From 2a7aa481eaf81a71e5c5682974fffe1aa1fc6202 Mon Sep 17 00:00:00 2001
From: dartraiden <wowemuh@gmail.com>
Date: Fri, 1 Jun 2018 22:53:12 +0300
Subject: libs/libcurl: update to 7.60

---
 libs/libcurl/docs/CHANGES        | 9418 ++++++++++++++++++++++----------------
 libs/libcurl/docs/COPYING        |    3 +-
 libs/libcurl/docs/LICENSE-MIXING |  130 -
 libs/libcurl/docs/THANKS         |  728 ++-
 4 files changed, 6215 insertions(+), 4064 deletions(-)
 delete mode 100644 libs/libcurl/docs/LICENSE-MIXING

(limited to 'libs/libcurl/docs')

diff --git a/libs/libcurl/docs/CHANGES b/libs/libcurl/docs/CHANGES
index a384fadba8..cbb1072dc5 100644
--- a/libs/libcurl/docs/CHANGES
+++ b/libs/libcurl/docs/CHANGES
@@ -6,5570 +6,7166 @@
 
                                   Changelog
 
-Version 7.33.0 (13 Oct 2013)
+Version 7.60.0 (15 May 2018)
 
-Daniel Stenberg (13 Oct 2013)
-- RELEASE-NOTES: synced with 92cf6141ed0de
+Daniel Stenberg (15 May 2018)
+- RELEASE-NOTES: 7.60.0 release
 
-- curl: fix --oauth2-bearer in the --help output
-  
-  After the option rename in 5df04bfafd1
-
-- OpenSSL: improve the grammar of the language in 39beaa5ffbcc
-  
-  Reported-by: Petr Pisar
-
-- [Andrej E Baranov brought this change]
+- THANKS: added people from the curl 7.60.0 release
 
-  OpenSSL: use failf() when subjectAltName mismatches
+- docs/libcurl/index.html: removed
   
-  Write to CURLOPT_ERRORBUFFER information about mismatch alternative
-  certificate subject names.
+  The HTML files are long gone from the dist, now remove the last HTML
+  file pointing to those missing files.
   
-  Signed-off-by: Andrej E Baranov <admin@andrej-andb.ru>
+  d
 
-- curl: rename --bearer to --oauth2-bearer
-  
-  The option '--bearer' might be slightly ambiguous in name. It doesn't
-  create any conflict that I am aware of at the moment, however, OAUTH v2
-  is not the only authentication mechanism which uses "bearer" tokens.
-  
-  Reported-by: Kyle L. Huff
-  URL: http://curl.haxx.se/mail/lib-2013-10/0064.html
+- [steini2000 brought this change]
 
-- [Kamil Dudka brought this change]
-
-  ssh: improve the logic for detecting blocking direction
+  http2: remove unused variable
   
-  This fixes a regression introduced by commit 0feeab78 limiting the speed
-  of SCP upload to 16384 B/s on a fast connection (such as localhost).
-
-Dan Fandrich (12 Oct 2013)
-- Fixed typo in Makefile.inc that left http2.h out of the tar ball
+  Closes #2570
 
-Daniel Stenberg (11 Oct 2013)
-- [Heinrich Schaefer brought this change]
+- [steini2000 brought this change]
 
-  minor fix in doc
+  http2: use easy handle of stream for logging
 
-- [Gisle Vanem brought this change]
-
-  curl_setup_once: fix errno access for lwip on Windows
+- gcc: disable picky gcc-8 function pointer warnings in two places
   
-  lib/curl_setup_once.h assumed lwIP on Windows uses 'SetLastError()' to
-  set network errors. It doesn't; it uses 'errno'.
-
-- test1239: verify 4cd444e01ad and the simulated 304 response
-
-- [Derek Higgins brought this change]
+  Reported-by: Rikard Falkeborn
+  Bug: #2560
+  Closes #2569
 
-  HTTP: Output http response 304 when modified time is too old
+- http2: use the correct function pointer typedef
   
-  When using the -w '%{http_code}' flag and simulating a Not Modified then
-  304 should be output.
+  Fixes gcc-8 picky compiler warnings
+  Reported-by: Rikard Falkeborn
+  Bug: #2560
+  Closes #2568
 
-- contributors: helper script to dig out contributors from git
-
-- RELEASE-NOTES: add twos refs to bug reports
-
-- RELEASE-NOTES: synced with 173160c0d068
-
-Nick Zitzmann (2 Oct 2013)
-- darwinssl: block TLS_RSA_WITH_NULL_SHA256 cipher
+- CODE_STYLE: mention return w/o parens, but sizeof with
   
-  Credit (for catching a cipher I forgot to add to the blocked ciphers list):
-  https://www.ssllabs.com/ssltest/viewMyClient.html
+  ... and remove the github markdown syntax so that it renders better on
+  the web site. Also, don't use back-ticks inlined to allow the CSS to
+  highlight source code better.
 
-Daniel Stenberg (2 Oct 2013)
-- OpenSSL: acknowledge CURLOPT_SSL_VERIFYHOST without VERIFYPEER
-  
-  Setting only CURLOPT_SSL_VERIFYHOST without CURLOPT_SSL_VERIFYPEER set
-  should still verify that the host name fields in the server certificate
-  is fine or return failure.
-  
-  Bug: http://curl.haxx.se/mail/lib-2013-10/0002.html
-  Reported-by: Ishan SinghLevett
+- [Rikard Falkeborn brought this change]
 
-- KNOWN_BUGS: #84: CURLINFO_SSL_VERIFYRESULT
+  examples: Fix format specifiers
   
-  CURLINFO_SSL_VERIFYRESULT is only implemented for the OpenSSL and NSS
-  backends and not for any other!
-
-- [François Charlier brought this change]
+  Closes #2561
 
-  xattr: add support for FreeBSD xattr API
+- [Rikard Falkeborn brought this change]
 
-- curl_easy_setopt.3: slight clarification of SEEKFUNCTION
+  tool: Fix format specifiers
 
-Steve Holme (29 Sep 2013)
-- tests: Fixed typos from commit 25a0c96a494297
+- [Rikard Falkeborn brought this change]
 
-- tests: Updated email addresses in SMTP tests following recent changes
+  ntlm: Fix format specifiers
 
-- test909: Removed custom EHLO response after recent changes
-  
-  ...as it is no longer required following capability and authentication
-  changes and is now causing problems following commit 49341628b50007 as
-  the test number is obtained from the client address in the EHLO.
+- [Rikard Falkeborn brought this change]
 
-- ftpserver.pl: Fixed compilation error from commit 49341628b50007
+  tests: Fix format specifiers
 
-- ftpserver.pl: Moved specifying the test number from the RCPT address
-  
-  ...to the client address as this frees the RCPT strings to contain
-  just an email address and by passing the test number into curl as the
-  client address remains consistent with POP3 and IMAP tests as they are
-  specified in the URL.
+- [Rikard Falkeborn brought this change]
 
-- ftpserver.pl: Added unwanted argument check to SMTP DATA command handler
+  lib: Fix format specifiers
 
-Daniel Stenberg (29 Sep 2013)
-- getinmemory: remove a comment
-  
-  The comment mentioned the need to free the data, but the example already
-  does that free
+- contributors.sh: use "on github", not at
 
-- postinmemory: new example
+- http2: getsock fix for uploads
   
-  This is similar to getinmemory.c but with an initial POST.
+  When there's an upload in progress, make sure to wait for the socket to
+  become writable.
   
-  Combined-by: Ulf Samuelsson
+  Detected-by: steini2000 on github
+  Bug: #2520
+  Closes #2567
 
-- win32: fix Visual Studio 2010 build with WINVER >= 0x600
+- pingpong: fix response cache memcpy overflow
   
-  If no WINVER and/or _WIN32_IWNNT define was set, the Windows platform
-  SDK often defaults to high value, e.g. 0x601 (whoch may probably depend
-  on the Windows version being used, in my case Windows 7).
+  Response data for a handle with a large buffer might be cached and then
+  used with the "closure" handle when it has a smaller buffer and then the
+  larger cache will be copied and overflow the new smaller heap based
+  buffer.
   
-  If WINVER >= 0x600 then winsock2.h includes some defines for WSAPoll(),
-  e.g. POLLIN, POLLPRI, POLLOUT etc. These defines clash with cURL's
-  lib/select.h.
+  Reported-by: Dario Weisser
+  CVE: CVE-2018-1000300
+  Bug: https://curl.haxx.se/docs/adv_2018-82c2.html
+
+- http: restore buffer pointer when bad response-line is parsed
   
-  Make sure HAVE_STRUCT_POLLFD is defined then.
+  ... leaving the k->str could lead to buffer over-reads later on.
   
-  Bug: http://curl.haxx.se/bug/view.cgi?id=1282
-  Reported-by: "kdekker"
-  Patch-by: Marcel Raad
-
-Steve Holme (28 Sep 2013)
-- ssluse.c: Fixed compilation warnings when ENGINE not supported
+  CVE: CVE-2018-1000301
+  Assisted-by: Max Dymond
   
-  The function "ssl_ui_reader" was declared but never referenced
-  The function "ssl_ui_writer" was declared but never referenced
+  Detected by OSS-Fuzz.
+  Bug: https://curl.haxx.se/docs/adv_2018-b138.html
+  Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7105
 
-Daniel Stenberg (27 Sep 2013)
-- configure: use icc options without space
+Patrick Monnerat (13 May 2018)
+- cookies: do not take cookie name as a parameter
   
-  The latest version(s) of the icc compiler no longer accept the extra
-  space in the -we (warning enable), -wd (warning disable), etc.
+  RFC 6265 section 4.2.1 does not set restrictions on cookie names.
+  This is a follow-up to commit 7f7fcd0.
+  Also explicitly check proper syntax of cookie name/value pair.
   
-  Reported-by: Elmira A Semenova
-  Bug: http://curl.haxx.se/mail/lib-2013-09/0182.html
-
-Steve Holme (25 Sep 2013)
-- imap: Added clarification to the code about odd continuation responses
-
-- ftp.c: Fixed compilation warning
+  New test 1155 checks that cookie names are not reserved words.
   
-  There is an implicit conversion from "unsigned long" to "long"
+  Reported-By: anshnd at github
+  Fixes #2564
+  Closes #2566
 
-- sasl: Centralised the authentication mechanism strings
-  
-  Moved the standard SASL mechanism strings into curl_sasl.h rather than
-  hard coding the same values over and over again in the protocols that
-  use SASL authentication.
+Daniel Stenberg (12 May 2018)
+- smb: reject negative file sizes
   
-  For more information about the mechanism strings see:
+  Assisted-by: Max Dymond
   
-  http://www.iana.org/assignments/sasl-mechanisms
-
-Daniel Stenberg (23 Sep 2013)
-- RELEASE-NOTES: added recent contributors missing
-
-Steve Holme (23 Sep 2013)
-- test906: Fixed type-2 response
+  Detected by OSS-Fuzz
+  Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8245
 
-- test915: Corrected test number from commit 22bccb0edaf041
+- setup_transfer: deal with both sockets being -1
+  
+  Detected by Coverity; CID 1435559.  Follow-up to f8d608f38d00. It would
+  index the array with -1 if neither index was a socket.
 
-- test906: Fixed type-1 message not handled error
+- travis: add build using NSS
   
-  ...from commit f81d1e16664976 due to copy paste error.
+  Closes #2558
 
-- tests: Added SMTP AUTH NTLM test
+- [Sunny Purushe brought this change]
 
-- tests: Added SMTP multiple and invalid --mail-rcpt test
+  openssl: change FILE ops to BIO ops
+  
+  To make builds with VS2015 work. Recent changes in VS2015 _IOB_ENTRIES
+  handling is causing problems. This fix changes the OpenSSL backend code
+  to use BIO functions instead of FILE I/O functions to circumvent those
+  problems.
+  
+  Closes #2512
 
-- tests: Added SMTP multiple --mail-rcpt test
+- travis: add a build using WolfSSL
+  
+  Assisted-by: Dan Fandrich
+  
+  Closes #2528
 
-- tests: Added SMTP invalid --mail-rcpt test
+- RELEASE-NOTES: typo
 
-- tests: Regrouping of SMTP tests
+- RELEASE-NOTES: synced
 
-Daniel Stenberg (22 Sep 2013)
-- [Benoit Sigoure brought this change]
+- [Daniel Gustafsson brought this change]
 
-  test1112: Increase the timeout from 7s to 16s
+  URLs: fix one more http url
   
-  As someone reported on the mailing list a while back, the hard-coded
-  arbitrary timeout of 7s in test 1112 is not sufficient in some build
-  environments. At Arista Networks we build and test curl as part of our
-  automated build system, and we've run into this timeout 170 times so
-  far. Our build servers are typically quite busy building and testing a
-  lot of code in parallel, so despite being beefy machines with 32 cores
-  and 128GB of RAM we still hit this 7s timeout regularly.
+  This file wasn't included in commit 4af40b3646d3b09 which updated all
+  haxx.se http urls to https. The file was committed prior to that update,
+  but may have been merged after it and hence didn't get updated.
   
-  URL: http://curl.haxx.se/mail/lib-2010-02/0200.html
+  Closes #2550
 
-Steve Holme (22 Sep 2013)
-- tests: Fixed smtp rcpt to addresses
+- github/lock: auto-lock closed issues after 90 days of inactivity
 
-- ftpserver.pl: Expanded the SMTP RCPT handler to validate TO addresses
+- vtls: fix missing commas
   
-  RCPT_smtp() will now check for a correctly formatted TO address which
-  allows for invalid recipient addresses to be added.
+  follow-up to e66cca046cef
 
-- ftpserver.pl: Added cURL SMTP server detection to HELO command handler
+- vtls: use unified "supports" bitfield member in backends
   
-  As curl will send a HELO command after an negative EHLO response, added
-  the same detection from commit b07709f7417c3e to the HELO handler to
-  ensure the test server is identified correctly and an upload isn't
-  performed.
-
-- ftpserver.pl: Corrected response code for successful RCPT command
-
-- ftpserver.pl: Moved invalid RCPT TO: address detection to RCPT handler
+  ... instead of previous separate struct fields, to make it easier to
+  extend and change individual backends without having to modify them all.
   
-  Rather than detecting the TO address as missing in the DATA handler,
-  moved the detection to the RCPT command handler where an error response
-  can be generated.
+  closes #2547
 
-- RELEASE-NOTES: Corrected missed addition
+- transfer: don't unset writesockfd on setup of multiplexed conns
+  
+  Curl_setup_transfer() can be called to setup a new individual transfer
+  over a multiplexed connection so it shouldn't unset writesockfd.
   
-  Somehow commit 60a20461629fda missed the last item in the sync list
-  even though I'm sure I added it during editing.
+  Bug: #2520
+  Closes #2549
 
-- RELEASE-NOTES: Synced with 6dd8bd8d2f9729
+- [Frank Gevaerts brought this change]
 
-- curl.1: Added information about optional login options to --user in manpage
+  configure: put CURLDEBUG and DEBUGBUILD in lib/curl_config.h
   
-  Added missing information, from curl 7.31.0, regarding the use of the
-  optional login options that may be specified as part of --user.
+  They are removed from the compiler flags.
   
-  For example:
+  This ensures that make dependency tracking will force a rebuild whenever
+  configure --enable-debug or --enable-curldebug changes.
   
-  --user 'user:password;auth=NTLM' in IMAP, POP3 and SMTP protocols.
+  Closes #2548
 
-- ftpserver.pl: Moved cURL SMTP server detection into EHLO command handler
+- http: don't set the "rewind" flag when not uploading anything
   
-  Moved the special SMTP server detection code from the DATA command
-  handler, which happens further down the operation chain after EHLO,
-  MAIL and RCPT commands, to the EHLO command as it is the first command
-  to be generated by a SMTP operation as well as containing the special
-  "verifiedserver" string from the URL.
+  It triggers an assert.
   
-  This not only makes it easier and quicker to detect but also means that
-  cURL doesn't need to specify "verifiedserver" as --mail-from and
-  --mail-rcpt arguments.
+  Detected by OSS-Fuzz
+  Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8144
+  Closes #2546
+
+- travis: add an mbedtls build
   
-  More importantly, this also makes the upcoming verification changes to
-  the RCPT handler easier to implement.
+  Closes #2531
 
-Daniel Stenberg (21 Sep 2013)
-- openssl: use correct port number in error message
+- configure: only check for CA bundle for file-using SSL backends
   
-  In ossl_connect_step2() when the "Unknown SSL protocol error" occurs, it
-  would output the local port number instead of the remote one which
-  showed when doing SSL over a proxy (but with the correct remote host
-  name). As libcurl only speaks SSL to the remote we know it is the remote
-  port.
+  When only building with SSL backends that don't use the CA bundle file
+  (by default), skip the check.
   
-  Bug: http://curl.haxx.se/bug/view.cgi?id=1281
-  Reported-by: Gordon Marler
+  Fixes #2543
+  Fixes #2180
+  Closes #2545
 
-- test1415: adjusted to work for 32bit time_t
+- ssh-libssh.c: fix left shift compiler warning
   
-  The libcurl date parser returns INT_MAX for all dates > 2037 so this
-  test is now made to use 2037 instead of 2038 to work the same for both
-  32bit and 64bit time_t systems.
-
-Steve Holme (21 Sep 2013)
-- tests: Reworked existing SMTP tests to be single recipient based
+  ssh-libssh.c:2429:21: warning: result of '1 << 31' requires 33 bits to
+  represent, but 'int' only has 32 bits [-Wshift-overflow=]
   
-  ...in preparation of upcoming multiple recipient tests.
-
-- ftpserver.pl: Corrected SMTP QUIT response to be more realistic
-
-Daniel Stenberg (20 Sep 2013)
-- curl_easy_setopt.3: clarify that TIMEOUT and TIMEOUT_MS set the same value
+  'len' will never be that big anyway so I converted the run-time check to
+  a regular assert.
 
-- [Kim Vandry brought this change]
+- [Stephan Mühlstrasser brought this change]
 
-  Documented --dns-* options in curl manpage
-
-Steve Holme (20 Sep 2013)
-- pop3: Added basic SASL XOAUTH2 support
+  URL: fix ASCII dependency in strcpy_url and strlen_url
   
-  Added the ability to use an XOAUTH2 bearer token [RFC6750] with POP3 for
-  authentication using RFC6749 "OAuth 2.0 Authorization Framework".
+  Commit 3c630f9b0af097663a64e5c875c580aa9808a92b partially reverted the
+  changes from commit dd7521bcc1b7a6fcb53c31f9bd1192fcc884bd56 because of
+  the problem that strcpy_url() was modified unilaterally without also
+  modifying strlen_url(). As a consequence strcpy_url() was again
+  depending on ASCII encoding.
   
-  The bearer token is expected to be valid for the user specified in
-  conn->user. If CURLOPT_XOAUTH2_BEARER is defined and the connection has
-  an advertised auth mechanism of "XOAUTH2", the user and access token are
-  formatted as a base64 encoded string and sent to the server as
-  "AUTH XOAUTH2 <bearer token>".
-
-- curl: Added clarification to the --mail options in the --help output
+  This change fixes strlen_url() and strcpy_url() in parallel to use a
+  common host-encoding independent criterion for deciding whether an URL
+  character must be %-escaped.
   
-  ... that these options apply to SMTP only.
+  Closes #2535
 
-- ftpserver.pl: Moved SMTP RCPT response text into command handler
+- [Denis Ollier brought this change]
+
+  docs: remove extraneous commas in man pages
+  
+  Closes #2544
 
-- tests: Added SMTP invalid --mail-from test
+- RELEASE-NOTES: synced
 
-Nick Zitzmann (19 Sep 2013)
-- darwinssl: enable BEAST workaround on iOS 7 & later
+- Revert "TODO: remove configure --disable-pthreads"
   
-  iOS 7 finally added the option to enable 1/n-1 when using TLS 1.0
-  and a CBC cipher, so we now always turn that on unless the user
-  manually turns it off using CURLSSLOPT_ALLOW_BEAST.
+  This reverts commit d5d683a97f9765bddfd964fe32e137aa6e703ed3.
   
-  It appears Apple also added some new PSK ciphers, but no interface to
-  use them yet, so we at least support printing them if we find them.
+  --disable-pthreads can be used to disable pthreads and get the threaded
+  resolver to use the windows threading when building with mingw.
 
-Steve Holme (19 Sep 2013)
-- tests: Updated SMTP AUTH tests to use the new AUTH directive
+- vtls: don't define MD5_DIGEST_LENGTH for wolfssl
   
-  ...rather than specify a customised EHLO response.
+  ... as it defines it (too)
 
-- tests: Corrected test913 as the QUIT response is received
+- TODO: remove configure --disable-pthreads
 
-- tests: Added SMTP large message SIZE test
+Jay Satiro (2 May 2018)
+- [David Garske brought this change]
 
-- ftpserver.pl: Updated email regex from commit 98f7ca7e971006
+  wolfssl: Fix non-blocking connect
   
-  ...to not be as strict as it was rejecting valid numeric email
-  addresses.
+  Closes https://github.com/curl/curl/pull/2542
 
-- tests: Fixed smtp mail from addresses
+Daniel Stenberg (30 Apr 2018)
+- CURLOPT_URL.3: add ENCODING section [ci skip]
+  
+  Feedback-by: Michael Kilburn
 
-- ftpserver.pl: Standardised CAPA and AUTH responses
+- KNOWN_BUGS: Client cert with Issuer DN differs between backends
+  
+  Closes #1411
 
-- ftpserver.pl: Corrected POP3 QUIT reply to be more realistic
+- KNOWN_BUGS: Passive transfer tries only one IP address
+  
+  Closes #1508
 
-- runtests.pl: Fixed syntax error in commit c873375123343e
+- KNOWN_BUGS: --upload-file . hang if delay in STDIN
   
-  Possible unintended interpolation in string at line 796
+  Closes #2051
 
-- runtests.pl: Fixed smtp mail from address
+- KNOWN_BUGS: Connection information when using TCP Fast Open
   
-  Following changes to ftpserver.pl fixed the mail from address to be a
-  correctly formatted address otherwise the server response will be 501
-  Invalid address.
+  Closes #1332
 
-- ftpserver.pl: Fixed syntax error in commit 98f7ca7e971006
+- travis: enable libssh2 on both macos and Linux
+  
+  It seems to not be detected by default anymore (which is a bug I
+  believe)
   
-  Can't modify constant item in scalar assignment line 779, near "0;"
+  Closes #2541
 
-- ftpserver.pl: Expanded the SMTP MAIL handler to validate messages
+- TODO: Support the clienthello extension
   
-  MAIl_smtp() will now check for a correctly formatted FROM address as
-  well as the optional SIZE parameter comparing it against the server
-  capability when specified.
+  Closes #2299
 
-Daniel Stenberg (17 Sep 2013)
-- [YAMADA Yasuharu brought this change]
+- TODO: CLOEXEC
+  
+  Closes #2252
 
-  cookies: add expiration
+- tests: provide 'manual' as a feature to optionally require
+  
+  ... and make test 1026 rely on that feature so that --disable-manual
+  builds don't cause test failures.
   
-  Implement: Expired Cookies These following situation, curl removes
-  cookie(s) from struct CookieInfo if the cookie expired.
-   - Curl_cookie_add()
-   - Curl_cookie_getlist()
-   - cookie_output()
+  Reported-by: Max Dymond and Anders Roxell
+  Fixes #2533
+  Closes #2540
 
-Steve Holme (17 Sep 2013)
-- ftpserver.pl: Corrected response code for successful MAIL command
+- CURLINFO_PROTOCOL.3: mention the existing defined names
 
-- ftpserver.pl: Moved SMTP MAIL handler into own function
+Jay Satiro (27 Apr 2018)
+- [Daniel Gustafsson brought this change]
 
-- dns: fix compilation with MinGW from commit df69440d05f113
+  cookies: remove unused macro
   
-  Avoid 'interface' literal that some MinGW versions define as a macro
+  Commit 2bc230de63 made the macro MAX_COOKIE_LINE_TXT become unused,
+  so remove as it's not part of the published API.
   
-  Additionally, corrected some very, very minor coding style errors.
+  Closes https://github.com/curl/curl/pull/2537
 
-- tests: Fixed test 1406 following recent changes in ftpserver.pl
+Daniel Stenberg (27 Apr 2018)
+- [Daniel Gustafsson brought this change]
+
+  checksrc: force indentation of lines after an else
+  
+  This extends the INDENTATION case to also handle 'else' statements
+  and require proper indentation on the following line. Also fixes the
+  offending cases found in the codebase.
   
-  By default the mail server doesn't send the SIZE capability but instead
-  it has to be specified as a supported capability.
+  Closes #2532
 
-- tests: Added test for SMTP SIZE capability
+- http2: fix null pointer dereference in http2_connisdead
+  
+  This function can get called on a connection that isn't setup enough to
+  have the 'recv_underlying' function pointer initialized so it would try
+  to call the NULL pointer.
+  
+  Reported-by: Dario Weisser
+  
+  Follow-up to db1b2c7fe9b093f8 (never shipped in a release)
+  Closes #2536
 
-- ftpserver.pl: Added the ability to include spaces in capabilities
+- http2: get rid of another strstr()
   
-  For example:
+  Follow-up to 1514c44655e12e: replace another strstr() call done on a
+  buffer that might not be zero terminated - with a memchr() call, even if
+  we know the substring will be found.
   
-  CAPA "SIZE 1048576" 8BITMIME BINARYMIME
+  Assisted-by: Max Dymond
   
-  will populate the capabilities list with the following in:
+  Detected by OSS-Fuzz
+  Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8021
   
-  SIZE 1048576
-  8BITMIME
-  BINARYMIME
-
-- ftpserver.pl: Corrected response code for successful SMTP QUIT command
+  Closes #2534
 
-- ftpserver.pl: Fixed syntax error in commit 33c1f2876b9029
+- cyassl: adapt to libraries without TLS 1.0 support built-in
   
-  Can't modify constant item in postincrement line 727, near "i++"
+  WolfSSL doesn't enable it by default anymore
 
-- ftpserver.pl: Added CAPA & AUTH directive support to the SMTP EHLO handler
+- configure: provide --with-wolfssl as an alias for --with-cyassl
 
-- ftpserver.pl: Fixed SMTP QUIT handler from dadc495540946e
+- RELEASE-NOTES: synced
 
-- ftpserver.pl: Moved SMTP EHLO and QUIT handlers in own functions
+- [Daniel Gustafsson brought this change]
 
-- ftpserver.pl: Added support for SMTP HELO command
+  os400.c: fix ASSIGNWITHINCONDITION checksrc warnings
   
-  ...and updated test902 as explicit HELO response is no longer required.
-
-- ftpserver.pl: Added mailbox check to IMAP SELECT handler
-
-- ftpserver.pl: Corrected invalid user details check
+  All occurrences of assignment within conditional expression in
+  os400sys.c rewritten into two steps: first assignment and then the check
+  on the success of the assignment. Also adjust related incorrect brace
+  positions to match project indentation style.
   
-  ...in both the IMAP LOGIN and POP3 PASS handlers introduced in commit
-  187ac693744949 and 84ad1569e5fc93 respectively.
-
-- ftpserver.pl: Moved IMAP LOGIN handler into own function
-
-- ftpserver.pl: Moved POP3 USER and PASS handlers into own functions
-
-- ftpserver.pl: Corrected invalid argument check in POP3 TOP handler
+  This was spurred by seeing "if((inp = input_token))", but while in there
+  all warnings were fixed.
   
-  ...which was accidentally introduced in commit 4d6ef6297ae9b6.
-
-- ftpserver.pl: Added capability prerequisite for extended POP3 commands
-
-- tests: Updated descriptions to be more meaningful
-
-- ftpserver.pl: Added support for IMAP NOOP command
-
-- imap: Fixed response check for NOOP command
+  There should be no functional change from these changes.
+  
+  Closes #2525
 
-- tests: Updated descriptions to be more meaningful
+- [Daniel Gustafsson brought this change]
 
-Daniel Stenberg (13 Sep 2013)
-- curl.1: detail how short/long options work
+  cookies: ensure that we have cookies before writing jar
   
-  URL: http://curl.haxx.se/bug/view.cgi?id=1279
-  Suggested-by: Jerry Krinock
+  The jar should be written iff there are cookies, so ensure that we still
+  have cookies after expiration to avoid creating an empty file.
+  
+  Closes #2529
 
-Steve Holme (13 Sep 2013)
-- curl: Fixed usage of DNS options when not using c-ares resolver
+- strcpy_url: only %-encode values >= 0x80
+  
+  OSS-Fuzz detected
   
-  Commit 32352ed6adddcb introduced various DNS options, however, these
-  would cause curl to exit with CURLE_NOT_BUILT_IN when c-ares wasn't
-  being used as the backend resolver even if the options weren't set
-  by the user.
+  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8000
   
-  Additionally corrected some minor coding style errors from the same
-  commit.
+  Broke in dd7521bcc1b7
 
-Daniel Stenberg (13 Sep 2013)
-- curl_easy_setopt.3: mention RTMP URL quirks
+- mime: avoid NULL pointer dereference risk
   
-  URL: http://curl.haxx.se/bug/view.cgi?id=1278
-  Reported-by: Gorilla Maguila
+  Coverity detected, CID 1435120
+  
+  Closes #2527
 
-- [Ben Greear brought this change]
+- [Stephan Mühlstrasser brought this change]
 
-  curl: Add support for various DNS binding options.
+  ctype: restore character classification for non-ASCII platforms
   
-  (Passed on to c-ares.)
+  With commit 4272a0b0fc49a1ac0ceab5c4a365c9f6ab8bf8e2 curl-speficic
+  character classification macros and functions were introduced in
+  curl_ctype.[ch] to avoid dependencies on the locale. This broke curl on
+  non-ASCII, e.g. EBCDIC platforms. This change restores the previous set
+  of character classification macros when CURL_DOES_CONVERSIONS is
+  defined.
   
-  Allows something like this:
+  Closes #2494
+
+- ftplistparser: keep state between invokes
   
-  curl --dns-interface sta8 --dns-ipv4-addr 8.8.1.111 --interface sta8 \
-  --localaddr 8.8.1.111 --dns-servers 8.8.8.1 www.google.com
+  Fixes FTP wildcard parsing when done over a number of read buffers.
   
-  Signed-off-by: Ben Greear <greearb@candelatech.com>
-
-- [Kim Vandry brought this change]
-
-  libcurl: New options to bind DNS to local interfaces or IP addresses
-
-- libcurl.3: for multi interface connections are held in the multi handle
+  Regression from f786d1f14
   
-  ... and a few more cleanups/clarifications
-
-Steve Holme (12 Sep 2013)
-- ftpserver.pl: Fixed missing comma from 7fd84b14d219b1
+  Reported-by: wncboy on github
+  Fixes #2445
+  Closes #2526
 
-- ftpserver.pl: Fixed variable error introduced in 7fd84b14d219b1
+- examples/http2-upload: expand buffer to avoid silly warning
   
-  Global symbol "$mailbox" requires explicit package name
-
-- ftpserver.pl: Added support for UID command
-
-- ftpserver.pl: Added support for LSUB command
-
-- imap: Fixed response check for LSUB and UID commands
-
-- ftpserver.pl: Added support for IMAP COPY command
+  http2-upload.c:135:44: error: ‘%02d’ directive output may be truncated
+  writing between 2 and 11 bytes into a region of size between 8 and 17
 
-- ftpserver.pl: Added support for IMAP CLOSE and EXPUNGE commands
-
-- ftpserver.pl: Added support for POP3 RSET command
-
-- ftpserver.pl: Added the ability to remember what messages are deleted
+- examples/sftpuploadresume: typecast fseek argument to long
   
-  ...as this will be required for IMAP CLOSE and EXPUNGE commands as well
-  as the POP3 RSET command.
+  /docs/examples/sftpuploadresume.c:102:12: warning: conversion to 'long
+  int' from 'curl_off_t {aka long long int}' may alter its value
 
-Daniel Stenberg (10 Sep 2013)
-- NI_MAXSERV: remove all use of it
+- Revert "ftplistparser: keep state between invokes"
   
-  Solaris with the SunStudio Compiler is reportedly missing this define,
-  but as we're using it without any good reason on all the places it was
-  used I've now instead switched to just use sensible buffer sizes that
-  fit a 32 bit decimal number. Which also happens to be smaller than the
-  common NI_MAXSERV value which is 32 on most machines.
+  This reverts commit abbc8457d85aca74b7cfda1d394b0844932b2934.
   
-  Bug: http://curl.haxx.se/bug/view.cgi?id=1277
-  Reported-by: D.Flinkmann
+  Caused fuzzer problems on travis not seen when this was a PR!
 
-- http2: use the support HTTP2 draft version in the upgrade header
+- Curl_memchr: zero length input can't match
   
-  ... instead of HTTP/2.0 to work fine with the nghttpx proxy/server.
-
-Steve Holme (10 Sep 2013)
-- ldap.c: Fix compilation warning
+  Avoids undefined behavior.
   
-  warning: comparison between signed and unsigned integer expressions
-
-- [Jiri Hruska brought this change]
+  Reported-by: Geeknik Labs
 
-  imap/pop3/smtp: Speed up SSL connection initialization
+- ftplistparser: keep state between invokes
   
-  Don't wait for the next callback call (usually 1 second) before
-  continuing with protocol specific connection initialization.
+  Fixes FTP wildcard parsing when doing over a number of read buffers.
+  
+  Regression from f786d1f14
+  
+  Reported-by: wncboy on github
+  Fixes #2445
+  Closes #2519
 
-- ldap.c: Corrected build error from commit 857f999353f333
+- ftplistparser: renamed some members and variables
+  
+  ... to make them better spell out what they're for.
 
-- RELEASE-NOTES: Corrected duplicate in bfefe2400a16b8
+- RELEASE-NOTES: synced
 
-- RELEASE-NOTES: Corrected typo from bfefe2400a16b8
+- [Christian Schmitz brought this change]
 
-- RELEASE-NOTES: synced with 25c68903756d6b
+  curl_global_sslset: always provide available backends
+  
+  Closes #2499
 
-Daniel Stenberg (10 Sep 2013)
-- README.http2: explain nghttp2 a little
+- http2: convert an assert to run-time check
+  
+  Fuzzing has proven we can reach code in on_frame_recv with status_code
+  not having been set, so let's detect that in run-time (instead of with
+  assert) and error error accordingly.
+  
+  (This should no longer happen with the latest nghttp2)
+  
+  Detected by OSS-Fuzz
+  Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7903
+  Closes #2514
 
-Steve Holme (9 Sep 2013)
-- tests: Added test for POP3 TOP command
+- curl.1: clarify that options and URLs can be mixed
+  
+  Fixes #2515
+  Closes #2517
 
-- ftpserver.pl: Added support for POP3 TOP command
+Jay Satiro (23 Apr 2018)
+- [Archangel_SDY brought this change]
 
-- tests: Added test for POP3 UIDL command
+  CURLOPT_SSLCERT.3: improve WinSSL-specific usage info
+  
+  Ref: https://github.com/curl/curl/pull/2376#issuecomment-381858780
+  
+  Closes https://github.com/curl/curl/pull/2504
 
-- ftpserver.pl: Added support for POP3 UIDL command
+- [Archangel_SDY brought this change]
 
-Daniel Stenberg (9 Sep 2013)
-- http2: adjust to new nghttp2_pack_settings_payload proto
+  schannel: fix build error on targets <= XP
   
-  This function was modified in nghttp2 git commit a1c3f89c72e51
-
-Kamil Dudka (9 Sep 2013)
-- url: handle abortion by read/write callbacks, too
+  - Use CRYPT_STRING_HEX instead of CRYPT_STRING_HEXRAW since XP doesn't
+    support the latter.
   
-  Otherwise, the FTP protocol would unnecessarily hang 60 seconds if
-  aborted in the CURLOPT_HEADERFUNCTION callback.
+  Ref: https://github.com/curl/curl/pull/2376#issuecomment-382153668
   
-  Reported by: Tomas Mlcoch
-  Bug: https://bugzilla.redhat.com/1005686
+  Closes https://github.com/curl/curl/pull/2504
 
-Daniel Stenberg (9 Sep 2013)
-- ldap: fix the build for systems with ldap_url_parse()
+Daniel Stenberg (23 Apr 2018)
+- Revert "ftplistparser: keep state between invokes"
   
-  Make sure that the custom struct fields are only used by code that
-  doesn't use a struct defintion from the outside.
+  This reverts commit 8fb78f9ddc6d858d630600059b8ad84a80892fd9.
   
-  Attempts to fix the problem introduced in 3dc6fc42bfc61b
+  Unfortunately this fix introduces memory leaks I've not been able to fix
+  in several days. Reverting this for now to get the leaks fixed.
 
-Steve Holme (9 Sep 2013)
-- [Jiri Hruska brought this change]
+Jay Satiro (21 Apr 2018)
+- tool_help: clarify --max-time unit of time is seconds
+  
+  Before:
+   -m, --max-time <time> Maximum time allowed for the transfer
+  
+  After:
+   -m, --max-time <seconds> Maximum time allowed for the transfer
 
-  pingpong: Check SSL library buffers for already read data
+Daniel Stenberg (20 Apr 2018)
+- http2: handle GOAWAY properly
+  
+  When receiving REFUSED_STREAM, mark the connection for close and retry
+  streams accordingly on another/fresh connection.
   
-  Otherwise the connection can get stuck during various phases, waiting
-  for new data on the socket using select() etc., but it will never be
-  received as the data has already been read into SSL library.
+  Reported-by: Terry Wu
+  Fixes #2416
+  Fixes #1618
+  Closes #2510
 
-- imap: Fixed calculation of transfer when partial FETCH received
+- http2: clear the "drain counter" when a stream is closed
   
-  The transfer size would be calculated incorrectly if the email contained
-  within the FETCH response, had been partially received by the pingpong
-  layer. As such the following, example output, would be seen if the
-  amount remaining was smaller than the amount received:
+  This fixes the notorious "httpc->drain_total >= data->state.drain"
+  assert.
   
-  * Excess found in a non pipelined read: excess = 1394, size = 262,
-    maxdownload = 262, bytecount = 1374
-  * transfer closed with -1112 bytes remaining to read
+  Reported-by: Anders Bakken
   
-  Bug: http://curl.haxx.se/mail/lib-2013-08/0170.html
-  Reported-by: John Dunn
+  Fixes #1680
+  Closes #2509
 
-- ftpserver.pl: Fixed empty array checks
+- http2: avoid strstr() on data not zero terminated
+  
+  It's not strictly clear if the API contract allows us to call strstr()
+  on a string that isn't zero terminated even when we know it will find
+  the substring, and clang's ASAN check dislikes us for it.
+  
+  Also added a check of the return code in case it fails, even if I can't
+  think of a situation how that can trigger.
   
-  ...from commits 28427b408326a1 and e8313697b6554b.
+  Detected by OSS-Fuzz
+  Closes #2513
+  Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7760
 
-- ftpserver: Reworked AUTH support to allow for specifying the mechanisms
+- [Stephan Mühlstrasser brought this change]
+
+  openssl: fix subjectAltName check on non-ASCII platforms
   
-  Renamed SUPPORTAUTH to AUTH and added support for specifying a list of
-  supported SASL mechanisms to return to the client.
+  Curl_cert_hostcheck operates with the host character set, therefore the
+  ASCII subjectAltName string retrieved with OpenSSL must be converted to
+  the host encoding before comparison.
   
-  Additionally added the directive to the FILEFORMAT document.
+  Closes #2493
 
-- ftpserver: Reworked CAPA support to allow for specifying the capabilities
+Jay Satiro (20 Apr 2018)
+- openssl: Add support for OpenSSL 1.1.1 verbose-mode trace messages
+  
+  - Support handling verbose-mode trace messages of type
+    SSL3_RT_INNER_CONTENT_TYPE, SSL3_MT_ENCRYPTED_EXTENSIONS,
+    SSL3_MT_END_OF_EARLY_DATA, SSL3_MT_KEY_UPDATE, SSL3_MT_NEXT_PROTO,
+    SSL3_MT_MESSAGE_HASH
   
-  Renamed SUPPORTCAPA to CAPA and added support for specifying a list of
-  supported capabilities to return to the client.
+  Reported-by: iz8mbw@users.noreply.github.com
   
-  Additionally added the directive to the FILEFORMAT document.
+  Fixes https://github.com/curl/curl/issues/2403
 
-- ftpserver.pl: Corrected POP3 LIST as message numbers should be contiguous
+Daniel Stenberg (19 Apr 2018)
+- ftplistparser: keep state between invokes
   
-  The message numbers given in the LIST response are an index into the
-  list, which are only valid for the current session, rather than being a
-  unique message identifier. An index would only be missing from the LIST
-  response if a DELE command had been issued within the same session and
-  had not been committed by the end of session QUIT command. Once
-  committed the POP3 server will regenerate the message numbers in the
-  next session to be contiguous again. As such our LIST response should
-  list message numbers contiguously until we support a DELE command in the
-  same session.
+  Regression from f786d1f14
   
-  Should a POP3 user require the unique message ID for any or all
-  messages then they should use the extended UIDL command. This command
-  will be supported by the test ftpserver in an upcoming commit.
+  Reported-by: wncboy on github
+  Fixes #2445
+  Closes #2508
 
-Daniel Stenberg (8 Sep 2013)
-- [Clemens Gruber brought this change]
+- detect_proxy: only show proxy use if it had contents
 
-  curl_easy_pause: suggest one way to unpause
+- http2: handle on_begin_headers() called more than once
+  
+  This triggered an assert if called more than once in debug mode (and a
+  memory leak if not debug build). With the right sequence of HTTP/2
+  headers incoming it can happen.
+  
+  Detected by OSS-Fuzz
+  
+  Closes #2507
+  Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7764
 
-Steve Holme (8 Sep 2013)
-- tests: Updated descriptions to be more meaningful
+Jay Satiro (18 Apr 2018)
+- [Dan McNulty brought this change]
 
-- tests: Added test for POP3 NOOP command
+  schannel: add support for CURLOPT_CAINFO
+  
+  - Move verify_certificate functionality in schannel.c into a new
+    file called schannel_verify.c. Additionally, some structure defintions
+    from schannel.c have been moved to schannel.h to allow them to be
+    used in schannel_verify.c.
+  
+  - Make verify_certificate functionality for Schannel available on
+    all versions of Windows instead of just Windows CE. verify_certificate
+    will be invoked on Windows CE or when the user specifies
+    CURLOPT_CAINFO and CURLOPT_SSL_VERIFYPEER.
+  
+  - In verify_certificate, create a custom certificate chain engine that
+    exclusively trusts the certificate store backed by the CURLOPT_CAINFO
+    file.
+  
+  - doc updates of --cacert/CAINFO support for schannel
+  
+  - Use CERT_NAME_SEARCH_ALL_NAMES_FLAG when invoking CertGetNameString
+    when available. This implements a TODO in schannel.c to improve
+    handling of multiple SANs in a certificate. In particular, all SANs
+    will now be searched instead of just the first name.
+  
+  - Update tool_operate.c to not search for the curl-ca-bundle.crt file
+    when using Schannel to maintain backward compatibility. Previously,
+    any curl-ca-bundle.crt file found in that search would have been
+    ignored by Schannel. But, with CAINFO support, the file found by
+    that search would have been used as the certificate store and
+    could cause issues for any users that have curl-ca-bundle.crt in
+    the search path.
+  
+  - Update url.c to not set the build time CURL_CA_BUNDLE if the selected
+    SSL backend is Schannel. We allow setting CA location for schannel
+    only when explicitly specified by the user via CURLOPT_CAINFO /
+    --cacert.
+  
+  - Add new test cases 3000 and 3001. These test cases check that the first
+    and last SAN, respectively, matches the connection hostname. New test
+    certificates have been added for these cases. For 3000, the certificate
+    prefix is Server-localhost-firstSAN and for 3001, the certificate
+    prefix is Server-localhost-secondSAN.
+  
+  - Remove TODO 15.2 (Add support for custom server certificate
+    validation), this commit addresses it.
+  
+  Closes https://github.com/curl/curl/pull/1325
 
-- ftpserver.pl: Added support for POP3 NOOP command
+- schannel: fix warning
+  
+  - Fix warning 'integer from pointer without a cast' on 3rd arg in
+    CertOpenStore. The arg type HCRYPTPROV may be a pointer or integer
+    type of the same size.
+  
+  Follow-up to e35b025.
+  
+  Caught by Marc's CI builds.
 
-- ftpserver.pl: Fixed 'Use of uninitialized value $args in string ne'
+- [Jakub Wilk brought this change]
 
-- tests: Added test for POP3 STAT command
+  docs: fix typos
+  
+  Closes https://github.com/curl/curl/pull/2503
 
-- ftpserver.pl: Added support for POP STAT command
+Daniel Stenberg (17 Apr 2018)
+- RELEASE-NOTES: synced
 
-- ftpserver.pl: Moved POP3 QUIT handler into own function
+Jay Satiro (17 Apr 2018)
+- [Kees Dekker brought this change]
 
-- ftpserver.pl: Reordered the POP3 handlers to be alphabetical
+  winbuild: Support custom devel paths for each dependency
   
-  In preparation for additional POP3 tests, re-ordered the command
-  function defintions to be sorted alphabetically.
-
-- ftpserver.pl: Corrected misaligned indentation in POP3 handlers
+  - Support custom devel paths for c-ares, mbedTLS, nghttp2, libSSH2,
+    OpenSSL and zlib. Respectively: CARES_PATH, MBEDTLS_PATH,
+    NGHTTP2_PATH, SSH2_PATH, SSL_PATH and ZLIB_PATH.
   
-  Fixed incorrect indentation used in both the RETR_pop3 and LIST_pop3
-  functions which was 5 and 9 characters rather than 4 and 8.
-
-- tests: Added test for POP3 DELE command
-
-unknown (7 Sep 2013)
-- [Steve Holme brought this change]
-
-  ftpserver.pl: Added support for POP3 DELE command
-
-Daniel Stenberg (7 Sep 2013)
-- http2: include curl_memory.h
+  - Use lib.exe for making the static library instead of link.exe /lib.
+    The latter is undocumented and could cause problems as noted in the
+    comments.
   
-  Detected by test 1132
-
-Nick Zitzmann (7 Sep 2013)
-- http: fix build warning under LLVM
+  - Remove a dangling URL that no longer worked. (I was not able to find
+    the IDN download at MSDN/microsoft.com, so it seems to be removed.)
+  
+  - Remove custom override for release-ssh2-ssl-dll-zlib configuration.
+    Nobody knows why it was there and as far as we can see is unnecessary.
   
-  When building the code using LLVM Clang without NGHTTP2, I was getting
-  this warning:
-  ../lib/http.h:155:1: warning: empty struct is a GNU extension [-Wgnu]
-  Placing a dummy variable into the data structure silenced the warning.
+  Closes https://github.com/curl/curl/pull/2474
 
-Daniel Stenberg (7 Sep 2013)
-- http2: actually init nghttp2 and send HTTP2-Settings properly
+Daniel Stenberg (17 Apr 2018)
+- [Jess brought this change]
 
-- README.http2: how to use it best with the multi API?
+  README.md: add backers and sponsors
+  
+  Closes #2484
 
-- http2: first embryo toward Upgrade:
+- [Archangel_SDY brought this change]
 
-- http: rename use_http_1_1 to use_http_1_1plus
+  schannel: add client certificate authentication
   
-  Since it now actually says if 1.1 or a later version should be used.
-
-- configure: improve CURL_CHECK_COMPILER_PROTOTYPE_MISMATCH
+  Users can now specify a client certificate in system certificates store
+  explicitly using expression like `--cert "CurrentUser\MY\<thumbprint>"`
   
-  The compiler test used a variable before it was assigned when it tried
-  to see how it acts on a mismatching prototype, which could cause a false
-  positive.
+  Closes #2376
 
-- [Petr Písař brought this change]
+Marcel Raad (16 Apr 2018)
+- [toughengineer brought this change]
 
-  Pass password to OpenSSL engine by user interface
+  ntlm_sspi: fix authentication using Credential Manager
   
-  Recent OpenSSL uses user interface abstraction to negotiate access to
-  private keys in the cryprographical engines. An OpenSSL application is
-  expected to implement the user interface. Otherwise a default one
-  provided by OpenSSL (interactive standard I/O) will be used and the
-  aplication will have no way how to pass a password to the engine.
+  If you pass empty user/pass asking curl to use Windows Credential
+  Storage (as stated in the docs) and it has valid credentials for the
+  domain, e.g.
+  curl -v -u : --ntlm example.com
+  currently authentication fails.
+  This change fixes it by providing proper SPN string to the SSPI API
+  calls.
   
-  Longer-desc: http://curl.haxx.se/mail/lib-2013-08/0265.html
+  Fixes https://github.com/curl/curl/issues/1622
+  Closes https://github.com/curl/curl/pull/1660
 
-- urlglob: improved error messages and column number on bad use
+Daniel Stenberg (16 Apr 2018)
+- configure: keep LD_LIBRARY_PATH changes local
   
-  Introduce a convenience macro and keep of the column better so that it
-  can point out the offending column better.
+  ... only set it when we actually have to run tests to reduce its impact
+  on for example build commands etc.
   
-  Updated test 75 accordingly.
+  Fixes #2490
+  Closes #2492
+  
+  Reported-by: Dmitry Mikhirev
 
-- urlglob: avoid error code translation
+Marcel Raad (16 Apr 2018)
+- urldata: make service names unconditional
+  
+  The ifdefs have become quite long. Also, the condition for the
+  definition of CURLOPT_SERVICE_NAME and for setting it from
+  CURLOPT_SERVICE_NAME have diverged. We will soon also need the two
+  options for NTLM, at least when using SSPI, for
+  https://github.com/curl/curl/pull/1660.
+  Just make the definitions unconditional to make that easier.
   
-  By using the correct values from the start we don't have to translate
-  them!
+  Closes https://github.com/curl/curl/pull/2479
 
-- urlglob: avoid NULL pointer dereference
+Daniel Stenberg (16 Apr 2018)
+- test1148: tolerate progress updates better
   
-  Thanks to clang-analyzer
+  Fixes #2446
+  Closes #2488
 
-- [Gisle Vanem brought this change]
+- [Christian Schmitz brought this change]
 
-  http2: use correct include for snprintf
+  ssh: show libSSH2 error code when closing fails
   
-  Using the first little merge of nghttp2 into libcurl, I stumbeled on the
-  missing 'snprintf' in MSVCRT. Isn't this how we do it for other libcurl
-  files?  I.e. use 'curl_msnprintf' and not 'snprintf' directly:
-
-- --data: mention CRLF treatment when reading from file
+  Closes #2500
 
-- [Geoff Beier brought this change]
+Jay Satiro (15 Apr 2018)
+- [Daniel Gustafsson brought this change]
 
-  LDAP: fix bad free() when URL parsing failed
+  vauth: Fix typo
   
-  When an error occurs parsing an LDAP URL, The ludp->lud_attrs[i] entries
-  could be freed even though they sometimes point to data within an
-  allocated area.
+  Address various spellings of "credentials".
   
-  This change introduces a lud_attrs_dup[] array for the duplicated string
-  pointers, and it removes the unused lud_exts array.
-  
-  Bug: http://curl.haxx.se/mail/lib-2013-08/0209.html
+  Closes https://github.com/curl/curl/pull/2496
 
-Nick Zitzmann (5 Sep 2013)
-- darwinssl: add support for PKCS#12 files for client authentication
-  
-  I also documented the fact that the OpenSSL engine also supports them.
+- [Dagobert Michelsen brought this change]
 
-Daniel Stenberg (5 Sep 2013)
-- symbols: added HTTP2 symbols and sorted list
+  system.h: Add sparcv8plus to oracle/sunpro 32-bit detection
   
-  CURL_HTTP_VERSION_2_0 and CURL_VERSION_HTTP2 are new
-
-- configure: add HTTP2 as a curl-config --feature output
+  With specific compiler options selecting the arch like -xarch=sparc on
+  newer compilers like Oracle Studio 12.4 there is no definition of
+  __sparcv8 but __sparcv8plus which means the V9 ISA, but limited to the
+  32ÎíÎñbit subset defined by the V8plus ISA specification, without the
+  Visual Instruction Set (VIS), and without other implementation-specific
+  ISA extensions. So it should be the same as __sparcv8.
   
-  Fixes the test 1014 failure
+  Closes https://github.com/curl/curl/pull/2491
 
-- curl: unbreak --http1.0 again
-  
-  I broke it in 2eabb7d590
+- [Daniel Gustafsson brought this change]
 
-- SASL: fix compiler warnings
+  checksrc: Fix typo
   
-  comparison between signed and unsigned integer expressions
+  Fix typo in "semicolon" spelling and remove stray tab character.
   
-  suggest parentheses around '&&' within '||' (twice)
+  Closes https://github.com/curl/curl/pull/2498
 
-- curl: add --http1.1 and --http2.0 options
+- [Daniel Gustafsson brought this change]
 
-- Curl_setopt: refuse CURL_HTTP_VERSION_2_0 if built without support
+  all: Refactor malloc+memset to use calloc
+  
+  When a zeroed out allocation is required, use calloc() rather than
+  malloc() followed by an explicit memset(). The result will be the
+  same, but using calloc() everywhere increases consistency in the
+  codebase and avoids the risk of subtle bugs when code is injected
+  between malloc and memset by accident.
+  
+  Closes https://github.com/curl/curl/pull/2497
 
-- http2: add http2.[ch] and add nghttp2 version output
+Daniel Stenberg (12 Apr 2018)
+- duphandle: make sure CURLOPT_RESOLVE is duplicated fine too
+  
+  Verified in test 1502 now
+  
+  Fixes #2485
+  Closes #2486
+  Reported-by: Ernst Sjöstrand
 
-- curl -V: output HTTP2 as a feature if present
+- mailmap: add a monnerat fixup [ci skip]
 
-- curl.h: add CURL_VERSION_HTTP2 as a feature
+- proxy: show getenv proxy use in verbose output
   
-  It isn't added as a separate protocol as HTTP2 will be done over HTTP://
-  URLs that can be upgraded to HTTP2 if the server supports it as well.
-
-Steve Holme (4 Sep 2013)
-- imap/smtp: Fixed incorrect SASL mechanism selection with XOAUTH2 servers
+  ... to aid debugging etc as it sometimes isn't immediately obvious why
+  curl uses or doesn't use a proxy.
   
-  XOAUTH2 would be selected in preference to LOGIN and PLAIN if the IMAP
-  or SMTP server advertised support for it even though a user's password
-  was supplied but bearer token wasn't.
+  Inspired by #2477
   
-  Modified the selection logic so that XOAUTH2 will only be selected if
-  the server supports it and A) The curl user/libcurl programmer has
-  specifically asked for XOAUTH via the ;AUTH=XOAUTH login option or 2)
-  The bearer token is specified. Obviously if XOAUTH is asked for via
-  the login option but no token is specified the user will receive a
-  authentication failure which makes more sense than no known
-  authentication mechanisms supported!
+  Closes #2480
 
-Daniel Stenberg (4 Sep 2013)
-- curl.h: added CURL_HTTP_VERSION_2_0
+- travis: build libpsl and make builds use it
   
-  Initial library considerations documented in lib/README.http2
-
-- configure: added --with-nghttp2
+  closes #2471
 
-- acinclude: fix --without-ca-path when cross-compiling
+- travis: bump to clang 6 and gcc 7
   
-  The commit 7b074a460b64811 to CURL_CHECK_CA_BUNDLE in 7.31 (don't check
-  for paths when cross-compiling) causes --without-ca-path to no longer
-  works when cross-compiling, since ca and capath only ever get set to
-  "no" when not cross-compiling, I attach a patch that works for me. Also
-  in the cross-compilation case, no ca-path seems to be a better default
-  (IMVHO) than empty ca-path.
+  Extra-eye-on-this-by: Marcel Raad
   
-  Bug: http://curl.haxx.se/bug/view.cgi?id=1273
-  Patch-by: Stefan Neis
+  Closes #2478
 
-Steve Holme (2 Sep 2013)
-- lib1512.c: Fixed compilation warning
+Marcel Raad (10 Apr 2018)
+- travis: use trusty for coverage build
   
-  An enumerated type is mixed with another type.
+  This works now and precise is in the process of being decommissioned.
   
-  ...as well as a small coding style error.
+  Closes https://github.com/curl/curl/pull/2476
 
-Guenter Knauf (1 Sep 2013)
-- Killed warning 'res' might be used uninitialized.
-
-Steve Holme (1 Sep 2013)
-- url.c: Fixed compilation warning
+- lib: silence null-dereference warnings
   
-  An enumerated type is mixed with another type
-
-- easy.c: Fixed compilation warning
+  In debug mode, MingGW-w64's GCC 7.3 issues null-dereference warnings
+  when dereferencing pointers after DEBUGASSERT-ing that they are not
+  NULL.
+  Fix this by removing the DEBUGASSERTs.
   
-  warning: `code' might be used uninitialized in this function
+  Suggested-by: Daniel Stenberg
+  Ref: https://github.com/curl/curl/pull/2463
 
-Daniel Stenberg (31 Aug 2013)
-- -x: rephrased the --proxy section somewhat
+- [Kees Dekker brought this change]
 
-Steve Holme (31 Aug 2013)
-- tests: Added test for IMAP CHECK command
-
-- ftpserver.pl: Added support for the IMAP CHECK command
+  winbuild: fix URL
+  
+  Follow up on https://github.com/curl/curl/pull/2472.
+  Now using en-us instead of nl-nl as language code in the URL.
+  
+  Closes https://github.com/curl/curl/pull/2475
 
-Guenter Knauf (31 Aug 2013)
-- Removed reference to krb4.c.
+Daniel Stenberg (9 Apr 2018)
+- [Kees Dekker brought this change]
 
-Steve Holme (31 Aug 2013)
-- ftpserver.pl: Corrected flawed logic in commit 1ca6ed7b75cad0
+  winbuild: updated the documentation
+  
+  The setenv command no longer exists and visual studio build prompts got
+  changed. Used Visual Studio 2015/2017 as reference.
+  
+  Closes #2472
 
-- imap: Fixed response check for EXPUNGE command
+- test1136: fix cookie order after commit c990eadd1277
 
-- ftpserver.pl: Added argument check to IMAP command handlers
+- build: cleanup to fix clang warnings/errors
   
-  Added BAD argument check to the following IMAP command handlers:
+  unit1309 and vtls/gtls: error: arithmetic on a null pointer treated as a
+  cast from integer to pointer is a GNU extension
   
-  APPEND, STORE, LIST, EXAMINE, STATUS and SEARCH
-
-- ftpserver.pl: More whitespace corrections
+  Reported-by: Rikard Falkeborn
   
-  LIST_imap() had a second level of indentation at 9 characters and not 8.
+  Fixes #2466
+  Closes #2468
 
-- ftpserver.pl: Small correction tidy up
+Jay Satiro (7 Apr 2018)
+- examples/sftpuploadresmue: Fix Windows large file seek
+  
+  - Use _fseeki64 instead of fseek (long) to seek curl_off_t in Windows.
+  
+  - Use CURL_FORMAT_CURL_OFF_T specifier instead of %ld to print
+    curl_off_t.
   
-  Corrected some IMAP variable names and whitespace issues.
+  Caught by Marc's CI builds.
 
-- [Kyle L. Huff brought this change]
+Daniel Stenberg (7 Apr 2018)
+- curl_setup: provide a CURL_SA_FAMILY_T type if none exists
+  
+  ... and use this type instead of 'sa_family_t' in the code since several
+  platforms don't have it.
+  
+  Closes #2463
 
-  docs: Added documentation for CURLOPT_BEARER
+- [Eric Gallager brought this change]
 
-- [Kyle L. Huff brought this change]
+  build: add picky compiler warning flags for gcc 6 and 7
 
-  curl.1: Add usage of '--bearer' option
+- configure: detect sa_family_t
 
-- tests: Added tests for IMAP CREATE, DELETE and RENAME commands
+Jay Satiro (7 Apr 2018)
+- [Stefan Agner brought this change]
 
-Daniel Stenberg (30 Aug 2013)
-- ftpserver: Bareword "to_mailbox" not allowed
+  tool_operate: Fix retry on FTP 4xx to ignore other protocols
   
-  Added missing $
-
-Steve Holme (30 Aug 2013)
-- ftpserver.pl: Added support for IMAP CREATE, DELETE and RENAME commands
-
-Daniel Stenberg (29 Aug 2013)
-- FTP: fix getsock during DO_MORE state
+  Only treat response code as FTP response codes in case the
+  protocol type is FTP.
   
-  ... when doing upload it would return the wrong values at times. This
-  commit attempts to cleanup the mess.
+  This fixes an issue where an HTTP download was treated as FTP
+  in case libcurl returned with 33. This happens when the
+  download has already finished and the server responses 416:
+    HTTP/1.1 416 Requested Range Not Satisfiable
   
-  Bug: http://curl.haxx.se/mail/lib-2013-08/0109.html
-  Reported-by: Mike Mio
-
-- curl_multi_remove_handle: allow multiple removes
+  This should not be treated as an FTP error.
   
-  When removing an already removed handle, avoid that to ruin the
-  internals and just return OK instead.
+  Fixes #2464
+  Closes #2465
 
-Steve Holme (29 Aug 2013)
-- ftpserver.pl: Updated IMAP EXAMINE handler to use dynamic test data
+Daniel Stenberg (6 Apr 2018)
+- hash: calculate sizes with size_t instead of longs
+  
+  ... since they return size_t anyway!
+  
+  closes #2462
 
-Daniel Stenberg (29 Aug 2013)
-- unit1304: include memdebug and free everything correctly
+- RELEASE-NOTES: synced
 
-- Curl_parsenetrc: document that the arguments must be allocated
+- [Jay Satiro brought this change]
 
-- easy: rename struct monitor to socketmonitor
+  build-openssl.bat: Refer to VS2017 as VC14.1 instead of VC15
   
-  'struct monitor', introduced in 6cf8413e, already exists in an IRIX
-  header file (sys/mon.h) which gets included via various standard headers
-  by lib/easy.c
+  .. and do the same for build-wolfssl.bat.
   
-  cc-1101 cc: ERROR File = ../../curl/lib/easy.c, Line = 458
-  "monitor" has already been declared in the current scope.
+  Because MS calls it VC14.1.
   
-  Reported-by: Tor Arntsen
+  Closes https://github.com/curl/curl/pull/2189
 
-Steve Holme (29 Aug 2013)
-- ftpserver.pl: Added SELECT check to IMAP FETCH and STORE handlers
+- [Kees Dekker brought this change]
 
-- ftpserver.pl: Corrected accidental move of logmsg() call
+  winbuild: make the clean target work without build-type
   
-  Corrected the call to logmsg() in the IMAP SEARCH handler from commit
-  4ae7b7ea691497 as it should have been outputting the what argument and
-  not the test number.
-
-Daniel Stenberg (28 Aug 2013)
-- ftpserver: add missing '}' from 4ae7b7ea69149
-
-Steve Holme (28 Aug 2013)
-- ftpserver.pl: Added SELECT check to IMAP SEARCH command
-
-- ftpserver.pl: Fixed IMAP SEARCH command
-
-Daniel Stenberg (28 Aug 2013)
-- bump: next release is 7.33.0 due to added features
-
-- symbols-in-versions: add CURLOPT_XOAUTH2_BEARER
+  Due to the check in Makefile.vc and MakefileBuild.vc, no make call can
+  be invoked unless a build-type was specified. However, a clean target
+  only existed when a build type was specified. As a result, the clean
+  target was unreachable. Made clean target unconditional.
+  
+  Closes #2455
 
-Steve Holme (28 Aug 2013)
-- tests: Added test for IMAP SEARCH command
+- [patelvivekv1993 brought this change]
 
-Daniel Stenberg (28 Aug 2013)
-- valgrind.supp: fix for regular curl_easy_perform too
+  build-openssl.bat: allow custom paths for VS and perl
   
-  When we introduced curl_easy_perform_ev, this got a slightly modified
-  call trace. Without this, test 165 causes a false positive valgrind
-  error.
+  Fixes #2430
+  Closes #2457
 
-- valgrind.supp: add the event-based call stack-trace too
-  
-  Without this, test 165 triggers a valgrind error when ran with
-  curl_easy_perform_ev
+- [Laurie Clark-Michalek brought this change]
 
-- multi_socket: improved 100-continue timeout handling
+  FTP: allow PASV on IPv6 connections when a proxy is being used
   
-  When waiting for a 100-continue response from the server, the
-  Curl_readwrite() will refuse to run if called until the timeout has been
-  reached.
+  In the situation of a client connecting to an FTP server using an IPv6
+  tunnel proxy, the connection info will indicate that the connection is
+  IPv6. However, because the server behing the proxy is IPv4, it is
+  permissable to attempt PSV mode. In the case of the FTP server being
+  IPv4 only, EPSV will always fail, and with the current logic curl will
+  be unable to connect to the server, as the IPv6 fwdproxy causes curl to
+  think that EPSV is impossible.
   
-  We timeout code in multi_socket() allows code to run slightly before the
-  actual timeout time, so for test 154 it could lead to the function being
-  executed but refused in Curl_readwrite() and then the application would
-  just sit idling forever.
-  
-  This was detected with runtests.pl -e on test 154.
+  Closes #2432
 
-Steve Holme (27 Aug 2013)
-- ftpserver.pl: Added support for IMAP SEARCH command
+- [Jon DeVree brought this change]
 
-- tool_operate.c: Fixed compilation warning
+  file: restore old behavior for file:////foo/bar URLs
   
-  warning: implicit declaration of function 'checkpasswd'
-
-- curl: Moved check for password out of get parameter loop
+  curl 7.57.0 and up interpret this according to Appendix E.3.2 of RFC
+  8089 but then returns an error saying this is unimplemented. This is
+  actually a regression in behavior on both Windows and Unix.
   
-  Moved the calls to checkpasswd() out of the getparameter() function
-  which allows for any related arguments to be specified on the command
-  line before or after --user (and --proxy-user).
+  Before curl 7.57.0 this URL was treated as a path of "//foo/bar" and
+  then passed to the relevant OS API. This means that the behavior of this
+  case is actually OS dependent.
   
-  For example: --bearer doesn't need to be specified before --user to
-  prevent curl from asking for an unnecessary password as is the case
-  with commit e7dcc454c67a2f.
-
-- RELEASE-NOTES: synced with acf59be7f09a7
-
-- [Kyle L. Huff brought this change]
-
-  curl: added --bearer option to help
+  The Unix path resolution rules say that the OS must handle swallowing
+  the extra "/" and so this path is the same as "/foo/bar"
   
-  Added the --bearer option to the help output
-
-- [Kyle L. Huff brought this change]
-
-  curl: added basic SASL XOAUTH2 support
+  The Windows path resolution rules say that this is a UNC path and
+  automatically handles the SMB access for the program. So curl on Windows
+  was already doing Appendix E.3.2 without any special code in curl.
   
-  Added the ability to specify an XOAUTH2 bearer token [RFC6750] via the
-  --bearer option.
+  Regression
   
-  Example usage:
-    curl --url "imaps://imap.gmail.com:993/INBOX/;UID=1" --ssl-reqd
-    --bearer ya29.AHES6Z...OMfsHYI --user username@example.com
+  Closes #2438
 
-- tool_urlglob.c: Fixed compiler warnings
-  
-  warning: 'variable' may be used uninitialized in this function
+- [Gaurav Malhotra brought this change]
 
-Daniel Stenberg (26 Aug 2013)
-- security.h: rename to curl_sec.h to avoid name collision
+  Revert "openssl: Don't add verify locations when verifypeer==0"
   
-  I brought back security.h in commit bb5529331334e. As we actually
-  already found out back in 2005 in commit 62970da675249, the file name
-  security.h causes problems so I renamed it curl_sec.h instead.
-
-- runtests.pl: allow -vc point to a separate curl binary to verify with
+  This reverts commit dc85437736e1fc90e689bb1f6c51c8f1aa9430eb.
   
-  The specified curl binary will then be used to verify the running
-  server(s) instead of the development version. This is very useful in
-  some cases when the development version fails to verify correctly as
-  then the test case may not run at all.
+  libcurl (with the OpenSSL backend) performs server certificate verification
+  even if verifypeer == 0 and the verification result is available using
+  CURLINFO_SSL_VERIFYRESULT. The commit that is being reverted caused the
+  CURLINFO_SSL_VERIFYRESULT to not have useful information for the
+  verifypeer == 0 use case (it would always have
+  X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY).
   
-  The actual test will still be run with the "normal" curl executable
-  (unless the test case specifies something differently).
+  Closes #2451
 
-Steve Holme (26 Aug 2013)
-- [Kyle L. Huff brought this change]
+- [Wyatt O'Day brought this change]
 
-  smtp: added basic SASL XOAUTH2 support
+  tls: fix mbedTLS 2.7.0 build + handle sha256 failures
   
-  Added the ability to use an XOAUTH2 bearer token [RFC6750] with SMTP for
-  authentication using RFC6749 "OAuth 2.0 Authorization Framework".
+  (mbedtls 2.70 compiled with MBEDTLS_DEPRECATED_REMOVED)
   
-  The bearer token is expected to be valid for the user specified in
-  conn->user. If CURLOPT_XOAUTH2_BEARER is defined and the connection has
-  an advertised auth mechanism of "XOAUTH2", the user and access token are
-  formatted as a base64 encoded string and sent to the server as
-  "AUTH XOAUTH2 <bearer token>".
+  Closes #2453
 
-- [Kyle L. Huff brought this change]
+- [Lauri Kasanen brought this change]
 
-  imap: added basic SASL XOAUTH2 support
-  
-  Added the ability to use an XOAUTH2 bearer token [RFC6750] with IMAP for
-  authentication using RFC6749 "OAuth 2.0 Authorization Framework".
+  cookie: case-insensitive hashing for the domains
   
-  The bearer token is expected to be valid for the user specified in
-  conn->user. If CURLOPT_XOAUTH2_BEARER is defined and the connection has
-  an advertised auth mechanism of "XOAUTH2", the user and access token are
-  formatted as a base64 encoded string and sent to the server as
-  "A001 AUTHENTICATE XOAUTH2 <bearer token>".
+  closes #2458
 
-- security.h: Fixed compilation warning
+Patrick Monnerat (4 Apr 2018)
+- cookie: fix and optimize 2nd top level domain name extraction
   
-  ISO C forbids forward references to 'enum' types
-
-Daniel Stenberg (26 Aug 2013)
-- KNOWN_BUGS: refer to bug numbers with the existing number series
+  This fixes a segfault occurring when a name of the (invalid) form "domain..tld"
+  is processed.
   
-  The old numbers would still redirect but who knows for how long...
-
-Steve Holme (25 Aug 2013)
-- [Kyle L. Huff brought this change]
+  test46 updated to cover this case.
+  
+  Follow-up to commit c990ead.
+  
+  Ref: https://github.com/curl/curl/pull/2440
 
-  options: added basic SASL XOAUTH2 support
+Daniel Stenberg (4 Apr 2018)
+- openssl: provide defines for argument typecasts to build warning-free
   
-  Added the ability to specify an XOAUTH2 bearer token [RFC6750] via the
-  option CURLOPT_XOAUTH2_BEARER for authentication using RFC6749 "OAuth
-  2.0 Authorization Framework".
+  ... as OpenSSL >= 1.1.0 and libressl >= 2.7.0 use different argument types.
 
-- [Kyle L. Huff brought this change]
+- [Bernard Spil brought this change]
 
-  sasl: added basic SASL XOAUTH2 support
+  openssl: fix build with LibreSSL 2.7
   
-  Added the ability to generated a base64 encoded XOAUTH2 token
-  containing: "user=<username>^Aauth=Bearer <bearer token>^A^A"
-  as per RFC6749 "OAuth 2.0 Authorization Framework".
-
-Daniel Stenberg (25 Aug 2013)
-- FTP: remove krb4 support
+   - LibreSSL 2.7 implements (most of) OpenSSL 1.1 API
   
-  We've announced this pending removal for a long time and we've
-  repeatedly asked if anyone would care or if anyone objects. Nobody has
-  objected. It has probably not even been working for a good while since
-  nobody has tested/used this code recently.
+  Fixes #2319
+  Closes #2447
+  Closes #2448
   
-  The stuff in krb4.h that was generic enough to be used by other sources
-  is now present in security.h
+  Signed-off-by: Bernard Spil <brnrd@FreeBSD.org>
 
-- easy: define away easy_events() for non-debug builds
+- [Lauri Kasanen brought this change]
 
-- FAQ: editorial updates
+  cookie: store cookies per top-level-domain-specific hash table
   
-  Several language fixes. Several reformats that should make the HTML
-  generation of this document look better.
+  This makes libcurl handle thousands of cookies much better and speedier.
   
-  Reported-by: Dave Thompson
+  Closes #2440
 
-- RELEASE-NOTES: synced with 22adb46a32bee
+- [Lauri Kasanen brought this change]
 
-- multi: move on from STATE_DONE faster
+  cookies: when reading from a file, only remove_expired once
   
-  Make sure we always return CURLM_CALL_MULTI_PERFORM when we reach
-  CURLM_STATE_DONE since the state is transient and it can very well
-  continue executing as there is nothing to wait for.
+  This drops the cookie load time for 8k cookies from 178ms to 15ms.
   
-  Bug: http://curl.haxx.se/mail/lib-2013-08/0211.html
-  Reported-by: Yi Huang
+  Closes #2441
 
-- curl.h: name space pollution by "enum type"
+- test1148: set a fixed locale for the test
   
-  Renamed to "enum curl_khtype" now. Will break compilation for programs
-  that rely on the enum name.
+  ...as otherwise it might use a different decimal sign.
   
-  Bug: https://github.com/bagder/curl/pull/76
-  Reported-by: Shawn Landden
+  Bug: #2436
+  Reported-by: Oumph on github
 
-- TFTP: make the CURLOPT_LOW_SPEED* options work
+Jay Satiro (31 Mar 2018)
+- docs: fix CURLINFO_*_T examples use of CURL_FORMAT_CURL_OFF_T
   
-  ... this also makes sure that the progess callback gets called more
-  often during TFTP transfers.
+  - Put a percent sign before each CURL_FORMAT_CURL_OFF_T in printf.
   
-  Added test 1238 to verify.
+  For example "%" CURL_FORMAT_CURL_OFF_T becomes %lld or similar.
   
-  Bug: http://curl.haxx.se/bug/view.cgi?id=1269
-  Reported-by: Jo3
+  Bug: https://curl.haxx.se/mail/lib-2018-03/0140.html
+  Reported-by: David L.
 
-- tftpd: support "writedelay" within <servercmd>
+Sergei Nikulov (27 Mar 2018)
+- [Michał Janiszewski brought this change]
 
-- tftpd: convert 6 global variables into local ones
+  cmake: Add advapi32 as explicit link library for win32
+  
+  ARM targets need advapi32 explicitly.
+  
+  Closes #2363
 
-- [Gisle Vanem brought this change]
+Daniel Stenberg (27 Mar 2018)
+- TODO: connection cache sharing is now supporte
 
-  curl_easy_perform_ev: make it CURL_EXTERN
+Jay Satiro (26 Mar 2018)
+- travis: enable apt retry on fail
   
-  I build curl.exe (using MingW) with '-DCURLDEBUG' and by importing from
-  libcurl.dll.  Which means the new curl_easy_perform_ev() must be
-  exported from libcurl.dll.
-
-- CURLM_ADDED_ALREADY: new error code
+  This is a workaround for an unsolved travis issue that is causing CI
+  instances to sporadically fail due to 'unable to connect' issues during
+  apt stage.
   
-  Doing curl_multi_add_handle() on an easy handle that is already added to
-  a multi handle now returns this error code. It previously returned
-  CURLM_BAD_EASY_HANDLE for this condition.
+  Ref: https://github.com/travis-ci/travis-ci/issues/8507
+  Ref: https://github.com/travis-ci/travis-ci/issues/9112#issuecomment-376305909
 
-- multi_init: moved init code here from add_handle
+Michael Kaufmann (26 Mar 2018)
+- runtests.pl: fix warning 'use of uninitialized value'
   
-  The closure_handle is "owned" by the multi handle and it is
-  unconditional so the setting up of it should be in the Curl_multi_handle
-  function rather than curl_multi_add_handle.
-
-- multi: remove dns cache creation code from *add_handle
+  follow-up to a9a7b60
   
-  As it is done unconditionally in multi_init() this code will never run!
+  Closes #2428
 
-- curl_easy_perform_ev: debug/test function
-  
-  This function is meant to work *exactly* as curl_easy_perform() but will
-  use the event-based libcurl API internally instead of
-  curl_multi_perform(). To avoid relying on an actual event-based library
-  and to not use non-portable functions (like epoll or similar), there's a
-  rather inefficient emulation layer implemented on top of Curl_poll()
-  instead.
+Daniel Stenberg (24 Mar 2018)
+- gitignore: ignore more generated files
+
+- threaded resolver: track resolver time and set suitable timeout values
   
-  There's currently some convenience logging done in curl_easy_perform_ev
-  which helps when tracking down problems. They may be suitable to remove
-  or change once things seem to be fine enough.
+  In order to make curl_multi_timeout() return suitable "sleep" times even
+  when there's no socket to wait for while the name is being resolved in a
+  helper thread.
   
-  curl has a new --test-event option when built with debug enabled that
-  then uses curl_easy_perform_ev() instead of curl_easy_perform(). If
-  built without debug, using --test-event will only output a warning
-  message.
+  It will increases the timeouts as time passes.
   
-  NOTE: curl_easy_perform_ev() is not part if the public API on purpose.
-  It is only present in debug builds of libcurl and MUST NOT be considered
-  stable even then. Use it for libcurl-testing purposes only.
+  Closes #2419
+
+- [Howard Chu brought this change]
+
+  openldap: fix for NULL return from ldap_get_attribute_ber()
   
-  runtests.pl now features an -e command line option that makes it use
-  --test-event for all curl command line tests. The man page is updated.
+  Closes #2399
 
-- [Gisle Vanem brought this change]
+GitHub (22 Mar 2018)
+- [Sergei Nikulov brought this change]
+
+  travis-ci: enable -Werror for CMake builds (#2418)
 
-  transfer: the recent sessionhandle change broke CURL_DOES_CONVERSIONS
+- [Sergei Nikulov brought this change]
 
-- test1237: verify 1000+ letter user name + passwords
+  cmake: avoid warn-as-error during config checks (#2411)
+  
+  - Move the CURL_WERROR option processing after the configuration checks
+    to avoid failures in case of warnings during the configuration checks.
+  
+  This is a partial fix for #2358
 
-- [Jonathan Nieder brought this change]
+- [Sergei Nikulov brought this change]
 
-  url: handle arbitrary-length username and password before '@'
+  timeval: remove compilation warning by casting (#2417)
   
-  libcurl quietly truncates usernames, passwords, and options from
-  before an '@' sign in a URL to 255 (= MAX_CURL_PASSWORD_LENGTH - 1)
-  characters to fit in fixed-size buffers on the stack.  Allocate a
-  buffer large enough to fit the parsed fields on the fly instead to
-  support longer passwords.
+  This is fixes #2358
+
+Daniel Stenberg (22 Mar 2018)
+- http2: read pending frames (including GOAWAY) in connection-check
   
-  After this change, there are no more uses of MAX_CURL_OPTIONS_LENGTH
-  left, so stop defining that constant while at it.  The hardcoded max
-  username and password length constants, on the other hand, are still
-  used in HTTP proxy credential handling (which this patch doesn't
-  touch).
+  If a connection has received a GOAWAY frame while not being used, the
+  function now reads frames off the connection before trying to reuse it
+  to avoid reusing connections the server has told us not to use.
   
-  Reported-by: Colby Ranger
+  Reported-by: Alex Baines
+  Fixes #1967
+  Closes #2402
+
+- [Bas van Schaik brought this change]
 
-- [Jonathan Nieder brought this change]
+  CI: add lgtm.yml for tweaking lgtm.com analysis
+  
+  Closes #2414
 
-  url: handle exceptional cases first in parse_url_login()
+- CURLINFO_SSL_VERIFYRESULT.3: fix the example, add some text
   
-  Instead of nesting "if(success)" blocks and leaving the reader in
-  suspense about what happens in the !success case, deal with failure
-  cases early, usually with a simple goto to clean up and return from
-  the function.
+  Reported-by: Michal Trybus
   
-  No functional change intended.  The main effect is to decrease the
-  indentation of this function slightly.
+  Fixes #2400
 
-- [Jonathan Nieder brought this change]
+- TODO: expand ~/ in config files
+  
+  Closes #2317
 
-  Curl_setopt: handle arbitrary-length username and password
+- cookie.d: mention that "-" as filename means stdin
   
-  libcurl truncates usernames, passwords, and options set with
-  curl_easy_setopt to 255 (= MAX_CURL_PASSWORD_LENGTH - 1) characters.
-  This doesn't affect the return value from curl_easy_setopt(), so from
-  the caller's point of view, there is no sign anything strange has
-  happened, except that authentication fails.
+  Reported-by: Dongliang Mu
+  Fixes #2410
+
+- CURLINFO_COOKIELIST.3: made the example not leak memory
   
-  For example:
+  Reported-by: Muz Dima
+
+- vauth/cleartext: fix integer overflow check
   
-    # Prepare a long (300-char) password.
-    s=0123456789; s=$s$s$s$s$s$s$s$s$s$s; s=$s$s$s;
-    # Start a server.
-    nc -l -p 8888 | tee out & pid=$!
-    # Tell curl to pass the password to the server.
-    curl --user me:$s http://localhost:8888 & sleep 1; kill $pid
-    # Extract the password.
-    userpass=$(
-  	awk '/Authorization: Basic/ {print $3}' <out |
-  	tr -d '\r' |
-  	base64 -d
-    )
-    password=${userpass#me:}
-    echo ${#password}
+  Make the integer overflow check not rely on the undefined behavior that
+  a size_t wraps around on overflow.
   
-  Expected result: 300
-  Actual result: 255
+  Detected by lgtm.com
+  Closes #2408
+
+- lib/curl_path.h: add #ifdef header guard
   
-  The fix is simple: allocate appropriately sized buffers on the heap
-  instead of trying to squeeze the provided values into fixed-size
-  on-stack buffers.
+  Detected by lgtm.com
+
+- vauth/ntlm.h: fix the #ifdef header guard
   
-  Bug: http://bugs.debian.org/719856
-  Reported-by: Colby Ranger
+  Detected by lgtm.com
 
-- [Jonathan Nieder brought this change]
+Jay Satiro (20 Mar 2018)
+- examples/hiperfifo: checksrc compliance
 
-  netrc: handle longer username and password
+Daniel Stenberg (19 Mar 2018)
+- [Nikos Tsipinakis brought this change]
+
+  parsedate: support UT timezone
   
-  libcurl truncates usernames and passwords it reads from .netrc to
-  LOGINSIZE and PASSWORDSIZE (64) characters without any indication to
-  the user, to ensure the values returned from Curl_parsenetrc fit in a
-  caller-provided buffer.
+  RFC822 section 5.2 mentions Universal Time, 'UT', to be synonymous with
+  GMT.
   
-  Fix the interface by passing back dynamically allocated buffers
-  allocated to fit the user's input.  The parser still relies on a
-  256-character buffer to read each line, though.
+  Closes #2401
+
+- RELEASE-NOTES: synced
+
+- [Don brought this change]
+
+  cmake: add support for brotli
   
-  So now you can include an ~246-character password in your .netrc,
-  instead of the previous limit of 63 characters.
+  Currently CMake cannot detect Brotli support. This adds detection of the
+  libraries and associated header files. It also adds this to the
+  generated config.
   
-  Reported-by: Colby Ranger
+  Closes #2392
 
-- [Jonathan Nieder brought this change]
+- [Chris Araman brought this change]
 
-  url: allocate username, password, and options on the heap
-  
-  This makes it possible to increase the size of the buffers when needed
-  in later patches.  No functional change yet.
+  darwinssl: fix iOS build
+
+Patrick Monnerat (18 Mar 2018)
+- ILE/RPG binding: Add CURLOPT_HAPROXYPROTOCOL/Fix CURLOPT_DNS_SHUFFLE_ADDRESSES
 
-- [Jonathan Nieder brought this change]
+Daniel Stenberg (17 Mar 2018)
+- [Rick Deist brought this change]
 
-  url: use goto in create_conn() for exception handling
+  resolve: add CURLOPT_DNS_SHUFFLE_ADDRESSES
   
-  Instead of remembering before each "return" statement which temporary
-  allocations, if any, need to be freed, take care to set pointers to
-  NULL when no longer needed and use a goto to a common block to exit
-  the function and free all temporaries.
+  This patch adds CURLOPT_DNS_SHUFFLE_ADDRESSES to explicitly request
+  shuffling of IP addresses returned for a hostname when there is more
+  than one. This is useful when the application knows that a round robin
+  approach is appropriate and is willing to accept the consequences of
+  potentially discarding some preference order returned by the system's
+  implementation.
   
-  No functional change intended.  Currently the only temporary buffer in
-  this function is "proxy" which is already correctly freed when
-  appropriate, but there will be more soon.
+  Closes #1694
 
-- [Jonathan Nieder brought this change]
-
-  sasl: allow arbitrarily long username and password
+- add_handle/easy_perform: clear errorbuffer on start if set
+  
+  To offer applications a more defined behavior, we clear the buffer as
+  early as possible.
   
-  Use appropriately sized buffers on the heap instead of fixed-size
-  buffers on the stack, to allow for longer usernames and passwords.
+  Assisted-by: Jay Satiro
   
-  Callers never pass anything longer than MAX_CURL_USER_LENGTH (resp.
-  MAX_CURL_PASSWORD_LENGTH), so no functional change inteded yet.
+  Fixes #2190
+  Closes #2377
 
-Steve Holme (19 Aug 2013)
-- [Alex McLellan brought this change]
+- [Lawrence Matthews brought this change]
+
+  CURLOPT_HAPROXYPROTOCOL: support the HAProxy PROXY protocol
+  
+  Add --haproxy-protocol for the command line tool
+  
+  Closes #2162
 
-  imap: Fixed response check for SEARCH command
+- curl_version_info.3: fix ssl_version description
   
-  Adding this line allows libcurl to return the server response when
-  performing a search command via a custom request.
+  Reported-by: Vincas Razma
+  Fixes #2364
 
-Daniel Stenberg (16 Aug 2013)
-- glob: error out on range overflow
+- multi: improved pending transfers handling => improved performance
+  
+  When a transfer is requested to get done and it is put in the pending
+  queue when limited by number of connections, total or per-host, libcurl
+  would previously very aggressively retry *ALL* pending transfers to get
+  them transferring. That was very time consuming.
   
-  The new multiply() function detects range value overflows. 32bit
-  machines will overflow on a 32bit boundary while 64bit hosts support
-  ranges up to the full 64 bit range.
+  By reducing the aggressiveness in how pending are being retried, we
+  waste MUCH less time on putting transfers back into pending again.
   
-  Added test 1236 to verify.
+  Some test cases got a factor 30(!) speed improvement with this change.
   
-  Bug: http://curl.haxx.se/bug/view.cgi?id=1267
-  Reported-by: Will Dietz
+  Reported-by: Cyril B
+  Fixes #2369
+  Closes #2383
 
-- urlglob: better detect unclosed braces, empty lists and overflows
+- pause: when changing pause state, update socket state
   
-  A rather big overhaul and cleanup.
+  Especially unpausing a transfer might have to move the socket back to the
+  "currently used sockets" hash to get monitored. Otherwise it would never get
+  any more data and get stuck. Easily triggered with pausing using the
+  multi_socket API.
+  
+  Reported-by: Philip Prindeville
+  Bug: https://curl.haxx.se/mail/lib-2018-03/0048.html
+  Fixes #2393
+  Closes #2391
+
+- [Philip Prindeville brought this change]
+
+  examples/hiperfifo.c: improved
   
-  1 - curl wouldn't properly detect and reject globbing that ended with an
-  open brace if there were brackets or braces before it. Like "{}{" or
-  "[0-1]{"
+   * use member struct event’s instead of pointers to alloc’d struct
+     events
   
-  2 - curl wouldn't properly reject empty lists so that "{}{}" would
-  result in curl getting (nil) strings in the output.
+   * simplify the cases for the mcode_or_die() function via macros;
   
-  3 - By using strtoul() instead of sscanf() the code will now detected
-  over and underflows. It now also better parses the step argument to only
-  accept positive numbers and only step counters that is smaller than the
-  delta between the maximum and minimum numbers.
+   * make multi_timer_cb() actually do what the block comment says it
+     should;
   
-  4 - By switching to unsigned longs instead of signed ints for the
-  counters, the max values for []-ranges are now very large (on 64bit
-  machines).
+   * accept a “stop” command on the FIFO to shut down the service;
   
-  5 - Bumped the maximum number of globs in a single URL to 100 (from 10)
+   * use cleaner notation for unused variables than the (void) hack;
   
-  6 - Simplified the code somewhat and now it stores fixed strings as
-  single- entry lists. That's also one of the reasons why I did (5) as now
-  all strings between "globs" will take a slot in the array.
+   * allow following redirections (304’s);
+
+- rate-limit: use three second window to better handle high speeds
   
-  Added test 1234 and 1235 to verify. Updated test 87.
+  Due to very frequent updates of the rate limit "window", it could
+  attempt to rate limit within the same milliseconds and that then made
+  the calculations wrong, leading to it not behaving correctly on very
+  fast transfers.
   
-  This commit fixes three separate bug reports.
+  This new logic updates the rate limit "window" to be no shorter than the
+  last three seconds and only updating the timestamps for this when
+  switching between the states TOOFAST/PERFORM.
   
-  Bug: http://curl.haxx.se/bug/view.cgi?id=1264
-  Bug: http://curl.haxx.se/bug/view.cgi?id=1265
-  Bug: http://curl.haxx.se/bug/view.cgi?id=1266
-  Reported-by: Will Dietz
+  Reported-by: 刘佩东
+  Fixes #2386
+  Closes #2388
 
-- [John Malmberg brought this change]
+- [luz.paz brought this change]
 
-  VMS: Add RELEASE-NOTES to vms document
+  cleanup: misc typos in strings and comments
   
-  Add the curl release notes to the release note document generated for
-  VMS packages.
+  Found via `codespell`
   
-  Add the different filenames generated by a daily build to the
-  cleanup procedures.
+  Closes #2389
 
-- [Tor Arntsen brought this change]
+- RELEASE-NOTES: toward 7.60.0
 
-  tests 2032, 2033: Don't hardcode port in expected output
+- [Kobi Gurkan brought this change]
 
-- ftp: convert state names to a global array
+  http2: fixes typo
   
-  ... just to make them easier to print in debug ouputs while debugging.
-  They are still within #ifdef [debugbuild].
+  Closes #2387
 
-- --help: fix the --sasl-ir in the help output
+- user-agent.d:: mention --proxy-header as well
+  
+  Bug: https://github.com/curl/curl/issues/2381
 
-- ftp_domore_getsock: when passive mode, the second conn is already there
+- transfer: make HTTP without headers count correct body size
   
-  This makes the socket callback get called with the proper bitmask as
-  otherwise the application could be left hanging waiting for reading on
-  an upload connection!
+  This is what "HTTP/0.9" basically looks like.
   
-  Bug: http://curl.haxx.se/mail/lib-2013-08/0043.html
-  Reported-by: Bill Doyle
-
-- curl: make --no-[option] work properly for several options
+  Reported on IRC
   
-  --create-dirs, --crlf, --socks5-gssapi-nec and --sasl-ir
+  Closes #2382
 
-Kamil Dudka (12 Aug 2013)
-- nss: make sure that NSS is initialized
+- test1208: marked flaky
   
-  ... prior to calling PK11_GenerateRandom()
+  It fails somewhere between every 3rd to 10th travis-CI run
 
-Daniel Stenberg (12 Aug 2013)
-- multi: s/easy/data
+- SECURITY-PROCESS: mention how we write/add advisories
+
+- [dasimx brought this change]
+
+  FTP: fix typo in recursive callback detection for seeking
   
-  With everything being struct SessionHandle pointers now, this rename
-  makes multi.c use the library-wide practise of calling that pointer
-  'data' instead of the previously used 'easy'.
+  Fixes #2380
+
+Version 7.59.0 (13 Mar 2018)
+
+Daniel Stenberg (13 Mar 2018)
+- release: 7.59.0
 
-- cleanup: removed one function, made one static
+Kamil Dudka (13 Mar 2018)
+- tests/.../spnego.py: fix identifier typo
   
-  Moved Curl_easy_addmulti() from easy.c to multi.c, renamed it to
-  easy_addmulti and made it static.
+  Detected by Coverity Analysis:
   
-  Removed Curl_easy_initHandleData() and uses of it since it was emptied
-  in commit cdda92ab67b47d74a.
+  Error: IDENTIFIER_TYPO:
+  curl-7.58.0/tests/python_dependencies/impacket/spnego.py:229: identifier_typo: Using "SuportedMech" appears to be a typo:
+  * Identifier "SuportedMech" is only known to be referenced here, or in copies of this code.
+  * Identifier "SupportedMech" is referenced elsewhere at least 4 times.
+  curl-7.58.0/tests/python_dependencies/impacket/smbserver.py:2651: identifier_use: Example 1: Using identifier "SupportedMech".
+  curl-7.58.0/tests/python_dependencies/impacket/smbserver.py:2308: identifier_use: Example 2: Using identifier "SupportedMech".
+  curl-7.58.0/tests/python_dependencies/impacket/spnego.py:252: identifier_use: Example 3: Using identifier "SupportedMech" (2 total uses in this function).
+  curl-7.58.0/tests/python_dependencies/impacket/spnego.py:229: remediation: Should identifier "SuportedMech" be replaced by "SupportedMech"?
+  
+  Closes #2379
 
-- SessionHandle: the protocol specific pointer is now a void *
+Daniel Stenberg (13 Mar 2018)
+- CURLOPT_COOKIEFILE.3: "-" as file name means stdin
   
-  All protocol handler structs are now opaque (void *) in the
-  SessionHandle struct and moved in the request-specific sub-struct
-  'SingleRequest'. The intension is to keep the protocol specific
-  knowledge in their own dedicated source files [protocol].c etc.
+  Reported-by: Aron Bergman
+  Bug: https://curl.haxx.se/mail/lib-2018-03/0049.html
   
-  There's some "leakage" where this policy is violated, to be addressed at
-  a later point in time.
+  [ci skip]
 
-- urldata: clean up the use of the protocol specific structs
+- Revert "hostip: fix compiler warning: 'variable set but not used'"
   
-  1 - always allocate the struct in protocol->setup_connection. Some
-  protocol handlers had to get this function added.
+  This reverts commit a577059f92fc65bd6b81717f0737f897a5b34248.
   
-  2 - always free at the end of a request. This is also an attempt to keep
-  less memory in the handle after it is completed.
+  The assignment really needs to be there or we risk working with an
+  uninitialized pointer.
 
-- version number: bump to 7.32.1 for now
+Michael Kaufmann (12 Mar 2018)
+- limit-rate: fix compiler warning
   
-  Start working on the next version and up some counters.
-
-Version 7.32.0 (11 Aug 2013)
+  follow-up to 72a0f62
 
-Daniel Stenberg (11 Aug 2013)
-- THANKS: added contributors from the 7.32.0 release notes
+Viktor Szakats (12 Mar 2018)
+- checksrc.pl: add -i and -m options
+  
+  To sync it with changes made for the libssh2 project.
+  Also cleanup some whitespace.
 
-- [Fabian Keil brought this change]
+- curl-openssl.m4: fix spelling [ci skip]
 
-  test1228: add 'HTTP proxy' to the keywords
+- FAQ: fix a broken URL [ci skip]
 
-- [Fabian Keil brought this change]
+Daniel Stenberg (12 Mar 2018)
+- http2: mark the connection for close on GOAWAY
+  
+  ... don't consider it an error!
+  
+  Assisted-by: Jay Satiro
+  Reported-by: Łukasz Domeradzki
+  Fixes #2365
+  Closes #2375
 
-  tests: add keywords for a couple of FILE tests
+- credits: Viktor prefers without accent
 
-- [Fabian Keil brought this change]
+- openldap: white space changes, fixed up the copyright years
 
-  tests: add 'FAILURE' keywords to tests 1409 and 1410
+- openldap: check ldap_get_attribute_ber() results for NULL before using
+  
+  CVE-2018-1000121
+  Reported-by: Dario Weisser
+  Bug: https://curl.haxx.se/docs/adv_2018-97a2.html
 
-- [Fabian Keil brought this change]
+- FTP: reject path components with control codes
+  
+  Refuse to operate when given path components featuring byte values lower
+  than 32.
+  
+  Previously, inserting a %00 sequence early in the directory part when
+  using the 'singlecwd' ftp method could make curl write a zero byte
+  outside of the allocated buffer.
+  
+  Test case 340 verifies.
+  
+  CVE-2018-1000120
+  Reported-by: Duy Phan Thanh
+  Bug: https://curl.haxx.se/docs/adv_2018-9cd6.html
 
-  tests: add keywords for a couple of HTTP tests
+- readwrite: make sure excess reads don't go beyond buffer end
+  
+  CVE-2018-1000122
+  Bug: https://curl.haxx.se/docs/adv_2018-b047.html
+  
+  Detected by OSS-fuzz
 
-- [Fabian Keil brought this change]
+- BUGS: updated link to security process
 
-  tests: add keywords for a couple of FTP tests
+- limit-rate: kick in even before "limit" data has been received
+  
+  ... and make sure to avoid integer overflows with really large values.
+  
+  Reported-by: 刘佩东
+  Fixes #2371
+  Closes #2373
 
-- [Fabian Keil brought this change]
+- docs/SECURITY.md -> docs/SECURITY-PROCESS.md
 
-  test1511: consistently terminate headers with CRLF
+- SECURITY.md: call it the security process
 
-- DISABLED: shut of test 1512 for now
+Michael Kaufmann (11 Mar 2018)
+- Curl_range: fix FTP-only and FILE-only builds
   
-  It shows intermittent failures and I haven't been able to track them
-  down yet. Disable this test for now.
+  follow-up to e04417d
 
-- curl_multi_add_handle.3: ... that timer callback is for event-based
+- hostip: fix compiler warning: 'variable set but not used'
+
+Daniel Stenberg (11 Mar 2018)
+- HTTP: allow "header;" to replace an internal header with a blank one
+  
+  Reported-by: Michael Kaufmann
+  Fixes #2357
+  Closes #2362
 
-- comments: remove old and wrong multi/easy interface statements
+- http2: verbose output new MAX_CONCURRENT_STREAMS values
+  
+  ... as it is interesting for many users.
 
-- curl_multi_add_handle.3: mention the CURLMOPT_TIMERFUNCTION use
+- SECURITY: distros' max embargo time is 14 days now
 
-- [John E. Malmberg brought this change]
+Patrick Monnerat (8 Mar 2018)
+- curl tool: accept --compressed also if Brotli is enabled and zlib is not.
 
-  KNOWN_BUGS: 22 and 57 have been fixed and committed
+Daniel Stenberg (5 Mar 2018)
+- THANKS + mailmap: remove duplicates, fixup full names
 
-- RELEASE-NOTES: synced with d20def20462e7
+- [sergii.kavunenko brought this change]
 
-- global dns cache: fix memory leak
+  WolfSSL: adding TLSv1.3
   
-  The take down of the global dns cache didn't take CURLOPT_RESOLVE names
-  into account.
+  Closes #2349
 
-- global dns cache: didn't work [regression]
-  
-  CURLOPT_DNS_USE_GLOBAL_CACHE broke in commit c43127414d89ccb (been
-  broken since the libcurl 7.29.0 release). While this option has been
-  documented as deprecated for almost a decade and nobody even reported
-  this bug, it should remain functional.
-  
-  Added test case 1512 to verify
+- RELEASE-NOTES/THANKS: synced with cc1d4c505
 
-Yang Tse (8 Aug 2013)
-- [John Malmberg brought this change]
+- [Richard Alcock brought this change]
 
-  packages/vms: update VMS build files
+  winbuild: prefer documented zlib library names
   
-  VMS modified files either missing from a previous commit and changes
-  to remove references to CVS repositories.
-
-Daniel Stenberg (8 Aug 2013)
-- FTP: renamed several local functions
+  Check for existence of import and static libraries with documented names
+  and use them if they do. Fallback to previous names.
   
-  The previous naming scheme ftp_state_post_XXXX() wasn't really helpful
-  as it wasn't always immediately after 'xxxx' and it wasn't easy to
-  understand what it does based on such a name.
+  According to
+  https://github.com/madler/zlib/blob/master/win32/README-WIN32.txt on
+  Windows, the names of the import library is "zdll.lib" and static
+  library is "zlib.lib".
   
-  This new one is instead ftp_state_yyyy() where yyyy describes what it
-  does or sends.
+  closes #2354
 
-- mk-ca-bundle.1: don't install on make install
+Marcel Raad (4 Mar 2018)
+- krb5: use nondeprecated functions
   
-  Since the mk-ca-bundle tool itself isn't installed with make install,
-  there's no point in installing its documentation.
+  gss_seal/gss_unseal have been deprecated in favor of
+  gss_wrap/gss_unwrap with GSS-API v2 from January 1997 [1]. The first
+  version of "The Kerberos Version 5 GSS-API Mechanism" [2] from June
+  1996 already says "GSS_Wrap() (formerly GSS_Seal())" and
+  "GSS_Unwrap() (formerly GSS_Unseal())".
   
-  Bug: http://curl.haxx.se/mail/lib-2013-08/0057.html
-  Reported-by: Guenter Knauf
+  Use the nondeprecated functions to avoid deprecation warnings.
+  
+  [1] https://tools.ietf.org/html/rfc2078
+  [2] https://tools.ietf.org/html/rfc1964
+  
+  Closes https://github.com/curl/curl/pull/2356
 
-Yang Tse (7 Aug 2013)
-- packages/vms/Makefile.am: add latest file additions to EXTRA_DIST
+Daniel Stenberg (4 Mar 2018)
+- curl.1: mention how to add numerical IP addresses in NO_PROXY
 
-- [John Malmberg brought this change]
+- CURLOPT_NOPROXY.3: mention how to list numerical IPv6 addresses
 
-  Building_vms_pcsi_kit
+- NO_PROXY: fix for IPv6 numericals in the URL
   
-  These are the files needed to build VMS distribution packages known as
-  PCSI kits.
+  Added test 1265 that verifies.
   
-  Also minor update to the existing files, mainly to the documentation and
-  file clean up code.
+  Reported-by: steelman on github
+  Fixes #2353
+  Closes #2355
 
-Daniel Stenberg (6 Aug 2013)
-- LIBCURL-STRUCTS: new document
+- build: get CFLAGS (including -werror) used for examples and tests
   
-  This is the first version of this new document, detailing the seven
-  perhaps most important internal structs in libcurl source code:
+  ... so that the CI and more detects compiler warnings/errors properly!
   
-    1.1 SessionHandle
-    1.2 connectdata
-    1.3 Curl_multi
-    1.4 Curl_handler
-    1.5 conncache
-    1.6 Curl_share
-    1.7 CookieInfo
+  Closes #2337
 
-- CONTRIBUTE: minor language polish
-
-- FTP: when EPSV gets a 229 but fails to connect, retry with PASV
+Marcel Raad (3 Mar 2018)
+- curl_ctype: fix macro redefinition warnings
   
-  This is a regression as this logic used to work. It isn't clear when it
-  broke, but I'm assuming in 7.28.0 when we went all-multi internally.
+  On MinGW and Cygwin, GCC and clang have been complaining about macro
+  redefinitions since 4272a0b0fc49a1ac0ceab5c4a365c9f6ab8bf8e2. Fix this
+  by undefining the macros before redefining them as suggested in
+  https://github.com/curl/curl/pull/2269.
   
-  This likely never worked with the multi interface. As the failed
-  connection is detected once the multi state has reached DO_MORE, the
-  Curl_do_more() function was now expanded somewhat so that the
-  ftp_do_more() function can request to go "back" to the previous state
-  when it makes another attempt - using PASV.
+  Suggested-by: Daniel Stenberg
+
+Dan Fandrich (2 Mar 2018)
+- unit1307: proper cleanup on OOM to fix torture tests
+
+Marcel Raad (28 Feb 2018)
+- unit1309: fix warning on Windows x64
   
-  Added test case 1233 to verify this fix. It has the little issue that it
-  assumes no service is listening/accepting connections on port 1...
+  When targeting x64, MinGW-w64 complains about conversions between
+  32-bit long and 64-bit pointers. Fix this by reusing the
+  GNUTLS_POINTER_TO_SOCKET_CAST / GNUTLS_SOCKET_TO_POINTER_CAST logic
+  from gtls.c, moving it to warnless.h as CURLX_POINTER_TO_INTEGER_CAST /
+  CURLX_INTEGER_TO_POINTER_CAST.
   
-  Reported-by: byte_bucket in the #curl IRC channel
+  Closes https://github.com/curl/curl/pull/2341
 
-Nick Zitzmann (5 Aug 2013)
-- md5: remove use of CommonCrypto-to-OpenSSL macros for the benefit of Leopard
+- travis: update compiler versions
   
-  For some reason, OS X 10.5's GCC suddenly stopped working correctly with
-  macros that change MD5_Init etc. in the code to CC_MD5_Init etc., so I
-  worked around this by removing use of the macros and inserting static
-  functions that just call CommonCrypto's implementations of the functions
-  instead.
-
-Guenter Knauf (5 Aug 2013)
-- Simplify check for trusted certificates.
+  Update clang to version 3.9 and GCC to version 6.
   
-  This changes the previous check for untrusted certs to a check for
-  certs explicitely marked as trusted.
-  The change is backward-compatible (tested with certdata.txt v1.80).
+  Closes https://github.com/curl/curl/pull/2345
 
-Daniel Stenberg (5 Aug 2013)
-- configure: warn on bad env variable use, don't error
+Daniel Stenberg (26 Feb 2018)
+- docs/MANUAL: formfind.pl is not accessible on the site anymore
   
-  Use XC_CHECK_BUILD_FLAGS instead XC_CHECK_USER_FLAGS.
+  Fixes #2342
 
-- Revert "configure: don't error out on variable confusions, just warn"
+Jay Satiro (24 Feb 2018)
+- curl-openssl.m4: Fix version check for OpenSSL 1.1.1
   
-  This reverts commit 6b27703b5f525eccdc0a8409f51de8595c75132a.
-
-- formadd: wrong pointer for file name when CURLFORM_BUFFERPTR used
+  - Add OpenSSL 1.1.1 to the header/library version lists.
   
-  The internal function that's used to detect known file extensions for
-  the default Content-Type got the the wrong pointer passed in when
-  CURLFORM_BUFFER + CURLFORM_BUFFERPTR were used. This had the effect that
-  strlen() would be used which could lead to an out-of-bounds read (and
-  thus segfault). In most cases it would only lead to it not finding or
-  using the correct default content-type.
+  - Detect OpenSSL 1.1.1 library using its function ERR_clear_last_mark,
+    which was added in that version.
   
-  It also showed that test 554 and test 587 were testing for the
-  previous/wrong behavior and now they're updated as well.
+  Prior to this change an erroneous header/library mismatch was caused by
+  lack of OpenSSL 1.1.1 detection. I tested using openssl-1.1.1-pre1.
+
+Viktor Szakats (23 Feb 2018)
+- lib655: silence compiler warning
+  
+  Closes https://github.com/curl/curl/pull/2335
+
+- spelling fixes
+  
+  Detected using the `codespell` tool.
+  
+  Also contains one URL protocol upgrade.
+  
+  Closes https://github.com/curl/curl/pull/2334
+
+Daniel Stenberg (24 Feb 2018)
+- projects/README: remove reference to dead IDN link/package
+  
+  Reported-by: Stefan Kanthak and Rod Widdowson
+  
+  Fixes #2325
+
+Jay Satiro (23 Feb 2018)
+- [Rod Widdowson brought this change]
+
+  winbuild: Use macros for the names of some build utilities
+  
+  - Add macros to the top of the makefile for rc and mt utilities so that
+    it is easier to change their locations.
+  
+  Bug: https://curl.haxx.se/mail/lib-2018-02/0075.html
+  Reported-by: Stefan Kanthak
+  
+  Closes https://github.com/curl/curl/issues/2329
+
+Daniel Stenberg (23 Feb 2018)
+- TODO: remove "sha-256 digest", added in 2b5b37cb9109e7c2
+
+- curl_share_setopt.3: connection cache is shared within multi handles
+
+Jay Satiro (22 Feb 2018)
+- [Rod Widdowson brought this change]
+
+  winbuild: Use CALL to run batch scripts
+  
+  Co-authored-by: Stefan Kanthak
+  
+  Closes https://github.com/curl/curl/issues/2330
+  Closes https://github.com/curl/curl/pull/2331
+
+Patrick Monnerat (22 Feb 2018)
+- os400: add curl_resolver_start_callback type to ILE/RPG binding
+
+Daniel Stenberg (22 Feb 2018)
+- form.d: rephrased somewhat, added two example command lines
+
+Jay Satiro (21 Feb 2018)
+- [Francisco Sedano brought this change]
+
+  url: Add option CURLOPT_RESOLVER_START_FUNCTION
+  
+  - Add new option CURLOPT_RESOLVER_START_FUNCTION to set a callback that
+    will be called every time before a new resolve request is started
+    (ie before a host is resolved) with a pointer to backend-specific
+    resolver data. Currently this is only useful for ares.
+  
+  - Add new option CURLOPT_RESOLVER_START_DATA to set a user pointer to
+    pass to the resolver start callback.
+  
+  Closes https://github.com/curl/curl/pull/2311
+
+- lib: CURLOPT_HAPPY_EYEBALLS_TIMEOUT => CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS
+  
+  - In keeping with the naming of our other connect timeout options rename
+    CURLOPT_HAPPY_EYEBALLS_TIMEOUT to CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS.
+  
+  This change adds the _MS suffix since the option expects milliseconds.
+  This is more intuitive for our users since other connect timeout options
+  that expect milliseconds use _MS such as CURLOPT_TIMEOUT_MS,
+  CURLOPT_CONNECTTIMEOUT_MS, CURLOPT_ACCEPTTIMEOUT_MS.
+  
+  The tool option already uses an -ms suffix, --happy-eyeballs-timeout-ms.
+  
+  Follow-up to 2427d94 which added the lib and tool option yesterday.
+  
+  Ref: https://github.com/curl/curl/pull/2260
+
+Patrick Monnerat (21 Feb 2018)
+- sasl: prefer PLAIN mechanism over LOGIN
+  
+  SASL PLAIN is a standard, LOGIN only a draft. The LOGIN draft says
+  PLAIN should be used instead if available.
+
+Daniel Stenberg (21 Feb 2018)
+- RELEASE-NOTES: synced with 2427d94c6
+
+Jay Satiro (20 Feb 2018)
+- [Anders Bakken brought this change]
+
+  url: Add option CURLOPT_HAPPY_EYEBALLS_TIMEOUT
+  
+  - Add new option CURLOPT_HAPPY_EYEBALLS_TIMEOUT to set libcurl's happy
+    eyeball timeout value.
+  
+  - Add new optval macro CURL_HET_DEFAULT to represent the default happy
+    eyeballs timeout value (currently 200 ms).
+  
+  - Add new tool option --happy-eyeballs-timeout-ms to expose
+    CURLOPT_HAPPY_EYEBALLS_TIMEOUT. The -ms suffix is used because the
+    other -timeout options in the tool expect seconds not milliseconds.
+  
+  Closes https://github.com/curl/curl/pull/2260
+
+- hostip: fix 'potentially uninitialized variable' warning
+  
+  Follow-up to 50d1b33.
+  
+  Caught by AppVeyor.
+
+Daniel Stenberg (20 Feb 2018)
+- TODO: warning if curl version is not in sync with libcurl version
+
+Jay Satiro (20 Feb 2018)
+- [Anders Bakken brought this change]
+
+  CURLOPT_RESOLVE: Add support for multiple IP addresses per entry
+  
+  This enables users to preresolve but still take advantage of happy
+  eyeballs and trying multiple addresses if some are not connecting.
+  
+  Ref: https://github.com/curl/curl/pull/2260
+
+Daniel Stenberg (20 Feb 2018)
+- [Sergio Borghese brought this change]
+
+  examples/sftpuploadresume: resume upload via CURLOPT_APPEND
+  
+  URL: https://curl.haxx.se/mail/lib-2018-02/0072.html
+
+- curl --version: show PSL if the run-time lib has it enabled
+  
+  ... not of the #define was set at build-time!
+
+- TODO: "Support in-memory certs/ca certs/keys"
+  
+  removed SSLKEYLOGFILE support (fixed)
+  
+  removed "consider SSL patches" (outdated)
+  
+  Closes #2310
+
+- CURLOPT_HEADER.3: clarify problems with different data sizes
+
+- test1556: verify >16KB headers to the header callback
+
+- header callback: don't chop headers into smaller pieces
+  
+  Reported-by: Guido Berhoerster
+  Fixes #2314
+  Closes #2316
+
+- test1154: verify that long HTTP headers get rejected
+
+- http: fix the max header length detection logic
+  
+  Previously, it would only check for max length if the existing alloc
+  buffer was to small to fit it, which often would make the header still
+  get used.
+  
+  Reported-by: Guido Berhoerster
+  Bug: https://curl.haxx.se/mail/lib-2018-02/0056.html
+  
+  Closes #2315
+
+- CURLOPT_HEADERFUNCTION.3: fix typo from d939226813
+  
+  Reported-by: Erik Johansson
+  Bug: https://github.com/curl/curl/commit/d9392268131c1b8d18dec3fa30e0bded833a5db7#commitcomment-27607495
+
+- CURLOPT_HEADERFUNCTION.3: mention folded headers
+
+- TODO: 1.1 Option to refuse usernames in URLs
+  
+  Also expanded the CURL_REFUSE_CLEARTEXT section with more ideas.
+
+- TODO: 1.7 Support HTTP/2 for HTTP(S) proxies
+
+- ssh: add two missing state names
+  
+  The list of state names (used in debug builds) was out of sync in
+  relation to the list of states (used in all builds).
+  
+  I now added an assert to make sure the sizes of the two lists match, to
+  aid in detecting this mistake better in the future.
+  
+  Regression since c92d2e14cf, shipped in 7.58.0.
+  
+  Reported-by: Somnath Kundu
+  
+  Fixes #2312
+  Closes #2313
+
+- Revert "KNOWN_BUGS: 2.5 curl should not offer "ALPN: h2" when using https-proxy"
+  
+  This reverts commit de9fac00c40db321d44fa6fbab6eb62ec4c83998.
+  
+  Reported-by: Jay Satiro
+
+Jay Satiro (15 Feb 2018)
+- non-ascii: fix implicit declaration warning
+  
+  Follow-up to b46cfbc.
+  
+  Caught by Travis CI.
+
+Daniel Stenberg (15 Feb 2018)
+- travis: add build with iconv enabled
+  
+  ... to verify it builds and works fine.
+  
+  Ref: https://curl.haxx.se/mail/lib-2017-09/0031.html
+  
+  Closes #1872
+
+- TODO: 18.18 retry on network is unreachable
+  
+  Closes #1603
+
+- KNOWN_BUGS: 2.5 curl should not offer "ALPN: h2" when using https-proxy
+  
+  Closes #1254
+
+Kamil Dudka (15 Feb 2018)
+- nss: use PK11_CreateManagedGenericObject() if available
+  
+  ... so that the memory allocated by applications using libcurl does not
+  grow per each TLS connection.
+  
+  Bug: https://bugzilla.redhat.com/1510247
+  
+  Closes #2297
+
+Daniel Stenberg (15 Feb 2018)
+- [Björn Stenberg brought this change]
+
+  TODO fixed: Detect when called from within callbacks
+  
+  Closes #2302
+
+- BINDINGS: fix curb link (and remove ruby-curl-multi)
+  
+  Reported-by: Klaus Stein
+
+- curl_gssapi: make sure this file too uses our *printf()
+
+- libcurl-security.3: separate file:// section
+  
+  ... just to make it more apparent. Even if it repeats
+  some pieces of information.
+
+- libcurl-security.3: the http://192.168.0.1/my_router_config case
+  
+  Mentioned-By: Rich Moore
+
+- libcurl-security.3: mention the URL standards problems too
+
+- libcurl-security.3: split out from libcurl-tutorial.3
+  
+  To make more accessible.
+  
+  Merged in some new language from "URLs are dangerous things" as discussed on
+  the mailing list a few days ago:
+  
+  Bug: https://curl.haxx.se/mail/lib-2018-02/0013.html
+
+- RELEASE-NOTES: synced with e551910f8
+
+Patrick Monnerat (13 Feb 2018)
+- tests: new tests for http raw mode
+  
+  Test 319 checks proper raw mode data with non-chunked gzip
+  transfer-encoded server data.
+  Test 326 checks raw mode with chunked server data.
+  
+  Bug: #2303
+  Closes #2308
+
+Kamil Dudka (12 Feb 2018)
+- tlsauthtype.d: works only if libcurl is built with TLS-SRP support
+  
+  Bug: https://bugzilla.redhat.com/1542256
+  
+  Closes #2306
+
+Patrick Monnerat (12 Feb 2018)
+- smtp: fix processing of initial dot in data
+  
+  RFC 5321 4.1.1.4 specifies the CRLF terminating the DATA command
+  should be taken into account when chasing the <CRLF>.<CRLF> end marker.
+  Thus a leading dot character in data is also subject to escaping.
+  
+  Tests 911 and test server are adapted to this situation.
+  New tests 951 and 952 check proper handling of initial dot in data.
+  
+  Closes #2304
+
+Daniel Stenberg (12 Feb 2018)
+- sha256: avoid redefine
+
+- [Douglas Mencken brought this change]
+
+  sha256: build with OpenSSL < 0.9.8 too
+  
+  support for SHA-2 was introduced in OpenSSL 0.9.8
+  
+  Closes #2305
+
+- [Bruno Grasselli brought this change]
+
+  README: language fix
+  
+  s/off/from
+  
+  Closes #2300
+
+Patrick Monnerat (12 Feb 2018)
+- http_chunks: don't write chunks twice with CURLOPT_HTTP_TRANSFER_DECODING on
+  
+  Bug: #2303
+  Reported-By: Henry Roeland
+
+Daniel Stenberg (9 Feb 2018)
+- get_posix_time: only check for overflows if they can happen!
+
+Michael Kaufmann (9 Feb 2018)
+- schannel: fix "no previous prototype" compiler warning
+
+Jay Satiro (9 Feb 2018)
+- [Mohammad AlSaleh brought this change]
+
+  content_encoding: Add "none" alias to "identity"
+  
+  Some servers return a "content-encoding" header with a non-standard
+  "none" value.
+  
+  Add "none" as an alias to "identity" as a work-around, to avoid
+  unrecognised content encoding type errors.
+  
+  Signed-off-by: Mohammad AlSaleh <CE.Mohammad.AlSaleh@gmail.com>
+  
+  Closes https://github.com/curl/curl/pull/2298
+
+Steve Holme (8 Feb 2018)
+- build-openssl.bat: Follow up to 648679ab8e to suppress copy/move output
+
+- build-openssl.bat: Fixed incorrect move if destination build folder exists
+
+Michael Kaufmann (8 Feb 2018)
+- schannel: fix compiler warnings
+  
+  Closes #2296
+
+Steve Holme (7 Feb 2018)
+- curl_addrinfo.c: Allow Unix Domain Sockets to compile under Windows
+  
+  Windows 10.0.17061 SDK introduces support for Unix Domain Sockets.
+  Added the necessary include file to curl_addrinfo.c.
+  
+  Note: The SDK (which is considered beta) has to be installed, VS 2017
+  project file has to be re-targeted for Windows 10.0.17061 and #define
+  enabled in config-win32.h.
+
+Patrick Monnerat (7 Feb 2018)
+- fnmatch: optimize processing of consecutive *s and ?s pattern characters
+  
+  Reported-By: Daniel Stenberg
+  Fixes #2291
+  Closes #2293
+
+Steve Holme (6 Feb 2018)
+- build-openssl.bat/build-wolfssl.bat: Build platform is optional
+  
+  Whilst the compiler parameter is mandatory, platform is optional as it
+  is automatically calculated by the :configure section.
+  
+  This partially reverts commit 6d62d2c55d.
+
+Daniel Stenberg (6 Feb 2018)
+- [Patrick Schlangen brought this change]
+
+  openssl: Don't add verify locations when verifypeer==0
+  
+  When peer verification is disabled, calling
+  SSL_CTX_load_verify_locations is not necessary. Only call it when
+  verification is enabled to save resources and increase performance.
+  
+  Closes #2290
+
+Steve Holme (5 Feb 2018)
+- build-wolfssl.bat: Extend VC15 support to include Enterprise and Professional
+  
+  ...and not just the Community Edition.
+
+- build-openssl.bat: Extend VC15 support to include Enterprise and Professional
+  
+  ...and not just the Community Edition.
+
+Michael Kaufmann (5 Feb 2018)
+- time-cond: fix reading the file modification time on Windows
+  
+  On Windows, stat() may adjust the unix file time by a daylight saving time
+  offset. Avoid this by calling GetFileTime() instead.
+  
+  Fixes #2164
+  Closes #2204
+
+Daniel Stenberg (5 Feb 2018)
+- formdata: use the mime-content type function
+  
+  Reduce code duplication by making Curl_mime_contenttype available and
+  used by the formdata function. This also makes the formdata function
+  recognize a set of more file extensions by default.
+  
+  PR #2280 brought this to my attention.
+  
+  Closes #2282
+
+- getdate: return -1 for out of range
+  
+  ...as that's how the function is documented to work.
+  
+  Reported-by: Michael Kaufmann
+  Bug found in an autobuild with 32 bit time_t
+  
+  Closes #2278
+
+- [Ben Greear brought this change]
+
+  build: fix termios issue on android cross-compile
+  
+  Bug: https://curl.haxx.se/mail/lib-2018-01/0122.html
+  Signed-off-by: Ben Greear <greearb@candelatech.com>
+
+- time_t-fixes: remove typecasts to 'long' for info.filetime
+  
+  They're now wrong.
+  
+  Reported-by: Michael Kaufmann
+  
+  Closes #2277
+
+- curl_setup: move the precautionary define of SIZEOF_TIME_T
+  
+  ... up to before it may be used for the TIME_T_MAX/MIN logic.
+  
+  Reported-by: Michael Kaufmann
+
+- parsedate: s/#if/#ifdef
+  
+  Reported-by: Michael Kaufmann
+  Bug: https://github.com/curl/curl/commit/1c39128d974666107fc6d9ea15f294036851f224#commitcomment-27246479
+
+Patrick Monnerat (31 Jan 2018)
+- fnmatch: pattern syntax can no longer fail
+  
+  Whenever an expected pattern syntax rule cannot be matched, the
+  character starting the rule loses its special meaning and the parsing
+  is resumed:
+  - backslash at the end of pattern string matches itself.
+  - Error in [:keyword:] results in set containing :\[dekorwy.
+  
+  Unit test 1307 updated for this new situation.
+  
+  Closes #2273
+
+- fnmatch: accept an alphanum to be followed by a non-alphanum in char set
+  
+  Also be more tolerant about set pattern syntax.
+  Update unit test 1307 accordingly.
+  
+  Bug: https://curl.haxx.se/mail/lib-2018-01/0114.html
+
+- fnmatch: do not match the empty string with a character set
+
+Jay Satiro (30 Jan 2018)
+- build: fix windows build methods for curl_ctype.c
+  
+  - Fix winbuild and the VS project generator to treat curl_ctype.{c,h} as
+    curlx files since they are required by both src and lib.
+  
+  Follow-up to 4272a0b which added curl_ctype.
+
+Daniel Stenberg (30 Jan 2018)
+- progress-bar.d: update to match implementation
+  
+  ... since commit 993dd5651a6
+  
+  Reported-by: Martin Dreher
+  Bug: https://github.com/curl/curl/pull/2242#issuecomment-361059228
+  
+  Closes #2271
+
+- http2: set DEBUG_HTTP2 to enable more HTTP/2 logging
+  
+  ... instead of doing it unconditionally in debug builds. It cluttered up
+  the output a little too much.
+
+- [Max Dymond brought this change]
+
+  file: Check the return code from Curl_range and bail out on error
+
+- [Max Dymond brought this change]
+
+  Curl_range: add check to ensure "from <= to"
+
+- [Max Dymond brought this change]
+
+  Curl_range: commonize FTP and FILE range handling
+  
+  Closes #2205
+
+- RELEASE-NOTES: synced with 811beab9f
+
+- curlver: next release will be 7.59.0
+
+- [Michał Janiszewski brought this change]
+
+  curl/curl.h: fix comment typo for CURLOPT_DNS_LOCAL_IP6
+  
+  Closes #2275
+
+- time: support > year 2038 time stamps for system with 32bit long
+  
+  ... with the introduction of CURLOPT_TIMEVALUE_LARGE and
+  CURLINFO_FILETIME_T.
+  
+  Fixes #2238
+  Closes #2264
+
+- curl_easy_reset: clear digest auth state
+  
+  Bug: https://curl.haxx.se/mail/lib-2018-01/0074.html
+  Reported-by: Ruurd Beerstra
+  Fixes #2255
+  Closes #2272
+
+- [Adam Marcionek brought this change]
+
+  winbuild: make linker generate proper PDB
+  
+  Link.exe requires /DEBUG to properly generate a full pdb file on release
+  builds.
+  
+  Closes #2274
+
+- curl: add --proxy-pinnedpubkey
+  
+  To verify a proxy's public key. For when using HTTPS proxies.
+  
+  Fixes #2192
+  Closes #2268
+
+- configure: set PATH_SEPARATOR to colon for PATH w/o separator
+  
+  The logic tries to figure out what the path separator in the $PATH
+  variable is, but if there's only one directory in the $PATH it
+  fails. This change make configure *guess* on colon instead of erroring
+  out, simply because that is probably the more common character.
+  
+  PATH_SEPARATOR can always be set by the user to override the guessing.
+  
+  (tricky bug to reproduce, as in my case for example the configure script
+  requires binaries in more than one directory so passing in a PATH with a
+  single dir fails.)
+  
+  Reported-by: Earnestly on github
+  Fixes #2202
+  Closes #2265
+
+- curl_ctype: private is*() type macros and functions
+  
+  ... since the libc provided one are locale dependent in a way we don't
+  want. Also, the "native" isalnum() (for example) works differently on
+  different platforms which caused test 1307 failures on macos only.
+  
+  Closes #2269
+
+Marcel Raad (29 Jan 2018)
+- build: open VC15 projects with VS 2017
+  
+  Previously, they were opened with Visual Studio 2015 by default, which
+  cannot build them.
+
+Daniel Stenberg (29 Jan 2018)
+- RELEASE-NOTES: synced with 094647fca
+
+- TODO: UTF-8 filenames in Content-Disposition
+  
+  Closes #1888
+
+- KNOWN_BUGS: DICT responses show the underlying protocol
+  
+  Closes #1809
+
+Jay Satiro (27 Jan 2018)
+- [Alessandro Ghedini brought this change]
+
+  docs: fix typos in man pages
+  
+  Closes https://github.com/curl/curl/pull/2266
+
+Patrick Monnerat (26 Jan 2018)
+- lib555: drop text conversion and encode data as ascii codes
+  
+  If CURL_DOES_CONVERSION is enabled, uploaded LFs are mapped to CRLFs,
+  giving a result that is different from what is expected.
+  This commit avoids using CURLOPT_TRANSFERTEXT and directly encodes data
+  to upload in ascii.
+  
+  Bug: https://github.com/curl/curl/pull/1872
+
+Daniel Stenberg (26 Jan 2018)
+- lib517: make variable static to avoid compiler warning
+  
+  ... with clang on macos
+
+Patrick Monnerat (26 Jan 2018)
+- lib544: sync ascii code data with textual data
+  
+  Data mismatch caused test 545 to fail when character encoding
+  conversion is enabled.
+  
+  Bug: https://github.com/curl/curl/pull/1872
+
+Daniel Stenberg (25 Jan 2018)
+- [Travis Burtrum brought this change]
+
+  GSKit: restore pinnedpubkey functionality
+  
+  inadvertently removed in 283babfaf8d8f3bab9d3c63cea94eb0b84e79c37
+  
+  Closes #2263
+
+- [Dair Grant brought this change]
+
+  darwinssl: Don't import client certificates into Keychain on macOS
+  
+  Closes #2085
+
+- configure: fix the check for unsigned time_t
+  
+  Assign the time_t variable negative value and then check if it is
+  greater than zero, which will evaluate true for unsigned time_t but
+  false for signed time_t.
+
+- parsedate: fix date parsing for systems with 32 bit long
+  
+  Make curl_getdate() handle dates before 1970 as well (returning negative
+  values).
+  
+  Make test 517 test dates for 64 bit time_t.
+  
+  This fixes bug (3) mentioned in #2238
+  
+  Closes #2250
+
+- [McDonough, Tim brought this change]
+
+  openssl: fix pinned public key build error in FIPS mode
+  
+  Here is a version that should work with all versions of openssl 0.9.7
+  through 1.1.0.
+  
+  Links to the docs:
+  https://www.openssl.org/docs/man1.0.2/crypto/EVP_DigestInit.html
+  https://www.openssl.org/docs/man1.1.0/crypto/EVP_DigestInit.html
+  
+  At the very bottom of the 1.1.0 documentation there is a history section
+  that states, " stack allocated EVP_MD_CTXs are no longer supported."
+  
+  If EVP_MD_CTX_create and EVP_MD_CTX_destroy are not defined, then a
+  simple mapping can be used as described here:
+  https://wiki.openssl.org/index.php/Talk:OpenSSL_1.1.0_Changes
+  
+  Closes #2258
+
+- [Travis Burtrum brought this change]
+
+  SChannel/WinSSL: Replace Curl_none_md5sum with Curl_schannel_md5sum
+
+- [Travis Burtrum brought this change]
+
+  SChannel/WinSSL: Implement public key pinning
+  
+  Closes #1429
+
+- bump: towards 7.58.1
+
+- cookies: remove verbose "cookie size:" output
+  
+  It was once used for some debugging/verifying logic but should never have
+  ended up in git!
+
+- TODO: hardcode the "localhost" addresses
+
+- TODO: CURL_REFUSE_CLEARTEXT
+  
+  An idea that popped up in discussions on twitter.
+
+- progress-bar: don't use stderr explicitly, use bar->out
+  
+  Reported-By: Gisle Vanem
+  Bug: https://github.com/curl/curl/commit/993dd5651a6c853bfe3870f6a69c7b329fa4e8ce#commitcomment-27070080
+
+GitHub (24 Jan 2018)
+- [Gisle Vanem brought this change]
+
+  Fixes for MSDOS etc.
+  
+  djgpp do have 'mkdir(dir, mode)'. Other DOS-compilers does not
+  But djgpp seems the only choice for MSDOS anyway.
+  
+  PellesC do have a 'F_OK' defined in it's <unistd.h>.
+  
+  Update year in Copyright.
+
+- [Gisle Vanem brought this change]
+
+  Fix small typo.
+
+Version 7.58.0 (23 Jan 2018)
+
+Daniel Stenberg (23 Jan 2018)
+- RELEASE: 7.58.0
+
+- [Gisle Vanem brought this change]
+
+  progress-bar: get screen width on windows
+
+- test1454: --connect-to with IPv6 address w/o IPv6 support!
+
+- CONNECT_TO: fail attempt to set an IPv6 numerical without IPv6 support
+  
+  Bug: https://curl.haxx.se/mail/lib-2018-01/0087.html
+  Reported-by: John Hascall
+  
+  Closes #2257
+
+- docs: fix man page syntax to make test 1140 OK again
+
+- http: prevent custom Authorization headers in redirects
+  
+  ... unless CURLOPT_UNRESTRICTED_AUTH is set to allow them. This matches how
+  curl already handles Authorization headers created internally.
+  
+  Note: this changes behavior slightly, for the sake of reducing mistakes.
+  
+  Added test 317 and 318 to verify.
+  
+  Reported-by: Craig de Stigter
+  Bug: https://curl.haxx.se/docs/adv_2018-b3bf.html
+
+- curl: progress bar refresh, get width using ioctl()
+  
+  Get screen width from the environment variable COLUMNS first, if set. If
+  not, use ioctl(). If nether works, assume 79.
+  
+  Closes #2242
+  
+  The "refresh" is for the -# output when no total transfer size is
+  known. It will now only use a single updated line even for this case:
+  
+  The "-=O=-" ship moves when data is transferred. The four flying
+  "hashes" move (on a sine wave) on each refresh, independent of data.
+
+- RELEASE-NOTES: synced with bb0ffcc36
+
+- libcurl-env.3: first take
+
+- TODO: two possible name resolver improvements
+
+- [Kartik Mahajan brought this change]
+
+  http2: don't close connection when single transfer is stopped
+  
+  Fixes #2237
+  Closes #2249
+
+- test558: fix for multissl builds
+  
+  vtls.c:multissl_init() might do a curl_free() call so strip that out to
+  make this work with more builds. We just want to verify that
+  memorytracking works so skipping one line is no harm.
+
+- examples/url2file.c: add missing curl_global_cleanup() call
+  
+  Reported-by: XhstormR on github
+  Fixes #2245
+
+- [Michael Gmelin brought this change]
+
+  SSH: Fix state machine for ssh-agent authentication
+  
+  In case an identity didn't match[0], the state machine would fail in
+  state SSH_AUTH_AGENT instead of progressing to the next identity in
+  ssh-agent. As a result, ssh-agent authentication only worked if the
+  identity required happened to be the first added to ssh-agent.
+  
+  This was introduced as part of commit c4eb10e2f06fbd6cc904f1d78e4, which
+  stated that the "else" statement was required to prevent getting stuck
+  in state SSH_AUTH_AGENT. Given the state machine's logic and libssh2's
+  interface I couldn't see how this could happen or reproduce it and I
+  also couldn't find a more detailed description of the problem which
+  would explain a test case to reproduce the problem this was supposed to
+  fix.
+  
+  [0] libssh2_agent_userauth returning LIBSSH2_ERROR_AUTHENTICATION_FAILED
+  
+  Closes #2248
+
+- openssl: fix potential memory leak in SSLKEYLOGFILE logic
+  
+  Coverity CID 1427646.
+
+- openssl: fix the libressl build again
+  
+  Follow-up to 84fcaa2e7. libressl does not have the API even if it says it is
+  late OpenSSL version...
+  
+  Fixes #2246
+  Closes #2247
+  
+  Reported-by: jungle-boogie on github
+
+- unit1307: test many wildcards too
+
+- curl_fnmatch: only allow 5 '*' sections in a single pattern
+  
+  ... to avoid excessive recursive calls. The number 5 is totally
+  arbitrary and could be modified if someone has a good motivation.
+
+- ftp-wildcard: fix matching an empty string with "*[^a]"
+  
+  .... and avoid advancing the pointer to trigger an out of buffer read.
+  
+  Detected by OSS-fuzz
+  Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5251
+  Assisted-by: Max Dymond
+
+- SMB: fix numeric constant suffix and variable types
+  
+  1. don't use "ULL" suffix since unsupported in older MSVC
+  2. use curl_off_t instead of custom long long ifdefs
+  3. make get_posix_time() not do unaligned data access
+  
+  Fixes #2211
+  Closes #2240
+  Reported-by: Chester Liu
+
+- [rouzier brought this change]
+
+  CURLOPT_TCP_NODELAY.3: fix typo
+  
+  Closes #2239
+
+- smtp/pop3/imap_get_message: decrease the data length too...
+  
+  Follow-up commit to 615edc1f73 which was incomplete.
+  
+  Assisted-by: Max Dymond
+  Detected by OSS-fuzz
+  Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5206
+
+- openssl: enable SSLKEYLOGFILE support by default
+  
+  Fixes #2210
+  Closes #2236
+
+Patrick Monnerat (14 Jan 2018)
+- mime: clone mime tree upon easy handle duplication.
+  
+  A mime tree attached to an easy handle using CURLOPT_MIMEPOST is
+  strongly bound to the handle: there is a pointer to the easy handle in
+  each item of the mime tree and following the parent pointer list
+  of mime items ends in a dummy part stored within the handle.
+  
+  Because of this binding, a mime tree cannot be shared between different
+  easy handles, thus it needs to be cloned upon easy handle duplication.
+  
+  There is no way for the caller to get the duplicated mime tree
+  handle: it is then set to be automatically destroyed upon freeing the
+  new easy handle.
+  
+  New test 654 checks proper mime structure duplication/release.
+  
+  Add a warning note in curl_mime_data_cb() documentation about sharing
+  user data between duplicated handles.
+  
+  Closes #2235
+
+- docs: comment about CURLE_READ_ERROR returned by curl_mime_filedata
+
+Daniel Stenberg (13 Jan 2018)
+- test395: HTTP with overflow Content-Length value
+
+- test394: verify abort of rubbish in Content-Length: value
+
+- test393: verify --max-filesize with excessive Content-Length
+
+- HTTP: bail out on negative Content-Length: values
+  
+  ... and make the max filesize check trigger if the value is too big.
+  
+  Updates test 178.
+  
+  Reported-by: Brad Spencer
+  Fixes #2212
+  Closes #2223
+
+Marcel Raad (13 Jan 2018)
+- [Dan Johnson brought this change]
+
+  configure.ac: append extra linker flags instead of prepending them.
+  
+  Link order should list libraries after the libraries that use them,
+  so when we're guessing that we might also need to add -ldl in order
+  to use -lssl, we should add -ldl after -lssl.
+  
+  Closes https://github.com/curl/curl/pull/2234
+
+Daniel Stenberg (13 Jan 2018)
+- RELEASE-NOTES: synced with 6fa10c8fa
+
+Jay Satiro (13 Jan 2018)
+- setopt: fix SSLVERSION to allow CURL_SSLVERSION_MAX_ values
+  
+  Broken since f121575 (precedes 7.56.1).
+  
+  Bug: https://github.com/curl/curl/issues/2225
+  Reported-by: cmfrolick@users.noreply.github.com
+  
+  Closes https://github.com/curl/curl/pull/2227
+
+Patrick Monnerat (13 Jan 2018)
+- setopt: reintroduce non-static Curl_vsetopt() for OS400 support
+  
+  This also upgrades ILE/RPG bindings with latest setopt options.
+  
+  Reported-By: jonrumsey on github
+  Fixes #2230
+  Closes #2233
+
+Jay Satiro (11 Jan 2018)
+- [Zhouyihai Ding brought this change]
+
+  http2: fix incorrect trailer buffer size
+  
+  Prior to this change the stored byte count of each trailer was
+  miscalculated and 1 less than required. It appears any trailer
+  after the first that was passed to Curl_client_write would be truncated
+  or corrupted as well as the size. Potentially the size of some
+  subsequent trailer could be erroneously extracted from the contents of
+  that trailer, and since that size is used by client write an
+  out-of-bounds read could occur and cause a crash or be otherwise
+  processed by client write.
+  
+  The bug appears to have been born in 0761a51 (precedes 7.49.0).
+  
+  Closes https://github.com/curl/curl/pull/2231
+
+- [Basuke Suzuki brought this change]
+
+  easy: fix connection ownership in curl_easy_pause
+  
+  Before calling Curl_client_chop_write(), change the owner of connection
+  to the current Curl_easy handle. This will fix the issue #2217.
+  
+  Fixes https://github.com/curl/curl/issues/2217
+  Closes https://github.com/curl/curl/pull/2221
+
+Daniel Stenberg (9 Jan 2018)
+- [Dimitrios Apostolou brought this change]
+
+  system.h: Additionally check __LONG_MAX__ for defining curl_off_t
+  
+  __SIZEOF_LONG__ was introduced in GCC 4.4, __LONG_MAX__ was introduced
+  in GCC 3.3.
+  
+  Closes #2216
+
+- COPYING: it's 2018!
+
+- progress: calculate transfer speed on milliseconds if possible
+  
+  to increase accuracy for quick transfers
+  
+  Fixes #2200
+  Closes #2206
+
+Jay Satiro (7 Jan 2018)
+- scripts: allow all perl scripts to be run directly
+  
+  - Enable execute permission (chmod +x)
+  
+  - Change interpreter to /usr/bin/env perl
+  
+  Closes https://github.com/curl/curl/pull/2222
+
+- mail-rcpt.d: fix short-text description
+
+- build: remove HAVE_LIMITS_H check
+  
+  .. because limits.h presence isn't optional, it's required by C89.
+  
+  Ref: http://port70.net/~nsz/c/c89/c89-draft.html#2.2.4.2
+  
+  Closes https://github.com/curl/curl/pull/2215
+
+- openssl: fix memory leak of SSLKEYLOGFILE filename
+  
+  - Free the copy of SSLKEYLOGFILE env returned by curl_getenv during ossl
+    initialization.
+  
+  Caught by ASAN.
+
+- Revert "curl/system.h: fix compilation with gcc on AIX PPC and IA64 HP-UX"
+  
+  This reverts commit c97648b55080343bb371522bf4233e94a2a13a99.
+  
+  SIZEOF_LONG should not be checked in system.h since that macro is only
+  defined when building libcurl.
+  
+  Ref: https://github.com/curl/curl/pull/2186#issuecomment-354767080
+  Ref: https://gcc.gnu.org/onlinedocs/cpp/Common-Predefined-Macros.html
+
+Michael Kaufmann (30 Dec 2017)
+- test1554: improve the error handling
+
+- test1554: add global initialization and cleanup
+
+Daniel Stenberg (29 Dec 2017)
+- curl_version_info.3: call the argument 'age'
+  
+  Reported-by: Pete Lomax
+  Bug: https://curl.haxx.se/mail/lib-2017-12/0074.html
+
+Patrick Monnerat (27 Dec 2017)
+- [Mikalai Ananenka brought this change]
+
+  brotli: data at the end of content can be lost
+  
+  Decoding loop implementation did not concern the case when all
+  received data is consumed by Brotli decoder and the size of decoded
+  data internally hold by Brotli decoder is greater than CURL_MAX_WRITE_SIZE.
+  For content with unencoded length greater than CURL_MAX_WRITE_SIZE this
+  can result in the loss of data at the end of content.
+  
+  Closes #2194
+
+Jay Satiro (26 Dec 2017)
+- examples/cacertinmem: ignore cert-already-exists error
+  
+  - Ignore X509_R_CERT_ALREADY_IN_HASH_TABLE errors in the CTX callback
+    since it's possible the cert may have already been loaded by libcurl.
+  
+  - Remove the EXAMPLE code in the CURLOPT_SSL_CTX_FUNCTION.3 doc.
+    Instead have it direct the reader to this cacertinmem.c example.
+  
+  - Fix the CA certificate to use the right CA for example.com, Digicert.
+  
+  Bug: https://curl.haxx.se/mail/lib-2017-12/0057.html
+  Reported-by: Thomas van Hesteren
+  
+  Closes https://github.com/curl/curl/pull/2182
+
+- [Gisle Vanem brought this change]
+
+  tool_getparam: Support size modifiers for --max-filesize
+  
+  - Move the size modifier detection code from limit-rate to its own
+    function so that it can also be used with max-filesize.
+  
+  Size modifiers are the suffixes such as G (gigabyte), M (megabyte) etc.
+  
+  For example --max-filesize 1G
+  
+  Ref: https://curl.haxx.se/mail/archive-2017-12/0000.html
+  
+  Closes https://github.com/curl/curl/pull/2179
+
+Steve Holme (22 Dec 2017)
+- build: Fixed incorrect script termination from commit ad1dc10e61
+
+- Makefile.vc: Added our standard copyright header
+
+- winbuild: Added support for VC15
+
+- build: Added Visual Studio 2017 project files
+
+- build-wolfssl.bat: Added support for VC15
+
+- build-openssl.bat: Added support for VC15
+
+Jay Satiro (22 Dec 2017)
+- [Dimitrios Apostolou brought this change]
+
+  curl/system.h: fix compilation with gcc on AIX PPC and IA64 HP-UX
+  
+  Closes https://github.com/curl/curl/pull/2186
+
+- [Mattias Fornander brought this change]
+
+  examples/rtsp: fix error handling macros
+  
+  Closes https://github.com/curl/curl/pull/2185
+
+Patrick Monnerat (20 Dec 2017)
+- curl_easy_reset: release mime-related data.
+  
+  Move curl_mime_initpart() and curl_mime_cleanpart() calls to lower-level
+  functions dealing with UserDefined structure contents.
+  This avoids memory leakages on curl-generated part mime headers.
+  New test 2073 checks this using the cli tool --next option: it
+  triggers a valgrind error if bug is present.
+  
+  Bug: https://curl.haxx.se/mail/lib-2017-12/0060.html
+  Reported-by: Martin Galvan
+
+- content_encoding: rework zlib_inflate
+  
+  - When zlib version is < 1.2.0.4, process gzip trailer before considering
+  extra data as an error.
+  - Inflate with Z_BLOCK instead of Z_SYNC_FLUSH to maximize correct data
+  and minimize corrupt data output.
+  - Do not try to restart deflate decompression in raw mode if output has
+  started or if the leading data is not available anymore.
+  - New test 232 checks inflating raw-deflated content.
+  
+  Closes #2068
+
+- brotli: allow compiling with version 0.6.0.
+  
+  Some error codes were not yet defined in brotli 0.6.0: do not issue code
+  for them in this case.
+
+Daniel Stenberg (13 Dec 2017)
+- CURLOPT_READFUNCTION.3: refer to argument with correct name
+  
+  Bug: #2175
+  
+  [ci skip]
+
+- rand: add a clang-analyzer work-around
+  
+  scan-build would warn on a potential access of an uninitialized
+  buffer. I deem it a false positive and had to add this somewhat ugly
+  work-around to silence it.
+
+- krb5: fix a potential access of uninitialized memory
+  
+  A scan-build warning.
+
+- conncache: fix a return code [regression]
+  
+  This broke in 07cb27c98e. Make sure to return 'result' properly. Pointed
+  out by scan-build!
+
+- curl: support >256 bytes warning messsages
+  
+  Bug: #2174
+
+Michael Kaufmann (12 Dec 2017)
+- libssh: fix a syntax error in configure.ac
+  
+  Follow-up to c92d2e1
+  
+  Closes #2172
+
+Daniel Stenberg (12 Dec 2017)
+- examples/smtp-mail.c: use separate defines for options and mail
+  
+  ... to make it clearer that the options want address-only, while the
+  headers in an email can also have the real name.
+  
+  Assisted-by: Sean MacLennan
+
+- THANKS: added missing names
+  
+  ... as I reran the contrithanks script after the mailmap name fixups.
+
+- mailmap: added/clarified several names
+
+- setopt: less *or equal* than INT_MAX/1000 should be fine
+  
+  ... for the CURLOPT_TIMEOUT, CURLOPT_CONNECTTIMEOUT and
+  CURLOPT_SERVER_RESPONSE_TIMEOUT range checks.
+  
+  Reported-by: Dominik Hölzl
+  Bug: https://curl.haxx.se/mail/lib-2017-12/0037.html
+  
+  Closes #2173
+
+- [Dmitry Kostjuchenko brought this change]
+
+  vtls: replaced getenv() with curl_getenv()
+  
+  Fixed undefined symbol of getenv() which does not exist when compiling
+  for Windows 10 App (CURL_WINDOWS_APP). Replaced getenv() with
+  curl_getenv() which is aware of getenv() absence when CURL_WINDOWS_APP
+  is defined.
+  
+  Closes #2171
+
+- RELEASE-NOTES: synced with 3b9ea70ee
+
+- TODO: Expose tried IP addresses that failed
+  
+  Suggested-by: Rainer Canavan
+  
+  Closes #2126
+
+- curl.1: mention http:// and https:// as valid proxy prefixes
+
+- curl.1: documented two missing valid exit codes
+
+- CURLOPT_DNS_LOCAL_IP4.3: fixed the seel also to not self-reference
+
+- Revert "curl: don't set CURLOPT_INTERLEAVEDATA"
+  
+  This reverts commit 9ffad8eb1329bb35c8988115ac7ed85cf91ef955.
+  
+  It was actually added rather recently in 8e8afa82cbb629 due to a crash
+  that would otherwise happen in the RTSP code. As I don't think we've
+  fixed that behavior yet, we better keep this work-around until we have
+  fixed it better.
+
+Michael Kaufmann (10 Dec 2017)
+- tests: mark data files as non-executable in git
+
+- tests: update .gitignore for libtests
+
+Daniel Stenberg (10 Dec 2017)
+- multi_done: prune DNS cache
+  
+  Prune the DNS cache immediately after the dns entry is unlocked in
+  multi_done. Timed out entries will then get discarded in a more orderly
+  fashion.
+  
+  Test506 is updated
+  
+  Reported-by: Oleg Pudeyev
+  
+  Fixes #2169
+  Closes #2170
+
+- mailmap: fixup two old git Author "aliases"
+
+Jay Satiro (10 Dec 2017)
+- openssl: Disable file buffering for Win32 SSLKEYLOGFILE
+  
+  Prior to this change SSLKEYLOGFILE used line buffering on WIN32 just
+  like it does for other platforms. However, the Windows CRT does not
+  actually support line buffering (_IOLBF) and will use full buffering
+  (_IOFBF) instead. We can't use full buffering because multiple processes
+  may be writing to the file and that could lead to corruption, and since
+  full buffering is the only buffering available this commit disables
+  buffering for Windows SSLKEYLOGFILE entirely (_IONBF).
+  
+  Ref: https://github.com/curl/curl/pull/1346#issuecomment-350530901
+
+Daniel Stenberg (10 Dec 2017)
+- RESOLVE: output verbose text when trying to set a duplicate name
+  
+  ... to help users understand what is or isn't done!
+
+- CURLOPT_DNS_CACHE_TIMEOUT.3: see also CURLOPT_RESOLVE
+
+- [John DeHelian brought this change]
+
+  sftp: allow quoted commands to use relative paths
+  
+  Closes #1900
+
+Jay Satiro (8 Dec 2017)
+- [Richard Alcock brought this change]
+
+  CURLOPT_PRIVATE.3: fix grammar
+  
+  - Change "never does nothing" double-negative to "never does anything".
+  
+  Closes https://github.com/curl/curl/pull/2168
+
+Daniel Stenberg (8 Dec 2017)
+- curl: remove __EMX__ #ifdefs
+  
+  These are OS/2-specific things added to the code in the year 2000. They
+  were always ugly. If there's any user left, they still don't need it
+  done this way.
+  
+  Closes #2166
+
+Jay Satiro (8 Dec 2017)
+- openssl: improve data-pending check for https proxy
+  
+  - Allow proxy_ssl to be checked for pending data even when connssl does
+    not yet have an SSL handle.
+  
+  This change is for posterity. Currently there doesn't seem to be a code
+  path that will cause a pending data check when proxyssl could have
+  pending data and the connssl handle doesn't yet exist [1].
+  
+  [1]: Recall that an https proxy connection starts out in connssl but if
+  the destination is also https then the proxy SSL backend data is moved
+  from connssl to proxyssl, which means connssl handle is temporarily
+  empty until an SSL handle for the destination can be created.
+  
+  Ref: https://github.com/curl/curl/commit/f4a6238#commitcomment-24396542
+  
+  Closes https://github.com/curl/curl/pull/1916
+
+Daniel Stenberg (8 Dec 2017)
+- curl: don't set CURLOPT_INTERLEAVEDATA
+  
+  That data is only ever used by the CURLOPT_INTERLEAVEFUNCTION callback
+  and that option isn't set or used by the curl tool!
+  
+  Updates the 9 tests that verify --libcurl
+  
+  Closes #2167
+
+- curl.h: remove incorrect comment about ERRORBUFFER
+  
+  ... error messages are _not_ sent to stderr if this is not set.
+
+- [Michael Felt brought this change]
+
+  configure: add AX_CODE_COVERAGE only if using gcc
+  
+  Fixes #2076
+  Closes #2125
+
+- curl: limit -# update frequency for unknown total size
+  
+  Make it use a max 10Hz update frequency for this case as well. Return
+  early if the "point" hasn't moved since last invoke.
+  
+  Reported-by: Elliot Saba
+  
+  Fixes #2158
+  Closes #2163
+
+- BINDINGS: another PostgreSQL client
+  
+  ...the former link is dead.
+  
+  Reported-by: Frank Gevaerts
+
+- [Zachary Seguin brought this change]
+
+  CONNECT: keep close connection flag in http_connect_state struct
+  
+  Fixes #2088
+  Closes #2157
+
+- [Per Malmberg brought this change]
+
+  include: get netinet/in.h before linux/tcp.h
+  
+  ... to allow build on older Linux dists (specifically CentOS 4.8 on gcc
+  4.8.5)
+  
+  Closes #2160
+
+- openldap: fix checksrc nits
+
+- [Stepan Broz brought this change]
+
+  openldap: add commented out debug possibilities
+  
+  ... to aid debugging openldap library using its built-in debug messages.
+  
+  Closes #2159
+
+- examples: move threaded-shared-conn.c to the "complicated" ones
+  
+  ... due it relying on pthreads to link.
+
+- RELEASE-NOTES: synced with b261c44e8
+  
+  ... and bump next release version to 7.58.0
+
+- [Jan Ehrhardt brought this change]
+
+  URL: tolerate backslash after drive letter for FILE:
+  
+  ... as in "file://c:\some\path\curl.out"
+  
+  Reviewed-by: Matthew Kerwin
+  Closes #2154
+
+- [Randall S. Becker brought this change]
+
+  tests: added netinet/in6.h includes in test servers
+
+- [Randall S. Becker brought this change]
+
+  configure: check for netinet/in6.h
+  
+  Needed by HPE NonStop NSE and NSX systems
+  
+  Fixes #2146
+  Closes #2155
+
+- curl-config: add --ssl-backends
+  
+  Lists all SSL backends that were enabled at build-time.
+  
+  Suggested-by: Oleg Pudeyev
+  Fixes #2128
+
+- conncache: only allow multiplexing within same multi handle
+  
+  Connections that are used for HTTP/1.1 Pipelining or HTTP/2 multiplexing
+  only get additional transfers added to them if the existing connection
+  is held by the same multi or easy handle. libcurl does not support doing
+  HTTP/2 streams in different threads using a shared connection.
   
-  Bug: http://curl.haxx.se/bug/view.cgi?id=1262
-  Reported-by: Konstantin Isakov
+  Closes #2152
+
+- threaded-shared-conn.c: fixed typo in commenta
+
+- threaded-shared-conn.c: new example
 
-Guenter Knauf (4 Aug 2013)
-- Skip more untrusted certificates.
+- conncache: fix several lock issues
   
-  Christian Heimes brought to our attention that the certdata.txt
-  format has recently changed [1], causing ca-bundle.crt created
-  with mk-ca-bundle.[pl|vbs] to include untrusted certs.
+  If the lock is released before the dealings with the bundle is over, it may
+  have changed by another thread in the mean time.
   
-  [1] http://lists.debian.org/debian-release/2012/11/msg00411.html
+  Fixes #2132
+  Fixes #2151
+  Closes #2139
 
-Daniel Stenberg (4 Aug 2013)
-- configure: don't error out on variable confusions, just warn
+- libssh: remove dead code in sftp_qoute
+  
+  ... by removing a superfluous NULL pointer check that also confuses
+  Coverity.
+  
+  Fixes #2143
+  Closes #2153
 
-- configure: rephrase the notice in _XC_CHECK_VAR_*
+- sasl_getmesssage: make sure we have a long enough string to pass
+  
+  For pop3/imap/smtp, added test 891 to somewhat verify the pop3
+  case.
+  
+  For this, I enhanced the pingpong test server to be able to send back
+  responses with LF-only instead of always using CRLF.
   
-  Instead of claiming it is an error, we call it a "note" to reduce the
-  severity level. But the following text now says the [variable] "*should*
-  only be used to specify"... instead of previously having said "may".
+  Closes #2150
 
-- multi: remove data->state.current_conn struct field
+- libssh2: remove dead code from SSH_SFTP_QUOTE
   
-  Not needed
+  Figured out while reviewing code in the libssh backend. The pointer was
+  checked for NULL after having been dereferenced, so we know it would
+  always equal true or it would've crashed.
+  
+  Pointed-out-by: Nikos Mavrogiannopoulos
+  
+  Bug #2143
+  Closes #2148
 
-- multi: remove the one_easy struct field
+- ssh-libssh.c: please checksrc
+
+Nikos Mavrogiannopoulos (4 Dec 2017)
+- libssh: fixed dereference in statvfs access
+  
+  The behavior is now equivalent to ssh.c when SSH_SFTP_QUOTE_STATVFS
+  handling fails.
   
-  Since the merge of SessionHandle with Curl_one_easy, this indirection
-  isn't used anymore.
+  Fixes #2142
 
-- multi: rename all Curl_one_easy to SessionHandle
+Daniel Stenberg (4 Dec 2017)
+- [Guitared brought this change]
 
-- multi: remove the multi_pos struct field
+  RESOURCES: update spec names
   
-  Since Curl_one_easy is really a SessionHandle now, this indirection
-  doesn't exist anymore.
+  Closes #2145
 
-- multi: remove easy_handle struct field
+Nikos Mavrogiannopoulos (3 Dec 2017)
+- libssh: corrected use of sftp_statvfs() in SSH_SFTP_QUOTE_STATVFS
   
-  It isn't needed anymore
+  The previous code was incorrectly following the libssh2 error detection
+  for libssh2_sftp_statvfs, which is not correct for libssh's sftp_statvfs.
+  
+  Fixes #2142
+  
+  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-- multi: remove 'Curl_one_easy' struct, phase 1
+- libssh: no need to call sftp_get_error as ssh_get_error is sufficient
   
-  The motivation for having a separate struct that keep track of an easy
-  handle when using the multi handle was removed when we switched to
-  always using the multi interface internally. Now they were just two
-  separate struct that was always allocated for each easy handle.
+  Fixes #2141
   
-  This first step just moves the Curl_one_easy struct members into the
-  SessionHandle struct and hides this somehow (== keeps the source code
-  changes to a minimum) by defining Curl_one_easy to SessionHandle
+  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+Daniel Stenberg (2 Dec 2017)
+- libssh: fix minor static code analyzer nits
   
-  The biggest changes in this commit are:
+  - remove superfluous NULL check which otherwise tricks the static code
+  analyzers to assume NULL pointer dereferences.
   
-   1 - the linked list of easy handles had to be changed somewhat due
-       to the new struct layout. This made the main linked list pointer
-       get renamed to 'easyp' and there's also a new pointer to the last
-       node, called easylp. It is no longer circular but ends with ->next
-       pointing to NULL. New nodes are still added last.
+  - fix fallthrough in switch()
   
-   2 - easy->state is now called easy->mstate to avoid name collision
+  - indent mistake
 
-Steve Holme (2 Aug 2013)
-- Revert "DOCS: Added IMAP URL example for listing new messages"
+- openssl: pkcs12 is supported by boringssl
+  
+  Removes another #ifdef for BoringSSL
   
-  This reverts commit 82ab5f1b0c7c3f as this was the wrong place to
-  document the complexity of IMAP URLs and Custom Requests.
+  Pointed-out-by: David Benjamin
+  
+  Closes #2134
+
+- [Jay Satiro brought this change]
 
-- DOCS: Added IMAP URL example for listing new messages
+  travis: use pip2 instead of pip
+  
+  .. since now mac osx image expects pip2 or pip3, and doesn't know pip:
+  
+  0.01s$ pip install --user cpp-coveralls
+  /Users/travis/.travis/job_stages: line 57: pip: command not found
   
-  In addition to listing the folder contents, in the URL examples, added
-  an example to list the new messages waiting in the user's inbox.
+  Ref: https://github.com/travis-ci/travis-ci/issues/8829
+  
+  Closes https://github.com/curl/curl/pull/2133
+
+- [Nikos Mavrogiannopoulos brought this change]
 
-Yang Tse (1 Aug 2013)
-- packages/vms/Makefile.am: add latest file additions to EXTRA_DIST
+  lib582: do not verify host for SFTP
+  
+  This SFTP test fails with libssh back-end due to failure to verify
+  the peer. Disable peer verification in the test as there seems to
+  be the intention of the test.
+  
+  Note that the libssh back-end automatically verifies the peer's
+  host using the default known_hosts file.
+  
+  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-- [John Malmberg brought this change]
+- [Nikos Mavrogiannopoulos brought this change]
 
-  Add in the files needed to build libcurl shared images on VMS.
+  libssh: added SFTP support
+  
+  The SFTP back-end supports asynchronous reading only, limited
+  to 32-bit file length. Writing is synchronous with no other
+  limitations.
   
-  Update the packages/vms/readme file to be current.
+  This also brings keyboard-interactive authentication.
   
-  Also some files for the GNV based build were either missing or needed an
-  update.
+  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+- [Nikos Mavrogiannopoulos brought this change]
+
+  symbols-in-versions: added new symbols with 7.56.3 version
   
-  curl_crtl_init.c is a special file that is run before main() to
-  set up the proper C runtime behavior.
+  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+- [Nikos Mavrogiannopoulos brought this change]
+
+  .travis.yml: added build --with-libssh
   
-  generate_vax_transfer.com generates the VAX transfer vector modules from
-  the gnv_libcurl_symbols.opt file.
+  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+- [Nikos Mavrogiannopoulos brought this change]
+
+  libssh2: return CURLE_UPLOAD_FAILED on failure to upload
   
-  gnv_conftest.c_first is a helper file needed for configure scripts to
-  come up with the expected answers on VMS.
+  This brings its in sync with the error code returned by the
+  libssh backend.
   
-  gnv_libcurl_symbols.opt is the public symbols for the libcurl shared
-  image.
+  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+- [Nikos Mavrogiannopoulos brought this change]
+
+  libssh2: send the correct CURLE error code on scp file not found
   
-  gnv_link_curl.com builds the shared libcurl image and rebuilds other
-  programs to use it.
+  That also updates tests to expect the right error code
   
-  macro32_exactcase.patch is a hack to make a local copy of the VMS Macro32
-  assembler case sensitive, which is needed to build the VAX transfer modules.
+  libssh2 back-end returns CURLE_SSH error if the remote file
+  is not found. Expect instead CURLE_REMOTE_FILE_NOT_FOUND
+  which is sent by the libssh backend.
   
-  report_openssl_version.c is a tool for help verify that the libcurl
-  shared image is being built for a minium version of openssl.
+  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-- curl: second follow-up for commit 5af2bfb9
+- [Nikos Mavrogiannopoulos brought this change]
+
+  Added support for libssh SSH SCP back-end
+  
+  libssh is an alternative library to libssh2.
+  https://www.libssh.org/
   
-  Display progress-bar unconditionally on first call
+  That patch set also introduces support for ECDSA
+  ed25519 keys, as well as gssapi authentication.
+  
+  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+- RELEASE-NOTES: synced with af8cc7a69
+
+- curlver: towards 7.57.1
+
+- [W. Mark Kubacki brought this change]
 
-- curl: follow-up for commit 5af2bfb9
+  lib: don't export all symbols, just everything curl_*
   
-  Use tvnow() and tvdiff() to avoid introducing new linkage issues
+  Absent any 'symbol map' or script to limit what gets exported, static
+  linking of libraries previously resulted in a libcurl with curl's and
+  those other symbols being (re-)exported.
+  
+  This did not happen if 'versioned symbols' were enabled (which is not
+  the default) because then a version script is employed.
+  
+  This limits exports to everything starting in 'curl_*'., which is
+  what "libcurl.vers" exports.
+  
+  This avoids strange side-effects such as with mixing methods
+  from system libraries and those erroneously offered by libcurl.
+  
+  Closes #2127
 
-Daniel Stenberg (31 Jul 2013)
-- curl: --progress-bar max update frequency now at 5Hz
+- [Johannes Schindelin brought this change]
 
-- curl: make --progress-bar update the line less frequently
+  SSL: Avoid magic allocation of SSL backend specific data
   
-  Also, use memset() instead of a lame loop.
+  Originally, my idea was to allocate the two structures (or more
+  precisely, the connectdata structure and the four SSL backend-specific
+  strucutres required for ssl[0..1] and proxy_ssl[0..1]) in one go, so
+  that they all could be free()d together.
   
-  The previous logic that tried to avoid too many updates were very
-  ineffective for really fast transfers, as then it could easily end up
-  doing hundreds of updates per second that would make a significant
-  impact in transfer performance!
+  However, getting the alignment right is tricky. Too tricky.
   
-  Bug: http://curl.haxx.se/mail/archive-2013-07/0031.html
-  Reported-by: Marc Doughty
+  So let's just bite the bullet and allocate the SSL backend-specific
+  data separately.
+  
+  As a consequence, we now have to be very careful to release the memory
+  allocated for the SSL backend-specific data whenever we release any
+  connectdata.
+  
+  Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+  
+  Closes #2119
 
-Nick Zitzmann (30 Jul 2013)
-- darwinssl: added LFs to some strings passed into infof()
+- examples/xmlstream.c: don't switch off CURL_GLOBAL_SSL
   
-  (This doesn't need to appear in the release notes.) I noticed a few places
-  where infof() was called, and there should've been an LF at the end of the
-  string, but there wasn't.
+  Reported-by: Dima Tisnek
 
-- darwinssl: fix build error in crypto authentication under Snow Leopard
+- travis: add boringssl build
+  
+  Uses a separate build without --enable-debug and no valgrind.
   
-  It turns out Snow Leopard not only has SecItemCopyMatching() defined in
-  a header not included by the omnibus header, but it won't work for our
-  purposes, because searching for SecIdentityRef objects wasn't added
-  to that API until Lion. So we now use the old SecKeychainSearch API
-  instead if the user is building under, or running under, Snow Leopard.
+  The debug option causes far too many warnings in boringssl's headers
+  (C++ comments, trailing commas etc).  Valgrind triggers some false
+  positive errors in thread-local data used by boringssl.
   
-  Bug: http://sourceforge.net/p/curl/bugs/1255/
-  Reported by: Edward Rudd
+  Closes #2118
 
-- md5 & metalink: use better build macros on Apple operating systems
+Version 7.57.0 (29 Nov 2017)
+
+Daniel Stenberg (29 Nov 2017)
+- RELEASE-NOTES: curl 7.57.0
+
+- THANKS: added contributors from 7.57.0 release
+
+- openssl: fix boringssl build again
   
-  Previously we used __MAC_10_X and __IPHONE_X to mark digest-generating
-  code that was specific to OS X and iOS. Now we use
-  __MAC_OS_X_VERSION_MAX_ALLOWED and __IPHONE_OS_VERSION_MAX_ALLOWED
-  instead of those macros.
+  commit d3ab7c5a21e broke the boringssl build since it doesn't have
+  RSA_flags(), so we disable that code block for boringssl builds.
   
-  Bug: http://sourceforge.net/p/curl/bugs/1255/
-  Reported by: Edward Rudd
+  Reported-by: W. Mark Kubacki
+  Fixes #2117
 
-Yang Tse (29 Jul 2013)
-- tool_operhlp.c: fix add_file_name_to_url() OOM handling
+- curl_ntlm_core.c: use the limits.h's SIZE_T_MAX if provided
 
-- tool_operate.c: fix brace placement for vi/emacs delimiter matching
+- libcurl-share.3: the connection cache is shareable now
 
-- tool_operate.c: move <fabdef.h> header inclusion location
+- global_init: ignore CURL_GLOBAL_SSL's absense
+  
+  This bit is no longer used. It is not clear what it meant for users to
+  "init the TLS" in a world with different TLS backends and since the
+  introduction of multissl, libcurl didn't properly work if inited without
+  this bit set.
+  
+  Not a single user responded to the call for users of it:
+  https://curl.haxx.se/mail/lib-2017-11/0072.html
+  
+  Reported-by: Evgeny Grin
+  Assisted-by: Jay Satiro
+  
+  Fixes #2089
+  Fixes #2083
+  Closes #2107
 
-Daniel Stenberg (29 Jul 2013)
-- RELEASE-NOTES: synced with b5478a0e033e7
+- ntlm: avoid integer overflow for malloc size
+  
+  Reported-by: Alex Nichols
+  Assisted-by: Kamil Dudka and Max Dymond
+  
+  CVE-2017-8816
+  
+  Bug: https://curl.haxx.se/docs/adv_2017-11e7.html
 
-- curl_easy_pause: on unpause, trigger mulit-socket handling
+- wildcardmatch: fix heap buffer overflow in setcharset
+  
+  The code would previous read beyond the end of the pattern string if the
+  match pattern ends with an open bracket when the default pattern
+  matching function is used.
+  
+  Detected by OSS-Fuzz:
+  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4161
   
-  When the multi-socket API is used, we need the handle to be checked
-  again when it gets unpaused.
+  CVE-2017-8817
   
-  Bug: http://curl.haxx.se/mail/lib-2013-07/0239.html
-  Reported-by: Justin Karneges
+  Bug: https://curl.haxx.se/docs/adv_2017-ae72.html
 
-- [John E. Malmberg brought this change]
+- [Jay Satiro brought this change]
 
-  curl_formadd: fix file upload on VMS
+  url: fix alignment of ssl_backend_data struct
   
-  For the standard VMS text file formats, VMS needs to read the file to
-  get the actual file size.
+  - Align the array of ssl_backend_data on a max 32 byte boundary.
   
-  For the standard VMS binary file formats, VMS needs a special format of
-  fopen() call so that it stops reading at the logical end of file instead
-  of at the end of the blocks allocated to the file.
+  8 is likely to be ok but I went with 32 for posterity should one of
+  the ssl_backend_data structs change to contain a larger sized variable
+  in the future.
   
-  I structured the patch this way as I was not sure about changing the
-  structures or parameters to the routines, but would prefer to only call
-  the stat() function once and pass the information to where the fopen()
-  call is made.
+  Prior to this change (since dev 70f1db3, release 7.56) the connectdata
+  structure was undersized by 4 bytes in 32-bit builds with ssl enabled
+  because long long * was mistakenly used for alignment instead of
+  long long, with the intention being an 8 byte boundary. Also long long
+  may not be an available type.
   
-  Bug: https://sourceforge.net/p/curl/bugs/758/
+  The undersized connectdata could lead to oob read/write past the end in
+  what was expected to be the last 4 bytes of the connection's secondary
+  socket https proxy ssl_backend_data struct (the secondary socket in a
+  connection is used by ftp, others?).
+  
+  Closes https://github.com/curl/curl/issues/2093
+  
+  CVE-2017-8818
+  
+  Bug: https://curl.haxx.se/docs/adv_2017-af0a.html
 
-- formadd: CURLFORM_FILECONTENT wrongly rejected some option combos
+- ssh: remove check for a NULL pointer (!)
   
-  The code for CURLFORM_FILECONTENT had its check for duplicate options
-  wrong so that it would reject CURLFORM_PTRNAME if used in combination
-  with it (but not CURLFORM_COPYNAME)! The flags field used for this
-  purpose cannot be interpreted that broadly.
+  With this check present, scan-build warns that we might dereference this
+  point in other places where it isn't first checked for NULL. Thus, if it
+  *can* be NULL we have a problem on a few places. However, this pointer
+  should not be possible to be NULL here so I remove the check and thus
+  also three different scan-build warnings.
   
-  Bug: http://curl.haxx.se/mail/lib-2013-07/0258.html
-  Reported-by: Byrial Jensen
+  Closes #2111
+
+- [Matthew Kerwin brought this change]
 
-Yang Tse (25 Jul 2013)
-- packages/vms/Makefile.am: add latest file additions to EXTRA_DIST
+  test: add test for bad UNC/SMB path in file: URL
 
-- [John E. Malmberg brought this change]
+- [Matthew Kerwin brought this change]
 
-  VMS: intial set of files to allow building using GNV toolkit.
+  test: add tests to ensure basic file: URLs
 
-- string formatting: fix too many arguments for format
+- [Matthew Kerwin brought this change]
 
-- string formatting: fix zero-length printf format string
+  URL: update "file:" URL handling
+  
+  * LOTS of comment updates
+  * explicit error for SMB shares (e.g. "file:////share/path/file")
+  * more strict handling of authority (i.e. "//localhost/")
+  * now accepts dodgy old "C:|" drive letters
+  * more precise handling of drive letters in and out of Windows
+    (especially recognising both "file:c:/" and "file:/c:/")
+  
+  Closes #2110
 
-- easy.c: curl_easy_getinfo() fix va_start/va_end matching
+- metalink: fix memory-leak and NULL pointer dereference
+  
+  Reported by scan-build
+  
+  Closes #2109
 
-- imap.c: imap_sendf() fix va_start/va_end matching
+- [Alessandro Ghedini brought this change]
 
-- string formatting: fix 15+ printf-style format strings
+  connect: add support for new TCP Fast Open API on Linux
+  
+  The new API added in Linux 4.11 only requires setting a socket option
+  before connecting, without the whole sento() machinery.
+  
+  Notably, this makes it possible to use TFO with SSL connections on Linux
+  as well, without the need to mess around with OpenSSL (or whatever other
+  SSL library) internals.
+  
+  Closes #2056
 
-Patrick Monnerat (24 Jul 2013)
-- OS400: sync ILE/RPG binding with current curl.h
+- make: fix "make distclean"
+  
+  Fixes #2097
+  Closes #2108
 
-Yang Tse (24 Jul 2013)
-- string formatting: fix 25+ printf-style format strings
+- RELEASE-NOTES: synced with 31f18d272
 
-Daniel Stenberg (23 Jul 2013)
-- Makefile.am: use LDFLAGS as well when linking libcurl
+Jay Satiro (23 Nov 2017)
+- connect: improve the bind error message
+  
+  eg consider a non-existent interface eth8, curl --interface eth8
   
-  Linking on Solaris 10 x86 with Sun Studio 12 failed when we upgraded
-  automake for the release builds.
+  Before: curl: (45) Could not resolve host: eth8
+  After: curl: (45) Couldn't bind to 'eth8'
+  
+  Bug: https://github.com/curl/curl/issues/2104
+  Reported-by: Alfonso Martone
+
+Daniel Stenberg (23 Nov 2017)
+- examples/rtsp: clear RANGE again after use
   
-  Bug: http://curl.haxx.se/bug/view.cgi?id=1217
-  Reported-by: Dagobert Michelsen
+  Fixes #2106
+  Reported-by: youngchopin on github
 
-- [Fabian Keil brought this change]
+- [Michael Kaufmann brought this change]
 
-  url.c: Fix dot file path cleanup when using an HTTP proxy
+  test1264: verify URL with space in host name being rejected
+
+- url: reject ASCII control characters and space in host names
+  
+  Host names like "127.0.0.1 moo" would otherwise be accepted by some
+  getaddrinfo() implementations.
   
-  Previously the path was cleaned, but the URL wasn't properly updated.
+  Updated test 1034 and 1035 accordingly.
+  
+  Fixes #2073
+  Closes #2092
 
-- [Fabian Keil brought this change]
+- Curl_open: fix OOM return error correctly
+  
+  Closes #2098
 
-  tests: test1232 verifies dotdot removal from path with proxy
+- http2: fix "Value stored to 'end' is never read" scan-build error
 
-- [Fabian Keil brought this change]
+- http2: fix "Value stored to 'hdbuf' is never read" scan-build error
 
-  dotdot.c: Fix a RFC section number in a comment for Curl_dedotdotify()
+- openssl: fix "Value stored to 'rc' is never read" scan-build error
 
-- [John E. Malmberg brought this change]
+- mime: fix "Value stored to 'sz' is never read" scan-build error
 
-  build_vms.com: fix debug and float options
+- Curl_llist_remove: fix potential NULL pointer deref
   
-  In the reorganization of the build_vms.com the debug and float options
-  were not fixed up correctly.
+  Fixes a scan-build warning.
 
-- [John E. Malmberg brought this change]
+- ntlm: remove unnecessary NULL-check to please scan-build
 
-  curl: fix upload of a zip file in OpenVMS
+- BUGS: spellchecked
+
+Jay Satiro (18 Nov 2017)
+- [fmmedeiros brought this change]
+
+  examples/curlx: Fix code style
   
-  Two fixes:
+  - Add braces around multi-line if statement.
+  
+  Closes https://github.com/curl/curl/pull/2096
+
+Daniel Stenberg (17 Nov 2017)
+- resolve: allow IP address within [] brackets
   
-  1. Force output file format to be stream-lf so that partial downloads
-  can be continued.
+  ... so that IPv6 addresses can be passed like they can for connect-to
+  and how they're used in URLs.
   
-  This should have minor impact as if the file does not exist, it was
-  created with stream-lf format.  The only time this was an issue is if
-  there was already an existing file with a different format.
+  Added test 1324 to verify
+  Reported-by: Alex Malinovich
   
-  2. Fix file uploads are now fixed.
+  Fixes #2087
+  Closes #2091
+
+- [Pavol Markovic brought this change]
+
+  macOS: Fix missing connectx function with Xcode version older than 9.0
   
-     a. VMS binary files such as ZIP archives are now uploaded
-        correctly.
+  The previous fix https://github.com/curl/curl/pull/1788 worked just for
+  Xcode 9. This commit extends the fix to older Xcode versions effectively
+  by not using connectx function.
   
-     b. VMS text files are read once to get the correct size
-        and then converted to line-feed terminated records as
-        they are read into curl.
+  Fixes https://github.com/curl/curl/issues/1330
+  Fixes https://github.com/curl/curl/issues/2080
+  Closes https://github.com/curl/curl/pull/1336
+  Closes #2082
+
+- [Dirk Feytons brought this change]
+
+  openssl: fix too broad use of HAVE_OPAQUE_EVP_PKEY
   
-  The default VMS text formats do not contain either line-feed or
-  carriage-return terminated records.  Those delimiters are added by the
-  operating system file read calls if the application requests them.
+  Fixes #2079
+  Closes #2081
+
+- TODO: ignore private IP addresses in PASV response
   
-  Bug: http://curl.haxx.se/bug/view.cgi?id=496
+  Closes #1455
 
-Yang Tse (22 Jul 2013)
-- libtest: fix data type of some *_setopt() 'long' arguments
+- RELEASE-NOTES: synced with ae7369b6d
 
-- curl: fix symbolic names for CURL_NETRC_* enum in --libcurl output
+Michael Kaufmann (14 Nov 2017)
+- URL: return error on malformed URLs with junk after IPv6 bracket
+  
+  Follow-up to aadb7c7. Verified by new test 1263.
+  
+  Closes #2072
 
-- curl: fix symbolic names for CURLUSESSL_* enum in --libcurl output
+Daniel Stenberg (14 Nov 2017)
+- INTERNALS: we may use libidn2 now, not libidn
 
-- tool_operate.c: fix passing curl_easy_setopt long arg on some x64 ABIs
+Patrick Monnerat (13 Nov 2017)
+- zlib/brotli: only include header files in modules needing them
   
-  We no longer pass our 'bool' data type variables nor constants as
-  an argument to my_setopt(), instead we use proper 1L or 0L values.
+  There is a conflict on symbol 'free_func' between openssl/crypto.h and
+  zlib.h on AIX. This is an attempt to resolve it.
   
-  This also fixes macro used to pass string argument for CURLOPT_SSLCERT,
-  CURLOPT_SSLKEY and CURLOPT_EGDSOCKET using my_setopt_str() instead of
-  my_setopt().
+  Bug: https://curl.haxx.se/mail/lib-2017-11/0032.html
+  Reported-By: Michael Felt
+
+Daniel Stenberg (13 Nov 2017)
+- SMB: fix uninitialized local variable
   
-  This also casts enum or int argument data types to long when passed to
-  my_setopt_enum().
+  Reported-by: Brian Carpenter
 
-Daniel Stenberg (21 Jul 2013)
-- curl_multi_wait: fix revents
+- [Orgad Shaneh brought this change]
+
+  connect.c: remove executable bit on file
   
-  Commit 6d30f8ebed34e7276 didn't work properly. First, it used the wrong
-  array index, but this fix also:
+  Closes #2071
+
+- [hsiao yi brought this change]
+
+  README.md: fixed layout
   
-  1 - only does the copying if indeed there was any activity
+  Closes #2069
+
+- setopt: split out curl_easy_setopt() to its own file
   
-  2 - makes sure to properly translate between internal and external
-  bitfields, which are not guaranteed to match
+  ... to make url.c smaller.
   
-  Reported-by: Evgeny Turnaev
+  Closes #1944
 
-- RELEASE-NOTES: synced with d529f3882b9bca
+Jay Satiro (10 Nov 2017)
+- [John Starks brought this change]
 
-- curl_easy_perform: gradually increase the delay time
+  cmake: Add missing setmode check
   
-  Instead of going 50,100,150 etc millisecond delay time when nothing has
-  been found to do or wait for, we now start lower and double each loop as
-  in 4,8,16,32 etc.
+  Ensure HAVE_SETMODE is set to 1 on OSes that have setmode. Without this,
+  curl will corrupt binary files when writing them to stdout on Windows.
   
-  This lowers the minimum wait without sacrifizing the longer wait too
-  much with unnecessary CPU cycles burnt.
+  Closes https://github.com/curl/curl/pull/2067
+
+Daniel Stenberg (10 Nov 2017)
+- curl_share_setopt: va_end was not called if conncache errors
+  
+  CID 984459, detected by Coverity
+
+Sergei Nikulov (10 Nov 2017)
+- [John Starks brought this change]
+
+  cmake: Correctly include curl.rc in Windows builds (#2064)
   
-  Bug: http://curl.haxx.se/mail/lib-2013-07/0103.html
-  Reported-by: Andreas Malzahn
+  Update CMakeLists.txt to add curl.rc to the correct list.
 
-- ftp_do_more: consider DO_MORE complete when server connects back
+Daniel Stenberg (9 Nov 2017)
+- RELEASE-NOTES: synced with 32828cc4f
+
+- [Luca Boccassi brought this change]
+
+  --interface: add support for Linux VRF
+  
+  The --interface command (CURLOPT_INTERFACE option) already uses
+  SO_BINDTODEVICE on Linux, but it tries to parse it as an interface or IP
+  address first, which fails in case the user passes a VRF.
+  
+  Try to use the socket option immediately and parse it as a fallback
+  instead.  Update the documentation to mention this feature, and that it
+  requires the binary to be ran by root or with CAP_NET_RAW capabilities
+  for this to work.
   
-  In the case of an active connection when ftp_do_more() detects that the
-  server has connected back, it must make sure to mark it as complete so
-  that the multi_runsingle() function will detect this and move on to the
-  next state.
+  Closes #2024
+
+- curl_share_setopt.3: document CURL_LOCK_DATA_CONNECT
   
-  Bug: http://curl.haxx.se/mail/lib-2013-07/0115.html
-  Reported-by: Clemens Gruber
+  Closes #2043
+
+- examples: add shared-connection-cache
 
-Yang Tse (19 Jul 2013)
-- Makefile.b32: Borland makefile adjustments. Tested with BCC 5.5.1
+- test1554: verify connection cache sharing
 
-- WIN32 MemoryTracking: require UNICODE for wide strdup code support
+- share: add support for sharing the connection cache
+
+- imap: deal with commands case insensitively
+  
+  As documented in RFC 3501 section 9:
+  https://tools.ietf.org/html/rfc3501#section-9
+  
+  Closes #2061
 
-Daniel Stenberg (18 Jul 2013)
-- CURLOPT_XFERINFOFUNCTION: introducing a new progress callback
+- connect: store IPv6 connection status after valid connection
   
-  CURLOPT_XFERINFOFUNCTION is now the preferred progress callback function
-  and CURLOPT_PROGRESSFUNCTION is considered deprecated.
+  ... previously it would store it already in the happy eyeballs stage
+  which could lead to the IPv6 bit being set for an IPv4 connection,
+  leading to curl not wanting to do EPSV=>PASV for FTP transfers.
   
-  This new callback uses pure 'curl_off_t' arguments to pass on full
-  resolution sizes. It otherwise retains the same characteristics: the
-  same call rate, the same meanings for the arguments and the return code
-  is used the same way.
+  Closes #2053
+
+- curl_multi_fdset.3: emphasize curl_multi_timeout
   
-  The progressfunc.c example is updated to show how to use the new
-  callback for newer libcurls while supporting the older one if built with
-  an older libcurl or even built with a newer libcurl while running with
-  an older.
+  ... even when there's no socket to wait for, the timeout can still be
+  very short.
 
-Yang Tse (18 Jul 2013)
-- Reinstate "WIN32 MemoryTracking: track wcsdup() _wcsdup() and _tcsdup() usage".
+Jay Satiro (9 Nov 2017)
+- content_encoding: fix inflate_stream for no bytes available
   
-  This reverts commit 7ed25cc, reinstating commit 8ec2cb5.
+  - Don't call zlib's inflate() when avail_in stream bytes is 0.
   
-  As of 18-jul-2013 we still do have code in libcurl that makes use of these
-  memory functions. Commit 8ec2cb5 comment still applies and is yet valid.
+  This is a follow up to the parent commit 19e66e5. Prior to that change
+  libcurl's inflate_stream could call zlib's inflate even when no bytes
+  were available, causing inflate to return Z_BUF_ERROR, and then
+  inflate_stream would treat that as a hard error and return
+  CURLE_BAD_CONTENT_ENCODING.
   
-  These memory functions are solely used in Windows builds, so all related
-  code is protected with '#ifdef WIN32' preprocessor conditional compilation
-  directives.
+  According to the zlib FAQ, Z_BUF_ERROR is not fatal.
   
-  Specifically, wcsdup() _wcsdup() are used when building a Windows target with
-  UNICODE and USE_WINDOWS_SSPI preprocessor symbols defined. This is the case
-  when building a Windows UNICODE target with Windows native SSL/TLS support
-  enabled.
+  This bug would happen randomly since packet sizes are arbitrary. A test
+  of 10,000 transfers had 55 fail (ie 0.55%).
   
-  Realizing that wcsdup() _wcsdup() are used is a bit tricky given that usage
-  of these is hidden behind _tcsdup() which is MS way of dealing with code
-  that must tolerate UNICODE and non-UNICODE compilation. Additionally, MS
-  header files and those compatible from other compilers use this preprocessor
-  conditional compilation directive in order to select at compilation time
-  whether 'wide' or 'ansi' MS API functions are used.
+  Ref: https://zlib.net/zlib_faq.html#faq05
   
-  Without this code, Windows build targets with Windows native SSL/TLS support
-  enabled and MemoryTracking support enabled misbehave in tracking memory usage,
-  regardless of being a UNICODE enabled build or not.
+  Closes https://github.com/curl/curl/pull/2060
+
+Patrick Monnerat (7 Nov 2017)
+- content_encoding: do not write 0 length data
 
-- xc-am-iface.m4: comments refinement
+Daniel Stenberg (6 Nov 2017)
+- fnmatch: remove dead code
+  
+  There was a duplicate check for backslashes in the setcharset()
+  function.
+  
+  Coverity CID 1420611
 
-- configure: fix 'subdir-objects' distclean related issue
+- url: remove unncessary NULL-check
   
-  See XC_AMEND_DISTCLEAN comments for details.
+  Since 'conn' won't be NULL in there and we also access the pointer in
+  there without the check.
+  
+  Coverity CID 1420610
 
-Daniel Stenberg (18 Jul 2013)
-- [Evgeny Turnaev brought this change]
+Viktor Szakats (6 Nov 2017)
+- src/Makefile.m32: fix typo in brotli lib customization
+  
+  Ref cc1f4436099decb9d1a7034b2bb773a9f8379d31
 
-  curl_multi_wait: set revents for extra fds
+- Makefile.m32: allow to customize brotli libs
   
-  Pass back the revents that happened for the user-provided file
-  descriptors.
+  It adds the ability to link against static brotli libs.
+  
+  Also fix brotli include path.
 
-- [Ben Greear brought this change]
+Patrick Monnerat (5 Nov 2017)
+- travis: add a job with brotli enabled
+
+- [Viktor Szakats brought this change]
+
+  Makefile.m32: add brotli support
 
-  asyn-ares: Don't blank ares servers if none configured.
+- HTTP: implement Brotli content encoding
   
-  Best to just let c-ares use it's defaults if none are configured
-  in (lib)curl.
+  This uses the brotli external library (https://github.com/google/brotli).
+  Brotli becomes a feature: additional curl_version_info() bit and
+  structure fields are provided for it and CURLVERSION_NOW bumped.
   
-  Signed-off-by: Ben Greear <greearb@candelatech.com>
+  Tests 314 and 315 check Brotli content unencoding with correct and
+  erroneous data.
+  
+  Some tests are updated to accomodate with the now configuration dependent
+  parameters of the Accept-Encoding header.
 
-- [Sergei Nikulov brought this change]
+- HTTP: support multiple Content-Encodings
+  
+  This is implemented as an output streaming stack of unencoders, the last
+  calling the client write procedure.
+  
+  New test 230 checks this feature.
+  
+  Bug: https://github.com/curl/curl/pull/2002
+  Reported-By: Daniel Bankhead
+
+Jay Satiro (4 Nov 2017)
+- url: remove arg value check from CURLOPT_SSH_AUTH_TYPES
+  
+  Since CURLSSH_AUTH_ANY (aka CURLSSH_AUTH_DEFAULT) is ~0 an arg value
+  check on this option is incorrect; we have to accept any value.
+  
+  Prior to this change since f121575 (7.56.1+) CURLOPT_SSH_AUTH_TYPES
+  erroneously rejected CURLSSH_AUTH_ANY with CURLE_BAD_FUNCTION_ARGUMENT.
+  
+  Bug: https://github.com/curl/curl/commit/f121575#commitcomment-25347120
+
+Daniel Stenberg (4 Nov 2017)
+- ntlm: avoid malloc(0) for zero length passwords
+  
+  It triggers an assert() when built with memdebug since malloc(0) may
+  return NULL *or* a valid pointer.
+  
+  Detected by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4054
+  
+  Assisted-by: Max Dymond
+  Closes #2054
 
-  cmake: Fix for MSVC2010 project generation
+- RELEASE-NOTES: synced with ee8016b3d
+
+- curl: speed up handling of many URLs
+  
+  By properly keeping track of the last entry in the list of URLs/uploads
+  to handle, curl now avoids many meaningless traverses of the list which
+  speeds up many-URL handling *MASSIVELY* (several magnitudes on 100K
+  URLs).
   
-  Fixed issue with static build for MSVC2010.
+  Added test 1291, to verify that it doesn't take ages - but we don't have
+  any detection of "too slow" command in the test suite.
   
-  After some investigation I've discovered known issue
-  http://public.kitware.com/Bug/view.php?id=11240 When .rc file is linked
-  to static lib it fails with following linker error
+  Reported-by: arainchik on github
+  Fixes #1959
+  Closes #2052
+
+- curl: pass through [] in URLs instead of calling globbing error
   
-  LINK : warning LNK4068: /MACHINE not specified; defaulting to X86
-  file.obj : fatal error LNK1112: module machine type 'x64' conflicts with
-  target machine type 'X86'
+  Assisted-by: Per Lundberg
+  Fixes #2044
+  Closes #2046
+  Closes #2048
+
+- CURLOPT_INFILESIZE: accept -1
   
-  Fix add target property /MACHINE: for MSVC generation.
+  Regression since f121575
   
-  Also removed old workarounds - it caused errors during msvc build.
+  Reported-by: Petr Voytsik
+  Fixes #2047
+
+Jay Satiro (2 Nov 2017)
+- url: fix CURLOPT_DNS_CACHE_TIMEOUT arg value check to allow -1
   
-  Bug: http://curl.haxx.se/mail/lib-2013-07/0046.html
+  Prior to this change since f121575 (7.56.1+) CURLOPT_DNS_CACHE_TIMEOUT
+  erroneously rejected -1 with CURLE_BAD_FUNCTION_ARGUMENT.
 
-- mk-ca-bundle.1: point out certdata.txt format docs
+Dan Fandrich (1 Nov 2017)
+- http2: Fixed OOM handling in upgrade request
+  
+  This caused the torture tests on test 1800 to fail.
 
-Yang Tse (16 Jul 2013)
-- slist.c: Curl_slist_append_nodup() OOM handling fix
+- tests: Fixed torture tests on tests 556 and 650
+  
+  Test cleanup after OOM wasn't being consistently performed.
 
-Daniel Stenberg (16 Jul 2013)
-- test1414: FTP PORT download without SIZE support
+Daniel Stenberg (1 Nov 2017)
+- CURLOPT_MAXREDIRS: allow -1 as a value
+  
+  ... which is valid according to documentation. Regression since
+  f121575c0b5f.
+  
+  Verified now in test 501.
+  
+  Reported-by: cbartl on github
+  Fixes #2038
+  Closes #2039
 
-Yang Tse (16 Jul 2013)
-- tests/Makefile.am: add configurehelp.pm to DISTCLEANFILES
+- include: remove conncache.h inclusion from where its not needed
 
-Patrick Monnerat (15 Jul 2013)
-- curl_slist_append(): fix error detection
+Jay Satiro (1 Nov 2017)
+- url: fix CURLOPT_POSTFIELDSIZE arg value check to allow -1
+  
+  .. also add same arg value check to CURLOPT_POSTFIELDSIZE_LARGE.
+  
+  Prior to this change since f121575 (7.56.1+) CURLOPT_POSTFIELDSIZE
+  erroneously rejected -1 value with CURLE_BAD_FUNCTION_ARGUMENT.
+  
+  Bug: https://curl.haxx.se/mail/lib-2017-11/0000.html
+  Reported-by: Andrew Lambert
 
-- slist.c: fix indentation
+Daniel Stenberg (31 Oct 2017)
+- cookie: avoid NULL dereference
+  
+  ... when expiring old cookies.
+  
+  Reported-by: Pavel Gushchin
+  Fixes #2032
+  Closes #2035
 
-- OS400: new SSL backend GSKit
+Marcel Raad (30 Oct 2017)
+- memdebug: use send/recv signature for curl_dosend/curl_dorecv
+  
+  This avoids build errors and warnings caused by implicit casts.
+  
+  Closes https://github.com/curl/curl/pull/2031
 
-- OS400: add slist and certinfo EBCDIC support
+Daniel Stenberg (30 Oct 2017)
+- [Juro Bystricky brought this change]
 
-- config-os400.h: enable system strdup(), strcmpi(), etc.
+  mkhelp.pl: support reproducible build
+  
+  Do not generate line with the current date, such as:
+  
+  * Generation time: Tue Oct-24 18:01:41 2017
+  
+  This will improve reproducibility. The generated string is only
+  part of a comment, so there should be no adverse consequences.
+  
+  Signed-off-by: Juro Bystricky <juro.bystricky@intel.com>
+  
+  closes #2026
 
-- x509asn1.c,x509asn1.h: new module to support ASN.1/X509 parsing & info extract
-  Use from qssl backend
+Dan Fandrich (30 Oct 2017)
+- runtests.pl: Fixed typo in message
 
-- ssluse.c,sslgen.c,sslgen.h: move certinfo support to generic SSL
+Daniel Stenberg (30 Oct 2017)
+- curlx: the timeval functions are no longer provided as curlx_*
+  
+  Pointed-out-by: Dmitri Tikhonov
+  Bug: #2034
 
-- Merge branch 'master' of github.com:bagder/curl
+- select: update comments
   
-  Merge for resync
+  s/curlx_tvnow/Curl_now
+
+- INTERNALS: remove curlx_tv* functions no longer provided
 
-- slist.c, slist.h, cookie.c: new internal procedure Curl_slist_append_nodup()
+- [Dmitri Tikhonov brought this change]
 
-Yang Tse (15 Jul 2013)
-- sslgen.c: fix Curl_rand() compiler warning
+  timeval: use mach time on MacOS
   
-  Use simple seeding method upon RANDOM_FILE seeding method failure.
+  If clock_gettime() is not supported, use mach_absolute_time() on MacOS.
+  
+  closes #2033
+
+Patrick Monnerat (29 Oct 2017)
+- cli tool: improve ";type=" handling in -F option arguments
 
-- sslgen.c: fix unreleased Curl_rand() infinite recursion
+- cli tool: in -F option arg, comma is a delimiter for files only
+  
+  Also upgrade test 1133 to cover this case and clarify man page about
+  form data quoting.
+  
+  Bug: https://github.com/curl/curl/issues/2022
+  Reported-By: omau on github
 
-Daniel Stenberg (14 Jul 2013)
-- [Dave Reisner brought this change]
+Daniel Stenberg (29 Oct 2017)
+- timeleft: made two more users of Curl_timeleft use timediff_t
 
-  src/tool: allow timeouts to accept decimal values
+Jakub Zakrzewski (28 Oct 2017)
+- cmake: Export libcurl and curl targets to use by other cmake projects
   
-  Implement wrappers around strtod to convert the user argument to a
-  double with sane error checking. Use this to allow --max-time and
-  --connect-timeout to accept decimal values instead of strictly integers.
+  The config files define curl and libcurl targets as imported targets
+  CURL::curl and CURL::libcurl. For backward compatibility with CMake-
+  provided find-module the CURL_INCLUDE_DIRS and CURL_LIBRARIES are
+  also set.
   
-  The manpage is updated to make mention of this feature and,
-  additionally, forewarn that the actual timeout of the operation can
-  vary in its precision (particularly as the value increases in its
-  decimal precision).
+  Closes #1879
 
-- [Dave Reisner brought this change]
+Daniel Stenberg (28 Oct 2017)
+- RELEASE-NOTES: synced with f20cbac97
 
-  curl.1: fix long line, found by checksrc.pl
+- [Florin Petriuc brought this change]
+
+  auth: Added test cases for RFC7616
+  
+  Updated docs to include support for RFC7616
+  
+  Signed-off-by: Florin <petriuc.florin@gmail.com>
+  
+  Closes #1934
 
-- [Dave Reisner brought this change]
+- [Florin Petriuc brought this change]
 
-  src/tool_paramhlp: try harder to catch negatives
+  auth: add support for RFC7616 - HTTP Digest access authentication
   
-  strto* functions happily chomp off leading whitespace, so simply
-  checking for str[0] can lead to false negatives. Do the full parse and
-  check the out value instead.
+  Signed-off-by: Florin <petriuc.florin@gmail.com>
 
-- [John E. Malmberg brought this change]
+- [Daniel Bankhead brought this change]
 
-  build_vms.com: detect and use zlib shared image
+  TODO: support multiple Content-Encodings
   
-  Update the build_vms.com to detect and use zlib shared image installed
-  by the ZLIB kit produced by Jean-Francois Pieronne, and the also the
-  future ZLIB 1.2.8 kit in addition to the older ZLIB kits.
+  Closes #2002
+
+- ROADMAP: cleanup
   
-  Also fix the indentation to match one of the common standards used for
-  VMS DCL command files and removed the hard tab characters.
+  Removed done stuff. Removed entries no longer considered for the near
+  term.
+
+- [Magicansk brought this change]
+
+  ROADMAP.md: spelling fixes
   
-  Tested on OpenVMS 8.4 Alpha and IA64, and OpenVMS 7.3 VAX.
+  Closes #2028
 
-Yang Tse (14 Jul 2013)
-- url.c: fix parse_url_login() OOM handling
+- Curl_timeleft: change return type to timediff_t
+  
+  returning 'time_t' is problematic when that type is unsigned and we
+  return values less than zero to signal "already expired", used in
+  several places in the code.
+  
+  Closes #2021
 
-- http_digest.c: SIGSEGV and OOM handling fixes
+- appveyor: add a win32 build
 
-- url.c: fix parse_login_details() OOM handling
+- setopt: fix CURLOPT_SSH_AUTH_TYPES option read
+  
+  Regression since f121575c0b5f
+  
+  Reported-by: Rob Cotrone
 
-- [John E. Malmberg brought this change]
+Marcel Raad (27 Oct 2017)
+- resolvers: only include anything if needed
+  
+  This avoids warnings about unused stuff.
+  
+  Closes https://github.com/curl/curl/pull/2023
 
-  setup-vms.h: sk_pop symbol tweak
+Daniel Stenberg (27 Oct 2017)
+- HELP-US: rename the subtitle too since the label is changed
   
-  Newer versions of curl are referencing a sk_pop symbol while the HP
-  OpenSSL library has the symbol in uppercase only.
+  "PR-welcome" was the former name.
+
+- curl_setup.h: oops, shorten the too long line
 
-- getinfo.c: fix enumerated type mixed with another type
+- [Martin Storsjo brought this change]
 
-- test 1511: fix enumerated type mixed with another type
+  curl_setup: Improve detection of CURL_WINDOWS_APP
+  
+  If WINAPI_FAMILY is defined, it should be safe to try to include
+  winapifamily.h to check what the define evaluates to.
+  
+  This should fix detection of CURL_WINDOWS_APP if building with
+  _WIN32_WINNT set to 0x0600.
+  
+  Closes #2025
+
+Jay Satiro (26 Oct 2017)
+- transfer: Fix chunked-encoding upload bug
+  
+  - When uploading via chunked-encoding don't compare file size to bytes
+    sent to determine whether the upload has finished.
+  
+  Chunked-encoding adds its own overhead which why the bytes sent is not
+  equal to the file size. Prior to this change if a file was uploaded in
+  chunked-encoding and its size was known it was possible that the upload
+  could end prematurely without sending the final few chunks. That would
+  result in a server hang waiting for the remaining data, likely followed
+  by a disconnect.
+  
+  The scope of this bug is limited to some arbitrary file sizes which have
+  not been determined. One size that triggers the bug is 475020.
+  
+  Bug: https://github.com/curl/curl/issues/2001
+  Reported-by: moohoorama@users.noreply.github.com
+  
+  Closes https://github.com/curl/curl/pull/2010
 
-- url.c: fix SIGSEGV
+Daniel Stenberg (26 Oct 2017)
+- timeval: make timediff_t also work on 32bit windows
+  
+  ... by using curl_off_t for the typedef if time_t is larger than 4
+  bytes.
+  
+  Reported-by: Gisle Vanem
+  Bug: https://github.com/curl/curl/commit/b9d25f9a6b3ca791385b80a6a3c3fa5ae113e1e0#co
+  mmitcomment-25205058
+  Closes #2019
 
-- dotdot.c: fix global declaration shadowing
+- curl_fnmatch: return error on illegal wildcard pattern
+  
+  ... instead of doing an infinite loop!
+  
+  Added test 1162 to verify.
+  
+  Reported-by: Max Dymond
+  Fixes #2015
+  Closes #2017
 
-- easy.c: fix global declaration shadowing
+- [Max Dymond brought this change]
 
-Kamil Dudka (9 Jul 2013)
-- Revert "curl.1: document the --time-cond option in the man page"
+  wildcards: don't use with non-supported protocols
   
-  This reverts commit 3a0e931fc715a80004958794a96b12cf90503f99 because
-  the documentation of --time-cond was duplicated by mistake.
+  Fixes timeouts in the fuzzing tests for non-FTP protocols.
   
-  Reported by: Dave Reisner
+  Closes #2016
 
-- curl.1: document the --sasl-ir option in the man page
+- [Max Dymond brought this change]
 
-- curl.1: document the --post303 option in the man page
+  multi: allow table handle sizes to be overridden
+  
+  Allow users to specify their own hash define for
+  CURL_CONNECTION_HASH_SIZE so that both values can be overridden.
+  
+  Closes #1982
 
-- curl.1: document the --time-cond option in the man page
+- time: rename Curl_tvnow to Curl_now
+  
+  ... since the 'tv' stood for timeval and this function does not return a
+  timeval struct anymore.
+  
+  Also, cleaned up the Curl_timediff*() functions to avoid typecasts and
+  clean up the descriptive comments.
+  
+  Closes #2011
 
-Yang Tse (9 Jul 2013)
-- configure: automake 1.14 compatibility tweak (use XC_AUTOMAKE)
+- ftplistparser: follow-up cleanup to remove PL_ERROR()
 
-- xc-am-iface.m4: provide XC_AUTOMAKE macro
+- [Max Dymond brought this change]
 
-Guenter Knauf (8 Jul 2013)
-- Added winssl-zlib target to VC builds.
+  ftplistparser: free off temporary memory always
+  
+  When using the FTP list parser, ensure that the memory that's
+  allocated is always freed.
+  
+  Detected by OSS-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3682
+  Closes #2013
 
-- Synced Makefile.vc6 with recent changes.
+- timediff: return timediff_t from the time diff functions
+  
+  ... to cater for systems with unsigned time_t variables.
+  
+  - Renamed the functions to curlx_timediff and Curl_timediff_us.
+  
+  - Added overflow protection for both of them in either direction for
+    both 32 bit and 64 bit time_ts
   
-  Issue posted to the list by malinowsky AT FTW DOT at.
+  - Reprefixed the curlx_time functions to use Curl_*
+  
+  Reported-by: Peter Piekarski
+  Fixes #2004
+  Closes #2005
 
-- Added libmetalink URL; added Android versions.
+- [Paul Howarth brought this change]
 
-Dan Fandrich (3 Jul 2013)
-- examples: Moved usercertinmem.c to COMPLICATED_EXAMPLES
+  libtest: Add required test libraries for lib1552 and lib1553
+  
+  They use $(TESTUTIL) and thus should use $(TESTUTIL_LIBS) too.
+  
+  This fixes build failures on Fedora 13.
   
-  This prevents it from being built during a "make check" since it
-  depends on OpenSSL.
+  Closes #2006
 
-Nick Zitzmann (2 Jul 2013)
-- Merge branch 'master' of https://github.com/bagder/curl
+- [Alessandro Ghedini brought this change]
 
-- darwinssl: SSLv2 connections are aborted if unsupported by the OS
+  libcurl-tutorial.3: fix typo
   
-  I just noticed that OS X no longer supports SSLv2. Other TLS engines return
-  an error if the requested protocol isn't supported by the underlying
-  engine, so we do that now for SSLv2 if the framework returns an error
-  when trying to turn on SSLv2 support. (Note: As always, SSLv2 support is
-  only enabled in curl when starting the app with the -2 argument; it's off
-  by default. SSLv2 is really old and insecure.)
+  closes #2008
+
+Alessandro Ghedini (23 Oct 2017)
+- curl_mime_filedata.3: fix typos
 
-Marc Hoersken (1 Jul 2013)
-- lib506.c: Fixed possible use of uninitialized variables
+Daniel Stenberg (23 Oct 2017)
+- RELEASE-NOTES: clean slate towards 7.57.0
 
-Kamil Dudka (30 Jun 2013)
-- url: restore the functionality of 'curl -u :'
+- [Max Dymond brought this change]
+
+  travis: exit if any steps fail
+  
+  We don't expect any steps to fail in travis. Exit the script if they do.
   
-  This commit fixes a regression introduced in
-  fddb7b44a79d78e05043e1c97e069308b6b85f79.
+  Closes #1966
+
+Version 7.56.1 (23 Oct 2017)
+
+Daniel Stenberg (23 Oct 2017)
+- RELEASE-NOTES: 7.56.1
+
+- THANKS: update at 7.56.1 release time
+
+- [Jon DeVree brought this change]
+
+  mk-ca-bundle: Remove URL for aurora
   
-  Reported by: Markus Moeller
-  Bug: http://curl.haxx.se/mail/archive-2013-06/0052.html
+  Aurora is no longer used by Mozilla
+  https://hacks.mozilla.org/2017/04/simplifying-firefox-release-channels/
+
+- [Jon DeVree brought this change]
 
-Daniel Stenberg (25 Jun 2013)
-- digest: append the timer to the random for the nonce
+  mk-ca-bundle: Fix URL for NSS
+  
+  The 'tip' is the most recent branch committed to, this should be
+  'default' like the URLs for the browser are.
+  
+  Closes #1998
 
-- digest: improve nonce generation
+- imap: if a FETCH response has no size, don't call write callback
   
-  Use the new improved Curl_rand() to generate better random nonce for
-  Digest auth.
+  CVE-2017-1000257
+  
+  Reported-by: Brian Carpenter and 0xd34db347
+  Also detected by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3586
 
-- curl.1: fix typo in --xattr description
+- ftp: reject illegal IP/port in PASV 227 response
+  
+  ... by using range checks. Among other things, this avoids an undefined
+  behavior for a left shift that could happen on negative or very large
+  values.
   
-  Bug: http://curl.haxx.se/bug/view.cgi?id=1252
-  Reported-by: Jean-Noël Rouvignac
+  Closes #1997
+  
+  Detected by OSS-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3694
 
-- RELEASE-NOTES: synced with 365c5ba39591
+Patrick Monnerat (20 Oct 2017)
+- test653: check reuse of easy handle after mime data change
   
-  The 10 first bug fixes for the pending release...
+  See issue #1999
 
-- formpost: better random boundaries
+- mime: do not reuse previously computed multipart size
   
-  When doing multi-part formposts, libcurl used a pseudo-random value that
-  was seeded with time(). This turns out to be bad for users who formpost
-  data that is provided with users who then can guess how the boundary
-  string will look like and then they can forge a different formpost part
-  and trick the receiver.
+  The contents might have changed: size must be recomputed.
   
-  My advice to such implementors is (still even after this change) to not
-  rely on the boundary strings being cryptographically strong. Fix your
-  code and logic to not depend on them that much!
+  Reported-by: moteus on github
+  Fixes #1999
+
+- test308: disable if MultiSSL feature enabled
   
-  I moved the Curl_rand() function into the sslgen.c source file now to be
-  able to take advantage of the SSL library's random function if it
-  provides one. If not, try to use the RANDOM_FILE for seeding and as a
-  last resort keep the old logic, just modified to also add microseconds
-  which makes it harder to properly guess the exact seed.
+  Even if OpenSSL is enabled, it might not be the default backend when
+  multi-ssl is enabled, causing the test to fail.
+
+- runtests: support MultiSSL client feature
+
+- vtls: change struct Curl_ssl `close' field name to `close_one'.
   
-  The formboundary() function in formdata.c is now using 64 bit entropy
-  for the boundary and therefore the string of dashes was reduced by 4
-  letters and there are 16 hex digits following it. The total length is
-  thus still the same.
+  On OS/400, `close' is an ASCII system macro that corrupts the code if
+  not used in a context not targetting the close() system API.
+
+- os400: add missing symbols in config file.
   
-  Bug: http://curl.haxx.se/bug/view.cgi?id=1251
-  Reported-by: "Floris"
+  Also adjust makefile to renamed files and warn about installation dirs mix-up.
+
+- test652: curl_mime_data + base64 encoder with large contents
 
-- printf: make sure %x are treated unsigned
-  
-  When using %x, the number must be treated as unsigned as otherwise it
-  would get sign-extended on for example 64bit machines and do wrong
-  output. This problem showed when doing printf("%08x", 0xffeeddcc) on a
-  64bit host.
+- mime: limit bas64-encoded lines length to 76 characters
 
-- tests: add test1395 to the tarball
+Daniel Stenberg (16 Oct 2017)
+- RELEASE-NOTES: synced with f121575c0
 
-- SIGPIPE: don't use 'data' in sigpipe restore
-  
-  Follow-up fix from 7d80ed64e43515.
+- setopt: range check most long options
   
-  The SessionHandle may not be around to use when we restore the sigpipe
-  sighandler so we store the no_signal boolean in the local struct to know
-  if/how to restore.
+  ... filter early instead of risking "funny values" having to be dealt
+  with elsewhere.
 
-- TODO: 1.8 Modified buffer size approach
+- setopt: avoid integer overflows when setting millsecond values
   
-  Thoughts around buffer sizes and what might be possible to do...
-
-- c-ares: improve error message on failed resolve
+  ... that are multiplied by 1000 when stored.
   
-  When the c-ares based resolver backend failed to resolve a name, it
-  tried to show the name that failed from existing structs. This caused
-  the wrong output and shown hostname when for example --interface
-  [hostname] was used and that name resolving failed.
+  For 32 bit long systems, the max value accepted (2147483 seconds) is >
+  596 hours which is unlikely to ever be set by a legitimate application -
+  and previously it didn't work either, it just caused undefined behavior.
   
-  Now we use the hostname used in the actual resolve attempt in the error
-  message as well.
+  Also updated the man pages for these timeout options to mention the
+  return code.
   
-  Bug: http://curl.haxx.se/bug/view.cgi?id=1191
-  Reported-by: Kim Vandry
+  Closes #1938
 
-- ossl_recv: check for an OpenSSL error, don't assume
-  
-  When we recently started to treat a zero return code from SSL_read() as
-  an error we also got false positives - which primarily looks to be
-  because the OpenSSL documentation is wrong and a zero return code is not
-  at all an error case in many situations.
+Viktor Szakats (15 Oct 2017)
+- makefile.m32: allow to override gcc, ar and ranlib
   
-  Now ossl_recv() will check with ERR_get_error() to see if there is a
-  stored error and only then consider it to be a true error if SSL_read()
-  returned zero.
+  Allow to ovverride certain build tools, making it possible to
+  use LLVM/Clang to build curl. The default behavior is unchanged.
+  To build with clang (as offered by MSYS2), these settings can
+  be used:
   
-  Bug: http://curl.haxx.se/bug/view.cgi?id=1249
-  Reported-by: Nach M. S.
-  Patch-by: Nach M. S.
-
-Nick Zitzmann (22 Jun 2013)
-- Merge branch 'master' of https://github.com/bagder/curl
-
-- darwinssl: fix crash that started happening in Lion
+  CURL_CC=clang
+  CURL_AR=llvm-ar
+  CURL_RANLIB=llvm-ranlib
   
-  Something (a recent security update maybe?) changed in Lion, and now it
-  has changed SSLCopyPeerTrust such that it may return noErr but also give
-  us a null trust, which caught us off guard and caused an eventual crash.
+  Closes https://github.com/curl/curl/pull/1993
 
-Daniel Stenberg (22 Jun 2013)
-- SIGPIPE: ignored while inside the library
+- ldap: silence clang warning
   
-  ... and restore the ordinary handling again when it returns. This is
-  done for curl_easy_perform() and curl_easy_cleanup() only for now - and
-  only when built to use OpenSSL as backend as this is the known culprit
-  for the spurious SIGPIPEs people have received.
+  Use memset() to initialize a structure to avoid LLVM/Clang warning:
+  ldap.c:193:39: warning: missing field 'UserLength' initializer [-Wmissing-field-initializers]
   
-  Bug: http://curl.haxx.se/bug/view.cgi?id=1180
-  Reported by: Lluís Batlle i Rossell
+  Closes https://github.com/curl/curl/pull/1992
 
-- KNOWN_BUGS: #83 unable to load non-default openssl engines
-
-- test1396: invoke the correct test tool!
+Daniel Stenberg (14 Oct 2017)
+- runtests: use valgrind for torture as well
   
-  This erroneously run unit test 1310 instead of 1396!
+  NOTE: it makes them terribly slow. I recommend only using valgrind for
+  specific torture tests or using lots of patience.
 
-Kamil Dudka (22 Jun 2013)
-- test1230: avoid using hard-wired port number
+- memdebug: trace send, recv and socket
   
-  ... to prevent failure when a non-default -b option is given
-
-- curl-config.in: replace tabs by spaces
-
-Nick Zitzmann (22 Jun 2013)
-- darwinssl: reform OS-specific #defines
+  ... to allow them to be included in torture tests too.
   
-  This doesn't need to be in the release notes. I cleaned up a lot of the #if
-  lines in the code to use MAC_OS_X_VERSION_MIN_REQUIRED and
-  MAC_OS_X_VERSION_MAX_ALLOWED instead of checking for whether things like
-  __MAC_10_6 or whatever were defined, because for some SDKs Apple has released
-  they were defined out of place.
-
-Daniel Stenberg (22 Jun 2013)
-- [Alessandro Ghedini brought this change]
-
-  docs: fix typo in curl_easy_getinfo manpage
+  closes #1980
 
-- dotdot: introducing dot file path cleanup
+- configure: remove the C++ compiler check
   
-  RFC3986 details how a path part passed in as part of a URI should be
-  "cleaned" from dot sequences before getting used. The described
-  algorithm is now implemented in lib/dotdot.c with the accompanied test
-  case in test 1395.
+  ... we used it only for the fuzzer, which we now have in a separate git
+  repo.
   
-  Bug: http://curl.haxx.se/bug/view.cgi?id=1200
-  Reported-by: Alex Vinnik
+  Closes #1990
 
-- bump: start working towards what most likely will become 7.32.0
+Patrick Monnerat (13 Oct 2017)
+- mime: do not call failf() if easy handle is NULL.
 
-- THANKS: added 24 new contributors from the 7.31.0 release
+Daniel Stenberg (13 Oct 2017)
+- test651: curl_formadd with huge COPYCONTENTS
 
-Version 7.31.0 (22 Jun 2013)
+- mime: fix the content reader to handle >16K data properly
+  
+  Reported-by: Jeroen Ooms
+  Closes #1988
 
-Daniel Stenberg (22 Jun 2013)
-- RELEASE-NOTES: synced with 0de7249bb39a2 - 7.31.0
+Patrick Monnerat (12 Oct 2017)
+- mime: keep "text/plain" content type if user-specified.
+  
+  Include test cases in 554, 587, 650.
+  
+  Fixes https://github.com/curl/curl/issues/1986
 
-- unit1396: unit tests to verify curl_easy_(un)escape
+- cli tool: use file2memory() to buffer stdin in -F option.
+  
+  Closes PR https://github.com/curl/curl/pull/1985
 
-- Curl_urldecode: no peeking beyond end of input buffer
+- cli tool: reimplement stdin buffering in -F option.
   
-  Security problem: CVE-2013-2174
+  If stdin is not a regular file, its content is memory-buffered to enable
+  a possible data "rewind".
+  In all cases, stdin data size is determined before real use to avoid
+  having an unknown part's size.
   
-  If a program would give a string like "%FF" to curl_easy_unescape() but
-  ask for it to decode only the first byte, it would still parse and
-  decode the full hex sequence. The function then not only read beyond the
-  allowed buffer but it would also deduct the *unsigned* counter variable
-  for how many more bytes there's left to read in the buffer by two,
-  making the counter wrap. Continuing this, the function would go on
-  reading beyond the buffer and soon writing beyond the allocated target
-  buffer...
+  --libcurl generated code is left as an unbuffered stdin fread/fseek callback
+  part with unknown data size.
   
-  Bug: http://curl.haxx.se/docs/adv_20130622.html
-  Reported-by: Timo Sirainen
+  Buffering is not supported in deprecated curl_formadd() API.
 
-Guenter Knauf (20 Jun 2013)
-- Use opened body.out file and write content to it.
+Daniel Stenberg (12 Oct 2017)
+- winbuild/BUILD.WINDOWS.txt: mention WITH_NGHTTP2
 
-Daniel Stenberg (20 Jun 2013)
-- multi_socket: react on socket close immediately
+- HELP-US: the label "PR-welcome" is now renamed to "help wanted"
   
-  As a remedy to the problem when a socket gets closed and a new one is
-  opened with the same file descriptor number and as a result
-  multi.c:singlesocket() doesn't detect the difference, the new function
-  Curl_multi_closed() gets told when a socket is closed so that it can be
-  removed from the socket hash. When the old one has been removed, a new
-  socket should be detected fine by the singlesocket() on next invoke.
-  
-  Bug: http://curl.haxx.se/bug/view.cgi?id=1248
-  Reported-by: Erik Johansson
+  following the new github "standard"
 
-- RELEASE-NOTES: synced with e305f5ec715f
+- RELEASE-NOTES: synced with 5505df7d2
 
-- TODO: mention the DANE patch from March
+Jay Satiro (11 Oct 2017)
+- [Artak Galoyan brought this change]
 
-- CURLOPT_COOKIELIST: take cookie share lock
+  url: Update current connection SSL verify params in setopt
   
-  When performing COOKIELIST operations the cookie lock needs to be taken
-  for the cases where the cookies are shared among multiple handles!
+  Now VERIFYHOST, VERIFYPEER and VERIFYSTATUS options change during active
+  connection updates the current connection's (i.e.'connectdata'
+  structure) appropriate ssl_config (and ssl_proxy_config) structures
+  variables, making these options effective for ongoing connection.
   
-  Verified by Benjamin Gilbert's updated test 506
+  This functionality was available before and was broken by the
+  following change:
+  "proxy: Support HTTPS proxy and SOCKS+HTTP(s)"
+  CommitId: cb4e2be7c6d42ca0780f8e0a747cecf9ba45f151.
   
-  Bug: http://curl.haxx.se/bug/view.cgi?id=1215
-  Reported-by: Benjamin Gilbert
-
-- [Benjamin Gilbert brought this change]
-
-  test506: verify that CURLOPT_COOKIELIST takes share lock
+  Bug: https://github.com/curl/curl/issues/1941
   
-  It doesn't right now: http://curl.haxx.se/bug/view.cgi?id=1215
+  Closes https://github.com/curl/curl/pull/1951
 
-- TODO: HTTP2/SPDY support
+Daniel Stenberg (11 Oct 2017)
+- [David Benjamin brought this change]
 
-- curl_easy_setopt.3: clarify CURLOPT_PROGRESSFUNCTION frequency
+  openssl: don't use old BORINGSSL_YYYYMM macros
   
-  Make it clearer that the CURLOPT_PROGRESSFUNCTION callback will be
-  called more frequently than once per second when things are happening.
-
-- RELEASE-NOTES: synced with 9c3e098259b82
+  Those were temporary things we'd add and remove for our own convenience
+  long ago. The last few stayed around for too long as an oversight but
+  have since been removed. These days we have a running
+  BORINGSSL_API_VERSION counter which is bumped when we find it
+  convenient, but 2015-11-19 was quite some time ago, so just check
+  OPENSSL_IS_BORINGSSL.
   
-  Mention 7 recent bug fixes and their associated contributors
+  Closes #1979
+
+- test950; verify SMTP with custom request
 
-- curl_multi_wait.3: clarify the numfds counter
+- ftpserver: support case insensitive commands
 
-- curl_easy_perform: avoid busy-looping
+- smtp_done: free data before returning (on send failure)
   
-  When curl_multi_wait() finds no file descriptor to wait for, it returns
-  instantly and this must be handled gracefully within curl_easy_perform()
-  or cause a busy-loop. Starting now, repeated fast returns without any
-  file descriptors is detected and a gradually increasing sleep will be
-  used (up to a max of 1000 milliseconds) before continuing the loop.
+  ... as otherwise it could leak that memory.
   
-  Bug: http://curl.haxx.se/bug/view.cgi?id=1238
-  Reported-by: Miguel Angel
-
-- [YAMADA Yasuharu brought this change]
-
-  cookies: follow-up fix for path checking
+  Detected by OSS-fuzz:
+  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3600
   
-  The initial fix to only compare full path names were done in commit
-  04f52e9b4db0 but found out to be incomplete. This takes should make the
-  change more complete and there's now two additional tests to verify
-  (test 31 and 62).
+  Assisted-by: Max Dymond
+  Closes #1977
 
-- [Sergei Nikulov brought this change]
+- FTP: URL decode path for dir listing in nocwd mode
+  
+  Reported-by: Zenju on github
+  
+  Test 244 added to verify
+  Fixes #1974
+  Closes #1976
 
-  lib1900: use tutil_tvnow instead of gettimeofday
+- test298: verify --ftp-method nowcwd with URL encoded path
   
-  Makes it build on windows
+  Ref: #1974
 
-- [Eric Hu brought this change]
+- CURLOPT_XFERINFODATA.3: fix duplicate see also
 
-  axtls: now done non-blocking
+- CURLOPT_NOPROGRESS.3: also refer to xferinfofunction
 
-- [Eric Hu brought this change]
+- FAQ: s/CURLOPT_PROGRESSFUNCTION/CURLOPT_XFERINFOFUNCTION
 
-  test2033: requires NTLM support
+- openssl: enable PKCS12 support for !BoringSSL
+  
+  Enable PKCS12 for all non-boringssl builds without relying on configure
+  or cmake checks.
+  
+  Bug: https://curl.haxx.se/mail/lib-2017-10/0007.html
+  Reported-by: Christian Schmitz
+  Closes #1948
 
-- KNOWN_BUGS: #82 failed build with Borland compiler
+- [Kristiyan Tsaklev brought this change]
 
-- Curl_output_digest: support auth-int for empty entity body
+  curl: don't pass semicolons when parsing Content-Disposition
   
-  By always returning the md5 for an empty body when auth-int is asked
-  for, libcurl now at least sometimes does the right thing.
+  Test 1422 updated to verify.
   
-  Bug: http://curl.haxx.se/bug/view.cgi?id=1235
-  Patched-by: Nach M. S.
+  Closes #1964
 
-- multi_socket: reduce timeout inaccuracy margin
+Patrick Monnerat (9 Oct 2017)
+- mime: properly unbind mime structure in curl_mime_free().
   
-  Allow less room for "triggered too early" mistakes by applications /
-  timers on non-windows platforms. Starting now, we assume that a timeout
-  call is never made earlier than 3 milliseconds before the actual
-  timeout. This greatly improves timeout accuracy on Linux.
+  This allows freeing a mime structure bound to the easy handle before
+  curl_easy_cleanup().
   
-  Bug: http://curl.haxx.se/bug/view.cgi?id=1228
-  Reported-by: Hang Su
+  Fixes #1970.
 
-- cert_stuff: avoid double free in the PKCS12 code
+Daniel Stenberg (9 Oct 2017)
+- RTSP: avoid integer overflow on funny RTSP response
   
-  In the pkcs12 code, we get a list of x509 records returned from
-  PKCS12_parse but when iterating over the list and passing each to
-  SSL_CTX_add_extra_chain_cert() we didn't also properly remove them from
-  the "stack", which made them get freed twice (both in sk_X509_pop_free()
-  and then later in SSL_CTX_free).
+  ... like a very large non-existing RTSP version number.
   
-  This isn't really documented anywhere...
+  Added test 577 to verify.
   
-  Bug: http://curl.haxx.se/bug/view.cgi?id=1236
-  Reported-by: Nikaiw
+  Detected by OSS-fuzz.
+  Closes #1969
 
-- cert_stuff: remove code duplication in the pkcs12 logic
+Patrick Monnerat (8 Oct 2017)
+- ftpserver: properly reset $ftptargetdir.
 
-- [Aleksey Tulinov brought this change]
+- test643: verify curl_mime_subparts() rejects cyclic additions.
 
-  axtls: honor disabled VERIFYHOST
+- mime: refuse to add subparts to one of their own descendants.
   
-  When VERIFYHOST == 0, libcurl should let invalid certificates to pass.
+  Reported-by: Alexey Melnichuk
+  Fixes #1962
 
-- [Peter Gal brought this change]
+- mime: avoid resetting a part's encoder when part's contents change.
 
-  curl_easy_setopt.3: HTTP header with no content
+- mime: improve unbinding top multipart from easy handle.
   
-  Update the documentation on how to specify a HTTP header with no
-  content.
+  Also avoid dangling pointers in referencing parts.
 
-- RELEASE-NOTES: synced with 87cf677eca55
-  
-  Added 11 bugs and 7 contributors
+Daniel Stenberg (8 Oct 2017)
+- RELEASE-NOTES: synced with a4c1c75da30af1
 
-- lib1500: remove bad check
-  
-  After curl_multi_wait() returns, this test checked that we got exactly
-  one file descriptor told to read from, but we cannot be sure that is
-  true. curl_multi_wait() will sometimes return earlier without any file
-  descriptor to handle, just just because it is a suitable time to call
-  *perform().
-  
-  This problem showed up with commit 29bf0598.
-  
-  Bug: http://curl.haxx.se/mail/lib-2013-06/0029.html
-  Reported-by: Fabian Keil
+- curlver.h: next expected release is 7.57.0
 
-- tests/Makefile: typo in the perlcheck target
-  
-  Bug: http://curl.haxx.se/bug/view.cgi?id=1239
-  Reported-by: Christian Weisgerber
+Patrick Monnerat (8 Oct 2017)
+- mime: be tolerant about setting twice the same header list in a part.
 
-- test1230: verify CONNECT to a numerical ipv6-address
+- docs: clarify form/mime usage of non-regular data files.
 
-- sws: support extracting test number from CONNECT ipv6-address!
+Daniel Stenberg (8 Oct 2017)
+- Revert "multi_done: wait for name resolve to finish if still ongoing"
   
-  If an ipv6-address is provided to CONNECT, the last hexadecimal group in
-  the address will be used as the test number! For example the address
-  "[1234::ff]" would be treated as test case 255.
-
-- curl_multi_wait: only use internal timer if not -1
+  This reverts commit f3e03f6c0ac52a1bf396e03f7d7e9b5b3b7165fe.
   
-  commit 29bf0598aad5 introduced a problem when the "internal" timeout is
-  prefered to the given if shorter, as it didn't consider the case where
-  -1 was returned. Now the internal timeout is only considered if not -1.
+  Caused memory leaks in the fuzzer, needs to be done differently.
   
-  Reported-by: Tor Arntsen
-  Bug: http://curl.haxx.se/mail/lib-2013-06/0015.html
+  Disable test 1553 for now too, as it causes memory leaks without this
+  commit!
 
-Dan Fandrich (3 Jun 2013)
-- libcurl-tutorial.3: added a section on IPv6
+- remove_handle: call multi_done() first, then clear dns cache pointer
   
-  Also added a (correctly-escaped) backslash to the autoexec.bat
-  example file and a new Windows character device name with
-  a colon as examples of other characters that are special
-  and potentially dangerous (this reverts and reworks commit
-  7d8d2a54).
+  Closes #1960
 
-Daniel Stenberg (3 Jun 2013)
-- curl_multi_wait: reduce timeout if the multi handle wants to
+- multi_done: wait for name resolve to finish if still ongoing
   
-  If the multi handle's pending timeout is less than what is passed into
-  this function, it will now opt to use the shorter time anyway since it
-  is a very good hint that the handle wants to process something in a
-  shorter time than what otherwise would happen.
-  
-  curl_multi_wait.3 was updated accordingly to clarify
-  
-  This is the reason for bug #1224
-  
-  Bug: http://curl.haxx.se/bug/view.cgi?id=1224
-  Reported-by: Andrii Moiseiev
+  ... as we must clean up memory.
 
-- multi_runsingle: switch an if() condition for readability
+- pingpong: return error when trying to send without connection
   
-  ... because there's an identical check right next to it so using the
-  operators in the check in the same order increases readability.
-
-Marc Hoersken (2 Jun 2013)
-- curl_schannel.c: Removed variable unused since 35874298e4
-
-- curl_setup.h: Fixed redefinition warning using mingw-w64
-
-Daniel Stenberg (30 May 2013)
-- multi_runsingle: add braces to clarify the code
-
-- libcurl-tutorial.3: remove incorrect backslash
+  When imap_done() got called before a connection is setup, it would try
+  to "finish up" and dereffed a NULL pointer.
   
-  A single backslash in the content is not legal nroff syntax.
+  Test case 1553 managed to reproduce. I had to actually use a host name
+  to try to resolve to slow it down, as using the normal local server IP
+  will make libcurl get a connection in the first curl_multi_perform()
+  loop and then the bug doesn't trigger.
   
-  Reported and fixed by: Eric S. Raymond
-  Bug: http://curl.haxx.se/bug/view.cgi?id=1234
+  Fixes #1953
+  Assisted-by: Max Dymond
 
-- curl_formadd.3: fixed wrong "end-marker" syntax
+Dan Fandrich (6 Oct 2017)
+- tests: added flaky keyword to tests 587 and 644
   
-  Reported and fixed by: Eric S. Raymond
-  Bug: http://curl.haxx.se/bug/view.cgi?id=1233
-
-- curl.1: clarify that --silent still outputs data
+  These are around 5% flaky in my Linux x86 autobuilds.
 
-- Digest auth: escape user names with \ or " in them
+Marcel Raad (6 Oct 2017)
+- vtls: fix warnings with --disable-crypto-auth
   
-  When sending the HTTP Authorization: header for digest, the user name
-  needs to be escaped if it contains a double-quote or backslash.
+  When CURL_DISABLE_CRYPTO_AUTH is defined, Curl_none_md5sum's parameters
+  are not used.
+
+Daniel Stenberg (6 Oct 2017)
+- multi_cleanup: call DONE on handles that never got that
   
-  Test 1229 was added to verify
+  ... fixes a memory leak with at least IMAP when remove_handle is never
+  called and the transfer is abruptly just abandoned early.
   
-  Reported and fixed by: Nach M. S
-  Bug: http://curl.haxx.se/bug/view.cgi?id=1230
-
-- [Mike Giancola brought this change]
-
-  ossl_recv: SSL_read() returning 0 is an error too
+  Test 1552 added to verify
   
-  SSL_read can return 0 for "not successful", according to the open SSL
-  documentation: http://www.openssl.org/docs/ssl/SSL_read.html
+  Detected by OSS-fuzz
+  Assisted-by: Max Dymond
+  Closes #1954
 
-- [Mike Giancola brought this change]
+- [Benbuck Nason brought this change]
 
-  ossl_send: SSL_write() returning 0 is an error too
-  
-  We found that in specific cases if the connection is abruptly closed,
-  the underlying socket is listed in a close_wait state. We continue to
-  call the curl_multi_perform, curl_mutli_fdset etc. None of these APIs
-  report the socket closed / connection finished.  Since we have cases
-  where the multi connection is only used once, this can pose a problem
-  for us. I've read that if another connection was to come in, curl would
-  see the socket as bad and attempt to close it at that time -
-  unfortunately, this does not work for us.
+  strtoofft: Remove extraneous null check
   
-  I found that in specific situations, if SSL_write returns 0, curl did
-  not recognize the socket as closed (or errored out) and did not report
-  it to the application. I believe we need to change the code slightly, to
-  check if ssl_write returns 0. If so, treat it as an error - the same as
-  a negative return code.
+  Fixes #1950: curlx_strtoofft() doesn't fully protect against null 'str'
+  argument.
   
-  For OpenSSL - the ssl_write documentation is here:
-  http://www.openssl.org/docs/ssl/SSL_write.html
+  Closes #1952
 
-- KNOWN_BUGS: curl -OJC- fails to resume
+- openssl: fix build without HAVE_OPAQUE_EVP_PKEY
   
-  Bug: http://curl.haxx.se/bug/view.cgi?id=1169
+  Reported-by: Javier Sixto
+  Fixes #1955
+  Closes #1956
 
-- Curl_cookie_add: handle IPv6 hosts
+Viktor Szakats (6 Oct 2017)
+- lib/config-win32.h: let SMB/SMBS be enabled with OpenSSL/NSS
   
-  1 - don't skip host names with a colon in them in an attempt to bail out
-  on HTTP headers in the cookie file parser. It was only a shortcut anyway
-  and trying to parse a file with HTTP headers will still be handled, only
-  slightly slower.
+  The source code is now prepared to handle the case when both
+  Win32 Crypto and OpenSSL/NSS crypto backends are enabled
+  at the same time, making it now possible to enable `USE_WIN32_CRYPTO`
+  whenever the targeted Windows version supports it. Since this
+  matches the minimum Windows version supported by curl
+  (Windows 2000), enable it unconditionally for the Win32 platform.
   
-  2 - don't skip domain names based on number of dots. The original
-  netscape cookie spec had this oddity mentioned and while our code
-  decreased the check to only check for two, the existing cookie spec has
-  no such dot counting required.
+  This in turn enables SMB (and SMBS) protocol support whenever
+  Win32 Crypto is available, regardless of what other crypto backends
+  are enabled.
   
-  Bug: http://curl.haxx.se/bug/view.cgi?id=1221
-  Reported-by: Stefan Neis
+  Ref: https://github.com/curl/curl/pull/1840#issuecomment-325682052
+  
+  Closes https://github.com/curl/curl/pull/1943
 
-- curl_easy_setopt.3: expand the PROGRESSFUNCTION section
+Daniel Stenberg (5 Oct 2017)
+- build: fix --disable-crypto-auth
   
-  Explain the callback and its arguments better and with more descriptive
-  text.
+  Reported-by: Wyatt O'Day
+  Fixes #1945
+  Closes #1947
 
-- tests: add test1394 file to the tarball
+Jay Satiro (5 Oct 2017)
+- [Nick Zitzmann brought this change]
 
-- tarball: include the xmlstream example
+  darwinssl: add support for TLSv1.3
+  
+  Closes https://github.com/curl/curl/pull/1794
 
-- [David Strauss brought this change]
+Daniel Stenberg (4 Oct 2017)
+- [Felix Kaiser brought this change]
 
-  xmlstream: XML stream parsing example source code
+  docs: fix typo in curl_mime_data_cb man page
   
-  Add an XML stream parsing example using Expat. Add missing ignore for
-  the binary from an unrelated example.
+  Closes #1946
 
-- [YAMADA Yasuharu brought this change]
-
-  cookies: only consider full path matches
+Viktor Szakats (4 Oct 2017)
+- lib/Makefile.m32: allow customizing dll suffixes
   
-  I found a bug which cURL sends cookies to the path not to aim at.
-  For example:
-  - cURL sends a request to http://example.fake/hoge/
-  - server returns cookie which with path=/hoge;
-    the point is there is NOT the '/' end of path string.
-  - cURL sends a request to http://example.fake/hogege/ with the cookie.
+  - New `CURL_DLL_SUFFIX` envvar will add a suffix to the generated
+    libcurl dll name. Useful to add `-x64` to 64-bit builds so that
+    it can live in the same directory as the 32-bit one. By default
+    this is empty.
   
-  The reason for this old "feature" is because that behavior is what is
-  described in the original netscape cookie spec:
-  http://curl.haxx.se/rfc/cookie_spec.html
+  - New `CURL_DLL_A_SUFFIX` envvar to customize the suffix of the
+    generated import library (implib) for libcurl .dll. It defaults
+    to `dll`, and it's useful to modify that to `.dll` to have the
+    standard naming scheme for mingw-built .dlls, i.e. `libcurl.dll.a`.
   
-  The current cookie spec (RFC6265) clarifies the situation:
-  http://tools.ietf.org/html/rfc6265#section-5.2.4
-
-- [Eric Hu brought this change]
+  Closes https://github.com/curl/curl/pull/1942
 
-  axtls: prevent memleaks on SSL handshake failures
+Daniel Stenberg (4 Oct 2017)
+- [Max Dymond brought this change]
 
-- Revert "WIN32 MemoryTracking: track wcsdup() _wcsdup() and _tcsdup() usage"
+  fuzzer: move to using external curl-fuzzer
   
-  This reverts commit 8ec2cb5544b86306b702484ea785b6b9596562ab.
+  Use the external curl-fuzzer repository for fuzzing.
   
-  We don't have any code anywhere in libcurl (or the curl tool) that use
-  wcsdup so there's no such memory use to track. It seems to cause mild
-  problems with the Borland compiler though that we may avoid by reverting
-  this change again.
+  Closes #1923
+
+- failf: skip the sprintf() if there are no consumers
   
-  Bug: http://curl.haxx.se/mail/lib-2013-05/0070.html
+  Closes #1936
 
-- RELEASE-NOTES: synced with ae26ee3489588f0
+- ftp: UBsan fixup 'pointer index expression overflowed'
+  
+  Closes #1939
 
-Guenter Knauf (11 May 2013)
-- Updated zlib version in build files.
+- RELEASE-PROCEDURE: update the release schedule
 
-Daniel Stenberg (9 May 2013)
-- [Renaud Guillard brought this change]
+Version 7.56.0 (4 Oct 2017)
 
-  OS X framework: fix invalid symbolic link
+Daniel Stenberg (4 Oct 2017)
+- RELEASE-NOTES: curl 7.56.0
 
-Kamil Dudka (9 May 2013)
-- [Daniel Stenberg brought this change]
+- THANKS: added new 7.56.0 contributors
 
-  nss: give PR_INTERVAL_NO_WAIT instead of -1 to PR_Recv/PR_Send
+Jay Satiro (4 Oct 2017)
+- build-openssl.bat: Warn OpenSSL 1.1.0 not yet supported
   
-  Reported by: David Strauss
-  Bug: http://curl.haxx.se/mail/lib-2013-05/0088.html
+  Ref: https://github.com/curl/curl/issues/1002
 
-Daniel Stenberg (8 May 2013)
-- libtest: gitignore more binary files
+Michael Kaufmann (3 Oct 2017)
+- idn: fix source code comment
 
-- servercert: allow empty subject
+- vtls: compare and clone ssl configs properly
   
-  Bug: http://curl.haxx.se/bug/view.cgi?id=1220
-  Patch by: John Gardiner Myers
-
-- [Steve Holme brought this change]
+  Compare these settings in Curl_ssl_config_matches():
+  - verifystatus (CURLOPT_SSL_VERIFYSTATUS)
+  - random_file (CURLOPT_RANDOM_FILE)
+  - egdsocket (CURLOPT_EGDSOCKET)
+  
+  Also copy the setting "verifystatus" in Curl_clone_primary_ssl_config(),
+  and copy the setting "sessionid" unconditionally.
+  
+  This means that reusing connections that are secured with a client
+  certificate is now possible, and the statement "TLS session resumption
+  is disabled when a client certificate is used" in the old advisory at
+  https://curl.haxx.se/docs/adv_20170419.html is obsolete.
+  
+  Reviewed-by: Daniel Stenberg
+  
+  Closes #1917
 
-  tests: Added new SMTP tests to verify commit 99b40451836d
+- proxy: read the "no_proxy" variable only if necessary
+  
+  Reviewed-by: Daniel Stenberg
+  
+  Closes #1919
 
-- runtests.pl: support nonewline="yes" in client/stdin sections
+Patrick Monnerat (3 Oct 2017)
+- libcurl-tutorial: add casts in example to avoid compilation warnings.
 
-- build: fixed unit1394 for debug and metlink builds
+Daniel Stenberg (3 Oct 2017)
+- examples: bring back curl_formadd-using examples
+  
+  ... now with a -formadd suffix. While the new mime API is introduced in
+  7.56.0 we must acknowledge that lots of users can't upgrade their curl
+  versions immediately.
 
-Kamil Dudka (6 May 2013)
-- unit1394.c: plug the curl tool unit test in
+- test1153: verify quoted double-qoutes in PWD response
 
-- [Jared Jennings brought this change]
+- FTP: zero terminate the entry path even on bad input
+  
+  ... a single double quote could leave the entry path buffer without a zero
+  terminating byte. CVE-2017-1000254
+  
+  Test 1152 added to verify.
+  
+  Reported-by: Max Dymond
+  Bug: https://curl.haxx.se/docs/adv_20171004.html
 
-  unit1394.c: basis of a unit test for parse_cert_parameter()
+Jay Satiro (2 Oct 2017)
+- [Sergei Nikulov brought this change]
 
-- src/Makefile.am: build static lib for unit tests if enabled
+  cmake: disable tests and man generation if perl/nroff not found
+  
+  Fixes https://github.com/curl/curl/issues/1500
+  Reported-by: Jay Satiro
+  
+  Fixes https://github.com/curl/curl/pull/1662
+  Assisted-by: Tom Seddon
+  Assisted-by: dpull@users.noreply.github.com
+  Assisted-by: elelel@users.noreply.github.com
+  
+  Closes https://github.com/curl/curl/pull/1924
 
-- tool_getparam: ensure string termination in parse_cert_parameter()
+Patrick Monnerat (2 Oct 2017)
+- libcurl-tutorial: fix two typos.
 
-- tool_getparam: fix memleak in handling the -E option
+- TODO: remove deprecated form API items.
 
-- tool_getparam: describe what parse_cert_parameter() does
+- libcurl-tutorial: describe MIME API and deprecate form API.
   
-  ... and de-duplicate the code initializing *passphrase
-
-- curl.1: document escape sequences recognized by -E
-
-- [Jared Jennings brought this change]
+  Include a guide to form/mime API conversion.
 
-  curl -E: allow to escape ':' in cert nickname
+Daniel Stenberg (30 Sep 2017)
+- cookie: fix memory leak if path was set twice in header
+  
+  ... this will let the second occurance override the first.
+  
+  Added test 1161 to verify.
+  
+  Reported-by: Max Dymond
+  Fixes #1932
+  Closes #1933
 
-Marc Hoersken (5 May 2013)
-- curl_schannel.c: Fixed invalid memory access during SSL shutdown
+Dan Fandrich (30 Sep 2017)
+- test650: Use variable replacement to set the host address and port
+  
+  Otherwise, the test fails when the -b test option is used to set a
+  different test port range.
 
-Steve Holme (4 May 2013)
-- smtp: Fix trailing whitespace warning
+- Set and use more necessary options when some protocols are disabled
+  
+  When curl and libcurl are built with some protocols disabled, they stop
+  setting and receiving some options that don't make sense with those
+  protocols.  In particular, when HTTP is disabled many options aren't set
+  that are used only by HTTP.  However, some options that appear to be
+  HTTP-only are actually used by other protocols as well (some despite
+  having HTTP in the name) and should be set, but weren't. This change now
+  causes some of these options to be set and used for more (or for all)
+  protocols. In particular, this fixes tests 646 through 649 in an
+  HTTP-disabled build, which use the MIME API in the mail protocols.
 
-- smtp: Fix compilation warning
+Daniel Stenberg (29 Sep 2017)
+- test1160: verifies cookie leak for large cookies
   
-  comparison between signed and unsigned integer expressions
+  The fix done in 20ea22ff735
 
-- RELEASE-NOTES: synced with 92ef5f19c801
+- cookie: fix memory leak on oversized rejection
+  
+  Regression brought by 2bc230de63b
+  
+  Detected by OSS-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3513
+  Assisted-by: Max Dymond
+  
+  Closes #1930
 
-- smtp: Updated RFC-2821 references to RFC-5321
+- [Anders Bakken brought this change]
 
-- smtp: Fixed sending of double CRLF caused by first in EOB
+  connect: fix race condition with happy eyeballs timeout
   
-  If the mail sent during the transfer contains a terminating <CRLF> then
-  we should not send the first <CRLF> of the EOB as specified in RFC-5321.
+  The timer should be started after conn->connecttime is set. Otherwise
+  the timer could expire without this condition being true:
   
-  Additionally don't send the <CRLF> if there is "no mail data" as the
-  DATA command already includes it.
-
-- tests: Corrected MAIL SIZE for CRLF line endings
+      /* should we try another protocol family? */
+      if(i == 0 && conn->tempaddr[1] == NULL &&
+        curlx_tvdiff(now, conn->connecttime) >= HAPPY_EYEBALLS_TIMEOUT) {
   
-  ... which was missed in commit: f5c3d9538452
+  Ref: #1928
 
-- tests: Corrected infilesize for CRLF line endings
+Michael Kaufmann (28 Sep 2017)
+- docs: link CURLOPT_CONNECTTIMEOUT and CURLOPT_CONNECTTIMEOUT_MS
   
-  ... which was missed in commit: f5c3d9538452
-
-- tests: Corrected test1406 to be RFC2821 compliant
+  Closes #1922
 
-- tests: Corrected test1320 to be RFC2821 compliant
+- docs: clarify the use of environment variables for proxy
+  
+  Closes #1921
 
-- tests: Corrected typo in test909
+- http: add custom empty headers to repeated requests
   
-  Introduced in commit: 514817669e9e
+  Closes #1920
 
-- tests: Corrected test909 to be RFC2821 compliant
+- reuse_conn: don't copy flags that are known to be equal
+  
+  A connection can only be reused if the flags "conn_to_host" and
+  "conn_to_port" match. Therefore it is not necessary to copy these flags
+  in reuse_conn().
+  
+  Closes #1918
 
-- tests: Updated test references to 909 from 1411
+Daniel Stenberg (27 Sep 2017)
+- curl.h: include <sys/select.h> on cygwin too
+  
+  When building with -std=c++14 on cygwin, this header won't be
+  automatically included as it otherwise is.
   
-  ...and removed references to libcurl and test1406.
+  The <sys/select.h> include decision should ideally be reversed and be
+  avoided where that header file doesn't exist.
+  
+  Reported-by: Ian Fette
+  Fixes #1925
 
-- tests: Renamed test1411 to test909 as this is a main SMTP test
+- RELEASE-NOTES: synced with d8ab5dc50
 
-Daniel Stenberg (1 May 2013)
-- [Lars Johannesen brought this change]
+Michael Kaufmann (24 Sep 2017)
+- tests: adjust .gitignore for new tests
 
-  bindlocal: move brace out of #ifdef
+Jay Satiro (23 Sep 2017)
+- ntlm: move NTLM_NEEDS_NSS_INIT define into core NTLM header
+  
+  .. and include the core NTLM header in all NTLM-related source files.
   
-  The code within #ifdef HAVE_SOCKADDR_IN6_SIN6_SCOPE_ID wrongly had two
-  closing braces when it should only have one, so builds without that
-  define would fail.
+  Follow up to 6f86022. Since then http_ntlm checks NTLM_NEEDS_NSS_INIT
+  but did not include vtls.h where it was defined.
   
-  Bug: http://curl.haxx.se/mail/lib-2013-05/0000.html
+  Closes https://github.com/curl/curl/pull/1911
 
-Steve Holme (30 Apr 2013)
-- smtp: Tidy up to move the eob counter to the per-request structure
+Daniel Stenberg (23 Sep 2017)
+- file_range: avoid integer overflow when figuring out byte range
   
-  Move the eob counter from the smtp_conn structure to the SMTP structure
-  as it is associated with a SMTP payload on a per-request basis.
+  When trying to bump the value with one and the value is already at max,
+  it causes an integer overflow.
+  
+  Closes #1908
+  Detected by oss-fuzz:
+  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3465
+  
+  Assisted-by: Max Dymond
 
-- TODO: Updated following the addition of CURLOPT_SASL_IR
+Michael Kaufmann (23 Sep 2017)
+- tests: fix a compiler warning in test 643
 
-- smtp: Fixed unknown percentage complete in progress bar
+Jay Satiro (23 Sep 2017)
+- symbols-in-versions: fix CURLSSLSET_NO_BACKENDS entry
   
-  The curl command line utility would display the the completed progress
-  bar with a percentage of zero as the progress routines didn't know the
-  size of the transfer.
+  - Use spaces instead of tabs as the delimiter.
+  
+  Follow up to 7c52b12 which added the entry. The entry had used tabs but
+  the symbol-scan parser doesn't recognize tabs and would fail the symbol.
 
-Daniel Stenberg (29 Apr 2013)
-- ftpserver: silence warnings
+Viktor Szakats (22 Sep 2017)
+- metalink: fix NSS issue in MultiSSL builds
+  
+  In MultiSSL mode (i.e. when more than one SSL backend is compiled
+  in), we cannot use the compile time flag `USE_NSS` as indicator that
+  the NSS backend is in use. As far as Metalink is concerned, the SSL
+  backend is only used for MD5, SHA-1 and SHA-256 calculations,
+  therefore one of the available SSL backends is selected at compile
+  time, in a strict order of preference.
   
-  Fix regressions in commit b56e3d43e5d. Make @data local and filter off
-  non-numerical digits from $testno in STATUS_imap.
+  Let's introduce a new `HAVE_NSS_CONTEXT` constant that can be used
+  to determine whether the SSL backend used for Metalink is the NSS
+  backend, and use that to guard the code that wants to de-initialize
+  the NSS-specific data structure.
+  
+  Ref: https://github.com/curl/curl/pull/1848
 
-Steve Holme (29 Apr 2013)
-- ftpserver.pl: Corrected the imap LOGIN response
+- ntlm: use strict order for SSL backend #if branches
+  
+  With the recently introduced MultiSSL support multiple SSL backends
+  can be compiled into cURL That means that now the order of the SSL
+  
+  One option would be to use the same SSL backend as was configured
+  via `curl_global_sslset()`, however, NTLMv2 support would appear
+  to be available only with some SSL backends. For example, when
+  eb88d778e (ntlm: Use Windows Crypt API, 2014-12-02) introduced
+  support for NTLMv1 using Windows' Crypt API, it specifically did
+  *not* introduce NTLMv2 support using Crypt API at the same time.
+  
+  So let's select one specific SSL backend for NTLM support when
+  compiled with multiple SSL backends, using a priority order such
+  that we support NTLMv2 even if only one compiled-in SSL backend can
+  be used for that.
   
-  ...to be more realistic and consistent with the other imap responses.
+  Ref: https://github.com/curl/curl/pull/1848
 
-- tests: Added imap STATUS command test
+Daniel Stenberg (22 Sep 2017)
+- symbols-in-versions: add CURLSSLSET_NO_BACKENDS
+  
+  ...fixup from b8e0fe19ec
 
-- tests: Corrected the SMTP tests to be RFC2821 compliant
+- imap: quote atoms properly when escaping characters
   
-  The emails that are sent to the server during these tests were
-  incorrectly formatted as they contained one or more LF terminated lines
-  rather than being CRLF terminated as per Section 2.3.7 of RFC-2821.
+  Updates test 800 to verify
   
-  This wasn't a problem for the test suite as the <stdin> data matched the
-  <upload> data but anyone using these tests as reference would be sending
-  incorrect data to a server.
+  Fixes #1902
+  Closes #1903
 
-- email: Tidy up of *_perform_authenticate()
+- tests: make the imap server not verify user+password
+  
+  ... as the test cases themselves do that and it makes it easier to add
+  crazy test cases.
+  
+  Test 800 updated to use user name + password that need quoting.
+  
+  Test 856 updated to trigger an auth fail differently.
   
-  Removed the hard returns from imap and pop3 by using the same style for
-  sending the authentication string as smtp. Moved the "Other mechanisms
-  not supported" check in smtp to match that of imap and pop3 to provide
-  consistency between the three email protocols.
+  Ref: #1902
 
-- smtp: Updated limit check to be more readable like the check in pop3
+- vtls: provide curl_global_sslset() even in non-SSL builds
+  
+  ... it just returns error:
+  
+  Bug: https://github.com/curl/curl/commit/1328f69d53f2f2e937696ea954c480412b018451#commitcomment-24470367
+  Reported-by: Marcel Raad
+  
+  Closes #1906
 
-- pop3: Added 255 octet limit check when sending initial response
+Patrick Monnerat (22 Sep 2017)
+- form/mime: field names are not allowed to contain zero-valued bytes.
   
-  Added 255 octet limit check as per Section 4. Paragraph 8 of RFC-5034.
+  Also suppress length argument of curl_mime_name() (names are always
+  zero-terminated).
 
-- DOCS: Corrected line length of recent Secure Transport changes
+Daniel Stenberg (21 Sep 2017)
+- [Dirk Feytons brought this change]
 
-Nick Zitzmann (27 Apr 2013)
-- darwinssl: add TLS crypto authentication
+  openssl: only verify RSA private key if supported
+  
+  In some cases the RSA key does not support verifying it because it's
+  located on a smart card, an engine wants to hide it, ...
+  Check the flags on the key before trying to verify it.
+  OpenSSL does the same thing internally; see ssl/ssl_rsa.c
   
-  Users using the Secure Transport (darwinssl) back-end can now use a
-  certificate and private key to authenticate with a site using TLS. Because
-  Apple's security system is based around the keychain and does not have any
-  non-public function to create a SecIdentityRef data structure from data
-  loaded outside of the Keychain, the certificate and private key have to be
-  loaded into the Keychain first (using the certtool command line tool or
-  the Security framework's C API) before we can find it and use it.
+  Closes #1904
 
-Steve Holme (27 Apr 2013)
-- Corrected version numbers after bump
+Marcel Raad (21 Sep 2017)
+- examples/post-callback: use long for CURLOPT_POSTFIELDSIZE
+  
+  Otherwise, typecheck-gcc.h warns on MinGW-w64.
 
-Daniel Stenberg (27 Apr 2013)
-- bump version
+Patrick Monnerat (20 Sep 2017)
+- mime: rephrase the multipart output state machine (#1898) ...
   
-  Since we're adding new stuff, the next release will bump the minor
-  version and we're looking forward to 7.31.0
+  ... in hope coverity will like it much.
 
-Steve Holme (27 Apr 2013)
-- RELEASE-NOTES: synced with f4e6e201b146
+- mime: fix an explicit null dereference (#1899)
 
-- DOCS: Updated following the addition of CURLOPT_SASL_IR
+Daniel Stenberg (20 Sep 2017)
+- curl: check fseek() return code and bail on error
   
-  Documented the the option in curl_easy_setopt() and added it to
-  symbols-in-versions.
+  Detected by coverity. CID 1418137.
 
-- tests: Corrected command line arguments in test907 and test908
+- smtp: fix memory leak in OOM
+  
+  Regression since ce0881edee
+  
+  Coverity CID 1418139 and CID 1418136 found it, but it was also seen in
+  torture testing.
 
-- tests: Added SMTP AUTH with initial response tests
+- RELEASE-NOTES: synced with 5fe85587c
 
-- tests: Updated SMTP tests to decouple client initial response
-  
-  Updated test903 and test904 following the addition of CURLOPT_SASL_IR
-  as the default behaviour of SMTP AUTH responses is now to not include
-  the initial response. New tests with --sasl-ir support to follow.
+- [Pavel Pavlov brought this change]
 
-- imap: Added support for overriding the SASL initial response
+  cookies: use lock when using CURLINFO_COOKIELIST
   
-  In addition to checking for the SASL-IR capability the user can override
-  the sending of the client's initial response in the AUTHENTICATION
-  command with the use of CURLOPT_SASL_IR should the server erroneously
-  not report SASL-IR when it does support it.
+  Closes #1896
 
-- smtp: Added support for disabling the SASL initial response
+- [Max Dymond brought this change]
+
+  ossfuzz: changes before merging the generated corpora
   
-  Updated the default behaviour of sending the client's initial response in the AUTH
-  command to not send it and added support for CURLOPT_SASL_IR to allow the user to
-  specify including the response.
+  Before merging in the oss-fuzz corpora from Google, there are some changes
+  to the fuzzer.
+  - Add a read corpus script, to display corpus files nicely.
+  - Change the behaviour of the fuzzer so that TLV parse failures all now
+    go down the same execution paths, which should reduce the size of the
+    corpora.
+  - Make unknown TLVs a failure to parse, which should decrease the size
+    of the corpora as well.
   
-  Related Bug: http://curl.haxx.se/mail/lib-2012-03/0114.html
-  Reported-by: Gokhan Sengun
+  Closes #1881
 
-- pop3: Added support for enabling the SASL initial response
+- mime:escape_string minor clarification change
   
-  Allowed the user to specify whether to send the client's intial response
-  in the AUTH command via CURLOPT_SASL_IR.
-
-- sasl-ir: Added --sasl-ir option to curl command line tool
+  ... as it also removes a warning with old gcc versions.
+  
+  Bug: https://curl.haxx.se/mail/lib-2017-09/0049.html
+  Reported-by: Ben Greear
 
-- sasl-ir: Added CURLOPT_SASL_IR to enable/disable the SASL initial response
+- [Max Dymond brought this change]
 
-Daniel Stenberg (26 Apr 2013)
-- curl_easy_init: use less mallocs
+  ossfuzz: don't write out to stdout
   
-  By introducing an internal alternative to curl_multi_init() that accepts
-  parameters to set the hash sizes, easy handles will now use tiny socket
-  and connection hash tables since it will only ever add a single easy
-  handle to that multi handle.
+  Don't make the fuzzer write out to stdout - instead write some of the
+  contents to a memory block so we exercise the data output code but
+  quietly.
   
-  This decreased the number mallocs in test 40 (which is a rather simple
-  and typical easy interface use case) from 1142 to 138. The maximum
-  amount of memory allocated used went down from 118969 to 78805.
+  Closes #1885
 
-Steve Holme (26 Apr 2013)
-- ftpserver.pl: Fixed imap logout confirmation data
+- cookies: reject oversized cookies
   
-  An IMAP server should response with the BYE continuation response before
-  confirming the LOGOUT command was successful.
-
-Daniel Stenberg (26 Apr 2013)
-- ftp_state_pasv_resp: connect through proxy also when set by env
+  ... instead of truncating them.
   
-  When connecting back to an FTP server after having sent PASV/EPSV,
-  libcurl sometimes didn't use the proxy properly even though the proxy
-  was used for the initial connect.
+  There's no fixed limit for acceptable cookie names in RFC 6265, but the
+  entire cookie is said to be less than 4096 bytes (section 6.1). This is
+  also what browsers seem to implement.
   
-  The function wrongly checked for the CURLOPT_PROXY variable to be set,
-  which made it act wrongly if the proxy information was set with an
-  environment variable.
+  We now allow max 5000 bytes cookie header. Max 4095 bytes length per
+  cookie name and value. Name + value together may not exceed 4096 bytes.
   
-  Added test case 711 to verify (based on 707 which uses --socks5). Also
-  added test712 to verify another variation of setting the proxy: with
-  --proxy socks5://
+  Added test 1151 to verify
   
-  Bug: http://curl.haxx.se/bug/view.cgi?id=1218
-  Reported-by: Zekun Ni
-
-Kamil Dudka (26 Apr 2013)
-- [Zdenek Pavlas brought this change]
+  Bug: https://curl.haxx.se/mail/lib-2017-09/0062.html
+  Reported-by: Kevin Smith
+  
+  Closes #1894
 
-  url: initialize speed-check data for file:// protocol
+- travis: on mac, don't install openssl or libidn
   
-  ... in order to prevent an artificial timeout event based on stale
-  speed-check data from a previous network transfer.  This commit fixes
-  a regression caused by 9dd85bced56f6951107f69e581c872c1e7e3e58e.
+  - openssl is already installed and causes warnings when trying to
+    install again
   
-  Bug: https://bugzilla.redhat.com/906031
-
-Daniel Stenberg (25 Apr 2013)
-- test709: clarify the test in the name
+  - libidn isn't used these days, and homebrew doesn't seem to have a
+    libidn2 package to replace with easily
+  
+  Closes #1895
 
-- sshserver: disable StrictHostKeyChecking
+- curl: make str2udouble not return values on error
   
-  I couldn't figure out why the host key logic isn't working, but having
-  it set to yes prevents my SSH-based test cases to run. I also don't see
-  a strong need to use strict host key checking on this test server.
+  ... previously it would store a return value even when it returned
+  error, which could make the value get used anyway!
   
-  So I disabled it.
+  Reported-by: Brian Carpenter
+  Closes #1893
 
-- runtests: log more commands in verbose mode
+Jay Satiro (18 Sep 2017)
+- socks: fix incorrect port number in SOCKS4 error message
   
-  ... to aid tracking down failures
+  Prior to this change it appears the SOCKS5 port parsing was erroneously
+  used for the SOCKS4 error message, and as a result an incorrect port
+  would be shown in the error message.
+  
+  Bug: https://github.com/curl/curl/issues/1892
+  Reported-by: Jackarain@users.noreply.github.com
+
+- [Marc Aldorasi brought this change]
 
-Steve Holme (25 Apr 2013)
-- TODO: Corrected copy/paste typo
+  schannel: Support partial send for when data is too large
+  
+  Schannel can only encrypt a certain amount of data at once.  Instead of
+  failing when too much data is to be sent at once, send as much data as
+  we can and let the caller send the remaining data by calling send again.
+  
+  Bug: https://curl.haxx.se/mail/lib-2014-07/0033.html
+  
+  Closes https://github.com/curl/curl/pull/1890
 
-- TODO: Added new ideas for future SMTP, POP3 and IMAP features
+- [David Benjamin brought this change]
 
-- TODO: Updated following the addition of ;auth=<MECH> support
+  openssl: add missing includes
+  
+  lib/vtls/openssl.c uses OpenSSL APIs from BUF_MEM and BIO APIs. Include
+  their headers directly rather than relying on other OpenSSL headers
+  including things.
+  
+  Closes https://github.com/curl/curl/pull/1891
 
-- DOCS: Minor rewording / clarification of host name protocol detection
+Daniel Stenberg (15 Sep 2017)
+- conversions: fix several compiler warnings
 
-- RELEASE-NOTES: synced with a8c92cb60890
+- server/getpart: provide dummy function to build conversion enabled
 
-- DOCS: Added reference to IETF draft for SMTP URL Interface
+- non-ascii: use iconv() with 'char **' argument
   
-  ...when mentioning login options. Additional minor clarification of
-  "Windows builds" to be "Windows builds with SSPI"as a way of enabling
-  NTLM as Windows builds may be built with OpenSSL to enable NTLM or
-  without NTLM support altogether.
+  Bug: https://curl.haxx.se/mail/lib-2017-09/0031.html
 
-Linus Nielsen Feltzing (23 Apr 2013)
-- HISTORY: Fix spelling error.
+- escape.c: error: pointer targets differ in signedness
 
-Steve Holme (23 Apr 2013)
-- DOCS: Reworked the scheme calculation explanation under CURLOPT_URL
+- docs: clarify the CURLOPT_INTERLEAVE* options behavior
 
-- url: Added smtp and pop3 hostnames to the protocol detection list
+- [Max Dymond brought this change]
 
-Daniel Stenberg (23 Apr 2013)
-- HISTORY: correct some years/dates
+  rtsp: Segfault in rtsp.c when using WRITEDATA
   
-  Thanks to archive.org's wayback machine I updated this document with
-  some facts from the early httpget/urlget web page:
+  If the INTERLEAVEFUNCTION is defined, then use that plus the
+  INTERLEAVEDATA information when writing RTP. Otherwise, use
+  WRITEFUNCTION and WRITEDATA.
   
-  http://web.archive.org/web/19980216125115/http://www.inf.ufrgs.br/~sagula/urlget.html
+  Fixes #1880
+  Closes #1884
 
-- [Alessandro Ghedini brought this change]
+Marcel Raad (15 Sep 2017)
+- [Isaac Boukris brought this change]
 
-  tests: add test1511 to check timecond clean-up
+  tests: enable gssapi in travis-ci linux build
   
-  Verifies the timecond fix in commit c49ed0b6c0f
+  Closes https://github.com/curl/curl/pull/1687
 
-- [Alessandro Ghedini brought this change]
+- [Isaac Boukris brought this change]
 
-  getinfo.c: reset timecond when clearing session-info variables
+  tests: add initial gssapi test using stub implementation
   
-  Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=705783
-  Reported-by: Ludovico Cavedon <cavedon@debian.org>
-
-Steve Holme (22 Apr 2013)
-- DOCS: Added information about login options to CURLOPT_USERPWD
+  The stub implementation is pre-loaded using LD_PRELOAD
+  and emulates common gssapi uses (only builds if curl is
+  initially built with gssapi support).
+  
+  The initial tests are currently disabled for debug builds
+  as LD_PRELOAD is not used then.
+  
+  Ref: https://github.com/curl/curl/pull/1687
 
-- DOCS: Added information about login options in the URL
+Daniel Stenberg (15 Sep 2017)
+- test1150: verify same host fetch using different ports over proxy
+  
+  Closes #1889
 
-- url: Fixed missing length check in parse_proxy()
+- URL: on connection re-use, still pick the new remote port
+  
+  ... as when a proxy connection is being re-used, it can still get a
+  different remote port.
   
-  Commit 11332577b3cb removed the length check that was performed by the
-  old scanf() code.
+  Fixes #1887
+  Reported-by: Oli Kingshott
 
-- url: Fixed crash when no username or password supplied for proxy
+- RELEASE-NOTES: synced with 87501e57f
+
+- code style: remove wrong uses of multiple spaces
   
-  Fixed an issue in parse_proxy(), introduced in commit 11332577b3cb,
-  where an empty username or password (For example: http://:@example.com)
-  would cause a crash.
+  Closes #1878
 
-- url: Removed unused text length constants
+- checksrc: detect and warn for multiple spaces
 
-- url: Updated proxy URL parsing to use parse_login_details()
+- code style: use space after semicolon
 
-- url: Tidy up of setstropt_userpwd() parameters
-  
-  Updated the naming convention of the login parameters to match those of
-  other functions.
+- checksrc: verify space after semicolons
 
-- url: Tidy up of code and comments following recent changes
-  
-  Tidy up of variable names and comments in setstropt_userpwd() and
-  parse_login_details().
+- code style: use spaces around pluses
 
-- url: Simplified setstropt_userpwd() following recent changes
-  
-  There is no need to perform separate clearing of data if a NULL option
-  pointer is passed in. Instead this operation can be performed by simply
-  not calling parse_login_details() and letting the rest of the code do
-  the work.
+- checksrc: detect and warn for lack of spaces next to plus signs
 
-- url: Correction to scope of if statements when setting data
+- code style: use spaces around equals signs
 
-- url: Fixed memory leak in setstropt_userpwd()
+- checksrc: verify spaces around equals signs
   
-  setstropt_userpwd() was calling setstropt() in commit fddb7b44a79d to
-  set each of the login details which would duplicate the strings and
-  subsequently cause a memory leak.
+  ... as the code style mandates.
 
-- RELEASE-NOTES: synced with d535c4a2e1f7
+- Curl_checkheaders: make it available for IMAP and SMTP too
+  
+  ... not only HTTP uses this now.
+  
+  Closes #1875
 
-- url: Added overriding of URL login options from CURLOPT_USERPWD
+- travis: add build without HTTP/SMTP/IMAP
 
-- tool_paramhlp: Fixed options being included in username
+Jay Satiro (10 Sep 2017)
+- mbedtls: enable CA path processing
   
-  Fix to prevent the options from being displayed when curl requests the
-  user's password if the following command line is specified:
+  CA path processing was implemented when mbedtls.c was added to libcurl
+  in fe7590f, but it was never enabled.
   
-  --user username;options
+  Bug: https://github.com/curl/curl/issues/1877
+  Reported-by: SBKarr@users.noreply.github.com
 
-- url: Added support for parsing login options from the CURLOPT_USERPWD
+Daniel Stenberg (8 Sep 2017)
+- rtsp: do not call fwrite() with NULL pointer FILE *
   
-  In addition to parsing the optional login options from the URL, added
-  support for parsing them from CURLOPT_USERPWD, to allow the following
-  supported command line:
+  If the default write callback is used and no destination has been set, a
+  NULL pointer would be passed to fwrite()'s 4th argument.
   
-  --user username:password;options
+  OSS-fuzz bug https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3327
+  (not publicly open yet)
+  
+  Detected by OSS-fuzz
+  Closes #1874
 
-- url: Added bounds checking to parse_login_details()
+- configure: use -Wno-varargs on clang 3.9[.X] debug builds
   
-  Added bounds checking when searching for the separator characters within
-  the login string as this string may not be NULL terminated (For example
-  it is the login part of a URL). We do this in preference to allocating a
-  new string to copy the login details into which could then be passed to
-  parse_login_details() for performance reasons.
+  ... to avoid a clang bug
 
-- url: Added size_t cast to pointer based length calculations
+- [Max Dymond brought this change]
 
-- url: Corrected minor typo in comment
+  ossfuzz: add some more handled CURL options
+  
+  Add support for HEADER, COOKIE, RANGE, CUSTOMREQUEST, MAIL_RECIPIENT,
+  MAIL_FROM and uploading data.
 
-Daniel Stenberg (18 Apr 2013)
-- CURL_CHECK_CA_BUNDLE: don't check for paths when cross-compiling
+- configure: check for C++ compiler after C, to make it non-fatal
   
-  When cross-compiling we can't scan and detect existing files or paths.
+  The tests for object file/executable file extensions are presumably only
+  done for the first of these macros in the configure file.
   
-  Bug: http://curl.haxx.se/mail/lib-2013-04/0294.html
+  Bug: https://github.com/curl/curl/pull/1851#issuecomment-327597515
+  Reported-by: Marcel Raad
+  Closes #1873
 
-- [Ishan SinghLevett brought this change]
-
-  usercertinmem.c: add example showing user cert in memory
+Patrick Monnerat (7 Sep 2017)
+- form API: add new test 650.
   
-  Relies on CURLOPT_SSL_CTX_FUNCTION, which is OpenSSL specific
-
-Steve Holme (18 Apr 2013)
-- url: Fix chksrc longer than 79 columns warning
+  Now that the form API is deprecated and not used anymore in curl tool,
+  a lot of its features left untested. Test 650 attempts to check all these
+  features not tested elsewhere.
 
-- url: Fix incorrect variable type for result code
-
-- url: Fix compiler warning
+Jay Satiro (7 Sep 2017)
+- configure: fix curl_off_t check's include order
   
-  signed and unsigned type in conditional expression
-
-- url: Moved parsing of login details out of parse_url_login()
+  - Prepend srcdir include path instead of append.
   
-  Separated the parsing of login details from the processing of them in
-  parse_url_login() ready for use by setstropt_userpwd().
-
-- url: Re-factored set_userpass() and parse_url_userpass()
+  Prior to this change it was possible that during the check for the size
+  of curl_off_t the include path of a user's already installed curl could
+  come before the include path of the to-be-built curl, resulting in the
+  system.h of the former being incorrectly included for that check.
   
-  Re-factored these functions to reflect their new behaviour following the
-  addition of login options.
+  Closes https://github.com/curl/curl/pull/1870
 
-- url: Reworked URL parsing to allow overriding by CURLOPT_USERPWD
+Daniel Stenberg (7 Sep 2017)
+- [Jakub Zakrzewski brought this change]
 
-Daniel Stenberg (18 Apr 2013)
-- maketgz: make bzip2 creation work with Parallel BZIP2 too
+  KNOWN_BUGS: Remove CMake symbol hiding issue
   
-  Apparently the previous usage didn't work with that implementation,
-  while this updated version works with at least both Parallel BZIP2
-  v1.1.8 and regular bzip "Version 1.0.6, 6-Sept-2010".
-
-Linus Nielsen Feltzing (18 Apr 2013)
-- Add tests/http_pipe.py to the tarball build
+  It has already been fixed in 6140dfc
 
-Steve Holme (16 Apr 2013)
-- smtp: Re-factored all perform based functions
+- http-proxy: when not doing CONNECT, that phase is done immediately
   
-  Standardised the naming of all perform based functions to be in the form
-  smtp_perform_something().
-
-- smtp: Added description comments to all perform based functions
-
-- smtp: Moved smtp_quit() to be with the other perform functions
-
-- smtp: Moved smtp_rcpt_to() to be with the other perform functions
-
-- smtp: Moved smtp_mail() to be with the other perform functions
+  `conn->connect_state` is NULL when doing a regular non-CONNECT request
+  over the proxy and should therefor be considered complete at once.
+  
+  Fixes #1853
+  Closes #1862
+  Reported-by: Lawrence Wagerfield
 
-Daniel Stenberg (16 Apr 2013)
-- [Wouter Van Rooy brought this change]
+- [Johannes Schindelin brought this change]
 
-  curl-config: don't output static libs when they are disabled
+  OpenSSL: fix yet another mistake while encapsulating SSL backend data
   
-  Curl-config outputs static libraries even when they are disabled in
-  configure.
+  Another mistake in my manual fixups of the largely mechanical
+  search-and-replace ("connssl->" -> "BACKEND->"), just like the previous
+  commit concerning HTTPS proxies (and hence not caught during my
+  earlier testing).
   
-  This causes problems with the build of pycurl.
-
-- [Dave Reisner brought this change]
-
-  docs/libcurl: fix formatting in manpage
+  Fixes #1855
+  Closes #1871
   
-  Commit c3ea3eb6 introduced some minor cosmetic errors in
-  curl_mutli_socket_action(3).
+  Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
 
-- [Paul Howarth brought this change]
+- [Johannes Schindelin brought this change]
 
-  Add extra libs for lib1900 and lib2033 test programs
+  OpenSSL: fix erroneous SSL backend encapsulation
   
-  These are needed in cases where clock_gettime is used, from librt.
-
-Dan Fandrich (15 Apr 2013)
-- FAQ: mention that the network connection can be monitored
+  In d65e6cc4f (vtls: prepare the SSL backends for encapsulated private
+  data, 2017-06-21), this developer prepared for a separation of the
+  private data of the SSL backends from the general connection data.
+  
+  This conversion was partially automated (search-and-replace) and
+  partially manual (e.g. proxy_ssl's backend data).
+  
+  Sadly, there was a crucial error in the manual part, where the wrong
+  handle was used: rather than connecting ssl[sockindex]' BIO to the
+  proxy_ssl[sockindex]', we reconnected proxy_ssl[sockindex]. The reason
+  was an incorrect location to paste "BACKEND->"... d'oh.
+  
+  Reported by Jay Satiro in https://github.com/curl/curl/issues/1855.
   
-  Also note the prohibition on sharing handles across threads.
+  Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
 
-Steve Holme (15 Apr 2013)
-- pop3: Added missing comment for pop3_state_apop_resp()
+- [Jay Satiro brought this change]
 
-- smtp: Updated the coding style of smtp_state_servergreet_resp()
+  vtls: fix memory corruption
   
-  Updated the coding style, in this function, to be consistant with other
-  response functions rather then performing a hard return on failure.
-
-- pop3: Updated the coding style of pop3_state_servergreet_resp()
+  Ever since 70f1db321 (vtls: encapsulate SSL backend-specific data,
+  2017-07-28), the code handling HTTPS proxies was broken because the
+  pointer to the SSL backend data was not swapped between
+  conn->ssl[sockindex] and conn->proxy_ssl[sockindex] as intended, but
+  instead set to NULL (causing segmentation faults).
   
-  Updated the coding style, in this function, to be consistent with other
-  response functions rather then performing a hard return on failure.
-
-- pop3: Re-factored all perform based functions
+  [jes: provided the commit message, tested and verified the patch]
   
-  Standardised the naming of all perform based functions to be in the form
-  pop3_perform_something() following the changes made to IMAP.
+  Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
 
-- pop3: Added description comments to all perform based functions
-
-- pop3: Moved pop3_quit() to be with the other perform functions
+- vtls: switch to CURL_SHA256_DIGEST_LENGTH define
+  
+  ... instead of the prefix-less version since WolfSSL 3.12 now uses an
+  enum with that name that causes build failures for us.
+  
+  Fixes #1865
+  Closes #1867
+  Reported-by: Gisle Vanem
 
-- pop3: Moved pop3_command() to be with the other perform functions
+- travis: add c-ares enabled builds linux + osx
   
-  Started to apply the same tidy up to the POP3 code as applied to the
-  IMAP code in the 7.30.0 release.
+  Closes #1868
 
-- RELEASE-NOTES: Removed erroneous spaces
+- HISTORY: added some recent items
 
-- RELEASE-NOTES: synced with 8723cade21fb
+Jay Satiro (6 Sep 2017)
+- SSL: fix unused parameter warnings
 
-- smtp: Added support for ;auth=<mech> in the URL
+Patrick Monnerat (6 Sep 2017)
+- mime: drop internal FILE * support.
   
-  Added support for specifying the preferred authentication mechanism in
-  the URL as per Internet-Draft 'draft-earhart-url-smtp-00'.
+  - The part kind MIMEKIND_FILE and associated code are suppressed.
+  - Seek data origin offset not used anymore: suppressed.
+  - MIMEKIND_NAMEDFILE renamed MIMEKIND_FILE; associated fields/functions
+    renamed accordingly.
+  - Curl_getformdata() processes stdin via a callback.
 
-- pop3: Reworked authentication type constants
+Daniel Stenberg (6 Sep 2017)
+- configure: remove --enable-soname-bump and SONAME_BUMP
   
-  ... to use left-shifted values, like those defined in curl.h, rather
-  than 16-bit hexadecimal values.
-
-- pop3: Small consistency tidy up
-
-- pop3: Added support for ;auth=<mech> in the URL
+  Back in 2008, (and commit 3f3d6ebe665f3) we changed the logic in how we
+  determine the native type for `curl_off_t`. To really make sure we
+  didn't break ABI without bumping SONAME, we introduced logic that
+  attempted to detect that it would use a different size and thus not be
+  compatible. We also provided a manual switch that allowed users to tell
+  configure to bump SONAME by force.
   
-  Added support for specifying the preferred authentication type and SASL
-  mechanism in the URL as per RFC-2384.
-
-- imap: Added support for ;auth=<mech> in the URL
+  Today, we know of no one who ever got a SONAME bump auto-detected and we
+  don't know of anyone who's using the manual bump feature. The auto-
+  detection is also no longer working since we introduced defining
+  curl_off_t in system.h (7.55.0).
   
-  Added support for specifying the preferred authentication mechanism in
-  the URL as per RFC-5092.
-
-- sasl: Reworked SASL mechanism constants
+  Finally, this bumping logic is not present in the cmake build.
   
-  ... to use left-shifted values, like those defined in curl.h, rather
-  than 16-bit hexadecimal values.
+  Closes #1861
 
-- sasl: Added predefined preferred mechanism values
-  
-  In preparation for the upcoming changes to IMAP, POP3 and SMTP added
-  preferred mechanism values.
+Jay Satiro (6 Sep 2017)
+- [Gisle Vanem brought this change]
 
-- url: Added support for parsing login options from the URL
+  vtls: select ssl backend case-insensitive (follow-up)
   
-  As well as parsing the username and password from the URL, added support
-  for parsing the optional options part from the login details, to allow
-  the following supported URL format:
+  - Do a case-insensitive comparison of CURL_SSL_BACKEND env as well.
   
-  schema://username:password;options@example.com/path?q=foobar
+  - Change Curl_strcasecompare calls to strcasecompare
+    (maps to the former but shorter).
   
-  This will only be used by IMAP, POP3 and SMTP at present but any
-  protocol that may be given login options in the URL will be able to
-  add support for them.
-
-- smtp: Fix compiler warning
+  Follow-up to c290b8f.
   
-  warning: unused variable 'smtp' introduced in commit 73cbd21b5ee6.
-
-- smtp: Moved parsing of url path into separate function
+  Bug: https://github.com/curl/curl/commit/c290b8f#commitcomment-24094313
+  
+  Co-authored-by: Jay Satiro
 
-Daniel Stenberg (12 Apr 2013)
-- FTP: handle a 230 welcome response
+- openssl: Integrate Peter Wu's SSLKEYLOGFILE implementation
   
-  ...instead of the 220 we otherwise expect.
+  This is an adaptation of 2 of Peter Wu's SSLKEYLOGFILE implementations.
   
-  Made the ftpserver.pl support sending a custom "welcome" and then
-  created test 1219 to verify this fix with such a 230 welcome.
+  The first one, written for old OpenSSL versions:
+  https://git.lekensteyn.nl/peter/wireshark-notes/tree/src/sslkeylog.c
   
-  Bug: http://curl.haxx.se/mail/lib-2013-02/0102.html
-  Reported by: Anders Havn
-
-- configure: try pthread_create without -lpthread
+  The second one, written for BoringSSL and new OpenSSL versions:
+  https://github.com/curl/curl/pull/1346
   
-  For libc variants without a spearate pthread lib (like bionic), try
-  using pthreads without the pthreads lib first and only if that fails try
-  the -lpthread linker flag.
+  Note the first one is GPL licensed but the author gave permission to
+  waive that license for libcurl.
   
-  Bug: http://curl.haxx.se/bug/view.cgi?id=1216
-  Reported by: Duncan
-
-- FTP: access files in root dir correctly
+  As of right now this feature is disabled by default, and does not have
+  a configure option to enable it. To enable this feature define
+  ENABLE_SSLKEYLOGFILE when building libcurl and set environment
+  variable SSLKEYLOGFILE to a pathname that will receive the keys.
   
-  Accessing a file with an absolute path in the root dir but with no
-  directory specified was not handled correctly. This fix comes with four
-  new test cases that verify it.
+  And in Wireshark change your preferences to point to that key file:
+  Edit > Preferences > Protocols > SSL > Master-Secret
   
-  Bug: http://curl.haxx.se/mail/lib-2013-04/0142.html
-  Reported by: Sam Deane
-
-Steve Holme (12 Apr 2013)
-- pop3: Reworked the function description for Curl_pop3_write()
-
-- pop3: Added function description to pop3_parse_custom_request()
-
-- pop3: Moved utility functions to end of pop3.c
-
-Nick Zitzmann (12 Apr 2013)
-- darwinssl: add TLS session resumption
+  Co-authored-by: Peter Wu
   
-  This ought to speed up additional TLS handshakes, at least in theory.
+  Ref: https://github.com/curl/curl/pull/1030
+  Ref: https://github.com/curl/curl/pull/1346
+  
+  Closes https://github.com/curl/curl/pull/1866
 
-Steve Holme (12 Apr 2013)
-- imap: Added function description to imap_parse_custom_request()
+Patrick Monnerat (5 Sep 2017)
+- mime: fix a trivial warning.
 
-- imap: Moved utility functions to end of imap.c (Part 3/3)
+- mime: replace 'struct Curl_mimepart' by 'curl_mimepart' in encoder code.
   
-  Moved imap_is_bchar() be with the other utility based functions.
+  mime_state is now a typedef.
 
-- imap: Moved utility functions to end of imap.c (Part 2/3)
+- mime: implement encoders.
   
-  Moved imap_parse_url_path() and imap_parse_custom_request() to the end of the
-  file allowing all utility functions to be grouped together.
+  curl_mime_encoder() is operational and documented.
+  curl tool -F option is extended with ";encoder=".
+  curl tool --libcurl option generates calls to curl_mime_encoder().
+  New encoder tests 648 & 649.
+  Test 1404 extended with an encoder specification.
 
-- imap: Moved utility functions to end of imap.c (Part 1/3)
-  
-  Moved imap_atom() and imap_sendf() to the end of the file allowing all
-  utility functions to be grouped together.
+- runtests.pl: support attribute "nonewline" in part verify/upload.
 
-- imap: Corrected function description for imap_connect()
+- [Daniel Stenberg brought this change]
 
-Kamil Dudka (12 Apr 2013)
-- tests: prevent test206, test1060, and test1061 from failing
-  
-  ... in case runtests.pl is invoked with non-default -b option
-  
-  Fixes a regression caused by 1e29d275c643ef6aab7948f0f55a7a9397e56b42.
+  fixup data/test1135
 
-Daniel Stenberg (12 Apr 2013)
-- [David Strauss brought this change]
+- [Daniel Stenberg brought this change]
 
-  libcurl-share.3: update what it does and does not share.
+  mime: unified to use the typedef'd mime structs everywhere
   
-  Update sharing interface documentation to provide exhaustive list of
-  what it does and does not share.
+  ... and slightly edited to follow our code style better.
 
-- THANKS: remove duplicated names
-
-- bump: start working towards next release
+- [Daniel Stenberg brought this change]
 
-- THANKS: added people from the 7.30.0 RELEASE-NOTES
+  curl.h: use lower case curl_mime* as for all public symbols
 
-Version 7.30.0 (12 Apr 2013)
+- [Daniel Stenberg brought this change]
 
-Daniel Stenberg (12 Apr 2013)
-- RELEASE-NOTES: cleaned up for 7.30 (synced with 5c5e1a1cd20)
-  
-  Most notable the security advisory:
-  http://curl.haxx.se/docs/adv_20130412.html
+  docs/curl_mime_*.3: use correct variable types in examples
 
-- test1218: another cookie tailmatch test
+Kamil Dudka (5 Sep 2017)
+- openssl: use OpenSSL's default ciphers by default
   
-  ... and make 1216 also verify it with a file input
+  Up2date versions of OpenSSL maintain the default reasonably secure
+  without breaking compatibility, so it is better not to override the
+  default by curl.  Suggested at https://bugzilla.redhat.com/1483972
   
-  These tests verify commit 3604fde3d3c9b0d, the fix for the "cookie
-  domain tailmatch" vulnerability. See
-  http://curl.haxx.se/docs/adv_20130412.html
+  Closes #1846
 
-- [YAMADA Yasuharu brought this change]
+Viktor Szakats (5 Sep 2017)
+- examples/mime: minor example code fixes
 
-  cookie: fix tailmatching to prevent cross-domain leakage
+Daniel Stenberg (5 Sep 2017)
+- docs/curl_mime_*.3: added examples
+
+- configure: add MultiSSL to FEATURES when enabled
   
-  Cookies set for 'example.com' could accidentaly also be sent by libcurl
-  to the 'bexample.com' (ie with a prefix to the first domain name).
+  ...for curl-config and its corresponding test 1014
+
+- http-proxy: treat all 2xx as CONNECT success
   
-  This is a security vulnerabilty, CVE-2013-1944.
+  Added test 1904 to verify.
   
-  Bug: http://curl.haxx.se/docs/adv_20130412.html
+  Reported-by: Lawrence Wagerfield
+  Fixes #1859
+  Closes #1860
 
-Guenter Knauf (11 Apr 2013)
-- Enabled MinGW sync resolver builds.
+- MAIL-ETIQUETTE: added "1.9 Your emails are public"
 
-Yang Tse (10 Apr 2013)
-- if2ip.c: fix compiler warning
+- curl.h: fix "unused checksrc ignore", remove dangling reference
+  
+  ... to a README file that doesn't exist anymore
+
+Viktor Szakats (4 Sep 2017)
+- docs: Update to secure URL versions
 
-Guenter Knauf (10 Apr 2013)
-- Fixed lost OpenSSL output with "-t" - followup.
+- mime: use CURL_ZERO_TERMINATED in examples
   
-  The previously applied patch didnt work on Windows; we cant rely
-  on shell commands like 'echo' since they act diffently on each
-  platform and each shell.
-  In order to keep this script platform-independent the code must
-  only use pure Perl.
+  and some minor whitespace fixes
 
-Daniel Stenberg (9 Apr 2013)
-- test1217: verify parsing 257 responses with "rubbish" before path
+Daniel Stenberg (4 Sep 2017)
+- schannel: return CURLE_SSL_CACERT on failed verification
   
-  Test 1217 verifies commit e0fb2d86c9f78, and without that change this
-  test fails.
+  ... not *CACERT_BADFILE as it isn't really because of a bad file.
+  
+  Bug: https://curl.haxx.se/mail/lib-2017-09/0002.html
+  Closes #1858
 
-- [Bill Middlecamp brought this change]
+- test1135: fixed after bd8070085f9
 
-  FTP: handle "rubbish" in front of directory name in 257 responses
-  
-  When doing PWD, there's a 257 response which apparently some servers
-  prefix with a comment before the path instead of after it as is
-  otherwise the norm.
+- examples/post-callback: stop returning one byte at a time
   
-  Failing to parse this, several otherwise legitimate use cases break.
+  ... since people copy and paste code from this example and thus they get
+  an inefficient POST operation without a good reason and sometimes
+  without understanding why.
   
-  Bug: http://curl.haxx.se/mail/lib-2013-04/0113.html
+  Instead this now returns as much data as possible.
 
-Guenter Knauf (9 Apr 2013)
-- Fixed ares-enabled builds with static makefiles.
+- RELEASE-NOTES: fixed the function counter script
 
-- Fixed lost OpenSSL output with "-t".
+- curl.h: make the curl_strequal() protos use the same style
   
-  The OpenSSL pipe wrote to the final CA bundle file, but the encoded PEM
-  output wrote to a temporary file.  Consequently, the OpenSSL output was
-  lost when the temp file was renamed to the final file at script finish
-  (overwriting the final file written earlier by openssl).
-  Patch posted to the list by Richard Michael (rmichael edgeofthenet org).
+  ... as the other functions. Makes it easier to machine-parse!
 
-Daniel Stenberg (9 Apr 2013)
-- test1216: test tailmatching cookie domains
-  
-  This test is an attempt to repeat the problem YAMADA Yasuharu reported
-  at http://curl.haxx.se/mail/lib-2013-04/0108.html
+- docs: curl_mime_*.3 man page formatting edits
+
+- RELEASE-NOTES: synced with 1ab9e9b50
 
-- RELEASe-NOTES: synced with 29fdb2700f797
+Patrick Monnerat (4 Sep 2017)
+- lib: bump version info (soname). Adapt and reenable test 1135.
+
+Daniel Stenberg (3 Sep 2017)
+- headers: move the global_sslset() proto from multi.h to curl.h
   
-  added "tcpkeepalive on Mac OS X"
+  As it was added to multi.h simply to not break test 1135, which now has
+  been disabled due to the mime API addition anyway and su we can now move
+  the sslset stuff to where the other curl_global_* prototypes are.
 
-Nick Zitzmann (8 Apr 2013)
-- darwinssl: disable insecure ciphers by default
+Patrick Monnerat (3 Sep 2017)
+- mime: fix signed/unsigned conversions.
   
-  I noticed that aria2's SecureTransport code disables insecure ciphers such
-  as NULL, anonymous, IDEA, and weak-key ciphers used by SSLv3 and later.
-  That's a good idea, and now we do the same thing in order to prevent curl
-  from accessing a "secure" site that only negotiates insecure ciphersuites.
+  Use and generate CURL_ZERO_TERMINATED in curl tool and tests.
 
-Daniel Stenberg (8 Apr 2013)
-- [Robert Wruck brought this change]
+Jay Satiro (3 Sep 2017)
+- tool_formparse: fix some trivial warnings
 
-  tcpkeepalive: Support CURLOPT_TCP_KEEPIDLE on OSX
+Patrick Monnerat (3 Sep 2017)
+- mime: use size_t instead of ssize_t in public API interface.
   
-  MacOS X doesn't have TCP_KEEPIDLE/TCP_KEEPINTVL but only a single
-  TCP_KEEPALIVE (see
-  http://developer.apple.com/library/mac/#DOCUMENTATION/Darwin/Reference/ManPages/man4/tcp.4.html).
-  Here is a patch for CURLOPT_TCP_KEEPIDLE on OSX platforms.
-
-- configure: remove CURL_CHECK_FUNC_RECVFROM
+  To support telling a string is nul-terminated, symbol CURL_ZERO_TERMINATED
+  has been introduced.
   
-  1 - We don't use the results from the test and we never did. recvfrom()
-  is only used by the TFTP code and it has not caused any problems.
+  Documentation updated accordingly.
   
-  2 - the CURL_CHECK_FUNC_RECVFROM function is extremely slow
+  symbols in versions updated. Added form API symbols deprecation info.
 
-Steve Holme (8 Apr 2013)
-- RELEASE-NOTES: Corrected duplicate NTLM memory leaks
-
-- RELEASE-NOTES: Removed trailing full stop
-
-Daniel Stenberg (8 Apr 2013)
-- [Fabian Keil brought this change]
-
-  proxy: make ConnectionExists() check credential of proxyconnections too
+- mime: remove support "-" stdin pseudo-file name in curl_mime_filedata().
   
-  Previously it only compared credentials if the requested needle
-  connection wasn't using a proxy. This caused NTLM authentication
-  failures when using proxies as the authentication code wasn't send on
-  the connection where the challenge arrived.
+  This feature is badly supported in Windows: as a replacement, a caller has
+  to use curl_mime_data_cb() with fread, fseek and possibly fclose
+  callbacks to process opened files.
   
-  Added test 1215 to verify: NTLM server authentication through a proxy
-  (This is a modified copy of test 67)
-
-- RELEASE-NOTES: sync with 704a5dfca9
+  The cli tool and documentation are updated accordingly.
+  
+  The feature is however kept internally for form API compatibility, with
+  the known caveats it always had.
+  
+  As a side effect, stdin size is not determined by the cli tool even if
+  possible and this results in a chunked transfer encoding. Test 173 is
+  updated accordingly.
 
-- TODO-RELEASE: cleaned up, not really maintained lately
+- mime: fix some implicit curl_off_t --> size_t conversion warnings.
 
-Marc Hoersken (7 Apr 2013)
-- if2ip.c: Fixed another warning: unused parameter 'remote_scope'
+- mime: tests and examples.
+  
+  Additional mime-specific tests.
+  Existing tests updated to reflect small differences (Expect: 100-continue,
+  data size change due to empty lines, etc).
+  Option -F headers= keyword added to tests.
+  test1135 disabled until the entry point order change is resolved.
+  New example smtp-mime.
+  Examples postit2 and multi-post converted from form API to mime API.
 
-Daniel Stenberg (7 Apr 2013)
-- [Marc Hoersken brought this change]
+- mime: use in curl cli tool instead of form API.
+  
+  Extended -F option syntax to support multipart mail messages.
+  -F keyword headers= added to include custom headers in parts.
+  Documentation upgraded.
 
-  cookie.c: Made cookie sort function more deterministic
+- mime: new MIME API.
   
-  Since qsort implementations vary with regards to handling the order
-  of similiar elements, this change makes the internal sort function
-  more deterministic by comparing path length first, then domain length
-  and finally the cookie name. Spotted with testcase 62 on Windows.
+  Available in HTTP, SMTP and IMAP.
+  Deprecates the FORM API.
+  See CURLOPT_MIMEPOST.
+  Lib code and associated documentation.
 
-Marc Hoersken (7 Apr 2013)
-- curl_schannel.c: Follow up on memory leak fix ae4558d
+- test564: Add a warning comment about shell profile output.
+  
+  Shell profile output makes the SSH server failing and this problem reason
+  is not easy to find when no hint is given.
 
-- Revert "getpart.pm: Strip carriage returns to fix Windows support"
+- checksrc: disable SPACEBEFOREPAREN for case statement.
   
-  This reverts commit e51b23c925a2721cf7c29b2b376d3d8903cfb067.
-  As discussed on the mailinglist, this was not the correct approach.
+  The case keyword may be followed by a constant expression and thus should
+  allow it to start with an open parenthesis.
 
-- http_negotiate.c: Fixed passing argument from incompatible pointer type
+- runtests.pl: allow <file[1-4]> tags in client section.
+  
+  This enables tests to create more than one file on the client side.
 
-- ftp.c: Added missing brackets around ABOR command logic
+- runtests.pl: Apply strippart to upload too.
+  
+  This will allow substitution of boundaries in mail messages.
 
-- sockfilt.c: Fixed detection of client-side connection close
+- Curl_base64_encode: always call with a real data handle.
   
-  WINSOCK only:
-  Since FD_CLOSE is only signaled once, it may trigger at the same
-  time as FD_READ. Data actually being available makes it impossible
-  to detect that the connection was closed by checking that recv returns
-  zero. Another recv attempt could block the connection if it was
-  not closed. This workaround abuses exceptfds in conjunction with
-  readfds to signal that the connection has actually closed.
+  Some calls in different modules were setting the data handle to NULL, causing
+  segmentation faults when using builds that enable character code conversions.
 
-- curl_schannel.c: Fixed memory leak if connection was not successful
+- non-ascii: allow conversion functions to be called with a NULL data handle.
 
-- if2ip.c: Fixed warning: unused parameter 'remote_scope'
+- http: fix a memory leakage in checkrtspprefix().
 
-- runtests.pl: Fixed --verbose parameter passed to http_pipe.py
+Daniel Stenberg (2 Sep 2017)
+- [Max Dymond brought this change]
 
-- sockfilt.c: Reduce CPU load while running under a Windows PIPE
+  ossfuzz: Move to C++ for curl_fuzzer.
+  
+  Automake gets confused if you want to use C++ static libraries with C
+  code - basically we need to involve the clang++ linker. The easiest way
+  of achieving this is to rename the C code as C++ code. This gets us a
+  bit further along the path and ought to be compatible with Google's
+  version of clang.
 
-- tftpd.c: Apply sread timeout to the whole data transfer session
+- curl_global_sslset: select backend by name case insensitively
+  
+  Closes #1849
 
-- getpart.pm: Strip carriage returns to fix Windows support
+- [Max Dymond brought this change]
 
-Daniel Stenberg (6 Apr 2013)
-- ftp tests: libcurl returns CURLE_FTP_ACCEPT_FAILED better now
-  
-  Since commit 57aeabcc1a20f, it handles errors on the control connection
-  while waiting for the data connection better.
+  ossfuzz: additional seed corpora
   
-  Test 591 and 592 are updated accordingly.
-
-- FTP: wait on both connections during active STOR state
+  Create simple seed corpora for:
+  - FTP
+  - telnet
+  - dict
+  - tftp
+  - imap
+  - pop3
   
-  When doing PORT and upload (STOR), this function needs to extract the
-  file descriptor for both connections so that it will respond immediately
-  when the server eventually connects back.
+  based off the tests of the same number.
   
-  This flaw caused active connections to become unnecessary slow but they
-  would still often work due to the normal polling on a timeout. The bug
-  also would not occur if the server connected back very fast, like when
-  testing on local networks.
+  Closes #1842
+
+- [Max Dymond brought this change]
+
+  ossfuzz: moving towards the ideal integration
   
-  Bug: http://curl.haxx.se/bug/view.cgi?id=1183
-  Reported by: Daniel Theron
+  - Start with the basic code from the ossfuzz project.
+  - Rewrite fuzz corpora to be binary files full of Type-Length-Value
+    data, and write a glue layer in the fuzzing function to convert
+    corpora into CURL options.
+  - Have supporting functions to generate corpora from existing tests
+  - Integrate with Makefile.am
 
-Marc Hoersken (6 Apr 2013)
-- tftpd.c: Follow up cleanup and restore of previous sockopt
+- strcase: corrected comment header for Curl_strcasecompare()
 
-Daniel Stenberg (6 Apr 2013)
-- [Kim Vandry brought this change]
+- unit1301: fix error message on first test
 
-  connect: treat an interface bindlocal() problem as a non-fatal error
+- curl_global_sslset.3: show the struct and enum too
   
-  I am using curl_easy_setopt(CURLOPT_INTERFACE, "if!something") to force
-  transfers to use a particular interface but the transfer fails with
-  CURLE_INTERFACE_FAILED, "Failed binding local connection end" if the
-  interface I specify has no IPv6 address. The cause is as follows:
+  ... so that users can actually write code based on the man page alone,
+  not having to read the header file.
+
+Jay Satiro (31 Aug 2017)
+- darwinssl: handle long strings in TLS certs (follow-up)
   
-  The remote hostname resolves successfully and has an IPv6 address and an
-  IPv4 address.
+  - Fix handling certificate subjects that are already UTF-8 encoded.
   
-  cURL attempts to connect to the IPv6 address first.
+  Follow-up to b3b75d1 from two days ago. Since then a copy would be
+  skipped if the subject was already UTF-8, possibly resulting in a NULL
+  deref later on.
   
-  bindlocal (in lib/connect.c) fails because Curl_if2ip cannot find an
-  IPv6 address on the interface.
+  Ref: https://github.com/curl/curl/issues/1823
+  Ref: https://github.com/curl/curl/pull/1831
   
-  This is a fatal error in singleipconnect()
+  Closes https://github.com/curl/curl/pull/1836
+
+Daniel Stenberg (31 Aug 2017)
+- cyassl: call it the "WolfSSL" backend
   
-  This change will make cURL try the next IP address in the list.
+  ... instead of cyassl, as this is the current name for it.
   
-  Also included are two changes related to IPv6 address scope:
+  Closes #1844
+
+- polarssl: fix multissl breakage
   
-  - Filter the choice of address in Curl_if2ip to only consider addresses
-  with the same scope ID as the connection address (mismatched scope for
-  local and remote address does not result in a working connection).
+  Reported-by: Dan Fandrich
+  Bug: https://curl.haxx.se/mail/lib-2017-08/0121.html
+  Closes #1843
+
+- configure: remove the leading comma from the backends list
   
-  - bindlocal was ignoring the scope ID of addresses returned by
-  Curl_if2ip . Now it uses them.
+  ... when darwinssl is used.
   
-  Bug: http://curl.haxx.se/bug/view.cgi?id=1189
-
-Marc Hoersken (6 Apr 2013)
-- tftpd.c: Fixed sread timeout on Windows by setting it manually
-
-- ftp.pm: Added tskill to support Windows XP Home
-
-- runtests.pl: Modularization of MinGW/Msys compatibility functions
-
-- ftp.pm: Made Perl testsuite able to handle Windows processes
-
-- util.c: Revert workaround eeefcdf, 6eb56e7 and e3787e8
-
-- ftp.pm: Made Perl testsuite able to kill Windows processes
-
-- util.c: Follow up cleanup on eeefcdf
-
-Daniel Stenberg (6 Apr 2013)
-- cpp: use #ifdef __MINGW32__ to avoid compiler complaints
+  Reported-by: Viktor Szakats
+  Bug: https://github.com/curl/curl/commit/b0989cd3abaff4f9a0717b4875022fa79e33b481#commitcomment-23943493
   
-  ... instead of just #if
+  Closes #1845
 
-Marc Hoersken (6 Apr 2013)
-- util.c: Made write_pidfile write the correct PID on MinGW/Msys
+Kamil Dudka (30 Aug 2017)
+- examples/sslbackend.c: fix failure of 'make checksrc'
   
-  This workaround fixes an issue on MinGW/Msys regarding the Perl
-  testsuite scripts not being able to signal or control the server
-  processes. The MinGW Perl runtime only sees the Msys processes and
-  their corresponding PIDs, but sockfilt (and other servers) wrote the
-  Windows PID into their PID-files. Since this PID is useless to the
-  testsuite, the write_pidfile function was changed to search for the
-  Msys PID and write that into the PID-file.
+  ./sslbackend.c:58:3: warning: else after closing brace on same line (BRACEELSE)
+     } else if(isdigit(*name)) {
+     ^
+  ./sslbackend.c:62:3: warning: else after closing brace on same line (BRACEELSE)
+     } else
+     ^
 
-Daniel Stenberg (5 Apr 2013)
-- RELEASE-NOTES: synced with 5e722b2d09087
+Viktor Szakats (30 Aug 2017)
+- makefile.m32: add multissl support
   
-  3 more bug fixes, 6 more contributors
-
-Marc Hoersken (5 Apr 2013)
-- sockfilt.c: Fixed handling of multiple fds being signaled
+  Closes https://github.com/curl/curl/pull/1840
 
-Kamil Dudka (5 Apr 2013)
-- curl_global_init.3: improve description of CURL_GLOBAL_ALL
+Daniel Stenberg (30 Aug 2017)
+- curl.h: CURLSSLBACKEND_WOLFSSL used wrong value
+  
+  The CURLSSLBACKEND_WOLFSSL is supposed to be an alias for
+  CURLSSLBACKEND_CYASSL, but used an erronous value. To reduce the risk
+  for a similar mistake, define the backend aliases to use the enum values
+  instead.
   
-  Reported by: Tomas Mlcoch
+  Reported-by: Gisle Vanem
+  Bug: https://curl.haxx.se/mail/lib-2017-08/0120.html
 
-- examples/multi-single.c: fix the order of destructions
+- curl_global_sslset.3: clarify
   
-  ... so that it adheres to the API documentation.
+  it is a one time *set*, not necessarily a one time use... it can be
+  called again if the first call failed or just listed the alternatives.
   
-  Reported by: Tomas Mlcoch
-
-Daniel Stenberg (5 Apr 2013)
-- Curl_open: restore default MAXCONNECTS to 5
+  clarify that the available backends are the ones this build supports
+  
+  plus add some formatting
   
-  At some point recently we lost the default value for the easy handle's
-  connection cache, and this change puts it back to 5 - which is the
-  former default value and it is documented in the curl_easy_setopt.3 man
-  page.
+  Reported-by: Rich Gray
+  Bug: https://curl.haxx.se/mail/lib-2017-08/0119.html
 
-Marc Hoersken (4 Apr 2013)
-- sockfilt.c: Added wrapper functions to fix Windows console issues
+- curl/multi.h: remove duplicated closing c++ brace
   
-  The new read and write wrapper functions support reading from stdin
-  and writing to stdout/stderr on Windows by using the appropriate
-  Windows API functions and data types.
+  Regression since 1328f69d53f2f2e93
+  
+  Fixes #1841
+  Reported-by: Andrei Karas
 
-Yang Tse (4 Apr 2013)
-- lib1509.c: fix compiler warnings
+- RELEASE-NOTES: synced with 8c33c963a
 
-- easy.c: fix compiler warning
+- HELP-US.md: spelling
 
-Daniel Stenberg (4 Apr 2013)
-- --engine: spellfix the help message
+- HELP-US.md: "How to get started helping out in the curl project"
   
-  Reported by: Fredrik Thulin
-
-Yang Tse (4 Apr 2013)
-- http_negotiate.c: follow-up for commit 3dcc1a9c
+  Closes #1837
 
-Linus Nielsen Feltzing (4 Apr 2013)
-- easy: Fix the broken CURLOPT_MAXCONNECTS option
+Dan Fandrich (29 Aug 2017)
+- asyn-thread: Fixed cleanup after OOM
   
-  Copy the CURLOPT_MAXCONNECTS option to CURLMOPT_MAXCONNECTS in
-  curl_easy_perform().
-  
-  Bug: http://curl.haxx.se/bug/view.cgi?id=1212
-  Reported-by: Steven Gu
-
-Guenter Knauf (4 Apr 2013)
-- Updated copyright date.
-
-- Another small output fix for --help and --version.
-
-Yang Tse (4 Apr 2013)
-- http_negotiate.c: fix several SPNEGO memory handling issues
+  destroy_async_data() assumes that if the flag "done" is not set yet, the
+  thread itself will clean up once the request is complete.  But if an
+  error (generally OOM) occurs before the thread even has a chance to
+  start, it will never get a chance to clean up and memory will be leaked.
+  By clearing "done" only just before starting the thread, the correct
+  cleanup sequence will happen in all cases.
 
-Guenter Knauf (4 Apr 2013)
-- Added a cont to specify base64 line wrap.
+Daniel Stenberg (28 Aug 2017)
+- curl_global_init.3: mention curl_global_sslset(3)
 
-- Fixed version output.
+Dan Fandrich (28 Aug 2017)
+- unit1606: Fixed shadowed variable warning
 
-- Added support for --help and --version options.
+- asyn-thread: Improved cleanup after OOM situations
 
-- Added option to specify length of base64 output.
+- asyn-thread: Set errno to the proper value ENOMEM in OOM situation
   
-  Based on a patch posted to the list by Richard Michael.
+  This used to be set in some configurations to EAI_MEMORY which is not a
+  valid value for errno and caused Curl_strerror to fail an assertion.
 
-Daniel Stenberg (3 Apr 2013)
-- curl_easy_setopt.3: CURLOPT_HTTPGET disables CURLOPT_UPLOAD
+Daniel Stenberg (28 Aug 2017)
+- [Johannes Schindelin brought this change]
 
-- [Yasuharu Yamada brought this change]
-
-  Curl_cookie_add: only increase numcookies for new cookies
+  configure: Handle "MultiSSL" specially When versioning symbols
+  
+  There is a mode in which libcurl is compiled with versioned symbols,
+  depending on the active SSL backend.
   
-  Count up numcookies in Curl_cookie_add() only when cookie is new one
+  When multiple SSL backends are active, it does not make sense to favor
+  one over the others, so let's not: introduce a new prefix for the case
+  where multiple SSL backends are compiled into cURL.
+  
+  Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
 
-- SO_SNDBUF: don't set SNDBUF for win32 versions vista or later
+  configure: allow setting the default SSL backend
   
-  The Microsoft knowledge-base article
-  http://support.microsoft.com/kb/823764 describes how to use SNDBUF to
-  overcome a performance shortcoming in winsock, but it doesn't apply to
-  Windows Vista and later versions. If the described SNDBUF magic is
-  applied when running on those more recent Windows versions, it seems to
-  instead have the reversed effect in many cases and thus make libcurl
-  perform less good on those systems.
+  Previously, we used as default SSL backend whatever was first in the
+  `available_backends` array.
   
-  This fix thus adds a run-time version-check that does the SNDBUF magic
-  conditionally depending if it is deemed necessary or not.
+  However, some users may want to override that default without patching
+  the source code.
   
-  Bug: http://curl.haxx.se/bug/view.cgi?id=1188
-  Reported by: Andrew Kurushin
-  Tested by: Christian Hägele
-
-Nick Zitzmann (1 Apr 2013)
-- darwinssl: additional descriptive messages of SSL handshake errors
+  Now they can: with the --with-default-ssl-backend=<backend> option of
+  the ./configure script.
   
-  (This doesn't need to appear in the release notes.)
-
-Guenter Knauf (1 Apr 2013)
-- Added dns and connect time to output.
+  Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
 
-Daniel Stenberg (1 Apr 2013)
-- RELEASE-NOTES: synced with 0614b902136
+- [Johannes Schindelin brought this change]
 
-- code-policed
-
-- tcpkeepalive: support TCP_KEEPIDLE/TCP_KEEPINTVL on win32
+  vtls: use Curl_ssl_multi pseudo backend only when needed
+  
+  When only one SSL backend is configured, it is totally unnecessary to
+  let multissl_init() configure the backend at runtime, we can select the
+  correct backend at build time already.
   
-  Patch by: Robert Wruck
-  Bug: http://curl.haxx.se/bug/view.cgi?id=1209
+  Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
 
-- BINDINGS: BBHTTP is a cocoa binding, Julia has a binding
+- [Johannes Schindelin brought this change]
 
-- ftp_sendquote: use PPSENDF, not FTPSENDF
+  version: if built with more than one SSL backend, report all of them
   
-  The last remaining code piece that still used FTPSENDF now uses PPSENDF.
-  In the problematic case, a PREQUOTE series was done on a re-used
-  connection when Curl_pp_init() hadn't been called so it had messed up
-  pointers. The init call is done properly from Curl_pp_sendf() so this
-  change fixes this particular crash.
+  To discern the active one from the inactive ones, put the latter into
+  parentheses.
   
-  Bug: http://curl.haxx.se/mail/lib-2013-03/0319.html
-  Reported by: Sam Deane
+  Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
 
-Steve Holme (27 Mar 2013)
-- RELEASE-NOTES: Corrected typo
+- [Johannes Schindelin brought this change]
 
-Daniel Stenberg (27 Mar 2013)
-- [Clemens Gruber brought this change]
-
-  multi-uv.c: remove unused variable
+  version: add the CURL_VERSION_MULTI_SSL feature flag
+  
+  This new feature flag reports When cURL was built with multiple SSL
+  backends.
+  
+  Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
 
-- RELEASE-NOTES: add two references
+- [Johannes Schindelin brought this change]
 
-- test1509: verify proxy header response headers count
+  metalink: allow compiling with multiple SSL backends
   
-  Modified sws to support and use custom CONNECT responses instead of the
-  previously naive hard-coded version. Made the HTTP test server able to
-  extract test case number from the host name in a CONNECT request by
-  finding the number after the last dot. It makes 'machine.moo.123' use
-  test case 123.
+  Previously, the code assumed that at most one of the SSL backends would
+  be compiled in, emulating OpenSSL's functions if the configured backend
+  was not OpenSSL itself.
   
-  Adapted a larger amount of tests to the new <connect> style.
+  However, now we allow building with multiple SSL backends and choosing
+  one at runtime. Therefore, metalink needs to be adjusted to handle this
+  scenario, too.
   
-  Bug: http://curl.haxx.se/bug/view.cgi?id=1204
-  Reported by: Martin Jansen
-
-- [Clemens Gruber brought this change]
+  Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
 
-  Added libuv example multi-uv.c
+- [Johannes Schindelin brought this change]
 
-Yang Tse (25 Mar 2013)
-- NTLM: fix several NTLM code paths memory leaks
-
-- WIN32 MemoryTracking: track wcsdup() _wcsdup() and _tcsdup() usage
-  
-  As of 25-mar-2013 wcsdup() _wcsdup() and _tcsdup() are only used in
-  WIN32 specific code, so tracking of these has not been extended for
-  other build targets. Without this fix, memory tracking system on
-  WIN32 builds, when using these functions, would provide misleading
-  results.
+  docs/examples: demonstrate how to select SSL backends
   
-  In order to properly extend this support for all targets curl.h
-  would have to define curl_wcsdup_callback prototype and consequently
-  wchar_t should be visible before that in curl.h.  IOW curl_wchar_t
-  defined in curlbuild.h and this pulling whatever system header is
-  required to get wchar_t definition.
+  The newly-introduced curl_global_sslset() function deserves to be
+  show-cased.
   
-  Additionally a new curl_global_init_mem() function that also receives
-  user defined wcsdup() callback would be required.
+  Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
 
-- curl_ntlm_msgs.c: revert commit 463082bea4
-  
-  reverts unreleased invalid memory leak fix
+- [Johannes Schindelin brought this change]
 
-Daniel Stenberg (23 Mar 2013)
-- RELEASE-NOTES: synced with bc6037ed3ec02
+  Add a man page for curl_global_sslset()
   
-  More changes, bugfixes and contributors!
+  Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
 
-- [Martin Jansen brought this change]
+- [Johannes Schindelin brought this change]
 
-  Curl_proxyCONNECT: count received headers
+  vtls: introduce curl_global_sslset()
   
-  Proxy servers tend to add their own headers at the beginning of
-  responses. The size of these headers was not taken into account by
-  CURLINFO_HEADER_SIZE before this change.
+  Let's add a compile time safe API to select an SSL backend. This
+  function needs to be called *before* curl_global_init(), and can be
+  called only once.
   
-  Bug: http://curl.haxx.se/bug/view.cgi?id=1204
-
-Steve Holme (21 Mar 2013)
-- sasl: Corrected a few violations of the curl coding standards
+  Side note: we do not explicitly test that it is called before
+  curl_global_init(), but we do verify that it is not called multiple times
+  (even implicitly).
   
-  Corrected some incorrectly positioned pointer variable declarations to
-  be "char *" rather than "char* ".
-
-- multi.c: Corrected a couple of violations of the curl coding standards
+  If SSL is used before the function was called, it will use whatever the
+  CURL_SSL_BACKEND environment variable says (or default to the first
+  available SSL backend), and if a subsequent call to
+  curl_global_sslset() disagrees with the previous choice, it will fail
+  with CURLSSLSET_TOO_LATE.
   
-  Corrected some incorrectly positioned pointer variable declarations to
-  be "type *" rather than "type* ".
-
-- imap-tests: Added CRLF to reply data to be compliant with RFC-822
+  The function also accepts an "avail" parameter to point to a (read-only)
+  NULL-terminated list of available backends. This comes in real handy if
+  an application wants to let the user choose between whatever SSL backends
+  the currently available libcurl has to offer: simply call
   
-  Updated the reply data in tests: 800, 801, 802, 804 and 1321 to possess
-  the CRLF as per RFC-822.
-
-- multi.c: Fix compilation warning
+          curl_global_sslset(-1, NULL, &avail);
   
-  warning: an enumerated type is mixed with another type
-
-- multi.c: fix compilation error
+  which will return CURLSSLSET_UNKNOWN_BACKEND and populate the avail
+  variable to point to the relevant information to present to the user.
   
-  warning: conversion from enumeration type to different enumeration type
-
-- lib1900.c: fix compilation warning
+  Just like with the HTTP/2 push functions, we have to add the function
+  declaration of curl_global_sslset() function to the header file
+  *multi.h* because VMS and OS/400 require a stable order of functions
+  declared in include/curl/*.h (where the header files are sorted
+  alphabetically). This looks a bit funny, but it cannot be helped.
   
-  warning: declaration of 'time' shadows a global declaration
+  Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
 
-Yang Tse (20 Mar 2013)
-- [John E. Malmberg brought this change]
+- [Johannes Schindelin brought this change]
 
-  build_vms.com: use existing curlbuild.h and parsing fix
-  
-  This patch removes building curlbuild.h from the build_vms.com procedure
-  and uses the one in the daily or release tarball instead.
+  vtls: refactor out essential information about the SSL backends
   
-  packages/vms/build_curlbuild_h.com is obsolete with this change.
+  There is information about the compiled-in SSL backends that is really
+  no concern of any code other than the SSL backend itself, such as which
+  function (if any) implements SHA-256 summing.
   
-  Accessing the library module name "tool_main" needs different handling
-  when the optional extended parsing is enabled.
+  And there is information that is really interesting to the user, such as
+  the name, or the curl_sslbackend value.
   
-  Tested on IA64/VMS 8.4 and VAX/VMS 7.3
-
-Nick Zitzmann (19 Mar 2013)
-- darwinssl: disable ECC ciphers under Mountain Lion by default
+  Let's factor out the latter into a publicly visible struct. This
+  information will be used in the upcoming API to set the SSL backend
+  globally.
   
-  I found out that ECC doesn't work as of OS X 10.8.3, so those ciphers are
-  turned off until the next point release of OS X.
-
-Steve Holme (18 Mar 2013)
-- FEATURES: Small tidy up for constancy and grammar
+  Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
 
-Daniel Stenberg (18 Mar 2013)
-- [Oliver Schindler brought this change]
+- [Johannes Schindelin brought this change]
 
-  Curl_proxyCONNECT: clear 'rewindaftersend' on success
+  vtls: allow selecting which SSL backend to use at runtime
   
-  After having done a POST over a CONNECT request, the 'rewindaftersend'
-  boolean could be holding the previous value which could lead to badness.
+  When building software for the masses, it is sometimes not possible to
+  decide for all users which SSL backend is appropriate.
   
-  This should be tested for in a new test case!
+  Git for Windows, for example,  uses cURL to perform clones, fetches and
+  pushes via HTTPS, and some users strongly prefer OpenSSL, while other
+  users really need to use Secure Channel because it offers
+  enterprise-ready tools to manage credentials via Windows' Credential
+  Store.
   
-  Bug: https://groups.google.com/d/msg/msysgit/B31LNftR4BI/KhRTz0iuGmUJ
-
-Steve Holme (18 Mar 2013)
-- TODO: Reordered the protocol and security sections
+  The current Git for Windows versions use the ugly work-around of
+  building libcurl once with OpenSSL support and once with Secure Channel
+  support, and switching out the binaries in the installer depending on
+  the user's choice.
   
-  Moved SMTP, POP3, IMAP and New Protocol sections to be listed after the
-  other protocols (FTP, HTTP and TELNET) and SASL to be after SSL and
-  GnuTLS as these are all security related.
+  Needless to say, this is a super ugly workaround that actually only
+  works in some cases: Git for Windows also comes in a portable form, and
+  in a form intended for third-party applications requiring Git
+  functionality, in which cases this "swap out libcurl-4.dll" simply is
+  not an option.
   
-  Additionally fixed numbering of the SSL and GnuTLS sections as they
-  weren't consecutive.
-
-Yang Tse (18 Mar 2013)
-- tests: specify 'text' mode for some output files in verify section
-
-Steve Holme (17 Mar 2013)
-- imap: Fixed incorrect initial response generation for SASL AUTHENTICATE
+  Therefore, the Git for Windows project has a vested interest in teaching
+  cURL to make the SSL backend a *runtime* option.
   
-  Fixed incorrect initial response generation for the NTLM and LOGIN SASL
-  authentication mechanisms when the SASL-IR was detected.
+  This patch makes that possible.
   
-  Introduced in commit: 6da7dc026c14.
-
-- FEATURES: Expanded the supported enhanced IMAP command list
-
-- TODO: Corrected typo in TOC
-
-- TODO: Added IMAP section and removed unused Other protocols section
-
-- TODO: Added graceful base64 decoding failure to SMTP and POP3
-
-- TODO: Corrected typo on section 10.2 heading
-
-Yang Tse (16 Mar 2013)
-- tests: 96, 558, 1330: strip build subdirectory dependent leading path
+  By running ./configure with multiple --with-<backend> options, cURL will
+  be built with multiple backends.
+  
+  For the moment, the backend can be configured using the environment
+  variable CURL_SSL_BACKEND (valid values are e.g. "openssl" and
+  "schannel").
+  
+  Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
 
-Steve Holme (15 Mar 2013)
-- TODO: Added section 10.2 Initial response to POP3 to do list
+- [Johannes Schindelin brought this change]
 
-- imap-tests: Corrected copy/paste error in test808 reply data
+  vtls: fold the backend ID into the Curl_ssl structure
+  
+  Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
 
-Yang Tse (15 Mar 2013)
-- unit1330.c: fix date
+- [Johannes Schindelin brought this change]
 
-- tests: add #96 #558 and #1330
+  curl_ntlm_core: don't complain but #include OpenSSL header if needed
   
-  These verfy that the 'memory tracking' subsystem is actually doing its
-  job when using curl tool (#96), a test in libtest (#558) and also a unit
-  test (#1330), in order to prevent regressions in this functionallity.
+  Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
 
-Steve Holme (15 Mar 2013)
-- imap-tests: Added test808 for custom EXAMINE command
+- [Johannes Schindelin brought this change]
 
-Daniel Stenberg (15 Mar 2013)
-- HTTP proxy: insert slash in URL if missing
+  vtls: encapsulate SSL backend-specific data
   
-  curl has been accepting URLs using slightly wrong syntax for a long
-  time, such as when completely missing as slash "http://example.org" or
-  missing a slash when a query part is given
-  "http://example.org?q=foobar".
+  So far, all of the SSL backends' private data has been declared as
+  part of the ssl_connect_data struct, in one big #if .. #elif .. #endif
+  block.
   
-  curl would translate these into a legitimate HTTP request to servers,
-  although as was shown in bug #1206 it was not adjusted properly in the
-  cases where a HTTP proxy was used.
+  This can only work as long as the SSL backend is a compile-time option,
+  something we want to change in the next commits.
   
-  Test 1213 and 1214 were added to the test suite to verify this fix.
+  Therefore, let's encapsulate the exact data needed by each SSL backend
+  into a private struct, and let's avoid bleeding any SSL backend-specific
+  information into urldata.h. This is also necessary to allow multiple SSL
+  backends to be compiled in at the same time, as e.g. OpenSSL's and
+  CyaSSL's headers cannot be included in the same .c file.
   
-  The test HTTP server was adjusted to allow us to specify test number in
-  the host name only without using any slashes in a given URL.
+  To avoid too many malloc() calls, we simply append the private structs
+  to the connectdata struct in allocate_conn().
   
-  Bug: http://curl.haxx.se/bug/view.cgi?id=1206
-  Reported by: ScottJi
-
-Steve Holme (14 Mar 2013)
-- ftpserver.pl: Added EXAMINE_imap() for IMAP EXAMINE commands
+  This requires us to take extra care of alignment issues: struct fields
+  often need to be aligned on certain boundaries e.g. 32-bit values need to
+  be stored at addresses that divide evenly by 4 (= 32 bit / 8
+  bit-per-byte).
   
-  Used hard coded data from RFC-3501 section 6.3.2.
-
-Yang Tse (14 Mar 2013)
-- curl_memory.h: introduce CURLX_NO_MEMORY_CALLBACKS usage possibility
+  We do that by assuming that no SSL backend's private data contains any
+  fields that need to be aligned on boundaries larger than `long long`
+  (typically 64-bit) would need. Under this assumption, we simply add a
+  dummy field of type `long long` to the `struct connectdata` struct. This
+  field will never be accessed but acts as a placeholder for the four
+  instances of ssl_backend_data instead. the size of each ssl_backend_data
+  struct is stored in the SSL backend-specific metadata, to allow
+  allocate_conn() to know how much extra space to allocate, and how to
+  initialize the ssl[sockindex]->backend and proxy_ssl[sockindex]->backend
+  pointers.
   
-  This commit alone does not fix anything nor modifies existing
-  interfaces or behaviors, although it is a prerequisite for other
-  fixes.
-
-- Makefile.vc6: add missing files
+  This would appear to be a little complicated at first, but is really
+  necessary to encapsulate the private data of each SSL backend correctly.
+  And we need to encapsulate thusly if we ever want to allow selecting
+  CyaSSL and OpenSSL at runtime, as their headers cannot be included within
+  the same .c file (there are just too many conflicting definitions and
+  declarations for that).
+  
+  Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
 
-Linus Nielsen Feltzing (14 Mar 2013)
-- pipelining: Remove dead code.
+- [Johannes Schindelin brought this change]
 
-- Multiple pipelines and limiting the number of connections.
+  vtls: prepare the SSL backends for encapsulated private data
   
-  Introducing a number of options to the multi interface that
-  allows for multiple pipelines to the same host, in order to
-  optimize the balance between the penalty for opening new
-  connections and the potential pipelining latency.
+  At the moment, cURL's SSL backend needs to be configured at build time.
+  As such, it is totally okay for them to hard-code their backend-specific
+  data in the ssl_connect_data struct.
   
-  Two new options for limiting the number of connections:
+  In preparation for making the SSL backend a runtime option, let's make
+  the access of said private data a bit more abstract so that it can be
+  adjusted later in an easy manner.
   
-  CURLMOPT_MAX_HOST_CONNECTIONS - Limits the number of running connections
-  to the same host. When adding a handle that exceeds this limit,
-  that handle will be put in a pending state until another handle is
-  finished, so we can reuse the connection.
+  Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+  urldata.h: move SSPI-specific #include to correct location
   
-  CURLMOPT_MAX_TOTAL_CONNECTIONS - Limits the number of connections in total.
-  When adding a handle that exceeds this limit,
-  that handle will be put in a pending state until another handle is
-  finished. The free connection will then be reused, if possible, or
-  closed if the pending handle can't reuse it.
+  In 86b889485 (sasl_gssapi: Added GSS-API based Kerberos V5 variables,
+  2014-12-03), an SSPI-specific field was added to the kerberos5data
+  struct without moving the #include "curl_sspi.h" later in the same file.
   
-  Several new options for pipelining:
+  This broke the build when SSPI was enabled, unless Secure Channel was
+  used as SSL backend, because it just so happens that Secure Channel also
+  requires "curl_sspi.h" to be #included.
   
-  CURLMOPT_MAX_PIPELINE_LENGTH - Limits the pipeling length. If a
-  pipeline is "full" when a connection is to be reused, a new connection
-  will be opened if the CURLMOPT_MAX_xxx_CONNECTIONS limits allow it.
-  If not, the handle will be put in a pending state until a connection is
-  ready (either free or a pipe got shorter).
+  In f4739f639 (urldata: include curl_sspi.h when Windows SSPI is enabled,
+  2017-02-21), this bug was fixed incorrectly: Instead of moving the
+  appropriate conditional #include, the Secure Channel-conditional part
+  was now also SSPI-conditional.
   
-  CURLMOPT_CONTENT_LENGTH_PENALTY_SIZE - A pipelined connection will not
-  be reused if it is currently processing a transfer with a content
-  length that is larger than this.
+  Fix this problem by moving the correct #include instead.
   
-  CURLMOPT_CHUNK_LENGTH_PENALTY_SIZE - A pipelined connection will not
-  be reused if it is currently processing a chunk larger than this.
+  This is also required for an upcoming patch that moves all the Secure
+  Channel-specific stuff out of urldata.h and encapsulates it properly in
+  vtls/schannel.c instead.
   
-  CURLMOPT_PIPELINING_SITE_BL - A blacklist of hosts that don't allow
-  pipelining.
+  Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+  urldata.h: remove support for obsolete PolarSSL version
   
-  CURLMOPT_PIPELINING_SERVER_BL - A blacklist of server types that don't allow
-  pipelining.
+  Since 5017d5ada (polarssl: now require 1.3.0+, 2014-03-17), we require
+  a newer PolarSSL version. No need to keep code trying to support any
+  older version.
   
-  See the curl_multi_setopt() man page for details.
+  Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
 
-Yang Tse (13 Mar 2013)
-- tool_main.c: remove redundant vms_show storage-class specifier
+- [Johannes Schindelin brought this change]
+
+  getinfo: access SSL internals via Curl_ssl
   
-  vms_show 'extern' storage-class specifier removed from tool_main.c due to...
+  In the ongoing endeavor to abstract out all SSL backend-specific
+  functionality, this is the next step: Instead of hard-coding how the
+  different SSL backends access their internal data in getinfo.c, let's
+  implement backend-specific functions to do that task.
   
-  - Advice from Tor Arntsen: http://curl.haxx.se/mail/lib-2013-03/0164.html
+  This will also allow for switching SSL backends as a runtime option.
   
-  - HP OpenVMS docs stating that 'Extern is the default storage class for
-    variables declared outside a function.'
-    http://h71000.www7.hp.com/commercial/c/docs/dec_c_help_5.html
-    (Storage_Classes section)
+  Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
 
-- test509: libcurl initialization with memory callbacks and actual usage
+- [Johannes Schindelin brought this change]
 
-Steve Holme (13 Mar 2013)
-- pop3: Removed unnecessary transfer cancellation
+  vtls: move SSL backends' private constants out of their header files
   
-  Following commit e450f66a02d8 and the changes in the multi interface
-  being used internally, from 7.29.0, the transfer cancellation in
-  pop3_dophase_done() is no longer required.
-
-Yang Tse (13 Mar 2013)
-- Makefile.am: add VMS files not being included in tarball
+  Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
 
-- [Tom Grace brought this change]
+- [Johannes Schindelin brought this change]
 
-  build_vms.com: VMS build fixes
+  axtls: use Curl_none_* versions of init() and cleanup()
   
-  Added missing slash in cc_full_list.
-  Removed unwanted extra quotes inside symbol tool_main
-  for non-VAX architectures that triggered link failure.
-  Replaced curl_sys_inc with sys_inc.
+  There are convenient no-op versions of the init/cleanup functions now,
+  no need to define private ones for axTLS.
+  
+  Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
 
-- [Tom Grace brought this change]
+- [Johannes Schindelin brought this change]
 
-  tool_main.c: fix VMS global variable storage-class specifier
+  vtls: remove obsolete declarations of SSL backend functionality
   
-  An extern submits a psect and a global reference to the linker to point
-  to it. Using "extern int vms_show = 0" also creates a globaldef.
+  These functions are all available via the Curl_ssl struct now, no need
+  to declare them separately anymore.
   
-  The use of the extern by itself does declare a psect but does not declare
-  a globalsymbol. It does declare a globalref. But the linker needs one and
-  only one globaldef or there is an error.
-
-Patrick Monnerat (12 Mar 2013)
-- OS400: synchronize RPG binding
-
-Steve Holme (12 Mar 2013)
-- pop3: Fixed continuous wait when using --ftp-list
+  As the global declarations are removed, the corresponding function
+  definitions are marked as file-local. The only two exceptions here are
+  Curl_mbedtls_shutdown() and Curl_polarssl_shutdown(): only the
+  declarations were removed, there are no function definitions to mark
+  file-local.
+  
+  Please note that Curl_nss_force_init() is *still* declared globally, as
+  the only SSL backend-specific function, because it was introduced
+  specifically for the use case where cURL was compiled with
+  `--without-ssl --with-nss`. For details, see f3b77e561 (http_ntlm: add
+  support for NSS, 2010-06-27).
   
-  Don't initiate a transfer when using --ftp-list.
+  Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
 
-Kamil Dudka (12 Mar 2013)
-- [Zdenek Pavlas brought this change]
+- [Johannes Schindelin brought this change]
 
-  curl_global_init: accept the CURL_GLOBAL_ACK_EINTR flag
+  schannel: reorder functions topologically
   
-  The flag can be used in pycurl-based applications where using the multi
-  interface would not be acceptable because of the performance lost caused
-  by implementing the select() loop in python.
+  The _shutdown() function calls the _session_free() function; While this
+  is not a problem now (because schannel.h declares both functions), a
+  patch looming in the immediate future with make all of these functions
+  file-local.
   
-  Bug: http://curl.haxx.se/bug/view.cgi?id=1168
-  Downstream Bug: https://bugzilla.redhat.com/919127
+  So let's just move the _session_free() function's definition before it
+  is called.
+  
+  Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
 
-- easy: do not ignore poll() failures other than EINTR
+- [Johannes Schindelin brought this change]
 
-Yang Tse (12 Mar 2013)
-- curl.h: stricter CURL_EXTERN linkage decorations logic
+  axtls: reorder functions topologically
   
-  No API change involved.
+  The connect_finish() function (like many other functions after it) calls
+  the Curl_axtls_close() function; While this is not a problem now
+  (because axtls.h declares the latter function), a patch looming in the
+  immediate future with make all of these functions file-local.
   
-  Info: http://curl.haxx.se/mail/lib-2013-02/0234.html
-
-Daniel Stenberg (11 Mar 2013)
-- THANKS: Latin-1'ified Jiri's name
+  So let's just move the Curl_axtls_close() function's definition before
+  it is called.
+  
+  Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
 
-Steve Holme (11 Mar 2013)
-- test806: Added CRLF to reply data to be compliant with RFC-822
+- [Johannes Schindelin brought this change]
 
-Daniel Stenberg (11 Mar 2013)
-- test805: added crlf newlines to make data size match
+  vtls: move the SUPPORT_HTTPS_PROXY flag into the Curl_ssl struct
   
-  since mails sent are supposed to have CRLF line endings I added them and
-  now the data size after (\Seen) matches again properly
-
-- test: fix newline for the data check of 807
+  That will allow us to choose the SSL backend at runtime.
+  
+  Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
 
-Yang Tse (11 Mar 2013)
-- test801 to test807: fix protocol section line endings
+- [Johannes Schindelin brought this change]
 
-Steve Holme (10 Mar 2013)
-- Makefile.am: Corrected a couple of spurious tab characters
+  vtls: convert the have_curlssl_* constants to runtime flags
+  
+  The entire idea of introducing the Curl_ssl struct to describe SSL
+  backends is to prepare for choosing the SSL backend at runtime.
   
-  Corrected a couple of tab characters between test702 and test703, and
-  between test900 and test901 which should be spaces.
+  To that end, convert all the #ifdef have_curlssl_* style conditionals
+  to use bit flags instead.
+  
+  Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
 
-- [Jiri Hruska brought this change]
+- [Johannes Schindelin brought this change]
 
-  imap: Added test807 for custom request functionality (STORE)
+  vtls: move sha256sum into the Curl_ssl struct
+  
+  The SHA-256 checksumming is also an SSL backend-specific function.
+  Let's include it in the struct declaring the functionality of SSL
+  backends.
+  
+  In contrast to MD5, there is no fall-back code. To indicate this, the
+  respective entries are NULL for those backends that offer no support for
+  SHA-256 checksumming.
+  
+  Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
 
-- [Jiri Hruska brought this change]
+- [Johannes Schindelin brought this change]
 
-  imap: Added test806 for IMAP (folder) LIST command
+  vtls: move md5sum into the Curl_ssl struct
+  
+  The MD5 summing is also an SSL backend-specific function. So let's
+  include it, offering the previous fall-back code as a separate function
+  now: Curl_none_md5sum(). To allow for that, the signature had to be
+  changed so that an error could be returned from the implementation
+  (Curl_none_md5sum() can run out of memory).
+  
+  Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
 
-- [Jiri Hruska brought this change]
+- [Johannes Schindelin brought this change]
 
-  imap: Added test805 for APPEND functionality
+  vtls: use the Curl_ssl struct to access all SSL backends' functionality
+  
+  This is the first step to unify the SSL backend handling. Now all the
+  SSL backend-specific functionality is accessed via a global instance of
+  the Curl_ssl struct.
+  
+  Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
 
-- [Jiri Hruska brought this change]
+- [Johannes Schindelin brought this change]
 
-  imap: Added test804 for skipping SELECT if in the same mailbox
+  vtls: declare Curl_ssl structs for every SSL backend
+  
+  The idea of introducing the Curl_ssl struct was to unify how the SSL
+  backends are declared and called. To this end, we now provide an
+  instance of the Curl_ssl struct for each and every SSL backend.
+  
+  Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
 
-- [Jiri Hruska brought this change]
+- [Johannes Schindelin brought this change]
 
-  imap: Added test802 and test803 for UIDVALIDITY verification
+  vtls: introduce a new struct for SSL backends
   
-  Added one test for a request with matching UIDVALIDITY and one which is
-  a mismatched request that will fail.
+  This new struct is similar in nature to Curl_handler: it will define the
+  functions and capabilities of all the SSL backends (where Curl_handler
+  defines the functions and capabilities of protocol handlers).
+  
+  Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
 
-- [Jiri Hruska brought this change]
+- [Johannes Schindelin brought this change]
 
-  imap: Added test801 for UID and SECTION URL parameters
+  vtls: make sure every _sha256sum()'s first arg is const
+  
+  This patch makes the signature of the _sha256sum() functions consistent
+  among the SSL backends, in preparation for unifying the way all SSL
+  backends are accessed.
+  
+  Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
 
-- [Jiri Hruska brought this change]
+- [Johannes Schindelin brought this change]
 
-  imap-tests: Accept quoted parameters in ftpserver.pl
+  vtls: make sure all _data_pending() functions return bool
+  
+  This patch makes the signature of the _data_pending() functions
+  consistent among the SSL backends, in preparation for unifying the way
+  all SSL backends are accessed.
   
-  Any IMAP parameter can come in escaped and in double quotes. Added a
-  simple function to unquote the command parameters and applied it to
-  the IMAP command handlers.
+  Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
 
-- [Jiri Hruska brought this change]
+- [Johannes Schindelin brought this change]
 
-  tests: Fix ftpserver.pl indentation
+  vtls: make sure all _cleanup() functions return void
   
-  The whole of FETCH_imap() had one extra space of indentation, whilst
-  APPEND_imap() used indentation of 2 instead of 4 in places.
-
-- Makefile.am: Corrected end of line filler character
+  This patch makes the signature of the _cleanup() functions consistent
+  among the SSL backends, in preparation for unifying the way all SSL
+  backends are accessed.
   
-  The majority of lines, that specify a test file for inclusion, end with
-  a tab character before the slash whilst some end with a space. Corrected
-  those that end with a space to end with a tab character as well.
+  Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
 
-- email-tests: Updated the test data that corresponds to the test number
-  
-  Finished segregating the email protocol tests, into their own protocol
-  based ranges, in preparation of adding more e-mail related tests to the
-  test suite.
+- [Johannes Schindelin brought this change]
 
-- email-tests: Renamed the IMAP test to be 800
+  vtls: use consistent signature for _random() implementations
   
-  Continued segregating the email protocol tests, into their own protocol
-  based ranges, in preparation of adding more e-mail related tests to the
-  test suite.
-
-- email-tests: Renamed the SMTP tests to be in the range 900-906
+  This will make the upcoming multissl backend much easier to implement.
   
-  Continued segregating the email protocol tests, into their own protocol
-  based ranges, in preparation of adding more e-mail related tests to the
-  test suite.
+  Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
 
-- email-tests: Renamed the POP3 tests to be in the range 850-857
+- strtooff: fix build for systems with long long but no strtoll option
   
-  Started segregating the email protocol tests, into their own protocol
-  based ranges, in preparation of adding more e-mail related tests to the
-  test suite.
-
-Daniel Stenberg (10 Mar 2013)
-- hiperfifo: updated to use current libevent API
+  Closes #1829
   
-  Patch by: Myk Taylor
-
-Steve Holme (10 Mar 2013)
-- imap: Reworked some function descriptions
-
-- imap: Added some missing comments to imap_sendf()
+  Reported-by: Dan Fandrich
+  Bug: https://github.com/curl/curl/pull/1758#issuecomment-324861615
 
-- email: Removed hard returns from init functions
-
-Daniel Stenberg (9 Mar 2013)
-- curl_multi_wait: avoid second loop if nothing to do
+- darwinssl: handle long strings in TLS certs
   
-  ... hopefully this will also make clang-analyzer stop warning on
-  potentional NULL dereferences (which were false positives anyway).
-
-- multi_runsingle: avoid NULL dereference
+  ... as the previous fixed length 128 bytes buffer was sometimes too
+  small.
   
-  When Curl_do() returns failure, the connection pointer could be NULL so
-  the code path following needs to that that into account.
+  Fixes #1823
+  Closes #1831
   
-  Bug: http://curl.haxx.se/mail/lib-2013-03/0062.html
-  Reported by: Eric Hu
+  Reported-by: Benjamin Sergeant
+  Assisted-by: Bill Pyne, Ray Satiro, Nick Zitzmann
 
-Steve Holme (9 Mar 2013)
-- imap: Re-factored all perform based functions
+- system.h: include sys/poll.h for AIX
   
-  Standardised the naming of all perform based functions to be in the form
-  imap_perform_something().
-
-Daniel Stenberg (9 Mar 2013)
-- [Cédric Deltheil brought this change]
-
-  examples/getinmemory.c: abort the transfer if not enough memory
+  ... to get the event/revent defines that might be used for the poll
+  struct.
   
-  No more use exit(3) but instead tell libcurl that no byte has been
-  written to let it return a `CURLE_WRITE_ERROR`. In addition, check
-  curl easy handle return code.
+  Reported-by: Michael Smith
+  Fixes #1828
+  Closes #1833
 
-- RELEASE-NOTES: synced with ca3c0ed3a9c
+Dan Fandrich (26 Aug 2017)
+- tests: Make sure libtests & unittests call curl_global_cleanup()
   
-  8 more bugfixes, one change and a bunch of contributors
+  These were missed in commit c468c27b.
 
-Yang Tse (9 Mar 2013)
-- Makefile.am: empty AM_LDFLAGS definition for automake 1.7 compatibility
+Jay Satiro (26 Aug 2017)
+- [theantigod brought this change]
 
-Steve Holme (9 Mar 2013)
-- imap: Added description comments to all perform based functions
-
-- imap: Removed the need for separate custom request functions
+  winbuild: fix embedded manifest option
   
-  Moved the custom request processing into the LIST command as the logic
-  is the same.
-
-- imap: Corrected typo in comment
-
-Yang Tse (9 Mar 2013)
-- Makefile.am: empty AM_LDFLAGS definition for automake 1.7 compatibility
+  Embedded manifest option didn't work due to incorrect path.
+  
+  Fixes https://github.com/curl/curl/issues/1832
 
-Steve Holme (9 Mar 2013)
-- imap: Moved imap_logout() to be grouped with the other perform functions
+Daniel Stenberg (25 Aug 2017)
+- fuzz/Makefile.am: remove curlbuild.h leftovers
 
-- email: Updated the function descriptions for the logout / quit functions
-  
-  Updated the function description comments following commit 4838d196fdbf.
+- examples/threaded-ssl: mention that this is for openssl before 1.1
 
-- email: Simplified the logout / quit functions
-  
-  Moved the blocking state machine to the disconnect functions so that the
-  logout / quit functions are only responsible for sending the actual
-  command needed to logout or quit.
+- imap: use defined names for response codes
   
-  Additionally removed the hard return on failure.
-
-- email: Tidied up the *_regular_transfer() functions
+  When working on this code I found the previous setup a bit weird while
+  using proper defines increases readability.
   
-  Added comments and simplified convoluted dophase_done comparison.
-
-- email: Simplified nesting of if statements in *_doing() functions
+  Closes #1824
 
-Daniel Stenberg (8 Mar 2013)
-- RELEASE-NOTES: mention that krb4 is up for consideration
+- CURLOPT_USERPWD.3: see also CURLOPT_PROXYUSERPWD
 
-Steve Holme (8 Mar 2013)
-- imap: Fixed handling of untagged responses for the STORE custom command
+- imap: support PREAUTH
   
-  Added an exception, for the STORE command, to the untagged response
-  processor in imap_endofresp() as servers will back respones containing
-  the FETCH keyword instead.
-
-Yang Tse (8 Mar 2013)
-- curlbuild.h.dist: enhance non-configure GCC ABI detection logic
+  It is a defined possible greeting at server startup that means the
+  connection is already authenticated. See
+  https://tools.ietf.org/html/rfc3501#section-7.1.4
   
-  GCC specific adjustments:
+  Test 846 added to verify.
   
-  - check __ILP32__ before 32 and 64bit processor architectures in
-    order to detect ILP32 programming model on 64 bit processors
-    which, of course, also support LP64 programming model, when using
-    gcc 4.7 or newer.
+  Fixes #1818
+  Closes #1820
+
+Jay Satiro (23 Aug 2017)
+- config-tpf: define SIZEOF_LONG
   
-  - keep 32bit processor architecture checks in order to support gcc
-    versions older than 4.7 which don't define __ILP32__
+  Recent changes that replaced CURL_SIZEOF_LONG in the source with
+  SIZEOF_LONG broke builds that use the premade configuration files and
+  don't have SIZEOF_LONG defined.
   
-  - check __LP64__ for gcc 3.3 and newer, while keeping 64bit processor
-    architecture checks for older versions which don't define __LP64__
+  Bug: https://github.com/curl/curl/issues/1816
 
-- curlbuild.h.dist: fix GCC build on ARM systems without configure script
-  
-  Bug: http://curl.haxx.se/bug/view.cgi?id=1205
-  Reported by: technion
+Dan Fandrich (23 Aug 2017)
+- test1453: Fixed <features>
 
+Daniel Stenberg (22 Aug 2017)
 - [Gisle Vanem brought this change]
 
-  polarssl.c: fix header filename typo
-
-- configure: use XC_LIBTOOL for portability across libtool versions
-
-- xc-lt-iface.m4: provide XC_LIBTOOL macro
-
-Steve Holme (7 Mar 2013)
-- imap: Fixed SELECT not being performed for custom requests
-
-- email: Minor code tidy up following recent changes
+  config-dos: add missing defines, SIZEOF_* and two others
   
-  Removed unwanted braces and added variable initialisation.
-
-- DOCS: Corrected the IMAP URL grammar of the UIDVALIDITY parameter
+  Bug: #1816
 
-- FEATURES: Provided a little clarity in some IMAP features
-
-- email: Optimised block_statemach() functions
+- curl: shorten and clean up CA cert verification error message
   
-  Optimised the result test in each of the block_statemach() functions.
-
-- DOCS: Added the list command to the IMAP URL section
+  The previous message was just too long for ordinary people and it was
+  encouraging users to use `--insecure` a little too easy.
   
-  Added examples of the list command and clarified existing example URLs
-  following recent changes.
-
-- FEATURES: Updated for recent imap additions
+  Based-on-work-by: Frank Denis
   
-  Updated the imap features list, corrected a typo in the smtp features
-  and clarified a pop3 feature.
+  Closes #1810
+  Closes #1817
 
-Daniel Stenberg (7 Mar 2013)
-- version bump: the next release will be 7.30.0
+- request-target.d: mention added in 7.55.0
 
-- checksrc: ban unsafe functions
+Marcel Raad (22 Aug 2017)
+- tool_main: turn off MinGW CRT's globbing
   
-  The list of unsafe functions currently consists of sprintf, vsprintf,
-  strcat, strncat and gets.
+  By default, the MinGW CRT globs command-line arguments. This prevents
+  getting a single asterisk into an argument as test 1299 does. Turn off
+  globbing by setting the global variable _CRT_glob to 0 for MinGW.
   
-  Subsequently, some existing code needed updating to avoid warnings on
-  this.
+  Fixes https://github.com/curl/curl/issues/1751
+  Closes https://github.com/curl/curl/pull/1813
 
-Steve Holme (7 Mar 2013)
-- RELEASE-NOTES: Added missing imap fixes and additions
+Viktor Szakats (22 Aug 2017)
+- makefile.m32: add support for libidn2
   
-  With all the recent imap changes it wasn't clear what new features and
-  fixes should be included in the release notes.
-
-Nick Zitzmann (6 Mar 2013)
-- RELEASE-NOTES: brought this up-to-date with the latest changes
-
-Steve Holme (6 Mar 2013)
-- [Jiri Hruska brought this change]
-
-  imap: Fixed test801 and test1321 to specify a message UID
+  libidn was replaced with libidn2 last year in configure.
+  Caveat: libidn2 may depend on a list of further libs.
+  These can be manually specified via CURL_LDFLAG_EXTRAS.
   
-  Just a folder list would be retrieved if UID was not specified now.
+  Closes https://github.com/curl/curl/pull/1815
 
-- [Jiri Hruska brought this change]
-
-  imap: Fixed ftpserver.pl to allow verification even through LIST command
-  
-  Commit 198012ee inadvertently broke LIST_imap().
+Jay Satiro (22 Aug 2017)
+- [Viktor Szakats brought this change]
 
-- imap: Tidied up the APPEND and final APPEND response functions
+  config-win32: define SIZEOF_LONG
   
-  Removed unnecessary state changes on failure and setting of result codes
-  on success.
-
-- imap: Tidied up the final FETCH response function
+  Recent changes that replaced CURL_SIZEOF_LONG in the source with
+  SIZEOF_LONG broke builds that use the premade configuration files and
+  don't have SIZEOF_LONG defined.
   
-  Removed unnecessary state change on failure and setting of result code on
-  success.
+  Closes https://github.com/curl/curl/pull/1814
 
-- imap: Tidied up the LIST response function
+Daniel Stenberg (20 Aug 2017)
+- cmake: enable picky compiler options with clang and gcc
   
-  Reworked comments as they referenced custom commands, removed
-  unnecessary state change on failure and setting of result code on
-  success.
+  closes #1799
 
-- imap: Removed the custom request response function
+- curl/system.h: fix build for hppa
   
-  Removed imap_state_custom_resp() as imap_state_list_resp() provides the
-  same functionality.
-
-- [Jiri Hruska brought this change]
+  Reported-by: John David Anglin
+  Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872502#10
 
-  imap: Updated ftpserver.pl to be more compliant, added new commands
-  
-  Enriched IMAP capabilities of ftpserver.pl in order to be able to
-  add tests for the new IMAP features.
-  
-  * Added support for APPEND - Saves uploaded data to log/upload.$testno
-  * Added support for LIST - Returns the contents of <reply/> section in
-    the current test, like e.g FETCH.
-  * Added support for STORE - Returns hardcoded updated flags
-  * Changed handling of SELECT - Returns much more information in the
-    usual set of untagged responses; uses hardcoded data from an example
-    in the IMAP RFC
-  * Changed handling of FETCH - Fixed response format
+- [Even Rouault brought this change]
 
-- imap: Added check for empty UID in FETCH command
+  tftp: fix memory leak on too long filename
   
-  As the UID has to be specified by the user for the FETCH command to work
-  correctly, added a check to imap_fetch(), although strictly speaking it
-  is protected by the call from imap_perform().
-
-Kamil Dudka (6 Mar 2013)
-- nss: fix misplaced code enabling non-blocking socket mode
+  Fixes
   
-  The option needs to be set on the SSL socket.  Setting it on the model
-  takes no effect.  Note that the non-blocking mode is still not enabled
-  for the handshake because the code is not yet ready for that.
-
-Daniel Stenberg (6 Mar 2013)
-- imap: fix compiler warning
+  $ valgrind --leak-check=full ~/install-curl-git/bin/curl tftp://localhost/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaz
   
-  imap.c:694:21: error: unused variable 'imapc' [-Werror=unused-variable]
-
-Steve Holme (5 Mar 2013)
-- imap: Added support for list command
-
-- imap: Added list perform and response handler functions
-
-- imap: Introduced IMAP_LIST state
-
-- imap: Small tidy up of imap_select() to match imap_append()
+  ==9752== Memcheck, a memory error detector
+  ==9752== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
+  ==9752== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
+  ==9752== Command: /home/even/install-curl-git/bin/curl tftp://localhost/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaz
+  ==9752==
+  curl: (71) TFTP file name too long
   
-  Updated the style of imap_select() before adding the LIST command.
-
-- imap: Moved mailbox check from the imap_do() function
+  ==9752==
+  ==9752== HEAP SUMMARY:
+  ==9752== 505 bytes in 1 blocks are definitely lost in loss record 11 of 11
+  ==9752==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
+  ==9752==    by 0x4E61CED: Curl_urldecode (in /home/even/install-curl-git/lib/libcurl.so.4.4.0)
+  ==9752==    by 0x4E75868: tftp_state_machine (in /home/even/install-curl-git/lib/libcurl.so.4.4.0)
+  ==9752==    by 0x4E761B6: tftp_do (in /home/even/install-curl-git/lib/libcurl.so.4.4.0)
+  ==9752==    by 0x4E711B6: multi_runsingle (in /home/even/install-curl-git/lib/libcurl.so.4.4.0)
+  ==9752==    by 0x4E71D00: curl_multi_perform (in /home/even/install-curl-git/lib/libcurl.so.4.4.0)
+  ==9752==    by 0x4E6950D: curl_easy_perform (in /home/even/install-curl-git/lib/libcurl.so.4.4.0)
+  ==9752==    by 0x40E0B7: operate_do (in /home/even/install-curl-git/bin/curl)
+  ==9752==    by 0x40E849: operate (in /home/even/install-curl-git/bin/curl)
+  ==9752==    by 0x402693: main (in /home/even/install-curl-git/bin/curl)
   
-  In preparation for the addition of the LIST command, moved the mailbox
-  check from imap_do() to imap_select() and imap_append().
-
-- curl_setup.h: Added S_IRDIR() macro for compilers that don't support it
+  Fixes https://oss-fuzz.com/v2/testcase-detail/5232311106797568
+  Credit to OSS Fuzz
   
-  Commit 26eaa8383001 introduces the use of S_ISDIR() yet some compilers,
-  such as MSVC don't support it, so we must define a substitute using
-  file flags and mask.
+  Closes #1808
 
-Daniel Stenberg (4 Mar 2013)
-- AddFormData: prevent only directories from being posted
+Dan Fandrich (19 Aug 2017)
+- runtests: fixed case insensitive matching of keywords
   
-  Commit f4cc54cb4746ae5a6d (shipped as part of the 7.29.0 release) was a
-  bug fix that introduced a regression in that while trying to avoid
-  allowing directory names, it also forbade "special" files like character
-  devices and more. like "/dev/null" as was used by Oliver who reported
-  this regression.
-  
-  Reported by: Oliver Gondža
-  Bug: http://curl.haxx.se/mail/archive-2013-02/0040.html
+  Commit 5c2aac71 didn't work in the case of mixed-case keywords given on
+  the command-line.
 
-Nick Zitzmann (3 Mar 2013)
-- darwinssl: fix infinite loop if server disconnected abruptly
-  
-  If the server hung up the connection without sending a closure alert,
-  then we'd keep probing the socket for data even though it's dead. Now
-  we're ready for this situation.
+- tests: Make sure libtests call curl_global_cleanup()
   
-  Bug: http://curl.haxx.se/mail/lib-2013-03/0014.html
-  Reported by: Aki Koskinen
+  This ensures that global data allocations are freed so Valgrind stays
+  happy. This was a problem with at least PolarSSL and mbedTLS.
 
-Steve Holme (3 Mar 2013)
-- imap: Added comments to imap_append()
+Daniel Stenberg (18 Aug 2017)
+- RELEASE-NOTES: synced with 8baead425
 
-- [Jiri Hruska brought this change]
+- scripts/contri*sh: use "git log --use-mailmap"
 
-  imap: Added required mailbox check for FETCH and APPEND commands
+- mailmap: de-duplify some git authors
 
-- pingpong.c: Fix enumerated type mixed with another type
-
-- smtp: Updated the coding style for state changes after a send operation
+- http2_recv: return error better on fatal h2 errors
   
-  Some state changes would be performed after a failure test that
-  performed a hard return, whilst others would be performed within a test
-  for success. Updated the code, for consistency, so all instances are
-  performed within a success test.
+  Ref #1012
+  Figured-out-by: Tatsuhiro Tsujikawa
 
-- pop3: Updated the coding style for state changes after a send operation
+- KNOWN_BUGS: HTTP test server 'connection-monitor' problems
   
-  Some state changes would be performed after a failure test that
-  performed a hard return, whilst others would be performed within a test
-  for success. Updated the code, for consistency, so all instances are
-  performed within a success test.
-
-- imap: Fixed typo in variable assignment
+  Closes #868
 
-- [Jiri Hruska brought this change]
-
-  imap: Fixed custom request handling in imap_done()
+- curl/system.h: check for __ppc__ as well
   
-  Fixed imap_done() so that neither the FINAL states are not entered when
-  a custom command has been performed.
-
-- [Jiri Hruska brought this change]
-
-  imap: Enabled custom requests in imap_select_resp()
+  ... regression since issue #1774 (commit 10b3df10596a) since obviously
+  some older gcc doesn't know __powerpc__ while some newer doesn't know
+  __ppc__ ...
   
-  Changed imap_select_resp() to invoke imap_custom() instead of
-  imap_fetch() after the mailbox has been selected if a custom
-  command has been set.
+  Fixes #1797
+  Closes #1798
+  Reported-by: Ryan Schmidt
 
-- [Jiri Hruska brought this change]
+- [Jan Alexander Steffens (heftig) brought this change]
 
-  imap: Enabled custom requests in imap_perform()
+  http: Don't wait on CONNECT when there is no proxy
   
-  Modified imap_perform() to start with the custom command instead of
-  SELECT when a custom command is to be performed and no mailbox has
-  been given.
-
-- [Jiri Hruska brought this change]
-
-  imap: Added custom request perform and response handler functions
+  Since curl 7.55.0, NetworkManager almost always failed its connectivity
+  check by timeout. I bisected this to 5113ad04 (http-proxy: do the HTTP
+  CONNECT process entirely non-blocking).
   
-  Added imap_custom(), which initiates the custom command processing,
-  and an associated response handler imap_state_custom_resp(), which
-  handles any responses by sending them to the client as body data.
+  This patch replaces !Curl_connect_complete with Curl_connect_ongoing,
+  which returns false if the CONNECT state was left uninitialized and lets
+  the connection continue.
   
-  All untagged responses with the same name as the first word of the
-  custom request string are accepted, with the exception of SELECT and
-  EXAMINE which have responses that cannot be easily identified. An
-  extra check has been provided for them so that any untagged responses
-  are accepted for them.
-
-- pop3: Fixed unnecessary parent structure reference
+  Closes #1803
+  Fixes #1804
   
-  Updated pop3 code following recent imap changes.
+  Also-fixed-by: Gergely Nagy
 
-- [Jiri Hruska brought this change]
+- [Johannes Schindelin brought this change]
 
-  imap: Added custom request parsing
+  metalink: adjust source code style
   
-  Added imap_parse_custom_request() for parsing the CURLOPT_CUSTOMREQUEST
-  parameter which URL decodes the value and separates the request from
-  any parameters - This makes it easier to filter untagged responses
-  by the request command.
+  Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
 
-- [Jiri Hruska brought this change]
+- CURL_SIZEOF_LONG: removed, use only SIZEOF_LONG
 
-  imap: Introduced custom request parameters
-  
-  Added custom request parameters to the per-request structure.
+- lib557: no longer use CURL_SIZEOF_* defines
 
-- [Jiri Hruska brought this change]
+- config-win32: define SIZEOF_CURL_OFF_T
 
-  imap: Introduced IMAP_CUSTOM state
+- cmake: sizeof curl_off_t, remove unused detections
 
-- imap: Minor code tidy up
+- system.h: remove all CURL_SIZEOF_* defines
   
-  Minor tidy up of code layout and comments following recent changes.
-
-- imap: Simplified the imap_state_append_resp() function
+  ... as they're not used externally and internally we check for the sizes
+  already in configure etc.
   
-  Introduced the result code variable to simplify the state changes and
-  remove the hard returns.
+  Closes #1767
 
-- imap: Changed successful response logic in imap_state_append_resp()
+- ftp: fix CWD when doing multicwd then nocwd on same connection
   
-  For consistency changed the logic of the imap_state_append_resp()
-  function to test for an unsucessful continuation response rather than a
-  succesful one.
+  Fixes #1782
+  Closes #1787
+  Reported-by: Peter Lamare
 
-- imap: Standardised imapcode condition tests
+- CURLOPT_SSH_COMPRESSION.3: enable with 1L
   
-  For consistency changed two if(constant != imapcode) tests to be
-  if(imapcode != constant).
+  (leaves other values reserved for the future)
 
-- imap: Moved imap_append() to be with the other perform functions
+- compressed-ssh.d: "Added: 7.56.0"
 
-- [Jiri Hruska brought this change]
+- curl/system.h: checksrc compliance
 
-  imap: Enabled APPEND support in imap_perform()
-  
-  Added logic in imap_perform() to perform an APPEND rather than SELECT
-  and FETCH if an upload has been specified.
-
-- [Jiri Hruska brought this change]
+Jay Satiro (17 Aug 2017)
+- [Viktor Szakats brought this change]
 
-  imap: Implemented APPEND final processing
+  ssh: add the ability to enable compression (for SCP/SFTP)
   
-  The APPEND operation needs to be performed in several steps:
-    1) We send "<tag> APPEND <mailbox> <flags> {<size>}\r\n"
-    2) Server responds with continuation respose "+ ...\r\n"
-    3) We start the transfer and send <size> bytes of data
-    4) Only now we end the request command line by sending "\r\n"
-    5) Server responds with "<tag> OK ...\r\n"
+  The required low-level logic was already available as part of
+  `libssh2` (via `LIBSSH2_FLAG_COMPRESS` `libssh2_session_flag()`[1]
+  option.)
   
-  This commit performs steps 4 and 5, in the DONE phase, as more
-  processing is required after the transfer.
-
-- [Jiri Hruska brought this change]
-
-  imap: Added APPEND perform and response handler functions
+  This patch adds the new `libcurl` option `CURLOPT_SSH_COMPRESSION`
+  (boolean) and the new `curl` command-line option `--compressed-ssh`
+  to request this `libssh2` feature. To have compression enabled, it
+  is required that the SSH server supports a (zlib) compatible
+  compression method and that `libssh2` was built with `zlib` support
+  enabled.
   
-  Added imap_append() function to initiate upload and imap_append_resp()
-  to handle the continuation response and start the transfer.
-
-- [Jiri Hruska brought this change]
-
-  imap: Introduced IMAP_APPEND and IMAP_APPEND_FINAL states
-
-- [Jiri Hruska brought this change]
-
-  imap: Updated setting of transfer variables in imap_state_fetch_resp()
+  [1] https://www.libssh2.org/libssh2_session_flag.html
   
-  Add number of bytes retrieved from the PP cache to req.bytecount and set
-  req.maxdownload only when starting a proper download.
+  Ref: https://github.com/curl/curl/issues/1732
+  Closes https://github.com/curl/curl/pull/1735
 
-- [Jiri Hruska brought this change]
+- examples/ftpuploadresume: checksrc compliance
 
-  imap: Improved FETCH response parsing
-  
-  Added safer parsing of the untagged FETCH response line and the size of
-  continuation data.
+- [Maksim Stsepanenka brought this change]
 
-- imap: Fixed accidentally lossing the result code
+  http_proxy: fix build error for CURL_DOES_CONVERSIONS
   
-  Accidentally lost the result code in imap_state_capability() and
-  imap_state_login() with commit b06a78622609.
+  Closes https://github.com/curl/curl/pull/1793
 
-- imap: Another minor comment addition / tidy up
+GitHub (16 Aug 2017)
+- [Nick Zitzmann brought this change]
 
-- imap: Updated the coding style for state changes after a send operation
+  configure: check for __builtin_available() availability (#1788)
   
-  Some state changes would be performed after a failure test that
-  performed a hard return, whilst others would be performed within a test
-  for success. Updated the code, for consistency, so all instances are
-  performed within a success test.
+  This change does two things:
+  1. It un-breaks the build in Xcode 9.0. (Xcode 9.0 is currently
+     failing trying to compile connectx() in lib/connect.c.)
+  2. It finally weak-links the connectx() function, and falls back on
+     connect() when run on older operating systems.
 
-- pop3 / smtp: Small comment tidy up
+Daniel Stenberg (16 Aug 2017)
+- travis: add metalink to some osx builds
   
-  Small tidy up to keep some comments consistant across each of the email
-  protocols.
+  Closes #1790
 
-- [Jiri Hruska brought this change]
+- [Max Dymond brought this change]
 
-  imap: FETCH response handler cleanup before further changes
+  coverage: Use two coveralls commands to get lib/vtls results
   
-  Removed superfluous NULL assignment after Curl_safefree() and rewrote
-  some comments and logging messages.
-
-- pop3: Small tidy up of function arguments
-
-- imap: Small tidy up of function arguments
+  closes #1747
 
-- smtp: Corrected debug message for POP3_AUTH_FINAL constant
-  
-  Following commit ad3177da24b8 corrected the debug message in state()
-  from AUTH to AUTH_FINAL.
+- darwinssi: fix error: variable length array used
 
-- pop3: Corrected debug message for POP3_AUTH_FINAL constant
+- m4/curl-compilers.m4: use proper quotes around string, not backticks
   
-  Following commit afad1ce753a1 corrected the debug message in state()
-  from AUTH to AUTH_FINAL.
-
-- imap: Corrected debug message for IMAP_AUTHENTICATE_FINAL constant
+  ... when setting clang version to assume 3.7
   
-  Following commit 13006f3de9ec corrected the debug message in state()
-  from AUTHENTICATE to AUTHENTICATE_FINAL.
+  Caused a lot of "integer expression expected" warnings by configure.
 
-- [Jiri Hruska brought this change]
+- [Benbuck Nason brought this change]
 
-  imap: Fixed error code returned for invalid FETCH response
+  cmake: remove dead code for DISABLED_THREADSAFE
   
-  If the FETCH command does not result in an untagged response the the
-  UID is probably invalid. As such do not return CURLE_OK.
+  Closes #1786
 
-- [Jiri Hruska brought this change]
+Jay Satiro (15 Aug 2017)
+- [Jakub Zakrzewski brought this change]
 
-  imap: Added processing of the final FETCH responses
+  curl-confopts.m4: fix --disable-threaded-resolver
   
-  Not processing the final FETCH responses was not optimal, not only
-  because the response code would be ignored but it would also leave data
-  unread on the socket which would prohibit connection reuse.
+  Closes https://github.com/curl/curl/issues/1784
 
-- [Jiri Hruska brought this change]
+Daniel Stenberg (15 Aug 2017)
+- [Ryan Winograd brought this change]
 
-  imap: Introduced FETCH_FINAL state for processing final fetch responses
+  progress: Track total times following redirects
   
-  A typical FETCH response can be broken down into four parts:
+  Update the progress timers `t_nslookup`, `t_connect`, `t_appconnect`,
+  `t_pretransfer`, and `t_starttransfer` to track the total times for
+  these activities when a redirect is followed. Previously, only the times
+  for the most recent request would be tracked.
   
-    1) "* <uid> FETCH (<what> {<size>}\r\n", using continuation syntax
-    2) <size> bytes of the actual message
-    3) ")\r\n", finishing the untagged response
-    4) "<tag> OK ...", finishing the command
+  Related changes:
   
-  Part 1 is read in imap_fetch_resp(), part 2 is consumed in the PERFORM
-  phase by the transfer subsystem, parts 3 and 4 are currently ignored.
-
-- imap: fix autobuild warning
+    - Rename `Curl_pgrsResetTimesSizes` to `Curl_pgrsResetTransferSizes`
+      now that the function only resets transfer sizes and no longer
+      modifies any of the progress timers.
   
-  Removed whitespace from imap_perform()
-
-- imap: fix compiler warning
+    - Add a bool to the `Progress` struct that is used to prevent
+      double-counting `t_starttransfer` times.
   
-  error: declaration of 'imap' shadows a previous local
-
-- smtp: Re-factored the final SMTP_AUTH constant
+  Added test case 1399.
   
-  Changed the final SMTP_AUTH constant to SMTP_AUTH_FINAL for consistency
-  with the response function.
+  Fixes #522 and Known Bug 1.8
+  Closes #1602
+  Reported-by: joshhe on github
 
-- pop3: Re-factored the final POP3_AUTH constant
-  
-  Changed the final POP3_AUTH constant to POP3_AUTH_FINAL for consistency
-  with the response function.
+- [Benbuck Nason brought this change]
 
-- imap: Re-factored final IMAP_AUTHENTICATE constant
+  cmake: remove dead code for CURL_DISABLE_RTMP
   
-  Changed the final IMAP_AUTHENTICATE constant to IMAP_AUTHENTICATE_FINAL
-  for consistency with the response function.
+  Closes #1785
 
-- imap: Updated the coding style of imap_state_servergreet_resp()
+Kamil Dudka (15 Aug 2017)
+- zsh.pl: produce a working completion script again
   
-  Updated the coding style, in this function, to be consistant with other
-  response functions rather then performing a hard return on failure.
-
-- imap: Reversed the logic of the (un)successful tagged SELECT response
+  Commit curl-7_54_0-118-g8b2f22e changed the output format of curl --help
+  to use <file> and <dir> instead of FILE and DIR, which caused zsh.pl to
+  produce a broken completion script:
   
-  Reversed the logic of the unsuccessful vs successful tagged SELECT
-  response in imap_state_select_resp() to be more logical to read.
-
-- imap: Reversed the logic of the (un)successful tagged CAPABILITY response
+  % curl --<TAB>
+  _curl:10: no such file or directory: seconds
   
-  Reversed the logic of the unsuccessful vs successful tagged CAPABILITY
-  response in imap_state_capability_resp() to be more logical to read.
+  Closes #1779
 
-- imap: Corrected char* references with char *
-  
-  Corrected char* references made in commit: 709b3506cd9b.
+Daniel Stenberg (15 Aug 2017)
+- curlver: toward 7.56.0?
 
-- [Jiri Hruska brought this change]
+- RELEASE-NOTES: synced with 91c46dc44
 
-  imap: Added processing of more than one response when sent in same packet
-  
-  Added a loop to imap_statemach_act() in which Curl_pp_readresp() is
-  called until the cache is drained. Without this multiple responses
-  received in a single packet could result in a hang or delay.
+- test1449: FTP download range with an too large size
 
-- [Jiri Hruska brought this change]
+- strtoofft: reduce integer overflow risks globally
+  
+  ... make sure we bail out on overflows.
+  
+  Reported-by: Brian Carpenter
+  Closes #1758
 
-  imap: Added skipping of SELECT command if already in the same mailbox
+- travis: build the examples too
   
-  Added storage and checking of the last mailbox userd to prevent
-  unnecessary switching.
+  to make sure they keep building warning-free
+  
+  Closes #1777
 
-- [Jiri Hruska brought this change]
+- runtests: match keywords case insensitively
 
-  imap: Introduced the mailbox variable
+- examples/ftpuploadresume.c: use portable code
   
-  Added the mailbox variable to the per-connection structure in
-  preparation for checking for an already selected mailbox.
+  ... converted from the MS specific _snscanf()
 
-- email: Slight reordering of connection based variables
-  
-  Reordered the state and ssl_done variables in order to provide more
-  consistency between the email protocols as well as for for an upcoming
-  change.
+Version 7.55.1 (13 Aug 2017)
 
-- imap: Tidied up comments for connection based variables
+Daniel Stenberg (13 Aug 2017)
+- RELEASE-NOTES/THANKS: curl 7.55.1 release time
 
-- DOCS: Added the IMAP UIDVALIDITY property to the CURLOPT_URL section
+- gitignore: ignore .xz now instead of .lzma
 
-- [Jiri Hruska brought this change]
+- [Sergei Nikulov brought this change]
 
-  imap: Added verification of UIDVALIDITY mailbox attribute
+  cmake: Threads detection update. ref: #1702
   
-  Added support for checking the UIDVALIDITY, and aborting the request, if
-  it has been specified in the URL and the server response is different.
-
-- [Jiri Hruska brought this change]
+  Closes #1719
 
-  imap: Added support for parsing the UIDVALIDITY property
+- ipv6_scope: support unique local addresses
   
-  Added support for parsing the UIDVALIDITY property from the SELECT
-  response and storing it in the per-connection structure.
+  Fixes #1764
+  Closes #1773
+  Reported-by: James Slaughter
 
-- [Jiri Hruska brought this change]
+- [Alex Potapenko brought this change]
 
-  imap: Introduced the mailbox_uidvalidity variable
+  curl/system.h: GCC doesn't define __ppc__ on PowerPC, uses __powerpc__
   
-  Added the mailbox_uidvalidity variable to the per-connection structure
-  in preparation for checking the UIDVALIDITY mailbox attribute.
+  Closes #1774
 
-- imap: Corrected comment in imap_endofresp()
-
-- imap: Corrected whitespace
+- test1448: verify redirect to IDN using URL
+  
+  Closes #1772
 
-- [Jiri Hruska brought this change]
+- [Salah-Eddin Shaban brought this change]
 
-  imap: Added filtering of CAPABILITY and FETCH untagged responses
+  redirect: skip URL encoding for host names
   
-  Only responses that contain "CAPABILITY" and "FETCH", respectively,
-  will be sent to their response handler.
+  This fixes redirects to IDN URLs
+  
+  Fixes #1441
+  Closes #1762
+  Reported by: David Lord
 
-- [Jiri Hruska brought this change]
+- test2032: mark as flaky (again)
 
-  imap: Added a helper function for upcoming untagged response filtering
-  
-  RFC 3501 states that "the client MUST be prepared to accept any response
-  at all times" yet we assume anything received with "* " at the beginning
-  is the untagged response we want.
+- travis: test cmake build on tarball too
   
-  Introduced a helper function that checks whether the input looks like a
-  response to specified command, so that we may filter the ones we are
-  interested in according to the current state.
+  Could've prevented #1755
 
-- [Jiri Hruska brought this change]
+- [Simon Warta brought this change]
 
-  imap: Moved CAPABILITY response handling to imap_state_capability_resp()
+  cmake: allow user to override CMAKE_DEBUG_POSTFIX
   
-  Introduced similar handling to the FETCH responses, where even the
-  untagged data responses are handled by the response handler of the
-  individual state.
+  Closes #1763
 
-Linus Nielsen Feltzing (26 Feb 2013)
-- Remove unused variable in smtp_state_data_resp()
+- connect-to.d: better language
 
-Steve Holme (25 Feb 2013)
-- email: Small tidy up following recent changes
+- connect-to.d: clarified
 
-- smtp: Removed bytecountp from the per-request structure
+- bagder/Curl_tvdiff_us: fix the math
   
-  Removed this pointer to a downloaded bytes counter because it was set in
-  smtp_init() to point to the same variable the transfer functions keep
-  the count in (k->bytecount), effectively making the code in transfer.c
-  "*k->bytecountp = k->bytecount" a no-op.
-
-- pop3: Removed bytecountp from the per-request structure
+  Regression since adef394ac5 (released in 7.55.0)
   
-  Removed this pointer to a downloaded bytes counter because it was set in
-  pop3_init() to point to the same variable the transfer functions keep
-  the count in (k->bytecount), effectively making the code in transfer.c
-  "*k->bytecountp = k->bytecount" a no-op.
-
-- [Jiri Hruska brought this change]
+  Reported-by: Han Qiao
+  Fixes #1769
+  Closes #1771
 
-  imap: Removed bytecountp from the per-request structure
+- curl/system.h: add Oracle Solaris Studio
   
-  Removed this pointer to a downloaded bytes counter because it was set in
-  imap_init() to point to the same variable the transfer functions keep
-  the count in (k->bytecount), effectively making the code in transfer.c
-  "*k->bytecountp = k->bytecount" a no-op.
+  Fixes #1752
 
-- [Jiri Hruska brought this change]
+- [Alessandro Ghedini brought this change]
 
-  imap: Adjusted SELECT and FETCH function order
+  docs: fix typo funtion -> function
   
-  Moved imap_select() and imap_fetch() to be grouped with the other
-  perform functions.
+  Closes #1770
 
-- [Jiri Hruska brought this change]
+Alessandro Ghedini (12 Aug 2017)
+- docs: fix grammar in CURL_SSLVERSION_MAX_DEFAULT description
 
-  imap: Adjusted SELECT and FETCH state order in imap_statemach_act()
-  
-  Exchanged the position of these states in the switch statements to
-  match the state enum, execution and function order.
+- docs: fix typo stuct -> struct
 
-- imap: Minor tidy up of comments in imap_parse_url_path()
-  
-  Tidy up of comments before next round of imap changes.
+Dan Fandrich (12 Aug 2017)
+- test1447: require a curl with http support
 
-- imap: Fixed incorrect comparison for STARTTLS in imap_endofresp()
-  
-  Corrected the comparison type in addition to commit 1dac29fa83a9.
+Daniel Stenberg (11 Aug 2017)
+- [Thomas Petazzoni brought this change]
 
-- DOCS: Corrected IMAP URL examples according to RFC5092
+  curl/system.h: support more architectures
   
-  URL examples that included the UID weren't technically correct although
-  would pass the curl parser.
-
-Nick Zitzmann (24 Feb 2013)
-- darwinssl: fix undefined $ssllib warning in runtests.pl
+  The long list of architectures in include/curl/system.h is annoying to
+  maintain, and needs to be extended for each and every architecture to
+  support.
   
-  I also added --with-darwinssl to the list of SSL options in configure.
-
-Steve Holme (24 Feb 2013)
-- imap: Added check for new internal imap response code
-
-- imap: Changed the order of the response types in imap_endofresp()
+  Instead, let's rely on the __SIZEOF_LONG__ define of the gcc compiler
+  (we are in the GNUC condition anyway), which tells us if long is 4
+  bytes or 8 bytes.
   
-  From a maintenance point of view the code reads better to view tagged
-  responses, then untagged followed by continuation responses.
+  This fixes the build of libcurl 7.55.0 on architectures such as
+  OpenRISC or ARC.
   
-  Additionally, this matches the order of responses in POP3.
-
-- [Jiri Hruska brought this change]
-
-  imap: Added stricter parsing of continuation responses
+  Closes #1766
   
-  Enhanced the parsing to only allow continuation responses in some
-  states.
-
-- imap: Simplified memcmp() in tagged response parsing
+  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
 
-- [Jiri Hruska brought this change]
-
-  imap: Reworked the logic of untagged command responses
-
-- imap: Corrected spacing of trailing brace
-
-- [Jiri Hruska brought this change]
-
-  imap: Added stricter parsing of tagged command responses
+- test2033: this went flaky again
   
-  Enhanced the parsing of tagged responses which must start with "OK",
-  "NO" or "BAD"
+  Suspicion: when we enabled the threaded resolver by default.
 
-- [Jiri Hruska brought this change]
+- test1447: verifies the parse proxy fix in 6e0e152ce5c
 
-  imap: Simplified command response test in imap_endofresp()
+- [Even Rouault brought this change]
 
-- [Jiri Hruska brought this change]
-
-  imap: Corrected comment in imap_endofresp()
-
-- DOCS: Corrected layout of POP3 and IMAP URL examples
+  parse_proxy(): fix memory leak in case of invalid proxy server name
   
-  Corrected layout issues with the POP3 and IMAP URL examples introduced
-  in commit cb3ae6894fb2.
-
-- DOCS: Updated CURLOPT_URL section following recent POP3 and IMAP changes
+  Fixes the below leak:
   
-  Updated the POP3 sub-section to refer to message ID rather than mailbox.
+  $ valgrind --leak-check=full ~/install-curl-git/bin/curl --proxy "http://a:b@/x" http://127.0.0.1
+  curl: (5) Couldn't resolve proxy name
+  ==5048==
+  ==5048== HEAP SUMMARY:
+  ==5048==     in use at exit: 532 bytes in 12 blocks
+  ==5048==   total heap usage: 5,288 allocs, 5,276 frees, 445,271 bytes allocated
+  ==5048==
+  ==5048== 2 bytes in 1 blocks are definitely lost in loss record 1 of 12
+  ==5048==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
+  ==5048==    by 0x4E6CB79: parse_login_details (url.c:5614)
+  ==5048==    by 0x4E6BA82: parse_proxy (url.c:5091)
+  ==5048==    by 0x4E6C46D: create_conn_helper_init_proxy (url.c:5346)
+  ==5048==    by 0x4E6EA18: create_conn (url.c:6498)
+  ==5048==    by 0x4E6F9B4: Curl_connect (url.c:6967)
+  ==5048==    by 0x4E86D05: multi_runsingle (multi.c:1436)
+  ==5048==    by 0x4E88432: curl_multi_perform (multi.c:2160)
+  ==5048==    by 0x4E7C515: easy_transfer (easy.c:708)
+  ==5048==    by 0x4E7C74A: easy_perform (easy.c:794)
+  ==5048==    by 0x4E7C7B1: curl_easy_perform (easy.c:813)
+  ==5048==    by 0x414025: operate_do (tool_operate.c:1563)
+  ==5048==
+  ==5048== 2 bytes in 1 blocks are definitely lost in loss record 2 of 12
+  ==5048==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
+  ==5048==    by 0x4E6CBB6: parse_login_details (url.c:5621)
+  ==5048==    by 0x4E6BA82: parse_proxy (url.c:5091)
+  ==5048==    by 0x4E6C46D: create_conn_helper_init_proxy (url.c:5346)
+  ==5048==    by 0x4E6EA18: create_conn (url.c:6498)
+  ==5048==    by 0x4E6F9B4: Curl_connect (url.c:6967)
+  ==5048==    by 0x4E86D05: multi_runsingle (multi.c:1436)
+  ==5048==    by 0x4E88432: curl_multi_perform (multi.c:2160)
+  ==5048==    by 0x4E7C515: easy_transfer (easy.c:708)
+  ==5048==    by 0x4E7C74A: easy_perform (easy.c:794)
+  ==5048==    by 0x4E7C7B1: curl_easy_perform (easy.c:813)
+  ==5048==    by 0x414025: operate_do (tool_operate.c:1563)
   
-  Added an IMAP sub-section with example URLs depicting the specification
-  of mailbox, uid and section.
-
-- pop3: Refactored the mailbox variable as it didn't reflect it's purpose
+  Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2984
+  Credit to OSS Fuzz for discovery
   
-  Updated the mailbox variable to correctly reflect it's purpose. The
-  name mailbox was a leftover from when IMAP and POP3 support was
-  initially added to curl.
+  Closes #1761
 
-- FEATURES: Updated following recent IMAP changes
+- RELEASE-NOTES: synced with 37f2195a9
 
-- [Jiri Hruska brought this change]
+- curlver: bump to 7.55.1
 
-  imap: Added the ability to FETCH a specific UID and SECTION
+- openssl: fix "error: this statement may fall through"
   
-  Updated the FETCH command to send the UID and SECTION parsed from the
-  URL. By default the BODY specifier doesn't include a section, BODY[] is
-  now sent whereas BODY[TEXT] was previously sent. In my opinion
-  retrieving just the message text is rarely useful when dealing with
-  emails, as the headers are required for example, so that functionality
-  is not retained. In can however be simulated by adding SECTION=TEXT to
-  the URL.
-  
-  Also updated test801 and test1321 due to the BODY change.
+  A gcc7 warning.
 
-- email: Additional tidy up of comments following recent changes
+- [David Benjamin brought this change]
 
-- smtp: Removed some FTP heritage leftovers
+  openssl: remove CONST_ASN1_BIT_STRING.
   
-  Removed user and passwd from the SMTP struct as these cannot be set on
-  a per-request basis and are leftover from legacy FTP code.
+  Just making the pointer as const works for the pre-1.1.0 path too.
   
-  Changed some comments still using FTP terminology.
+  Closes #1759
 
-- smtp: Moved the per-request variables to the per-request data structure
+- maketgz: remove old *.dist files before making the tarball
   
-  Moved the rcpt variable from the per-connection struct smtp_conn to the
-  new per-request struct and fixed references accordingly.
-
-- pop3: Introduced a custom SMTP structure for per-request data
+  To avoid "old crap" unintentionally getting shipped.
   
-  Created a new SMTP structure and changed the type of the smtp proto
-  variable in connectdata from FTP* to SMTP*.
-
-unknown (23 Feb 2013)
-- [Steve Holme brought this change]
-
-  imap: Minor correction of comments for max line length
-
-Daniel Stenberg (23 Feb 2013)
-- strcasestr: remove check for this unused function
+  Bug: https://curl.haxx.se/mail/lib-2017-08/0050.html
+  Reported-by: Christian Weisgerber
 
-- pop3: fix compiler warning
+Jay Satiro (10 Aug 2017)
+- mkhelp.pl: allow executing this script directly
   
-  error: declaration of 'pop3' shadows a previous local
-
-Steve Holme (23 Feb 2013)
-- [Jiri Hruska brought this change]
-
-  imap: Added URL parsing of new variables
+  - Enable execute permission (chmod +x)
   
-  Updated the imap_parse_url_path() function to parse uidvalidity, uid and
-  section parameters based on RFC-5092.
+  - Change interpreter to /usr/bin/env perl
+  
+  Ref: https://github.com/curl/curl/issues/1743
 
-- [Jiri Hruska brought this change]
+Daniel Stenberg (10 Aug 2017)
+- configure: use the threaded resolver backend by default if possible
+  
+  Closes #1647
 
-  imap: Introduced imap_is_bchar() function
+- cmake: move cmake_uninstall.cmake to CMake/
   
-  Added imap_is_bchar() for testing if a given character is a valid bchar
-  or not.
+  Closes #1756
 
-- [Jiri Hruska brought this change]
+- metalink: fix error: ‘*’ in boolean context, suggest ‘&&’ instead
 
-  imap: Introduced new per-request veriables
+- dist: fix the cmake build by shipping cmake_uninstall.cmake.in too
   
-  Added uidvalidity, uid and section variables to the per-request IMAP
-  structure in preparation for upcoming URL parsing.
+  Fixes #1755
 
-- pingpong: Renamed curl_ftptransfer to curl_pp_transfer
+- travis: verify "make install"
+  
+  Help-by: Jay Satiro
+  Closes #1753
 
-- pop3: Removed some FTP heritage leftovers
+Marcel Raad (10 Aug 2017)
+- build: check out *.sln files with Windows line endings
   
-  Removed user and passwd from the POP3 struct as these cannot be set on
-  a per-request basis and are leftover from legacy FTP code.
+  Visual Studio doesn't like LF line endings in solution files and always
+  converts them to CRLF when doing changes to the solution. Notably, this
+  affects the solutions in the release archive.
   
-  Changed some comments still using FTP terminology.
+  Closes https://github.com/curl/curl/pull/1746
 
-- pop3: Moved the per-request variables to the per-request data structure
+- gitignore: ignore top-level .vs folder
   
-  Moved the mailbox and custom request variables from the per-connection
-  struct pop3_conn to the new per-request struct and fixed references
-  accordingly.
-
-- pop3: Introduced a custom POP3 structure for per-request data
+  This folder is generated when using the CMake build system from within
+  Visual Studio.
   
-  Created a new POP3 structure and changed the type of the pop3 proto
-  variable in connectdata from FTP* to POP*.
+  Closes https://github.com/curl/curl/pull/1746
 
-- [Jiri Hruska brought this change]
-
-  imap: Fixed escaping of mailbox names
+Jay Satiro (10 Aug 2017)
+- digest_sspi: Don't reuse context if the user/passwd has changed
   
-  Used imap_atom() to escape mailbox names in imap_select().
-
-- pingpong: Moved curl_ftptransfer definition to pingpong.h
+  Bug: https://github.com/curl/curl/issues/1685
+  Reported-by: paulharris@users.noreply.github.com
   
-  Moved the ftp transfer structure into pingpong.h so other protocols that
-  require it don't have to include ftp.h.
-
-- urldata.h: Fixed comment for opt_no_body variable
+  Assisted-by: Isaac Boukris
   
-  Corrected comment for opt_no_body variable to CURLOPT_NOBODY.
-
-- email: Minor tidy up following IMAP changes
+  Closes https://github.com/curl/curl/pull/1742
 
-- [Jiri Hruska brought this change]
+Daniel Stenberg (9 Aug 2017)
+- [Adam Sampson brought this change]
 
-  imap: Removed more FTP leftovers
+  dist: Add dictserver.py/negtelnetserver.py to EXTRA_DIST
   
-  Changed some variables and comments still using FTP terminology.
-
-- [Jiri Hruska brought this change]
-
-  imap: Removed some FTP heritage leftovers
+  These weren't included in the 7.55.0 release, but are required in order
+  to run the full test suite.
   
-  Removed user and passwd from the IMAP struct as these cannot be set on
-  a per-request basis and are leftover from legacy FTP code.
+  Closes #1744
 
-- [Jiri Hruska brought this change]
+- [Adam Sampson brought this change]
 
-  imap: Introduced a custom IMAP structure for per-request data
+  curl: do bounds check using a double comparison
   
-  Created a new IMAP structure and changed the type of the imap proto
-  variable in connectdata from FTP* to the new IMAP*.
-  
-  Moved the mailbox variable from the per-connection struct imap_conn to
-  the new per-request struct and fixed references accordingly.
-
-- pop3: Updated do phrase clean-up comment
+  The fix for this in 8661a0aacc01492e0436275ff36a21734f2541bb wasn't
+  complete: if the parsed number in num is larger than will fit in a long,
+  the conversion is undefined behaviour (causing test1427 to fail for me
+  on IA32 with GCC 7.1, although it passes on AMD64 and ARMv7).  Getting
+  rid of the cast means the comparison will be done using doubles.
   
-  Following commit 65644b833532 for the IMAP module updated the clean-up
-  comment in POP3.
-
-- imap: Fixed memory leak when performing multiple selects
+  It might make more sense for the max argument to also be a double...
   
-  Moved the clean-up of the mailbox variable from imap_disconnect() to
-  imap_done() as this variable is allocated in the do phase, yet would
-  have only been freed only once if multiple selects where preformed
-  on a single connection.
+  Fixes #1750
+  Closes #1749
 
-Daniel Stenberg (22 Feb 2013)
-- [Alexander Klauer brought this change]
+- make install: add 8 missing man pages to the installation
 
-  Documentation: Typo in docs/CONTRIBUTE
+- build: fix 'make install' with configure, install docs/libcurl/* too
   
-  Fixes a typo get → git in docs/CONTRIBUTE.
-
-- [Alexander Klauer brought this change]
-
-  repository: ignore patch files generated by git
+  Broken since d24838d4da9faa
   
-  Ignores the patch files generated by the 'git format-patch' command.
+  Reported-by: Bernard Spil
 
-- [Alexander Klauer brought this change]
+Version 7.55.0 (9 Aug 2017)
 
-  libcurl documentation: clarifications and typos
-  
-  * Elaborates on default values of some curl_easy_setopt() options.
-  * Reminds the user to cast variadic arguments to curl_easy_setopt() to
-    'void *' where curl internally interprets them as such.
-  * Clarifies the working of the CURLOPT_SEEKFUNCTION option for
-    curl_easy_setopt().
-  * Fixes typo 'forth' → 'fourth'.
-  * Elaborates on CURL_SOCKET_TIMEOUT.
-  * Adds some missing periods.
-  * Notes that the return value of curl_version() must not be passed to
-    free().
+Daniel Stenberg (9 Aug 2017)
+- RELEASE-NOTES: curl 7.55.0
 
-- [Alexander Klauer brought this change]
+- THANKS: 20 new contributors in 7.55.0
 
-  lib/url.c: Generic read/write data pointers
-  
-  Always interprets the pointer passed with the CURLOPT_WRITEDATA or
-  CURLOPT_READDATA options of curl_easy_setopt() as a void pointer in
-  order to avoid problems in environments where FILE and void pointers
-  have non-trivial conversion.
+- [Viktor Szakats brought this change]
 
-- [Alexander Klauer brought this change]
+  docs/comments: Update to secure URL versions
+  
+  Closes #1741
 
-  libcurl documentation: updates HTML index
+- configure: fix recv/send/select detection on Android
+  
+  ... since they now provide several functions as
+  __attribute__((overloadable)), the argument detection logic need
+  updates.
+  
+  Patched-by: destman at github
   
-  * Adds several links to documentation of library functions which were
-    missing.
-  * Marks documentation of deprecated library functions "(deprecated)".
-  * Removes spurious .html suffixes.
+  Fixes #1738
+  Closes #1739
 
-- ossl_seed: avoid recursive seeding!
+Marcel Raad (8 Aug 2017)
+- ax_code_coverage.m4: update to latest version
+  
+  This updates the script to aad5ad5fedb306b39f901a899b7bd305b66c418d
+  from August 01, 2017. Notably, this removes the lconv version whitelist.
+  
+  Closes https://github.com/curl/curl/pull/1716
 
-Steve Holme (22 Feb 2013)
-- [Jiri Hruska brought this change]
+Daniel Stenberg (7 Aug 2017)
+- test1427: verify command line parser integer overflow detection
 
-  Fixed checking the socket if there is data waiting in the cache
+- curl: detect and bail out early on parameter integer overflows
   
-  Use Curl_pp_moredata() in Curl_pp_multi_statemach() to check if there is
-  more data to be received, rather than the socket state, as a task could
-  hang waiting for more data from the socket itself.
-
-- imap.c: Fixed an incorrect variable reference
+  Make the number parser aware of the maximum limit curl accepts for a
+  value and return an error immediately if larger, instead of running an
+  integer overflow later.
   
-  Fixed an incorrect variable reference which was introduced in commit
-  a1701eea289f as a result of a copy and paste from SMTP/POP3.
-
-- [Jiri Hruska brought this change]
+  Fixes #1730
+  Closes #1736
 
-  pingpong: Introduce Curl_pp_moredata()
+- glob: do not continue parsing after a strtoul() overflow range
   
-  A simple function to test whether the PP is not sending and there are
-  still more data in its receiver cache. This will be later utilized to:
+  Added test 1289 to verify.
   
-  1) Change Curl_pp_multi_statemach() and Curl_pp_easy_statemach() to
-     not test socket state and just call user's statemach_act() function
-     when there are more data to process, because otherwise the task would
-     just hang, waiting for more data from the socket.
+  CVE-2017-1000101
   
-  2) Allow PP users to read multiple responses by looping as long as there
-     are more data available and current phase is not finished.
-     (Currently needed for correct processing of IMAP SELECT responses.)
+  Bug: https://curl.haxx.se/docs/adv_20170809A.html
+  Reported-by: Brian Carpenter
 
-Nick Zitzmann (19 Feb 2013)
-- FEATURES: why yes, we do support metalink
+- tftp: reject file name lengths that don't fit
   
-  I just noticed Metalink support wasn't listed as a feature of the tool.
-
-- metalink: fix improbable crash parsing metalink filename
+  ... and thereby avoid telling send() to send off more bytes than the
+  size of the buffer!
   
-  The this_url pointer wasn't being initialized, so if strdup() would return
-  null when copying the filename in a metalink file, then hilarity would
-  ensue during the cleanup phase. This change was brought to you by clang,
-  which noticed this and raised a warning.
-
-Yang Tse (19 Feb 2013)
-- smtp.c: fix enumerated type mixed with another type
-
-- polarssl threadlock cleanup
-
-Nick Zitzmann (18 Feb 2013)
-- docs: schannel and darwinssl documentation improvements
+  CVE-2017-1000100
   
-  Schannel and darwinssl use the certificates built into the
-  OS to do vert verification instead of bundles. darwinssl
-  is thread-safe. Corrected typos in the NSS docs.
-
-Daniel Stenberg (18 Feb 2013)
-- resolver_error: remove wrong error message output
+  Bug: https://curl.haxx.se/docs/adv_20170809B.html
+  Reported-by: Even Rouault
   
-  The attempt to use gai_strerror() or alternative function didn't work as
-  the 'sock_error' field didn't contain the proper error code. But since
-  this hasn't been reported and thus isn't really a big deal I decided to
-  just scrap the whole attempt to output the detailed resolver error and
-  instead remain with just stating that the resolving of the name failed.
-
-- [Kim Vandry brought this change]
+  Credit to OSS-Fuzz for the discovery
 
-  Curl_resolver_is_resolved: show proper host name on failed resolve
+- [Even Rouault brought this change]
 
-- Curl_resolver_is_resolved: fix compiler warning
+  file: output the correct buffer to the user
   
-  conversion to 'int' from 'long int' may alter its value
-
-- compiler warning fix
+  Regression brought by 7c312f84ea930d8 (April 2017)
   
-  follow-up to commit ed7174c6f66, rename 'wait' to 'block'
-
-- compiler warning fix: declaration of 'wait' shadows a global declaration
+  CVE-2017-1000099
   
-  It seems older gcc installations (at least) will cause warnings if we
-  name a variable 'wait'. Now changed to 'block' instead.
+  Bug: https://curl.haxx.se/docs/adv_20170809C.html
   
-  Reported by: Jiří Hruška
-  Bug: http://curl.haxx.se/mail/lib-2013-02/0247.html
+  Credit to OSS-Fuzz for the discovery
 
-Nick Zitzmann (17 Feb 2013)
-- MacOSX-Framework: Make script work in Xcode 4.0 and later
+- easy_events: make event data static
   
-  Apple made a number of changes to Xcode 4. The SDKs were moved, the entire
-  Developer folder was moved, and PowerPC support was removed. The script
-  will now adapt to those changes and should be future-proofed against
-  additional changes in case Apple moves the Developer folder ever again.
-  Also, the minimum OS X version compiler option was removed, so that the
-  framework can be built against the latest SDK but still run in older cats.
-
-Daniel Stenberg (17 Feb 2013)
-- docs: refer to CURLOPT_ACCEPT_ENCODING instead of the old name
-
-Steve Holme (16 Feb 2013)
-- email: Tidied up result code variables
+  First: this function is only used in debug-builds and not in
+  release/real builds. It is used to drive tests using the event-based
+  API.
   
-  Tidied up result variables to be consistent in name, declaration order
-  and default values.
+  A pointer to the local struct is passed to CURLMOPT_TIMERDATA, but the
+  CURLMOPT_TIMERFUNCTION calback can in fact be called even after this
+  funtion returns, namely when curl_multi_remove_handle() is called.
+  
+  Reported-by: Brian Carpenter
 
-Nick Zitzmann (16 Feb 2013)
-- ntlm_core: fix compiler warning when building with clang
+- getparameter: avoid returning uninitialized 'usedarg'
   
-  Fixed a 64-to-32 compiler warning raised when building with
-  clang and the --with-darwinssl option.
+  Fixes #1728
 
-Daniel Stenberg (16 Feb 2013)
-- Guile-curl: a new libcurl binding
+Marcel Raad (5 Aug 2017)
+- [Isaac Boukris brought this change]
 
-- polarsslthreadlock: #include the proper memory and debug includes
+  gssapi: fix memory leak of output token in multi round context
+  
+  When multiple rounds are needed to establish a security context
+  (usually ntlm), we overwrite old token with a new one without free.
+  Found by proposed gss tests using stub a gss implementation (by
+  valgrind error), though I have confirmed the leak with a real
+  gssapi implementation as well.
   
-  Pointed out by Steve Holme
+  Closes https://github.com/curl/curl/pull/1733
 
-Steve Holme (16 Feb 2013)
-- email: Removed unnecessary forward declaration
+- darwinssl: fix compiler warning
   
-  Due to the reordering of functions in commit 586f5d361474 the forward
-  declaration to state_upgrade_tls() are no longer required.
+  clang complains:
+  vtls/darwinssl.c:40:8: error: extra tokens at end of #endif directive
+  [-Werror,-Wextra-tokens]
+  
+  This breaks the darwinssl build on Travis. Fix it by making this token
+  a comment.
+  
+  Closes https://github.com/curl/curl/pull/1734
 
-- pop3.c: Added reference to RFC-5034
+- CMake: fix CURL_WERROR for MSVC
+  
+  When using CURL_WERROR in MSVC builds, the debug flags were overridden
+  by the release flags and /WX got added twice in debug mode.
+  
+  Closes https://github.com/curl/curl/pull/1715
 
-Daniel Stenberg (15 Feb 2013)
-- [Willem Sparreboom brought this change]
+Daniel Stenberg (4 Aug 2017)
+- RELEASE-NOTES: synced with 561e9217c
 
-  PolarSSL: Change to cURL coding style
+- test1010: verify that #1718 is fixed
   
-  Repaired all curl/lib/checksrc.pl warnings in the previous four patches
+  ... by doing two transfers in nocwd mode and check that there's no
+  superfluous CWD command.
 
-- [Willem Sparreboom brought this change]
-
-  PolarSSL: WIN32 threading support for entropy
+- FTP: skip unnecessary CWD when in nocwd mode
+  
+  ... when reusing a connection. If it didn't do any CWD previously.
   
-  Added WIN32 threading support for PolarSSL entropy if
-  --enable-threaded-resolver config flag is set and process.h can be found.
+  Fixes #1718
 
-- [Willem Sparreboom brought this change]
+Marcel Raad (4 Aug 2017)
+- travis: explicitly specify dist
+  
+  This makes the builds more reproducible as travis is currently rolling
+  out trusty as default dist [1]. Specifically, this avoids coverage
+  check failures when trusty is used as seen in [2] until we figure out
+  what's wrong.
+  
+  [1] https://blog.travis-ci.com/2017-07-11-trusty-as-default-linux-is-coming
+  [2] https://github.com/curl/curl/pull/1692
+  
+  Closes https://github.com/curl/curl/pull/1725
 
-  PolarSSL: pthread support for entropy
+Daniel Stenberg (4 Aug 2017)
+- travis: BUILD_TYPE => T
   
-  Added pthread support for polarssl entropy if --enable-threaded-resolver
-  config flag is set and pthread.h can be found.
+  (to make the full line appear nicer on travis web UI)
 
-- [Willem Sparreboom brought this change]
+- travis: add osx build with darwinssl
+  
+  Closes #1706
 
-  PolarSSL: changes to entropy/ctr_drbg/HAVEGE_RANDOM
+- darwin: silence compiler warnings
   
-  Add non-threaded entropy and ctr_drbg and removed HAVEGE_RANDOM define
+  With a clang pragma and three type fixes
+  
+  Fixes #1722
 
-- [Willem Sparreboom brought this change]
+- BUILD.WINDOWS: mention buildconf.bat for builds off git
 
-  PolarSSL: added human readable error strings
-  
-  Print out human readable error strings for PolarSSL related errors
+- darwinssl: fix curlssl_sha256sum() compiler warnings on first argument
 
-Steve Holme (15 Feb 2013)
-- pop3: Removed unnecessary state changes on failure
+- test130: verify comments in .netrc
 
-- imap: Removed unnecessary state change on failure
+- [Gisle Vanem brought this change]
 
-Daniel Stenberg (15 Feb 2013)
-- metalink_cleanup: yet another follow-up fix
+  netrc: skip lines starting with '#'
+  
+  Bug: https://curl.haxx.se/mail/lib-2017-08/0008.html
 
-- metalink_cleanup: define it without argument
+Marcel Raad (3 Aug 2017)
+- CMake: set MSVC warning level to 4
   
-  Since the function takes no argument, the macro shouldn't take one as
-  some compilers will error out on that.
+  The MSVC warning level defaults to 3 in CMake. Change it to 4, which is
+  consistent with the Visual Studio and NMake builds. Disable level 4
+  warning C4127 for the library and additionally C4306 for the test
+  servers to get a clean CURL_WERROR build as that warning is raised in
+  some macros in older Visual Studio versions.
+  
+  Ref: https://github.com/curl/curl/pull/1667#issuecomment-314082794
+  Closes https://github.com/curl/curl/pull/1711
 
-- rename "easy" statemachines: call them block instead
+Daniel Stenberg (2 Aug 2017)
+- CURLOPT_NETRC.3: fix typo in 7e48aa386156f9c2
   
-  ... since they're not used by the easy interface really, I wanted to
-  remove the association. Also, I unified the pingpong statemachine driver
-  into a single function with a 'wait' argument: Curl_pp_statemach.
+  Reported-by: Viktor Szakats
 
-Yang Tse (15 Feb 2013)
-- [Gisle Vanem brought this change]
+- CURLOPT_NETRC.3: mention the file name on windows
+  
+  ... and CURLOPT_NETRC_FILE(3).
 
-  curl_setup_once.h: definition of HAVE_CLOSE_S defines sclose() to close_s()
+- travis: build osx with libressl too
 
-- [Gisle Vanem brought this change]
+- travis: build osx with openssl too
 
-  config-dos.h: define HAVE_CLOSE_S for MSDOS/Watt-32
+- tests/server/util: fix curltime mistake from 4dee50b9c80f9
 
-- [Gisle Vanem brought this change]
+Marcel Raad (1 Aug 2017)
+- curl_threads: fix MSVC compiler warning
+  
+  Use LongToHandle to convert from long to HANDLE in the Win32
+  implementation.
+  This should fix the following warning when compiling with
+  MSVC 11 (2012) in 64-bit mode:
+  lib\curl_threads.c(113): warning C4306:
+  'type cast' : conversion from 'long' to 'HANDLE' of greater size
+  
+  Closes https://github.com/curl/curl/pull/1717
 
-  config-dos.h: define strerror() to strerror_s_() for High-C
+Daniel Stenberg (1 Aug 2017)
+- BUGS: improved phrasing about security bugs
+  
+  Reported-by: Max Dymond
 
-- [Gisle Vanem brought this change]
+- BUGS: clarify how to report security related bugs
 
-  config-dos.h: define HAVE_TERMIOS_H only for djgpp
+- [Brad Spencer brought this change]
 
-Steve Holme (14 Feb 2013)
-- smtp.c: Fixed a trailing whitespace
+  multi: fix request timer management
   
-  Remove tailing whitespace introduced in commit 7ed689d24a4e.
-
-- pop3: Fixed blocking SSL connect when connecting via POP3S
+  There are some bugs in how timers are managed for a single easy handle
+  that causes the wrong "next timeout" value to be reported to the
+  application when a new minimum needs to be recomputed and that new
+  minimum should be an existing timer that isn't currently set for the
+  easy handle.  When the application drives a set of easy handles via the
+  `curl_multi_socket_action()` API (for example), it gets told to wait the
+  wrong amount of time before the next call, which causes requests to
+  linger for a long time (or, it is my guess, possibly forever).
   
-  A call to Curl_ssl_connect() was accidentally left in when the SSL/TLS
-  connection layer was reworked in 7.29. Not only would this cause the
-  connection to block but had the additional overhead of calling the
-  non-blocking connect a little bit later.
+  Bug: https://curl.haxx.se/mail/lib-2017-07/0033.html
 
-- smtp: Refactored the smtp_state_auth_resp() function
+Jay Satiro (1 Aug 2017)
+- curl_setup: Define CURL_NO_OLDIES for building libcurl
   
-  Renamed smtp_state_auth_resp() function to match the implementations in
-  IMAP and POP3.
-
-Daniel Stenberg (14 Feb 2013)
-- remove ifdefs
+  .. to catch accidental use of deprecated error codes.
   
-  Clarify the code by reducing ifdefs
+  Ref: https://github.com/curl/curl/issues/1688#issuecomment-316764237
 
-- strlcat: remove function
-  
-  This function was only used twice, both in places where performance
-  isn't crucial (socks + if2ip). Removing the use of this function removes
-  the need to have our private version for systems without it == reduced
-  amount of code.
-  
-  Also, in the SOCKS case it is clearly better to fail gracefully rather
-  than to truncate the results.
+Daniel Stenberg (1 Aug 2017)
+- [Jeremy Tan brought this change]
+
+  configure: fix the check for IdnToUnicode
   
-  This work was triggered by a bug report on the strcal prototype in
-  strequal.h.
+  Fixes #1669
+  Closes #1713
+
+- http: fix response code parser to avoid integer overflow
   
-  strlcat was added in commit db70cd28 in February 2001!
+  test 1429 and 1433 were updated to work with the stricter HTTP status line
+  parser.
   
-  Bug: http://curl.haxx.se/bug/view.cgi?id=1192
-  Reported by: Jeremy Huddleston
+  Closes #1714
+  Reported-by: Brian Carpenter
 
-- Curl_FormBoundary: made static
-  
-  As Curl_FormBoundary() is no longer used outside of this file (since
-  commit ad7291c1a9d), it is now renamed to formboundary() and is made
-  static.
+Jay Satiro (31 Jul 2017)
+- [Dwarakanath Yadavalli brought this change]
 
-- ossl_seed: fix the last resort PRNG seeding
+  libcurl: Stop using error codes defined under CURL_NO_OLDIES
   
-  Instead of just abusing the pseudo-randomizer from Curl_FormBoundary(),
-  this now uses Curl_ossl_random() to get entropy.
+  Fixes https://github.com/curl/curl/issues/1688
+  Closes https://github.com/curl/curl/pull/1712
 
-Steve Holme (13 Feb 2013)
-- email: Tidy up before additional IMAP work
+- include.d: clarify --include is only for response headers
   
-  Replaced two explicit comparisons of CURLE_OK with boolean alternatives.
+  Follow-up to 171f8de and de6de94.
   
-  General tidy up of comments.
+  Bug: https://github.com/curl/curl/commit/de6de94#commitcomment-23370851
+  Reported-by: Daniel Stenberg
 
-- smtp: Removed duplicate pingpong structure initialisation
-  
-  The smtp_connect() function was setting the member variables of the
-  pingpong structure twice, once before calling Curl_pp_init() and once
-  after!
+Daniel Stenberg (30 Jul 2017)
+- [Jason Juang brought this change]
 
-Yang Tse (13 Feb 2013)
-- move msvc IDE related files to 'vs' directory tree
+  cmake: support make uninstall
   
-  Use 'vs' directory tree given that 'vc' intended one clashes
-  with an already existing build target in file Makefile.dist.
+  Closes #1674
+
+- RELEASE-NOTES: synced with 001701c47
 
-Daniel Stenberg (13 Feb 2013)
-- install-sh: updated to support multiple source files as arguments
+Marcel Raad (29 Jul 2017)
+- AppVeyor: now really use CURL_WERROR
   
-  Version 7.29.0 uses Makefiles generated with a newer version of the
-  autotools than the previous 7.28.1. These Makefiles try to install
-  e.g. header files by calling install-sh with multiple source files as
-  arguments. The bundled install-sh is to old and does not support this.
+  It was misspelled as CURL_ERROR in commit
+  2d86e8d1286e0fbe3d811e2e87fa0b5e53722db4.
   
-  The problem only occurs, if install-sh is actually being used, ie. the
-  platform install executable is to old or not usable. Example: Solaris
-  10.
+  Closes https://github.com/curl/curl/pull/1686
+
+Jay Satiro (29 Jul 2017)
+- tool_help: clarify --include is only for response headers
   
-  The files install-sh and mkinstalldirs are now updated with the automake
-  1.11.3 versions. A better fix might be to completely remove them from
-  git and force the files to be added/created during buildconf.
+  Follow-up to 171f8de.
   
-  Bug: http://curl.haxx.se/bug/view.cgi?id=1195
-  Reported by: Rainer Jung
-
-Yang Tse (13 Feb 2013)
-- move msvc IDE related files to 'vc' directory tree
+  Ref: https://github.com/curl/curl/issues/1704
 
-- msvc IDE 'vc' directory tree preparation
+- splay: fix signed/unsigned mismatch warning
+  
+  Follow-up to 4dee50b.
+  
+  Ref: https://github.com/curl/curl/pull/1693
 
-Steve Holme (12 Feb 2013)
-- imap: Corrected a whitespace issue from previous commit
+Daniel Stenberg (28 Jul 2017)
+- include.d: clarify that it concerns the response headers
   
-  Fixed a small whitespace issue that crept in there in commit
-  508cdf4da4d7.
+  Reported-by: olesteban at github
+  Fixes #1704
 
-- email: Another post optimisation of endofresp() tidy up
+- [Johannes Schindelin brought this change]
 
-- sasl: Fixed null pointer reference when decoding empty digest challenge
+  curl_rtmp: fix a compiler warning
   
-  Fixed a null pointer reference when an empty challenge is passed to the
-  Curl_sasl_create_digest_md5_message() function.
+  The headers of librtmp declare the socket as `int`, and on Windows, that
+  disagrees with curl_socket_t.
   
-  Bug: http://sourceforge.net/p/curl/bugs/1193/
-  Reported by: Saran Neti
-
-- email: Post optimisation of endofresp() tidy up
+  Bug: #1652
   
-  Removed unnecessary end of line check and return.
+  Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- test1323: verify curlx_tvdiff
 
-Nick Zitzmann (12 Feb 2013)
-- darwinssl: Fix send glitchiness with data > 32 or so KB
+- timeval: struct curltime is a struct timeval replacement
   
-  An ambiguity in the SSLWrite() documentation lead to a bad inference in the
-  code where we assumed SSLWrite() returned the amount of bytes written to
-  the socket, when that is not actually true; it returns the amount of data
-  that is buffered for writing to the socket if it returns errSSLWouldBlock.
-  Now darwinssl_send() returns CURLE_AGAIN if data is buffered but not written.
+  ... to make all libcurl internals able to use the same data types for
+  the struct members. The timeval struct differs subtly on several
+  platforms so it makes it cumbersome to use everywhere.
   
-  Reference URL: http://curl.haxx.se/mail/lib-2013-02/0145.html
+  Ref: #1652
+  Closes #1693
 
-Steve Holme (12 Feb 2013)
-- pingpong.h: Fixed line length over 78 characters from b56c9eb48e3c
-
-- pingpong: Optimised the endofresp() function
+- darwinssl: fix variable type mistake (regression)
   
-  Reworked the pp->endofresp() function so that the conndata, line and
-  line length are passed down to it just as with Curl_client_write()
-  rather than each implementation of the function having to query
-  these values.
+  ... which made --tlsv1.2 not work because it would blank the max tls
+  version variable.
   
-  Additionally changed the int return type to bool as this is more
-  representative of the function's usage.
+  Reported-by: Nick Miyake
+  Bug: #1703
 
-- email: Post STARTLS capability code tidy up (Part Three)
+- multi: mention integer overflow risk if using > 500 million sockets
   
-  Corrected the order of the upgrade_tls() functions and moved the handler
-  upgrade and getsock() functions out from the middle of the state related
-  functions.
-
-- email: Post STARTLS capability code tidy up (Part Two)
+  Reported-by: ovidiu-benea@users.noreply.github.com
   
-  Corrected the order of the pop3_state_capa() / imap_state_capability()
-  and the pop3_state_capa_resp() / imap_state_capability_resp() functions
-  to match the execution order.
+  Closes #1675
+  Closes #1683
 
-Daniel Stenberg (11 Feb 2013)
-- [ulion brought this change]
+- checksrc: escape open brace in regex
+  
+  ... to silence warning.
 
-  SOCKS: fix socks proxy when noproxy matched
+Kamil Dudka (20 Jul 2017)
+- nss: fix a possible use-after-free in SelectClientCert()
   
-  Test 1212 added to verify
+  ... causing a SIGSEGV in showit() in case the handle used to initiate
+  the connection has already been freed.
   
-  Bug: http://curl.haxx.se/bug/view.cgi?id=1190
-
-Steve Holme (11 Feb 2013)
-- ntlm: Updated comments for the addition of SASL support to IMAP in v7.29
-
-- RELEASE-NOTES: Updated following the recent imap/pop3/smtp changes
-
-Linus Nielsen Feltzing (10 Feb 2013)
-- Fix NULL pointer reference when closing an unused multi handle.
-
-Steve Holme (10 Feb 2013)
-- email: Post STARTLS capability code tidy up (Part One)
+  This commit fixes a bug introduced in curl-7_19_5-204-g5f0cae803.
   
-  Corrected the order of the CAPA / CAPABILITY state machine constants to
-  match the execution order.
-
-- imap: Fixed memory leak following commit f6010d9a0359
+  Reported-by: Rob Sanders
+  Bug: https://bugzilla.redhat.com/1436158
 
-- smtp: Added support for the STARTTLS capability (Part Two)
+- nss: unify the coding style of nss_send() and nss_recv()
   
-  Added honoring of the tls_supported flag when starting a TLS upgrade
-  rather than unconditionally attempting it. If the use_ssl flag is set
-  to CURLUSESSL_TRY and the server doesn't support TLS upgrades then the
-  connection will continue to authenticate. If this flag is set to
-  CURLUSESSL_ALL then the connection will complete with a failure as it
-  did previously.
+  No changes in behavior intended by this commit.
 
-- pop3: Added support for the STLS capability (Part Three)
+Marcel Raad (18 Jul 2017)
+- tests/server/resolve.c: fix deprecation warning
   
-  Added honoring of the tls_supported flag when starting a TLS upgrade
-  rather than unconditionally attempting it. If the use_ssl flag is set
-  to CURLUSESSL_TRY and the server doesn't support TLS upgrades then the
-  connection will continue to authenticate. If this flag is set to
-  CURLUSESSL_ALL then the connection will complete with a failure as it
-  did previously.
-
-- imap: Added support for the STARTTLS capability (Part Three)
+  MSVC warns that gethostbyname is deprecated. Always use getaddrinfo
+  instead to fix this when IPv6 is enabled, also for IPv4 resolves. This
+  is also consistent with what libcurl does.
   
-  Added honoring of the tls_supported flag when starting a TLS upgrade
-  rather than unconditionally attempting it. If the use_ssl flag is set
-  to CURLUSESSL_TRY and the server doesn't support TLS upgrades then the
-  connection will continue to authenticate. If this flag is set to
-  CURLUSESSL_ALL then the connection will complete with a failure as it
-  did previously.
-
-Daniel Stenberg (10 Feb 2013)
-- [Alessandro Ghedini brought this change]
-
-  htmltitle: fix suggested build command
+  Closes https://github.com/curl/curl/pull/1682
 
-Steve Holme (10 Feb 2013)
-- pop3: Added support for the STLS capability (Part Two)
+Jay Satiro (17 Jul 2017)
+- darwinssl: fix pinnedpubkey build error
   
-  Added sending of initial CAPA command before STLS is sent. This allows
-  for the detection of the capability before trying to upgrade the
-  connection.
+  - s/SessionHandle/Curl_easy/
+  
+  Bug: https://github.com/curl/curl/commit/eb16305#commitcomment-23035670
+  Reported-by: Gisle Vanem
 
-- imap: Added support for the STARTTLS capability (Part Two)
+Marcel Raad (16 Jul 2017)
+- rtspd: fix GCC warning after MSVC warning fix
+  
+  Older GCC warns:
+  /tests/server/rtspd.c:1194:10: warning: missing braces around
+  initializer [-Wmissing-braces]
   
-  Added sending of initial CAPABILITY command before STARTTLS is sent.
-  This allows for the detection of the capability before trying to
-  upgrade the connection.
+  Fix this by using memset instead of an initializer.
 
-- smtp: Added support for the STLS capability (Part One)
+- libtest: fix MSVC warning C4706
   
-  Introduced detection of the STARTTLS capability, in order to add support
-  for TLS upgrades without unconditionally sending the STARTTLS command.
+  With warning level 4, MSVC warns about assignments within conditional
+  expressions. Change the while loop to a do-while loop to fix this. This
+  change is also consistent with CODE_STYLE.md.
 
-- pop3: Added support for the STLS capability (Part One)
+- sockfilt: suppress conversion warning with explicit cast
   
-  Introduced detection of the STLS capability, in order to add support
-  for TLS upgrades without unconditionally sending the STLS command.
+  MSVC warns when implicitly casting -1 to unsigned long.
 
-- imap: Added support for the STARTTLS capability (Part One)
+- rtspd: fix MSVC level 4 warning
   
-  Introduced detection of the STARTTLS capability, in order to add support
-  for TLS upgrades without unconditionally sending the STARTTLS command.
+  warning C4701: potentially uninitialized local variable 'req' used
diff --git a/libs/libcurl/docs/COPYING b/libs/libcurl/docs/COPYING
index 85d122ecf0..560a49dcee 100644
--- a/libs/libcurl/docs/COPYING
+++ b/libs/libcurl/docs/COPYING
@@ -1,6 +1,7 @@
 COPYRIGHT AND PERMISSION NOTICE
 
-Copyright (c) 1996 - 2013, Daniel Stenberg, <daniel@haxx.se>.
+Copyright (c) 1996 - 2018, Daniel Stenberg, <daniel@haxx.se>, and many
+contributors, see the THANKS file.
 
 All rights reserved.
 
diff --git a/libs/libcurl/docs/LICENSE-MIXING b/libs/libcurl/docs/LICENSE-MIXING
deleted file mode 100644
index f596546da5..0000000000
--- a/libs/libcurl/docs/LICENSE-MIXING
+++ /dev/null
@@ -1,130 +0,0 @@
-         License Mixing with apps, libcurl and Third Party Libraries
-         ===========================================================
-
-libcurl can be built to use a fair amount of various third party libraries,
-libraries that are written and provided by other parties that are distributed
-using their own licenses. Even libcurl itself contains code that may cause
-problems to some. This document attempts to describe what licenses libcurl and
-the other libraries use and what possible dilemmas linking and mixing them all
-can lead to for end users.
-
-I am not a lawyer and this is not legal advice!
-
-One common dilemma is that GPL[1]-licensed code is not allowed to be linked
-with code licensed under the Original BSD license (with the announcement
-clause). You may still build your own copies that use them all, but
-distributing them as binaries would be to violate the GPL license - unless you
-accompany your license with an exception[2]. This particular problem was
-addressed when the Modified BSD license was created, which does not have the
-announcement clause that collides with GPL.
-
-libcurl http://curl.haxx.se/docs/copyright.html
-
-        Uses an MIT (or Modified BSD)-style license that is as liberal as
-        possible.  Some of the source files that deal with KRB4 have Original
-        BSD-style announce-clause licenses. You may not distribute binaries
-        with krb4-enabled libcurl that also link with GPL-licensed code!
-
-OpenSSL http://www.openssl.org/source/license.html
-
-        (May be used for SSL/TLS support) Uses an Original BSD-style license
-        with an announcement clause that makes it "incompatible" with GPL. You
-        are not allowed to ship binaries that link with OpenSSL that includes
-        GPL code (unless that specific GPL code includes an exception for
-        OpenSSL - a habit that is growing more and more common). If OpenSSL's
-        licensing is a problem for you, consider using GnuTLS or yassl
-        instead.
-
-GnuTLS  http://www.gnutls.org/
-
-        (May be used for SSL/TLS support) Uses the LGPL[3] license. If this is
-        a problem for you, consider using OpenSSL instead. Also note that
-        GnuTLS itself depends on and uses other libs (libgcrypt and
-        libgpg-error) and they too are LGPL- or GPL-licensed.
-
-yassl   http://www.yassl.com/
-
-        (May be used for SSL/TLS support) Uses the GPL[1] license. If this is
-        a problem for you, consider using OpenSSL or GnuTLS instead.
-
-NSS     http://www.mozilla.org/projects/security/pki/nss/
-
-        (May be used for SSL/TLS support) Is covered by the MPL[4] license,
-        the GPL[1] license and the LGPL[3] license. You may choose to license
-        the code under MPL terms, GPL terms, or LGPL terms. These licenses
-        grant you different permissions and impose different obligations. You
-        should select the license that best meets your needs.
-
-axTLS   http://axtls.sourceforge.net/
-
-        (May be used for SSL/TLS support) Uses a Modified BSD-style license.
-
-c-ares  http://daniel.haxx.se/projects/c-ares/license.html
-
-        (Used for asynchronous name resolves) Uses an MIT license that is very
-        liberal and imposes no restrictions on any other library or part you
-        may link with.
-
-zlib    http://www.gzip.org/zlib/zlib_license.html
-
-        (Used for compressed Transfer-Encoding support) Uses an MIT-style
-        license that shouldn't collide with any other library.
-
-krb4
-
-        While nothing in particular says that a Kerberos4 library must use any
-        particular license, the one I've tried and used successfully so far
-        (kth-krb4) is partly Original BSD-licensed with the announcement
-        clause. Some of the code in libcurl that is written to deal with
-        Kerberos4 is Modified BSD-licensed.
-
-MIT Kerberos http://web.mit.edu/kerberos/www/dist/
-
-        (May be used for GSS support) MIT licensed, that shouldn't collide
-        with any other parts.
-
-Heimdal http://www.pdc.kth.se/heimdal/
-
-        (May be used for GSS support) Heimdal is Original BSD licensed with
-        the announcement clause.
-
-GNU GSS http://www.gnu.org/software/gss/
-
-        (May be used for GSS support) GNU GSS is GPL licensed. Note that you
-        may not distribute binary curl packages that uses this if you build
-        curl to also link and use any Original BSD licensed libraries!
-
-fbopenssl
-
-        (Used for SPNEGO support) Unclear license. Based on its name, I assume
-        that it uses the OpenSSL license and thus shares the same issues as
-        described for OpenSSL above.
-
-libidn  http://josefsson.org/libidn/
-
-        (Used for IDNA support) Uses the GNU Lesser General Public
-        License [3]. LGPL is a variation of GPL with slightly less aggressive
-        "copyleft". This license requires more requirements to be met when
-        distributing binaries, see the license for details. Also note that if
-        you distribute a binary that includes this library, you must also
-        include the full LGPL license text. Please properly point out what
-        parts of the distributed package that the license addresses.
-
-OpenLDAP http://www.openldap.org/software/release/license.html
-
-        (Used for LDAP support) Uses a Modified BSD-style license. Since
-        libcurl uses OpenLDAP as a shared library only, I have not heard of
-        anyone that ships OpenLDAP linked with libcurl in an app.
-
-libssh2 http://www.libssh2.org/
-
-        (Used for scp and sftp support) libssh2 uses a Modified BSD-style
-        license.
-
-[1] = GPL - GNU General Public License: http://www.gnu.org/licenses/gpl.html
-[2] = http://www.fsf.org/licenses/gpl-faq.html#GPLIncompatibleLibs details on
-      how to write such an exception to the GPL
-[3] = LGPL - GNU Lesser General Public License:
-      http://www.gnu.org/licenses/lgpl.html
-[4] = MPL - Mozilla Public License:
-      http://www.mozilla.org/MPL/
diff --git a/libs/libcurl/docs/THANKS b/libs/libcurl/docs/THANKS
index 693139bf73..540a59fc49 100644
--- a/libs/libcurl/docs/THANKS
+++ b/libs/libcurl/docs/THANKS
@@ -4,53 +4,88 @@
 
  If you have contributed but are missing here, please let us know!
 
+"Captain Basil"
+"Spoon Man"
+Aaro Koskinen
 Aaron Oneal
 Aaron Orenstein
+Abram Pousada
+Adam Brown
 Adam D. Moss
+Adam Langley
 Adam Light
+Adam Marcionek
 Adam Piggott
+Adam Sampson
 Adam Tkac
 Adrian Schuur
 Adriano Meirelles
 Ajit Dhumale
+Akhil Kedia
 Aki Koskinen
 Akos Pasztory
+Akshay Vernekar
+Alain Danteny
+Alan Jenkins
 Alan Pinstein
 Albert Chin-A-Young
 Albert Choy
 Ale Vesely
-Alejandro Alvarez
+Alejandro Alvarez Ayllon
 Aleksandar Milivojevic
 Aleksey Tulinov
+Ales Mlakar
+Ales Novak
 Alessandro Ghedini
 Alessandro Vesely
+Alex Baines
 Alex Bligh
+Alex Chan
 Alex Fishman
 Alex Gruz
+Alex Malinovich
+Alex McLellan
 Alex Neblett
+Alex Nichols
+Alex Potapenko
+Alex Rousskov
 Alex Suykov
 Alex Vinnik
 Alex aka WindEagle
 Alexander Beedie
+Alexander Dyagilev
+Alexander Elgert
 Alexander Klauer
 Alexander Kourakos
 Alexander Krasnostavsky
 Alexander Lazic
+Alexander Pepper
+Alexander Peslyak
+Alexander Sinditskiy
+Alexander Traud
 Alexander Zhuravlev
 Alexey Borzov
+Alexey Melnichuk
 Alexey Pesternikov
 Alexey Simak
 Alexey Zakhlestin
 Alexis Carvalho
+Alexis La Goutte
+Alfonso Martone
 Alfred Gebert
 Allen Pulsifer
+Alona Rossen
 Amol Pattekar
 Amr Shahin
+Anatol Belski
 Anatoli Tubman
+Anders Bakken
 Anders Gustafsson
 Anders Havn
+Anders Roxell
 Andi Jahja
 Andre Guibert de Bruet
+Andre Heinecke
 Andreas Damm
 Andreas Faerber
 Andreas Farber
@@ -58,47 +93,74 @@ Andreas Malzahn
 Andreas Ntaflos
 Andreas Olsson
 Andreas Rieke
+Andreas Roth
+Andreas Schneider
 Andreas Schuldei
+Andreas Streichardt
 Andreas Wurf
 Andrei Benea
 Andrei Cipu
-Andres Garcia
+Andrei Karas
+Andrei Kurushin
+Andrei Sedoi
+Andrej E Baranov
 Andrew Benham
 Andrew Biggs
 Andrew Bushnell
 Andrew Francis
 Andrew Fuller
+Andrew Krieger
 Andrew Kurushin
+Andrew Lambert
 Andrew Moise
+Andrew Robbins
 Andrew Wansink
 Andrew de los Reyes
+Andrey Labunets
 Andrii Moiseiev
 Andrés García
 Andy Cedilnik
 Andy Serpa
 Andy Tsouladze
 Angus Mackay
+Anthon Pang
+Anthony Avina
 Anthony Bryan
 Anthony G. Basile
+Antoine Aubert
 Antoine Calando
 Anton Bychkov
 Anton Kalmykov
 Anton Malov
 Anton Yabchinskiy
+Antonio Larrosa
+Antony74 on github
+Antti Hätälä
 Arkadiusz Miskiewicz
 Armel Asselin
 Arnaud Compan
 Arnaud Ebalard
+Aron Bergman
+Artak Galoyan
 Arthur Murray
 Arve Knudsen
+Arvid Norberg
+Ashish Shukla
+Ask Bjørn Hansen
+Askar Safin
 Ates Goral
 Augustus Saunders
 Avery Fay
 Axel Tillequin
 Balaji Parasuram
+Balaji Salunke
 Balint Szilakszi
+Barry Abrahamson
 Bart Whiteley
 Bas Mevissen
+Bas van Schaik
+Basuke Suzuki
+Ben Boeckel
 Ben Darnell
 Ben Greear
 Ben Madsen
@@ -109,12 +171,23 @@ Benbuck Nason
 Benjamin Gerard
 Benjamin Gilbert
 Benjamin Johnson
+Benjamin Kircher
+Benjamin Sergeant
+Benoit Neil
+Benoit Sigoure
 Bernard Leak
+Bernard Spil
+Bernhard M. Wiedemann
 Bernhard Reutner-Fischer
+Bert Huijben
 Bertrand Demiddelaer
+Bertrand Simonnet
+Bill Doyle
 Bill Egert
 Bill Hoffman
 Bill Middlecamp
+Bill Nagel
+Bill Pyne
 Bjoern Sikora
 Bjorn Augustsson
 Bjorn Reese
@@ -125,48 +198,74 @@ Bob Richmond
 Bob Schader
 Bogdan Nicula
 Brad Burdick
+Brad Fitzpatrick
+Brad Harder
 Brad Hards
 Brad King
+Brad Spencer
 Bradford Bruce
+Brandon Casey
 Brandon Wang
 Brendan Jurd
 Brent Beardsley
 Brian Akins
+Brian Carpenter
+Brian Childs
+Brian Chrisman
 Brian Dessent
 Brian J. Murrell
+Brian Prodoehl
 Brian R Duffy
 Brian Ulm
 Brock Noland
+Bru Rom
 Bruce Mitchener
+Bruce Stephens
+Bruno Grasselli
+Bruno Thomsen
 Bruno de Carvalho
 Bryan Henderson
 Bryan Kemp
 Byrial Jensen
 Cameron Kaiser
+Cameron MacMinn
 Camille Moncelier
 Caolan McNamara
+Carlo Cannas
+Carlo Teubner
+Carlo Wood
 Carsten Lange
 Casey O'Donnell
-Cedric Deltheil
+Catalin Patulea
 Chad Monroe
 Chandrakant Bagul
 Charles Kerr
+Charles Romestant
+Chen Prog
+Chester Liu
 Chih-Chung Chang
 Chris "Bob Bob"
+Chris Araman
+Chris Carlmar
 Chris Combes
-Chris Conroy
+Chris Conlon
 Chris Deidun
+Chris Faherty
 Chris Flerackers
 Chris Gaukroger
 Chris Maltby
 Chris Mumford
 Chris Smowton
+Chris Young
+Christian Fillion
 Christian Grothoff
+Christian Heimes
 Christian Hägele
 Christian Krause
 Christian Kurz
 Christian Robottom Reis
 Christian Schmitz
+Christian Stewart
 Christian Vogt
 Christian Weisgerber
 Christophe Demory
@@ -175,153 +274,263 @@ Christopher Conroy
 Christopher Palow
 Christopher R. Palmer
 Christopher Stone
+Chungtsun Li
 Ciprian Badescu
 Claes Jakobsson
 Clarence Gardner
 Clemens Gruber
 Clifford Wolf
+Clint Clayton
 Cody Jones
+Cody Mack
+Colby Ranger
+Colin Blair
 Colin Hogben
 Colin Watson
 Colm Buckley
 Constantine Sapuntzakis
+Cory Benfield
 Cory Nelson
 Craig A West
 Craig Davison
 Craig Markwardt
+Craig de Stigter
 Cris Bailiff
 Cristian Rodríguez
 Curt Bogmine
+Cyril B
 Cyrill Osterwalder
+Cédric Connes
 Cédric Deltheil
+D. Flinkmann
+Da-Yoon Chung
 Dag Ekengren
 Dagobert Michelsen
+Dair Grant
+Dambaev Alexander
+Damian Dixon
 Damien Adant
+Damien Vielpeau
 Dan Becker
 Dan C
+Dan Cristian
+Dan Donahue
 Dan Fandrich
+Dan Jacobson
+Dan Johnson
 Dan Locks
+Dan McNulty
 Dan Nelson
 Dan Petitt
 Dan Torop
 Dan Zitter
+Daniel Bankhead
 Daniel Black
 Daniel Cater
 Daniel Egger
+Daniel Gustafsson
+Daniel Hwang
 Daniel Johnson
+Daniel Kahn Gillmor
+Daniel Krügler
+Daniel Lee Hwang
+Daniel Melani
 Daniel Mentz
+Daniel Romero
+Daniel Schauenberg
+Daniel Seither
+Daniel Shahaf
 Daniel Steinberg
 Daniel Stenberg
 Daniel Theron
 Daniel at touchtunes
+Daphne Luong
+Dario Weisser
 Darryl House
 Darshan Mody
+Darío Hereñú
 Dave Dribin
 Dave Halbakken
 Dave Hamilton
 Dave May
 Dave Reisner
+Dave Thompson
 Dave Vasilevsky
+Davey Shafik
 David Bau
+David Benjamin
 David Binderman
 David Blaikie
 David Byron
 David Cohen
+David E. Narváez
 David Eriksson
+David Garske
 David Houlder
 David Hull
 David J Meyer
 David James
+David Kalnischkies
 David Kierznowski
 David Kimdon
+David L.
 David Lang
 David LeBlanc
+David Lord
 David McCreedy
+David Meyer
 David Odin
 David Phillips
 David Rosenstrauch
+David Ryskalczyk
+David Schweikert
 David Shaw
 David Strauss
 David Tarendash
 David Thiel
+David Walser
+David Woodhouse
 David Wright
 David Yan
 Dengminwen
+Denis Feklushkin
+Denis Ollier
+Dennis Clarke
+Derek Higgins
+Desmond O. Chang
 Detlef Schmier
 Didier Brisebourg
+Diego Bes
 Diego Casorran
+Dilyan Palauzov
 Dima Barsky
+Dima Tisnek
+Dimitar Boevski
 Dimitre Dimitrov
+Dimitrios Apostolou
+Dimitrios Siganos
 Dimitris Sarris
 Dinar
 Dirk Eddelbuettel
+Dirk Feytons
 Dirk Manske
 Dmitri Shubin
+Dmitri Tikhonov
 Dmitriy Sergeyev
 Dmitry Bartsevich
+Dmitry Eremin-Solenikov
+Dmitry Falko
+Dmitry Kostjuchenko
 Dmitry Kurochkin
+Dmitry Mikhirev
 Dmitry Popov
 Dmitry Rechkin
+Dmitry S. Baikov
 Dolbneff A.V
 Domenico Andreoli
 Dominick Meglio
+Dominik Hölzl
 Dominique Leuenberger
+Don J Olmstead
+Dongliang Mu
 Doug Kaufman
 Doug Porter
+Douglas Creager
 Douglas E. Wegscheid
 Douglas Kilpatrick
+Douglas Mencken
 Douglas R. Horner
 Douglas Steinwand
 Dov Murik
+Drake Arconis
 Duane Cathey
-Duncan
 Duncan Mac-Vicar Prett
 Dustin Boswell
+Dusty Mabe
+Duy Phan Thanh
+Dwarakanath Yadavalli
 Dylan Ellicott
 Dylan Salisbury
+Dániel Bakai
 Early Ehlinger
+Earnestly on github
 Ebenezer Ikonne
+Ed Morley
 Edin Kadribasic
 Eduard Bloch
+Edward Kimmel
 Edward Rudd
 Edward Sheldrake
+Edward Thomson
 Eelco Dolstra
 Eetu Ojanen
+Egon Eckert
 Eldar Zaitov
+Elliot Saba
 Ellis Pritchard
+Elmira A Semenova
 Emanuele Bovisio
+Emil Lerner
 Emil Romanus
 Emiliano Ida
+Emmanuel Tychon
 Enrico Scholz
 Enrik Berkhan
+Eramoto Masaya
 Eric Cooper
+Eric Gallager
 Eric Hu
 Eric Landes
 Eric Lavigne
+Eric Lubin
 Eric Melville
 Eric Mertens
 Eric Rautman
+Eric Rescorla
+Eric Ridge
 Eric S. Raymond
 Eric Thelin
 Eric Vergnaud
 Eric Wong
 Eric Young
 Erick Nuwendam
+Erik Janssen
 Erik Johansson
+Ernest Beinrohr
+Ernst Sjöstrand
 Erwan Legrand
 Erwin Authried
+Ethan Glasser Camp
 Eugene Kotlyarov
 Evan Jordan
+Even Rouault
+Evert Pot
+Evgeny Grin
 Evgeny Turnaev
 Eygene Ryabinkin
+Fabian Frank
 Fabian Hiernaux
 Fabian Keil
+Fabian Ruff
 Fabrizio Ammollo
+Fahim Chandurwala
 Fedor Karpelevitch
+Feist Josselin
+Felix Kaiser
+Felix Yan
 Felix von Leitner
 Feng Tu
+Fernando Muñoz
+Flavio Medeiros
 Florian Schoppmann
+Florian Weimer
+Florin Petriuc
 Forrest Cahoon
+Francisco Moraes
+Francisco Sedano
+Francois Petitjean
+Frank Denis
+Frank Gevaerts
 Frank Hempel
 Frank Keeney
 Frank McGeough
@@ -329,24 +538,32 @@ Frank Meier
 Frank Ticheler
 Frank Van Uffelen
 František Kučera
+François Charlier
 Fred Machado
 Fred New
 Fred Noz
+Fred Stluka
 Frederic Lepied
+Frederik B
 Fredrik Thulin
 Gabriel Kuri
 Gabriel Sjoberg
 Garrett Holmstrom
 Gary Maxwell
+Gaurav Malhotra
 Gautam Kachroo
 Gautam Mani
 Gavrie Philipson
 Gaz Iqbal
+Gaël Portay
+Geeknik Labs
+Geoff Beier
 Georg Horn
 Georg Huettenegger
 Georg Lippitsch
 Georg Wicherski
 Gerd v. Egidy
+Gergely Nagy
 Gerhard Herre
 Gerrit Bruchhäuser
 Ghennadi Procopciuc
@@ -359,44 +576,71 @@ Gilles Blanc
 Gisle Vanem
 Giuseppe Attardi
 Giuseppe D'Ambrosio
+Giuseppe Persico
+Glen A Johnson Jr.
 Glen Nakamura
 Glen Scott
-Gokhan Sengun
+Glenn Sheridan
+Google Inc.
+Gordon Marler
+Gorilla Maguila
+Gou Lingfeng
 Grant Erickson
+Grant Pannell
 Greg Hewgill
 Greg Morse
 Greg Onufer
+Greg Pratt
+Greg Rowe
 Greg Zavertnik
+Gregory Szorc
 Grigory Entin
 Guenole Bescon
 Guenter Knauf
 Guido Berhoerster
 Guillaume Arluison
+Gunter Knauf
 Gustaf Hui
+Gustavo Grieco
+GwanYeong Kim
 Gwenole Beauchesne
+Gökhan Şengün
 Götz Babin-Ebell
 Hamish Mackenzie
+Han Qiao
 Hang Kin Lau
 Hang Su
+Hannes Magnusson
+Hanno Böck
 Hanno Kranzhoff
 Hans Steegers
 Hans-Jurgen May
 Hardeep Singh
+Haris Okanovic
+Harold Stuart
 Harshal Pradhan
 Hauke Duden
+He Qin
 Heikki Korpela
 Heinrich Ko
+Heinrich Schaefer
+Helmut K. C. Tessarek
+Helwing Lutz
 Hendrik Visage
+Henrik Gaßmann
 Henrik Storner
 Henry Ludemann
+Henry Roeland
 Herve Amblard
 Hidemoto Nakada
 Ho-chi Chen
 Hoi-Ho Chan
 Hongli Lai
 Howard Chu
+Hubert Kario
 Hzhijun
 Ian D Allen
+Ian Fette
 Ian Ford
 Ian Gulliver
 Ian Lynagh
@@ -406,144 +650,219 @@ Ignacio Vazquez-Abrams
 Igor Franchuk
 Igor Novoseltsev
 Igor Polyakov
+Iida Yosiaki
 Ilguiz Latypov
 Ilja van Sprundel
 Immanuel Gregoire
+Inca R
 Ingmar Runge
 Ingo Ralf Blum
 Ingo Wilken
+Irfan Adilovic
+Isaac Boukris
 Ishan SinghLevett
+Ivan Avdeev
+Ivo Bellin Salarin
 Jack Zhang
+Jackarain on github
 Jacky Lam
 Jacob Meuser
 Jacob Moshenko
+Jactry Zeng
 Jad Chamcham
+Jaime Fullaondo
+Jakub Wilk
+Jakub Zakrzewski
+James Atwill
 James Bursa
 James Cheng
 James Clancy
 James Cone
+James Dury
 James Gallagher
 James Griffiths
 James Housley
 James MacMillan
+James Slaughter
 Jamie Lokier
 Jamie Newton
 Jamie Wilkinson
+Jan Alexander Steffens
 Jan Ehrhardt
 Jan Koen Annot
 Jan Kunder
 Jan Schaumann
+Jan Schmidt
 Jan Van Boghout
 Jared Jennings
 Jared Lundell
+Jari Aalto
 Jari Sundell
 Jason Glasgow
+Jason Juang
 Jason Liu
 Jason McDonald
 Jason S. Priebe
+Javier Barroso
+Javier G. Sogo
+Javier Sixto
 Jay Austin
 Jayesh A Shah
 Jaz Fresh
+Jean Gressmann
 Jean Jacques Drouin
 Jean-Claude Chauve
 Jean-Francois Bertrand
+Jean-Francois Durand
 Jean-Louis Lemaire
 Jean-Marc Ranger
-Jean-Noel Rouvignac
+Jean-Noël Rouvignac
 Jean-Philippe Barrette-LaPierre
 Jeff Connelly
+Jeff Hodges
 Jeff Johnson
+Jeff King
 Jeff Lawson
 Jeff Phillips
 Jeff Pohlmeyer
 Jeff Weber
-Jeffrey Pohlmeyer
+Jeffrey Walton
+Jens Rantil
 Jeremy Friesner
 Jeremy Huddleston
+Jeremy Lin
+Jeremy Pearson
+Jeremy Tan
+Jeroen Koekkoek
+Jeroen Ooms
 Jerome Muffat-Meridol
+Jerome Robert
 Jerome Vouillon
+Jerry Krinock
 Jerry Wu
 Jes Badwal
 Jesper Jensen
+Jesse Chisholm
 Jesse Noller
+Jesse Tan
 Jie He
 Jim Drash
 Jim Freeman
 Jim Hollinger
 Jim Meyering
+Jiri Dvorak
 Jiri Hruska
 Jiri Jaburek
+Jiří Malák
 Jocelyn Jaubert
 Joe Halpin
 Joe Malicki
 Joe Mason
 Joel Chen
+Joel Depooter
 Jofell Gallardo
 Johan Anderson
+Johan Lantz
 Johan Nilsson
 Johan van Selst
 Johannes Bauer
+Johannes Ernst
+Johannes Schindelin
 John Bradshaw
+John Coffey
 John Crow
+John David Anglin
+John DeHelian
 John Dennis
+John Dunn
 John E. Malmberg
 John Gardiner Myers
+John Hascall
 John Janssen
 John Joseph Bachir
 John Kelly
+John Kohl
 John Lask
+John Levon
 John Lightsey
 John Marino
+John Marshall
 John McGowan
 John P. McCaskey
+John Starks
 John Suprock
+John Wanghui
 John Wilkinson
 John-Mark Bell
 Johnny Luong
+Jon DeVree
 Jon Grubbs
 Jon Nelson
 Jon Sargeant
+Jon Seymour
+Jon Spencer
+Jon Torrey
 Jon Travis
 Jon Turner
 Jonas Forsman
+Jonas Minnberg
 Jonas Schnelli
 Jonatan Lander
+Jonatan Vela
+Jonathan Cardoso Machado
+Jonathan Cardoso Machado Machado
 Jonathan Hseu
 Jonathan Nieder
 Jongki Suwandi
+Joonas Kuorilehto
+Jose Alf
 Jose Kahan
 Josef Wolf
 Josh Kapell
 Joshua Kwan
 Josue Andrade Gomes
+Jozef Kralik
 Juan Barreto
 Juan F. Codagnone
 Juan Ignacio Hervás
+Juan RP
 Judson Bishop
 Juergen Wilke
 Jukka Pihl
 Julian Noble
+Julian Ospald
 Julian Taylor
 Julien Chaffraix
+Julien Nabet
 Julien Royer
 Jun-ichiro itojun Hagino
 Jurij Smakov
+Juro Bystricky
+Justin Clift
+Justin Ehlert
 Justin Fletcher
 Justin Karneges
+Justin Maggard
+János Fekete
 Jörg Mueller-Tolk
 Jörn Hartroth
+K. R. Walker
 Kai Engert
+Kai Noda
 Kai Sommerfeld
 Kai-Uwe Rommel
 Kalle Vahlman
 Kamil Dudka
+Kang Lin
 Kang-Jin Lee
-Karl M
 Karl Moerder
 Karol Pietrzak
+Kartik Mahajan
 Kaspar Brand
 Katie Wang
+Kazuho Oku
 Kees Cook
+Kees Dekker
 Keith MacDonald
 Keith McGuigan
 Keith Mok
@@ -554,25 +873,38 @@ Kent Boortz
 Keshav Krity
 Kevin Baughman
 Kevin Fisk
+Kevin Ji
 Kevin Lussier
 Kevin Reed
 Kevin Roth
+Kevin Smith
+Kim Minjoong
 Kim Rinnewitz
 Kim Vandry
 Kimmo Kinnunen
 Kjell Ericson
 Kjetil Jacobsen
+Klaus Stein
 Klevtsov Vadim
+Kobi Gurkan
 Konstantin Isakov
 Kris Kennaway
 Krishnendu Majumdar
 Krister Johansen
 Kristian Gunstone
 Kristian Köhntopp
+Kristiyan Tsaklev
+Kurt Fankhauser
+Kyle J. McKay
+Kyle L. Huff
 Kyle Sallee
+Kyselgov E.N
 Lachlan O'Dea
 Larry Campbell
 Larry Fahnoe
+Larry Lin
+Larry Stefani
+Larry Stone
 Lars Buitinck
 Lars Gustafsson
 Lars J. Aas
@@ -581,46 +913,83 @@ Lars Nilsson
 Lars Torben Wilson
 Lau Hang Kin
 Laurent Rabret
+Lauri Kasanen
+Laurie Clark-Michalek
+Lawrence Matthews
+Lawrence Wagerfield
 Legoff Vincent
 Lehel Bernadt
+Leif W
+Leith Bade
 Len Krause
 Lenaic Lefever
 Lenny Rachitsky
+Leon Winter
+Leonardo Rosati
 Liam Healy
 Lijo Antony
 Linas Vepstas
+Lindley French
 Ling Thio
 Linus Nielsen Feltzing
+Linus Nordberg
+Lior Kaplan
 Lisa Xu
+Liviu Chircu
 Liza Alenchery
+Lloyd Fournier
 Lluís Batlle i Rossell
 Loic Dachary
 Loren Kirkby
+Luan Cestari
 Luca Altea
-Luca Alteas
+Luca Boccassi
 Lucas Adamski
+Lucas Pardue
+Ludek Finstrle
 Ludovico Cavedon
+Ludwig Nussel
+Lukas Ruzicka
 Lukasz Czekierda
 Luke Amery
 Luke Call
+Luke Dashjr
+Luo Jinghua
 Luong Dinh Dung
+Luz Paz
+Luật Nguyễn
+Lyndon Hill
 Maciej Karpiuk
+Maciej Puzio
 Maciej W. Rozycki
+Mahmoud Samir Fayed
+Maks Naumov
+Maksim Kuzevanov
+Maksim Stsepanenka
 Mamoru Tasaka
 Mandy Wu
 Manfred Schwarb
 Manuel Massing
+Marc Aldorasi
 Marc Boucher
+Marc Deslauriers
 Marc Doughty
-Marc Hoersken
+Marc Hesse
+Marc Hörsken
 Marc Kleine-Budde
+Marc Renault
+Marc-Antoine Perennou
 Marcel Raad
 Marcel Roelofs
+Marcelo Echeverria
 Marcelo Juchem
 Marcin Adamski
+Marcin Gryszkalis
 Marcin Konicki
+Marco Deckel
 Marco G. Salvagno
 Marco Maggi
+Marcus Hoffmann
 Marcus Sundberg
 Marcus Webster
 Mario Schroeder
@@ -628,25 +997,35 @@ Mark Brand
 Mark Butler
 Mark Davies
 Mark Eichin
+Mark Hamilton
 Mark Incley
 Mark Karpeles
 Mark Lentczner
+Mark Nottingham
 Mark Salisbury
 Mark Snelling
 Mark Tully
 Markus Duft
+Markus Elfring
 Markus Koetter
 Markus Moeller
 Markus Oberhumer
+Markus Westerlind
+Marquis de Muesli
 Martijn Koster
 Martin C. Martin
 Martin Drasar
+Martin Dreher
+Martin Frodl
+Martin Galvan
 Martin Hager
 Martin Hedenfalk
 Martin Jansen
+Martin Kepplinger
 Martin Lemke
 Martin Skinner
-Martin Storsjo
+Martin Storsjö
+Martin Vejnár
 Marty Kuhrt
 Maruko
 Massimiliano Ziccardi
@@ -655,150 +1034,241 @@ Mateusz Loskot
 Mathias Axelsson
 Mats Lidell
 Matt Arsenault
+Matt Ford
 Matt Kraai
 Matt Veenstra
 Matt Witherspoon
 Matt Wixson
+Matteo B.
 Matteo Rocco
 Matthew Blain
 Matthew Clarke
+Matthew Hall
+Matthew Kerwin
 Matthias Bolte
+Mattias Fornander
 Maurice Barnum
 Mauro Iorio
+Mauro Rappa
+Max Dymond
 Max Katsev
+Max Khon
 Maxim Ivanov
 Maxim Perenesenko
 Maxim Prohorov
 Maxime Larocque
 Mehmet Bozkurt
 Mekonikum
+Melissa Mears
 Mettgut Jamalla
 Michael Benedict
 Michael Calmer
 Michael Cronenworth
 Michael Curtis
 Michael Day
+Michael Felt
+Michael Gmelin
 Michael Goffioul
 Michael Jahn
 Michael Jerris
+Michael Kalinin
+Michael Kaufmann
+Michael Kilburn
+Michael König
+Michael Maltese
 Michael Mealling
 Michael Mueller
+Michael Osipov
 Michael Smith
+Michael Stapelberg
 Michael Stillwell
 Michael Wallner
 Michal Bonino
-Michal Gorny
-Michal Kowalczyk
 Michal Marek
+Michal Trybus
+Michał Fita
+Michał Górny
+Michał Janiszewski
+Michał Kowalczyk
+Michał Piechowski
+Michel Promonet
 Michele Bini
 Miguel Angel
+Miguel Diaz
 Mihai Ionescu
 Mikael Johansson
 Mikael Sennerholm
+Mikalai Ananenka
 Mike Bytnar
 Mike Crowe
 Mike Dobbs
 Mike Giancola
+Mike Hasselberg
+Mike Henshaw
 Mike Hommey
+Mike Mio
 Mike Power
 Mike Protts
 Mike Revi
 Miklos Nemeth
+Miloš Ljumović
+Mingliang Zhu
+Miroslav Franc
+Miroslav Spousta
 Mitz Wark
 Mohamed Lrhazi
+Mohammad AlSaleh
 Mohun Biswas
-Moonesamy
+Mostyn Bramley-Moore
+Moti Avrahami
+Muz Dima
 Myk Taylor
 Nach M. S.
+Nagai H
 Nathan Coulter
 Nathan O'Sullivan
 Nathanael Nerode
+Nathaniel Waisbrot
 Naveen Chandran
 Naveen Noel
+Neal Poole
+Nehal J Wani
 Neil Bowers
 Neil Dunbar
+Neil Kolban
 Neil Spring
 Nic Roets
 Nicholas Maniscalco
+Nick Draffen
 Nick Gimbrone
 Nick Humfrey
+Nick Miyake
 Nick Zitzmann
 Nico Baggus
 Nicolas Berloquin
 Nicolas Croiset
 Nicolas François
+Nicolas Morey-Chaisemartin
 Niels van Tongeren
 Nikita Schmidt
 Nikitinskit Dmitriy
 Niklas Angebrand
 Nikolai Kondrashov
 Nikos Mavrogiannopoulos
+Nikos Tsipinakis
 Ning Dong
 Nir Soffer
 Nis Jorgensen
+Nobuhiro Ban
 Nodak Sodak
 Norbert Frese
+Norbert Kett
 Norbert Novotny
+Octavio Schroeder
 Ofer
+Okhin Vasilij
+Ola Mork
 Olaf Flebbe
-Olaf Stueben
 Olaf Stüben
+Oleg Pudeyev
+Oli Kingshott
 Oliver Gondža
+Oliver Graute
+Oliver Kuckertz
+Oliver Schindler
 Olivier Berger
+Olivier Brunel
+Orange Tsai
+Oren Souroujon
 Oren Tirosh
+Orgad Shaneh
 Ori Avtalion
 Oscar Koeroo
 Oscar Norlander
+Oumph on github
 P R Schaffner
+Palo Markovic
 Paolo Piacentini
+Paras Sethia
+Pascal Gaudette
 Pascal Terjan
 Pasha Kuznetsov
+Pasi Karkkainen
 Pat Ray
 Patrice Guerin
 Patricia Muscalu
 Patrick Bihan-Faou
+Patrick Dawson
+Patrick McManus
 Patrick Monnerat
+Patrick Rapin
+Patrick Schlangen
 Patrick Scott
 Patrick Smith
+Patrick Watson
 Patrik Thunstrom
 Pau Garcia i Quiles
+Paul Donohue
 Paul Harrington
+Paul Harris
 Paul Howarth
+Paul Joyce
+Paul Marks
 Paul Marquis
 Paul Moore
 Paul Nolan
+Paul Oliver
 Paul Querna
+Paul Saab
 Pavel Cenek
+Pavel Gushchin
 Pavel Orehov
+Pavel Pavlov
 Pavel Raiskup
+Pavel Rochnyak
+Pavol Markovic
 Pawel A. Gajda
 Pawel Kierski
 Pedro Larroy
 Pedro Neves
-Pete Su
+Per Lundberg
+Per Malmberg
+Pete Lomax
 Peter Bray
 Peter Forret
+Peter Frühberger
 Peter Gal
 Peter Heuchert
 Peter Hjalmarsson
 Peter Korsgaard
+Peter Lamare
 Peter Lamberg
+Peter Laser
 Peter O'Gorman
 Peter Pentchev
+Peter Piekarski
 Peter Silva
 Peter Su
 Peter Sylvester
 Peter Todd
 Peter Verhas
+Peter Wang
+Peter Wu
 Peter Wullinger
 Peteris Krumins
+Petr Bahula
+Petr Novak
+Petr Pisar
+Petr Voytsik
 Phil Blundell
+Phil Crump
 Phil Karn
 Phil Lisiecki
 Phil Pellouchoud
 Philip Craig
 Philip Gladstone
 Philip Langdale
+Philip Prindeville
 Philippe Hameau
 Philippe Raoult
 Philippe Vaucher
@@ -807,51 +1277,85 @@ Pierre Brico
 Pierre Chapuis
 Pierre Joye
 Pierre Ynard
+Piotr Dobrogost
 Pooyan McSporran
 Pramod Sharma
+Prash Dush
+Praveen Pvs
+Priyanka Shah
 Puneet Pawaia
 Quagmire
 Quanah Gibson-Mount
 Quinn Slack
+R. Dennis Steed
+Radu Simionescu
 Rafa Muyo
+Rafael Antonio
 Rafael Sagula
+Rafayel Mkrtchyan
+Rafaël Carré
 Rainer Canavan
 Rainer Jung
 Rainer Koenig
+Rainer Müller
 Rajesh Naganathan
+Rajkumar Mandal
 Ralf S. Engelschall
 Ralph Beckmann
 Ralph Mitchell
 Ramana Mokkapati
+Randall S. Becker
+Randy Armstrong
 Randy McMurchy
 Ravi Pratap
 Ray Dassen
 Ray Pekowski
+Ray Satiro
+Razvan Cojocaru
+Reinhard Max
 Reinout van Schouwen
+Remi Gacogne
+Remo E
 Renato Botelho
 Renaud Chaillat
 Renaud Duhaut
 Renaud Guillard
+Renaud Lehoux
 Rene Bernhardt
 Rene Rebe
 Reuven Wachtfogel
 Reza Arbab
 Ricardo Cadime
+Rich Burridge
 Rich Gray
 Rich Rauenzahn
+Richard Alcock
 Richard Archer
 Richard Atterer
 Richard Bramante
 Richard Clayton
 Richard Cooper
 Richard Gorton
+Richard Gray
+Richard Hosking
+Richard Hsu
 Richard Michael
+Richard Moore
 Richard Prescott
 Richard Silverman
+Richard van den Berg
+Richy Kim
+Rick Deist
 Rick Jones
 Rick Richardson
+Ricki Hirner
+Rider Linden
+Rikard Falkeborn
+Rob Cotrone
 Rob Crittenden
+Rob Davies
 Rob Jones
+Rob Sanders
 Rob Stanzel
 Rob Ward
 Robert A. Monat
@@ -859,6 +1363,7 @@ Robert B. Harris
 Robert D. Young
 Robert Foreman
 Robert Iakobashvili
+Robert Kolcun
 Robert Olson
 Robert Schumann
 Robert Weaver
@@ -867,28 +1372,46 @@ Robin Cornelius
 Robin Johnson
 Robin Kay
 Robson Braga Araujo
+Rod Widdowson
 Rodney Simmons
+Rodric Glaser
 Rodrigo Silva
+Roger Leigh
 Roland Blom
 Roland Krikava
 Roland Zimmermann
 Rolland Dudemaine
+Romain Coltel
 Roman Koifman
 Roman Mamedov
+Romulo A. Ceccon
+Ron Eldor
+Ron Parker
 Ron Zapp
+Ronnie Mose
 Rosimildo da Silva
 Roy Shan
 Rune Kleveland
 Ruslan Gazizov
 Rutger Hofman
+Ruurd Beerstra
+Ryan Braud
 Ryan Chan
 Ryan Nelson
 Ryan Schmidt
+Ryan Scott
+Ryan Winograd
+Ryuichi KAWAMATA
+Rémy Léone
 S. Moonesamy
+SBKarr on github
+Salah-Eddin Shaban
 Salvador Dávila
 Salvatore Sorrentino
 Sam Deane
-Sam Listopad
+Sam Hurst
+Sam Roth
+Sam Schanken
 Sampo Kellomaki
 Samuel Díaz García
 Samuel Listopad
@@ -899,49 +1422,82 @@ Santhana Todatry
 Saqib Ali
 Sara Golemon
 Saran Neti
+Sascha Swiercy
 Saul good
+Saurav Babu
 Scott Bailey
 Scott Barrett
 Scott Cantor
 Scott Davis
 Scott McCreary
+Sean Boudreau
+Sean Burford
+Sean MacLennan
+Sebastian Mundry
+Sebastian Pohlschmidt
 Sebastian Rasmussen
-Sebastien Willemijns
 Senthil Raja Velu
+Sergei Kuzmin
 Sergei Nikulov
+Sergey Tatarincev
+Sergii Kavunenko
+Sergii Pylypenko
 Sergio Ballestrero
+Sergio Borghese
+Serj Kalichev
 Seshubabu Pasam
+Seth Mos
 Sh Diao
+Shachaf Ben-Kiki
+Shao Shuchao
 Sharad Gupta
 Shard
+Shawn Landden
 Shawn Poulson
+Shine Fan
 Shmulik Regev
 Siddhartha Prakash Jain
-Sidney San Martin
+Sidney San Martín
 Siegfried Gyuricsko
 Simon Dick
+Simon H.
 Simon Josefsson
 Simon Liu
+Simon Warta
+Somnath Kundu
 Song Ma
 Sonia Subramanian
 Spacen Jasset
 Spiridonoff A.V
+Spork Schivago
 Stadler Stephan
 Stan van de Burgt
 Stanislav Ivochkin
+Stanislav Zidek
+Stefan Agner
+Stefan Bühler
+Stefan Eissing
 Stefan Esser
+Stefan Kanthak
 Stefan Krause
 Stefan Neis
 Stefan Teleman
 Stefan Tomanek
 Stefan Ulrich
+Steinar H. Gunderson
+Stepan Broz
 Stephan Bergmann
+Stephan Mühlstrasser
+Stephen Brokenshire
 Stephen Collyer
 Stephen Kick
 Stephen More
+Stephen Toub
 Sterling Hughes
+Steve Brokenshire
 Steve Green
 Steve H Truong
+Steve Havelka
 Steve Holme
 Steve Lhomme
 Steve Little
@@ -954,22 +1510,42 @@ Steven Gu
 Steven M. Schweda
 Steven Parkes
 Stoned Elipot
+Stuart Henderson
+Sune Ahlgren
+Sunny Purushe
 Sven Anders
 Sven Neuhaus
 Sven Wegener
+Svyatoslav Mishyn
+Sylvestre Ledru
+Symeon Paraschoudis
 Sébastien Willemijns
 T. Bharath
 T. Yamada
-Taneli Vahakangas
+TJ Saunders
+Tae Hyoung Ahn
+Taneli Vähäkangas
 Tanguy Fautre
 Tatsuhiro Tsujikawa
 Temprimus
+Terri Oda
+Terry Wu
+TheAssassin on github
+Theodore Dubois
+Thomas Braun
+Thomas Glanzmann
 Thomas J. Moore
 Thomas Klausner
 Thomas L. Shinnick
 Thomas Lopatic
+Thomas Petazzoni
+Thomas Ruecker
 Thomas Schwinge
 Thomas Tonino
+Thomas van Hesteren
+Thorsten Schöning
+Tiit Pikma
+Till Maas
 Tim Ansell
 Tim Baker
 Tim Bartley
@@ -977,15 +1553,24 @@ Tim Chen
 Tim Costello
 Tim Harder
 Tim Heckman
+Tim Mcdonough
 Tim Newsome
+Tim Rühsen
 Tim Sneddon
+Tim Stack
+Tim Starling
 Timo Sirainen
+Timotej Lazar
+Timothe Litt
+Timothy Polich
 Tinus van den Berg
+Tobias Markus
 Tobias Rundström
+Tobias Stoeckmann
 Toby Peterson
 Todd A Ouska
 Todd Kulesza
-Todd Ouska
+Todd Short
 Todd Vierling
 Tom Benoist
 Tom Donovan
@@ -995,32 +1580,54 @@ Tom Mattison
 Tom Moers
 Tom Mueller
 Tom Regner
+Tom Seddon
+Tom Sparrow
 Tom Wright
 Tom Zerucha
+Tomas Hoger
+Tomas Jakobsson
 Tomas Mlcoch
+Tomas Mraz
 Tomas Pospisek
 Tomas Szepe
+Tomas Tomecek
+Tomasz Kojm
 Tomasz Lacki
 Tommie Gannert
 Tommy Tam
 Ton Voon
 Toni Moreno
+Tony Kelman
 Toon Verwaest
 Tor Arntsen
+Torben Dannhauer
 Torsten Foertsch
 Toshio Kuratomi
 Toshiyuki Maezawa
 Traian Nicolescu
+Travis Burtrum
+Travis Obenhaus
 Troels Walsted Hansen
 Troy Engel
 Tupone Alfredo
+Tyler Hall
+Török Edwin
 Ulf Härnhammar
+Ulf Samuelsson
 Ulrich Doehner
+Ulrich Telle
 Ulrich Zadow
+Valentin David
+Vasy Okhin
 Venkat Akella
+Venkataramana Mokkapati
 Victor Snezhko
+Vijay Panghal
 Vikram Saxena
+Viktor Szakats
+Ville Skyttä
 Vilmos Nebehaj
+Vincas Razma
 Vincent Bronner
 Vincent Le Normand
 Vincent Penquerc'h
@@ -1032,32 +1639,109 @@ Vladimir Grishchenko
 Vladimir Lazarenko
 Vojtech Janota
 Vojtech Minarik
+Vojtěch Král
 Vsevolod Novikov
+W. Mark Kubacki
+Waldek Kozba
 Walter J. Mack
 Ward Willats
+Warp Kawada
+Warren Menzer
 Wayne Haigh
 Werner Koch
 Wesley Laxton
 Wesley Miaw
 Wez Furlong
+Wham Bang
 Wilfredo Sanchez
+Will Dietz
 Willem Sparreboom
+William Ahern
 Wojciech Zwiefka
 Wouter Van Rooy
 Wu Yongzheng
+Wyatt O'Day
 Xavier Bouchoux
+XhstormR on github
+Xiangbin Li
+Yaakov Selkowitz
 Yamada Yasuharu
 Yang Tse
 Yarram Sunil
+Yasuharu Yamada
+Yehezkel Horowitz
 Yehoshua Hershberg
+Yi Huang
+Yingwei Liu
+Yonggang Luo
+Yousuke Kimoto
 Yukihiro Kawada
+Yun SangHo
 Yuriy Sosov
 Yves Arrouye
 Yves Lejeune
+Zachary Seguin
 Zdenek Pavlas
 Zekun Ni
+Zenju on github
+Zhouyihai Ding
 Zmey Petroff
 Zvi Har'El
+afrind on github
+ahodesuka on github
+anshnd on github
+arainchik on github
+asavah on github
+baumanj on github
+bsammon on github
+cbartl on github
+cmfrolick on github
+dasimx on github
+destman on github
+dkjjr89 on github
+dpull on github
+eXeC64 on github
+elelel on github
+guitared on github
+hsiao yi
+imilli on github
+iz8mbw on github
+jonrumsey on github
+joshhe on github
+jungle-boogie on github
+jveazey on github
+ka7 on github
+kreshano on github
+lijian996 on github
+lukaszgn on github
+madblobfish on github
+marc-groundctl on github
+mccormickt12 on github
+mkzero on github
+moohoorama on github
+neex on github
+neheb on github
 nk
+nopjmp on github
+olesteban on github
+omau on github
+ovidiu-benea on github
+patelvivekv1993 on github
+paulharris on github
+silveja1 on github
+steelman on github
+steini2000 on github
+stootill on github
 swalkaus at yahoo.com
+tarek112 on github
 tommink[at]post.pl
+vanillajonathan on github
+wmsch on github
+wncboy on github
+wyattoday on github
+youngchopin on github
+zelinchen on github
+İsmail Dönmez
+Łukasz Domeradzki
+Štefan Kremeň
+Никита Дорохин
-- 
cgit v1.2.3