diff -urN ../exim-4.94.2.orig/doc/ChangeLog ./doc/ChangeLog
--- ../exim-4.94.2.orig/doc/ChangeLog	2021-04-30 15:08:21.000000000 +0300
+++ ./doc/ChangeLog	2021-07-11 14:43:19.270534000 +0300
@@ -220,6 +220,17 @@
 QS/04 Always die if requested from internal logging, even is logging is
       disabled.
 
+JH/52 Fix ${ip6norm:} operator.  Previously, any trailing line text was dropped,
+      making it unusable in complex expressions.
+
+JH/53 Bug 2743: fix immediate-delivery via named queue.  Previously this would
+      fail with a taint-check on the spoolfile name, and leave the message
+      queued.
+
+JH/57 Fix control=fakreject for a custom message containing tainted data.
+      Previously this resulted in a log complaint, due to a re-expansion present
+      since fakereject was originally introduced.
+
 
 Exim version 4.94
 -----------------
diff -urN ../exim-4.94.2.orig/src/acl.c ./src/acl.c
--- ../exim-4.94.2.orig/src/acl.c	2021-04-30 15:08:21.000000000 +0300
+++ ./src/acl.c	2021-07-11 14:43:19.292314000 +0300
@@ -3137,7 +3137,9 @@
 	    {
 	    const uschar *pp = p + 1;
 	    while (*pp) pp++;
-	    fake_response_text = expand_string(string_copyn(p+1, pp-p-1));
+	    /* The entire control= line was expanded at top so no need to expand
+	    the part after the / */
+	    fake_response_text = string_copyn(p+1, pp-p-1);
 	    p = pp;
 	    }
 	   else /* Explicitly reset to default string */
diff -urN ../exim-4.94.2.orig/src/exim.c ./src/exim.c
--- ../exim-4.94.2.orig/src/exim.c	2021-04-30 15:08:21.000000000 +0300
+++ ./src/exim.c	2021-07-11 14:43:19.311552000 +0300
@@ -2789,9 +2789,11 @@
 		  else badarg = TRUE;
 		  break;
 
-    /* -MCG: set the queue name, to a non-default value */
+    /* -MCG: set the queue name, to a non-default value. Arguably, anything
+       from the commandline should be tainted - but we will need an untainted
+       value for the spoolfile when doing a -odi delivery process. */
 
-	case 'G': if (++i < argc) queue_name = string_copy_taint(exim_str_fail_toolong(argv[i], EXIM_DRIVERNAME_MAX, "-MCG"), TRUE);
+	case 'G': if (++i < argc) queue_name = string_copy_taint(exim_str_fail_toolong(argv[i], EXIM_DRIVERNAME_MAX, "-MCG"), FALSE);
 		  else badarg = TRUE;
 		  break;
 
diff -urN ../exim-4.94.2.orig/src/host.c ./src/host.c
--- ../exim-4.94.2.orig/src/host.c	2021-04-30 15:08:21.000000000 +0300
+++ ./src/host.c	2021-07-11 14:43:19.320765000 +0300
@@ -1197,9 +1197,9 @@
   c++;
   }
 
-c[-1] = '\0';	/* drop trailing colon */
+*--c = '\0';	/* drop trailing colon */
 
-/* debug_printf("%s: D k %d <%s> <%s>\n", __FUNCTION__, k, d, d + 2*(k+1)); */
+/* debug_printf("%s: D k %d <%s> <%s>\n", __FUNCTION__, k, buffer, buffer + 2*(k+1)); */
 if (k >= 0)
   {			/* collapse */
   c = d + 2*(k+1);
@@ -1581,7 +1581,7 @@
 
   if (hosts->h_aliases)
     {
-    int count = 1;
+    int count = 1;  /* need 1 more for terminating NULL */
     uschar **ptr;
 
     for (uschar ** aliases = USS hosts->h_aliases; *aliases; aliases++) count++;
@@ -1690,7 +1690,7 @@
       {
       uschar **aptr = NULL;
       int ssize = 264;
-      int count = 0;
+      int count = 1;  /* need 1 more for terminating NULL */
       int old_pool = store_pool;
 
       sender_host_dnssec = dns_is_secure(dnsa);
diff -urN ../exim-4.94.2.orig/src/transports/smtp.c ./src/transports/smtp.c
--- ../exim-4.94.2.orig/src/transports/smtp.c	2021-04-30 15:08:21.000000000 +0300
+++ ./src/transports/smtp.c	2021-07-11 14:43:19.356821000 +0300
@@ -2015,7 +2015,7 @@
       {
       case OK:		sx->conn_args.dane = TRUE;
 			ob->tls_tempfail_tryclear = FALSE;	/* force TLS */
-			ob->tls_sni = sx->first_addr->domain;	/* force SNI */
+                        ob->tls_sni = sx->conn_args.host->name; /* force SNI */
 			break;
       case FAIL_FORCED:	break;
       default:		set_errno_nohost(sx->addrlist, ERRNO_DNSDEFER,
@@ -2097,7 +2097,7 @@
 	  {
 	  case OK:		sx->conn_args.dane = TRUE;
 				ob->tls_tempfail_tryclear = FALSE;	/* force TLS */
-				ob->tls_sni = sx->first_addr->domain;	/* force SNI */
+				ob->tls_sni = sx->conn_args.host->name; /* force SNI */
 				break;
 	  case FAIL_FORCED:	break;
 	  default:		set_errno_nohost(sx->addrlist, ERRNO_DNSDEFER,
diff -urN ../exim-4.94.2.orig/src/version.h ./src/version.h
--- ../exim-4.94.2.orig/src/version.h	2021-04-30 15:11:38.000000000 +0300
+++ ./src/version.h	2021-07-11 14:43:20.105137000 +0300
@@ -1,5 +1,5 @@
 /* automatically generated file - see ../scripts/reversion */
-#define EXIM_RELEASE_VERSION "4.94.2"
+#define EXIM_RELEASE_VERSION "4.94.2-8-c819f3bca"
 #ifdef EXIM_VARIANT_VERSION
 #define EXIM_VERSION_STR EXIM_RELEASE_VERSION "-" EXIM_VARIANT_VERSION
 #else
diff -urN ../exim-4.94.2.orig/src/version.sh ./src/version.sh
--- ../exim-4.94.2.orig/src/version.sh	2021-04-30 15:11:38.000000000 +0300
+++ ./src/version.sh	2021-07-11 14:43:20.104801000 +0300
@@ -1,3 +1,3 @@
 # automatically generated file - see ../scripts/reversion
-EXIM_RELEASE_VERSION="4.94.2"
+EXIM_RELEASE_VERSION="4.94.2-8-c819f3bca"
 EXIM_COMPILE_NUMBER="1"