libcurl: update to 7.64.1

1 files changed, 1659 insertions, 1396 deletions

diff --git a/libs/libcurl/docs/CHANGES b/libs/libcurl/docs/CHANGES
index b03c666643..b924571db6 100644
--- a/libs/libcurl/docs/CHANGES
+++ b/libs/libcurl/docs/CHANGES
@@ -6,6 +6,1665 @@
 
                                   Changelog
 
+Version 7.64.1 (27 Mar 2019)
+
+Daniel Stenberg (27 Mar 2019)
+- RELEASE: 7.64.1
+
+- Revert "ntlm: remove USE_WIN32_CRYPTO check to get USE_NTLM2SESSION set"
+  
+  This reverts commit 9130ead9fcabdb6b8fbdb37c0b38be2d326adb00.
+  
+  Fixes #3708
+
+- [Christian Schmitz brought this change]
+
+  ntlm: remove USE_WIN32_CRYPTO check to get USE_NTLM2SESSION set
+  
+  Closes #3704
+
+Jay Satiro (26 Mar 2019)
+- tool_cb_wrt: fix writing to Windows null device NUL
+  
+  - Improve console detection.
+  
+  Prior to this change WriteConsole could be called to write to a handle
+  that may not be a console, which would cause an error. This issue is
+  limited to character devices that are not also consoles such as the null
+  device NUL.
+  
+  Bug: https://github.com/curl/curl/issues/3175#issuecomment-439068724
+  Reported-by: Gisle Vanem
+
+- CURLMOPT_PIPELINING.3: fix typo
+
+Daniel Stenberg (25 Mar 2019)
+- TODO: config file parsing
+  
+  Closes #3698
+
+Jay Satiro (24 Mar 2019)
+- os400: Disable Alt-Svc by default since it's experimental
+  
+  Follow-up to 520f0b4 which added Alt-Svc support and enabled it by
+  default for OS400. Since the feature is experimental, it should be
+  disabled by default.
+  
+  Ref: https://github.com/curl/curl/commit/520f0b4#commitcomment-32792332
+  Ref: https://curl.haxx.se/mail/lib-2019-02/0008.html
+  
+  Closes https://github.com/curl/curl/pull/3688
+
+Dan Fandrich (24 Mar 2019)
+- tests: Fixed XML validation errors in some test files.
+
+- tests: Fix some incorrect precheck error messages.
+  
+  [ci skip]
+
+Daniel Stenberg (22 Mar 2019)
+- curl_url.3: this is not experimental anymore
+
+- travis: bump the used wolfSSL version to 4.0.0
+  
+  Test 311 is now fine, leaving only 313 (CRL) disabled.
+  
+  Test 313 details can be found here:
+  https://github.com/wolfSSL/wolfssl/issues/1546
+  
+  Closes #3697
+
+Daniel Gustafsson (22 Mar 2019)
+- lib: Fix typos in comments
+
+David Woodhouse (20 Mar 2019)
+- openssl: if cert type is ENG and no key specified, key is ENG too
+  
+  Fixes #3692
+  Closes #3692
+
+Daniel Stenberg (20 Mar 2019)
+- sectransp: tvOS 11 is required for ALPN support
+  
+  Reported-by: nianxuejie on github
+  Assisted-by: Nick Zitzmann
+  Assisted-by: Jay Satiro
+  Fixes #3689
+  Closes #3690
+
+- test1541: threaded connection sharing
+  
+  The threaded-shared-conn.c example turned into test case. Only works if
+  pthread was detected.
+  
+  An attempt to detect future regressions such as e3a53e3efb942a5
+  
+  Closes #3687
+
+Patrick Monnerat (17 Mar 2019)
+- os400: alt-svc support.
+  
+  Although experimental, enable it in the platform config file.
+  Upgrade ILE/RPG binding.
+
+Daniel Stenberg (17 Mar 2019)
+- conncache: use conn->data to know if a transfer owns it
+  
+  - make sure an already "owned" connection isn't returned unless
+    multiplexed.
+  
+  - clear ->data when returning the connection to the cache again
+  
+  Regression since 7.62.0 (probably in commit 1b76c38904f0)
+  
+  Bug: https://curl.haxx.se/mail/lib-2019-03/0064.html
+  
+  Closes #3686
+
+- RELEASE-NOTES: synced
+
+- [Chris Young brought this change]
+
+  configure: add --with-amissl
+  
+  AmiSSL is an Amiga native library which provides a wrapper over OpenSSL.
+  It also requires all programs using it to use bsdsocket.library
+  directly, rather than accessing socket functions through clib, which
+  libcurl was not necessarily doing previously. Configure will now check
+  for the headers and ensure they are included if found.
+  
+  Closes #3677
+
+- [Chris Young brought this change]
+
+  vtls: rename some of the SSL functions
+  
+  ... in the SSL structure as AmiSSL is using macros for the socket API
+  functions.
+
+- [Chris Young brought this change]
+
+  tool_getpass: termios.h is present on AmigaOS 3, but no tcgetattr/tcsetattr
+
+- [Chris Young brought this change]
+
+  tool_operate: build on AmigaOS
+
+- makefile: make checksrc and hugefile commands "silent"
+  
+  ... to match the style already used for compiling, linking
+  etc. Acknowledges 'make V=1' to enable verbose.
+  
+  Closes #3681
+
+- curl.1: --user and --proxy-user are hidden from ps output
+  
+  Suggested-by: Eric Curtin
+  Improved-by: Dan Fandrich
+  Ref: #3680
+  
+  Closes #3683
+
+- curl.1: mark the argument to --cookie as <data|filename>
+  
+  From a discussion in #3676
+  
+  Suggested-by: Tim Rühsen
+  
+  Closes #3682
+
+Dan Fandrich (14 Mar 2019)
+- fuzzer: Only clone the latest fuzzer code, for speed.
+
+Daniel Stenberg (14 Mar 2019)
+- [Dominik Hölzl brought this change]
+
+  Negotiate: fix for HTTP POST with Negotiate
+  
+  * Adjusted unit tests 2056, 2057
+  * do not generally close connections with CURLAUTH_NEGOTIATE after every request
+  * moved negotiatedata from UrlState to connectdata
+  * Added stream rewind logic for CURLAUTH_NEGOTIATE
+  * introduced negotiatedata::GSS_AUTHDONE and negotiatedata::GSS_AUTHSUCC
+  * Consider authproblem state for CURLAUTH_NEGOTIATE
+  * Consider reuse_forbid for CURLAUTH_NEGOTIATE
+  * moved and adjusted negotiate authentication state handling from
+    output_auth_headers into Curl_output_negotiate
+  * Curl_output_negotiate: ensure auth done is always set
+  * Curl_output_negotiate: Set auth done also if result code is
+    GSS_S_CONTINUE_NEEDED/SEC_I_CONTINUE_NEEDED as this result code may
+    also indicate the last challenge request (only works with disabled
+    Expect: 100-continue and CURLOPT_KEEP_SENDING_ON_ERROR -> 1)
+  * Consider "Persistent-Auth" header, detect if not present;
+    Reset/Cleanup negotiate after authentication if no persistent
+    authentication
+  * apply changes introduced with #2546 for negotiate rewind logic
+  
+  Fixes #1261
+  Closes #1975
+
+- [Marc Schlatter brought this change]
+
+  http: send payload when (proxy) authentication is done
+  
+  The check that prevents payload from sending in case of authentication
+  doesn't check properly if the authentication is done or not.
+  
+  They're cases where the proxy respond "200 OK" before sending
+  authentication challenge. This change takes care of that.
+  
+  Fixes #2431
+  Closes #3669
+
+- file: fix "Checking if unsigned variable 'readcount' is less than zero."
+  
+  Pointed out by codacy
+  
+  Closes #3672
+
+- memdebug: log pointer before freeing its data
+  
+  Coverity warned for two potentional "Use after free" cases. Both are false
+  positives because the memory wasn't used, it was only the actual pointer
+  value that was logged.
+  
+  The fix still changes the order of execution to avoid the warnings.
+  
+  Coverity CID 1443033 and 1443034
+  
+  Closes #3671
+
+- RELEASE-NOTES: synced
+
+Marcel Raad (12 Mar 2019)
+- travis: actually use updated compiler versions
+  
+  For the Linux builds, GCC 8 and 7 and clang 7 were installed, but the
+  new GCC versions were only used for the coverage build and for building
+  nghttp2, while the new clang version was not used at all.
+  
+  BoringSSL needs to use the default GCC as it respects CC, but not CXX,
+  so it would otherwise pass gcc 8 options to g++ 4.8 and fail.
+  
+  Also remove GCC 7, it's not needed anymore.
+  
+  Ref: https://docs.travis-ci.com/user/languages/c/#c11c11-and-beyond-and-toolchain-versioning
+  
+  Closes https://github.com/curl/curl/pull/3670
+
+- travis: update clang to version 7
+  
+  Closes https://github.com/curl/curl/pull/3670
+
+Jay Satiro (11 Mar 2019)
+- [Andre Guibert de Bruet brought this change]
+
+  examples/externalsocket: add missing close socket calls
+  
+  .. and for Windows also call WSACleanup since we call WSAStartup.
+  
+  The example is to demonstrate handling the socket independently of
+  libcurl. In this case libcurl is not responsible for creating, opening
+  or closing the socket, it is handled by the application (our example).
+  
+  Fixes https://github.com/curl/curl/pull/3663
+
+Daniel Stenberg (11 Mar 2019)
+- multi: removed unused code for request retries
+  
+  This code was once used for the non multi-interface using code path, but
+  ever since easy_perform was turned into a wrapper around the multi
+  interface, this code path never runs.
+  
+  Closes #3666
+
+Jay Satiro (11 Mar 2019)
+- doh: inherit some SSL options from user's easy handle
+  
+  - Inherit SSL options for the doh handle but not SSL client certs,
+    SSL ALPN/NPN, SSL engine, SSL version, SSL issuer cert,
+    SSL pinned public key, SSL ciphers, SSL id cache setting,
+    SSL kerberos or SSL gss-api settings.
+  
+  - Fix inheritance of verbose setting.
+  
+  - Inherit NOSIGNAL.
+  
+  There is no way for the user to set options for the doh (DNS-over-HTTPS)
+  handles and instead we inherit some options from the user's easy handle.
+  
+  My thinking for the SSL options not inherited is they are most likely
+  not intended by the user for the DOH transfer. I did inherit insecure
+  because I think that should still be in control of the user.
+  
+  Prior to this change doh did not work for me because CAINFO was not
+  inherited. Also verbose was set always which AFAICT was a bug (#3660).
+  
+  Fixes https://github.com/curl/curl/issues/3660
+  Closes https://github.com/curl/curl/pull/3661
+
+Daniel Stenberg (9 Mar 2019)
+- test331: verify set-cookie for dotless host name
+  
+  Reproduced bug #3649
+  Closes #3659
+
+- Revert "cookies: extend domain checks to non psl builds"
+  
+  This reverts commit 3773de378d48b06c09931e44dca4d274d0bfdce0.
+  
+  Regression shipped in 7.64.0
+  Fixes #3649
+
+- memdebug: make debug-specific functions use curl_dbg_ prefix
+  
+  To not "collide" or use up the regular curl_ name space. Also makes them
+  easier to detect in helper scripts.
+  
+  Closes #3656
+
+- cmdline-opts/proxytunnel.d: the option tunnnels all protocols
+  
+  Clarify the language and simplify.
+  
+  Reported-by: Daniel Lublin
+  Closes #3658
+
+- KNOWN_BUGS: Client cert (MTLS) issues with Schannel
+  
+  Closes #3145
+
+- ROADMAP: updated to some more current things to work on
+
+- tests: fix multiple may be used uninitialized warnings
+
+- RELEASE-NOTES: synced
+
+- source: fix two 'nread' may be used uninitialized warnings
+  
+  Both seem to be false positives but we don't like warnings.
+  
+  Closes #3646
+
+- gopher: remove check for path == NULL
+  
+  Since it can't be NULL and it makes Coverity believe we lack proper NULL
+  checks. Verified by test 659, landed in commit 15401fa886b.
+  
+  Pointed out by Coverity CID 1442746.
+  
+  Assisted-by: Dan Fandrich
+  Fixes #3617
+  Closes #3642
+
+- examples: only include <curl/curl.h>
+  
+  That's the only public curl header we should encourage use of.
+  
+  Reviewed-by: Marcel Raad
+  Closes #3645
+
+- ssh: loop the state machine if not done and not blocking
+  
+  If the state machine isn't complete, didn't fail and it didn't return
+  due to blocking it can just as well loop again.
+  
+  This addresses the problem with SFTP directory listings where we would
+  otherwise return back to the parent and as the multi state machine
+  doesn't have any code for using CURLM_CALL_MULTI_PERFORM for as long the
+  doing phase isn't complete, it would return out when in reality there
+  was more data to deal with.
+  
+  Fixes #3506
+  Closes #3644
+
+Jay Satiro (5 Mar 2019)
+- multi: support verbose conncache closure handle
+  
+  - Change closure handle to receive verbose setting from the easy handle
+    most recently added via curl_multi_add_handle.
+  
+  The closure handle is a special easy handle used for closing cached
+  connections. It receives limited settings from the easy handle most
+  recently added to the multi handle. Prior to this change that did not
+  include verbose which was a problem because on connection shutdown
+  verbose mode was not acknowledged.
+  
+  Ref: https://github.com/curl/curl/pull/3598
+  
+  Co-authored-by: Daniel Stenberg
+  
+  Closes https://github.com/curl/curl/pull/3618
+
+Daniel Stenberg (4 Mar 2019)
+- CURLU: fix NULL dereference when used over proxy
+  
+  Test 659 verifies
+  
+  Also fixed the test 658 name
+  
+  Closes #3641
+
+- altsvc_out: check the return code from Curl_gmtime
+  
+  Pointed out by Coverity, CID 1442956.
+  
+  Closes #3640
+
+- docs/ALTSVC.md: docs describing the approach
+  
+  Closes #3498
+
+- alt-svc: add a travis build
+
+- alt-svc: add test 355 and 356 to verify with command line curl
+
+- alt-svc: the curl command line bits
+
+- alt-svc: the libcurl bits
+
+- travis: add build using gnutls
+  
+  Closes #3637
+
+- RELEASE-NOTES: synced
+
+- [Simon Legner brought this change]
+
+  scripts/completion.pl: also generate fish completion file
+  
+  This is the renamed script formerly known as zsh.pl
+  
+  Closes #3545
+
+- gnutls: remove call to deprecated gnutls_compression_get_name
+  
+  It has been deprecated by GnuTLS since a year ago and now causes build
+  warnings.
+  
+  Ref: https://gitlab.com/gnutls/gnutls/commit/b0041897d2846737f5fb0f
+  Docs: https://www.gnutls.org/manual/html_node/Compatibility-API.html
+  
+  Closes #3636
+
+Jay Satiro (2 Mar 2019)
+- system_win32: move win32_init here from easy.c
+  
+  .. since system_win32 is a more appropriate location for the functions
+  and to extern the globals.
+  
+  Ref: https://github.com/curl/curl/commit/ca597ad#r32446578
+  Reported-by: Gisle Vanem
+  
+  Closes https://github.com/curl/curl/pull/3625
+
+Daniel Stenberg (1 Mar 2019)
+- curl_easy_duphandle.3: clarify that a duped handle has no shares
+  
+  Reported-by: Sara Golemon
+  
+  Fixes #3592
+  Closes #3634
+
+- 10-at-a-time.c: fix too long line
+
+- [Arnaud Rebillout brought this change]
+
+  examples: various fixes in ephiperfifo.c
+  
+  The main change here is the timer value that was wrong, it was given in
+  usecs (ms * 1000), while the itimerspec struct wants nsecs (ms * 1000 *
+  1000). This resulted in the callback being invoked WAY TOO OFTEN.
+  
+  As a quick check you can run this command before and after applying this
+  commit:
+  
+      # shell 1
+      ./ephiperfifo 2>&1 | tee ephiperfifo.log
+      # shell 2
+      echo http://hacking.elboulangero.com > hiper.fifo
+  
+  Then just compare the size of the logs files.
+  
+  Closes #3633
+  Fixes #3632
+  Signed-off-by: Arnaud Rebillout <arnaud.rebillout@collabora.com>
+
+- urldata: simplify bytecounters
+  
+  - no need to have them protocol specific
+  
+  - no need to set pointers to them with the Curl_setup_transfer() call
+  
+  - make Curl_setup_transfer() operate on a transfer pointer, not
+    connection
+  
+  - switch some counters from long to the more proper curl_off_t type
+  
+  Closes #3627
+
+- examples/10-at-a-time.c: improve readability and simplify
+  
+   - use better variable names to explain their purposes
+   - convert logic to curl_multi_wait()
+
+- threaded-resolver: shutdown the resolver thread without error message
+  
+  When a transfer is done, the resolver thread will be brought down. That
+  could accidentally generate an error message in the error buffer even
+  though this is not an error situationand the transfer would still return
+  OK.  An application that still reads the error buffer could find a
+  "Could not resolve host: [host name]" message there and get confused.
+  
+  Reported-by: Michael Schmid
+  Fixes #3629
+  Closes #3630
+
+- [Ԝеѕ brought this change]
+
+  docs: update max-redirs.d phrasing
+  
+  clarify redir - "in absurdum" doesn't seem to make sense in this context
+  
+  Closes #3631
+
+- ssh: fix Condition '!status' is always true
+  
+  in the same sftp_done function in both SSH backends. Simplify them
+  somewhat.
+  
+  Pointed out by Codacy.
+  
+  Closes #3628
+
+- test578: make it read data from the correct test
+
+- Curl_easy: remove req.maxfd - never used!
+  
+  Introduced in 8b6314ccfb, but not used anymore in current code. Unclear
+  since when.
+  
+  Closes #3626
+
+- http: set state.infilesize when sending formposts
+  
+  Without it set, we would unwillingly triger the "HTTP error before end
+  of send, stop sending" condition even if the entire POST body had been
+  sent (since it wouldn't know the expected size) which would
+  unnecessarily log that message and close the connection when it didn't
+  have to.
+  
+  Reported-by: Matt McClure
+  Bug: https://curl.haxx.se/mail/archive-2019-02/0023.html
+  Closes #3624
+
+- INSTALL: refer to the current TLS library names and configure options
+
+- FAQ: minor updates and spelling fixes
+
+- GOVERNANCE.md: minor spelling fixes
+
+- Secure Transport: no more "darwinssl"
+  
+  Everyone calls it Secure Transport, now we do too.
+  
+  Reviewed-by: Nick Zitzmann
+  
+  Closes #3619
+
+Marcel Raad (27 Feb 2019)
+- AppVeyor: add classic MinGW build
+  
+  But use the MSYS2 shell rather than the default MSYS shell because of
+  POSIX path conversion issues. Classic MinGW is only available on the
+  Visual Studio 2015 image.
+  
+  Closes https://github.com/curl/curl/pull/3623
+
+- AppVeyor: add MinGW-w64 build
+  
+  Add a MinGW-w64 build using CMake's MSYS Makefiles generator.
+  Use the Visual Studio 2015 image as it has GCC 8, while the
+  Visual Studio 2017 image only has GCC 7.2.
+  
+  Closes https://github.com/curl/curl/pull/3623
+
+Daniel Stenberg (27 Feb 2019)
+- cookies: only save the cookie file if the engine is enabled
+  
+  Follow-up to 8eddb8f4259.
+  
+  If the cookieinfo pointer is NULL there really is nothing to save.
+  
+  Without this fix, we got a problem when a handle was using shared object
+  with cookies and is told to "FLUSH" it to file (which worked) and then
+  the share object was removed and when the easy handle was closed just
+  afterwards it has no cookieinfo and no cookies so it decided to save an
+  empty jar (overwriting the file just flushed).
+  
+  Test 1905 now verifies that this works.
+  
+  Assisted-by: Michael Wallner
+  Assisted-by: Marcel Raad
+  
+  Closes #3621
+
+- [DaVieS brought this change]
+
+  cacertinmem.c: use multiple certificates for loading CA-chain
+  
+  Closes #3421
+
+- urldata: convert bools to bitfields and move to end
+  
+  This allows the compiler to pack and align the structs better in
+  memory. For a rather feature-complete build on x86_64 Linux, gcc 8.1.2
+  makes the Curl_easy struct 4.9% smaller. From 6312 bytes to 6000.
+  
+  Removed an unused struct field.
+  
+  No functionality changes.
+  
+  Closes #3610
+
+- [Don J Olmstead brought this change]
+
+  curl.h: use __has_declspec_attribute for shared builds
+  
+  Closes #3616
+
+- curl: display --version features sorted alphabetically
+  
+  Closes #3611
+
+- runtests: detect "schannel" as an alias for "winssl"
+  
+  Follow-up to 180501cb02
+  
+  Reported-by: Marcel Raad
+  Fixes #3609
+  Closes #3620
+
+Marcel Raad (26 Feb 2019)
+- AppVeyor: update to Visual Studio 2017
+  
+  Switch all Visual Studio 2015 builds to Visual Studio 2017. It's not a
+  moving target anymore as the last update, Update 9, has been released.
+  
+  Closes https://github.com/curl/curl/pull/3606
+
+- AppVeyor: switch VS 2015 builds to VS 2017 image
+  
+  The Visual Studio 2017 image has Visual Studio 2015 and 2017 installed.
+  
+  Closes https://github.com/curl/curl/pull/3606
+
+- AppVeyor: explicitly select worker image
+  
+  Currently, we're using the default Visual Studio 2015 image for
+  everything.
+  
+  Closes https://github.com/curl/curl/pull/3606
+
+Daniel Stenberg (26 Feb 2019)
+- strerror: make the strerror function use local buffers
+  
+  Instead of using a fixed 256 byte buffer in the connectdata struct.
+  
+  In my build, this reduces the size of the connectdata struct by 11.8%,
+  from 2160 to 1904 bytes with no functionality or performance loss.
+  
+  This also fixes a bug in schannel's Curl_verify_certificate where it
+  called Curl_sspi_strerror when it should have called Curl_strerror for
+  string from GetLastError. the only effect would have been no text or the
+  wrong text being shown for the error.
+  
+  Co-authored-by: Jay Satiro
+  
+  Closes #3612
+
+- [Michael Wallner brought this change]
+
+  cookies: fix NULL dereference if flushing cookies with no CookieInfo set
+  
+  Regression brought by a52e46f3900fb0 (shipped in 7.63.0)
+  
+  Closes #3613
+
+Marcel Raad (26 Feb 2019)
+- AppVeyor: re-enable test 500
+  
+  It's passing now.
+  
+  Closes https://github.com/curl/curl/pull/3615
+
+- AppVeyor: remove redundant builds
+  
+  Remove the Visual Studio 2012 and 2013 builds as they add little value.
+  
+  Ref: https://github.com/curl/curl/pull/3606
+  Closes https://github.com/curl/curl/pull/3614
+
+Daniel Stenberg (25 Feb 2019)
+- RELEASE-NOTES: synced
+
+- [Bernd Mueller brought this change]
+
+  OpenSSL: add support for TLS ASYNC state
+  
+  Closes #3591
+
+Jay Satiro (25 Feb 2019)
+- [Michael Felt brought this change]
+
+  acinclude: add additional libraries to check for LDAP support
+  
+  - Add an additional check for LDAP that also checks for OpenSSL since
+    on AIX those libraries may be required to link LDAP properly.
+  
+  Fixes https://github.com/curl/curl/issues/3595
+  Closes https://github.com/curl/curl/pull/3596
+
+- [georgeok brought this change]
+
+  schannel: support CALG_ECDH_EPHEM algorithm
+  
+  Add support for Ephemeral elliptic curve Diffie-Hellman key exchange
+  algorithm option when selecting ciphers. This became available on the
+  Win10 SDK.
+  
+  Closes https://github.com/curl/curl/pull/3608
+
+Daniel Stenberg (24 Feb 2019)
+- multi: call multi_done on connect timeouts
+  
+  Failing to do so would make the CURLINFO_TOTAL_TIME timeout to not get
+  updated correctly and could end up getting reported to the application
+  completely wrong (way too small).
+  
+  Reported-by: accountantM on github
+  Fixes #3602
+  Closes #3605
+
+- examples: remove recursive calls to curl_multi_socket_action
+  
+  From within the timer callbacks. Recursive is problematic for several
+  reasons. They should still work, but this way the examples and the
+  documentation becomes simpler. I don't think we need to encourage
+  recursive calls.
+  
+  Discussed in #3537
+  Closes #3601
+
+Marcel Raad (23 Feb 2019)
+- configure: remove CURL_CHECK_FUNC_FDOPEN call
+  
+  The macro itself has been removed in commit
+  11974ac859c5d82def59e837e0db56fef7f6794e.
+  
+  Closes https://github.com/curl/curl/pull/3604
+
+Daniel Stenberg (23 Feb 2019)
+- wolfssl: stop custom-adding curves
+  
+  since wolfSSL PR https://github.com/wolfSSL/wolfssl/pull/717 (shipped in
+  wolfSSL 3.10.2 and later) it sends these curves by default already.
+  
+  Pointed-out-by: David Garske
+  
+  Closes #3599
+
+- configure: remove the unused fdopen macro
+  
+  and the two remaining #ifdefs for it
+  
+  Closes #3600
+
+Jay Satiro (22 Feb 2019)
+- url: change conn shutdown order to unlink data as last step
+  
+  - Split off connection shutdown procedure from Curl_disconnect into new
+    function conn_shutdown.
+  
+  - Change the shutdown procedure to close the sockets before
+    disassociating the transfer.
+  
+  Prior to this change the sockets were closed after disassociating the
+  transfer so SOCKETFUNCTION wasn't called since the transfer was already
+  disassociated. That likely came about from recent work started in
+  Jan 2019 (#3442) to separate transfers from connections.
+  
+  Bug: https://curl.haxx.se/mail/lib-2019-02/0101.html
+  Reported-by: Pavel Löbl
+  
+  Closes https://github.com/curl/curl/issues/3597
+  Closes https://github.com/curl/curl/pull/3598
+
+Marcel Raad (22 Feb 2019)
+- Fix strict-prototypes GCC warning
+  
+  As seen in the MinGW autobuilds. Caused by commit
+  f26bc29cfec0be84c67cf74065cf8e5e78fd68b7.
+
+Dan Fandrich (21 Feb 2019)
+- tests: Fixed XML validation errors in some test files.
+
+Daniel Stenberg (20 Feb 2019)
+- TODO: Allow SAN names in HTTP/2 server push
+  
+  Suggested-by: Nicolas Grekas
+
+- RELEASE-NOTES: synced
+
+- curl: remove MANUAL from -M output
+  
+  ... and remove it from the dist tarball. It has served its time, it
+  barely gets updated anymore and "everything curl" is now convering all
+  this document once tried to include, and does it more and better.
+  
+  In the compressed scenario, this removes ~15K data from the binary,
+  which is 25% of the -M output.
+  
+  It remains in the git repo for now for as long as the web site builds a
+  page using that as source. It renders poorly on the site (especially for
+  mobile users) so its not even good there.
+  
+  Closes #3587
+
+- http2: verify :athority in push promise requests
+  
+  RFC 7540 says we should verify that the push is for an "authoritative"
+  server. We make sure of this by only allowing push with an :athority
+  header that matches the host that was asked for in the URL.
+  
+  Fixes #3577
+  Reported-by: Nicolas Grekas
+  Bug: https://curl.haxx.se/mail/lib-2019-02/0057.html
+  Closes #3581
+
+- singlesocket: fix the 'sincebefore' placement
+  
+  The variable wasn't properly reset within the loop and thus could remain
+  set for sockets that hadn't been set before and miss notifying the app.
+  
+  This is a follow-up to 4c35574 (shipped in curl 7.64.0)
+  
+  Reported-by: buzo-ffm on github
+  Detected-by: Jan Alexander Steffens
+  Fixes #3585
+  Closes #3589
+
+- connection: never reuse CONNECT_ONLY conections
+  
+  and make CONNECT_ONLY conections never reuse any existing ones either.
+  
+  Reported-by: Pavel Löbl
+  Bug: https://curl.haxx.se/mail/lib-2019-02/0064.html
+  Closes #3586
+
+Patrick Monnerat (19 Feb 2019)
+- cli tool: fix mime post with --disable-libcurl-option configure option
+  
+  Reported-by: Marcel Raad
+  Fixes #3576
+  Closes #3583
+
+Daniel Stenberg (19 Feb 2019)
+- x509asn1: cleanup and unify code layout
+  
+  - rename 'n' to buflen in functions, and use size_t for them. Don't pass
+    in negative buffer lengths.
+  
+  - move most function comments to above the function starts like we use
+    to
+  
+  - remove several unnecessary typecasts (especially of NULL)
+  
+  Reviewed-by: Patrick Monnerat
+  Closes #3582
+
+- curl_multi_remove_handle.3: use at any time, just not from within callbacks
+  
+  [ci skip]
+
+- http: make adding a blank header thread-safe
+  
+  Previously the function would edit the provided header in-place when a
+  semicolon is used to signify an empty header. This made it impossible to
+  use the same set of custom headers in multiple threads simultaneously.
+  
+  This approach now makes a local copy when it needs to edit the string.
+  
+  Reported-by: d912e3 on github
+  Fixes #3578
+  Closes #3579
+
+- unit1651: survive curl_easy_init() fails
+
+- [Frank Gevaerts brought this change]
+
+  rand: Fix a mismatch between comments in source and header.
+  
+  Reported-by: Björn Stenberg <bjorn@haxx.se>
+  Closes #3584
+
+Patrick Monnerat (18 Feb 2019)
+- x509asn1: replace single char with an array
+  
+  Although safe in this context, using a single char as an array may
+  cause invalid accesses to adjacent memory locations.
+  
+  Detected by Coverity.
+
+Daniel Stenberg (18 Feb 2019)
+- examples/http2-serverpush: add some sensible error checks
+  
+  To avoid NULL pointer dereferences etc in the case of problems.
+  
+  Closes #3580
+
+Jay Satiro (18 Feb 2019)
+- easy: fix win32 init to work without CURL_GLOBAL_WIN32
+  
+  - Change the behavior of win32_init so that the required initialization
+    procedures are not affected by CURL_GLOBAL_WIN32 flag.
+  
+  libcurl via curl_global_init supports initializing for win32 with an
+  optional flag CURL_GLOBAL_WIN32, which if omitted was meant to stop
+  Winsock initialization. It did so internally by skipping win32_init()
+  when that flag was set. Since then win32_init() has been expanded to
+  include required initialization routines that are separate from
+  Winsock and therefore must be called in all cases. This commit fixes
+  it so that CURL_GLOBAL_WIN32 only controls the optional win32
+  initialization (which is Winsock initialization, according to our doc).
+  
+  The only users affected by this change are those that don't pass
+  CURL_GLOBAL_WIN32 to curl_global_init. For them this commit removes the
+  risk of a potential crash.
+  
+  Ref: https://github.com/curl/curl/pull/3573
+  
+  Fixes https://github.com/curl/curl/issues/3313
+  Closes https://github.com/curl/curl/pull/3575
+
+Daniel Gustafsson (17 Feb 2019)
+- cookie: Add support for cookie prefixes
+  
+  The draft-ietf-httpbis-rfc6265bis-02 draft, specify a set of prefixes
+  and how they should affect cookie initialization, which has been
+  adopted by the major browsers. This adds support for the two prefixes
+  defined, __Host- and __Secure, and updates the testcase with the
+  supplied examples from the draft.
+  
+  Closes #3554
+  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+- mbedtls: release sessionid resources on error
+  
+  If mbedtls_ssl_get_session() fails, it may still have allocated
+  memory that needs to be freed to avoid leaking. Call the library
+  API function to release session resources on this errorpath as
+  well as on Curl_ssl_addsessionid() errors.
+  
+  Closes: #3574
+  Reported-by: Michał Antoniak <M.Antoniak@posnet.com>
+  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+Patrick Monnerat (16 Feb 2019)
+- cli tool: refactor encoding conversion sequence for switch case fallthrough.
+
+- version.c: silent scan-build even when librtmp is not enabled
+
+Daniel Stenberg (15 Feb 2019)
+- RELEASE-NOTES: synced
+
+- Curl_now: figure out windows version in win32_init
+  
+  ... and avoid use of static variables that aren't thread safe.
+  
+  Fixes regression from e9ababd4f5a (present in the 7.64.0 release)
+  
+  Reported-by: Paul Groke
+  Fixes #3572
+  Closes #3573
+
+Marcel Raad (15 Feb 2019)
+- unit1307: just fail without FTP support
+  
+  I missed to check this in with commit
+  71786c0505926aaf7e9b2477b2fb7ee16a915ec6, which only disabled the test.
+  This fixes the actual linker error.
+  
+  Closes https://github.com/curl/curl/pull/3568
+
+Daniel Stenberg (15 Feb 2019)
+- travis: enable valgrind for the iconv tests too
+  
+  Closes #3571
+
+- travis: add scan-build
+  
+  Closes #3564
+
+- examples/sftpuploadresume: Value stored to 'result' is never read
+  
+  Detected by scan-build
+
+- examples/http2-upload: cleaned up
+  
+  Fix scan-build warnings, no globals, no silly handle scan. Also remove
+  handles from the multi before cleaning up.
+
+- examples/http2-download: cleaned up
+  
+  To avoid scan-build warnings and global variables.
+
+- examples/postinmemory: Potential leak of memory pointed to by 'chunk.memory'
+  
+  Detected by scan-build
+
+- examples/httpcustomheader: Value stored to 'res' is never read
+  
+  Detected by scan-build
+
+- examples: remove superfluous null-pointer checks
+  
+  in ftpget, ftpsget and sftpget, so that scan-build stops warning for
+  potential NULL pointer dereference below!
+  
+  Detected by scan-build
+
+- strip_trailing_dot: make sure NULL is never used for strlen
+  
+  scan-build warning: Null pointer passed as an argument to a 'nonnull'
+  parameter
+
+- [Jay Satiro brought this change]
+
+  connection_check: restore original conn->data after the check
+  
+  - Save the original conn->data before it's changed to the specified
+    data transfer for the connection check and then restore it afterwards.
+  
+  This is a follow-up to 38d8e1b 2019-02-11.
+  
+  History:
+  
+  It was discovered a month ago that before checking whether to extract a
+  dead connection that that connection should be associated with a "live"
+  transfer for the check (ie original conn->data ignored and set to the
+  passed in data). A fix was landed in 54b201b which did that and also
+  cleared conn->data after the check. The original conn->data was not
+  restored, so presumably it was thought that a valid conn->data was no
+  longer needed.
+  
+  Several days later it was discovered that a valid conn->data was needed
+  after the check and follow-up fix was landed in bbae24c which partially
+  reverted the original fix and attempted to limit the scope of when
+  conn->data was changed to only when pruning dead connections. In that
+  case conn->data was not cleared and the original conn->data not
+  restored.
+  
+  A month later it was discovered that the original fix was somewhat
+  correct; a "live" transfer is needed for the check in all cases
+  because original conn->data could be null which could cause a bad deref
+  at arbitrary points in the check. A fix was landed in 38d8e1b which
+  expanded the scope to all cases. conn->data was not cleared and the
+  original conn->data not restored.
+  
+  A day later it was discovered that not restoring the original conn->data
+  may lead to busy loops in applications that use the event interface, and
+  given this observation it's a pretty safe assumption that there is some
+  code path that still needs the original conn->data. This commit is the
+  follow-up fix for that, it restores the original conn->data after the
+  connection check.
+  
+  Assisted-by: tholin@users.noreply.github.com
+  Reported-by: tholin@users.noreply.github.com
+  
+  Fixes https://github.com/curl/curl/issues/3542
+  Closes #3559
+
+- memdebug: bring back curl_mark_sclose
+  
+  Used by debug builds with NSS.
+  
+  Reverted from 05b100aee247bb
+
+Patrick Monnerat (14 Feb 2019)
+- transfer.c: do not compute length of undefined hex buffer.
+  
+  On non-ascii platforms, the chunked hex header was measured for char code
+  conversion length, even for chunked trailers that do not have an hex header.
+  In addition, the efective length is already known: use it.
+  Since the hex length can be zero, only convert if needed.
+  
+  Reported by valgrind.
+
+Daniel Stenberg (14 Feb 2019)
+- KNOWN_BUGS: Cannot compile against a static build of OpenLDAP
+  
+  Closes #2367
+
+Patrick Monnerat (14 Feb 2019)
+- x509asn1: "Dereference of null pointer"
+  
+  Detected by scan-build (false positive).
+
+Daniel Stenberg (14 Feb 2019)
+- configure: show features as well in the final summary
+  
+  Closes #3569
+
+- KNOWN_BUGS: curl compiled on OSX 10.13 failed to run on OSX 10.10
+  
+  Closes #2905
+
+- KNOWN_BUGS: Deflate error after all content was received
+  
+  Closes #2719
+
+- gssapi: fix deprecated header warnings
+  
+  Heimdal includes on FreeBSD spewed out lots of them. Less so now.
+  
+  Closes #3566
+
+- TODO: Upgrade to websockets
+  
+  Closes #3523
+
+- TODO: cmake test suite improvements
+  
+  Closes #3109
+
+Patrick Monnerat (13 Feb 2019)
+- curl: "Dereference of null pointer"
+  
+  Rephrase to satisfy scan-build.
+
+Marcel Raad (13 Feb 2019)
+- unit1307: require FTP support
+  
+  This test doesn't link without FTP support after
+  fc7ab4835b5fd09d0a6f57000633bb6bb6edfda1, which made Curl_fnmatch
+  unavailable without FTP support.
+  
+  Closes https://github.com/curl/curl/pull/3565
+
+Daniel Stenberg (13 Feb 2019)
+- TODO: TFO support on Windows
+  
+  Nobody works on this now.
+  
+  Closes #3378
+
+- multi: Dereference of null pointer
+  
+  Mostly a false positive, but this makes the code easier to read anyway.
+  
+  Detected by scan-build.
+  
+  Closes #3563
+
+- urlglob: Argument with 'nonnull' attribute passed null
+  
+  Detected by scan-build.
+
+Jay Satiro (12 Feb 2019)
+- schannel: restore some debug output but only for debug builds
+  
+  Follow-up to 84c10dc from earlier today which wrapped a lot of the noisy
+  debug output in DEBUGF but omitted a few lines.
+  
+  Ref: https://github.com/curl/curl/commit/84c10dc#r32292900
+
+- examples/crawler: Fix the Accept-Encoding setting
+  
+  - Pass an empty string to CURLOPT_ACCEPT_ENCODING to use the default
+    supported encodings.
+  
+  Prior to this change the specific encodings of gzip and deflate were set
+  but there's no guarantee they'd be supported by the user's libcurl.
+
+Daniel Stenberg (12 Feb 2019)
+- mime: put the boundary buffer into the curl_mime struct
+  
+  ... instead of allocating it separately and point to it. It is
+  fixed-size and always used for each part.
+  
+  Closes #3561
+
+- schannel: be quiet
+  
+  Convert numerous infof() calls into debug-build only messages since they
+  are annoyingly verbose for regular applications. Removed a few.
+  
+  Bug: https://curl.haxx.se/mail/lib-2019-02/0027.html
+  Reported-by: Volker Schmid
+  Closes #3552
+
+- [Romain Geissler brought this change]
+
+  Curl_resolv: fix a gcc -Werror=maybe-uninitialized warning
+  
+  Closes #3562
+
+- http2: multi_connchanged() moved from multi.c, only used for h2
+  
+  Closes #3557
+
+- curl: "Function call argument is an uninitialized value"
+  
+  Follow-up to cac0e4a6ad14b42471eb
+  
+  Detected by scan-build
+  Closes #3560
+
+- pretransfer: don't strlen() POSTFIELDS set for GET requests
+  
+  ... since that data won't be used in the request anyway.
+  
+  Fixes #3548
+  Reported-by: Renaud Allard
+  Close #3549
+
+- multi: remove verbose "Expire in" ... messages
+  
+  Reported-by: James Brown
+  Bug: https://curl.haxx.se/mail/archive-2019-02/0013.html
+  Closes #3558
+
+- mbedtls: make it build even if MBEDTLS_VERSION_C isn't set
+  
+  Reported-by: MAntoniak on github
+  Fixes #3553
+  Closes #3556
+
+Daniel Gustafsson (12 Feb 2019)
+- non-ascii.c: fix typos in comments
+  
+  Fix two occurrences of s/convers/converts/ spotted while reading code.
+
+Daniel Stenberg (12 Feb 2019)
+- fnmatch: disable if FTP is disabled
+  
+  Closes #3551
+
+- curl_path: only enabled for SSH builds
+
+- [Frank Gevaerts brought this change]
+
+  tests: add stderr comparison to the test suite
+  
+  The code is more or less copied from the stdout comparison code, maybe
+  some better reuse is possible.
+  
+  test 1457 is adjusted to make the output actually match (by using --silent)
+  test 506 used <stderr> without actually needing it, so that <stderr> block is removed
+  
+  Closes #3536
+
+Patrick Monnerat (11 Feb 2019)
+- cli tool: do not use mime.h private structures.
+  
+  Option -F generates an intermediate representation of the mime structure
+  that is used later to create the libcurl mime structure and generate
+  the --libcurl statements.
+  
+  Reported-by: Daniel Stenberg
+  Fixes #3532
+  Closes #3546
+
+Daniel Stenberg (11 Feb 2019)
+- curlver: bump to 7.64.1-dev
+
+- RELEASE-NOTES: synced
+  
+  and bump the version in progress to 7.64.1. If we merge any "change"
+  before the cut-off date, we update again.
+
+Daniel Gustafsson (11 Feb 2019)
+- curl: follow-up to 3f16990ec84
+  
+  Commit 3f16990ec84cc4b followed-up a bug in b49652ac66cc0 but was
+  inadvertently introducing a new bug in the ternary expression.
+  
+  Close #3555
+  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+- dns: release sharelock as soon as possible
+  
+  There is no benefit to holding the data sharelock when freeing the
+  addrinfo in case it fails, so ensure releaseing it as soon as we can
+  rather than holding on to it. This also aligns the code with other
+  consumers of sharelocks.
+  
+  Closes #3516
+  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+Daniel Stenberg (11 Feb 2019)
+- curl: follow-up to b49652ac66cc0
+  
+  On FreeBSD, return non-zero on error otherwise zero.
+  
+  Reported-by: Marcel Raad
+
+- multi: (void)-prefix when ignoring return values
+  
+  ... and added braces to two function calls which fixes warnings if they
+  are replace by empty macros at build-time.
+
+- curl: fix FreeBSD compiler warning in the --xattr code
+  
+  Closes #3550
+
+- connection_check: set ->data to the transfer doing the check
+  
+  The http2 code for connection checking needs a transfer to use. Make
+  sure a working one is set before handler->connection_check() is called.
+  
+  Reported-by: jnbr on github
+  Fixes #3541
+  Closes #3547
+
+- hostip: make create_hostcache_id avoid alloc + free
+  
+  Closes #3544
+
+- scripts/singleuse: script to use to track single-use functions
+  
+  That is functions that are declared global but are not used from outside
+  of the file in which it is declared. Such functions should be made
+  static or even at times be removed.
+  
+  It also verifies that all used curl_ prefixed functions are "blessed"
+  
+  Closes #3538
+
+- cleanup: make local functions static
+  
+  urlapi: turn three local-only functions into statics
+  
+  conncache: make conncache_find_first_connection static
+  
+  multi: make detach_connnection static
+  
+  connect: make getaddressinfo static
+  
+  curl_ntlm_core: make hmac_md5 static
+  
+  http2: make two functions static
+  
+  http: make http_setup_conn static
+  
+  connect: make tcpnodelay static
+  
+  tests: make UNITTEST a thing to mark functions with, so they can be static for
+  normal builds and non-static for unit test builds
+  
+  ... and mark Curl_shuffle_addr accordingly.
+  
+  url: make up_free static
+  
+  setopt: make vsetopt static
+  
+  curl_endian: make write32_le static
+  
+  rtsp: make rtsp_connisdead static
+  
+  warnless: remove unused functions
+  
+  memdebug: remove one unused function, made another static
+
+Dan Fandrich (10 Feb 2019)
+- cirrus: Added FreeBSD builds using Cirrus CI.
+  
+  The build logs will be at https://cirrus-ci.com/github/curl/curl
+  
+  Some tests are currently failing and so disabled for now. The SSH server
+  isn't starting for the SSH tests due to unsupported options used in its
+  config file. The DICT server also is failing on startup.
+
+Daniel Stenberg (9 Feb 2019)
+- url/idnconvert: remove scan for <= 32 ascii values
+  
+  The check was added back in fa939220df before the URL parser would catch
+  these problems and therefore these will never trigger now.
+  
+  Closes #3539
+
+- urlapi: reduce variable scope, remove unreachable 'break'
+  
+  Both nits pointed out by codacy.com
+  
+  Closes #3540
+
+Alessandro Ghedini (7 Feb 2019)
+- zsh.pl: escape ':' character
+  
+  ':' is interpreted as separator by zsh, so if used as part of the argument
+  or option's description it needs to be escaped.
+  
+  The problem can be reproduced as follows:
+  
+   % curl --reso<TAB>
+   % curl -E <TAB>
+  
+  Bug: https://bugs.debian.org/921452
+
+- zsh.pl: update regex to better match curl -h output
+  
+  The current regex fails to match '<...>' arguments properly (e.g. those
+  with spaces in them), which causes an completion script with wrong
+  descriptions for some options.
+  
+  Here's a diff of the generated completion script, comparing the previous
+  version to the one with this fix:
+  
+  --- /usr/share/zsh/vendor-completions/_curl     2019-01-15 20:47:40.000000000 +0000
+  +++ _curl       2019-02-05 20:57:29.453349040 +0000
+  @@ -9,48 +9,48 @@
+  
+   _arguments -C -S \
+     --happy-eyeballs-timeout-ms'[How long to wait in milliseconds for IPv6 before trying IPv4]':'<milliseconds>' \
+  +  --resolve'[Resolve the host+port to this address]':'<host:port:address[,address]...>' \
+     {-c,--cookie-jar}'[Write cookies to <filename> after operation]':'<filename>':_files \
+     {-D,--dump-header}'[Write the received headers to <filename>]':'<filename>':_files \
+     {-y,--speed-time}'[Trigger '\''speed-limit'\'' abort after this time]':'<seconds>' \
+     --proxy-cacert'[CA certificate to verify peer against for proxy]':'<file>':_files \
+  -  --tls13-ciphers'[of TLS 1.3 ciphersuites> TLS 1.3 cipher suites to use]':'<list' \
+  +  --tls13-ciphers'[TLS 1.3 cipher suites to use]':'<list of TLS 1.3 ciphersuites>' \
+     {-E,--cert}'[Client certificate file and password]':'<certificate[:password]>' \
+     --libcurl'[Dump libcurl equivalent code of this command line]':'<file>':_files \
+     --proxy-capath'[CA directory to verify peer against for proxy]':'<dir>':_files \
+  -  --proxy-negotiate'[HTTP Negotiate (SPNEGO) authentication on the proxy]':'Use' \
+     --proxy-pinnedpubkey'[FILE/HASHES public key to verify proxy with]':'<hashes>' \
+     --crlfile'[Get a CRL list in PEM format from the given file]':'<file>':_files \
+  -  --proxy-insecure'[HTTPS proxy connections without verifying the proxy]':'Do' \
+  -  --proxy-ssl-allow-beast'[security flaw for interop for HTTPS proxy]':'Allow' \
+  +  --proxy-negotiate'[Use HTTP Negotiate (SPNEGO) authentication on the proxy]' \
+     --abstract-unix-socket'[Connect via abstract Unix domain socket]':'<path>' \
+     --pinnedpubkey'[FILE/HASHES Public key to verify peer against]':'<hashes>' \
+  +  --proxy-insecure'[Do HTTPS proxy connections without verifying the proxy]' \
+     --proxy-pass'[Pass phrase for the private key for HTTPS proxy]':'<phrase>' \
+  +  --proxy-ssl-allow-beast'[Allow security flaw for interop for HTTPS proxy]' \
+     {-p,--proxytunnel}'[Operate through an HTTP proxy tunnel (using CONNECT)]' \
+     --socks5-hostname'[SOCKS5 proxy, pass host name to proxy]':'<host[:port]>' \
+     --proto-default'[Use PROTOCOL for any URL missing a scheme]':'<protocol>' \
+  -  --proxy-tls13-ciphers'[list> TLS 1.3 proxy cipher suites]':'<ciphersuite' \
+  +  --proxy-tls13-ciphers'[TLS 1.3 proxy cipher suites]':'<ciphersuite list>' \
+     --socks5-gssapi-service'[SOCKS5 proxy service name for GSS-API]':'<name>' \
+     --ftp-alternative-to-user'[String to replace USER \[name\]]':'<command>' \
+  -  --ftp-ssl-control'[SSL/TLS for FTP login, clear for transfer]':'Require' \
+     {-T,--upload-file}'[Transfer local FILE to destination]':'<file>':_files \
+     --local-port'[Force use of RANGE for local port numbers]':'<num/range>' \
+     --proxy-tlsauthtype'[TLS authentication type for HTTPS proxy]':'<type>' \
+     {-R,--remote-time}'[Set the remote file'\''s time on the local output]' \
+  -  --retry-connrefused'[on connection refused (use with --retry)]':'Retry' \
+  -  --suppress-connect-headers'[proxy CONNECT response headers]':'Suppress' \
+  -  {-j,--junk-session-cookies}'[session cookies read from file]':'Ignore' \
+  -  --location-trusted'[--location, and send auth to other hosts]':'Like' \
+  +  --ftp-ssl-control'[Require SSL/TLS for FTP login, clear for transfer]' \
+     --proxy-cert-type'[Client certificate type for HTTPS proxy]':'<type>' \
+     {-O,--remote-name}'[Write output to a file named as the remote file]' \
+  +  --retry-connrefused'[Retry on connection refused (use with --retry)]' \
+  +  --suppress-connect-headers'[Suppress proxy CONNECT response headers]' \
+     --trace-ascii'[Like --trace, but without hex output]':'<file>':_files \
+     --connect-timeout'[Maximum time allowed for connection]':'<seconds>' \
+     --expect100-timeout'[How long to wait for 100-continue]':'<seconds>' \
+     {-g,--globoff}'[Disable URL sequences and ranges using {} and \[\]]' \
+  +  {-j,--junk-session-cookies}'[Ignore session cookies read from file]' \
+     {-m,--max-time}'[Maximum time allowed for the transfer]':'<seconds>' \
+     --dns-ipv4-addr'[IPv4 address to use for DNS requests]':'<address>' \
+     --dns-ipv6-addr'[IPv6 address to use for DNS requests]':'<address>' \
+  -  --ignore-content-length'[the size of the remote resource]':'Ignore' \
+     {-k,--insecure}'[Allow insecure server connections when using SSL]' \
+  +  --location-trusted'[Like --location, and send auth to other hosts]' \
+     --mail-auth'[Originator address of the original email]':'<address>' \
+     --noproxy'[List of hosts which do not use proxy]':'<no-proxy-list>' \
+     --proto-redir'[Enable/disable PROTOCOLS on redirect]':'<protocols>' \
+  @@ -62,18 +62,19 @@
+     --socks5-basic'[Enable username/password auth for SOCKS5 proxies]' \
+     --cacert'[CA certificate to verify peer against]':'<file>':_files \
+     {-H,--header}'[Pass custom header(s) to server]':'<header/@file>' \
+  +  --ignore-content-length'[Ignore the size of the remote resource]' \
+     {-i,--include}'[Include protocol response headers in the output]' \
+     --proxy-header'[Pass custom header(s) to proxy]':'<header/@file>' \
+     --unix-socket'[Connect through this Unix domain socket]':'<path>' \
+     {-w,--write-out}'[Use output FORMAT after completion]':'<format>' \
+  -  --http2-prior-knowledge'[HTTP 2 without HTTP/1.1 Upgrade]':'Use' \
+     {-o,--output}'[Write to file instead of stdout]':'<file>':_files \
+  -  {-J,--remote-header-name}'[the header-provided filename]':'Use' \
+  +  --preproxy'[\[protocol://\]host\[:port\] Use this proxy first]' \
+     --socks4a'[SOCKS4a proxy on given host + port]':'<host[:port]>' \
+     {-Y,--speed-limit}'[Stop transfers slower than this]':'<speed>' \
+     {-z,--time-cond}'[Transfer based on a time condition]':'<time>' \
+     --capath'[CA directory to verify peer against]':'<dir>':_files \
+     {-f,--fail}'[Fail silently (no output at all) on HTTP errors]' \
+  +  --http2-prior-knowledge'[Use HTTP 2 without HTTP/1.1 Upgrade]' \
+     --proxy-tlspassword'[TLS password for HTTPS proxy]':'<string>' \
+     {-U,--proxy-user}'[Proxy user and password]':'<user:password>' \
+     --proxy1.0'[Use HTTP/1.0 proxy on given port]':'<host[:port]>' \
+  @@ -81,52 +82,49 @@
+     {-A,--user-agent}'[Send User-Agent <name> to server]':'<name>' \
+     --egd-file'[EGD socket path for random data]':'<file>':_files \
+     --fail-early'[Fail on first transfer error, do not continue]' \
+  -  --haproxy-protocol'[HAProxy PROXY protocol v1 header]':'Send' \
+  -  --preproxy'[Use this proxy first]':'[protocol://]host[:port]' \
+  +  {-J,--remote-header-name}'[Use the header-provided filename]' \
+     --retry-max-time'[Retry only within this period]':'<seconds>' \
+     --socks4'[SOCKS4 proxy on given host + port]':'<host[:port]>' \
+     --socks5'[SOCKS5 proxy on given host + port]':'<host[:port]>' \
+  -  --socks5-gssapi-nec'[with NEC SOCKS5 server]':'Compatibility' \
+  -  --ssl-allow-beast'[security flaw to improve interop]':'Allow' \
+     --cert-status'[Verify the status of the server certificate]' \
+  -  --ftp-create-dirs'[the remote dirs if not present]':'Create' \
+     {-:,--next}'[Make next URL use its separate set of options]' \
+     --proxy-key-type'[Private key file type for proxy]':'<type>' \
+  -  --remote-name-all'[the remote file name for all URLs]':'Use' \
+     {-X,--request}'[Specify request command to use]':'<command>' \
+     --retry'[Retry request if transient problems occur]':'<num>' \
+  -  --ssl-no-revoke'[cert revocation checks (WinSSL)]':'Disable' \
+     --cert-type'[Certificate file type (DER/PEM/ENG)]':'<type>' \
+     --connect-to'[Connect to host]':'<HOST1:PORT1:HOST2:PORT2>' \
+     --create-dirs'[Create necessary local directory hierarchy]' \
+  +  --haproxy-protocol'[Send HAProxy PROXY protocol v1 header]' \
+     --max-redirs'[Maximum number of redirects allowed]':'<num>' \
+     {-n,--netrc}'[Must read .netrc for user name and password]' \
+  +  {-x,--proxy}'[\[protocol://\]host\[:port\] Use this proxy]' \
+     --proxy-crlfile'[Set a CRL list for proxy]':'<file>':_files \
+     --sasl-ir'[Enable initial response in SASL authentication]' \
+  -  --socks5-gssapi'[GSS-API auth for SOCKS5 proxies]':'Enable' \
+  +  --socks5-gssapi-nec'[Compatibility with NEC SOCKS5 server]' \
+  +  --ssl-allow-beast'[Allow security flaw to improve interop]' \
+  +  --ftp-create-dirs'[Create the remote dirs if not present]' \
+     --interface'[Use network INTERFACE (or address)]':'<name>' \
+     --key-type'[Private key file type (DER/PEM/ENG)]':'<type>' \
+     --netrc-file'[Specify FILE for netrc]':'<filename>':_files \
+     {-N,--no-buffer}'[Disable buffering of the output stream]' \
+     --proxy-service-name'[SPNEGO proxy service name]':'<name>' \
+  -  --styled-output'[styled output for HTTP headers]':'Enable' \
+  +  --remote-name-all'[Use the remote file name for all URLs]' \
+  +  --ssl-no-revoke'[Disable cert revocation checks (WinSSL)]' \
+     --max-filesize'[Maximum file size to download]':'<bytes>' \
+     --negotiate'[Use HTTP Negotiate (SPNEGO) authentication]' \
+     --no-keepalive'[Disable TCP keepalive on the connection]' \
+     {-#,--progress-bar}'[Display transfer progress as a bar]' \
+  -  {-x,--proxy}'[Use this proxy]':'[protocol://]host[:port]' \
+  -  --proxy-anyauth'[any proxy authentication method]':'Pick' \
+     {-Q,--quote}'[Send command(s) to server before transfer]' \
+  -  --request-target'[the target for this request]':'Specify' \
+  +  --socks5-gssapi'[Enable GSS-API auth for SOCKS5 proxies]' \
+     {-u,--user}'[Server user and password]':'<user:password>' \
+     {-K,--config}'[Read config from a file]':'<file>':_files \
+     {-C,--continue-at}'[Resumed transfer offset]':'<offset>' \
+     --data-raw'[HTTP POST data, '\''@'\'' allowed]':'<data>' \
+  -  --disallow-username-in-url'[username in url]':'Disallow' \
+     --krb'[Enable Kerberos with security <level>]':'<level>' \
+     --proxy-ciphers'[SSL ciphers to use for proxy]':'<list>' \
+     --proxy-digest'[Use Digest authentication on the proxy]' \
+     --proxy-tlsuser'[TLS username for HTTPS proxy]':'<name>' \
+  +  --styled-output'[Enable styled output for HTTP headers]' \
+     {-b,--cookie}'[Send cookies from string/file]':'<data>' \
+     --data-urlencode'[HTTP POST data url encoded]':'<data>' \
+     --delegation'[GSS-API delegation permission]':'<LEVEL>' \
+  @@ -134,7 +132,10 @@
+     --post301'[Do not switch to GET after following a 301]' \
+     --post302'[Do not switch to GET after following a 302]' \
+     --post303'[Do not switch to GET after following a 303]' \
+  +  --proxy-anyauth'[Pick any proxy authentication method]' \
+  +  --request-target'[Specify the target for this request]' \
+     --trace-time'[Add time stamps to trace/verbose output]' \
+  +  --disallow-username-in-url'[Disallow username in url]' \
+     --dns-servers'[DNS server addrs to use]':'<addresses>' \
+     {-G,--get}'[Put the post data in the URL and use GET]' \
+     --limit-rate'[Limit transfer speed to RATE]':'<speed>' \
+  @@ -148,21 +149,21 @@
+     --metalink'[Process given URLs as metalink XML file]' \
+     --tr-encoding'[Request compressed transfer encoding]' \
+     --xattr'[Store metadata in extended file attributes]' \
+  -  --ftp-skip-pasv-ip'[the IP address for PASV]':'Skip' \
+     --pass'[Pass phrase for the private key]':'<phrase>' \
+     --proxy-ntlm'[Use NTLM authentication on the proxy]' \
+     {-S,--show-error}'[Show error even when -s is used]' \
+  -  --ciphers'[of ciphers> SSL ciphers to use]':'<list' \
+  +  --ciphers'[SSL ciphers to use]':'<list of ciphers>' \
+     --form-string'[Specify multipart MIME data]':'<name=string>' \
+     --login-options'[Server login options]':'<options>' \
+     --tftp-blksize'[Set TFTP BLKSIZE option]':'<value>' \
+  -  --tftp-no-options'[not send any TFTP options]':'Do' \
+     {-v,--verbose}'[Make the operation more talkative]' \
+  +  --ftp-skip-pasv-ip'[Skip the IP address for PASV]' \
+     --proxy-key'[Private key for HTTPS proxy]':'<key>' \
+     {-F,--form}'[Specify multipart MIME data]':'<name=content>' \
+     --mail-from'[Mail from this address]':'<address>' \
+     --oauth2-bearer'[OAuth 2 Bearer Token]':'<token>' \
+     --proto'[Enable/disable PROTOCOLS]':'<protocols>' \
+  +  --tftp-no-options'[Do not send any TFTP options]' \
+     --tlsauthtype'[TLS authentication type]':'<type>' \
+     --doh-url'[Resolve host names over DOH]':'<URL>' \
+     --no-sessionid'[Disable SSL session-ID reusing]' \
+  @@ -173,14 +174,13 @@
+     --ftp-ssl-ccc'[Send CCC after authenticating]' \
+     {-4,--ipv4}'[Resolve names to IPv4 addresses]' \
+     {-6,--ipv6}'[Resolve names to IPv6 addresses]' \
+  -  --netrc-optional'[either .netrc or URL]':'Use' \
+     --service-name'[SPNEGO service name]':'<name>' \
+     {-V,--version}'[Show version number and quit]' \
+     --data-ascii'[HTTP POST ASCII data]':'<data>' \
+     --ftp-account'[Account data string]':'<data>' \
+  -  --compressed-ssh'[SSH compression]':'Enable' \
+     --disable-eprt'[Inhibit using EPRT or LPRT]' \
+     --ftp-method'[Control CWD usage]':'<method>' \
+  +  --netrc-optional'[Use either .netrc or URL]' \
+     --pubkey'[SSH Public key file name]':'<key>' \
+     --raw'[Do HTTP "raw"; no transfer decoding]' \
+     --anyauth'[Pick any authentication method]' \
+  @@ -189,6 +189,7 @@
+     --no-alpn'[Disable the ALPN TLS extension]' \
+     --tcp-nodelay'[Use the TCP_NODELAY option]' \
+     {-B,--use-ascii}'[Use ASCII/text transfer]' \
+  +  --compressed-ssh'[Enable SSH compression]' \
+     --digest'[Use HTTP Digest Authentication]' \
+     --proxy-tlsv1'[Use TLSv1 for HTTPS proxy]' \
+     --engine'[Crypto engine to use]':'<name>' \
+
+Marcel Raad (7 Feb 2019)
+- tool_operate: fix typecheck warning
+  
+  Use long for CURLOPT_HTTP09_ALLOWED to fix the following warning:
+  tool_operate.c: In function 'operate_do':
+  ../include/curl/typecheck-gcc.h:47:9: error: call to
+  '_curl_easy_setopt_err_long' declared with attribute warning:
+  curl_easy_setopt expects a long argument for this option [-Werror]
+  
+  Closes https://github.com/curl/curl/pull/3534
+
+Jay Satiro (6 Feb 2019)
+- [Chris Araman brought this change]
+
+  url: close TLS before removing conn from cache
+  
+  - Fix potential crashes in schannel shutdown.
+  
+  Ensure any TLS shutdown messages are sent before removing the
+  association between the connection and the easy handle. Reverts
+  @bagder's previous partial fix for #3412.
+  
+  Fixes https://github.com/curl/curl/issues/3412
+  Fixes https://github.com/curl/curl/issues/3505
+  Closes https://github.com/curl/curl/pull/3531
+
+Daniel Gustafsson (6 Feb 2019)
+- INTERNALS.md: fix subsection depth and link
+  
+  The Kerberos subsection was mistakenly a subsubsection under FTP, and
+  the curlx subsection was missing an anchor for the TOC link.
+  
+  Closes #3529
+  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
 Version 7.64.0 (6 Feb 2019)
 
 Daniel Stenberg (6 Feb 2019)
@@ -6351,1399 +8010,3 @@ Daniel Stenberg (12 May 2018)
   
   Detected by OSS-Fuzz
   Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8245
-
-- setup_transfer: deal with both sockets being -1
-  
-  Detected by Coverity; CID 1435559.  Follow-up to f8d608f38d00. It would
-  index the array with -1 if neither index was a socket.
-
-- travis: add build using NSS
-  
-  Closes #2558
-
-- [Sunny Purushe brought this change]
-
-  openssl: change FILE ops to BIO ops
-  
-  To make builds with VS2015 work. Recent changes in VS2015 _IOB_ENTRIES
-  handling is causing problems. This fix changes the OpenSSL backend code
-  to use BIO functions instead of FILE I/O functions to circumvent those
-  problems.
-  
-  Closes #2512
-
-- travis: add a build using WolfSSL
-  
-  Assisted-by: Dan Fandrich
-  
-  Closes #2528
-
-- RELEASE-NOTES: typo
-
-- RELEASE-NOTES: synced
-
-- [Daniel Gustafsson brought this change]
-
-  URLs: fix one more http url
-  
-  This file wasn't included in commit 4af40b3646d3b09 which updated all
-  haxx.se http urls to https. The file was committed prior to that update,
-  but may have been merged after it and hence didn't get updated.
-  
-  Closes #2550
-
-- github/lock: auto-lock closed issues after 90 days of inactivity
-
-- vtls: fix missing commas
-  
-  follow-up to e66cca046cef
-
-- vtls: use unified "supports" bitfield member in backends
-  
-  ... instead of previous separate struct fields, to make it easier to
-  extend and change individual backends without having to modify them all.
-  
-  closes #2547
-
-- transfer: don't unset writesockfd on setup of multiplexed conns
-  
-  Curl_setup_transfer() can be called to setup a new individual transfer
-  over a multiplexed connection so it shouldn't unset writesockfd.
-  
-  Bug: #2520
-  Closes #2549
-
-- [Frank Gevaerts brought this change]
-
-  configure: put CURLDEBUG and DEBUGBUILD in lib/curl_config.h
-  
-  They are removed from the compiler flags.
-  
-  This ensures that make dependency tracking will force a rebuild whenever
-  configure --enable-debug or --enable-curldebug changes.
-  
-  Closes #2548
-
-- http: don't set the "rewind" flag when not uploading anything
-  
-  It triggers an assert.
-  
-  Detected by OSS-Fuzz
-  Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8144
-  Closes #2546
-
-- travis: add an mbedtls build
-  
-  Closes #2531
-
-- configure: only check for CA bundle for file-using SSL backends
-  
-  When only building with SSL backends that don't use the CA bundle file
-  (by default), skip the check.
-  
-  Fixes #2543
-  Fixes #2180
-  Closes #2545
-
-- ssh-libssh.c: fix left shift compiler warning
-  
-  ssh-libssh.c:2429:21: warning: result of '1 << 31' requires 33 bits to
-  represent, but 'int' only has 32 bits [-Wshift-overflow=]
-  
-  'len' will never be that big anyway so I converted the run-time check to
-  a regular assert.
-
-- [Stephan Mühlstrasser brought this change]
-
-  URL: fix ASCII dependency in strcpy_url and strlen_url
-  
-  Commit 3c630f9b0af097663a64e5c875c580aa9808a92b partially reverted the
-  changes from commit dd7521bcc1b7a6fcb53c31f9bd1192fcc884bd56 because of
-  the problem that strcpy_url() was modified unilaterally without also
-  modifying strlen_url(). As a consequence strcpy_url() was again
-  depending on ASCII encoding.
-  
-  This change fixes strlen_url() and strcpy_url() in parallel to use a
-  common host-encoding independent criterion for deciding whether an URL
-  character must be %-escaped.
-  
-  Closes #2535
-
-- [Denis Ollier brought this change]
-
-  docs: remove extraneous commas in man pages
-  
-  Closes #2544
-
-- RELEASE-NOTES: synced
-
-- Revert "TODO: remove configure --disable-pthreads"
-  
-  This reverts commit d5d683a97f9765bddfd964fe32e137aa6e703ed3.
-  
-  --disable-pthreads can be used to disable pthreads and get the threaded
-  resolver to use the windows threading when building with mingw.
-
-- vtls: don't define MD5_DIGEST_LENGTH for wolfssl
-  
-  ... as it defines it (too)
-
-- TODO: remove configure --disable-pthreads
-
-Jay Satiro (2 May 2018)
-- [David Garske brought this change]
-
-  wolfssl: Fix non-blocking connect
-  
-  Closes https://github.com/curl/curl/pull/2542
-
-Daniel Stenberg (30 Apr 2018)
-- CURLOPT_URL.3: add ENCODING section [ci skip]
-  
-  Feedback-by: Michael Kilburn
-
-- KNOWN_BUGS: Client cert with Issuer DN differs between backends
-  
-  Closes #1411
-
-- KNOWN_BUGS: Passive transfer tries only one IP address
-  
-  Closes #1508
-
-- KNOWN_BUGS: --upload-file . hang if delay in STDIN
-  
-  Closes #2051
-
-- KNOWN_BUGS: Connection information when using TCP Fast Open
-  
-  Closes #1332
-
-- travis: enable libssh2 on both macos and Linux
-  
-  It seems to not be detected by default anymore (which is a bug I
-  believe)
-  
-  Closes #2541
-
-- TODO: Support the clienthello extension
-  
-  Closes #2299
-
-- TODO: CLOEXEC
-  
-  Closes #2252
-
-- tests: provide 'manual' as a feature to optionally require
-  
-  ... and make test 1026 rely on that feature so that --disable-manual
-  builds don't cause test failures.
-  
-  Reported-by: Max Dymond and Anders Roxell
-  Fixes #2533
-  Closes #2540
-
-- CURLINFO_PROTOCOL.3: mention the existing defined names
-
-Jay Satiro (27 Apr 2018)
-- [Daniel Gustafsson brought this change]
-
-  cookies: remove unused macro
-  
-  Commit 2bc230de63 made the macro MAX_COOKIE_LINE_TXT become unused,
-  so remove as it's not part of the published API.
-  
-  Closes https://github.com/curl/curl/pull/2537
-
-Daniel Stenberg (27 Apr 2018)
-- [Daniel Gustafsson brought this change]
-
-  checksrc: force indentation of lines after an else
-  
-  This extends the INDENTATION case to also handle 'else' statements
-  and require proper indentation on the following line. Also fixes the
-  offending cases found in the codebase.
-  
-  Closes #2532
-
-- http2: fix null pointer dereference in http2_connisdead
-  
-  This function can get called on a connection that isn't setup enough to
-  have the 'recv_underlying' function pointer initialized so it would try
-  to call the NULL pointer.
-  
-  Reported-by: Dario Weisser
-  
-  Follow-up to db1b2c7fe9b093f8 (never shipped in a release)
-  Closes #2536
-
-- http2: get rid of another strstr()
-  
-  Follow-up to 1514c44655e12e: replace another strstr() call done on a
-  buffer that might not be zero terminated - with a memchr() call, even if
-  we know the substring will be found.
-  
-  Assisted-by: Max Dymond
-  
-  Detected by OSS-Fuzz
-  Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8021
-  
-  Closes #2534
-
-- cyassl: adapt to libraries without TLS 1.0 support built-in
-  
-  WolfSSL doesn't enable it by default anymore
-
-- configure: provide --with-wolfssl as an alias for --with-cyassl
-
-- RELEASE-NOTES: synced
-
-- [Daniel Gustafsson brought this change]
-
-  os400.c: fix ASSIGNWITHINCONDITION checksrc warnings
-  
-  All occurrences of assignment within conditional expression in
-  os400sys.c rewritten into two steps: first assignment and then the check
-  on the success of the assignment. Also adjust related incorrect brace
-  positions to match project indentation style.
-  
-  This was spurred by seeing "if((inp = input_token))", but while in there
-  all warnings were fixed.
-  
-  There should be no functional change from these changes.
-  
-  Closes #2525
-
-- [Daniel Gustafsson brought this change]
-
-  cookies: ensure that we have cookies before writing jar
-  
-  The jar should be written iff there are cookies, so ensure that we still
-  have cookies after expiration to avoid creating an empty file.
-  
-  Closes #2529
-
-- strcpy_url: only %-encode values >= 0x80
-  
-  OSS-Fuzz detected
-  
-  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8000
-  
-  Broke in dd7521bcc1b7
-
-- mime: avoid NULL pointer dereference risk
-  
-  Coverity detected, CID 1435120
-  
-  Closes #2527
-
-- [Stephan Mühlstrasser brought this change]
-
-  ctype: restore character classification for non-ASCII platforms
-  
-  With commit 4272a0b0fc49a1ac0ceab5c4a365c9f6ab8bf8e2 curl-speficic
-  character classification macros and functions were introduced in
-  curl_ctype.[ch] to avoid dependencies on the locale. This broke curl on
-  non-ASCII, e.g. EBCDIC platforms. This change restores the previous set
-  of character classification macros when CURL_DOES_CONVERSIONS is
-  defined.
-  
-  Closes #2494
-
-- ftplistparser: keep state between invokes
-  
-  Fixes FTP wildcard parsing when done over a number of read buffers.
-  
-  Regression from f786d1f14
-  
-  Reported-by: wncboy on github
-  Fixes #2445
-  Closes #2526
-
-- examples/http2-upload: expand buffer to avoid silly warning
-  
-  http2-upload.c:135:44: error: ‘%02d’ directive output may be truncated
-  writing between 2 and 11 bytes into a region of size between 8 and 17
-
-- examples/sftpuploadresume: typecast fseek argument to long
-  
-  /docs/examples/sftpuploadresume.c:102:12: warning: conversion to 'long
-  int' from 'curl_off_t {aka long long int}' may alter its value
-
-- Revert "ftplistparser: keep state between invokes"
-  
-  This reverts commit abbc8457d85aca74b7cfda1d394b0844932b2934.
-  
-  Caused fuzzer problems on travis not seen when this was a PR!
-
-- Curl_memchr: zero length input can't match
-  
-  Avoids undefined behavior.
-  
-  Reported-by: Geeknik Labs
-
-- ftplistparser: keep state between invokes
-  
-  Fixes FTP wildcard parsing when doing over a number of read buffers.
-  
-  Regression from f786d1f14
-  
-  Reported-by: wncboy on github
-  Fixes #2445
-  Closes #2519
-
-- ftplistparser: renamed some members and variables
-  
-  ... to make them better spell out what they're for.
-
-- RELEASE-NOTES: synced
-
-- [Christian Schmitz brought this change]
-
-  curl_global_sslset: always provide available backends
-  
-  Closes #2499
-
-- http2: convert an assert to run-time check
-  
-  Fuzzing has proven we can reach code in on_frame_recv with status_code
-  not having been set, so let's detect that in run-time (instead of with
-  assert) and error error accordingly.
-  
-  (This should no longer happen with the latest nghttp2)
-  
-  Detected by OSS-Fuzz
-  Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7903
-  Closes #2514
-
-- curl.1: clarify that options and URLs can be mixed
-  
-  Fixes #2515
-  Closes #2517
-
-Jay Satiro (23 Apr 2018)
-- [Archangel_SDY brought this change]
-
-  CURLOPT_SSLCERT.3: improve WinSSL-specific usage info
-  
-  Ref: https://github.com/curl/curl/pull/2376#issuecomment-381858780
-  
-  Closes https://github.com/curl/curl/pull/2504
-
-- [Archangel_SDY brought this change]
-
-  schannel: fix build error on targets <= XP
-  
-  - Use CRYPT_STRING_HEX instead of CRYPT_STRING_HEXRAW since XP doesn't
-    support the latter.
-  
-  Ref: https://github.com/curl/curl/pull/2376#issuecomment-382153668
-  
-  Closes https://github.com/curl/curl/pull/2504
-
-Daniel Stenberg (23 Apr 2018)
-- Revert "ftplistparser: keep state between invokes"
-  
-  This reverts commit 8fb78f9ddc6d858d630600059b8ad84a80892fd9.
-  
-  Unfortunately this fix introduces memory leaks I've not been able to fix
-  in several days. Reverting this for now to get the leaks fixed.
-
-Jay Satiro (21 Apr 2018)
-- tool_help: clarify --max-time unit of time is seconds
-  
-  Before:
-   -m, --max-time <time> Maximum time allowed for the transfer
-  
-  After:
-   -m, --max-time <seconds> Maximum time allowed for the transfer
-
-Daniel Stenberg (20 Apr 2018)
-- http2: handle GOAWAY properly
-  
-  When receiving REFUSED_STREAM, mark the connection for close and retry
-  streams accordingly on another/fresh connection.
-  
-  Reported-by: Terry Wu
-  Fixes #2416
-  Fixes #1618
-  Closes #2510
-
-- http2: clear the "drain counter" when a stream is closed
-  
-  This fixes the notorious "httpc->drain_total >= data->state.drain"
-  assert.
-  
-  Reported-by: Anders Bakken
-  
-  Fixes #1680
-  Closes #2509
-
-- http2: avoid strstr() on data not zero terminated
-  
-  It's not strictly clear if the API contract allows us to call strstr()
-  on a string that isn't zero terminated even when we know it will find
-  the substring, and clang's ASAN check dislikes us for it.
-  
-  Also added a check of the return code in case it fails, even if I can't
-  think of a situation how that can trigger.
-  
-  Detected by OSS-Fuzz
-  Closes #2513
-  Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7760
-
-- [Stephan Mühlstrasser brought this change]
-
-  openssl: fix subjectAltName check on non-ASCII platforms
-  
-  Curl_cert_hostcheck operates with the host character set, therefore the
-  ASCII subjectAltName string retrieved with OpenSSL must be converted to
-  the host encoding before comparison.
-  
-  Closes #2493
-
-Jay Satiro (20 Apr 2018)
-- openssl: Add support for OpenSSL 1.1.1 verbose-mode trace messages
-  
-  - Support handling verbose-mode trace messages of type
-    SSL3_RT_INNER_CONTENT_TYPE, SSL3_MT_ENCRYPTED_EXTENSIONS,
-    SSL3_MT_END_OF_EARLY_DATA, SSL3_MT_KEY_UPDATE, SSL3_MT_NEXT_PROTO,
-    SSL3_MT_MESSAGE_HASH
-  
-  Reported-by: iz8mbw@users.noreply.github.com
-  
-  Fixes https://github.com/curl/curl/issues/2403
-
-Daniel Stenberg (19 Apr 2018)
-- ftplistparser: keep state between invokes
-  
-  Regression from f786d1f14
-  
-  Reported-by: wncboy on github
-  Fixes #2445
-  Closes #2508
-
-- detect_proxy: only show proxy use if it had contents
-
-- http2: handle on_begin_headers() called more than once
-  
-  This triggered an assert if called more than once in debug mode (and a
-  memory leak if not debug build). With the right sequence of HTTP/2
-  headers incoming it can happen.
-  
-  Detected by OSS-Fuzz
-  
-  Closes #2507
-  Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7764
-
-Jay Satiro (18 Apr 2018)
-- [Dan McNulty brought this change]
-
-  schannel: add support for CURLOPT_CAINFO
-  
-  - Move verify_certificate functionality in schannel.c into a new
-    file called schannel_verify.c. Additionally, some structure defintions
-    from schannel.c have been moved to schannel.h to allow them to be
-    used in schannel_verify.c.
-  
-  - Make verify_certificate functionality for Schannel available on
-    all versions of Windows instead of just Windows CE. verify_certificate
-    will be invoked on Windows CE or when the user specifies
-    CURLOPT_CAINFO and CURLOPT_SSL_VERIFYPEER.
-  
-  - In verify_certificate, create a custom certificate chain engine that
-    exclusively trusts the certificate store backed by the CURLOPT_CAINFO
-    file.
-  
-  - doc updates of --cacert/CAINFO support for schannel
-  
-  - Use CERT_NAME_SEARCH_ALL_NAMES_FLAG when invoking CertGetNameString
-    when available. This implements a TODO in schannel.c to improve
-    handling of multiple SANs in a certificate. In particular, all SANs
-    will now be searched instead of just the first name.
-  
-  - Update tool_operate.c to not search for the curl-ca-bundle.crt file
-    when using Schannel to maintain backward compatibility. Previously,
-    any curl-ca-bundle.crt file found in that search would have been
-    ignored by Schannel. But, with CAINFO support, the file found by
-    that search would have been used as the certificate store and
-    could cause issues for any users that have curl-ca-bundle.crt in
-    the search path.
-  
-  - Update url.c to not set the build time CURL_CA_BUNDLE if the selected
-    SSL backend is Schannel. We allow setting CA location for schannel
-    only when explicitly specified by the user via CURLOPT_CAINFO /
-    --cacert.
-  
-  - Add new test cases 3000 and 3001. These test cases check that the first
-    and last SAN, respectively, matches the connection hostname. New test
-    certificates have been added for these cases. For 3000, the certificate
-    prefix is Server-localhost-firstSAN and for 3001, the certificate
-    prefix is Server-localhost-secondSAN.
-  
-  - Remove TODO 15.2 (Add support for custom server certificate
-    validation), this commit addresses it.
-  
-  Closes https://github.com/curl/curl/pull/1325
-
-- schannel: fix warning
-  
-  - Fix warning 'integer from pointer without a cast' on 3rd arg in
-    CertOpenStore. The arg type HCRYPTPROV may be a pointer or integer
-    type of the same size.
-  
-  Follow-up to e35b025.
-  
-  Caught by Marc's CI builds.
-
-- [Jakub Wilk brought this change]
-
-  docs: fix typos
-  
-  Closes https://github.com/curl/curl/pull/2503
-
-Daniel Stenberg (17 Apr 2018)
-- RELEASE-NOTES: synced
-
-Jay Satiro (17 Apr 2018)
-- [Kees Dekker brought this change]
-
-  winbuild: Support custom devel paths for each dependency
-  
-  - Support custom devel paths for c-ares, mbedTLS, nghttp2, libSSH2,
-    OpenSSL and zlib. Respectively: CARES_PATH, MBEDTLS_PATH,
-    NGHTTP2_PATH, SSH2_PATH, SSL_PATH and ZLIB_PATH.
-  
-  - Use lib.exe for making the static library instead of link.exe /lib.
-    The latter is undocumented and could cause problems as noted in the
-    comments.
-  
-  - Remove a dangling URL that no longer worked. (I was not able to find
-    the IDN download at MSDN/microsoft.com, so it seems to be removed.)
-  
-  - Remove custom override for release-ssh2-ssl-dll-zlib configuration.
-    Nobody knows why it was there and as far as we can see is unnecessary.
-  
-  Closes https://github.com/curl/curl/pull/2474
-
-Daniel Stenberg (17 Apr 2018)
-- [Jess brought this change]
-
-  README.md: add backers and sponsors
-  
-  Closes #2484
-
-- [Archangel_SDY brought this change]
-
-  schannel: add client certificate authentication
-  
-  Users can now specify a client certificate in system certificates store
-  explicitly using expression like `--cert "CurrentUser\MY\<thumbprint>"`
-  
-  Closes #2376
-
-Marcel Raad (16 Apr 2018)
-- [toughengineer brought this change]
-
-  ntlm_sspi: fix authentication using Credential Manager
-  
-  If you pass empty user/pass asking curl to use Windows Credential
-  Storage (as stated in the docs) and it has valid credentials for the
-  domain, e.g.
-  curl -v -u : --ntlm example.com
-  currently authentication fails.
-  This change fixes it by providing proper SPN string to the SSPI API
-  calls.
-  
-  Fixes https://github.com/curl/curl/issues/1622
-  Closes https://github.com/curl/curl/pull/1660
-
-Daniel Stenberg (16 Apr 2018)
-- configure: keep LD_LIBRARY_PATH changes local
-  
-  ... only set it when we actually have to run tests to reduce its impact
-  on for example build commands etc.
-  
-  Fixes #2490
-  Closes #2492
-  
-  Reported-by: Dmitry Mikhirev
-
-Marcel Raad (16 Apr 2018)
-- urldata: make service names unconditional
-  
-  The ifdefs have become quite long. Also, the condition for the
-  definition of CURLOPT_SERVICE_NAME and for setting it from
-  CURLOPT_SERVICE_NAME have diverged. We will soon also need the two
-  options for NTLM, at least when using SSPI, for
-  https://github.com/curl/curl/pull/1660.
-  Just make the definitions unconditional to make that easier.
-  
-  Closes https://github.com/curl/curl/pull/2479
-
-Daniel Stenberg (16 Apr 2018)
-- test1148: tolerate progress updates better
-  
-  Fixes #2446
-  Closes #2488
-
-- [Christian Schmitz brought this change]
-
-  ssh: show libSSH2 error code when closing fails
-  
-  Closes #2500
-
-Jay Satiro (15 Apr 2018)
-- [Daniel Gustafsson brought this change]
-
-  vauth: Fix typo
-  
-  Address various spellings of "credentials".
-  
-  Closes https://github.com/curl/curl/pull/2496
-
-- [Dagobert Michelsen brought this change]
-
-  system.h: Add sparcv8plus to oracle/sunpro 32-bit detection
-  
-  With specific compiler options selecting the arch like -xarch=sparc on
-  newer compilers like Oracle Studio 12.4 there is no definition of
-  __sparcv8 but __sparcv8plus which means the V9 ISA, but limited to the
-  32ÎíÎñbit subset defined by the V8plus ISA specification, without the
-  Visual Instruction Set (VIS), and without other implementation-specific
-  ISA extensions. So it should be the same as __sparcv8.
-  
-  Closes https://github.com/curl/curl/pull/2491
-
-- [Daniel Gustafsson brought this change]
-
-  checksrc: Fix typo
-  
-  Fix typo in "semicolon" spelling and remove stray tab character.
-  
-  Closes https://github.com/curl/curl/pull/2498
-
-- [Daniel Gustafsson brought this change]
-
-  all: Refactor malloc+memset to use calloc
-  
-  When a zeroed out allocation is required, use calloc() rather than
-  malloc() followed by an explicit memset(). The result will be the
-  same, but using calloc() everywhere increases consistency in the
-  codebase and avoids the risk of subtle bugs when code is injected
-  between malloc and memset by accident.
-  
-  Closes https://github.com/curl/curl/pull/2497
-
-Daniel Stenberg (12 Apr 2018)
-- duphandle: make sure CURLOPT_RESOLVE is duplicated fine too
-  
-  Verified in test 1502 now
-  
-  Fixes #2485
-  Closes #2486
-  Reported-by: Ernst Sjöstrand
-
-- mailmap: add a monnerat fixup [ci skip]
-
-- proxy: show getenv proxy use in verbose output
-  
-  ... to aid debugging etc as it sometimes isn't immediately obvious why
-  curl uses or doesn't use a proxy.
-  
-  Inspired by #2477
-  
-  Closes #2480
-
-- travis: build libpsl and make builds use it
-  
-  closes #2471
-
-- travis: bump to clang 6 and gcc 7
-  
-  Extra-eye-on-this-by: Marcel Raad
-  
-  Closes #2478
-
-Marcel Raad (10 Apr 2018)
-- travis: use trusty for coverage build
-  
-  This works now and precise is in the process of being decommissioned.
-  
-  Closes https://github.com/curl/curl/pull/2476
-
-- lib: silence null-dereference warnings
-  
-  In debug mode, MingGW-w64's GCC 7.3 issues null-dereference warnings
-  when dereferencing pointers after DEBUGASSERT-ing that they are not
-  NULL.
-  Fix this by removing the DEBUGASSERTs.
-  
-  Suggested-by: Daniel Stenberg
-  Ref: https://github.com/curl/curl/pull/2463
-
-- [Kees Dekker brought this change]
-
-  winbuild: fix URL
-  
-  Follow up on https://github.com/curl/curl/pull/2472.
-  Now using en-us instead of nl-nl as language code in the URL.
-  
-  Closes https://github.com/curl/curl/pull/2475
-
-Daniel Stenberg (9 Apr 2018)
-- [Kees Dekker brought this change]
-
-  winbuild: updated the documentation
-  
-  The setenv command no longer exists and visual studio build prompts got
-  changed. Used Visual Studio 2015/2017 as reference.
-  
-  Closes #2472
-
-- test1136: fix cookie order after commit c990eadd1277
-
-- build: cleanup to fix clang warnings/errors
-  
-  unit1309 and vtls/gtls: error: arithmetic on a null pointer treated as a
-  cast from integer to pointer is a GNU extension
-  
-  Reported-by: Rikard Falkeborn
-  
-  Fixes #2466
-  Closes #2468
-
-Jay Satiro (7 Apr 2018)
-- examples/sftpuploadresmue: Fix Windows large file seek
-  
-  - Use _fseeki64 instead of fseek (long) to seek curl_off_t in Windows.
-  
-  - Use CURL_FORMAT_CURL_OFF_T specifier instead of %ld to print
-    curl_off_t.
-  
-  Caught by Marc's CI builds.
-
-Daniel Stenberg (7 Apr 2018)
-- curl_setup: provide a CURL_SA_FAMILY_T type if none exists
-  
-  ... and use this type instead of 'sa_family_t' in the code since several
-  platforms don't have it.
-  
-  Closes #2463
-
-- [Eric Gallager brought this change]
-
-  build: add picky compiler warning flags for gcc 6 and 7
-
-- configure: detect sa_family_t
-
-Jay Satiro (7 Apr 2018)
-- [Stefan Agner brought this change]
-
-  tool_operate: Fix retry on FTP 4xx to ignore other protocols
-  
-  Only treat response code as FTP response codes in case the
-  protocol type is FTP.
-  
-  This fixes an issue where an HTTP download was treated as FTP
-  in case libcurl returned with 33. This happens when the
-  download has already finished and the server responses 416:
-    HTTP/1.1 416 Requested Range Not Satisfiable
-  
-  This should not be treated as an FTP error.
-  
-  Fixes #2464
-  Closes #2465
-
-Daniel Stenberg (6 Apr 2018)
-- hash: calculate sizes with size_t instead of longs
-  
-  ... since they return size_t anyway!
-  
-  closes #2462
-
-- RELEASE-NOTES: synced
-
-- [Jay Satiro brought this change]
-
-  build-openssl.bat: Refer to VS2017 as VC14.1 instead of VC15
-  
-  .. and do the same for build-wolfssl.bat.
-  
-  Because MS calls it VC14.1.
-  
-  Closes https://github.com/curl/curl/pull/2189
-
-- [Kees Dekker brought this change]
-
-  winbuild: make the clean target work without build-type
-  
-  Due to the check in Makefile.vc and MakefileBuild.vc, no make call can
-  be invoked unless a build-type was specified. However, a clean target
-  only existed when a build type was specified. As a result, the clean
-  target was unreachable. Made clean target unconditional.
-  
-  Closes #2455
-
-- [patelvivekv1993 brought this change]
-
-  build-openssl.bat: allow custom paths for VS and perl
-  
-  Fixes #2430
-  Closes #2457
-
-- [Laurie Clark-Michalek brought this change]
-
-  FTP: allow PASV on IPv6 connections when a proxy is being used
-  
-  In the situation of a client connecting to an FTP server using an IPv6
-  tunnel proxy, the connection info will indicate that the connection is
-  IPv6. However, because the server behing the proxy is IPv4, it is
-  permissable to attempt PSV mode. In the case of the FTP server being
-  IPv4 only, EPSV will always fail, and with the current logic curl will
-  be unable to connect to the server, as the IPv6 fwdproxy causes curl to
-  think that EPSV is impossible.
-  
-  Closes #2432
-
-- [Jon DeVree brought this change]
-
-  file: restore old behavior for file:////foo/bar URLs
-  
-  curl 7.57.0 and up interpret this according to Appendix E.3.2 of RFC
-  8089 but then returns an error saying this is unimplemented. This is
-  actually a regression in behavior on both Windows and Unix.
-  
-  Before curl 7.57.0 this URL was treated as a path of "//foo/bar" and
-  then passed to the relevant OS API. This means that the behavior of this
-  case is actually OS dependent.
-  
-  The Unix path resolution rules say that the OS must handle swallowing
-  the extra "/" and so this path is the same as "/foo/bar"
-  
-  The Windows path resolution rules say that this is a UNC path and
-  automatically handles the SMB access for the program. So curl on Windows
-  was already doing Appendix E.3.2 without any special code in curl.
-  
-  Regression
-  
-  Closes #2438
-
-- [Gaurav Malhotra brought this change]
-
-  Revert "openssl: Don't add verify locations when verifypeer==0"
-  
-  This reverts commit dc85437736e1fc90e689bb1f6c51c8f1aa9430eb.
-  
-  libcurl (with the OpenSSL backend) performs server certificate verification
-  even if verifypeer == 0 and the verification result is available using
-  CURLINFO_SSL_VERIFYRESULT. The commit that is being reverted caused the
-  CURLINFO_SSL_VERIFYRESULT to not have useful information for the
-  verifypeer == 0 use case (it would always have
-  X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY).
-  
-  Closes #2451
-
-- [Wyatt O'Day brought this change]
-
-  tls: fix mbedTLS 2.7.0 build + handle sha256 failures
-  
-  (mbedtls 2.70 compiled with MBEDTLS_DEPRECATED_REMOVED)
-  
-  Closes #2453
-
-- [Lauri Kasanen brought this change]
-
-  cookie: case-insensitive hashing for the domains
-  
-  closes #2458
-
-Patrick Monnerat (4 Apr 2018)
-- cookie: fix and optimize 2nd top level domain name extraction
-  
-  This fixes a segfault occurring when a name of the (invalid) form "domain..tld"
-  is processed.
-  
-  test46 updated to cover this case.
-  
-  Follow-up to commit c990ead.
-  
-  Ref: https://github.com/curl/curl/pull/2440
-
-Daniel Stenberg (4 Apr 2018)
-- openssl: provide defines for argument typecasts to build warning-free
-  
-  ... as OpenSSL >= 1.1.0 and libressl >= 2.7.0 use different argument types.
-
-- [Bernard Spil brought this change]
-
-  openssl: fix build with LibreSSL 2.7
-  
-   - LibreSSL 2.7 implements (most of) OpenSSL 1.1 API
-  
-  Fixes #2319
-  Closes #2447
-  Closes #2448
-  
-  Signed-off-by: Bernard Spil <brnrd@FreeBSD.org>
-
-- [Lauri Kasanen brought this change]
-
-  cookie: store cookies per top-level-domain-specific hash table
-  
-  This makes libcurl handle thousands of cookies much better and speedier.
-  
-  Closes #2440
-
-- [Lauri Kasanen brought this change]
-
-  cookies: when reading from a file, only remove_expired once
-  
-  This drops the cookie load time for 8k cookies from 178ms to 15ms.
-  
-  Closes #2441
-
-- test1148: set a fixed locale for the test
-  
-  ...as otherwise it might use a different decimal sign.
-  
-  Bug: #2436
-  Reported-by: Oumph on github
-
-Jay Satiro (31 Mar 2018)
-- docs: fix CURLINFO_*_T examples use of CURL_FORMAT_CURL_OFF_T
-  
-  - Put a percent sign before each CURL_FORMAT_CURL_OFF_T in printf.
-  
-  For example "%" CURL_FORMAT_CURL_OFF_T becomes %lld or similar.
-  
-  Bug: https://curl.haxx.se/mail/lib-2018-03/0140.html
-  Reported-by: David L.
-
-Sergei Nikulov (27 Mar 2018)
-- [Michał Janiszewski brought this change]
-
-  cmake: Add advapi32 as explicit link library for win32
-  
-  ARM targets need advapi32 explicitly.
-  
-  Closes #2363
-
-Daniel Stenberg (27 Mar 2018)
-- TODO: connection cache sharing is now supporte
-
-Jay Satiro (26 Mar 2018)
-- travis: enable apt retry on fail
-  
-  This is a workaround for an unsolved travis issue that is causing CI
-  instances to sporadically fail due to 'unable to connect' issues during
-  apt stage.
-  
-  Ref: https://github.com/travis-ci/travis-ci/issues/8507
-  Ref: https://github.com/travis-ci/travis-ci/issues/9112#issuecomment-376305909
-
-Michael Kaufmann (26 Mar 2018)
-- runtests.pl: fix warning 'use of uninitialized value'
-  
-  follow-up to a9a7b60
-  
-  Closes #2428
-
-Daniel Stenberg (24 Mar 2018)
-- gitignore: ignore more generated files
-
-- threaded resolver: track resolver time and set suitable timeout values
-  
-  In order to make curl_multi_timeout() return suitable "sleep" times even
-  when there's no socket to wait for while the name is being resolved in a
-  helper thread.
-  
-  It will increases the timeouts as time passes.
-  
-  Closes #2419
-
-- [Howard Chu brought this change]
-
-  openldap: fix for NULL return from ldap_get_attribute_ber()
-  
-  Closes #2399
-
-GitHub (22 Mar 2018)
-- [Sergei Nikulov brought this change]
-
-  travis-ci: enable -Werror for CMake builds (#2418)
-
-- [Sergei Nikulov brought this change]
-
-  cmake: avoid warn-as-error during config checks (#2411)
-  
-  - Move the CURL_WERROR option processing after the configuration checks
-    to avoid failures in case of warnings during the configuration checks.
-  
-  This is a partial fix for #2358
-
-- [Sergei Nikulov brought this change]
-
-  timeval: remove compilation warning by casting (#2417)
-  
-  This is fixes #2358
-
-Daniel Stenberg (22 Mar 2018)
-- http2: read pending frames (including GOAWAY) in connection-check
-  
-  If a connection has received a GOAWAY frame while not being used, the
-  function now reads frames off the connection before trying to reuse it
-  to avoid reusing connections the server has told us not to use.
-  
-  Reported-by: Alex Baines
-  Fixes #1967
-  Closes #2402
-
-- [Bas van Schaik brought this change]
-
-  CI: add lgtm.yml for tweaking lgtm.com analysis
-  
-  Closes #2414
-
-- CURLINFO_SSL_VERIFYRESULT.3: fix the example, add some text
-  
-  Reported-by: Michal Trybus
-  
-  Fixes #2400
-
-- TODO: expand ~/ in config files
-  
-  Closes #2317
-
-- cookie.d: mention that "-" as filename means stdin
-  
-  Reported-by: Dongliang Mu
-  Fixes #2410
-
-- CURLINFO_COOKIELIST.3: made the example not leak memory
-  
-  Reported-by: Muz Dima
-
-- vauth/cleartext: fix integer overflow check
-  
-  Make the integer overflow check not rely on the undefined behavior that
-  a size_t wraps around on overflow.
-  
-  Detected by lgtm.com
-  Closes #2408
-
-- lib/curl_path.h: add #ifdef header guard
-  
-  Detected by lgtm.com
-
-- vauth/ntlm.h: fix the #ifdef header guard
-  
-  Detected by lgtm.com
-
-Jay Satiro (20 Mar 2018)
-- examples/hiperfifo: checksrc compliance
-
-Daniel Stenberg (19 Mar 2018)
-- [Nikos Tsipinakis brought this change]
-
-  parsedate: support UT timezone
-  
-  RFC822 section 5.2 mentions Universal Time, 'UT', to be synonymous with
-  GMT.
-  
-  Closes #2401
-
-- RELEASE-NOTES: synced
-
-- [Don brought this change]
-
-  cmake: add support for brotli
-  
-  Currently CMake cannot detect Brotli support. This adds detection of the
-  libraries and associated header files. It also adds this to the
-  generated config.
-  
-  Closes #2392
-
-- [Chris Araman brought this change]
-
-  darwinssl: fix iOS build
-
-Patrick Monnerat (18 Mar 2018)
-- ILE/RPG binding: Add CURLOPT_HAPROXYPROTOCOL/Fix CURLOPT_DNS_SHUFFLE_ADDRESSES
-
-Daniel Stenberg (17 Mar 2018)
-- [Rick Deist brought this change]
-
-  resolve: add CURLOPT_DNS_SHUFFLE_ADDRESSES
-  
-  This patch adds CURLOPT_DNS_SHUFFLE_ADDRESSES to explicitly request
-  shuffling of IP addresses returned for a hostname when there is more
-  than one. This is useful when the application knows that a round robin
-  approach is appropriate and is willing to accept the consequences of
-  potentially discarding some preference order returned by the system's
-  implementation.
-  
-  Closes #1694
-
-- add_handle/easy_perform: clear errorbuffer on start if set
-  
-  To offer applications a more defined behavior, we clear the buffer as
-  early as possible.
-  
-  Assisted-by: Jay Satiro
-  
-  Fixes #2190
-  Closes #2377
-
-- [Lawrence Matthews brought this change]
-
-  CURLOPT_HAPROXYPROTOCOL: support the HAProxy PROXY protocol
-  
-  Add --haproxy-protocol for the command line tool
-  
-  Closes #2162
-
-- curl_version_info.3: fix ssl_version description
-  
-  Reported-by: Vincas Razma
-  Fixes #2364
-
-- multi: improved pending transfers handling => improved performance
-  
-  When a transfer is requested to get done and it is put in the pending
-  queue when limited by number of connections, total or per-host, libcurl
-  would previously very aggressively retry *ALL* pending transfers to get
-  them transferring. That was very time consuming.
-  
-  By reducing the aggressiveness in how pending are being retried, we
-  waste MUCH less time on putting transfers back into pending again.
-  
-  Some test cases got a factor 30(!) speed improvement with this change.
-  
-  Reported-by: Cyril B
-  Fixes #2369
-  Closes #2383
-
-- pause: when changing pause state, update socket state
-  
-  Especially unpausing a transfer might have to move the socket back to the
-  "currently used sockets" hash to get monitored. Otherwise it would never get
-  any more data and get stuck. Easily triggered with pausing using the
-  multi_socket API.
-  
-  Reported-by: Philip Prindeville
-  Bug: https://curl.haxx.se/mail/lib-2018-03/0048.html
-  Fixes #2393
-  Closes #2391
-
-- [Philip Prindeville brought this change]
-
-  examples/hiperfifo.c: improved
-  
-   * use member struct event’s instead of pointers to alloc’d struct
-     events
-  
-   * simplify the cases for the mcode_or_die() function via macros;
-  
-   * make multi_timer_cb() actually do what the block comment says it
-     should;
-  
-   * accept a “stop” command on the FIFO to shut down the service;
-  
-   * use cleaner notation for unused variables than the (void) hack;
-  
-   * allow following redirections (304’s);
-
-- rate-limit: use three second window to better handle high speeds
-  
-  Due to very frequent updates of the rate limit "window", it could
-  attempt to rate limit within the same milliseconds and that then made
-  the calculations wrong, leading to it not behaving correctly on very
-  fast transfers.
-  
-  This new logic updates the rate limit "window" to be no shorter than the
-  last three seconds and only updating the timestamps for this when
-  switching between the states TOOFAST/PERFORM.
-  
-  Reported-by: 刘佩东
-  Fixes #2386
-  Closes #2388
-
-- [luz.paz brought this change]
-
-  cleanup: misc typos in strings and comments
-  
-  Found via `codespell`
-  
-  Closes #2389
-
-- RELEASE-NOTES: toward 7.60.0
-
-- [Kobi Gurkan brought this change]
-
-  http2: fixes typo
-  
-  Closes #2387
-
-- user-agent.d:: mention --proxy-header as well
-  
-  Bug: https://github.com/curl/curl/issues/2381
-
-- transfer: make HTTP without headers count correct body size
-  
-  This is what "HTTP/0.9" basically looks like.
-  
-  Reported on IRC
-  
-  Closes #2382
-
-- test1208: marked flaky
-  
-  It fails somewhere between every 3rd to 10th travis-CI run
-
-- SECURITY-PROCESS: mention how we write/add advisories
-
-- [dasimx brought this change]
-
-  FTP: fix typo in recursive callback detection for seeking
-  
-  Fixes #2380
-
-Version 7.59.0 (13 Mar 2018)
-
-Daniel Stenberg (13 Mar 2018)
-- release: 7.59.0
-
-Kamil Dudka (13 Mar 2018)
-- tests/.../spnego.py: fix identifier typo
-  
-  Detected by Coverity Analysis:
-  
-  Error: IDENTIFIER_TYPO:
-  curl-7.58.0/tests/python_dependencies/impacket/spnego.py:229: identifier_typo: Using "SuportedMech" appears to be a typo:
-  * Identifier "SuportedMech" is only known to be referenced here, or in copies of this code.
-  * Identifier "SupportedMech" is referenced elsewhere at least 4 times.
-  curl-7.58.0/tests/python_dependencies/impacket/smbserver.py:2651: identifier_use: Example 1: Using identifier "SupportedMech".
-  curl-7.58.0/tests/python_dependencies/impacket/smbserver.py:2308: identifier_use: Example 2: Using identifier "SupportedMech".
-  curl-7.58.0/tests/python_dependencies/impacket/spnego.py:252: identifier_use: Example 3: Using identifier "SupportedMech" (2 total uses in this function).
-  curl-7.58.0/tests/python_dependencies/impacket/spnego.py:229: remediation: Should identifier "SuportedMech" be replaced by "SupportedMech"?
-  
-  Closes #2379
-
-Daniel Stenberg (13 Mar 2018)
-- CURLOPT_COOKIEFILE.3: "-" as file name means stdin
-  
-  Reported-by: Aron Bergman
-  Bug: https://curl.haxx.se/mail/lib-2018-03/0049.html
-  
-  [ci skip]
-
-- Revert "hostip: fix compiler warning: 'variable set but not used'"
-  
-  This reverts commit a577059f92fc65bd6b81717f0737f897a5b34248.
-  
-  The assignment really needs to be there or we risk working with an
-  uninitialized pointer.
-
-Michael Kaufmann (12 Mar 2018)
-- limit-rate: fix compiler warning
-  
-  follow-up to 72a0f62
-
-Viktor Szakats (12 Mar 2018)
-- checksrc.pl: add -i and -m options
-  
-  To sync it with changes made for the libssh2 project.
-  Also cleanup some whitespace.
-
-- curl-openssl.m4: fix spelling [ci skip]
-
-- FAQ: fix a broken URL [ci skip]
-
-Daniel Stenberg (12 Mar 2018)
-- http2: mark the connection for close on GOAWAY
-  
-  ... don't consider it an error!
-  
-  Assisted-by: Jay Satiro
-  Reported-by: Łukasz Domeradzki
-  Fixes #2365
-  Closes #2375
-
-- credits: Viktor prefers without accent
-
-- openldap: white space changes, fixed up the copyright years
-
-- openldap: check ldap_get_attribute_ber() results for NULL before using
-  
-  CVE-2018-1000121
-  Reported-by: Dario Weisser
-  Bug: https://curl.haxx.se/docs/adv_2018-97a2.html
-
-- FTP: reject path components with control codes
-  
-  Refuse to operate when given path components featuring byte values lower
-  than 32.
-  
-  Previously, inserting a %00 sequence early in the directory part when
-  using the 'singlecwd' ftp method could make curl write a zero byte
-  outside of the allocated buffer.
-  
-  Test case 340 verifies.
-  
-  CVE-2018-1000120
-  Reported-by: Duy Phan Thanh
-  Bug: https://curl.haxx.se/docs/adv_2018-9cd6.html
-
-- readwrite: make sure excess reads don't go beyond buffer end
-  
-  CVE-2018-1000122
-  Bug: https://curl.haxx.se/docs/adv_2018-b047.html
-  
-  Detected by OSS-fuzz
-
-- BUGS: updated link to security process
-
-- limit-rate: kick in even before "limit" data has been received
-  
-  ... and make sure to avoid integer overflows with really large values.
-  
-  Reported-by: 刘佩东
-  Fixes #2371
-  Closes #2373
-
-- docs/SECURITY.md -> docs/SECURITY-PROCESS.md
-
-- SECURITY.md: call it the security process
-
-Michael Kaufmann (11 Mar 2018)
-- Curl_range: fix FTP-only and FILE-only builds
-  
-  follow-up to e04417d
-
-- hostip: fix compiler warning: 'variable set but not used'
-
-Daniel Stenberg (11 Mar 2018)
-- HTTP: allow "header;" to replace an internal header with a blank one
-  
-  Reported-by: Michael Kaufmann
-  Fixes #2357
-  Closes #2362
-
-- http2: verbose output new MAX_CONCURRENT_STREAMS values
-  
-  ... as it is interesting for many users.
-
-- SECURITY: distros' max embargo time is 14 days now
-
-Patrick Monnerat (8 Mar 2018)
-- curl tool: accept --compressed also if Brotli is enabled and zlib is not.
-
-Daniel Stenberg (5 Mar 2018)
-- THANKS + mailmap: remove duplicates, fixup full names
-
-- [sergii.kavunenko brought this change]
-
-  WolfSSL: adding TLSv1.3
-  
-  Closes #2349