Description: <short summary of the patch>
 TODO: Put a short summary on the line above and replace this paragraph
 with a longer explanation of this change. Complete the meta-information
 with other relevant fields (see below for details). To make it easier, the
 information below has been extracted from the changelog. Adjust it or drop
 it.
 .
 apt-cacher-ng (2-2) testing; urgency=high
 .
   * Special version only for Debian Stretch, solving moderate security issues:
     + hardening against HTTP header splitting attack (no user input printed in
       the HTTP headers anymore; backport from Sid, related to CVE-2017-7443)
     + hardening against unintended or malicious triggering of hidden space
       allocation, by disabling the fallocate completely. This is ultima ratio,
       trading code simplicity for fragmentation avoiding efforts; a smarter
       solution is found in upstream version 3; closes: #856635)
     + handle a corner case of bad TLS handshake with invalid certificate
       (related to #839751)
Author: Eduard Bloch <blade@debian.org>
Bug-Debian: https://bugs.debian.org/856635

---
The information above should follow the Patch Tagging Guidelines; please
check out http://dep.debian.net/deps/dep3/ to learn about the format. Here
are templates for supplementary fields that you might want to add:

Origin: <vendor|upstream|other>, <url of original patch>
Bug: <url in upstream bugtracker>
Bug-Debian: https://bugs.debian.org/<bugnumber>
Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
Forwarded: <no|not-needed|url proving that it has been forwarded>
Reviewed-By: <name and email of someone who approved the patch>
Last-Update: 2017-05-08

--- apt-cacher-ng-2.orig/source/fileio.cc
+++ apt-cacher-ng-2/source/fileio.cc
@@ -17,7 +17,7 @@ using namespace std;
 namespace acng
 {
 
-#ifdef HAVE_LINUX_FALLOCATE
+#ifdef DISABLED_FOR_NOW
 
 int falloc_helper(int fd, off_t start, off_t len)
 {
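Review bot: The new guard `#ifdef DISABLED_FOR_NOW` at the top of this hunk gives no reason for the switch-off, and anyone who defines that macro in a build silently re-enables the fallocate path the changelog calls a hidden space allocation risk. I would add a comment directly above it, for example `// fallocate preallocation disabled on purpose (Debian #856635): it can be triggered unintentionally or maliciously; do not define this macro`. The body of falloc_helper and the matching `#else`/`#endif` are outside the hunk, so it is worth confirming that the fallback branch is what now compiles. It is also worth checking that no other site still tests `HAVE_LINUX_FALLOCATE`.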
--- apt-cacher-ng-2.orig/source/job.cc
+++ apt-cacher-ng-2/source/job.cc
@@ -712,9 +712,7 @@ report_overload:
     return ;
 
 report_notallowed:
-	SetErrorResponse((tSS() << "403 Forbidden file type or location: " << sReqPath).c_str(),
-			nullptr, "403 Forbidden file type or location");
-//    USRDBG( sRawUriPath + " -- ACCESS FORBIDDEN");
+	SetErrorResponse("403 Forbidden file type or location");
     return ;
 
 report_offlineconf:
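Review bot: The constant-only `SetErrorResponse("403 Forbidden file type or location");` under `report_notallowed` carries no comment saying why the request path must stay out of it, so a later change could put `sReqPath` back for convenience. I would add `// constant text only: request-derived data must never reach the status line (header splitting, related to CVE-2017-7443)` above the call. With the commented-out `USRDBG` line also removed, nothing visible here records which path was refused. If operators need that, it should go to the server-side log rather than the response. The enclosing function and the other `report_*` labels lie outside the hunk, so I cannot tell whether they still build responses from request data.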
--- apt-cacher-ng-2.orig/source/tcpconnect.cc
+++ apt-cacher-ng-2/source/tcpconnect.cc
@@ -585,11 +585,19 @@ bool tcpconnect::SSLinit(mstring &sErr,
 	if(!cfg::nsafriendly)
 	{
 		hret=SSL_get_verify_result(ssl);
-		if( hret != X509_V_OK)
+		if(hret != X509_V_OK)
 		{
 			perr=X509_verify_cert_error_string(hret);
 			goto ssl_init_fail;
 		}
+		auto server_cert = SSL_get_peer_certificate(ssl);
+		if(server_cert)
+			X509_free(server_cert);
+		else
+		{
+			perr="Incompatible remote certificate";
+			goto ssl_init_fail;
+		}
 	}
 
 	return true;
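Review bot: The added `SSL_get_peer_certificate(ssl)` null check has no comment explaining why it is needed after the verify-result test, and the message "Incompatible remote certificate" does not describe the case it catches. `SSL_get_verify_result` also returns `X509_V_OK` when the peer presented no certificate at all, so I would add `// X509_V_OK is also returned when no peer certificate was presented; require one explicitly` above the `auto server_cert` line. I would also consider changing the string to `perr="No certificate presented by remote";`. Neither check visible here ties the certificate to the expected host name. SSLinit starts before this hunk, so please confirm that host name verification is configured earlier in the function. The whole block is skipped when `cfg::nsafriendly` is set, which deserves a note wherever that option is documented.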
