diff --git a/exim.changes b/exim.changes
index 7c945eb..bf4a8d8 100644
--- a/exim.changes
+++ b/exim.changes
@@ -1,3 +1,24 @@
+Mon Jun 8 11:24:08 CEST 2020 - wullinger@rz.uni-kiel.de
+
+- bring in changes from current +fixes (lots of taint check fixes)
+ * Bug 1329: Fix format of Maildir-format filenames to match other mail-
+ related applications. Previously an "H" was used where available info
+ says that "M" should be, so change to match.
+
+ * Bug 2587: Fix pam expansion condition. Tainted values are commonly used
+ as arguments, so an implementation trying to copy these into a local
+ buffer was taking a taint-enforcement trap. Fix by using dynamically
+ created buffers.
+
+ * Bug 2586: Fix listcount expansion operator. Using tainted arguments is
+ reasonable, eg. to count headers. Fix by using dynamically created
+ buffers rather than a local. Do similar fixes for ACL actions "dcc",
+ "log_reject_target", "malware" and "spam"; the arguments are expanded
+ so could be handling tainted values.
+ * Bug 2590: Fix -bi (newaliases). A previous code rearrangement had
+ broken the (no-op) support for this sendmail command. Restore it
+ to doing nothing, silently, and returning good status.
+
 Tue Jun 2 07:12:55 CEST 2020 - wullinger@rz.uni-kiel.de
 
 - update to exim 4.94
diff --git a/exim.spec b/exim.spec
index b2d903c..e6a11fc 100644
--- a/exim.spec
+++ b/exim.spec
@@ -73,7 +73,7 @@ Requires(pre): group(mail)
 Requires(pre): fileutils textutils
 %endif
 Version: 4.94
-Release: 1
+Release: 2
 %if %{with_mysql}
 BuildRequires: mysql-devel
 %endif
@@ -102,6 +102,7 @@ Source32: eximstats.conf-2.2
 Source40: exim.service
 Patch0: exim-tail.patch
 Patch1: gnu_printf.patch
+Patch2: patch-exim-4.94+fixes-0e8319c3edebfec2158fbaa4898af27cb3225c99
 
 %package -n eximon
 Summary: Eximon, an graphical frontend to administer Exim's mail queue
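Review bot: `Patch2:` is added without any comment recording where the file came from, and the file itself is `diff -ru` output with local timestamps rather than an upstream-generated patch, so the commit hash in its name is the only provenance and nothing lets a later reviewer check the content against upstream. A comment above the line, e.g. `# upstream exim-4.94+fixes branch up to commit 0e8319c3edebfec2158fbaa4898af27cb3225c99, source: <upstream repository URL>`, would make that check possible; the same applies to `%patch2 -p1` in the %prep hunk. The check matters here because the exim.changes entry in this commit lists Bug 1329 (Maildir filenames), while the five files the patch touches (README.UPDATING, src/acl.c, src/auths/call_pam.c, src/exim.c, src/expand.c) do not appear to contain that fix.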
@@ -145,6 +146,7 @@ once, if at all. The rest is done by logrotate / cron.)
 %setup -q -n exim-%{version}
 %patch0
 %patch1 -p1
+%patch2 -p1
 # build with fPIE/pie on SUSE 10.0 or newer, or on any other platform
 %if %{?suse_version:%suse_version}%{?!suse_version:99999} > 930
 fPIE="-fPIE"
diff --git a/patch-exim-4.94+fixes-0e8319c3edebfec2158fbaa4898af27cb3225c99 b/patch-exim-4.94+fixes-0e8319c3edebfec2158fbaa4898af27cb3225c99
new file mode 100644
index 0000000..d5043a7
--- /dev/null
+++ b/patch-exim-4.94+fixes-0e8319c3edebfec2158fbaa4898af27cb3225c99
@@ -0,0 +1,112 @@
+diff -ru a/README.UPDATING b/README.UPDATING
+--- a/README.UPDATING 2020-05-30 22:35:38.000000000 +0200
++++ b/README.UPDATING 2020-06-08 10:36:12.136106000 +0200
+@@ -31,9 +31,9 @@
+
+ Some Transports now refuse to use tainted data in constructing their delivery
+ location; this WILL BREAK configurations which are not updated accordingly.
+-In particular: any Transport use of $local_user which has been relying upon
++In particular: any Transport use of $local_part which has been relying upon
+ check_local_user far away in the Router to make it safe, should be updated to
+-replace $local_user with $local_part_data.
++replace $local_part with $local_part_data.
+
+ Attempting to remove, in router or transport, a header name that ends with
+ an asterisk (which is a standards-legal name) will now result in all headers
+diff -ru a/src/acl.c b/src/acl.c
+--- a/src/acl.c 2020-05-30 22:35:38.000000000 +0200
++++ b/src/acl.c 2020-06-08 10:36:13.865973000 +0200
+@@ -3349,11 +3349,11 @@
+ {
+ /* Separate the regular expression and any optional parameters. */
+ const uschar * list = arg;
+- uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
++ uschar *ss = string_nextinlist(&list, &sep, NULL, 0);
+ /* Run the dcc backend. */
+ rc = dcc_process(&ss);
+ /* Modify return code based upon the existence of options. */
+- while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size)))
++ while ((ss = string_nextinlist(&list, &sep, NULL, 0)))
+ if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
+ rc = FAIL; /* FAIL so that the message is passed to the next ACL */
+ }
+@@ -3514,7 +3514,7 @@
+ int sep = 0;
+ const uschar *s = arg;
+ uschar * ss;
+- while ((ss = string_nextinlist(&s, &sep, big_buffer, big_buffer_size)))
++ while ((ss = string_nextinlist(&s, &sep, NULL, 0)))
+ {
+ if (Ustrcmp(ss, "main") == 0) logbits |= LOG_MAIN;
+ else if (Ustrcmp(ss, "panic") == 0) logbits |= LOG_PANIC;
+@@ -3567,7 +3567,7 @@
+ {
+ /* Separate the regular expression and any optional parameters. */
+ const uschar * list = arg;
+- uschar * ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
++ uschar * ss = string_nextinlist(&list, &sep, NULL, 0);
+ uschar * opt;
+ BOOL defer_ok = FALSE;
+ int timeout = 0;
+@@ -3672,11 +3672,11 @@
+ {
+ /* Separate the regular expression and any optional parameters. */
+ const uschar * list = arg;
+- uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
++ uschar *ss = string_nextinlist(&list, &sep, NULL, 0);
+
+ rc = spam(CUSS &ss);
+ /* Modify return code based upon the existence of options. */
+- while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size)))
++ while ((ss = string_nextinlist(&list, &sep, NULL, 0)))
+ if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
+ rc = FAIL; /* FAIL so that the message is passed to the next ACL */
+ }
+diff -ru a/src/auths/call_pam.c b/src/auths/call_pam.c
+--- a/src/auths/call_pam.c 2020-05-30 22:35:38.000000000 +0200
++++ b/src/auths/call_pam.c 2020-06-08 10:36:12.138178000 +0200
+@@ -83,8 +83,7 @@
+ {
+ case PAM_PROMPT_ECHO_ON:
+ case PAM_PROMPT_ECHO_OFF:
+- arg = string_nextinlist(&pam_args, &sep, big_buffer, big_buffer_size);
+- if (!arg)
++ if (!(arg = string_nextinlist(&pam_args, &sep, NULL, 0)))
+ {
+ arg = US"";
+ pam_arg_ended = TRUE;
+@@ -155,7 +154,7 @@
+ fail. PAM doesn't support authentication with an empty user (it prompts for it,
+ causing a potential mis-interpretation). */
+
+-user = string_nextinlist(&pam_args, &sep, big_buffer, big_buffer_size);
++user = string_nextinlist(&pam_args, &sep, NULL, 0);
+ if (user == NULL || user[0] == 0) return FAIL;
+
+ /* Start off PAM interaction */
+diff -ru a/src/exim.c b/src/exim.c
+--- a/src/exim.c 2020-05-30 22:35:38.000000000 +0200
++++ b/src/exim.c 2020-06-08 10:36:13.871593000 +0200
+@@ -2148,7 +2148,7 @@
+ concept of *the* alias file, but since Sun's YP make script calls
+ sendmail this way, some support must be provided. */
+ case 'i':
+- if (!*++argrest) bi_option = TRUE;
++ if (!*argrest) bi_option = TRUE;
+ else badarg = TRUE;
+ break;
+
+diff -ru a/src/expand.c b/src/expand.c
+--- a/src/expand.c 2020-05-30 22:35:38.000000000 +0200
++++ b/src/expand.c 2020-06-08 10:36:13.873752000 +0200
+@@ -7208,9 +7208,8 @@
+ {
+ int cnt = 0;
+ int sep = 0;
+- uschar buffer[256];
+
+- while (string_nextinlist(CUSS &sub, &sep, buffer, sizeof(buffer))) cnt++;
++ while (string_nextinlist(CUSS &sub, &sep, NULL, 0)) cnt++;
+ yield = string_fmt_append(yield, "%d", cnt);
+ continue;
+ }
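Review bot: In the listcount change to src/expand.c, `while (string_nextinlist(CUSS &sub, &sep, NULL, 0)) cnt++;` now gets every element back in a newly created buffer (the changelog's "dynamically created buffers") only to discard it, so memory use grows with the length of a list that, by the changelog's own example, can be built from message headers. The loop needs only the count, so the copies could be released right after it if the store allocator permits a mark/reset at this point, or the cost at least flagged with a comment such as `/* NULL buffer: each element is copied into new store just to be counted */`. The same per-element allocation is introduced in the option loops in src/acl.c and in src/auths/call_pam.c, where the lists are presumably short and the cost negligible. The enclosing case in expand.c starts and ends outside the hunk, so how long these allocations live cannot be seen here.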