libcurl: update to 7.73.0

1 files changed, 1801 insertions, 1849 deletions

diff --git a/libs/libcurl/docs/CHANGES b/libs/libcurl/docs/CHANGES
index 51a99f4d52..b5bc305951 100644
--- a/libs/libcurl/docs/CHANGES
+++ b/libs/libcurl/docs/CHANGES
@@ -6,6 +6,1806 @@
 
                                   Changelog
 
+Version 7.73.0 (14 Oct 2020)
+
+Daniel Stenberg (14 Oct 2020)
+- RELEASE-NOTES: synced
+  
+  for 7.73.0
+
+- THANKS: from 7.73.0 and .mailmap fixes
+
+- mailmap: fixups of some contributors
+
+- projects/build-wolfssl.bat: fix the copyright year range
+
+Marc Hoersken (14 Oct 2020)
+- [Sergei Nikulov brought this change]
+
+  CI/tests: fix invocation of tests for CMake builds
+  
+  Update appveyor.yml to set env variable TFLAGS and run tests
+  Remove curly braces due to CMake error (${TFLAGS} -> $TFLAGS)
+  Move testdeps build to build step (per review comments)
+  
+  Reviewed-by: Marc Hörsken
+  
+  Closes #6066
+  Fixes #6052
+
+- tests/server/util.c: fix support for Windows Unicode builds
+  
+  Detected via #6066
+  Closes #6070
+
+Daniel Stenberg (13 Oct 2020)
+- [Jay Satiro brought this change]
+
+  strerror: Revert to local codepage for Windows error string
+  
+  - Change get_winapi_error() to return the error string in the local
+    codepage instead of UTF-8 encoding.
+  
+  Two weeks ago bed5f84 fixed get_winapi_error() to work on xbox, but it
+  also changed the error string's encoding from local codepage to UTF-8.
+  
+  We return the local codepage version of the error string because if it
+  is output to the user's terminal it will likely be with functions which
+  expect the local codepage (eg fprintf, failf, infof).
+  
+  This is essentially a partial revert of bed5f84. The support for xbox
+  remains but the error string is reverted back to local codepage.
+  
+  Ref: https://github.com/curl/curl/pull/6005
+  
+  Reviewed-by: Marcel Raad
+  Closes #6065
+
+Marc Hoersken (13 Oct 2020)
+- CI/tests: use verification curl for test reporting APIs
+  
+  Avoid using our own, potentially installed, curl for
+  the test reporting APIs in case it is broken.
+  
+  Reviewed-by: Daniel Stenberg
+  
+  Preparation for #6049
+  Closes #6063
+
+Viktor Szakats (12 Oct 2020)
+- windows: fix comparison of mismatched types warning
+  
+  clang 10, mingw-w64:
+  ```
+  vtls/openssl.c:2917:33: warning: comparison of integers of different signs: 'DWORD' (aka 'unsigned long') and 'HRESULT' (aka 'long')
+        [-Wsign-compare]
+                if(GetLastError() != CRYPT_E_NOT_FOUND)
+                   ~~~~~~~~~~~~~~ ^  ~~~~~~~~~~~~~~~~~
+  ```
+  
+  Approved-by: Daniel Stenberg
+  Closes #6062
+
+Daniel Stenberg (11 Oct 2020)
+- [Viktor Szakats brought this change]
+
+  src/Makefile.m32: fix undefined curlx_dyn_* errors
+  
+  by linking `lib/dynbuf.c` when building a static curl binary.
+  Previously this source file was only included when building
+  a dynamic curl binary. This was likely possibly because no
+  functions from the `src/Makefile.inc` / `CURLX_CFILES` sources
+  were actually required for a curl tool build. This has
+  recently changed with the introduction of `curlx_dyn_*()`
+  memory functions and their use by the tool sources.
+  
+  Closes #6060
+
+- HISTORY: curl verifies SSL certs by default since version 7.10
+
+Marc Hoersken (8 Oct 2020)
+- runtests.pl: use $LIBDIR variable instead of hardcoded path
+  
+  Reviewed-by: Daniel Stenberg
+  Closes #6051
+
+Daniel Stenberg (7 Oct 2020)
+- checksrc: detect // comments on column 0
+  
+  Spotted while working on #6045
+  
+  Closes #6048
+
+- [Frederik Wedel-Heinen brought this change]
+
+  mbedtls: add missing header when defining MBEDTLS_DEBUG
+  
+  Closes #6045
+
+- curl: make sure setopt CURLOPT_IPRESOLVE passes on a long
+  
+  Previously, it would pass on a define (int) which could make libcurl
+  read junk as a value - which prevented the CURLOPT_IPRESOLVE option to
+  "take". This could then make test 2100 do two DoH requests instead of
+  one!
+  
+  Fixes #6042
+  Closes #6043
+
+- RELEASE-NOTES: synced
+
+- scripts/release-notes.pl: don't "embed" $ in format string for printf()
+  
+  ... since they might contain %-codes that mess up the output!
+
+Jay Satiro (5 Oct 2020)
+- [M.R.T brought this change]
+
+  build-wolfssl: fix build with Visual Studio 2019
+  
+  Closes https://github.com/curl/curl/pull/6033
+
+Daniel Stenberg (4 Oct 2020)
+- runtests: add %repeat[]% for test files
+  
+  ... and use this new keywords in all the test files larger than 50K to reduce
+  their sizes and make them a lot easier to read and understand.
+  
+  Closes #6040
+
+- [Emil Engler brought this change]
+
+  --help: move two options from the misc category
+  
+  The cmdline opts delegation and suppress-connect-headers
+  fit better into auth and proxy rather than misc.
+  
+  Follow-up to aa8777f63febc
+  Closes #6038
+
+- [Samanta Navarro brought this change]
+
+  docs/opts: fix typos in two manual pages
+  
+  Closes #6039
+
+- ldap: reduce the amount of #ifdefs needed
+  
+  Closes #6035
+
+- runtests: provide curl's version string as %VERSION for tests
+  
+  ... so that we can check HTTP requests for User-Agent: curl/%VERSION
+  
+  Update 600+ test cases accordingly.
+  
+  Closes #6037
+
+- checksrc: warn on space after exclamation mark
+  
+  Closes #6034
+
+- test1465: verify --libcurl with binary POST data
+
+- runtests: allow generating a binary sequence from hex
+
+- tool_setopt: escape binary data to hex, not octal
+
+- curl: make --libcurl show binary posts correctly
+  
+  Reported-by: Stephan Mühlstrasser
+  Fixes #6031
+  Closes #6032
+
+Jay Satiro (1 Oct 2020)
+- strerror: fix null deref on winapi out-of-memory
+  
+  Follow-up to bed5f84 from several days ago.
+  
+  Ref: https://github.com/curl/curl/pull/6005
+
+Daniel Stenberg (1 Oct 2020)
+- [Kamil Dudka brought this change]
+
+  vtls: deduplicate some DISABLE_PROXY ifdefs
+  
+  ... in the code of gtls, nss, and openssl
+  
+  Closes #5735
+
+- RELEASE-NOTES: synced
+
+- [Emil Engler brought this change]
+
+  TODO: Add OpenBSD libtool notice
+  
+  See #5862
+  Closes #6030
+
+- tests/unit/README: convert to markdown
+  
+  ... and add to dist!
+  
+  Closes #6028
+
+- tests/README: convert to markdown
+  
+  Closes #6028
+
+- include/README: convert to markdown
+  
+  Closes #6028
+
+- examples/README: convert to markdown
+  
+  Closes #6028
+
+- configure: don't say HTTPS-proxy is enabled when disabled!
+  
+  Reported-by: Kamil Dudka
+  Reviewed-by: Kamil Dudka
+  Bug: https://github.com/curl/curl/pull/5735#issuecomment-701376388
+  Closes #6029
+
+Daniel Gustafsson (30 Sep 2020)
+- src: Consistently spell whitespace without whitespace
+  
+  Whitespace is spelled without a space between white and space, so
+  make sure to consistently spell it that way across the codebase.
+  
+  Closes #6023
+  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+  Reviewed-by: Emil Engler <me@emilengler.com>
+
+- MANUAL: update examples to resolve without redirects
+  
+  www.netscape.com is redirecting to a cookie consent form on Aol, and
+  cool.haxx.se isn't responding to FTP anymore. Replace with examples
+  that resolves in case users try out the commands when reading the
+  manual.
+  
+  Closes #6024
+  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+  Reviewed-by: Emil Engler <me@emilengler.com>
+
+Daniel Stenberg (30 Sep 2020)
+- HISTORY: add some 2020 events
+
+- sectransp: make it build with --disable-proxy
+  
+  Follow-up from #5466 and f3d501dc678d80
+  Reported-by: Javier Navarro
+  Fixes #6025
+  Closes #6026
+
+- ECH: renamed from ESNI in docs and configure
+  
+  Encrypted Client Hello (ECH) is the current name.
+  
+  Closes #6022
+
+- configure: use "no" instead of "disabled" for the end summary
+  
+  ... for consistency but also to make them more distinctly stand out next
+  to the "enabled" lines.
+
+- TODO: SSH over HTTPS proxy with more backends
+  
+  ... as right now only the libssh2 backend supports it.
+
+- libssh2: handle the SSH protocols done over HTTPS proxy
+  
+  Reported-by: Robin Douine
+  Fixes #4295
+  Closes #6021
+
+- [Emil Engler brought this change]
+
+  memdebug: remove 9 year old unused debug function
+  
+  There used to be a way to have memdebug fill allocated memory. 9 years
+  later this has no value there (valgrind and ASAN etc are way better). If
+  people need to know about it they can have a look at VCS logs.
+  
+  Closes #5973
+
+- sendf: move Curl_sendf to dict.c and make it static
+  
+  ... as the only remaining user of that function. Also fix gopher.c to
+  instead use Curl_write()
+  
+  Closes #6020
+
+- ROADMAP: updates and cleanups
+  
+  Fix the HSTS PR
+  
+  Remove DoT, thread-safe init and hard-coded localhost. I feel very
+  little interest for these with users so I downgrade them to plain "TODO"
+  entries again.
+
+- schannel: return CURLE_PEER_FAILED_VERIFICATION for untrusted root
+  
+  This matches what is returned in other TLS backends in the same
+  situation.
+  
+  Reviewed-by: Jay Satiro
+  Reviewed-by: Emil Engler
+  Follow-up to 5a3efb1
+  Reported-by: iammrtau on github
+  Fixes #6003
+  Closes #6018
+
+- RELEASE-NOTES: synced
+
+- ftp: make a 552 response return CURLE_REMOTE_DISK_FULL
+  
+  Added test 348 to verify. Added a 'STOR' command to the test FTP
+  server to enable test 348. Documented the command in FILEFORMAT.md
+  
+  Reported-by: Duncan Wilcox
+  Fixes #6016
+  Closes #6017
+
+- pause: only trigger a reread if the unpause sticks
+  
+  As an unpause might itself get paused again and then triggering another
+  reread doesn't help.
+  
+  Follow-up from e040146f22608fd9 (shipped since 7.69.1)
+  
+  Bug: https://curl.haxx.se/mail/lib-2020-09/0081.html
+  Patch-by: Kunal Chandarana
+  Fixes #5988
+  Closes #6013
+
+- test163[12]: require http to be built-in to run
+  
+  ... as speaking over an HTTPS proxy implies http!
+  
+  Closes #6014
+
+- ngtcp2: adapt to new NGTCP2_PROTO_VER_MAX define
+  
+  Closes #6012
+
+- [Javier Blazquez brought this change]
+
+  strerror: honor Unicode API choice on Windows
+  
+  Closes #6005
+
+- imap: make imap_send use dynbuf for the send buffer management
+  
+  Reuses the buffer and thereby reduces number of mallocs over a transfer.
+  
+  Closes #6010
+
+- Curl_send: return error when pre_receive_plain can't malloc
+  
+  ... will probably trigger some false DEAD CODE positives on non-windows
+  code analyzers for the conditional code.
+  
+  Closes #6011
+
+- ftp: separate FTPS from FTP over "HTTPS proxy"
+  
+  When using HTTPS proxy, SSL is used but not in the view of the FTP
+  protocol handler itself so separate the connection's use of SSL from the
+  FTP control connection's sue.
+  
+  Reported-by: Mingtao Yang
+  Fixes #5523
+  Closes #6006
+
+Dan Fandrich (23 Sep 2020)
+- tests/data: Fix some mismatched XML tags in test cases
+  
+  This allows these test files to pass xmllint.
+
+Daniel Stenberg (23 Sep 2020)
+- pingpong: use a dynbuf for the *_pp_sendf() function
+  
+  ... reuses the same dynamic buffer instead of doing repeated malloc/free
+  cycles.
+  
+  Test case 100 (FTP dir list PASV) does 7 fewer memory allocation calls
+  after this change in my test setup (132 => 125), curl 7.72.0 needed 140
+  calls for this.
+  
+  Test case 103 makes 9 less allocations now (130). Down from 149 in
+  7.72.0.
+  
+  Closes #6004
+
+- dynbuf: add Curl_dyn_vaddf
+  
+  Closes #6004
+
+- dynbuf: make *addf() not require extra mallocs
+  
+  ... by introducing a printf() function that appends directly into a
+  dynbuf: Curl_dyn_vprintf(). This avoids the mandatory extra malloc so if
+  the buffer is already big enough it can just printf directly into it.
+  
+  Since this less-malloc version requires tthe use of a library internal
+  printf function, we only provide this version when building libcurl and
+  not for the dynbuf code that is used when building the curl tool.
+  
+  Closes #5998
+
+- KNOWN_BUGS: Unable to use PKCS12 certificate with Secure Transport
+  
+  Closes #5403
+
+- pingpong: remove a malloc per Curl_pp_vsendf call
+  
+  This typically makes 7-9 fewer mallocs per FTP transfer.
+  
+  Closes #5997
+
+- symbian: drop support
+  
+  The OS is deprecated. I see no traces of anyone having actually built
+  curl for Symbian after 2012.
+  
+  The public headers are unmodified.
+  
+  Closes #5989
+
+- RELEASE-NOTES: synced
+
+- curl_krb5.h: rename from krb5.h
+  
+  Follow-up from f4873ebd0be32cf
+  
+  Turns out some older openssl installations go bananas otherwise.
+  Reported-by: Tom van der Woerdt
+  Fixes #5995
+  Closes #5996
+
+- test1297: verify GOT_NOTHING with http proxy tunnel
+
+- http_proxy: do not count proxy headers in the header bytecount
+  
+  ... as that counter is subsequently used to detect if nothing was
+  returned from the peer. This made curl return CURLE_OK when it should
+  have returned CURLE_GOT_NOTHING.
+  
+  Fixes #5992
+  Reported-by: Tom van der Woerdt
+  Closes #5994
+
+- setopt: return CURLE_BAD_FUNCTION_ARGUMENT on bad argument
+  
+  Fixed two return code mixups. CURLE_UNKNOWN_OPTION is saved for when the
+  option is, yeah, not known. Clarified this in the setopt man page too.
+  
+  Closes #5993
+
+- krb5: merged security.c and krb specific FTP functions in here
+  
+  These two files were always tightly connected and it was hard to
+  understand what went into which. This also allows us to make the
+  ftpsend() function static (moved from ftp.c).
+  
+  Removed security.c
+  Renamed curl_sec.h to krb5.h
+  
+  Closes #5987
+
+- Curl_handler: add 'family' to each protocol
+  
+  Makes get_protocol_family() faster and it moves the knowledge about the
+  "families" to each protocol handler, where it belongs.
+  
+  Closes #5986
+
+- parsedate: tune the date to epoch conversion
+  
+  By avoiding an unnecessary error check and the temp use of the tm
+  struct, the time2epoch conversion function gets a little bit faster.
+  When repeating test 517, the updated version is perhaps 1% faster (on
+  one particular build on one particular architecture).
+  
+  Closes #5985
+
+- cmake: remove scary warning
+  
+  Remove the text saying
+  
+  "the curl cmake build system is poorly maintained. Be aware"
+  
+  ... not because anything changed just now, but to encourage users to use
+  it and subsequently improve it.
+  
+  Closes #5984
+
+- docs/MQTT: remove outdated paaragraphs
+
+- docs/MQTT: not experimental anymore
+  
+  Follow-up to e37e4468688d8f
+
+- docs/RESOURCES: remove
+  
+  This document is not maintained and rather than trying to refresh it,
+  let's kill it. A more up-to-date document with relevant RFCs is this
+  page on the curl website: https://curl.haxx.se/rfc/
+  
+  Closes #5980
+
+- docs/TheArtOfHttpScripting: convert to markdown
+  
+  Makes it easier to browse on github etc. Offers (better) links.
+  
+  It should be noted that this document is already mostly outdated and
+  "Everything curl" at https://ec.haxx.se/ is a better resource and
+  tutorial.
+  
+  Closes #5981
+
+- BUGS: convert document to markdown
+  
+  Closes #5979
+
+- --help: strdup the category
+  
+  ... since it is converted and the original pointer is freed on Windows
+  unicode handling.
+  
+  Follow-up to aa8777f63febc
+  Fixes #5977
+  Closes #5978
+  Reported-by: xwxbug on github
+
+- CHECKSRC: document two missing warnings
+
+- RELEASE-NOTES: synced
+
+- ftp: avoid risk of reading uninitialized integers
+  
+  If the received PASV response doesn't match the expected pattern, we
+  could end up reading uninitialized integers for IP address and port
+  number.
+  
+  Issue pointed out by muse.dev
+  Closes #5972
+
+- [Quentin Balland brought this change]
+
+  easy_reset: clear retry counter
+  
+  Closes #5975
+  Fixes #5974
+
+- ftp: get rid of the PPSENDF macro
+  
+  The use of such a macro hides some of what's actually going on to the
+  reader and is generally disapproved of in the project.
+  
+  Closes #5971
+
+- man pages: switch to https://example.com URLs
+  
+  Since HTTPS is "the new normal", this update changes a lot of man page
+  examples to use https://example.com instead of the previous "http://..."
+  
+  Closes #5969
+
+- github: remove the duplicate "Security vulnerability" entry
+  
+  ... since github adds an entry automatically by itself.
+  
+  Closes #5970
+
+- [Emil Engler brought this change]
+
+  github: use new issue template feature
+  
+  This helps us to avoid getting feature requests as well as security
+  bugs reported into the issue tracker.
+  
+  Closes #5936
+
+- [Emil Engler brought this change]
+
+  urlapi: use more Curl_safefree
+  
+  Closes #5968
+
+Marc Hoersken (17 Sep 2020)
+- multi: align WinSock mask variables in Curl_multi_wait
+  
+  Also skip pre-checking sockets to set timeout_ms to 0
+  after the first socket has been detected to be ready.
+  
+  Reviewed-by: rcombs on github
+  Reviewed-by: Daniel Stenberg
+  
+  Follow up to #5886
+
+- multi: reuse WinSock events variable in Curl_multi_wait
+  
+  Since the struct is quite large (1 long and 10 ints) we
+  declare it once at the beginning of the function instead
+  of multiple times inside loops to avoid stack movements.
+  
+  Reviewed-by: Viktor Szakats
+  Reviewed-by: Daniel Stenberg
+  
+  Closes #5886
+
+Daniel Stenberg (16 Sep 2020)
+- TODO: dynamically decide to use socketpair
+  
+  Suggested-by: Anders Bakken
+  
+  Closes #4829
+
+- TODO: add PR reference for native IDN support on macOS
+  
+  As there was work started on this that never got completed.
+  
+  Closes #5371
+
+- tool_help.h: update copyright year range
+  
+  Follow-up from aa8777f63febca
+
+- CI/azure: disable test 571 in the msys2 builds
+  
+  It's just too flaky there
+  
+  Reviewed-by: Marc Hoersken
+  Closes #5954
+
+- tool_writeout: protect fputs() from NULL
+  
+  When the code was changed to do fputs() instead of fprintf() it got
+  sensitive for NULL pointers; add checks for that.
+  
+  Follow-up from 0c1e767e83ec66
+  
+  Closes #5963
+
+- test3015: verify stdout "as text"
+  
+  Follow-up from 0c1e767e83e to please win32 tests
+  
+  Closes #5962
+
+- travis: use libressl v3.1.4 instead of master
+  
+  ... as their git master seems too fragile to use (and 3.2.1 which is the
+  latest has a build failure).
+  
+  Closes #5964
+
+- tests/FILEFORMAT: document type=shell for <command>
+
+- tests/FILEFORMAT: document nonewline support for <file>
+  
+  The one in <client>, that creates files.
+  
+  Follow-up from b83947c8df7
+
+- [anio brought this change]
+
+  tool_writeout: add new writeout variable, %{num_headers}
+  
+  This variable gives the number of headers.
+  
+  Closes #5947
+
+- tool_urlglob: fix compiler warning "unreachable code"
+  
+  (On Windows builds.)
+  
+  Follow-up to 70a3b003d9
+
+- [Gergely Nagy brought this change]
+
+  vtls: deduplicate client certificates in ssl_config_data
+  
+  Closes #5629
+
+- ftp: a 550 response to SIZE returns CURLE_REMOTE_FILE_NOT_FOUND
+  
+  This is primarily interesting for cases where CURLOPT_NOBODY is set as
+  previously curl would not return an error for this case.
+  
+  MDTM getting 550 now also returns this error (it returned
+  CURLE_FTP_COULDNT_RETR_FILE before) in order to unify return codes for
+  missing files across protocols and specific FTP commands.
+  
+  libcurl already returns error on a 550 as a MDTM response (when
+  CURLOPT_FILETIME is set). If CURLOPT_NOBODY is not set, an error would
+  happen subsequently anyway since the RETR command would fail.
+  
+  Add test 1913 and 1914 to verify. Updated several tests accordingly due
+  to the updated SIZE behavior.
+  
+  Reported-by: Tomas Berger
+  Fixes #5953
+  Closes #5957
+
+- curl: make checkpasswd use dynbuf
+  
+  Closes #5952
+
+- curl: make glob_match_url use dynbuf
+  
+  Closes #5952
+
+- curl: make file2memory use dynbuf
+  
+  Closes #5952
+
+- curl: make file2string use dynbuf
+  
+  Closes #5952
+
+- [Antarpreet Singh brought this change]
+
+  imap: set cselect_bits to CURL_CSELECT_IN initially
+  
+  ... when continuing a transfer from a FETCH response.
+  
+  When the size of the file was small enough that the entirety of the
+  transfer happens in a single go and schannel buffers holds the entire
+  data. However, it wasn't completely read in Curl_pp_readresp since a
+  line break was found before that could happen. So, by the time we are in
+  imap_state_fetch_resp - there's data in buffers that needs to be read
+  via Curl_read but nothing to read from the socket. After we setup a
+  transfer (Curl_setup_transfer), curl just waits on the socket state to
+  change - which doesn't happen since no new data ever comes.
+  
+  Closes #5961
+
+- RELEASE-NOTES: synced
+
+- test434: test -K use in a single line without newline
+  
+  Closes #5946
+
+- runtests: allow creating files without newlines
+  
+  Closes #5946
+
+- curl: use curlx_dynbuf for realloc when loading config files
+  
+  ... fixes an integer overflow at the same time.
+  
+  Reported-by: ihsinme on github
+  Assisted-by: Jay Satiro
+  
+  Closes #5946
+
+- dynbuf: provide curlx_ names for reuse by the curl tool
+  
+  Closes #5946
+
+- dynbuf: make sure Curl_dyn_tail() zero terminates
+  
+  Closes #5959
+
+- tests: add test1912 to the dist
+  
+  Follow-up to 70984ce1be4cab6c
+
+- docs/LICENSE-MIXING: remove
+  
+  This document is not maintained and I feel that it doesn't provide much
+  value to users anymore (if it ever did).
+  
+  Closes #5955
+
+- [Laramie Leavitt brought this change]
+
+  http: consolidate nghttp2_session_mem_recv() call paths
+  
+  Previously there were several locations that called
+  nghttp2_session_mem_recv and handled responses slightly differently.
+  Those have been converted to call the existing
+  h2_process_pending_input() function.
+  
+  Moved the end-of-session check to h2_process_pending_input() since the
+  only place the end-of-session state can change is after nghttp2
+  processes additional input frames.
+  
+  This will likely fix the fuzzing error. While I don't have a root cause
+  the out-of-bounds read seems like a use after free, so moving the
+  nghttp2_session_check_request_allowed() call to a location with a
+  guaranteed nghttp2 session seems reasonable.
+  
+  Also updated a few nghttp2 callsites to include error messages and added
+  a few additional error checks.
+  
+  Closes #5648
+
+- HISTORY: mention alt-svc added in 2019
+  
+  ... and make 1996 the first year subtitle
+
+- base64: also build for pop3 and imap
+  
+  Follow-up to the fix in 20417a13fb8f83
+  
+  Reported-by: Michael Olbrich
+  Fixes #5937
+  Closes #5948
+
+- base64: enable in build with SMTP
+  
+  The oauth2 support is used with SMTP and it uses base64 functions.
+  
+  Reported-by: Michael Olbrich
+  Fixes #5937
+  Closes #5938
+
+- curl_mime_headers.3: fix the example's use of curl_slist_append
+  
+  Reported-by: sofaboss on github
+  Fixes #5942
+  Closes #5943
+
+- lib583: fix enum mixup
+  
+  grrr the previous follow-up to 17fcdf6a31 was wrong
+
+- libtest: fix build errors
+  
+  Follow-up from 17fcdf6a310d4c8076
+
+- lib: fix -Wassign-enum warnings
+  
+  configure --enable-debug now enables -Wassign-enum with clang,
+  identifying several enum "abuses" also fixed.
+  
+  Reported-by: Gisle Vanem
+  Bug: https://github.com/curl/curl/commit/879007f8118771f4896334731aaca5850a154675#commitcomment-42087553
+  
+  Closes #5929
+
+- RELEASE-NOTES: synced
+
+- [Diven Qi brought this change]
+
+  url: use blank credentials when using proxy w/o username and password
+  
+  Fixes proxy regression brought in commit ad829b21ae (7.71.0)
+  
+  Fixed #5911
+  Closes #5914
+
+- travis: add a build using libressl (from git master)
+  
+  The v3.2.1 tag (latest release atm) results in a broken build.
+  
+  Closes #5932
+
+- configure: let --enable-debug set -Wenum-conversion with gcc >= 10
+  
+  Unfortunately, this option is not detecting the same issues as clang's
+  -Wassign-enum flag, but should still be useful to detect future
+  mistakes.
+  
+  Closes #5930
+
+- openssl: consider ALERT_CERTIFICATE_EXPIRED a failed verification
+  
+  If the error reason from the lib is
+  SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED, libcurl will return
+  CURLE_PEER_FAILED_VERIFICATION and not CURLE_SSL_CONNECT_ERROR.
+  
+  This unifies the libcurl return code and makes libressl run test 313
+  (CRL testing) fine.
+  
+  Closes #5934
+
+- FAQ: refreshed some very old language
+
+- cmake: make HTTP_ONLY also disable MQTT
+  
+  ... and alphasort the order of disabling protocols to make it easier to
+  browse.
+  
+  Closes #5931
+
+- libtest: remove lib1541 leftovers
+  
+  Caused automake errors.
+  
+  Follow-up to 8ca54a03ea08a
+
+- tests/libtests: remove test 1900 and 2033
+  
+  We already remove the test files, now remove the libtest codes as well.
+  
+  Follow-up to e50a877df74
+
+Marc Hoersken (7 Sep 2020)
+- CI/azure: add test number to title for display in analytics
+  
+  To ease identification of tests the test number is added to
+  the test case title in order to have it on the Azure DevOps
+  Analytics pages and reports which currently do not show it.
+  
+  Bump test case revision to make Azure DevOps update titles.
+  
+  Closes #5927
+
+Daniel Stenberg (6 Sep 2020)
+- altsvc: clone setting in curl_easy_duphandle
+  
+  The cache content is not duplicated, like other caches, but the setting
+  and specified file name are.
+  
+  Test 1908 is extended to verify this somewhat. Since the duplicated
+  handle gets the same file name, the test unfortunately overwrites the
+  same file twice (with different contents) which makes it hard to check
+  automatically.
+  
+  Closes #5923
+
+- test1541: remove since it is a known bug
+  
+  A shared connection cache is not thread-safe is a known issue. Stop
+  testing this until we believe this issue is addressed. Reduces
+  occasional test failures we don't care about.
+  
+  The test code in lib1541.c is left in git to allow us to restore it when
+  we get to fix this.
+  
+  Closes #5922
+
+- tests: remove pipelining tests
+  
+  Remove the tests 530, 584, 1900, 1901, 1902, 1903 and 2033. They were
+  previously disabled.
+  
+  The Pipelining code was removed from curl in commit 2f44e94efb3df8e,
+  April 2019.
+  
+  Closes #5921
+
+- curl: retry delays in parallel mode no longer sleeps blocking
+  
+  The previous sleep for retries would block all other concurrent
+  transfers. Starting now, the retry will instead be properly marked to
+  not get restarted until after the delay time but other transfers can
+  still continue in the mean time.
+  
+  Closes #5917
+
+- curl:parallel_transfers: make sure retry readds the transfer
+  
+  Reported-by: htasta on github
+  Fixes #5905
+  Closes #5917
+
+- build: drop support for building with Watcom
+  
+  These files are not maintained, they seem to have no users, Watcom
+  compilers look like not having users nor releases anymore.
+  
+  Closes #5918
+
+- winbuild/rundebug.cmd: remove
+  
+  Seems to have been added by mistake? Not included in dists.
+  
+  Closes #5919
+
+- curl: in retry output don't call all problems "transient"
+  
+  ... because when --retry-all-errors is used, the error isn't necessarily
+  transient at all.
+  
+  Closes #5916
+
+- easygetopt: pass a valid enum to avoid compiler warning
+  
+  "integer constant not in range of enumerated type 'CURLoption'"
+  
+  Reported-by: Gisle Vanem
+  Bug: https://github.com/curl/curl/commit/6ebe63fac23f38df911edc348e8ccc72280f9434#commitcomment-42042843
+  
+  Closes #5915
+
+- [Emil Engler brought this change]
+
+  tests: Add tests for new --help
+  
+  This commit is a part of "--help me if you can"
+  
+  Closes #5680
+
+- [Emil Engler brought this change]
+
+  tool: update --help with categories
+  
+  This commit is a part of "--help me if you can"
+  
+  Closes #5680
+
+- [Emil Engler brought this change]
+
+  docs: add categories to all cmdline opts
+  
+  Adapted gen.pl with 'listcats'
+  
+  This commit is a part of "--help me if you can"
+  
+  Closes #5680
+
+- RELEASE-NOTES: synced
+
+- [ihsinme brought this change]
+
+  connect.c: remove superfluous 'else' in Curl_getconnectinfo
+  
+  Closes #5912
+
+- [Samuel Marks brought this change]
+
+  CMake: remove explicit `CMAKE_ANSI_CFLAGS`
+  
+  This variable was removed from cmake in commit
+  https://gitlab.kitware.com/cmake/cmake/commit/5a834b0bb0bc288. A later
+  CMake commit removes the variable from the tests, claiming that it was
+  removed in CMake 2.6
+  
+  Reviewed-By: Peter Wu
+  Closes #5439
+
+- [cbe brought this change]
+
+  libssh2: pass on the error from ssh_force_knownhost_key_type
+  
+  Closes #5909
+
+- scripts/delta: add diffstat summary
+  
+  ... and make output more table-like
+
+- [Martin Bašti brought this change]
+
+  http_proxy: do not crash with HTTPS_PROXY and NO_PROXY set
+  
+  ... in case NO_PROXY takes an effect
+  
+  Without this patch, the following command crashes:
+  
+      $ GIT_CURL_VERBOSE=1 NO_PROXY=github.com HTTPS_PROXY=https://example.com \
+          git clone https://github.com/curl/curl.git
+  
+  Minimal libcurl-based reproducer:
+  
+      #include <curl/curl.h>
+  
+      int main() {
+        CURL *curl = curl_easy_init();
+        if(curl) {
+          CURLcode ret;
+          curl_easy_setopt(curl, CURLOPT_URL, "https://github.com/");
+          curl_easy_setopt(curl, CURLOPT_PROXY, "example.com");
+          /* set the proxy type */
+          curl_easy_setopt(curl, CURLOPT_PROXYTYPE, CURLPROXY_HTTPS);
+          curl_easy_setopt(curl, CURLOPT_NOPROXY, "github.com");
+          curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
+          ret = curl_easy_perform(curl);
+          curl_easy_cleanup(curl);
+          return ret;
+        }
+        return -1;
+      }
+  
+  Assisted-by: Kamil Dudka
+  Bug: https://bugzilla.redhat.com/1873327
+  Closes #5902
+
+- travis: add a CI job with openssl3 (from git master)
+  
+  Closes #5908
+
+- openssl: avoid error conditions when importing native CA
+  
+  The code section that is OpenSSL 3+ specific now uses the same logic as
+  is used in the version < 3 section. It caused a compiler error without
+  it.
+  
+  Closes #5907
+
+- setopt: avoid curl_ on local variable
+  
+  Closes #5906
+
+- mqtt.c: avoid curl_ prefix on local variable
+  
+  Closes #5906
+
+- wildcard: strip "curl_" prefix from private symbols
+  
+  Closes #5906
+
+- vtls: make it 'struct Curl_ssl_session'
+  
+  Use uppercase C for internal symbols.
+  
+  Closes #5906
+
+- curl_threads: make it 'struct Curl_actual_call'
+  
+  Internal names should not be prefixed "curl_"
+  
+  Closes #5906
+
+- schannel: make it 'struct Curl_schannel*'
+  
+  As internal global names should use captical C.
+  
+  Closes #5906
+
+- hash: make it 'struct Curl_hash'
+  
+  As internal global names should use captical C.
+  
+  Closes #5906
+
+- llist: make it "struct Curl_llist"
+  
+  As internal global names should use captical C.
+  
+  Closes #5906
+
+Marc Hoersken (2 Sep 2020)
+- telnet.c: depend on static requirement of WinSock version 2
+  
+  Drop dynamic loading of ws2_32.dll and instead rely on the
+  imported version which is now required to be at least 2.2.
+  
+  Reviewed-by: Marcel Raad
+  Reviewed-by: Jay Satiro
+  Reviewed-by: Daniel Stenberg
+  Reviewed-by: Viktor Szakats
+  
+  Closes #5854
+
+- win32: drop support for WinSock version 1, require version 2
+  
+  IPv6, telnet and now also the multi API require WinSock
+  version 2 which is available starting with Windows 95.
+  
+  Therefore we think it is time to drop support for version 1.
+  
+  Reviewed-by: Marcel Raad
+  Reviewed-by: Jay Satiro
+  Reviewed-by: Daniel Stenberg
+  Reviewed-by: Viktor Szakats
+  
+  Follow up to #5634
+  Closes #5854
+
+- select: align poll emulation to return all relevant events
+  
+  The poll emulation via select already consumes POLLRDNORM,
+  POLLWRNORM and POLLRDBAND as input events. Therefore it
+  should also return them as output events if signaled.
+  
+  Also fix indentation in input event handling block.
+  
+  Assisted-by: Jay Satiro
+  Reviewed-by: Daniel Stenberg
+  
+  Replaces #5852
+  Closes #5883
+
+- CI/azure: MQTT is now enabled by default
+  
+  Reviewed-by: Daniel Stenberg
+  
+  Follow up to #5858
+  Closes #5903
+
+Daniel Stenberg (2 Sep 2020)
+- copyright.pl: ignore buildconf
+
+- test971: show test mismatches "inline"
+
+- lib/Makefile.am: bump VERSIONINFO due to new functions
+  
+  ... we're generally bad at this, but we are adding new functions for
+  this release.
+  
+  Closes #5899
+
+- optiontable: use DEBUGBUILD
+  
+  Follow-up to commit 6e18568ba38 (#5877)
+
+- cmdline-opts/gen.pl: generate nicer "See Also" in curl.1
+  
+  If there are more than two items in the list, use commas for all but the
+  last separator which is set to 'and'. Reads better.
+  
+  Closes #5898
+
+- curl.1: add see also no-progress-meter on two spots
+  
+  Ref: #5894
+  
+  Closes #5897
+
+- RELEASE-NOTES: synced
+
+- mqtt: enable by default
+  
+  No longer considered experimental.
+  
+  Closes #5858
+
+- [Michael Baentsch brought this change]
+
+  tls: add CURLOPT_SSL_EC_CURVES and --curves
+  
+  Closes #5892
+
+- url: remove funny embedded comments in Curl_disonnect calls
+
+- [Chris Paulson-Ellis brought this change]
+
+  conn: check for connection being dead before reuse
+  
+  Prevents incorrect reuse of an HTTP connection that has been prematurely
+  shutdown() by the server.
+  
+  Partial revert of 755083d00deb16
+  
+  Fixes #5884
+  Closes #5893
+
+Marc Hoersken (29 Aug 2020)
+- buildconf: exec autoreconf to avoid additional process
+  
+  Also make buildconf exit with the return code of autoreconf.
+  
+  Reviewed-by: Daniel Stenberg
+  
+  Follow up to #5853
+  Closes #5890
+
+- CI/azure: no longer ignore results of test 1013
+  
+  Follow up to #5771
+  Closes #5889
+
+- docs: add description about CI platforms to CONTRIBUTE.md
+  
+  Reviewed-by: Daniel Stenberg
+  Reviewed-by: Marcel Raad
+  Reviewed-by: Jay Satiro
+  
+  Closes #5882
+
+Daniel Stenberg (29 Aug 2020)
+- tests/getpart: use MIME::Base64 instead of home-cooked
+  
+  Since we already use the base64 package since a while back, we can just
+  as well switch to that here too.
+  
+  It also happens to use the exact same function name, which otherwise
+  causes a run-time warning.
+  
+  Reported-by: Marc Hörsken
+  Fixes #5885
+  Closes #5887
+
+Marcel Raad (29 Aug 2020)
+- ntlm: fix condition for curl_ntlm_core usage
+  
+  `USE_WINDOWS_SSPI` without `USE_WIN32_CRYPTO` but with any other DES
+  backend is fine, but was excluded before.
+  
+  This also fixes test 1013 as the condition for SMB support in
+  configure.ac didn't match the condition in the source code. Now it
+  does.
+  
+  Fixes https://github.com/curl/curl/issues/1262
+  Closes https://github.com/curl/curl/pull/5771
+
+- AppVeyor: switch 64-bit Schannel Debug CMake builds to Unicode
+  
+  The Schannel builds are the most useful to verify as they make the most
+  use of the Windows API. Classic MinGW doesn't support Unicode at all,
+  only MinGW-w64 and MSVC do.
+  
+  Closes https://github.com/curl/curl/pull/5843
+
+- CMake: add option to enable Unicode on Windows
+  
+  As already existing for winbuild.
+  
+  Closes https://github.com/curl/curl/pull/5843
+
+Marc Hoersken (29 Aug 2020)
+- select: simplify return code handling for poll and select
+  
+  poll and select already return -1 on error according to POSIX,
+  so there is no need to perform a <0 to -1 conversion in code.
+  
+  Also we can just use one check with <= 0 on the return code.
+  
+  Assisted-by: Daniel Stenberg
+  Reviewed-by: Jay Satiro
+  
+  Replaces #5852
+  Closes #5880
+
+Daniel Stenberg (28 Aug 2020)
+- RELEASE-NOTES: synced
+
+- [Jeroen Ooms brought this change]
+
+  tests: add test1912 with typechecks
+  
+  Validates that gcc-typecheck macros match the new option type API.
+  
+  Closes #5873
+
+- easyoptions: provide debug function when DEBUGBUILD
+  
+  ... not CURLDEBUG as they're not always set in conjunction.
+  
+  Follow-up to 6ebe63fac23f38df
+  
+  Fixes #5877
+  Closes #5878
+
+Marc Hoersken (28 Aug 2020)
+- sockfilt: handle FD_CLOSE winsock event on write socket
+  
+  Learn from the way Cygwin handles and maps the WinSock events
+  to simulate correct and complete poll and select behaviour
+  according to Richard W. Stevens Network Programming book.
+  
+  Follow up to #5867
+  Closes #5879
+
+- multi: handle connection state winsock events
+  
+  Learn from the way Cygwin handles and maps the WinSock events
+  to simulate correct and complete poll and select behaviour
+  according to Richard W. Stevens Network Programming book.
+  
+  Reviewed-by: Jay Satiro
+  Reviewed-by: Marcel Raad
+  
+  Follow up to #5634
+  Closes #5867
+
+Daniel Stenberg (28 Aug 2020)
+- Curl_pgrsTime - return new time to avoid timeout integer overflow
+  
+  Setting a timeout to INT_MAX could cause an immediate error to get
+  returned as timeout because of an overflow when different values of
+  'now' were used.
+  
+  This is primarily fixed by having Curl_pgrsTime() return the "now" when
+  TIMER_STARTSINGLE is set so that the parent function will continue using
+  that time.
+  
+  Reported-by: Ionuț-Francisc Oancea
+  Fixes #5583
+  Closes #5847
+
+- TLS: fix SRP detection by using the proper #ifdefs
+  
+  USE_TLS_SRP will be true if *any* selected TLS backend can use SRP
+  
+  HAVE_OPENSSL_SRP is defined when OpenSSL can use it
+  
+  HAVE_GNUTLS_SRP is defined when GnuTLS can use it
+  
+  Clarify in the curl_verison_info docs that CURL_VERSION_TLSAUTH_SRP is
+  set if at least one of the supported backends offers SRP.
+  
+  Reported-by: Stefan Strogin
+  Fixes #5865
+  Closes #5870
+
+- [Dan Kenigsberg brought this change]
+
+  docs: SSLCERTS: fix English syntax
+  
+  Signed-off-by: Dan Kenigsberg <danken@redhat.com>
+  
+  Closes #5876
+
+- [Alessandro Ghedini brought this change]
+
+  docs: non-existing macros in man pages
+  
+  As reported by man(1) when invoked as:
+  
+    man --warnings -E UTF-8 -l -Tutf8 -Z <file> >/dev/null
+  
+  Closes #5846
+
+- [Alessandro Ghedini brought this change]
+
+  curl.1: fix typo invokved -> invoked
+  
+  Closes #5846
+
+- buildconf: invoke 'autoreconf -fi' instead
+  
+  The custom script isn't necessary anymore - but remains for simplicity
+  and just invokes autoreconf.
+  
+  Closes #5853
+
+- [Emil Engler brought this change]
+
+  lib: make Curl_gethostname accept a const pointer
+  
+  The address of that variable never gets changed, only the data in it so
+  why not make it a "char * const"?
+  
+  Closes #5866
+
+- docs/libcurl: update "Added in" version for curl_easy_option*
+  
+  Follow-up to 6ebe63fac23f38
+
+- scripts: improve the "get latest curl release tag" logic
+  
+  ... by insiting on it matching "^curl-".
+
+- configure: added --disable-get-easy-options
+  
+  To allow disabling of the curl_easy_option APIs in a build.
+  
+  Closes #5365
+
+- options: API for meta-data about easy options
+  
+   const struct curl_easyoption *curl_easy_option_by_name(const char *name);
+  
+   const struct curl_easyoption *curl_easy_option_by_id (CURLoption id);
+  
+   const struct curl_easyoption *
+   curl_easy_option_next(const struct curl_easyoption *prev);
+  
+  The purpose is to provide detailed enough information to allow for
+  example libcurl bindings to get option information at run-time about
+  what easy options that exist and what arguments they expect.
+  
+  Assisted-by: Jeroen Ooms
+  Closes #5365
+
+- [Eric Curtin brought this change]
+
+  HTTP/3: update to OpenSSL_1_1_1g-quic-draft-29
+  
+  Closes #5871
+
+- RELEASE-NOTES: synced
+
+Jay Satiro (26 Aug 2020)
+- openssl: Fix wincrypt symbols conflict with BoringSSL
+  
+  OpenSSL undefines the conflicting symbols but BoringSSL does not so we
+  must do it ourselves.
+  
+  Reported-by: Samuel Tranchet
+  Assisted-by: Javier Blazquez
+  
+  Ref: https://bugs.chromium.org/p/boringssl/issues/detail?id=371
+  Ref: https://github.com/openssl/openssl/blob/OpenSSL_1_1_1g/include/openssl/ossl_typ.h#L66-L73
+  
+  Fixes https://github.com/curl/curl/issues/5669
+  Closes https://github.com/curl/curl/pull/5857
+
+Daniel Stenberg (26 Aug 2020)
+- socketpair: allow CURL_DISABLE_SOCKETPAIR
+  
+  ... to completely disable the use of socketpair
+  
+  Closes #5850
+
+- curl_get_line: build only if cookies or alt-svc are enabled
+  
+  Closes #5851
+
+- [fullincome brought this change]
+
+  schannel: fix memory leak when using get_cert_location
+  
+  The get_cert_location function allocates memory only on success.
+  Previously get_cert_location was able to allocate memory and return
+  error. It wasn't obvious and in this case the memory wasn't
+  released.
+  
+  Fixes #5855
+  Closes #5860
+
+- [Emil Engler brought this change]
+
+  git: ignore libtests in 3XXX area
+  
+  Currently the file tests/libtest/lib3010 is not getting
+  ignored by git. This fixes it by adding the 3XXX area to
+  the according .gitignore file.
+  
+  Closes #5859
+
+- [Emil Engler brought this change]
+
+  doh: add error message for DOH_DNS_NAME_TOO_LONG
+  
+  When this error code was introduced in b6a53fff6c1d07e8a9, it was
+  forgotten to be added in the errors array and doh_strerror function.
+  
+  Closes #5863
+
+- ngtcp2: adapt to the new pkt_info arguments
+  
+  Guidance-by: Tatsuhiro Tsujikawa
+  
+  Closes #5864
+
+- winbuild/README.md: make <options> visible
+  
+  Follow-up to be753add31c2d8c
+
+- winbuild: convert the instruction text to README.md
+  
+  Closes #5861
+
+- lib1560: verify "redirect" to double-slash leading URL
+  
+  Closes #5849
+
+Marc Hoersken (25 Aug 2020)
+- multi: expand pre-check for socket readiness
+  
+  Check readiness of all sockets before waiting on them
+  to avoid locking in case the one-time event FD_WRITE
+  was already consumed by a previous wait operation.
+  
+  More information about WinSock network events:
+  https://docs.microsoft.com/en-us/windows/win32/api/
+     winsock2/nf-winsock2-wsaeventselect#return-value
+  
+  Closes #5634
+
+- [rcombs brought this change]
+
+  multi: implement wait using winsock events
+  
+  This avoids using a pair of TCP ports to provide wakeup functionality
+  for every multi instance on Windows, where socketpair() is emulated
+  using a TCP socket on loopback which could in turn lead to socket
+  resource exhaustion.
+  
+  A previous version of this patch failed to account for how in WinSock,
+  FD_WRITE is set only once when writing becomes possible and not again
+  until after a send has failed due to the buffer filling. This contrasts
+  to how FD_READ and FD_OOB continue to be set until the conditions they
+  refer to no longer apply. This meant that if a user wrote some data to
+  a socket, but not enough data to completely fill its send buffer, then
+  waited on that socket to become writable, we'd erroneously stall until
+  their configured timeout rather than returning immediately.
+  
+  This version of the patch addresses that issue by checking each socket
+  we're waiting on to become writable with select() before the wait, and
+  zeroing the timeout if it's already writable.
+  
+  Assisted-by: Marc Hörsken
+  Reviewed-by: Marcel Raad
+  Reviewed-by: Daniel Stenberg
+  Tested-by: Gergely Nagy
+  Tested-by: Rasmus Melchior Jacobsen
+  Tested-by: Tomas Berger
+  
+  Replaces #5397
+  Reverts #5632
+  Closes #5634
+
+- select: reduce duplication of Curl_poll in Curl_socket_check
+  
+  Change Curl_socket_check to use select-fallback in Curl_poll
+  instead of implementing it in Curl_socket_check and Curl_poll.
+  
+  Reviewed-by: Daniel Stenberg
+  Reviewed-by: Jay Satiro
+  
+  Replaces #5262 and #5492
+  Closes #5707
+
+- select: fix poll-based check not detecting connect failure
+  
+  This commit changes Curl_socket_check to use POLLPRI to
+  check for connect failure on the write socket, because
+  POLLPRI maps to fds_err. This is in line with select(2).
+  
+  The select-based socket check correctly checks for connect
+  failures by adding the write socket also to fds_err.
+  
+  The poll-based implementation (which internally can itself
+  fallback to select again) did not previously check for
+  connect failure by using POLLPRI with the write socket.
+  
+  See the follow up commit to this for more information.
+  
+  This commit makes sure connect failures can be detected
+  and handled if HAVE_POLL_FINE is defined, eg. on msys2-devel.
+  
+  Reviewed-by: Daniel Stenberg
+  Reviewed-by: Jay Satiro
+  
+  Replaces #5509
+  Prepares #5707
+
+- select.h: make socket validation macros test for INVALID_SOCKET
+  
+  With Winsock the valid range is [0..INVALID_SOCKET-1] according to
+  https://docs.microsoft.com/en-us/windows/win32/winsock/socket-data-type-2
+  
+  Reviewed-by: Jay Satiro
+  Reviewed-by: Marcel Raad
+  Reviewed-by: Daniel Stenberg
+  
+  Closes #5760
+
+Daniel Stenberg (24 Aug 2020)
+- docs: --output-dir is added in 7.73.0, nothing else
+  
+  Follow-up to 5620d2cc78c0
+
+- curl: add --output-dir
+  
+  Works with --create-dirs and with -J
+  
+  Add test 3008, 3009, 3011, 3012 and 3013 to verify.
+  
+  Closes #5637
+
+- configure: fix pkg-config detecting wolfssl
+  
+  When amending the include path with "/wolfssl", this now properly strips
+  off all whitespace from the path variable! Previously this would lead to
+  pkg-config builds creating bad command lines.
+  
+  Closes #5848
+
+- [Michael Musset brought this change]
+
+  sftp: add the option CURLKHSTAT_FINE_REPLACE
+  
+  Replace the old fingerprint of the host with a new.
+  
+  Closes #5685
+
+- RELEASE-NOTES: synced
+  
+  The next release is now to become 7.73.0
+
+- checksrc: verify do-while and spaces between the braces
+  
+  Updated mprintf.c to comply
+  
+  Closes #5845
+
+- curl: support XDG_CONFIG_HOME to find .curlrc
+  
+  Added test433 to verify. Updated documentation.
+  
+  Reviewed-by: Jay Satiro
+  Suggested-by: Eli Schwartz
+  Fixes #5829
+  Closes #5837
+
+- etag: save and use the full received contents
+  
+  ... which makes it support weak tags and non-standard etags too!
+  
+  Added test case 347 to verify blank incoming ETag:
+  
+  Fixes #5610
+  Closes #5833
+
+- setopt: if the buffer exists, refuse the new BUFFERSIZE
+  
+  The buffer only exists during transfer and then we shouldn't change the
+  size (the setopt is not documented to work then).
+  
+  Reported-by: Harry Sintonen
+  Closes #5842
+
+- [COFFEETALES brought this change]
+
+  sftp: add new quote commands 'atime' and 'mtime'
+  
+  Closes #5810
+
+- CURLE_PROXY: new error code
+  
+  Failures clearly returned from a (SOCKS) proxy now causes this return
+  code. Previously the situation was not very clear as what would be
+  returned and when.
+  
+  In addition: when this error code is returned, an application can use
+  CURLINFO_PROXY_ERROR to query libcurl for the detailed error, which then
+  returns a value from the new 'CURLproxycode' enum.
+  
+  Closes #5770
+
+- runtests: make cleardir() erase dot files too
+  
+  Because test cases might use dot files.
+  
+  Closes #5838
+
+- KNOWN_BUGS:  'no_proxy' string-matches IPv6 numerical addreses
+  
+  Also: the current behavior is now documented in the curl.1 and
+  CURLOPT_NOPROXY.3 man pages.
+  
+  Reported-by: Andrew Barnes
+  Closes #5745
+  Closes #5841
+
+Viktor Szakats (22 Aug 2020)
+- Makefile.m32: add ability to override zstd libs [ci skip]
+  
+  Similarly to brotli, where this was already possible.
+  E.g. it allows to link zstd statically to libcurl.dll.
+  
+  Ref: https://github.com/curl/curl-for-win/issues/12
+  Ref: https://github.com/curl/curl-for-win/commit/d9b266afd2e5d3f5604483010ef62340b5918c89
+  
+  Closes https://github.com/curl/curl/pull/5840
+
+Daniel Stenberg (21 Aug 2020)
+- runtests: avoid 'fail to start' repeated messages in attempt loops
+  
+  Closes #5834
+
+- runtests: clear pid variables when failing to start a server
+  
+  ... as otherwise the parent doesn't detect the failure and believe it
+  actually worked to start.
+  
+  Reported-by: Christian Weisgerber
+  Bug: https://curl.haxx.se/mail/lib-2020-08/0018.html
+  Closes #5834
+
+- TODO: Virtual external sockets
+  
+  Closes #5835
+
+- [Don J Olmstead brought this change]
+
+  dist: add missing CMake Find modules to the distribution
+  
+  Closes #5836
+
+- RELEASE-NOTES: synced
+  
+  ... and version bumped to 7.72.1
+
+- tls: provide the CApath verbose log on its own line
+  
+  ... not newline separated from the previous line. This makes it output
+  asterisk prefixed properly like other verbose putput!
+  
+  Reported-by: jmdavitt on github
+  Fixes #5826
+  Closes #5827
+
 Version 7.72.0 (19 Aug 2020)
 
 Daniel Stenberg (19 Aug 2020)
@@ -3530,7 +5330,7 @@ Daniel Stenberg (20 Apr 2020)
   Closes #5264
 
 Daniel Gustafsson (19 Apr 2020)
-- [Tom brought this change]
+- [Mipsters on github brought this change]
 
   src: Remove C99 constructs to ensure C89 compliance
   
@@ -5650,1851 +7450,3 @@ Marc Hoersken (1 Mar 2020)
   
   For security reasons the access token is not available to PR builds.
   Therefore we should not try to use the DevOps API with an empty token.
-
-Daniel Stenberg (1 Mar 2020)
-- build: remove all HAVE_OPENSSL_ENGINE_H defines
-  
-  ... as there's nothing in the code that actually uses the define! The
-  last reference was removed in 38203f158.
-  
-  Closes #5007
-
-Jay Satiro (29 Feb 2020)
-- [Rolf Eike Beer brought this change]
-
-  CMake: clean up and improve build procedures
-  
-  - remove check for unsupported old CMake versions
-  
-  - do not link to c-ares library twice
-  
-  - modernize custom Find modules
-  
-      - FindLibSSH2:
-          - pass version to FPHSA to show it in the output
-          - use LIBSSH2_VERSION define to extract the version number in
-            one shot. This variable exists in the header for 10 years.
-          - remove unneeded code
-  
-      - FindNGHTTP2.cmake:
-          - drop needless FPHSA argument
-          - mark found variables as advanced
-  
-      - FindNSS.cmake:
-          - show version number
-  
-      - FindCARES.cmake:
-          - drop default paths
-          - use FPHSA instead of checking things by hand
-  
-  - remove needless explict variable dereference
-  
-  - simplify count_true()
-  
-  - allow all policies up to version 3.16 to be set to NEW
-  
-  - do not rerun check for -Wstrict-aliasing=3 every time
-  
-  In contrast to every other compiler flag this has a = in it, which CMake
-  can't have in a variable name.
-  
-  - only read the interesting strings from curlver.h
-  
-  Reviewed-by: Peter Wu
-  
-  Closes https://github.com/curl/curl/pull/4975
-
-- runtests: fix output to command log
-  
-  - Record only the command of the most recently ran test in the command
-    log.
-  
-  This is a follow-up to 02988b7 from several weeks ago which fixed
-  writing to the command log, however it saved all commands for all tests
-  instead of just the most recently ran test as we would now expect.
-  
-  Fixes https://github.com/curl/curl/commit/02988b7#commitcomment-37546876
-  Closes https://github.com/curl/curl/pull/5001
-
-Steve Holme (1 Mar 2020)
-- polarssl: Additional removal
-  
-  Follow up to 6357a19f.
-  
-  Reviewed-by: Daniel Stenberg
-  Closes #5004
-
-- [Jonathan Cardoso Machado brought this change]
-
-  docs: fix typo on CURLINFO_RETRY_AFTER - alwaus -> always
-  
-  Reviewed-by: Steve Holme
-  Closes #5005
-
-- md5: Added implementation for mbedTLS
-  
-  Reviewed-by: Jay Satiro
-  Closes #4980
-
-- md5: Use pointer notation for array parameters in GnuTLS implementation
-
-- md4: Use non-deprecated functions in mbedTLS >= 2.7.0
-  
-  Closes #4983
-
-Marc Hoersken (29 Feb 2020)
-- ci/tests: Send test results to Azure DevOps for reporting
-
-Daniel Stenberg (29 Feb 2020)
-- pause: force-drain the transfer on unpause
-  
-  ... since the socket might not actually be readable anymore when for
-  example the data is already buffered in the TLS layer.
-  
-  Fixes #4966
-  Reported-by: Anders Berg
-  Closes #5000
-
-- TODO: curl --proxycommand
-  
-  Suggested-by: Kristian Mide
-  Closes #4941
-
-- smtp: overwriting 'from' leaks memory
-  
-  Detected by Coverity. CID 1418139.
-  
-  Also, make sure to return error if the new 'from' allocation fails.
-  
-  Closes #4997
-
-- CIfuzz: switch off 'dry_run' mode
-  
-  Follow-up from #4960: now make it fail if it detects problems.
-  
-  Closes #4998
-
-Marc Hoersken (28 Feb 2020)
-- ci/tests: Increase timeouts of Windows builds due to new tests
-  
-  Recently added tests increased their runtime above the limit of 60min.
-
-- ci/tests: align Azure Pipeline job names with each other
-
-- ci/tests: Add Windows builds via Azure Pipelines using Docker
-
-- tests: fix Python 3 compatibility of smbserver.py
-
-Daniel Stenberg (27 Feb 2020)
-- runtests: restore the command log
-  
-  The log file with all command lines for the invoked command lines is now
-  called logs/commands.log
-  
-  Fixes #4911
-  Closes #4989
-
-- smtp: fix memory leak on exit path
-  
-  Detected by Coverity. CID 1418139. "leaked_storage: Variable 'from'
-  going out of scope leaks the storage it points to"
-  
-  Closes #4990
-
-Steve Holme (27 Feb 2020)
-- gtls: Fixed compilation when using GnuTLS < 3.5.0
-  
-  Reverts the functionality from 41fcb4f when compiling with GnuTLS older
-  than 3.5.0.
-  
-  Reviewed-by: Daniel Stenberg
-  Closes #4984
-
-- RELEASE-NOTES: Corrected the link to issue #4892
-
-Daniel Stenberg (27 Feb 2020)
-- Curl_is_ASCII_name: handle a NULL argument
-  
-  Make the function tolerate a NULL pointer input to avoid dereferencing
-  that pointer.
-  
-  Follow-up to efce3ea5a85126d
-  Detected by OSS-Fuzz
-  Reviewed-By: Steve Holme
-  Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20907
-  Fixes #4985
-  Closes #4986
-
-- RELEASE-NOTES: synced
-
-- http2: make pausing/unpausing set/clear local stream window
-  
-  This reduces the HTTP/2 window size to 32 MB since libcurl might have to
-  buffer up to this amount of data in memory and yet we don't want it set
-  lower to potentially impact tranfer performance on high speed networks.
-  
-  Requires nghttp2 commit b3f85e2daa629
-  (https://github.com/nghttp2/nghttp2/pull/1444) to work properly, to end
-  up in the next release after 1.40.0.
-  
-  Fixes #4939
-  Closes #4940
-
-- [Anderson Toshiyuki Sasaki brought this change]
-
-  libssh: improve known hosts handling
-  
-  Previously, it was not possible to get a known hosts file entry due to
-  the lack of an API.  ssh_session_get_known_hosts_entry(), introduced in
-  libssh-0.9.0, allows libcurl to obtain such information and behave the
-  same as when compiled with libssh2.
-  
-  This also tries to avoid the usage of deprecated functions when the
-  replacements are available.  The behaviour will not change if versions
-  older than libssh-0.8.0 are used.
-  
-  Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
-  
-  Fixes #4953
-  Closes #4962
-
-Steve Holme (27 Feb 2020)
-- tests: Automatically deduce the tool name from the test case for unit tests
-  
-  It is still possible to override the executable to run during the test,
-  using the <tool> tag, but this patch removes the requirement that the
-  tag must be present for unit tests.
-  
-  It also removes the possibility of human error when existing test cases
-  are used as the basis for new tests, as recently witnessed in 81c37124.
-  
-  Reviewed-by: Daniel Stenberg
-  Closes #4976
-
-- test1323: Added the missing 'unit test' feature requirement in the test case
-
-Daniel Stenberg (26 Feb 2020)
-- cookie: remove unnecessary check for 'out != 0'
-  
-  ... as it will always be non-NULL at this point.
-  
-  Detected by Coverity: CID 1459009
-
-- http: added 417 response treatment
-  
-  When doing a request with a body + Expect: 100-continue and the server
-  responds with a 417, the same request will be retried immediately
-  without the Expect: header.
-  
-  Added test 357 to verify.
-  
-  Also added a control instruction to tell the sws test server to not read
-  the request body if Expect: is present, which the new test 357 uses.
-  
-  Reported-by: bramus on github
-  Fixes #4949
-  Closes #4964
-
-Steve Holme (26 Feb 2020)
-- smtp: Tidy up, following recent changes, to maintain the coding style
-  
-  Closes #4892
-
-- smtp: Support the SMTPUTF8 extension for the EXPN command
-  
-  Simply notify the server we support the SMTPUTF8 extension if it does.
-
-- smtp: Support the SMTPUTF8 extension in the VRFY command
-
-- smtp: Support the SMTPUTF8 extension in the RCPT TO command
-  
-  Note: The RCPT TO command isn't required to advertise to the server that
-  it contains UTF-8 characters, instead the server is told that a mail may
-  contain UTF-8 in any envelope command via the MAIL command.
-
-- smtp: Support the SMTPUTF8 extension in the MAIL command
-  
-  Support the SMTPUTF8 extension when sending mailbox information in the
-  MAIL command (FROM and AUTH parameters). Non-ASCII domain names will
-  be ACE encoded, if IDN is supported, whilst non-ASCII characters in
-  the local address part are passed to the server.
-  
-  Reported-by: ygthien on github
-  Fixes #4828
-
-- smtp: Detect server support for the UTF-8 extension as defined in RFC-6531
-
-- smtp: Support UTF-8 based host names in the VRFY command
-
-- smtp: Support UTF-8 based host names in the RCPT TO command
-
-- smtp: Support UTF-8 based host names in the MAIL command
-  
-  Non-ASCII host names will be ACE encoded if IDN is supported.
-
-- url: Make the IDN conversion functions available to others
-
-- smtp: Added UTF-8 mailbox tests to verify existing behaviour
-
-- ftpserver: Updated VRFY_smtp() so the response isn't necessary in the test case
-
-- ftpserver: Corrected the e-mail address regex in MAIL_smtp() and RCTP_smtp()
-  
-  The dot character between the host and the tld was not being escaped,
-  which meant it specified a match of 'any' character rather than an
-  explicit dot separator.
-  
-  Additionally removed the dot character from the host name as it allowed
-  the following to be specified as a valid address in our test cases:
-  
-  <bad@example......com>
-  
-  Both are typos from 98f7ca7 and 8880f84 :(
-  
-  I can't remember whether my intention was to allow sub-domains to be
-  specified in the host or not with these additional dots, but by placing
-  it outside of the host means it can only be specified once per domain
-  and by placing a + after the new grouping support for sub-domains is
-  kept.
-  
-  Closes #4912
-
-- hmac: Added a unit test for the HMAC hash generation
-  
-  Closes #4973
-
-- ntlm: Moved the HMAC MD5 function into the HMAC module as a generic function
-
-- tests: Added a unit test for MD4 digest generation
-  
-  Closes #4970
-
-- md4: Use const for the length input parameter
-  
-  This keeps the interface the same as md5 and sha256.
-
-- test1610: Fixed the link to the unit test
-  
-  Typo from 81c37124.
-
-- ntlm: Removed the dependency on the TLS libaries when using MD5
-  
-  As we have our own MD5 implementation use the MD5 wrapper to remove the
-  TLS dependency.
-  
-  Closes #4967
-
-- md5/sha256: Updated the functions to allow non-string data to be hashed
-
-- digest: Corrected the name of the local HTTP digest function
-  
-  Follow up to 2b5b37cb. Local static functions do not require the Curl
-  prefix.
-
-- tests: Added a unit test for SHA256 digest generation
-  
-  Follow up to 2b5b37c.
-  
-  Closes #4968
-
-- md4: Fixed compilation issues when using GNU TLS gcrypt
-  
-  * Don't include 'struct' in the gcrypt MD4_CTX typedef
-  * The call to gcry_md_read() should use a dereferenced ctx
-  * The call to gcry_md_close() should use a dereferenced ctx
-  
-  Additional minor whitespace issue in the USE_WIN32_CRYPTO code.
-  
-  Closes #4959
-
-Daniel Stenberg (21 Feb 2020)
-- RELEASE-NOTES: synced
-
-- http2: now require nghttp2 >= 1.12.0
-  
-  To simplify our code and since earlier versions lack important function
-  calls libcurl needs to function correctly.
-  
-  nghttp2 1.12.0 was relased on June 26, 2016.
-  
-  Closes #4961
-
-- gtls: fix the copyright year
-  
-  Follow-up from 41fcb4f609
-
-- [jethrogb brought this change]
-
-  GnuTLS: Always send client cert
-  
-  TLS servers may request a certificate from the client. This request
-  includes a list of 0 or more acceptable issuer DNs. The client may use
-  this list to determine which certificate to send. GnuTLS's default
-  behavior is to not send a client certificate if there is no
-  match. However, OpenSSL's default behavior is to send the configured
-  certificate. The `GNUTLS_FORCE_CLIENT_CERT` flag mimics OpenSSL
-  behavior.
-  
-  Authored-by: jethrogb on github
-  Fixes #1411
-  Closes #4958
-
-- [Leo Neat brought this change]
-
-  github action: add CIFuzz
-  
-  Closes #4960
-
-- cleanup: comment typos
-  
-  Spotted by 'codespell'
-  
-  Closes #4957
-
-Steve Holme (20 Feb 2020)
-- win32: USE_WIN32_CRYPTO to enable Win32 based MD4, MD5 and SHA256 functions
-  
-  Whilst lib\md4.c used this pre-processor, lib\md5.c and
-  src\tool_metalink.c did not and simply relied on the WIN32
-  pre-processor directive.
-  
-  Reviewed-by: Marcel Raad
-  Closes #4955
-
-Daniel Stenberg (19 Feb 2020)
-- connect: remove some spurious infof() calls
-  
-  As they were added primarily for debugging, they provide little use for
-  users.
-  
-  Closes #4951
-
-- HTTP-COOKIES: mention that a trailing newline is required
-  
-  ... so that we know we got the whole and not a partial line.
-  
-  Also, changed the formatting of the fields away from a table again since
-  the table format requires a github-markdown tool version that we don't
-  run on the web server atm.
-  
-  Reported-by: Sunny Bean
-  Fixes #4946
-  Closes #4947
-
-- nit: Copyright year out of date
-  
-  Follow-up to 1fc0617dcc
-
-Jay Satiro (18 Feb 2020)
-- tool_util: Improve Windows version of tvnow()
-  
-  - Change tool_util.c tvnow() for Windows to match more closely to
-    timeval.c Curl_now().
-  
-  - Create a win32 init function for the tool, since some initialization
-    is required for the tvnow() changes.
-  
-  Prior to this change the monotonic time function used by curl in Windows
-  was determined at build-time and not runtime. That was a problem because
-  when curl was built targeted for compatibility with old versions of
-  Windows (eg _WIN32_WINNT < 0x0600) it would use GetTickCount which wraps
-  every 49.7 days that Windows has been running.
-  
-  This change makes curl behave similar to libcurl's tvnow function, which
-  determines at runtime whether the OS is Vista+ and if so calls
-  QueryPerformanceCounter instead. (Note QueryPerformanceCounter is used
-  because it has higher resolution than the more obvious candidate
-  GetTickCount64). The changes to tvnow are basically a copy and paste but
-  the types in some cases are different.
-  
-  Ref: https://github.com/curl/curl/issues/3309
-  
-  Closes https://github.com/curl/curl/pull/4847
-
-Daniel Stenberg (18 Feb 2020)
-- SOCKS: fix typo in printf formatting
-  
-  Follow-up to 4a4b63daa
-  
-  Reported-by: Peter Piekarski
-  Bug: https://github.com/curl/curl/commit/4a4b63daaa01ef59b131d91e8e6e6dfe275c0f08#r37351330
-
-- CURLOPT_REDIR_PROTOCOLS.3: update the DEFAULT section
-  
-  to be in sync with the description above
-  
-  Reported-by: Joonas Kuorilehto
-  Fixes #4943
-  Closes #4945
-
-- docs/GOVERNANCE: refreshed + added "donations" and "commercial support"
-
-- altsvc: make saving the cache an atomic operation
-  
-  ... by writing the file to temp name then rename to the final when done.
-  
-  Assisted-by: Jay Satiro
-  Fixes #4936
-  Closes #4942
-
-- rename: a new file for Curl_rename()
-  
-  And make the cookie save function use it.
-
-- cookies: make saving atomic with a rename
-  
-  Saves the file as "[filename].[8 random hex digits].tmp" and renames
-  away the extension when done.
-  
-  Co-authored-by: Jay Satiro
-  Reported-by: Mike Frysinger
-  Fixes #4914
-  Closes #4926
-
-- RELEASE-NOTES: synced
-
-- socks: make the connect phase non-blocking
-  
-  Removes two entries from KNOWN_BUGS.
-  
-  Closes #4907
-
-- multi: if Curl_readwrite sets 'comeback' use expire, not loop
-  
-  Otherwise, a very fast single transfer ricks starving out other
-  concurrent transfers.
-  
-  Closes #4927
-
-- ftp: convert 'sock_accepted' to a plain boolean
-  
-  This was an array indexed with sockindex but it was only ever used for
-  the secondary socket.
-  
-  Closes #4929
-
-Jay Satiro (15 Feb 2020)
-- CURLINFO_COOKIELIST.3: Fix example
-  
-  Prior to this change the example would try to import cookies from stdin,
-  which wasn't what was intended.
-  
-  Reported-by: 3dyd@users.noreply.github.com
-  
-  Fixes https://github.com/curl/curl/issues/4930
-
-Daniel Stenberg (14 Feb 2020)
-- TODO: Paged searches on LDAP server
-  
-  Closes #4452
-
-- TODO: CURLOPT_SSL_CTX_FUNCTION for LDAPS
-  
-  Closes #4108
-
-- azure: disable brotli on the macos debug-builds
-  
-  Because of:
-  
-  brotli/decode.h:204:33: error: variable length array used [-Werror,-Wvla]
-      const uint8_t encoded_buffer[BROTLI_ARRAY_PARAM(encoded_size)],
-  
-  Closes #4925
-
-Steve Holme (13 Feb 2020)
-- tool_home: Fix the copyright year being out of date
-  
-  Follow up to 9dc350b6.
-
-Jay Satiro (12 Feb 2020)
-- tool_homedir: Change GetEnv() to use libcurl's curl_getenv()
-  
-  - Deduplicate GetEnv() code.
-  
-  - On Windows change ultimate call to use Windows API
-    GetEnvironmentVariable() instead of C runtime getenv().
-  
-  Prior to this change both libcurl and the tool had their own GetEnv
-  which over time diverged. Now the tool's GetEnv is a wrapper around
-  curl_getenv (libcurl API function which is itself a wrapper around
-  libcurl's GetEnv).
-  
-  Furthermore this change fixes a bug in that Windows API
-  GetEnvironmentVariable() is called instead of C runtime getenv() to get
-  the environment variable since some changes aren't always visible to the
-  latter.
-  
-  Reported-by: Christoph M. Becker
-  
-  Fixes https://github.com/curl/curl/issues/4774
-  Closes https://github.com/curl/curl/pull/4863
-
-Daniel Stenberg (12 Feb 2020)
-- strerror.h: Copyright year out of date
-  
-  Follow-up to 1c4fa67e8a8fcf6
-
-Jay Satiro (12 Feb 2020)
-- strerror: Increase STRERROR_LEN 128 -> 256
-  
-  STRERROR_LEN is the constant used throughout the library to set the size
-  of the buffer on the stack that the curl strerror functions write to.
-  
-  Prior to this change some extended length Windows error messages could
-  be truncated.
-  
-  Closes https://github.com/curl/curl/pull/4920
-
-- multi: fix outdated comment
-  
-  - Do not say that conn->data is "cleared" by multi_done().
-  
-  If the connection is in use then multi_done assigns another easy handle
-  still using the connection to conn->data, therefore in that case it is
-  not cleared.
-  
-  Closes https://github.com/curl/curl/pull/4901
-
-- easy: remove dead code
-  
-  multi is already assigned to data->multi by curl_multi_add_handle.
-  
-  Closes https://github.com/curl/curl/pull/4900
-
-Daniel Stenberg (12 Feb 2020)
-- create-dirs.d: mention the mode
-  
-  Reported-by: Dan Jacobson
-  Fixes #4766
-  Closes #4916
-
-- CURLOPT_ALTSVC_CTRL.3: fix the DEFAULT wording
-  
-  Assisted-by: Jay Satiro
-  Reported-by: Craig Andrews
-  Fixes #4909
-  Closes #4910
-
-- RELEASE-NOTES: synced
-
-Steve Holme (9 Feb 2020)
-- smtp: Simplify the MAIL command and avoid a duplication of send strings
-  
-  This avoids the duplication of strings when the optional AUTH and SIZE
-  parameters are required. It also assists with the modifications that
-  are part of #4892.
-  
-  Closes #4903
-
-Daniel Stenberg (9 Feb 2020)
-- altsvc: keep a copy of the file name to survive handle reset
-  
-  The alt-svc cache survives a call to curl_easy_reset fine, but the file
-  name to use for saving the cache was cleared. Now the alt-svc cache has
-  a copy of the file name to survive handle resets.
-  
-  Added test 1908 to verify.
-  
-  Reported-by: Craig Andrews
-  Fixes #4898
-  Closes #4902
-
-Steve Holme (9 Feb 2020)
-- url: Include the failure reason when curl_win32_idn_to_ascii() fails
-  
-  Provide the failure reason in the failf() info just as we do for the
-  libidn2 version of code.
-  
-  Closes #4899
-
-Jay Satiro (9 Feb 2020)
-- asyn-thread: remove dead code
-
-Daniel Stenberg (8 Feb 2020)
-- [Emil Engler brought this change]
-
-  github: Instructions to post "uname -a" on Unix systems in issues
-  
-  Closes #4896
-
-- [Cristian Greco brought this change]
-
-  configure.ac: fix comments about --with-quiche
-  
-  A simple s/nghttp3/quiche in some comments of --with-quiche.
-  Looks like a copy-paste error from --with-nghttp3.
-  
-  Closes #4897
-
-Steve Holme (7 Feb 2020)
-- checksrc.bat: Fix not being able to run script from the main curl directory
-  
-  If the script was ran from the main curl directory rather then the
-  projects directory then the script would simply exit without error:
-  
-  C:\url> projects\checksrc.bat
-  
-  The user would either need to change to the projects directory,
-  explicitly specify the current working directory, or perform a
-  oneline hacky workaround:
-  
-  C:\url> cd projects
-  C:\url\projects> checksrc.bat
-  
-  C:\url> checksrc.bat %cd%
-  
-  C:\url> pushd projects & checksrc.bat & popd
-  
-  Closes #4894
-
-Daniel Stenberg (7 Feb 2020)
-- [Pierre-Yves Bigourdan brought this change]
-
-  digest: Do not quote algorithm in HTTP authorisation
-  
-  RFC 7616 section 3.4 (The Authorization Header Field) states that "For
-  historical reasons, a sender MUST NOT generate the quoted string syntax
-  for the following parameters: algorithm, qop, and nc". This removes the
-  quoting for the algorithm parameter.
-  
-  Reviewed-by: Steve Holme
-  Closes #4890
-
-- ftp: remove the duplicated user/password struct fields
-  
-  Closes #4887
-
-- ftp: remove superfluous checking for crlf in user or pwd
-  
-  ... as this is already done much earlier in the URL parser.
-  
-  Also add test case 894 that verifies that pop3 with an encodedd CR in
-  the user name is rejected.
-  
-  Closes #4887
-
-Steve Holme (6 Feb 2020)
-- ntlm_wb: Use Curl_socketpair() for greater portability
-  
-  Reported-by: Daniel Stenberg
-  Closes #4886
-
-Daniel Stenberg (5 Feb 2020)
-- [Frank Gevaerts brought this change]
-
-  contributors: Also include people who contributed to curl-www
-  
-  Closes #4884
-
-- [Frank Gevaerts brought this change]
-
-  contrithanks: Use the most recent tag by default
-  
-  (similar to 5296abe)
-  
-  Closes #4883
-
-- scripts: use last set tag if none given
-  
-  Makes 'delta' and 'contributors.sh' easier to use.
-  
-  Make the delta script invoke contrithanks to get current number of
-  contributors instead of counting THANKS, for accuracy.
-  
-  Closes #4881
-
-- ftp: shrink temp buffers used for PORT
-  
-  These two stack based buffers only need to be 46 + 66 bytes instead of
-  256 + 1024.
-  
-  Closes #4880
-
-- curl: error on --alt-svc use w/o support
-  
-  Make the tool check for alt-svc support at run-time and return error
-  accordingly if not present when the option is used.
-  
-  Reported-by: Harry Sintonen
-  Closes #4878
-
-- docs/HTTP3: add --enable-alt-svc to curl's configure
-
-- RELEASE-PROCEDURE: feature win is closed post-release a few days
-  
-  We've tried to uphold this already but let's make it official by
-  publicly stating this is the way we do it.
-  
-  Closes #4877
-
-- altsvc: set h3 version at a common single spot
-  
-  ... and move the #ifdefs out of the functions. Addresses the fact they
-  were different before this change.
-  
-  Reported-by: Harry Sintonen
-  Closes #4876
-
-- [Harry Sintonen brought this change]
-
-  altsvc: improved header parser
-  
-  - Fixed the flag parsing to apply to specific alternative entry only, as
-  per RFC. The earlier code would also get totally confused by
-  multiprotocol header, parsing flags from the wrong part of the header.
-  
-  - Fixed the parser terminating on unknown protocols, instead of skipping
-  them.
-  
-  - Fixed a busyloop when protocol-id was present without an equal sign.
-  
-  Closes #4875
-
-- [Harry Sintonen brought this change]
-
-  ngtcp2: fixed to only use AF_INET6 when ENABLE_IPV6
-
-- docs/HTTP3: update the OpenSSL branch to use for ngtcp2
-  
-  Reported-by: James Fuller
-
-Steve Holme (4 Feb 2020)
-- ntlm: Pass the Curl_easy structure to the private winbind functions
-  
-  ...rather than the full conndata structure.
-
-Daniel Stenberg (4 Feb 2020)
-- RELEASE-NOTES: synced
-
-- tool_operhlp: Copyright year out of date, should be 2020
-  
-  Follow-up from 2bc373740a3
-
-- [Orgad Shaneh brought this change]
-
-  curl: avoid using strlen for testing if a string is empty
-  
-  Closes #4873
-
-Steve Holme (3 Feb 2020)
-- ntlm: Ensure the HTTP header data is not stored in the challenge/response
-
-Marcel Raad (3 Feb 2020)
-- openssl: remove redundant assignment
-  
-  Fixes a scan-build failure on Bionic.
-  
-  Closes https://github.com/curl/curl/pull/4872
-
-- travis: update non-OpenSSL Linux jobs to Bionic
-  
-  For the OpenSSL builds, test 323 [TLS-SRP to non-TLS-SRP server] is
-  failing with "curl returned 52, when expecting 35".
-  
-  Closes https://github.com/curl/curl/pull/4872
-
-Dan Fandrich (3 Feb 2020)
-- cirrus: Add some missing semicolons
-  
-  Newlines aren't preserved in this section so they're needed to separate
-  commands. The exports luckily worked anyway as a single long line, but
-  erroneously exported a variable called "export"
-  [skip ci]
-
-Daniel Gustafsson (2 Feb 2020)
-- [Pedro Monreal brought this change]
-
-  cleanup: fix typos and wording in docs and comments
-  
-  Closes #4869
-  Reviewed-by: Emil Engler and Daniel Gustafsson
-
-Steve Holme (2 Feb 2020)
-- ntlm: Move the winbind data into the NTLM data structure
-  
-  To assist with adding winbind support to the SASL NTLM authentication,
-  move the winbind specific data out of conndata into ntlmdata.
-
-Daniel Stenberg (30 Jan 2020)
-- quiche: Copyright year out of date
-  
-  Follow-up to 7fc63d72333a
-
-- altsvc: use h3-25
-  
-  Closes #4868
-
-- [Alessandro Ghedini brought this change]
-
-  quiche: update to draft-25
-  
-  Closes #4867
-
-- ngtcp2: update to git master and its draft-25 support
-  
-  Closes #4865
-
-- cookie: check __Secure- and __Host- case sensitively
-  
-  While most keywords in cookies are case insensitive, these prefixes are
-  specified explicitly to get checked "with a case-sensitive match".
-  
-  (From the 6265bis document in progress)
-  
-  Ref: https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-04
-  Closes #4864
-
-- KNOWN_BUGS: Multiple methods in a single WWW-Authenticate: header
-
-- oauth2-bearer.d: works for HTTP too
-  
-  Reported-by: Mischa Salle
-  Bug: https://curl.haxx.se/mail/lib-2020-01/0070.html
-  Closes #4862
-
-- multi_done: if multiplexed, make conn->data point to another transfer
-  
-  ... since the current transfer is being killed. Setting to NULL is
-  wrong, leaving it pointing to 'data' is wrong since that handle might be
-  about to get freed.
-  
-  Fixes #4845
-  Closes #4858
-  Reported-by: dmitrmax on github
-
-- location.d: the method change is from POST to GET only
-  
-  Not from generic non-GET to GET.
-  
-  Reported-by: Andrius Merkys
-  Ref: #4859
-  Closes #4861
-
-- urlapi: guess scheme correct even with credentials given
-  
-  In the "scheme-less" parsing case, we need to strip off credentials
-  first before we guess scheme based on the host name!
-  
-  Assisted-by: Jay Satiro
-  Fixes #4856
-  Closes #4857
-
-- global_init: move the IPv6 works status bool to multi handle
-  
-  Previously it was stored in a global state which contributed to
-  curl_global_init's thread unsafety. This boolean is now instead figured
-  out in curl_multi_init() and stored in the multi handle. Less effective,
-  but thread safe.
-  
-  Closes #4851
-
-- [Jay Satiro brought this change]
-
-  README: mention that the docs is in docs/
-  
-  Reported-by: Austin Green
-  Fixes #4830
-  Closes #4853
-
-- curl.h: define CURL_WIN32 on windows
-  
-  ... so that the subsequent logic below can use a single known define to know
-  when built on Windows (as we don't define WIN32 anymore).
-  
-  Follow-up to 1adebe7886ddf20b
-  
-  Reported-by: crazydef on github
-  Assisted-by: Marcel Raad
-  Fixes #4854
-  Closes #4855
-
-- RELEASE-NOTES: synced
-
-- [Jon Rumsey brought this change]
-
-  urldata: do string enums without #ifdefs for build scripts
-  
-  ... and check for inconsistencies for OS400 at build time with the new
-  chkstrings tool.
-  
-  Closes #4822
-
-- curl: make the -# spaceship bar not wrap the line
-  
-  The fixed-point math made us lose precision and thus a too high index
-  value could be used for outputting the hashtags which could overwrite
-  the newline.
-  
-  The fix increases the precision in the sine table (*100) and the
-  associated position math.
-  
-  Reported-by: Andrew Potter
-  Fixes #4849
-  Closes #4850
-
-- global_init: assume the EINTR bit by default
-  
-  - Removed from global_init since it isn't thread-safe. The symbol will
-    still remain to not break compiles, it just won't have any effect going
-    forward.
-  
-  - make the internals NOT loop on EINTR (the opposite from previously).
-    It only risks returning from the select/poll/wait functions early, and that
-    should be risk-free.
-  
-  Closes #4840
-
-- [Peter Piekarski brought this change]
-
-  conn: do not reuse connection if SOCKS proxy credentials differ
-  
-  Closes #4835
-
-- llist: removed unused Curl_llist_move()
-  
-  (and the corresponding unit test)
-  
-  Closes #4842
-
-- conncache: removed unused Curl_conncache_bundle_size()
-
-- strcase: turn Curl_raw_tolower into static
-  
-  Only ever used from within this file.
-
-- singleuse.pl: support new API functions, fix curl_dbg_ handling
-
-- wolfssh: make it init properly via Curl_ssh_init()
-  
-  Closes #4846
-
-- [Aron Rotteveel brought this change]
-
-  form.d: fix two minor typos
-  
-  Closes #4843
-
-- openssl: make CURLINFO_CERTINFO not truncate x509v3 fields
-  
-  Avoid "reparsing" the content and instead deliver more exactly what is
-  provided in the certificate and avoid truncating the data after 512
-  bytes as done previously. This no longer removes embedded newlines.
-  
-  Fixes #4837
-  Reported-by: bnfp on github
-  Closes #4841
-
-Jay Satiro (23 Jan 2020)
-- CURLOPT_PROXY_SSL_OPTIONS.3: Sync with CURLOPT_SSL_OPTIONS.3
-  
-  - Copy CURLOPT_SSL_OPTIONS.3 description to CURLOPT_PROXY_SSL_OPTIONS.3.
-  
-  Prior to this change CURLSSLOPT_NO_PARTIALCHAIN was missing from the
-  CURLOPT_PROXY_SSL_OPTIONS description.
-
-Daniel Stenberg (22 Jan 2020)
-- mk-ca-bundle: add support for CKA_NSS_SERVER_DISTRUST_AFTER
-  
-  For now, no cert in the bundle actually sets a date there...
-  
-  Co-Authored-by: Jay Satiro
-  Reported-by: Christian Heimes
-  Fixes #4834
-  Closes #4836
-
-- RELEASE-NOTES: synced
-
-- [Pavel Volgarev brought this change]
-
-  smtp: Allow RCPT TO command to fail for some recipients
-  
-  Introduces CURLOPT_MAIL_RCPT_ALLLOWFAILS.
-  
-  Verified with the new tests 3002-3007
-  
-  Closes #4816
-
-- copyright: fix year ranges
-  
-  follow-up from dea17b519d (one of these days I'll learn to check before
-  I push)
-
-- [nao brought this change]
-
-  http: move "oauth_bearer" from connectdata to Curl_easy
-  
-  Fixes the bug where oauth_bearer gets deallocated when we re-use a
-  connection.
-  
-  Closes #4824
-
-- [Emil Engler brought this change]
-
-  curl: Let -D merge headers in one file again
-  
-  Closes #4762
-  Fixes #4753
-
-- data.d: remove "Multiple files can also be specified"
-  
-  It is superfluous and could even be misleading.
-  
-  Bug: https://curl.haxx.se/mail/archive-2020-01/0016.html
-  Reported-by: Mike Norton
-  Closes #4832
-
-Marcel Raad (20 Jan 2020)
-- CMake: support specifying the target Windows version
-  
-  Previously, it was only possible to set it to Windows Vista or XP by
-  setting the option `ENABLE_INET_PTON` to `ON` resp. `OFF`.
-  Use a new cache variable `CURL_TARGET_WINDOWS_VERSION` to be able to
-  explicitly set the target Windows version. `ENABLE_INET_PTON` is
-  ignored in this case.
-  
-  Ref: https://github.com/curl/curl/pull/1639#issuecomment-313039352
-  Ref: https://github.com/curl/curl/pull/4607#issuecomment-557541456
-  Closes https://github.com/curl/curl/pull/4815
-
-Daniel Stenberg (20 Jan 2020)
-- http.h: Copyright year out of date, should be 2020
-  
-  Follow-up to 7ff9222ced8c
-
-- [加藤郁之 brought this change]
-
-  HTTP: increase EXPECT_100_THRESHOLD to 1Mb
-  
-  Mentioned: https://curl.haxx.se/mail/lib-2020-01/0050.html
-  
-  Closes #4814
-
-- ROADMAP: thread-safe `curl_global_init()`
-  
-  I'd like to see this happen.
-
-- RELEASE-NOTES: synced
-
-- wolfssl: use the wc-prefixed symbol alternatives
-  
-  The symbols without wc_ prefix are not always provided.
-  
-  Ref: https://github.com/wolfSSL/wolfssl/issues/2744
-  
-  Closes #4827
-
-- polarssl: removed
-  
-  As detailed in DEPRECATE.md, the polarssl support is now removed after
-  having been disabled for 6 months and nobody has missed it.
-  
-  The threadlock files used by mbedtls are renamed to an 'mbedtls' prefix
-  instead of the former 'polarssl' and the common functions that
-  previously were shared between mbedtls and polarssl and contained the
-  name 'polarssl' have now all been renamed to instead say 'mbedtls'.
-  
-  Closes #4825
-
-Marcel Raad (16 Jan 2020)
-- libssh2: fix variable type
-  
-  This led to a conversion warning on 64-bit MinGW, which has 32-bit
-  `long` but 64-bit `size_t`.
-  
-  Closes https://github.com/curl/curl/pull/4823
-
-Daniel Stenberg (16 Jan 2020)
-- curl:progressbarinit: ignore column width from terminals < 20
-  
-  To avoid division by zero - or other issues.
-  
-  Reported-by: Daniel Marjamäki
-  Closes #4818
-
-- wolfssh: set the password correctly for PASSWORD auth
-
-- wolfssh: remove fprintf() calls (and uses of __func__)
-
-Marcel Raad (14 Jan 2020)
-- CMake: use check_symbol_exists also for inet_pton
-  
-  It doesn't make much sense to only check if the function can be linked
-  when it's not declared in any header and that is treated as an error.
-  With the correct target Windows version set, the function is declared
-  in ws2tcpip.h and the comment above the modified block is invalid.
-  
-  Also, move the definition of `_WIN32_WINNT` up to before all symbol
-  availability checks so that we don't have to care which ones must be
-  done after it.
-  
-  Tested with Visual Studio 2019 and current MinGW-w64.
-  
-  Closes https://github.com/curl/curl/pull/4808
-
-Jay Satiro (13 Jan 2020)
-- schannel_verify: Fix alt names manual verify for UNICODE builds
-  
-  Follow-up to 29e40a6 from two days ago, which added that feature for
-  Windows 7 and earlier. The bug only occurred in same.
-  
-  Ref: https://github.com/curl/curl/pull/4761
-
-Daniel Stenberg (13 Jan 2020)
-- HTTP-COOKIES.md: describe the cookie file format
-  
-  ... and refer to that file from from CURLOPT_COOKIEFILE.3 and
-  CURLOPT_COOKIELIST.3
-  
-  Assisted-by: Jay Satiro
-  Reported-by: bsammon on github
-  Fixes #4805
-  Closes #4806
-
-- [Tobias Hieta brought this change]
-
-  CMake: Add support for CMAKE_LTO option.
-  
-  This enables Link Time Optimization. LTO is a proven technique for
-  optimizing across compilation units.
-  
-  Closes #4799
-
-- RELEASE-NOTES: synced
-
-- ConnectionExists: respect the max_concurrent_streams limits
-  
-  A regression made the code use 'multiplexed' as a boolean instead of the
-  counter it is intended to be. This made curl try to "over-populate"
-  connections with new streams.
-  
-  This regression came with 41fcdf71a1, shipped in curl 7.65.0.
-  
-  Also, respect the CURLMOPT_MAX_CONCURRENT_STREAMS value in the same
-  check.
-  
-  Reported-by: Kunal Ekawde
-  Fixes #4779
-  Closes #4784
-
-- curl: make #0 not output the full URL
-  
-  It was not intended nor documented!
-  
-  Added test 1176 to verify.
-  
-  Reported-by: vshmuk on hackerone
-  
-  Closes #4812
-
-- wolfSSH: new SSH backend
-  
-  Adds support for SFTP (not SCP) using WolfSSH.
-  
-  Closes #4231
-
-- curl: remove 'config' field from OutStruct
-  
-  As it was just unnecessary duplicated information already stored in the
-  'per_transfer' struct and that's around mostly anyway.
-  
-  The duplicated pointer caused problems when the code flow was aborted
-  before the dupe was filled in and could cause a NULL pointer access.
-  
-  Reported-by: Brian Carpenter
-  Fixes #4807
-  Closes #4810
-
-- misc: Copyright year out of date, should be 2020
-  
-  Follow-up to recent commits
-  
-  [skip ci]
-
-Jay Satiro (11 Jan 2020)
-- [Santino Keupp brought this change]
-
-  libssh2: add support for forcing a hostkey type
-  
-  - Allow forcing the host's key type found in the known_hosts file.
-  
-  Currently, curl (with libssh2) does not take keys from your known_hosts
-  file into account when talking to a server. With this patch the
-  known_hosts file will be searched for an entry matching the hostname
-  and, if found, libssh2 will be told to claim this key type from the
-  server.
-  
-  Closes https://github.com/curl/curl/pull/4747
-
-- [Nicolas Guillier brought this change]
-
-  cmake: Improve libssh2 check on Windows
-  
-  - Add "libssh2" name to FindLibSSH2 library search.
-  
-  On Windows systems, libSSH2 CMake installation may name the library
-  "LibSSH2".
-  
-  Prior to this change cmake only checked for name "ssh2". On Linux that
-  works fine because it will prepend the "lib", but it doesn't do that on
-  Windows.
-  
-  Closes https://github.com/curl/curl/pull/4804
-
-- [Faizur Rahman brought this change]
-
-  schannel: Make CURLOPT_CAINFO work better on Windows 7
-  
-  - Support hostname verification via alternative names (SAN) in the
-    peer certificate when CURLOPT_CAINFO is used in Windows 7 and earlier.
-  
-  CERT_NAME_SEARCH_ALL_NAMES_FLAG doesn't exist before Windows 8. As a
-  result CertGetNameString doesn't quite work on those versions of
-  Windows. This change provides an alternative solution for
-  CertGetNameString by iterating through CERT_ALT_NAME_INFO for earlier
-  versions of Windows.
-  
-  Prior to this change many certificates failed the hostname validation
-  when CURLOPT_CAINFO was used in Windows 7 and earlier. Most certificates
-  now represent multiple hostnames and rely on the alternative names field
-  exclusively to represent their hostnames.
-  
-  Reported-by: Jeroen Ooms
-  
-  Fixes https://github.com/curl/curl/issues/3711
-  Closes https://github.com/curl/curl/pull/4761
-
-- [Emil Engler brought this change]
-
-  ngtcp2: Add an error code for QUIC connection errors
-  
-  - Add new error code CURLE_QUIC_CONNECT_ERROR for QUIC connection
-    errors.
-  
-  Prior to this change CURLE_FAILED_INIT was used, but that was not
-  correct.
-  
-  Closes https://github.com/curl/curl/pull/4754
-
-- multi: Change curl_multi_wait/poll to error on negative timeout
-  
-  - Add new error CURLM_BAD_FUNCTION_ARGUMENT and return that error when
-    curl_multi_wait/poll is passed timeout param < 0.
-  
-  Prior to this change passing a negative value to curl_multi_wait/poll
-  such as -1 could cause the function to wait forever.
-  
-  Reported-by: hamstergene@users.noreply.github.com
-  
-  Fixes https://github.com/curl/curl/issues/4763
-  
-  Closes https://github.com/curl/curl/pull/4765
-
-- [Marc Aldorasi brought this change]
-
-  cmake: Enable SMB for Windows builds
-  
-  - Define USE_WIN32_CRYPTO by default. This enables SMB.
-  
-  - Show whether SMB is enabled in the "Enabled features" output.
-  
-  - Fix mingw compiler warning for call to CryptHashData by casting away
-    const param. mingw CryptHashData prototype is wrong.
-  
-  Closes https://github.com/curl/curl/pull/4717
-
-- vtls: Refactor Curl_multissl_version to make the code clearer
-  
-  Reported-by: Johannes Schindelin
-  
-  Ref: https://github.com/curl/curl/pull/3863#pullrequestreview-241395121
-  
-  Closes https://github.com/curl/curl/pull/4803
-
-Daniel Stenberg (10 Jan 2020)
-- fix: Copyright year out of date, should be 2020
-  
-  Follow-up to 875314ed0bf3b
-
-Marcel Raad (10 Jan 2020)
-- hostip: move code to resolve IP address literals to `Curl_resolv`
-  
-  The code was duplicated in the various resolver backends.
-  
-  Also, it was called after the call to `Curl_ipvalid`, which matters in
-  case of `CURLRES_IPV4` when called from `connect.c:bindlocal`. This
-  caused test 1048 to fail on classic MinGW.
-  
-  The code ignores `conn->ip_version` as done previously in the
-  individual resolver backends.
-  
-  Move the call to the `resolver_start` callback up to appease test 655,
-  which wants it to be called also for literal addresses.
-  
-  Closes https://github.com/curl/curl/pull/4798
-
-Daniel Stenberg (9 Jan 2020)
-- scripts/delta: adapt to new public header layout
-
-- test1167: verify global symbols in public headers are curl prefixed
-  
-  ... using the new badsymbols.pl perl script
-  
-  Fixes #4793
-  Closes #4794
-
-- libtest/mk-lib1521: adapt to new public header layout
-
-- include: remove non-curl prefixed defines
-  
-  ...requires some rearranging of the setup of CURLOPT_ and CURLMOPT_
-  enums.
-
-- curl.h: remove WIN32 define
-  
-  It isn't our job to define this in a public header - and it defines a
-  name outside of our naming scope.
-
-- tool_dirhie.c: fix the copyright year range
-  
-  Follow-up to: 4027bd72d9
-
-- bump: work towards 7.69.0 is started
-
-Jay Satiro (9 Jan 2020)
-- tool_dirhie: Allow directory traversal during creation
-  
-  - When creating a directory hierarchy do not error when mkdir fails due
-    to error EACCESS (13) "access denied".
-  
-  Some file systems allow for directory traversal; in this case that it
-  should be possible to create child directories when permission to the
-  parent directory is restricted.
-  
-  This is a regression caused by me in f16bed0 (precedes curl-7_61_1).
-  Basically I had assumed that if a directory already existed it would
-  fail only with error EEXIST, and not error EACCES. The latter may
-  happen if the directory exists but has certain restricted permissions.
-  
-  Reported-by: mbeifuss@users.noreply.github.com
-  
-  Fixes https://github.com/curl/curl/issues/4796
-  Closes https://github.com/curl/curl/pull/4797
-
-Daniel Stenberg (9 Jan 2020)
-- KNOWN_BUGS: AUTH PLAIN for SMTP is not working on all servers
-  
-  Closes #4080
-
-- docs/RELEASE-PROCEDURE.md: pushed some release dates
-  
-  Ref: https://curl.haxx.se/mail/lib-2020-01/0031.html
-
-- runtests: make random seed fixed for a month
-  
-  When using randomized features of runtests (-R and --shallow) it is
-  useful to have a fixed random seed to make sure for example extra
-  commits in a branch or a rebase won't change the seed that would make
-  repeated runs work differently.
-  
-  As it is also useful to change seed sometimes, the default seed is now
-  determined based on the current month (and first line curl -V
-  output). When the month changes, so will the random seed.
-  
-  The specific seed is also shown in the standard test suite top header
-  and it can be set explictly with the new --seed=[num] option so that the
-  exact order of a previous run can be achieved.
-  
-  Closes #4734
-
-- RELEASE-PROCEDURE.md: fix next release date (Feb 26)
-  
-  [skip ci]
-
-Version 7.68.0 (8 Jan 2020)
-
-Daniel Stenberg (8 Jan 2020)
-- RELEASE-NOTES: 7.68.0
-
-- THANKS: updated with names from the 7.68.0 release
-
-- RELEASE-PROCEDURE: add four future release dates
-  
-  and remove four past release dates
-  
-  [skip ci]
-
-Marcel Raad (6 Jan 2020)
-- TrackMemory tests: always remove CR before LF
-  
-  It was removed for output containing ' =' via `s/ =.*//`. With classic
-  MinGW, this made lines with `free()` end with CRLF, but lines with e.g.
-  `malloc()` end with only LF. The tests expect LF only.
-  
-  Closes https://github.com/curl/curl/pull/4788
-
-Daniel Stenberg (6 Jan 2020)
-- multi.h: move INITIAL_MAX_CONCURRENT_STREAMS from public header
-  
-  ... to the private multihhandle.h. It is not for public use and it
-  wasn't prefixed correctly anyway!
-  
-  Closes #4790
-
-- file: fix copyright year range
-  
-  Follow-up to 1b71bc532bd
-
-- curl -w: handle a blank input file correctly
-  
-  Previously it would end up with an uninitialized memory buffer that
-  would lead to a crash or junk getting output.
-  
-  Added test 1271 to verify.
-  
-  Reported-by: Brian Carpenter
-  Closes #4786
-
-- file: on Windows, refuse paths that start with \\
-  
-  ... as that might cause an unexpected SMB connection to a given host
-  name.
-  
-  Reported-by: Fernando Muñoz
-  CVE-2019-15601
-  Bug: https://curl.haxx.se/docs/CVE-2019-15601.html
-
-Jay Satiro (6 Jan 2020)
-- CURLOPT_READFUNCTION.3: fix fopen params in example
-
-- CURLOPT_READFUNCTION.3: fix variable name in example
-  
-  Reported-by: Paul Joyce
-  
-  Fixes https://github.com/curl/curl/issues/4787
-
-Daniel Stenberg (5 Jan 2020)
-- curl:getparameter return error for --http3 if libcurl doesn't support
-  
-  Closes #4785
-
-- docs: mention CURL_MAX_INPUT_LENGTH restrictions
-  
-  ... for curl_easy_setopt() and curl_url_set().
-  
-  [skip ci]
-  
-  Closes #4783
-
-- curl: properly free mimepost data
-  
-  ... as it could otherwise leak memory when a transfer failed.
-  
-  Added test 1293 to verify.
-  
-  Reported-by: Brian Carpenter
-  Fixes #4781
-  Closes #4782
-
-- curl: cleanup multi handle on failure
-  
-  ... to fix memory leak in error path.
-  
-  Fixes #4772
-  Closes #4780
-  Reported-by: Brian Carpenter
-
-Marcel Raad (3 Jan 2020)
-- lib: fix compiler warnings with `CURL_DISABLE_VERBOSE_STRINGS`
-  
-  Closes https://github.com/curl/curl/pull/4775
-
-Daniel Stenberg (3 Jan 2020)
-- COPYING: it's 2020!
-  
-  [skip ci]
-
-Jay Satiro (3 Jan 2020)
-- [Marc Aldorasi brought this change]
-
-  tests: Fix bounce requests with truncated writes
-  
-  Prior to this change the swsbounce check in service_connection could
-  fail because prevtestno and prevpartno were not set, which would cause
-  the wrong response data to be sent to some tests and cause them to fail.
-  
-  Ref: https://github.com/curl/curl/pull/4717#issuecomment-570240785
-
-Marcel Raad (31 Dec 2019)
-- tool: make a few char pointers point to const char instead
-  
-  These are read-only.
-  
-  Closes https://github.com/curl/curl/pull/4771
-
-Jay Satiro (31 Dec 2019)
-- tests: Change NTLM tests to require SSL
-  
-  Prior to this change tests that required NTLM feature did not require
-  SSL feature.
-  
-  There are pending changes to cmake builds that will allow enabling NTLM
-  in non-SSL builds in Windows. In that case the NTLM auth strings created
-  are different from what is expected by the NTLM tests and they fail:
-  
-  "The issue with NTLM is that previous non-SSL builds would not enable
-  NTLM and so the NTLM tests would be skipped."
-  
-  Assisted-by: marc-groundctl@users.noreply.github.com
-  
-  Ref: https://github.com/curl/curl/pull/4717#issuecomment-566218729
-  
-  Closes https://github.com/curl/curl/pull/4768
-
-- [Michael Forney brought this change]
-
-  bearssl: Improve I/O handling
-  
-  Factor out common I/O loop as bearssl_run_until, which reads/writes TLS
-  records until the desired engine state is reached. This is now used for
-  the handshake, read, write, and close.
-  
-  Match OpenSSL SSL_write behavior, and don't return the number of bytes
-  written until the corresponding records have been completely flushed
-  across the socket. This involves keeping track of the length of data
-  buffered into the TLS engine, and assumes that when CURLE_AGAIN is
-  returned, the write function will be called again with the same data
-  and length arguments. This is the same requirement of SSL_write.
-  
-  Handle TLS close notify as EOF when reading by returning 0.
-  
-  Closes https://github.com/curl/curl/pull/4748
-
-- travis: Fix error detection
-  
-  - Stop using inline shell scripts for before_script and script sections.
-  
-  Prior to this change Travis could ignore errors from commands in inline
-  scripts. I don't understand how or why it happens. This is a workaround.
-  
-  Assisted-by: Simon Warta
-  
-  Ref: https://github.com/travis-ci/travis-ci/issues/1066
-  
-  Fixes https://github.com/curl/curl/issues/3730
-  Closes https://github.com/curl/curl/pull/3755
-
-- tool_operate: fix mem leak when failed config parse
-  
-  Found by fuzzing the config file.
-  
-  Reported-by: Geeknik Labs
-  
-  Fixes https://github.com/curl/curl/issues/4767
-
-- [Xiang Xiao brought this change]
-
-  lib: remove erroneous +x file permission on some c files
-  
-  Modified by commit eb9a604 accidentally.
-  
-  Closes https://github.com/curl/curl/pull/4756
-
-- [Xiang Xiao brought this change]
-
-  lib: fix warnings found when porting to NuttX
-  
-  - Undefine DEBUGASSERT in curl_setup_once.h in case it was already
-    defined as a system macro.
-  
-  - Don't compile write32_le in curl_endian unless
-    CURL_SIZEOF_CURL_OFF_T > 4, since it's only used by Curl_write64_le.
-  
-  - Include <arpa/inet.h> in socketpair.c.
-  
-  Closes https://github.com/curl/curl/pull/4756
-
-- os400: Add missing CURLE error constants
-  
-  Bug: https://github.com/curl/curl/pull/4754#issuecomment-569126922
-  Reported-by: Emil Engler
-
-- CURLOPT_HEADERFUNCTION.3: Document that size is always 1
-  
-  For compatibility with `fwrite`, the `CURLOPT_HEADERFUNCTION` callback
-  is passed two `size_t` parameters which, when multiplied, designate the
-  number of bytes of data passed in. In practice, CURL always sets the
-  first parameter (`size`) to 1.
-  
-  This practice is also enshrined in documentation and cannot be changed
-  in future. The documentation states that the default callback is
-  `fwrite`, which means `fwrite` must be a suitable function for this
-  purpose. However, the documentation also states that the callback must
-  return the number of *bytes* it successfully handled, whereas ISO C
-  `fwrite` returns the number of items (each of size `size`) which it
-  wrote. The only way these numbers can be equal is if `size` is 1.
-  
-  Since `size` is 1 and can never be changed in future anyway, document
-  that fact explicitly and let users rely on it.
-  
-  Reported-by: Frank Gevaerts
-  Commit-message-by: Christopher Head
-  
-  Ref: https://github.com/curl/curl/pull/2787
-  
-  Fixes https://github.com/curl/curl/issues/4758
-
-- examples/postinmemory.c: Call curl_global_cleanup always
-  
-  Prior to this change curl_global_cleanup was not called if
-  curl_easy_init failed.
-  
-  Reported-by: kouzhudong@users.noreply.github.com
-  
-  Fixes https://github.com/curl/curl/issues/4751
-
-Daniel Stenberg (21 Dec 2019)
-- url2file.c: fix copyright year
-  
-  Follow-up to 525787269599b5
-
-- [Rickard Hallerbäck brought this change]
-
-  examples/url2file.c: corrected a comment
-  
-  The comment was confusing and suggested that setting CURLOPT_NOPROGRESS
-  to 0L would both enable and disable debug output at the same time, like
-  a Schrödinger's cat of CURLOPTs.
-  
-  Closes #4745
-
-- HISTORY: OSS-Fuzz started fuzzing libcurl in 2017
-
-- RELEASE-NOTES: synced
-
-Jay Satiro (20 Dec 2019)
-- ngtcp2: Support the latest update key callback type
-  
-  - Remove our cb_update_key in favor of ngtcp2's new
-    ngtcp2_crypto_update_key_cb which does the same thing.
-  
-  Several days ago the ngtcp2_update_key callback function prototype was
-  changed in ngtcp2/ngtcp2@42ce09c. Though it would be possible to
-  fix up our cb_update_key for that change they also added
-  ngtcp2_crypto_update_key_cb which does the same thing so we'll use that
-  instead.
-  
-  Ref: https://github.com/ngtcp2/ngtcp2/commit/42ce09c
-  
-  Closes https://github.com/curl/curl/pull/4735
-
-Daniel Stenberg (19 Dec 2019)
-- sws: search for "Testno:" header uncondtionally if no testno
-  
-  Even if the initial request line wasn't found. With the fix to 1455, the
-  test number is now detected correctly.
-  
-  (Problem found when running tests in random order.)
-  
-  Closes #4744
-
-- tests: set LC_ALL in more tests
-  
-  Follow-up to 23208e330ac0c21
-  
-  Closes #4743
-
-- test165: set LC_ALL=en_US.UTF-8 too
-  
-  On my current Debian Unstable with libidn2 2.2.0, I get an error if
-  LC_ALL is set to blank. Then curl errors out with:
-  
-  curl: (3) Failed to convert www.åäö.se to ACE; could not convert string to UTF-8
-  
-  Closes #4738
-
-- curl.h: add two defines for the "pre ISO C" case
-  
-  Without this fix, this caused a compilation failure on AIX with IBM xlc
-  13.1.3 compiler.
-  
-  Reported-by: Ram Krushna Mishra
-  Fixes #4739
-  Closes #4740
-
-- create_conn: prefer multiplexing to using new connections
-  
-  ... as it would previously prefer new connections rather than
-  multiplexing in most conditions! The (now removed) code was a leftover
-  from the Pipelining code that was translated wrongly into a
-  multiplex-only world.
-  
-  Reported-by: Kunal Ekawde
-  Bug: https://curl.haxx.se/mail/lib-2019-12/0060.html
-  Closes #4732
-
-- test1456: remove the use of a fixed local port
-  
-  Fixup the test to instead not compare the port number. It sometimes
-  caused problems like this:
-  
-  "curl: (45) bind failed with errno 98: Address already in use"
-  
-  Closes #4733
-
-Jay Satiro (18 Dec 2019)
-- CURLOPT_QUOTE.3: fix typos
-  
-  Prior to this change the EXAMPLE in the QUOTE/PREQUOTE/POSTQUOTE man
-  pages would not compile because a variable name was incorrect.
-  
-  Reported-by: Bylon2@users.noreply.github.com
-  
-  Fixes https://github.com/curl/curl/issues/4736
-
-- [Gisle Vanem brought this change]
-
-  strerror: Fix compiler warning "empty expression"
-  
-  - Remove the final semi-colon in the SEC2TXT() macro definition.
-  
-  Before:  #define SEC2TXT(sec) case sec: txt = #sec; break;
-  
-  After:   #define SEC2TXT(sec) case sec: txt = #sec; break
-  
-  Prior to this change SEC2TXT(foo); would generate break;; which caused
-  the empty expression warning.
-  
-  Ref: https://github.com/curl/curl/commit/5b22e1a#r36458547
-
-Daniel Stenberg (18 Dec 2019)
-- curl/parseconfig: use curl_free() to free memory allocated by libcurl
-  
-  Reported-by: bxac on github
-  Fixes #4730
-  Closes #4731
-
-- curl/parseconfig: fix mem-leak
-  
-  When looping, first trying '.curlrc' and then '_curlrc', the function
-  would not free the first string.
-  
-  Closes #4731
-
-- CURLOPT_URL.3: "curl supports SMB version 1 (only)"
-  
-  [skip ci]
-
-- test1270: a basic -w redirect_url test
-  
-  Closes #4728
-
-- HISTORY: the SMB(S) support landed in 2014
-
-- define: remove HAVE_ENGINE_LOAD_BUILTIN_ENGINES, not used anymore
-  
-  It is covered by USE_OPENSSL_ENGINE now.
-  
-  Reported-by: Gisle Vanem
-  Bug: https://github.com/curl/curl/commit/87b9337c8f76c21c57b204e88b68c6ecf3bd1ac0#commitcomment-36447951
-  
-  Closes #4725