		xmlBufWriteQuotedString(buf->buffer, value);
+ 	    }
+-- 
+GitLab
+
diff --git a/SPECS/libxml2.spec b/SPECS/libxml2.spec
index 78c1b5f..9bb97c1 100644
--- a/SPECS/libxml2.spec
+++ b/SPECS/libxml2.spec
@@ -7,7 +7,7 @@
 
 Name:           libxml2
 Version:        2.9.7
-Release:        13%{?dist}.1
+Release:        15%{?dist}
 Summary:        Library providing XML and HTML support
 
 License:        MIT
@@ -48,8 +48,10 @@ Patch14:        libxml2-2.9.7-CVE-2021-3537.patch
 Patch15:        libxml2-2.9.7-CVE-2021-3541.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2057664
 Patch16:        libxml2-2.9.7-CVE-2022-23308.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=2082297
+# https://bugzilla.redhat.com/show_bug.cgi?id=2082298
 Patch17:        libxml2-2.9.7-CVE-2022-29824.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2120781
+Patch18:        libxml2-2.9.7-CVE-2016-3709.patch
 
 BuildRequires:  gcc
 BuildRequires:  cmake-rpm-macros
@@ -221,8 +223,11 @@ gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz
 %{python3_sitearch}/libxml2mod.so
 
 %changelog
-* Thu May 12 2022 David King <dking@redhat.com> - 2.9.7-13.1
-- Fix CVE-2022-29824 (#2082297)
+* Wed Aug 24 2022 David King <dking@redhat.com> - 2.9.7-15
+- Fix CVE-2016-3709 (#2120781)
+
+* Thu May 12 2022 David King <dking@redhat.com> - 2.9.7-14
+- Fix CVE-2022-29824 (#2082298)
 
 * Thu Feb 24 2022 David King <dking@redhat.com> - 2.9.7-13
 - Bump release (#2057664)