author Devtools Arcadia <arcadia-devtools@yandex-team.ru> 2022-02-07 18:08:42 +0300
committer Devtools Arcadia <arcadia-devtools@mous.vla.yp-c.yandex.net> 2022-02-07 18:08:42 +0300
commit 1110808a9d39d4b808aef724c861a2e1a38d2a69 (patch)
tree e26c9fed0de5d9873cce7e00bc214573dc2195b7 /contrib/libs/curl/CHANGES
download ydb-1110808a9d39d4b808aef724c861a2e1a38d2a69.tar.gz
intermediate changes
ref:cde9a383711a11544ce7e107a78147fb96cc4029
Diffstat (limited to 'contrib/libs/curl/CHANGES')
-rw-r--r-- contrib/libs/curl/CHANGES 7440
1 files changed, 7440 insertions, 0 deletions
diff --git a/contrib/libs/curl/CHANGES b/contrib/libs/curl/CHANGES
new file mode 100644
index 0000000000..56859b4993
--- /dev/null
+++ b/contrib/libs/curl/CHANGES
@@ -0,0 +1,7440 @@
+ _ _ ____ _
+ ___| | | | _ \| |
+ / __| | | | |_) | |
+ | (__| |_| | _ <| |___
+ \___|\___/|_| \_\_____|
+
+ Changelog
+
+Version 7.74.0 (9 Dec 2020)
+
+Daniel Stenberg (9 Dec 2020)
+- RELEASE-NOTES: synced
+
+ for 7.74.0
+
+Jay Satiro (7 Dec 2020)
+- [Jacob Hoffman-Andrews brought this change]
+
+ urldata: restore comment on ssl_connect_data.use
+
+ This comment was originally on the `use` field, but was separated from
+ its field in 62a2534.
+
+ Closes https://github.com/curl/curl/pull/6287
+
+Daniel Stenberg (7 Dec 2020)
+- VERSIONS: refreshed
+
+ We always use the patch number these days: all releases are
+ "major.minor.patch"
+
+- [Jakub Zakrzewski brought this change]
+
+ cmake: don't use reserved target name 'test'
+
+ CMake up to 3.10 always reserves this name
+
+ Fixes #6257
+ Closes #6258
+
+- openssl: make the OCSP verification verify the certificate id
+
+ CVE-2020-8286
+
+ Reported by anonymous
+
+ Bug: https://curl.se/docs/CVE-2020-8286.html
+
+- ftp: make wc_statemach loop instead of recurse
+
+ CVE-2020-8285
+
+ Fixes #6255
+ Bug: https://curl.se/docs/CVE-2020-8285.html
+ Reported-by: xnynx on github
+
+- ftp: CURLOPT_FTP_SKIP_PASV_IP by default
+
+ The command line tool also independently sets --ftp-skip-pasv-ip by
+ default.
+
+ Ten test cases updated to adapt the modified --libcurl output.
+
+ Bug: https://curl.se/docs/CVE-2020-8284.html
+ CVE-2020-8284
+
+ Reported-by: Varnavas Papaioannou
+
+- urlapi: don't accept blank port number field without scheme
+
+ ... as it makes the URL parser accept "very-long-hostname://" as a valid
+ host name and we don't want that. The parser now only accepts a blank
+ (no digits) after the colon if the URL starts with a scheme.
+
+ Reported-by: d4d on hackerone
+
+ Closes #6283
+
+- Revert "multi: implement wait using winsock events"
+
+ This reverts commit d2a7d7c185f98df8f3e585e5620cbc0482e45fac.
+
+ This commit also reverts the subsequent follow-ups to that commit, which
+ were all done within windows #ifdefs that are removed in this
+ change. Marc helped me verify this.
+
+ Fixes #6146
+ Closes #6281
+
+- [Klaus Crusius brought this change]
+
+ ftp: retry getpeername for FTP with TCP_FASTOPEN
+
+ In the case of TFO, the remote host name is not resolved at the
+ connetion time.
+
+ For FTP that has lead to missing hostname for the secondary connection.
+ Therefore the name resolution is done at the time, when FTP requires it.
+
+ Fixes #6252
+ Closes #6265
+ Closes #6282
+
+- [Thomas Danielsson brought this change]
+
+ scripts/completion.pl: parse all opts
+
+ For tab-completion it may be preferable to include all the
+ available options.
+
+ Closes #6280
+
+- RELEASE-NOTES: synced
+
+- openssl: use OPENSSL_init_ssl() with >= 1.1.0
+
+ Reported-by: Kovalkov Dmitrii and Per Nilsson
+ Fixes #6254
+ Fixes #6256
+ Closes #6260
+
+- SECURITY-PROCESS: disclose on hackerone
+
+ Once a vulnerability has been published, the hackerone issue should be
+ disclosed. For tranparency.
+
+ Closes #6275
+
+Marc Hoersken (3 Dec 2020)
+- tests/util.py: fix compatibility with Python 2
+
+ Backporting the Python 3 implementation of setStream
+ to ClosingFileHandler as a fallback within Python 2.
+
+ Reported-by: Jay Satiro
+
+ Fixes #6259
+ Closes #6270
+
+Daniel Gustafsson (3 Dec 2020)
+- docs: fix typos and markup in ETag manpage sections
+
+ Reported-by: emanruse on github
+ Fixes #6273
+
+Daniel Stenberg (2 Dec 2020)
+- quiche: close the connection
+
+ Reported-by: Junho Choi
+ Fixes #6213
+ Closes #6217
+
+Jay Satiro (2 Dec 2020)
+- ngtcp2: Fix build error due to symbol name change
+
+ - NGTCP2_CRYPTO_LEVEL_APP -> NGTCP2_CRYPTO_LEVEL_APPLICATION
+
+ ngtcp2/ngtcp2@76232e9 changed the name.
+
+ ngtcp2 master is required to build curl with http3 support.
+
+ Closes https://github.com/curl/curl/pull/6271
+
+Daniel Stenberg (1 Dec 2020)
+- [Klaus Crusius brought this change]
+
+ cmake: check for linux/tcp.h
+
+ The HAVE_LINUX_TCP_H define was not set by cmake.
+
+ Closes #6252
+
+- NEW-PROTOCOL: document what needs to be done to add one
+
+ Closes #6263
+
+- splay: rename Curl_splayremovebyaddr to Curl_splayremove
+
+ ... and remove the old unused proto for the old Curl_splayremove
+ version.
+
+ Closes #6269
+
+- openssl: free mem_buf in error path
+
+ To fix a memory-leak.
+
+ Closes #6267
+
+- openssl: remove #if 0 leftover
+
+ Follow-up to 4c9768565ec3a9 (from Sep 2008)
+
+ Closes #6268
+
+- ntlm: avoid malloc(0) on zero length user and domain
+
+ ... and simplify the too-long checks somewhat.
+
+ Detected by OSS-Fuzz
+
+ Closes #6264
+
+- RELEASE-NOTES: synced
+
+Marc Hoersken (28 Nov 2020)
+- tests/server/tftpd.c: close upload file in case of abort
+
+ Commit c353207 removed the closing right after do_tftp
+ which covered the case of abort. This handles that case.
+
+ Reviewed-by: Jay Satiro
+ Reviewed-by: Daniel Stenberg
+
+ Follow up to #6209
+ Closes #6234
+
+Daniel Stenberg (26 Nov 2020)
+- [Daiki Ueno brought this change]
+
+ ngtcp2: use the minimal version of QUIC supported by ngtcp2
+
+ Closes #6250
+
+- [Daiki Ueno brought this change]
+
+ ngtcp2: advertise h3 ALPN unconditionally
+
+ Closes #6250
+
+- [Daiki Ueno brought this change]
+
+ vquic/ngtcp2.h: define local_addr as sockaddr_storage
+
+ This field needs to be wide enough to hold sockaddr_in6 when
+ connecting via IPv6. Otherwise, ngtcp2_conn_read_pkt will drop the
+ packets because of the address mismatch:
+ I00000022 [...] con ignore packet from unknown path
+
+ We can safely assume that struct sockaddr_storage is available, as it
+ is used in the public interface of ngtcp2.
+
+ Closes #6250
+
+- socks: check for DNS entries with the right port number
+
+ The resolve call is done with the right port number, but the subsequent
+ check used the wrong one, which then could find a previous resolve which
+ would return and leave the fresh resolve "incomplete" and leaking
+ memory.
+
+ Fixes #6247
+ Closes #6253
+
+- curl_setup: USE_RESOLVE_ON_IPS is for Apple native resolver use
+
+ ... so don't define it when instructed to use c-ares!
+
+- test506: make it not run in c-ares builds
+
+ As the asynch nature of it may trigger events in another order. A c-ares
+ upgrade made it break.
+
+ Reported-by: Marc Hörsken
+ Fixes #6247
+
+- runtests: make 'c-ares' a "feature" to depend on
+
+ ... also added to the docs.
+
+- tool_writeout: use off_t getinfo-types instead of doubles
+
+ Commit 3b80d3ca46b12e52342 (June 2017) introduced getinfo replacement
+ variables that use curl_off_t instead of doubles. Switch the --write-out
+ function over to use them.
+
+ Closes #6248
+
+- [Emil Engler brought this change]
+
+ file: avoid duplicated code sequence
+
+ file_disconnect() is identical with file_do() except the function header
+ but as the arguments are unused anyway so why not just return file_do()
+ directly!
+
+ Reviewed-by: Daniel Stenberg
+ Closes #6249
+
+- [Rikard Falkeborn brought this change]
+
+ infof/failf calls: fix format specifiers
+
+ Update a few format specifiers to match what is being printed.
+
+ Closes #6241
+
+- docs/INTERNALS: remove reference to Curl_sendf()
+
+ The function has been removed from common usage. Also removed comment in
+ gopher.c that still referenced it.
+
+ Reported-by: Rikard Falkeborn
+ Fixes #6242
+ Closes #6243
+
+- [Rikard Falkeborn brought this change]
+
+ examples: update .gitignore
+
+ Add files that are generated by 'make examples' and remove some that
+ have been renamed.
+
+ The commits that renamed the programs are e9625c5bc6c046a (imap.c and
+ simplesmtp.c were renamed to imap-fetch.c and smtp-send.c) and
+ ad39e7ec01e7 (pop3slist.c and pop3s.c were renamed to pop3-list.c and
+ pop3-ssl.c).
+
+ Closes #6240
+
+- asyn: use 'struct thread_data *' instead of 'void *'
+
+ To reduce use of types that can't be checked at compile time. Also
+ removes several typecasts.
+
+ ... and rename the struct field from 'os_specific' to 'tdata'.
+
+ Closes #6239
+ Reviewed-by: Jay Satiro
+
+Viktor Szakats (23 Nov 2020)
+- Makefile.m32: add support for UNICODE builds
+
+ It requires the linker to support the `-municode` option.
+ This is available in more recent mingw-w64 releases.
+
+ Ref: https://gcc.gnu.org/onlinedocs/gcc/x86-Windows-Options.html
+ Ref: https://stackoverflow.com/questions/3571250/wwinmain-unicode-and-mingw/11706847#11706847
+
+ Reviewed-by: Jay Satiro
+ Reviewed-by: Marcel Raad
+
+ Closes #6228
+
+Daniel Stenberg (23 Nov 2020)
+- urldata: remove 'void *protop' and create the union 'p'
+
+ ... to avoid the use of 'void *' for the protocol specific structs done
+ per transfer.
+
+ Closes #6238
+
+- winbuild: remove docs from Makefiles and refer to README.md
+
+ Reduce risk for conflicting docs and makes it to a single place to fix
+ and polish.
+
+ add these missing options to the readme:
+
+ ENABLE_OPENSSL_AUTO_LOAD_CONFIG and ENABLE_UNICODE
+
+ clarify ENABLE_SCHANNEL default varies
+
+ Fixes #6216
+ Closes #6227
+ Co-Authored-by: Jay Satiro
+
+- [Daiki Ueno brought this change]
+
+ http3: use the master branch of GnuTLS for testing
+
+ Closes #6235
+
+- KNOWN_BUGS: curl with wolfSSL lacks support for renegotiation
+
+ Closes #5839
+
+- KNOWN_BUGS: wakeup socket disconnect causes havoc
+
+ Closes #6132
+ Closes #6133
+
+- RELEASE-NOTES: synced
+
+- [Oliver Urbann brought this change]
+
+ curl: add compatibility for Amiga and GCC 6.5
+
+ Changes are mainly reordering and adding of includes required
+ to compile with a more recent version of GCC.
+
+ Closes #6220
+
+Marc Hoersken (20 Nov 2020)
+- tests/server/tftpd.c: close upload file right after transfer
+
+ Make sure uploaded file is no longer locked after the
+ transfer while waiting for the final ACK to be handled.
+
+ Assisted-by: Daniel Stenberg
+
+ Bug: #6058
+ Closes #6209
+
+- CI/cirrus: simplify logic for disabled tests
+
+ The OpenSSH server instance for the testsuite cannot
+ be started on FreeBSD, therefore the SFTP and SCP
+ tests are disabled right away from the beginning.
+
+ The previous OS version specific logic for SKIP_TESTS
+ is no longer needed/used and can therefore be removed.
+
+ Reviewed-by: Daniel Stenberg
+
+ Follow up to #6211
+ Closes #6229
+
+Daniel Gustafsson (20 Nov 2020)
+- mailmap: Daniel Hwang
+
+ Add Daniel Hwang to the mailmap to cover the alternative spelling
+ Daniel Lee Hwang which was used in one commit.
+
+ Closes #6230
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+- openssl: guard against OOM on context creation
+
+ EVP_MD_CTX_create will allocate memory for the context and returns
+ NULL in case the allocation fails. Make sure to catch any allocation
+ failures and exit early if so.
+
+ In passing, also move to EVP_DigestInit rather than EVP_DigestInit_ex
+ as the latter is intended for ENGINE selection which we don't do.
+
+ Closes #6224
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+ Reviewed-by: Emil Engler <me@emilengler.com>
+
+Daniel Stenberg (19 Nov 2020)
+- [Vincent Torri brought this change]
+
+ cmake: use libcurl.rc in all Windows builds
+
+ Reviewed-by: Marcel Raad
+ Closes #6215
+
+- [Cristian Morales Vega brought this change]
+
+ cmake: make CURL_ZLIB a tri-state variable
+
+ By differentiating between ON and AUTO it can make a missing zlib
+ library a hard error when CURL_ZLIB=ON is used.
+
+ Reviewed-by: Jakub Zakrzewski
+ Closes #6221
+ Fixes #6173
+
+- quiche: remove 'static' from local buffer
+
+ For thread-safety
+
+ Closes #6223
+
+- KNOWN_BUGS: cmake: libspsl is not supported
+
+ Closes #6214
+
+- KNOWN_BUGS: cmake autodetects cert paths when cross-compiling
+
+ Closes #6178
+
+- KNOWN_BUGS: cmake build doesn't fail if zlib not found
+
+ Closes #6173
+
+- KNOWN_BUGS: cmake libcurl.pc uses absolute library paths
+
+ Closes #6169
+
+- KNOWN_BUGS: cmake: generated .pc file contains strange entries
+
+ Closes #6167
+
+- KNOWN_BUGS: cmake uses -lpthread instead of Threads::Threads
+
+ Closes #6166
+
+- KNOWN_BUGS: cmake build in Linux links libcurl to libdl
+
+ Closes #6165
+
+- KNOWN_BUGS: make a new section for cmake topics
+
+ Closes #6219
+
+- [Emil Engler brought this change]
+
+ cirrus: build with FreeBSD 12.2 in CirrusCI
+
+ Closes #6211
+
+Marc Hoersken (14 Nov 2020)
+- tests/*server.py: close log file after each log line
+
+ Make sure the log file is not locked once a test has
+ finished and align with the behavior of our logmsg.
+
+ Rename curl_test_data.py to be a general util.py.
+ Format and sort Python imports with isort/VSCode.
+
+ Bug: #6058
+ Closes #6206
+
+Daniel Stenberg (13 Nov 2020)
+- CURLOPT_HSTS.3: document the file format
+
+ Closes #6205
+
+- RELEASE-NOTES: synced
+
+- release-notes.pl: detect #[number] better for Ref: etc
+
+- curl: only warn not fail, if not finding the home dir
+
+ ... as there's no good reason to error out completely.
+
+ Reported-by: Andreas Fischer
+ Fixes #6200
+ Closes #6201
+
+- httpput-postfields.c: new example doing PUT with POSTFIELDS
+
+ Proposed-by: Jeroen Ooms
+ Ref: #6186
+ Closes #6188
+
+- [Tobias Hieta brought this change]
+
+ cmake: correctly handle linker flags for static libs
+
+ curl CMake was setting the the EXE flags for static libraries which made
+ the /manifest:no flag ended up when linking the static library, which is
+ not a valid flag for lib.exe or llvm-lib.exe and caused llvm-lib to exit
+ with an error.
+
+ The better way to handle this is to make sure that we pass the correct
+ linker flags to CMAKE_STATIC_LINKER_FLAGS instead.
+
+ Reviewed-by: Jakub Zakrzewski
+ Closes #6195
+
+- [Tobias Hieta brought this change]
+
+ cmake: don't pass -fvisibility=hidden to clang-cl on Windows
+
+ When using clang-cl on windows -fvisibility=hidden is not an known
+ argument. Instead it behaves exactly like MSVC in this case. So let's
+ make sure we take that path.
+
+ In CMake clang-cl sets both CMAKE_C_COMPILER_ID=clang and MSVC get's
+ defined since clang-cl is basically a MSVC emulator. So guarding like we
+ do in this patch seems logical.
+
+ Reviewed-by: Jakub Zakrzewski
+ Closes #6194
+
+- http_proxy: use enum with state names for 'keepon'
+
+ To make the code clearer, change the 'keepon' from an int to an enum
+ with better state names.
+
+ Reported-by: Niranjan Hasabnis
+ Bug: https://curl.se/mail/lib-2020-11/0026.html
+ Closes #6193
+
+- curl_easy_escape: limit output string length to 3 * max input
+
+ ... instead of the limiting it to just the max input size. As every
+ input byte can be expanded to 3 output bytes, this could limit the input
+ string to 2.66 MB instead of the intended 8 MB.
+
+ Reported-by: Marc Schlatter
+ Closes #6192
+
+- docs: document the 8MB input string limit
+
+ for curl_easy_escape and curl_easy_setopt()
+
+ The limit is there to catch mistakes and abuse. It is meant to be large
+ enough to allow virtually all "fine" use cases.
+
+ Reported-by: Marc Schlatter
+ Fixes #6190
+ Closes #6191
+
+- mqttd: fclose test file when done
+
+ Reported-by: Marc Hörsken
+ Reviewed-by: Jay Satiro
+ Bug: #6058
+ Closes #6189
+
+- RELEASE-NOTES: synced
+
+- THANKS-filter: ignore autobuild links
+
+- Revert "libcurl.pc: make it relocatable"
+
+ This reverts commit 3862c37b6373a55ca704171d45ba5ee91dec2c9f.
+
+ That fix should either be done differently or with an option.
+
+ Reported-by: asavah on github
+ Fixes #6157
+ Closes #6183
+
+- examples/httpput: remove use of CURLOPT_PUT
+
+ It is deprecated and unnecessary since it already sets CURLOPT_UPLOAD.
+
+ Reported-by: Jeroen Ooms
+ Fixes #6186
+ Closes #6187
+
+- Curl_pgrsStartNow: init speed limit time stamps at start
+
+ By setting the speed limit time stamps unconditionally at transfer
+ start, we can start off a transfer without speed limits and yet allow
+ them to get set during transfer and have an effect.
+
+ Reported-by: Kael1117 on github
+ Fixes #6162
+ Closes #6184
+
+- ngtcp2: adapt to recent nghttp3 updates
+
+ 'reset_stream' was added to the nghttp3_conn_callbacks struct
+
+ Closes #6185
+
+- configure: pass -pthread to Libs.private for pkg-config
+
+ Reported-by: Cristian Morales Vega
+ Fixes #6168
+ Closes #6181
+
+- altsvc: minimize variable scope and avoid "DEAD_STORE"
+
+ Closes #6182
+
+- FAQ: remove "Why is there a HTTP/1.1 in my HTTP/2 request?"
+
+ This hasn't been the case for a while now, remove.
+
+- FAQ: refresh "Why do I get "certificate verify failed"
+
+ Add more details, remove references to ancient curl version.
+
+- test493: verify --hsts upgrade and that %{url_effective} reflects that
+
+ Closes #6175
+
+- url: make sure an HSTS upgrade updates URL and scheme correctly
+
+ Closes #6175
+
+- tool_operate: set HSTS with CURLOPT_HSTS to pass on filename
+
+ Closes #6175
+
+- hsts: remove debug code leftovers
+
+ Closes #6175
+
+- FAQ: refreshed
+
+ - remove a few ancient questions
+ - add configure with static libs question
+ - updated wording in several places
+ - lowercased curl
+
+ Closes #6177
+
+Daniel Gustafsson (5 Nov 2020)
+- examples: fix comment syntax
+
+ Commit ac0a88fd2 accidentally added a stray character outside of the
+ comment which broke compilation. Fix by removing.
+
+ Reported-by: autobuild https://curl.se/dev/log.cgi?id=20201105084306-12742
+
+- hsts: Remove pointless call to free in errorpath
+
+ The line variable will always be NULL in the error path, so remove
+ the free call since it's pointless.
+
+ Closes #6170
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+- docs: Fix various typos in documentation
+
+ Closes #6171
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+Daniel Stenberg (5 Nov 2020)
+- copyright: fix year ranges
+
+ Follow-up from 4d2f8006777
+
+- HISTORY: the new domain
+
+- curl.se: new home
+
+ Closes #6172
+
+- KNOWN_BUGS: FTPS with Schannel times out file list operation
+
+ Reported-by: bobmitchell1956 on github
+ Closes #5284
+
+- KNOWN_BUGS: SMB tests fail with Python 2
+
+ Reported-by: Jay Satiro
+ Closes #5983
+
+- KNOWN_BUGS: LDAPS with NSS is slow
+
+ Reported-by: nosajsnikta on github
+ Closes #5874
+
+Sergei Nikulov (4 Nov 2020)
+- travis: use ninja-build for CMake builds
+
+ Added package ninja-build to environment
+ Use ninja to speed up CMake builds
+
+ Closes #6077
+
+Daniel Stenberg (4 Nov 2020)
+- [Harry Sintonen brought this change]
+
+ rtsp: error out on empty Session ID, unified the code
+
+- [Harry Sintonen brought this change]
+
+ rtsp: fixed the RTST Session ID mismatch in test 570
+
+ Closes #6161
+
+- [Harry Sintonen brought this change]
+
+ rtsp: fixed Session ID comparison to refuse prefix
+
+ Closes #6161
+
+- RELEASE-NOTES: synced
+
+ (forgot to update the list of contributors)
+
+- RELEASE-NOTES: synced
+
+- curlver: bumped to 7.74.0
+
+- hsts: add read/write callbacks
+
+ - read/write callback options
+ - man pages for the 4 new setopts
+ - test 1915 verifies the callbacks
+
+ Closes #5896
+
+- hsts: add support for Strict-Transport-Security
+
+ - enable in the build (configure)
+ - header parsing
+ - host name lookup
+ - unit tests for the above
+ - CI build
+ - CURL_VERSION_HSTS bit
+ - curl_version_info support
+ - curl -V output
+ - curl-config --features
+ - CURLOPT_HSTS_CTRL
+ - man page for CURLOPT_HSTS_CTRL
+ - curl --hsts (sets CURLOPT_HSTS_CTRL and works with --libcurl)
+ - man page for --hsts
+ - save cache to disk
+ - load cache from disk
+ - CURLOPT_HSTS
+ - man page for CURLOPT_HSTS
+ - added docs/HSTS.md
+ - fixed --version docs
+ - adjusted curl_easy_duphandle
+
+ Closes #5896
+
+- [Sergei Nikulov brought this change]
+
+ CI/tests: enable test target on TravisCI for CMake builds
+
+ Added test-nonflaky target to CMake builds
+
+ Disabled test 1139 because the cmake build doesn't create docs/curl.1
+
+ Closes #6074
+
+- tool_debug_cb: do not assume zero-terminated data
+
+ Follow-up to d70a5b5a0f5e3
+
+- sendf: move the verbose-check into Curl_debug
+
+ Saves us from having the same check done everywhere.
+
+ Closes #6159
+
+- travis: use valgrind when running tests for debug builds
+
+ Except the non-x86 and sanitizer builds
+
+ Closes #6154
+
+- header.d: fix syntax mistake
+
+ follow-up from 1144886f38fd0
+
+- [Harry Sintonen brought this change]
+
+ gnutls: fix memory leaks (certfields memory wasn't released)
+
+ Closes #6153
+
+- tests: add missing global_init/cleanup calls
+
+ Without the cleanup call in these test files, the mbedTLS backend leaks
+ memory.
+
+ Closes #6156
+
+- tool_operate: --retry for HTTP 408 responses too
+
+ This was inadvertently dropped from the code when the parallel support
+ was added.
+
+ Regression since b88940850 (7.66.0)
+
+ Reviewed-by: Jay Satiro
+ Closes #6155
+
+- http: pass correct header size to debug callback for chunked post
+
+ ... when the chunked framing was added, the size of the "body part" of
+ the data was calculated wrongly so the debug callback would get told a
+ header chunk a few bytes too big that would also contain the first few
+ bytes of the request body.
+
+ Reported-by: Dirk Wetter
+ Ref: #6144
+ Closes #6147
+
+- header.d: mention the "Transfer-Encoding: chunked" handling
+
+ Ref: #6144
+ Closes #6148
+
+- acinclude: detect manually set minimum macos/ipod version
+
+ ... even if set in the CC or IPHONEOS/MACOSX_DEPLOYMENT_TARGET
+ variables.
+
+ Reported-by: hamstergene on github
+ Fixes #6138
+ Closes #6140
+
+Jay Satiro (29 Oct 2020)
+- tests: fix some http/2 tests for older versions of nghttpx
+
+ - Add regex that strips http/2 server header name to those http/2 tests
+ that don't already have it.
+
+ - Improve that regex in all http/2 tests.
+
+ Tests 358 and 359 were failing for me before this change on a system
+ that uses an older version of nghttpx which includes its version number
+ in the server header.
+
+ Closes https://github.com/curl/curl/pull/6139
+
+Daniel Stenberg (30 Oct 2020)
+- RELEASE-NOTES: synced
+
+- [Cristian Morales Vega brought this change]
+
+ configure: use pkgconfig to find openSSL when cross-compiling
+
+ This reverts 736a40fec (November 2004), which doesn't explain why it was
+ done.
+
+ Closes #6145
+
+- tool_operate: bail out proper on errors for parallel setup
+
+ ... otherwise for example trying to upload a missing file just causes a
+ loop.
+
+ Reported-by: BrumBrum on hackerone
+ Closes #6141
+
+- [Sergei Nikulov brought this change]
+
+ CMake: make BUILD_TESTING dependent option
+
+ CMake will now handle BUILD_TESTING depending on PERL_FOUND and
+ CURL_DISABLE_TESTING
+
+ Ref: #6036
+ Closes #6072
+
+- libssh2: fix transport over HTTPS proxy
+
+ The fix in #6021 was not enough. This fix makes sure SCP/SFTP content
+ can also be transfered over a HTTPS proxy.
+
+ Fixes #6113
+ Closes #6128
+
+- curl.1: add an "OUTPUT" section at the top of the manpage
+
+ Explain the basic concepts behind curl output.
+
+ Inspired by #6124
+
+ Closes #6134
+
+- mailmap: set Viktor Szakats's email
+
+- runtests: show keywords when no tests ran
+
+ To help out future debugging, runtests now outputs the list of keywords
+ when it fails because no tests ran.
+
+ Ref: #6120
+ Closes #6126
+
+Jay Satiro (26 Oct 2020)
+- CURLOPT_DNS_USE_GLOBAL_CACHE.3: fix typo
+
+ Reported-by: Rui LIU
+
+ Closes https://github.com/curl/curl/issues/6131
+
+- range.d: fix typo
+
+ Follow-up to 15ae039 from earlier today.
+
+Daniel Stenberg (26 Oct 2020)
+- CI/github: work-around for brew breakage on macOS
+
+ ... and make it use OpenSSL 1.1 properly
+
+ Fixes #6130
+ Closes #6129
+
+- [José Joaquín Atria brought this change]
+
+ range.d: clarify that curl will not parse multipart responses
+
+ Closes #6127
+ Fixes #6124
+
+- RELEASE-NOTES: synced
+
+- [Baruch Siach brought this change]
+
+ libssh2: fix build with disabled proxy support
+
+ Build breaks because the http_proxy field is missing:
+
+ vssh/libssh2.c:3119:10: error: 'struct connectdata' has no member named 'http_proxy'
+
+ Regression from #6021, shipped in curl 7.73.0
+
+ Closes #6125
+
+- alt-svc: enable by default
+
+ Remove CURLALTSVC_IMMEDIATELY, which was never implemented/supported.
+
+ alt-svc support in curl is no longer considered experimental
+
+ Closes #5868
+
+- CI/appveyor: remove (unused) runtests.pl -b option
+
+- [Emil Engler brought this change]
+
+ tool_help: make "output" description less confusing
+
+ Currently the description of "output" is misleading when comparing it
+ "verbose".
+
+ Closes #6118
+
+- CI/appveyor: disable test 571 in two cmake builds
+
+ ... they're simply too flaky there.
+
+ Closes #6119
+
+- cmake: set the unicode feature in curl-config on Windows
+
+ ... if built that way. To make it match curl -V output.
+
+ Reviewed-by: Marcel Raad
+ Closes #6117
+
+- libssh2: require version 1.0 or later
+
+ ... and simplify the code accordingly. libssh2 version 1.0 was released
+ in April 2009.
+
+ Closes #6116
+
+- KNOWN_BUGS: mention the individual cmake issues
+
+ ... to make them easier to refer to and address separately and
+ one-by-one.
+
+- CMake: store IDN2 information in curl_config.h
+
+ This allows the build to enable IDN properly and it makes test 1014
+ happier.
+
+ Ref: #6074
+ Closes #6108
+
+- CMake: call the feature unixsockets without dash
+
+ ... so that curl-config gets correct and makes test 1014 happy!
+
+ Ref: #6074
+ Closes #6108
+
+- CI/travis: add brotli and zstd to the libssh2 build
+
+ ... to make sure such tests are run with valgrind. Suppress the zstd
+ valgrind warnings we get with version 1.3.3 on Ubuntu 18.04 (for debug
+ and non-debug builds).
+
+ Closes #6105
+
+- runtests: revert the mistaken edit of $CURL
+
+ Regression from c4693adc62
+
+- RELEASE-NOTES: synced
+
+- curl_url_set.3: fix typo in the RETURN VALUE section
+
+ Reported-by: Basuke Suzuki
+ Fixes #6102
+
+Jay Satiro (17 Oct 2020)
+- [Daniel Stenberg brought this change]
+
+ packages/OS400: make the source code-style compliant
+
+ ... and make sure 'make checksrc' in the root dir also verifies the
+ packages/OS400 sources.
+
+ Closes https://github.com/curl/curl/pull/6085
+
+- os400: Sync libcurl API options
+
+ This fixes the OS400 build and also an incorrect entry for
+ CURLINFO_APPCONNECT_TIME_T where it was treated as
+ CURLINFO_STARTTRANSFER_TIME_T.
+
+ Reported-by: Jon Rumsey
+
+ Fixes https://github.com/curl/curl/issues/6083
+ Closes https://github.com/curl/curl/pull/6084
+
+Daniel Stenberg (16 Oct 2020)
+- CURLOPT_NOBODY.3: fix typo
+
+ Reported-by: Basuke Suzuki
+ Fixes #6097
+
+Marc Hoersken (16 Oct 2020)
+- CI/azure: improve on flakiness by avoiding libtool wrappers
+
+ Install curl binaries into MinGW bin folder and use that
+ for the tests in order to avoid libtool wrapper binaries.
+
+ The libtool wrapper binaries (not scripts) on Windows seem
+ to be one of the possible causes for the following issues:
+
+ 1. Process output can be lost in the wrapper process chain.
+ 2. Killing the wrapper process does not kill the actual one.
+
+ Derived from #5904
+ Closes #6049
+
+Daniel Stenberg (16 Oct 2020)
+- CURLOPT_URL.3: clarify SCP/SFTP URLs are for uploads as well
+
+- [Zenju brought this change]
+
+ CURLOPT_TCP_NODELAY.3: fix comment in example code
+
+ Closes #6096
+
+- openssl: acknowledge SRP disabling in configure properly
+
+ Follow-up to 68a513247409
+
+ Use a new separate define that is the combination of both
+ HAVE_OPENSSL_SRP and USE_TLS_SRP: USE_OPENSSL_SRP
+
+ Bug: https://curl.haxx.se/mail/lib-2020-10/0037.html
+
+ Closes #6094
+
+Viktor Szakats (16 Oct 2020)
+- http3: fix two build errors, silence warnings
+
+ * fix two build errors due to mismatch between function
+ declarations and their definitions
+ * silence two mismatched signs warnings via casts
+
+ Approved-by: Daniel Stenberg
+ Closes #6093
+
+- Makefile.m32: add support for HTTP/3 via ngtcp2+nghttp3
+
+ Approved-by: Daniel Stenberg
+ Closes #6092
+
+Daniel Stenberg (16 Oct 2020)
+- tool_operate: fix compiler warning when --libcurl is disabled
+
+ Closes #6095
+
+- checksrc: warn on empty line before open brace
+
+ ... and fix a few occurances
+
+ Closes #6088
+
+- urlapi: URL encode a '+' in the query part
+
+ ... when asked to with CURLU_URLENCODE.
+
+ Extended test 1560 to verify.
+ Reported-by: Dietmar Hauser
+ Fixes #6086
+ Closes #6087
+
+- [Cristian Morales Vega brought this change]
+
+ libcurl.pc: make it relocatable
+
+ It supposes when people specify the libdir/includedir they do it to
+ change where under prefix/exec_prefix it should be, not to make it
+ independent of prefix/exec_prefix.
+
+ Closes #6061
+
+- runtests: return error if no tests ran
+
+ ... and make TESTFAIL stand out a little better by adding newlines
+ before and after.
+
+ Reported-by: Marc Hörsken
+ Issue: #6052
+ Closes #6053
+
+- docs/FEATURE: convert to markdown
+
+ ... and clean it up a bit.
+
+ Closes #6067
+
+- [Philipp Klaus Krause brought this change]
+
+ strerror: use 'const' as the string should never be modified
+
+ Closes #6068
+
+- [Jay Satiro brought this change]
+
+ connect: repair build without ipv6 availability
+
+ Assisted-by: Daniel Stenberg
+ Reported-by: Tom G. Christensen
+
+ Fixes https://github.com/curl/curl/issues/6069
+ Closes https://github.com/curl/curl/pull/6071
+
+- RELEASE-NOTES: synced
+
+ Started over for the journey to next release.
+
+- src/tool_filetime: disable -Wformat on mingw for this file
+
+ With gcc 10 on mingw we otherwise get this warning:
+
+ error: ISO C does not support the 'I' printf flag [-Werror=format=]
+
+ Fixes #6079
+ Closes #6082
+
+- test122[12]: remove these two tests
+
+ ... and remove the objnames scripts they tested. They're not used for
+ anything anymore so testing them serves no purpose!
+
+ Reported-by: Marc Hörsken
+ Fixes #6080
+ Closes #6081
+
+Version 7.73.0 (14 Oct 2020)
+
+Daniel Stenberg (14 Oct 2020)
+- RELEASE-NOTES: synced
+
+ for 7.73.0
+
+- THANKS: from 7.73.0 and .mailmap fixes
+
+- mailmap: fixups of some contributors
+
+- projects/build-wolfssl.bat: fix the copyright year range
+
+Marc Hoersken (14 Oct 2020)
+- [Sergei Nikulov brought this change]
+
+ CI/tests: fix invocation of tests for CMake builds
+
+ Update appveyor.yml to set env variable TFLAGS and run tests
+ Remove curly braces due to CMake error (${TFLAGS} -> $TFLAGS)
+ Move testdeps build to build step (per review comments)
+
+ Reviewed-by: Marc Hörsken
+
+ Closes #6066
+ Fixes #6052
+
+- tests/server/util.c: fix support for Windows Unicode builds
+
+ Detected via #6066
+ Closes #6070
+
+Daniel Stenberg (13 Oct 2020)
+- [Jay Satiro brought this change]
+
+ strerror: Revert to local codepage for Windows error string
+
+ - Change get_winapi_error() to return the error string in the local
+ codepage instead of UTF-8 encoding.
+
+ Two weeks ago bed5f84 fixed get_winapi_error() to work on xbox, but it
+ also changed the error string's encoding from local codepage to UTF-8.
+
+ We return the local codepage version of the error string because if it
+ is output to the user's terminal it will likely be with functions which
+ expect the local codepage (eg fprintf, failf, infof).
+
+ This is essentially a partial revert of bed5f84. The support for xbox
+ remains but the error string is reverted back to local codepage.
+
+ Ref: https://github.com/curl/curl/pull/6005
+
+ Reviewed-by: Marcel Raad
+ Closes #6065
+
+Marc Hoersken (13 Oct 2020)
+- CI/tests: use verification curl for test reporting APIs
+
+ Avoid using our own, potentially installed, curl for
+ the test reporting APIs in case it is broken.
+
+ Reviewed-by: Daniel Stenberg
+
+ Preparation for #6049
+ Closes #6063
+
+Viktor Szakats (12 Oct 2020)
+- windows: fix comparison of mismatched types warning
+
+ clang 10, mingw-w64:
+ ```
+ vtls/openssl.c:2917:33: warning: comparison of integers of different signs: 'DWORD' (aka 'unsigned long') and 'HRESULT' (aka 'long')
+ [-Wsign-compare]
+ if(GetLastError() != CRYPT_E_NOT_FOUND)
+ ~~~~~~~~~~~~~~ ^ ~~~~~~~~~~~~~~~~~
+ ```
+
+ Approved-by: Daniel Stenberg
+ Closes #6062
+
+Daniel Stenberg (11 Oct 2020)
+- [Viktor Szakats brought this change]
+
+ src/Makefile.m32: fix undefined curlx_dyn_* errors
+
+ by linking `lib/dynbuf.c` when building a static curl binary.
+ Previously this source file was only included when building
+ a dynamic curl binary. This was likely possibly because no
+ functions from the `src/Makefile.inc` / `CURLX_CFILES` sources
+ were actually required for a curl tool build. This has
+ recently changed with the introduction of `curlx_dyn_*()`
+ memory functions and their use by the tool sources.
+
+ Closes #6060
+
+- HISTORY: curl verifies SSL certs by default since version 7.10
+
+Marc Hoersken (8 Oct 2020)
+- runtests.pl: use $LIBDIR variable instead of hardcoded path
+
+ Reviewed-by: Daniel Stenberg
+ Closes #6051
+
+Daniel Stenberg (7 Oct 2020)
+- checksrc: detect // comments on column 0
+
+ Spotted while working on #6045
+
+ Closes #6048
+
+- [Frederik Wedel-Heinen brought this change]
+
+ mbedtls: add missing header when defining MBEDTLS_DEBUG
+
+ Closes #6045
+
+- curl: make sure setopt CURLOPT_IPRESOLVE passes on a long
+
+ Previously, it would pass on a define (int) which could make libcurl
+ read junk as a value - which prevented the CURLOPT_IPRESOLVE option to
+ "take". This could then make test 2100 do two DoH requests instead of
+ one!
+
+ Fixes #6042
+ Closes #6043
+
+- RELEASE-NOTES: synced
+
+- scripts/release-notes.pl: don't "embed" $ in format string for printf()
+
+ ... since they might contain %-codes that mess up the output!
+
+Jay Satiro (5 Oct 2020)
+- [M.R.T brought this change]
+
+ build-wolfssl: fix build with Visual Studio 2019
+
+ Closes https://github.com/curl/curl/pull/6033
+
+Daniel Stenberg (4 Oct 2020)
+- runtests: add %repeat[]% for test files
+
+ ... and use this new keywords in all the test files larger than 50K to reduce
+ their sizes and make them a lot easier to read and understand.
+
+ Closes #6040
+
+- [Emil Engler brought this change]
+
+ --help: move two options from the misc category
+
+ The cmdline opts delegation and suppress-connect-headers
+ fit better into auth and proxy rather than misc.
+
+ Follow-up to aa8777f63febc
+ Closes #6038
+
+- [Samanta Navarro brought this change]
+
+ docs/opts: fix typos in two manual pages
+
+ Closes #6039
+
+- ldap: reduce the amount of #ifdefs needed
+
+ Closes #6035
+
+- runtests: provide curl's version string as %VERSION for tests
+
+ ... so that we can check HTTP requests for User-Agent: curl/%VERSION
+
+ Update 600+ test cases accordingly.
+
+ Closes #6037
+
+- checksrc: warn on space after exclamation mark
+
+ Closes #6034
+
+- test1465: verify --libcurl with binary POST data
+
+- runtests: allow generating a binary sequence from hex
+
+- tool_setopt: escape binary data to hex, not octal
+
+- curl: make --libcurl show binary posts correctly
+
+ Reported-by: Stephan Mühlstrasser
+ Fixes #6031
+ Closes #6032
+
+Jay Satiro (1 Oct 2020)
+- strerror: fix null deref on winapi out-of-memory
+
+ Follow-up to bed5f84 from several days ago.
+
+ Ref: https://github.com/curl/curl/pull/6005
+
+Daniel Stenberg (1 Oct 2020)
+- [Kamil Dudka brought this change]
+
+ vtls: deduplicate some DISABLE_PROXY ifdefs
+
+ ... in the code of gtls, nss, and openssl
+
+ Closes #5735
+
+- RELEASE-NOTES: synced
+
+- [Emil Engler brought this change]
+
+ TODO: Add OpenBSD libtool notice
+
+ See #5862
+ Closes #6030
+
+- tests/unit/README: convert to markdown
+
+ ... and add to dist!
+
+ Closes #6028
+
+- tests/README: convert to markdown
+
+ Closes #6028
+
+- include/README: convert to markdown
+
+ Closes #6028
+
+- examples/README: convert to markdown
+
+ Closes #6028
+
+- configure: don't say HTTPS-proxy is enabled when disabled!
+
+ Reported-by: Kamil Dudka
+ Reviewed-by: Kamil Dudka
+ Bug: https://github.com/curl/curl/pull/5735#issuecomment-701376388
+ Closes #6029
+
+Daniel Gustafsson (30 Sep 2020)
+- src: Consistently spell whitespace without whitespace
+
+ Whitespace is spelled without a space between white and space, so
+ make sure to consistently spell it that way across the codebase.
+
+ Closes #6023
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+ Reviewed-by: Emil Engler <me@emilengler.com>
+
+- MANUAL: update examples to resolve without redirects
+
+ www.netscape.com is redirecting to a cookie consent form on Aol, and
+ cool.haxx.se isn't responding to FTP anymore. Replace with examples
+ that resolves in case users try out the commands when reading the
+ manual.
+
+ Closes #6024
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+ Reviewed-by: Emil Engler <me@emilengler.com>
+
+Daniel Stenberg (30 Sep 2020)
+- HISTORY: add some 2020 events
+
+- sectransp: make it build with --disable-proxy
+
+ Follow-up from #5466 and f3d501dc678d80
+ Reported-by: Javier Navarro
+ Fixes #6025
+ Closes #6026
+
+- ECH: renamed from ESNI in docs and configure
+
+ Encrypted Client Hello (ECH) is the current name.
+
+ Closes #6022
+
+- configure: use "no" instead of "disabled" for the end summary
+
+ ... for consistency but also to make them more distinctly stand out next
+ to the "enabled" lines.
+
+- TODO: SSH over HTTPS proxy with more backends
+
+ ... as right now only the libssh2 backend supports it.
+
+- libssh2: handle the SSH protocols done over HTTPS proxy
+
+ Reported-by: Robin Douine
+ Fixes #4295
+ Closes #6021
+
+- [Emil Engler brought this change]
+
+ memdebug: remove 9 year old unused debug function
+
+ There used to be a way to have memdebug fill allocated memory. 9 years
+ later this has no value there (valgrind and ASAN etc are way better). If
+ people need to know about it they can have a look at VCS logs.
+
+ Closes #5973
+
+- sendf: move Curl_sendf to dict.c and make it static
+
+ ... as the only remaining user of that function. Also fix gopher.c to
+ instead use Curl_write()
+
+ Closes #6020
+
+- ROADMAP: updates and cleanups
+
+ Fix the HSTS PR
+
+ Remove DoT, thread-safe init and hard-coded localhost. I feel very
+ little interest for these with users so I downgrade them to plain "TODO"
+ entries again.
+
+- schannel: return CURLE_PEER_FAILED_VERIFICATION for untrusted root
+
+ This matches what is returned in other TLS backends in the same
+ situation.
+
+ Reviewed-by: Jay Satiro
+ Reviewed-by: Emil Engler
+ Follow-up to 5a3efb1
+ Reported-by: iammrtau on github
+ Fixes #6003
+ Closes #6018
+
+- RELEASE-NOTES: synced
+
+- ftp: make a 552 response return CURLE_REMOTE_DISK_FULL
+
+ Added test 348 to verify. Added a 'STOR' command to the test FTP
+ server to enable test 348. Documented the command in FILEFORMAT.md
+
+ Reported-by: Duncan Wilcox
+ Fixes #6016
+ Closes #6017
+
+- pause: only trigger a reread if the unpause sticks
+
+ As an unpause might itself get paused again and then triggering another
+ reread doesn't help.
+
+ Follow-up from e040146f22608fd9 (shipped since 7.69.1)
+
+ Bug: https://curl.haxx.se/mail/lib-2020-09/0081.html
+ Patch-by: Kunal Chandarana
+ Fixes #5988
+ Closes #6013
+
+- test163[12]: require http to be built-in to run
+
+ ... as speaking over an HTTPS proxy implies http!
+
+ Closes #6014
+
+- ngtcp2: adapt to new NGTCP2_PROTO_VER_MAX define
+
+ Closes #6012
+
+- [Javier Blazquez brought this change]
+
+ strerror: honor Unicode API choice on Windows
+
+ Closes #6005
+
+- imap: make imap_send use dynbuf for the send buffer management
+
+ Reuses the buffer and thereby reduces number of mallocs over a transfer.
+
+ Closes #6010
+
+- Curl_send: return error when pre_receive_plain can't malloc
+
+ ... will probably trigger some false DEAD CODE positives on non-windows
+ code analyzers for the conditional code.
+
+ Closes #6011
+
+- ftp: separate FTPS from FTP over "HTTPS proxy"
+
+ When using HTTPS proxy, SSL is used but not in the view of the FTP
+ protocol handler itself so separate the connection's use of SSL from the
+ FTP control connection's sue.
+
+ Reported-by: Mingtao Yang
+ Fixes #5523
+ Closes #6006
+
+Dan Fandrich (23 Sep 2020)
+- tests/data: Fix some mismatched XML tags in test cases
+
+ This allows these test files to pass xmllint.
+
+Daniel Stenberg (23 Sep 2020)
+- pingpong: use a dynbuf for the *_pp_sendf() function
+
+ ... reuses the same dynamic buffer instead of doing repeated malloc/free
+ cycles.
+
+ Test case 100 (FTP dir list PASV) does 7 fewer memory allocation calls
+ after this change in my test setup (132 => 125), curl 7.72.0 needed 140
+ calls for this.
+
+ Test case 103 makes 9 less allocations now (130). Down from 149 in
+ 7.72.0.
+
+ Closes #6004
+
+- dynbuf: add Curl_dyn_vaddf
+
+ Closes #6004
+
+- dynbuf: make *addf() not require extra mallocs
+
+ ... by introducing a printf() function that appends directly into a
+ dynbuf: Curl_dyn_vprintf(). This avoids the mandatory extra malloc so if
+ the buffer is already big enough it can just printf directly into it.
+
+ Since this less-malloc version requires tthe use of a library internal
+ printf function, we only provide this version when building libcurl and
+ not for the dynbuf code that is used when building the curl tool.
+
+ Closes #5998
+
+- KNOWN_BUGS: Unable to use PKCS12 certificate with Secure Transport
+
+ Closes #5403
+
+- pingpong: remove a malloc per Curl_pp_vsendf call
+
+ This typically makes 7-9 fewer mallocs per FTP transfer.
+
+ Closes #5997
+
+- symbian: drop support
+
+ The OS is deprecated. I see no traces of anyone having actually built
+ curl for Symbian after 2012.
+
+ The public headers are unmodified.
+
+ Closes #5989
+
+- RELEASE-NOTES: synced
+
+- curl_krb5.h: rename from krb5.h
+
+ Follow-up from f4873ebd0be32cf
+
+ Turns out some older openssl installations go bananas otherwise.
+ Reported-by: Tom van der Woerdt
+ Fixes #5995
+ Closes #5996
+
+- test1297: verify GOT_NOTHING with http proxy tunnel
+
+- http_proxy: do not count proxy headers in the header bytecount
+
+ ... as that counter is subsequently used to detect if nothing was
+ returned from the peer. This made curl return CURLE_OK when it should
+ have returned CURLE_GOT_NOTHING.
+
+ Fixes #5992
+ Reported-by: Tom van der Woerdt
+ Closes #5994
+
+- setopt: return CURLE_BAD_FUNCTION_ARGUMENT on bad argument
+
+ Fixed two return code mixups. CURLE_UNKNOWN_OPTION is saved for when the
+ option is, yeah, not known. Clarified this in the setopt man page too.
+
+ Closes #5993
+
+- krb5: merged security.c and krb specific FTP functions in here
+
+ These two files were always tightly connected and it was hard to
+ understand what went into which. This also allows us to make the
+ ftpsend() function static (moved from ftp.c).
+
+ Removed security.c
+ Renamed curl_sec.h to krb5.h
+
+ Closes #5987
+
+- Curl_handler: add 'family' to each protocol
+
+ Makes get_protocol_family() faster and it moves the knowledge about the
+ "families" to each protocol handler, where it belongs.
+
+ Closes #5986
+
+- parsedate: tune the date to epoch conversion
+
+ By avoiding an unnecessary error check and the temp use of the tm
+ struct, the time2epoch conversion function gets a little bit faster.
+ When repeating test 517, the updated version is perhaps 1% faster (on
+ one particular build on one particular architecture).
+
+ Closes #5985
+
+- cmake: remove scary warning
+
+ Remove the text saying
+
+ "the curl cmake build system is poorly maintained. Be aware"
+
+ ... not because anything changed just now, but to encourage users to use
+ it and subsequently improve it.
+
+ Closes #5984
+
+- docs/MQTT: remove outdated paaragraphs
+
+- docs/MQTT: not experimental anymore
+
+ Follow-up to e37e4468688d8f
+
+- docs/RESOURCES: remove
+
+ This document is not maintained and rather than trying to refresh it,
+ let's kill it. A more up-to-date document with relevant RFCs is this
+ page on the curl website: https://curl.haxx.se/rfc/
+
+ Closes #5980
+
+- docs/TheArtOfHttpScripting: convert to markdown
+
+ Makes it easier to browse on github etc. Offers (better) links.
+
+ It should be noted that this document is already mostly outdated and
+ "Everything curl" at https://ec.haxx.se/ is a better resource and
+ tutorial.
+
+ Closes #5981
+
+- BUGS: convert document to markdown
+
+ Closes #5979
+
+- --help: strdup the category
+
+ ... since it is converted and the original pointer is freed on Windows
+ unicode handling.
+
+ Follow-up to aa8777f63febc
+ Fixes #5977
+ Closes #5978
+ Reported-by: xwxbug on github
+
+- CHECKSRC: document two missing warnings
+
+- RELEASE-NOTES: synced
+
+- ftp: avoid risk of reading uninitialized integers
+
+ If the received PASV response doesn't match the expected pattern, we
+ could end up reading uninitialized integers for IP address and port
+ number.
+
+ Issue pointed out by muse.dev
+ Closes #5972
+
+- [Quentin Balland brought this change]
+
+ easy_reset: clear retry counter
+
+ Closes #5975
+ Fixes #5974
+
+- ftp: get rid of the PPSENDF macro
+
+ The use of such a macro hides some of what's actually going on to the
+ reader and is generally disapproved of in the project.
+
+ Closes #5971
+
+- man pages: switch to https://example.com URLs
+
+ Since HTTPS is "the new normal", this update changes a lot of man page
+ examples to use https://example.com instead of the previous "http://..."
+
+ Closes #5969
+
+- github: remove the duplicate "Security vulnerability" entry
+
+ ... since github adds an entry automatically by itself.
+
+ Closes #5970
+
+- [Emil Engler brought this change]
+
+ github: use new issue template feature
+
+ This helps us to avoid getting feature requests as well as security
+ bugs reported into the issue tracker.
+
+ Closes #5936
+
+- [Emil Engler brought this change]
+
+ urlapi: use more Curl_safefree
+
+ Closes #5968
+
+Marc Hoersken (17 Sep 2020)
+- multi: align WinSock mask variables in Curl_multi_wait
+
+ Also skip pre-checking sockets to set timeout_ms to 0
+ after the first socket has been detected to be ready.
+
+ Reviewed-by: rcombs on github
+ Reviewed-by: Daniel Stenberg
+
+ Follow up to #5886
+
+- multi: reuse WinSock events variable in Curl_multi_wait
+
+ Since the struct is quite large (1 long and 10 ints) we
+ declare it once at the beginning of the function instead
+ of multiple times inside loops to avoid stack movements.
+
+ Reviewed-by: Viktor Szakats
+ Reviewed-by: Daniel Stenberg
+
+ Closes #5886
+
+Daniel Stenberg (16 Sep 2020)
+- TODO: dynamically decide to use socketpair
+
+ Suggested-by: Anders Bakken
+
+ Closes #4829
+
+- TODO: add PR reference for native IDN support on macOS
+
+ As there was work started on this that never got completed.
+
+ Closes #5371
+
+- tool_help.h: update copyright year range
+
+ Follow-up from aa8777f63febca
+
+- CI/azure: disable test 571 in the msys2 builds
+
+ It's just too flaky there
+
+ Reviewed-by: Marc Hoersken
+ Closes #5954
+
+- tool_writeout: protect fputs() from NULL
+
+ When the code was changed to do fputs() instead of fprintf() it got
+ sensitive for NULL pointers; add checks for that.
+
+ Follow-up from 0c1e767e83ec66
+
+ Closes #5963
+
+- test3015: verify stdout "as text"
+
+ Follow-up from 0c1e767e83e to please win32 tests
+
+ Closes #5962
+
+- travis: use libressl v3.1.4 instead of master
+
+ ... as their git master seems too fragile to use (and 3.2.1 which is the
+ latest has a build failure).
+
+ Closes #5964
+
+- tests/FILEFORMAT: document type=shell for <command>
+
+- tests/FILEFORMAT: document nonewline support for <file>
+
+ The one in <client>, that creates files.
+
+ Follow-up from b83947c8df7
+
+- [anio brought this change]
+
+ tool_writeout: add new writeout variable, %{num_headers}
+
+ This variable gives the number of headers.
+
+ Closes #5947
+
+- tool_urlglob: fix compiler warning "unreachable code"
+
+ (On Windows builds.)
+
+ Follow-up to 70a3b003d9
+
+- [Gergely Nagy brought this change]
+
+ vtls: deduplicate client certificates in ssl_config_data
+
+ Closes #5629
+
+- ftp: a 550 response to SIZE returns CURLE_REMOTE_FILE_NOT_FOUND
+
+ This is primarily interesting for cases where CURLOPT_NOBODY is set as
+ previously curl would not return an error for this case.
+
+ MDTM getting 550 now also returns this error (it returned
+ CURLE_FTP_COULDNT_RETR_FILE before) in order to unify return codes for
+ missing files across protocols and specific FTP commands.
+
+ libcurl already returns error on a 550 as a MDTM response (when
+ CURLOPT_FILETIME is set). If CURLOPT_NOBODY is not set, an error would
+ happen subsequently anyway since the RETR command would fail.
+
+ Add test 1913 and 1914 to verify. Updated several tests accordingly due
+ to the updated SIZE behavior.
+
+ Reported-by: Tomas Berger
+ Fixes #5953
+ Closes #5957
+
+- curl: make checkpasswd use dynbuf
+
+ Closes #5952
+
+- curl: make glob_match_url use dynbuf
+
+ Closes #5952
+
+- curl: make file2memory use dynbuf
+
+ Closes #5952
+
+- curl: make file2string use dynbuf
+
+ Closes #5952
+
+- [Antarpreet Singh brought this change]
+
+ imap: set cselect_bits to CURL_CSELECT_IN initially
+
+ ... when continuing a transfer from a FETCH response.
+
+ When the size of the file was small enough that the entirety of the
+ transfer happens in a single go and schannel buffers holds the entire
+ data. However, it wasn't completely read in Curl_pp_readresp since a
+ line break was found before that could happen. So, by the time we are in
+ imap_state_fetch_resp - there's data in buffers that needs to be read
+ via Curl_read but nothing to read from the socket. After we setup a
+ transfer (Curl_setup_transfer), curl just waits on the socket state to
+ change - which doesn't happen since no new data ever comes.
+
+ Closes #5961
+
+- RELEASE-NOTES: synced
+
+- test434: test -K use in a single line without newline
+
+ Closes #5946
+
+- runtests: allow creating files without newlines
+
+ Closes #5946
+
+- curl: use curlx_dynbuf for realloc when loading config files
+
+ ... fixes an integer overflow at the same time.
+
+ Reported-by: ihsinme on github
+ Assisted-by: Jay Satiro
+
+ Closes #5946
+
+- dynbuf: provide curlx_ names for reuse by the curl tool
+
+ Closes #5946
+
+- dynbuf: make sure Curl_dyn_tail() zero terminates
+
+ Closes #5959
+
+- tests: add test1912 to the dist
+
+ Follow-up to 70984ce1be4cab6c
+
+- docs/LICENSE-MIXING: remove
+
+ This document is not maintained and I feel that it doesn't provide much
+ value to users anymore (if it ever did).
+
+ Closes #5955
+
+- [Laramie Leavitt brought this change]
+
+ http: consolidate nghttp2_session_mem_recv() call paths
+
+ Previously there were several locations that called
+ nghttp2_session_mem_recv and handled responses slightly differently.
+ Those have been converted to call the existing
+ h2_process_pending_input() function.
+
+ Moved the end-of-session check to h2_process_pending_input() since the
+ only place the end-of-session state can change is after nghttp2
+ processes additional input frames.
+
+ This will likely fix the fuzzing error. While I don't have a root cause
+ the out-of-bounds read seems like a use after free, so moving the
+ nghttp2_session_check_request_allowed() call to a location with a
+ guaranteed nghttp2 session seems reasonable.
+
+ Also updated a few nghttp2 callsites to include error messages and added
+ a few additional error checks.
+
+ Closes #5648
+
+- HISTORY: mention alt-svc added in 2019
+
+ ... and make 1996 the first year subtitle
+
+- base64: also build for pop3 and imap
+
+ Follow-up to the fix in 20417a13fb8f83
+
+ Reported-by: Michael Olbrich
+ Fixes #5937
+ Closes #5948
+
+- base64: enable in build with SMTP
+
+ The oauth2 support is used with SMTP and it uses base64 functions.
+
+ Reported-by: Michael Olbrich
+ Fixes #5937
+ Closes #5938
+
+- curl_mime_headers.3: fix the example's use of curl_slist_append
+
+ Reported-by: sofaboss on github
+ Fixes #5942
+ Closes #5943
+
+- lib583: fix enum mixup
+
+ grrr the previous follow-up to 17fcdf6a31 was wrong
+
+- libtest: fix build errors
+
+ Follow-up from 17fcdf6a310d4c8076
+
+- lib: fix -Wassign-enum warnings
+
+ configure --enable-debug now enables -Wassign-enum with clang,
+ identifying several enum "abuses" also fixed.
+
+ Reported-by: Gisle Vanem
+ Bug: https://github.com/curl/curl/commit/879007f8118771f4896334731aaca5850a154675#commitcomment-42087553
+
+ Closes #5929
+
+- RELEASE-NOTES: synced
+
+- [Diven Qi brought this change]
+
+ url: use blank credentials when using proxy w/o username and password
+
+ Fixes proxy regression brought in commit ad829b21ae (7.71.0)
+
+ Fixed #5911
+ Closes #5914
+
+- travis: add a build using libressl (from git master)
+
+ The v3.2.1 tag (latest release atm) results in a broken build.
+
+ Closes #5932
+
+- configure: let --enable-debug set -Wenum-conversion with gcc >= 10
+
+ Unfortunately, this option is not detecting the same issues as clang's
+ -Wassign-enum flag, but should still be useful to detect future
+ mistakes.
+
+ Closes #5930
+
+- openssl: consider ALERT_CERTIFICATE_EXPIRED a failed verification
+
+ If the error reason from the lib is
+ SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED, libcurl will return
+ CURLE_PEER_FAILED_VERIFICATION and not CURLE_SSL_CONNECT_ERROR.
+
+ This unifies the libcurl return code and makes libressl run test 313
+ (CRL testing) fine.
+
+ Closes #5934
+
+- FAQ: refreshed some very old language
+
+- cmake: make HTTP_ONLY also disable MQTT
+
+ ... and alphasort the order of disabling protocols to make it easier to
+ browse.
+
+ Closes #5931
+
+- libtest: remove lib1541 leftovers
+
+ Caused automake errors.
+
+ Follow-up to 8ca54a03ea08a
+
+- tests/libtests: remove test 1900 and 2033
+
+ We already remove the test files, now remove the libtest codes as well.
+
+ Follow-up to e50a877df74
+
+Marc Hoersken (7 Sep 2020)
+- CI/azure: add test number to title for display in analytics
+
+ To ease identification of tests the test number is added to
+ the test case title in order to have it on the Azure DevOps
+ Analytics pages and reports which currently do not show it.
+
+ Bump test case revision to make Azure DevOps update titles.
+
+ Closes #5927
+
+Daniel Stenberg (6 Sep 2020)
+- altsvc: clone setting in curl_easy_duphandle
+
+ The cache content is not duplicated, like other caches, but the setting
+ and specified file name are.
+
+ Test 1908 is extended to verify this somewhat. Since the duplicated
+ handle gets the same file name, the test unfortunately overwrites the
+ same file twice (with different contents) which makes it hard to check
+ automatically.
+
+ Closes #5923
+
+- test1541: remove since it is a known bug
+
+ A shared connection cache is not thread-safe is a known issue. Stop
+ testing this until we believe this issue is addressed. Reduces
+ occasional test failures we don't care about.
+
+ The test code in lib1541.c is left in git to allow us to restore it when
+ we get to fix this.
+
+ Closes #5922
+
+- tests: remove pipelining tests
+
+ Remove the tests 530, 584, 1900, 1901, 1902, 1903 and 2033. They were
+ previously disabled.
+
+ The Pipelining code was removed from curl in commit 2f44e94efb3df8e,
+ April 2019.
+
+ Closes #5921
+
+- curl: retry delays in parallel mode no longer sleeps blocking
+
+ The previous sleep for retries would block all other concurrent
+ transfers. Starting now, the retry will instead be properly marked to
+ not get restarted until after the delay time but other transfers can
+ still continue in the mean time.
+
+ Closes #5917
+
+- curl:parallel_transfers: make sure retry readds the transfer
+
+ Reported-by: htasta on github
+ Fixes #5905
+ Closes #5917
+
+- build: drop support for building with Watcom
+
+ These files are not maintained, they seem to have no users, Watcom
+ compilers look like not having users nor releases anymore.
+
+ Closes #5918
+
+- winbuild/rundebug.cmd: remove
+
+ Seems to have been added by mistake? Not included in dists.
+
+ Closes #5919
+
+- curl: in retry output don't call all problems "transient"
+
+ ... because when --retry-all-errors is used, the error isn't necessarily
+ transient at all.
+
+ Closes #5916
+
+- easygetopt: pass a valid enum to avoid compiler warning
+
+ "integer constant not in range of enumerated type 'CURLoption'"
+
+ Reported-by: Gisle Vanem
+ Bug: https://github.com/curl/curl/commit/6ebe63fac23f38df911edc348e8ccc72280f9434#commitcomment-42042843
+
+ Closes #5915
+
+- [Emil Engler brought this change]
+
+ tests: Add tests for new --help
+
+ This commit is a part of "--help me if you can"
+
+ Closes #5680
+
+- [Emil Engler brought this change]
+
+ tool: update --help with categories
+
+ This commit is a part of "--help me if you can"
+
+ Closes #5680
+
+- [Emil Engler brought this change]
+
+ docs: add categories to all cmdline opts
+
+ Adapted gen.pl with 'listcats'
+
+ This commit is a part of "--help me if you can"
+
+ Closes #5680
+
+- RELEASE-NOTES: synced
+
+- [ihsinme brought this change]
+
+ connect.c: remove superfluous 'else' in Curl_getconnectinfo
+
+ Closes #5912
+
+- [Samuel Marks brought this change]
+
+ CMake: remove explicit `CMAKE_ANSI_CFLAGS`
+
+ This variable was removed from cmake in commit
+ https://gitlab.kitware.com/cmake/cmake/commit/5a834b0bb0bc288. A later
+ CMake commit removes the variable from the tests, claiming that it was
+ removed in CMake 2.6
+
+ Reviewed-By: Peter Wu
+ Closes #5439
+
+- [cbe brought this change]
+
+ libssh2: pass on the error from ssh_force_knownhost_key_type
+
+ Closes #5909
+
+- scripts/delta: add diffstat summary
+
+ ... and make output more table-like
+
+- [Martin Bašti brought this change]
+
+ http_proxy: do not crash with HTTPS_PROXY and NO_PROXY set
+
+ ... in case NO_PROXY takes an effect
+
+ Without this patch, the following command crashes:
+
+ $ GIT_CURL_VERBOSE=1 NO_PROXY=github.com HTTPS_PROXY=https://example.com \
+ git clone https://github.com/curl/curl.git
+
+ Minimal libcurl-based reproducer:
+
+ #include <curl/curl.h>
+
+ int main() {
+ CURL *curl = curl_easy_init();
+ if(curl) {
+ CURLcode ret;
+ curl_easy_setopt(curl, CURLOPT_URL, "https://github.com/");
+ curl_easy_setopt(curl, CURLOPT_PROXY, "example.com");
+ /* set the proxy type */
+ curl_easy_setopt(curl, CURLOPT_PROXYTYPE, CURLPROXY_HTTPS);
+ curl_easy_setopt(curl, CURLOPT_NOPROXY, "github.com");
+ curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
+ ret = curl_easy_perform(curl);
+ curl_easy_cleanup(curl);
+ return ret;
+ }
+ return -1;
+ }
+
+ Assisted-by: Kamil Dudka
+ Bug: https://bugzilla.redhat.com/1873327
+ Closes #5902
+
+- travis: add a CI job with openssl3 (from git master)
+
+ Closes #5908
+
+- openssl: avoid error conditions when importing native CA
+
+ The code section that is OpenSSL 3+ specific now uses the same logic as
+ is used in the version < 3 section. It caused a compiler error without
+ it.
+
+ Closes #5907
+
+- setopt: avoid curl_ on local variable
+
+ Closes #5906
+
+- mqtt.c: avoid curl_ prefix on local variable
+
+ Closes #5906
+
+- wildcard: strip "curl_" prefix from private symbols
+
+ Closes #5906
+
+- vtls: make it 'struct Curl_ssl_session'
+
+ Use uppercase C for internal symbols.
+
+ Closes #5906
+
+- curl_threads: make it 'struct Curl_actual_call'
+
+ Internal names should not be prefixed "curl_"
+
+ Closes #5906
+
+- schannel: make it 'struct Curl_schannel*'
+
+ As internal global names should use captical C.
+
+ Closes #5906
+
+- hash: make it 'struct Curl_hash'
+
+ As internal global names should use captical C.
+
+ Closes #5906
+
+- llist: make it "struct Curl_llist"
+
+ As internal global names should use captical C.
+
+ Closes #5906
+
+Marc Hoersken (2 Sep 2020)
+- telnet.c: depend on static requirement of WinSock version 2
+
+ Drop dynamic loading of ws2_32.dll and instead rely on the
+ imported version which is now required to be at least 2.2.
+
+ Reviewed-by: Marcel Raad
+ Reviewed-by: Jay Satiro
+ Reviewed-by: Daniel Stenberg
+ Reviewed-by: Viktor Szakats
+
+ Closes #5854
+
+- win32: drop support for WinSock version 1, require version 2
+
+ IPv6, telnet and now also the multi API require WinSock
+ version 2 which is available starting with Windows 95.
+
+ Therefore we think it is time to drop support for version 1.
+
+ Reviewed-by: Marcel Raad
+ Reviewed-by: Jay Satiro
+ Reviewed-by: Daniel Stenberg
+ Reviewed-by: Viktor Szakats
+
+ Follow up to #5634
+ Closes #5854
+
+- select: align poll emulation to return all relevant events
+
+ The poll emulation via select already consumes POLLRDNORM,
+ POLLWRNORM and POLLRDBAND as input events. Therefore it
+ should also return them as output events if signaled.
+
+ Also fix indentation in input event handling block.
+
+ Assisted-by: Jay Satiro
+ Reviewed-by: Daniel Stenberg
+
+ Replaces #5852
+ Closes #5883
+
+- CI/azure: MQTT is now enabled by default
+
+ Reviewed-by: Daniel Stenberg
+
+ Follow up to #5858
+ Closes #5903
+
+Daniel Stenberg (2 Sep 2020)
+- copyright.pl: ignore buildconf
+
+- test971: show test mismatches "inline"
+
+- lib/Makefile.am: bump VERSIONINFO due to new functions
+
+ ... we're generally bad at this, but we are adding new functions for
+ this release.
+
+ Closes #5899
+
+- optiontable: use DEBUGBUILD
+
+ Follow-up to commit 6e18568ba38 (#5877)
+
+- cmdline-opts/gen.pl: generate nicer "See Also" in curl.1
+
+ If there are more than two items in the list, use commas for all but the
+ last separator which is set to 'and'. Reads better.
+
+ Closes #5898
+
+- curl.1: add see also no-progress-meter on two spots
+
+ Ref: #5894
+
+ Closes #5897
+
+- RELEASE-NOTES: synced
+
+- mqtt: enable by default
+
+ No longer considered experimental.
+
+ Closes #5858
+
+- [Michael Baentsch brought this change]
+
+ tls: add CURLOPT_SSL_EC_CURVES and --curves
+
+ Closes #5892
+
+- url: remove funny embedded comments in Curl_disonnect calls
+
+- [Chris Paulson-Ellis brought this change]
+
+ conn: check for connection being dead before reuse
+
+ Prevents incorrect reuse of an HTTP connection that has been prematurely
+ shutdown() by the server.
+
+ Partial revert of 755083d00deb16
+
+ Fixes #5884
+ Closes #5893
+
+Marc Hoersken (29 Aug 2020)
+- buildconf: exec autoreconf to avoid additional process
+
+ Also make buildconf exit with the return code of autoreconf.
+
+ Reviewed-by: Daniel Stenberg
+
+ Follow up to #5853
+ Closes #5890
+
+- CI/azure: no longer ignore results of test 1013
+
+ Follow up to #5771
+ Closes #5889
+
+- docs: add description about CI platforms to CONTRIBUTE.md
+
+ Reviewed-by: Daniel Stenberg
+ Reviewed-by: Marcel Raad
+ Reviewed-by: Jay Satiro
+
+ Closes #5882
+
+Daniel Stenberg (29 Aug 2020)
+- tests/getpart: use MIME::Base64 instead of home-cooked
+
+ Since we already use the base64 package since a while back, we can just
+ as well switch to that here too.
+
+ It also happens to use the exact same function name, which otherwise
+ causes a run-time warning.
+
+ Reported-by: Marc Hörsken
+ Fixes #5885
+ Closes #5887
+
+Marcel Raad (29 Aug 2020)
+- ntlm: fix condition for curl_ntlm_core usage
+
+ `USE_WINDOWS_SSPI` without `USE_WIN32_CRYPTO` but with any other DES
+ backend is fine, but was excluded before.
+
+ This also fixes test 1013 as the condition for SMB support in
+ configure.ac didn't match the condition in the source code. Now it
+ does.
+
+ Fixes https://github.com/curl/curl/issues/1262
+ Closes https://github.com/curl/curl/pull/5771
+
+- AppVeyor: switch 64-bit Schannel Debug CMake builds to Unicode
+
+ The Schannel builds are the most useful to verify as they make the most
+ use of the Windows API. Classic MinGW doesn't support Unicode at all,
+ only MinGW-w64 and MSVC do.
+
+ Closes https://github.com/curl/curl/pull/5843
+
+- CMake: add option to enable Unicode on Windows
+
+ As already existing for winbuild.
+
+ Closes https://github.com/curl/curl/pull/5843
+
+Marc Hoersken (29 Aug 2020)
+- select: simplify return code handling for poll and select
+
+ poll and select already return -1 on error according to POSIX,
+ so there is no need to perform a <0 to -1 conversion in code.
+
+ Also we can just use one check with <= 0 on the return code.
+
+ Assisted-by: Daniel Stenberg
+ Reviewed-by: Jay Satiro
+
+ Replaces #5852
+ Closes #5880
+
+Daniel Stenberg (28 Aug 2020)
+- RELEASE-NOTES: synced
+
+- [Jeroen Ooms brought this change]
+
+ tests: add test1912 with typechecks
+
+ Validates that gcc-typecheck macros match the new option type API.
+
+ Closes #5873
+
+- easyoptions: provide debug function when DEBUGBUILD
+
+ ... not CURLDEBUG as they're not always set in conjunction.
+
+ Follow-up to 6ebe63fac23f38df
+
+ Fixes #5877
+ Closes #5878
+
+Marc Hoersken (28 Aug 2020)
+- sockfilt: handle FD_CLOSE winsock event on write socket
+
+ Learn from the way Cygwin handles and maps the WinSock events
+ to simulate correct and complete poll and select behaviour
+ according to Richard W. Stevens Network Programming book.
+
+ Follow up to #5867
+ Closes #5879
+
+- multi: handle connection state winsock events
+
+ Learn from the way Cygwin handles and maps the WinSock events
+ to simulate correct and complete poll and select behaviour
+ according to Richard W. Stevens Network Programming book.
+
+ Reviewed-by: Jay Satiro
+ Reviewed-by: Marcel Raad
+
+ Follow up to #5634
+ Closes #5867
+
+Daniel Stenberg (28 Aug 2020)
+- Curl_pgrsTime - return new time to avoid timeout integer overflow
+
+ Setting a timeout to INT_MAX could cause an immediate error to get
+ returned as timeout because of an overflow when different values of
+ 'now' were used.
+
+ This is primarily fixed by having Curl_pgrsTime() return the "now" when
+ TIMER_STARTSINGLE is set so that the parent function will continue using
+ that time.
+
+ Reported-by: Ionuț-Francisc Oancea
+ Fixes #5583
+ Closes #5847
+
+- TLS: fix SRP detection by using the proper #ifdefs
+
+ USE_TLS_SRP will be true if *any* selected TLS backend can use SRP
+
+ HAVE_OPENSSL_SRP is defined when OpenSSL can use it
+
+ HAVE_GNUTLS_SRP is defined when GnuTLS can use it
+
+ Clarify in the curl_verison_info docs that CURL_VERSION_TLSAUTH_SRP is
+ set if at least one of the supported backends offers SRP.
+
+ Reported-by: Stefan Strogin
+ Fixes #5865
+ Closes #5870
+
+- [Dan Kenigsberg brought this change]
+
+ docs: SSLCERTS: fix English syntax
+
+ Signed-off-by: Dan Kenigsberg <danken@redhat.com>
+
+ Closes #5876
+
+- [Alessandro Ghedini brought this change]
+
+ docs: non-existing macros in man pages
+
+ As reported by man(1) when invoked as:
+
+ man --warnings -E UTF-8 -l -Tutf8 -Z <file> >/dev/null
+
+ Closes #5846
+
+- [Alessandro Ghedini brought this change]
+
+ curl.1: fix typo invokved -> invoked
+
+ Closes #5846
+
+- buildconf: invoke 'autoreconf -fi' instead
+
+ The custom script isn't necessary anymore - but remains for simplicity
+ and just invokes autoreconf.
+
+ Closes #5853
+
+- [Emil Engler brought this change]
+
+ lib: make Curl_gethostname accept a const pointer
+
+ The address of that variable never gets changed, only the data in it so
+ why not make it a "char * const"?
+
+ Closes #5866
+
+- docs/libcurl: update "Added in" version for curl_easy_option*
+
+ Follow-up to 6ebe63fac23f38
+
+- scripts: improve the "get latest curl release tag" logic
+
+ ... by insiting on it matching "^curl-".
+
+- configure: added --disable-get-easy-options
+
+ To allow disabling of the curl_easy_option APIs in a build.
+
+ Closes #5365
+
+- options: API for meta-data about easy options
+
+ const struct curl_easyoption *curl_easy_option_by_name(const char *name);
+
+ const struct curl_easyoption *curl_easy_option_by_id (CURLoption id);
+
+ const struct curl_easyoption *
+ curl_easy_option_next(const struct curl_easyoption *prev);
+
+ The purpose is to provide detailed enough information to allow for
+ example libcurl bindings to get option information at run-time about
+ what easy options that exist and what arguments they expect.
+
+ Assisted-by: Jeroen Ooms
+ Closes #5365
+
+- [Eric Curtin brought this change]
+
+ HTTP/3: update to OpenSSL_1_1_1g-quic-draft-29
+
+ Closes #5871
+
+- RELEASE-NOTES: synced
+
+Jay Satiro (26 Aug 2020)
+- openssl: Fix wincrypt symbols conflict with BoringSSL
+
+ OpenSSL undefines the conflicting symbols but BoringSSL does not so we
+ must do it ourselves.
+
+ Reported-by: Samuel Tranchet
+ Assisted-by: Javier Blazquez
+
+ Ref: https://bugs.chromium.org/p/boringssl/issues/detail?id=371
+ Ref: https://github.com/openssl/openssl/blob/OpenSSL_1_1_1g/include/openssl/ossl_typ.h#L66-L73
+
+ Fixes https://github.com/curl/curl/issues/5669
+ Closes https://github.com/curl/curl/pull/5857
+
+Daniel Stenberg (26 Aug 2020)
+- socketpair: allow CURL_DISABLE_SOCKETPAIR
+
+ ... to completely disable the use of socketpair
+
+ Closes #5850
+
+- curl_get_line: build only if cookies or alt-svc are enabled
+
+ Closes #5851
+
+- [fullincome brought this change]
+
+ schannel: fix memory leak when using get_cert_location
+
+ The get_cert_location function allocates memory only on success.
+ Previously get_cert_location was able to allocate memory and return
+ error. It wasn't obvious and in this case the memory wasn't
+ released.
+
+ Fixes #5855
+ Closes #5860
+
+- [Emil Engler brought this change]
+
+ git: ignore libtests in 3XXX area
+
+ Currently the file tests/libtest/lib3010 is not getting
+ ignored by git. This fixes it by adding the 3XXX area to
+ the according .gitignore file.
+
+ Closes #5859
+
+- [Emil Engler brought this change]
+
+ doh: add error message for DOH_DNS_NAME_TOO_LONG
+
+ When this error code was introduced in b6a53fff6c1d07e8a9, it was
+ forgotten to be added in the errors array and doh_strerror function.
+
+ Closes #5863
+
+- ngtcp2: adapt to the new pkt_info arguments
+
+ Guidance-by: Tatsuhiro Tsujikawa
+
+ Closes #5864
+
+- winbuild/README.md: make <options> visible
+
+ Follow-up to be753add31c2d8c
+
+- winbuild: convert the instruction text to README.md
+
+ Closes #5861
+
+- lib1560: verify "redirect" to double-slash leading URL
+
+ Closes #5849
+
+Marc Hoersken (25 Aug 2020)
+- multi: expand pre-check for socket readiness
+
+ Check readiness of all sockets before waiting on them
+ to avoid locking in case the one-time event FD_WRITE
+ was already consumed by a previous wait operation.
+
+ More information about WinSock network events:
+ https://docs.microsoft.com/en-us/windows/win32/api/
+ winsock2/nf-winsock2-wsaeventselect#return-value
+
+ Closes #5634
+
+- [rcombs brought this change]
+
+ multi: implement wait using winsock events
+
+ This avoids using a pair of TCP ports to provide wakeup functionality
+ for every multi instance on Windows, where socketpair() is emulated
+ using a TCP socket on loopback which could in turn lead to socket
+ resource exhaustion.
+
+ A previous version of this patch failed to account for how in WinSock,
+ FD_WRITE is set only once when writing becomes possible and not again
+ until after a send has failed due to the buffer filling. This contrasts
+ to how FD_READ and FD_OOB continue to be set until the conditions they
+ refer to no longer apply. This meant that if a user wrote some data to
+ a socket, but not enough data to completely fill its send buffer, then
+ waited on that socket to become writable, we'd erroneously stall until
+ their configured timeout rather than returning immediately.
+
+ This version of the patch addresses that issue by checking each socket
+ we're waiting on to become writable with select() before the wait, and
+ zeroing the timeout if it's already writable.
+
+ Assisted-by: Marc Hörsken
+ Reviewed-by: Marcel Raad
+ Reviewed-by: Daniel Stenberg
+ Tested-by: Gergely Nagy
+ Tested-by: Rasmus Melchior Jacobsen
+ Tested-by: Tomas Berger
+
+ Replaces #5397
+ Reverts #5632
+ Closes #5634
+
+- select: reduce duplication of Curl_poll in Curl_socket_check
+
+ Change Curl_socket_check to use select-fallback in Curl_poll
+ instead of implementing it in Curl_socket_check and Curl_poll.
+
+ Reviewed-by: Daniel Stenberg
+ Reviewed-by: Jay Satiro
+
+ Replaces #5262 and #5492
+ Closes #5707
+
+- select: fix poll-based check not detecting connect failure
+
+ This commit changes Curl_socket_check to use POLLPRI to
+ check for connect failure on the write socket, because
+ POLLPRI maps to fds_err. This is in line with select(2).
+
+ The select-based socket check correctly checks for connect
+ failures by adding the write socket also to fds_err.
+
+ The poll-based implementation (which internally can itself
+ fallback to select again) did not previously check for
+ connect failure by using POLLPRI with the write socket.
+
+ See the follow up commit to this for more information.
+
+ This commit makes sure connect failures can be detected
+ and handled if HAVE_POLL_FINE is defined, eg. on msys2-devel.
+
+ Reviewed-by: Daniel Stenberg
+ Reviewed-by: Jay Satiro
+
+ Replaces #5509
+ Prepares #5707
+
+- select.h: make socket validation macros test for INVALID_SOCKET
+
+ With Winsock the valid range is [0..INVALID_SOCKET-1] according to
+ https://docs.microsoft.com/en-us/windows/win32/winsock/socket-data-type-2
+
+ Reviewed-by: Jay Satiro
+ Reviewed-by: Marcel Raad
+ Reviewed-by: Daniel Stenberg
+
+ Closes #5760
+
+Daniel Stenberg (24 Aug 2020)
+- docs: --output-dir is added in 7.73.0, nothing else
+
+ Follow-up to 5620d2cc78c0
+
+- curl: add --output-dir
+
+ Works with --create-dirs and with -J
+
+ Add test 3008, 3009, 3011, 3012 and 3013 to verify.
+
+ Closes #5637
+
+- configure: fix pkg-config detecting wolfssl
+
+ When amending the include path with "/wolfssl", this now properly strips
+ off all whitespace from the path variable! Previously this would lead to
+ pkg-config builds creating bad command lines.
+
+ Closes #5848
+
+- [Michael Musset brought this change]
+
+ sftp: add the option CURLKHSTAT_FINE_REPLACE
+
+ Replace the old fingerprint of the host with a new.
+
+ Closes #5685
+
+- RELEASE-NOTES: synced
+
+ The next release is now to become 7.73.0
+
+- checksrc: verify do-while and spaces between the braces
+
+ Updated mprintf.c to comply
+
+ Closes #5845
+
+- curl: support XDG_CONFIG_HOME to find .curlrc
+
+ Added test433 to verify. Updated documentation.
+
+ Reviewed-by: Jay Satiro
+ Suggested-by: Eli Schwartz
+ Fixes #5829
+ Closes #5837
+
+- etag: save and use the full received contents
+
+ ... which makes it support weak tags and non-standard etags too!
+
+ Added test case 347 to verify blank incoming ETag:
+
+ Fixes #5610
+ Closes #5833
+
+- setopt: if the buffer exists, refuse the new BUFFERSIZE
+
+ The buffer only exists during transfer and then we shouldn't change the
+ size (the setopt is not documented to work then).
+
+ Reported-by: Harry Sintonen
+ Closes #5842
+
+- [COFFEETALES brought this change]
+
+ sftp: add new quote commands 'atime' and 'mtime'
+
+ Closes #5810
+
+- CURLE_PROXY: new error code
+
+ Failures clearly returned from a (SOCKS) proxy now causes this return
+ code. Previously the situation was not very clear as what would be
+ returned and when.
+
+ In addition: when this error code is returned, an application can use
+ CURLINFO_PROXY_ERROR to query libcurl for the detailed error, which then
+ returns a value from the new 'CURLproxycode' enum.
+
+ Closes #5770
+
+- runtests: make cleardir() erase dot files too
+
+ Because test cases might use dot files.
+
+ Closes #5838
+
+- KNOWN_BUGS: 'no_proxy' string-matches IPv6 numerical addreses
+
+ Also: the current behavior is now documented in the curl.1 and
+ CURLOPT_NOPROXY.3 man pages.
+
+ Reported-by: Andrew Barnes
+ Closes #5745
+ Closes #5841
+
+Viktor Szakats (22 Aug 2020)
+- Makefile.m32: add ability to override zstd libs [ci skip]
+
+ Similarly to brotli, where this was already possible.
+ E.g. it allows to link zstd statically to libcurl.dll.
+
+ Ref: https://github.com/curl/curl-for-win/issues/12
+ Ref: https://github.com/curl/curl-for-win/commit/d9b266afd2e5d3f5604483010ef62340b5918c89
+
+ Closes https://github.com/curl/curl/pull/5840
+
+Daniel Stenberg (21 Aug 2020)
+- runtests: avoid 'fail to start' repeated messages in attempt loops
+
+ Closes #5834
+
+- runtests: clear pid variables when failing to start a server
+
+ ... as otherwise the parent doesn't detect the failure and believe it
+ actually worked to start.
+
+ Reported-by: Christian Weisgerber
+ Bug: https://curl.haxx.se/mail/lib-2020-08/0018.html
+ Closes #5834
+
+- TODO: Virtual external sockets
+
+ Closes #5835
+
+- [Don J Olmstead brought this change]
+
+ dist: add missing CMake Find modules to the distribution
+
+ Closes #5836
+
+- RELEASE-NOTES: synced
+
+ ... and version bumped to 7.72.1
+
+- tls: provide the CApath verbose log on its own line
+
+ ... not newline separated from the previous line. This makes it output
+ asterisk prefixed properly like other verbose putput!
+
+ Reported-by: jmdavitt on github
+ Fixes #5826
+ Closes #5827
+
+Version 7.72.0 (19 Aug 2020)
+
+Daniel Stenberg (19 Aug 2020)
+- RELEASE-NOTES: synced
+
+ The curl 7.72.0 release
+
+- THANKS: add names from curl 7.72.0 release
+
+Jay Satiro (18 Aug 2020)
+- KNOWN_BUGS: Schannel TLS 1.2 handshake bug in old Windows versions
+
+ Reported-by: plujon@users.noreply.github.com
+
+ Closes https://github.com/curl/curl/issues/5488
+
+Daniel Stenberg (17 Aug 2020)
+- Curl_easy: remember last connection by id, not by pointer
+
+ CVE-2020-8231
+
+ Bug: https://curl.haxx.se/docs/CVE-2020-8231.html
+
+ Reported-by: Marc Aldorasi
+ Closes #5824
+
+- examples/rtsp.c: correct the copyright year
+
+- RELEASE-PROCEDURE.md: add more future release dates
+
+- [H3RSKO brought this change]
+
+ docs: change "web site" to "website"
+
+ According to wikipedia:
+
+ While "web site" was the original spelling, this variant has become
+ rarely used, and "website" has become the standard spelling
+
+ Closes #5822
+
+- [Bevan Weiss brought this change]
+
+ CMake: don't complain about missing nroff
+
+ The curl_nroff_check() was always being called, and complaining if
+ *NROFF wasn't found, even when not making the manual.
+
+ Only check for nroff (and complain) if actually making the manual
+
+ Closes #5817
+
+- [Brian Inglis brought this change]
+
+ libtest/Makefile.am: add -no-undefined for libstubgss for Cygwin
+
+ copy the LDFLAGS approach for adding same option with `libhostname` in
+ `libtest/Makefile.am`:
+
+ - init `libstubgss_la_LDFLAGS_EXTRA` variable,
+ - add option to variable inside conditional,
+ - use variable in `libstubgss_la_LDFLAGS`
+
+ Fixes #5819
+ Closes #5820
+
+- docs: clarify MAX_SEND/RECV_SPEED functionality
+
+ ... in particular what happens if the maximum speed limit is set to a
+ value that's smaller than the transfer buffer size in use.
+
+ Reported-by: Tomas Berger
+ Fixes #5788
+ Closes #5813
+
+- test1140: compare stdout
+
+ To make problems more immediately obvious when tests fail.
+
+ Closes #5814
+
+- asyn-ares: correct some bad comments
+
+ Closes #5812
+
+- [Emil Engler brought this change]
+
+ docs: Add video link to docs/CONTRIBUTE.md
+
+ Closes #5811
+
+- curl-config: ignore REQUIRE_LIB_DEPS in --libs output
+
+ Fixes a curl-config issue on cygwin by making sure REQUIRE_LIB_DEPS is
+ not considered for the --libs output.
+
+ Reported-by: ramsay-jones on github
+ Assisted-by: Brian Inglis and Ken Brown
+ Fixes #5793
+ Closes #5808
+
+- copyright: update/correct the year range on a few files
+
+- scripts/copyright.pl: ignore .muse files
+
+- [Emil Engler brought this change]
+
+ multi: Remove 10-year old out-commented code
+
+ The code hasn't been touched since 2010-08-18
+
+ Closes #5805
+
+- KNOWN_BUGS: A shared connection cache is not thread-safe
+
+ Closes #4915
+ Closes #5802
+
+- CONTRIBUTE: extend git commit message description
+
+ In particular how the first line works.
+
+ Closes #5803
+
+- RELEASE-NOTES: synced
+
+- [Stefan Yohansson brought this change]
+
+ transfer: move retrycount from connect struct to easy handle
+
+ This flag was applied to the connection struct that is released on
+ retry. These changes move the retry counter into Curl_easy struct that
+ lives across retries and retains the new connection.
+
+ Reported-by: Cherish98 on github
+ Fixes #5794
+ Closes #5800
+
+- libssh2: s/ssherr/sftperr/
+
+ The debug output used ssherr instead of sftperr which not only outputs
+ the wrong error code but also casues a warning on Windows.
+
+ Follow-up to 7370b4e39f1
+
+ Reported-by: Gisle Vanem
+ Bug: https://github.com/curl/curl/commit/7370b4e39f1390e701f5b68d910c619151daf72b#r41334700
+ Closes #5799
+
+- ftp: don't do ssl_shutdown instead of ssl_close
+
+ The shutdown function is for downgrading a connection from TLS to plain,
+ and this is not requested here.
+
+ Have ssl_close reset the TLS connection state.
+
+ This partially reverts commit f002c850d98d
+
+ Reported-by: Rasmus Melchior Jacobsen
+ Reported-by: Denis Goleshchikhin
+ Fixes #5797
+
+Marc Hoersken (9 Aug 2020)
+- CI/azure: fix test outcome values and use latest API version
+
+ This makes sure that tests ignored or skipped are not shown
+ just in the category "Other", but with their correct state.
+
+ Closes #5796
+
+- CI/azure: show runtime stats to investigate slowness
+
+ Also avoid naming conflict of TFLAGS env and tflags variables.
+
+ Closes #5776
+
+Daniel Stenberg (8 Aug 2020)
+- TLS naming: fix more Winssl and Darwinssl leftovers
+
+ The CMake option is now called CMAKE_USE_SCHANNEL
+
+ The winbuild flag is USE_SCHANNEL
+
+ The CI jobs and build scripts only use the new names and the new name
+ options
+
+ Tests now require 'Schannel' (when necessary)
+
+ Closes #5795
+
+- smtp_parse_address: handle blank input string properly
+
+ Closes #5792
+
+- runtests: run the DICT server on a random port number
+
+ Removed support for -b (base port number)
+
+ Closes #5783
+
+- RELEASE-NOTES: synced
+
+- runtests: move the TELNET server to a dynamic port
+
+ Rename the port variable to TELNETPORT to better match the existing
+ pattern.
+
+ Closes #5785
+
+- ngtcp2: adapt to error code rename
+
+ Closes #5786
+
+- runtests: move the smbserver to use a dynamic port number
+
+ Closes #5782
+
+- runtests: run the http2 tests on a random port number
+
+ Closes #5779
+
+- gtls: survive not being able to get name/issuer
+
+ Closes #5778
+
+- runtests: move the gnutls-serv tests to a dynamic port
+
+ Affects test 320, 321, 322 and 324.
+
+ Closes #5778
+
+- runtests: support dynamicly base64 encoded sections in tests
+
+ This allows us to make test cases to use base64 at run-time and still
+ use and verify information determined at run-time, such as the IMAP test
+ server's port number in test 842.
+
+ This change makes 12 tests run again that basically never ran since we
+ moved to dynamic port numbers.
+
+ ftpserver.pl is adjusted to load test instructions and test number from
+ the preprocessed test file.
+
+ FILEFORMAT.md now documents the new base64 encoding syntax.
+
+ Reported-by: Marcel Raad
+ Fixes #5761
+ Closes #5775
+
+- curl.1: add a few missing valid exit codes
+
+ 93 - 96 can be returned as well.
+
+ Closes #5777
+
+- TODO: Use multiple parallel transfers for a single download
+
+ Closes #5774
+
+- TODO: Set the modification date on an uploaded file
+
+ Closes #5768
+
+- [Thomas M. DuBuisson brought this change]
+
+ CI: Add muse CI config
+
+ Closes #5772
+
+- [Thomas M. DuBuisson brought this change]
+
+ travis/script.sh: fix use of `-n' with unquoted envvar
+
+ Shellcheck tells us "-n doesn't work with unquoted arguments. quote or
+ use [[ ]]."
+
+ And testing shows:
+
+ ```
+ docker run --rm -it ubuntu bash
+ root@fe85ce156856:/# [ -n $DOES_NOT_EXIST ] && echo "I ran"
+ I ran
+ root@fe85ce156856:/# [ -n "$DOES_NOT_EXIST" ] && echo "I ran"
+ root@fe85ce156856:/#
+ ```
+
+ Closes #5773
+
+- h2: repair trailer handling
+
+ The previous h2 trailer fix in 54a2b63 was wrong and caused a
+ regression: it cannot deal with trailers immediately when read since
+ they may be read off the connection by the wrong 'data' owner.
+
+ This change reverts the logic back to gathering all trailers into a
+ single buffer, like before 54a2b63.
+
+ Reported-by: Tadej Vengust
+ Fixes #5663
+ Closes #5769
+
+Viktor Szakats (3 Aug 2020)
+- windows: disable Unix Sockets for old mingw
+
+ Classic mingw and 10y+ old versions of mingw-w64 don't ship with
+ Windows headers having the typedef necessary for Unix Sockets
+ support, so try detecting these environments to disable this
+ feature.
+
+ Ref: https://sourceforge.net/p/mingw-w64/mingw-w64/ci/cf6afc57179a5910621215f8f4037d406892072c/
+
+ Reviewed-by: Daniel Stenberg
+
+ Fixes #5674
+ Closes #5758
+
+Marcel Raad (3 Aug 2020)
+- test1908: treat file as text
+
+ Fixes the line endings on Windows.
+
+ Closes https://github.com/curl/curl/pull/5767
+
+- TrackMemory tests: ignore realloc and free in getenv.c
+
+ These are only called for WIN32.
+
+ Closes https://github.com/curl/curl/pull/5767
+
+Daniel Stenberg (3 Aug 2020)
+- tests/FILEFORMAT.md: mention %HTTP2PORT
+
+- RELEASE-NOTES: synced
+
+- tlsv1.3.d. only for TLS-using connections
+
+ ... and rephrase that "not all" TLS backends support it.
+
+ Closes #5764
+
+- tls-max.d: this option is only for TLS-using connections
+
+ Ref: #5763
+ Closes #5764
+
+Marcel Raad (2 Aug 2020)
+- [Cameron Cawley brought this change]
+
+ tool_doswin: Simplify Windows version detection
+
+ Closes https://github.com/curl/curl/pull/5754
+
+- [Cameron Cawley brought this change]
+
+ win32: Add Curl_verify_windows_version() to curlx
+
+ Closes https://github.com/curl/curl/pull/5754
+
+- runtests.pl: treat LibreSSL and BoringSSL as OpenSSL
+
+ This makes the tests that require the OpenSSL feature also run for
+ those two compatible libraries.
+
+ Closes https://github.com/curl/curl/pull/5762
+
+Daniel Stenberg (1 Aug 2020)
+- multi: Condition 'extrawait' is always true
+
+ Reported by Codacy.
+
+ Reviewed-by: Marcel Raad
+ Closes #5759
+
+Marcel Raad (1 Aug 2020)
+- openssl: fix build with LibreSSL < 2.9.1
+
+ `SSL_CTX_add0_chain_cert` and `SSL_CTX_clear_chain_certs` were
+ introduced in LibreSSL 2.9.1 [0].
+
+ [0] https://github.com/libressl-portable/openbsd/commit/0db809ee178457c8170abfae3931d7bd13abf3ef
+
+ Closes https://github.com/curl/curl/pull/5757
+
+Daniel Stenberg (1 Aug 2020)
+- [Marc Aldorasi brought this change]
+
+ multi_remove_handle: close unused connect-only connections
+
+ Previously any connect-only connections in a multi handle would be kept
+ alive until the multi handle was closed. Since these connections cannot
+ be re-used, they can be marked for closure when the associated easy
+ handle is removed from the multi handle.
+
+ Closes #5749
+
+- checksrc: invoke script with -D to find .checksrc proper
+
+ Without the -D command line option, checksrc.pl won't know which
+ directory to load the ".checksrc" file from when building out of the
+ source tree.
+
+ Reported-by: Marcel Raad
+ Fixes #5715
+ Closes #5755
+
+- [Carlo Marcelo Arenas Belón brought this change]
+
+ buildconf: retire ares buildconf invocation
+
+ no longer needed after 4259d2df7dd95637a4b1e3fb174fe5e5aef81069
+
+- [Carlo Marcelo Arenas Belón brought this change]
+
+ buildconf: excempt defunct reference to ACLOCAL_FLAGS
+
+ retired with 09f278121e815028adb24d228d8092fc6cb022aa but kept around as
+ the name is generic enough that it might be in use and relied upon from
+ the environment.
+
+- [Carlo Marcelo Arenas Belón brought this change]
+
+ buildconf: avoid array concatenation in die()
+
+ reported as error SC2145[1] by shellcheck, but not expected to cause
+ any behavioural differences otherwise.
+
+ [1] https://github.com/koalaman/shellcheck/wiki/SC2145
+
+ Closes #5701
+
+- travis: add ppc64le and s390x builds
+
+ Closes #5752
+
+Marc Hoersken (31 Jul 2020)
+- connect: remove redundant message about connect failure
+
+ Reviewed-by: Daniel Stenberg
+
+ Closes #5708
+
+- tests/sshserver.pl: fix compatibility with OpenSSH for Windows
+
+ Follow up to #5721
+
+- CI/azure: install libssh2 for use with msys2-based builds
+
+ This enables building and running the SFTP tests.
+ Unfortunately OpenSSH for Windows does not support SCP (yet).
+
+ Reviewed-by: Daniel Stenberg
+
+ Closes #5721
+
+- CI/azure: increase Windows job timeout once again
+
+ Avoid aborted jobs due to performance issues on Azure DevOps.
+
+ Reviewed-by: Daniel Stenberg
+ Reviewed-by: Jay Satiro
+
+ Closes #5738
+
+Jay Satiro (30 Jul 2020)
+- TODO: Schannel: 'Add option to allow abrupt server closure'
+
+ We should offer an option to allow abrupt server closures (server closes
+ SSL transfer without sending a known termination point such as length of
+ transfer or close_notify alert). Abrupt server closures are usually
+ because of misconfigured or very old servers.
+
+ Closes https://github.com/curl/curl/issues/4427
+
+- url: fix CURLU and location following
+
+ Prior to this change if the user set a URL handle (CURLOPT_CURLU) it was
+ incorrectly used for the location follow, resulting in infinite requests
+ to the original location.
+
+ Reported-by: sspiri@users.noreply.github.com
+
+ Fixes https://github.com/curl/curl/issues/5709
+ Closes https://github.com/curl/curl/pull/5713
+
+Daniel Stenberg (30 Jul 2020)
+- RELEASE-NOTES: synced
+
+- [divinity76 brought this change]
+
+ docs: add date of 7.20 to CURLM_CALL_MULTI_PERFORM mentions
+
+ it helps make it obvious that most developers don't have to care about
+ the CURLM_CALL_MULTI_PERFORM value (last release using it is nearly 11
+ years old, November 4 2009)
+
+ Closes #5744
+
+Jay Satiro (29 Jul 2020)
+- tool_cb_wrt: fix outfile mode flags for Windows
+
+ - Use S_IREAD and S_IWRITE mode permission flags to create the file
+ on Windows instead of S_IRUSR, S_IWUSR, etc.
+
+ Windows only accepts a combination of S_IREAD and S_IWRITE. It does not
+ acknowledge other combinations, for which it may generate an assertion.
+
+ This is a follow-up to 81b4e99 from yesterday, which improved the
+ existing file check with -J.
+
+ Ref: https://docs.microsoft.com/en-us/cpp/c-runtime-library/reference/open-wopen#remarks
+ Ref: https://github.com/curl/curl/pull/5731
+
+ Closes https://github.com/curl/curl/pull/5742
+
+Daniel Stenberg (28 Jul 2020)
+- checksrc: ban gmtime/localtime
+
+ They're not thread-safe so they should not be used in libcurl code.
+
+ Explictly enabled when deemed necessary and in examples and tests
+
+ Reviewed-by: Nicolas Sterchele
+ Closes #5732
+
+- transfer: fix data_pending for builds with both h2 and h3 enabled
+
+ Closes #5734
+
+- curl_multi_setopt: fix compiler warning "result is always false"
+
+ On systems with 32 bit long the expression is always false. Avoid
+ the warning.
+
+ Reported-by: Gisle Vanem
+ Bug: https://github.com/curl/curl/commit/61a08508f6a458fe21bbb18cd2a9bac2f039452b#commitcomment-40941232
+ Closes #5736
+
+- curl: improve the existing file check with -J
+
+ Previously a file that isn't user-readable but is user-writable would
+ not be properly avoided and would get overwritten.
+
+ Reported-by: BrumBrum on hackerone
+ Assisted-by: Jay Satiro
+ Bug: https://hackerone.com/reports/926638
+ Closes #5731
+
+- [Jonathan Nieder brought this change]
+
+ multi: update comment to say easyp list is linear
+
+ Since 09b9fc900 (multi: remove 'Curl_one_easy' struct, phase 1,
+ 2013-08-02), the easy handle list is not circular but ends with
+ ->next pointing to NULL.
+
+ Reported-by: Masaya Suzuki <masayasuzuki@google.com>
+ Closes #5737
+
+- CURLOPT_NOBODY.3: fix the syntax for referring to options
+
+ As test 1140 fails otherwise!
+
+ Follow-up to e1bac81cc815
+
+- ngtcp2: store address in sockaddr_storage
+
+ Reported-by: Tatsuhiro Tsujikawa
+ Closes #5733
+
+- CURLOPT_NOBODY.3: clarify what setting to 0 means
+
+ ... and mention that HTTP with other methods than HEAD might get a body and
+ there's no option available to stop that.
+
+ Closes #5729
+
+- setopt: unset NOBODY switches to GET if still HEAD
+
+ Unsetting CURLOPT_NOBODY with 0L when doing HTTP has no documented
+ action but before 7.71.0 that used to switch back to GET and with this
+ change (assuming the method is still set to HEAD) this behavior is
+ brought back.
+
+ Reported-by: causal-agent on github
+ Fixes #5725
+ Closes #5728
+
+- [Ehren Bendler brought this change]
+
+ configure: cleanup wolfssl + pkg-config conflicts when cross compiling.
+
+ Also choose a different wolfSSL function to test for NTLM support.
+
+ Fixes #5605
+ Closes #5682
+
+- configure: show zstd "no" in summary when built without it
+
+ Reported-by: Marc Hörsken
+ Fixes #5720
+ Closes #5730
+
+- quiche: handle calling disconnect twice
+
+ Reported-by: lilongyan-huawei on github
+ Fixes #5726
+ Closes #5727
+
+- [Nicolas Sterchele brought this change]
+
+ getinfo: reset retry-after value in initinfo
+
+ - Avoid re-using retry_after value from preceding request
+ - Add libtest 3010 to verify
+
+ Reported-by: joey-l-us on github
+ Fixes #5661
+ Closes #5672
+
+Marcel Raad (27 Jul 2020)
+- WIN32: stop forcing narrow-character API
+
+ Except where the results are only used for character output.
+ getenv is not touched because it's part of the public API, and having
+ it return UTF-8 instead of ANSI would be a breaking change.
+
+ Fixes https://github.com/curl/curl/issues/5658
+ Fixes https://github.com/curl/curl/issues/5712
+ Closes https://github.com/curl/curl/pull/5718
+
+Jay Satiro (27 Jul 2020)
+- [Tobias Stoeckmann brought this change]
+
+ mprintf: Fix stack overflows
+
+ Stack overflows can occur with precisions for integers and floats.
+
+ Proof of concepts:
+ - curl_mprintf("%d, %.*1$d", 500, 1);
+ - curl_mprintf("%d, %+0500.*1$f", 500, 1);
+
+ Ideally, compile with -fsanitize=address which makes this undefined
+ behavior a bit more defined for debug purposes.
+
+ The format strings are valid. The overflows occur due to invalid
+ arguments. If these arguments are variables with contents controlled
+ by an attacker, the function's stack can be corrupted.
+
+ Also see CVE-2016-9586 which partially fixed the float aspect.
+
+ Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+
+ Closes https://github.com/curl/curl/pull/5722
+
+- [Tobias Stoeckmann brought this change]
+
+ mprintf: Fix dollar string handling
+
+ Verify that specified parameters are in range. If parameters are too
+ large, fail early on and avoid out of boundary accesses.
+
+ Also do not read behind boundaries of illegal format strings.
+
+ These are defensive measures since it is expected that format strings
+ are well-formed. Format strings should not be modifiable by user
+ input due to possible generic format string attacks.
+
+ Closes https://github.com/curl/curl/pull/5722
+
+Daniel Stenberg (26 Jul 2020)
+- ntlm: free target_info before (re-)malloc
+
+ OSS-Fuzz found a way this could get called again with the pointer still
+ pointing to a malloc'ed memory, leading to a leak.
+
+ Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24379
+
+ Closes #5724
+
+Marcel Raad (26 Jul 2020)
+- CI/macos: set minimum macOS version
+
+ This enables some deprecation warnings.
+ Previously, autotools defaulted to 10.8.
+
+ Closes https://github.com/curl/curl/pull/5723
+
+Daniel Stenberg (26 Jul 2020)
+- RELEASE-NOTES: synced
+
+Marcel Raad (25 Jul 2020)
+- CI/macos: enable warnings as errors for CMake builds
+
+ Closes https://github.com/curl/curl/pull/5716
+
+- CMake: fix test for warning suppressions
+
+ GCC doesn't warn for unknown `-Wno-` options, except if there are other
+ warnings or errors [0]. This was problematic with `CURL_WERROR` as that
+ warning-as-error cannot be suppressed. Notably, this always happened
+ with `-Wno-pedantic-ms-format` when not targeting Windows. So test for
+ the positive form of the warning instead, which should always result in
+ a diagnostic if unknown.
+
+ [0] https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html
+
+ Closes https://github.com/curl/curl/pull/5714
+
+Jay Satiro (23 Jul 2020)
+- curl.h: update CURLINFO_LASTONE
+
+ CURLINFO_LASTONE should have been updated when
+ CURLINFO_EFFECTIVE_METHOD was added.
+
+ Reported-by: xwxbug@users.noreply.github.com
+
+ Fixes https://github.com/curl/curl/issues/5711
+
+Marc Hoersken (22 Jul 2020)
+- CI/azure: unconditionally enable warnings-as-errors with autotools
+
+ Reviewed-by: Marcel Raad
+
+ Follow up to #5694
+ Closes #5706
+
+Marcel Raad (21 Jul 2020)
+- doh: remove redundant cast
+
+ Closes https://github.com/curl/curl/pull/5704
+
+- CI/macos: unconditionally enable warnings-as-errors with autotools
+
+ Previously, warnings were only visible in the output for most jobs.
+
+ Closes https://github.com/curl/curl/pull/5694
+
+- util: silence conversion warnings
+
+ timeval::tv_usec might be a 32-bit integer and timespec::tv_nsec might
+ be a 64-bit integer. This is the case when building for recent macOS
+ versions, for example. Just treat tv_usec as an int, which should
+ hopefully always be sufficient on systems with
+ `HAVE_CLOCK_GETTIME_MONOTONIC`.
+
+ Closes https://github.com/curl/curl/pull/5695
+
+- md(4|5): don't use deprecated macOS functions
+
+ They are marked as deprecated for -mmacosx-version-min >= 10.15,
+ which might result in warnings-as-errors.
+
+ Closes https://github.com/curl/curl/pull/5695
+
+Daniel Stenberg (18 Jul 2020)
+- strdup: remove the odd strlen check
+
+ It confuses code analyzers with its use of -1 for unsigned value. Also,
+ a check that's not normally used in strdup() code - and not necessary.
+
+ Closes #5697
+
+- [Alessandro Ghedini brought this change]
+
+ travis: update quiche builds for new boringssl layout
+
+ This is required after https://github.com/cloudflare/quiche/pull/593
+ moved BoringSSL around slightly.
+
+ This also means that Go is not needed to build BoringSSL anymore (the
+ one provided by quiche anyway).
+
+ Closes #5691
+
+Marcel Raad (17 Jul 2020)
+- configure: allow disabling warnings
+
+ When using `--enable-warnings`, it was not possible to disable warnings
+ via CFLAGS that got explicitly enabled. Now warnings are not enabled
+ anymore if they are explicitly disabled (or enabled) in CFLAGS. This
+ works for at least GCC, clang, and TCC as they have corresponding
+ `-Wno-` options for every warning.
+
+ Closes https://github.com/curl/curl/pull/5689
+
+Daniel Stenberg (16 Jul 2020)
+- ngtcp2: adjust to recent sockaddr updates
+
+ Closes #5690
+
+- page-header: provide protocol details in the curl.1 man page
+
+ Add protocol and version specific information about all protocols curl
+ supports.
+
+ Fixes #5679
+ Reported-by: tbugfinder on github
+ Closes #5686
+
+Daniel Gustafsson (16 Jul 2020)
+- docs: Update a few leftover mentions of DarwinSSL
+
+ Commit 76a9c3c4be10b3d4d379d5b23ca76806bbae536a renamed DarwinSSL to the
+ more correct/common name Secure Transport, but a few mentions in the docs
+ remained.
+
+ Closes #5688
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+Daniel Stenberg (16 Jul 2020)
+- file2memory: use a define instead of -1 unsigned value
+
+ ... to use the maximum value for 'size_t' when detecting integer overflow.
+ Changed the limit to max/4 as already that seems unreasonably large.
+
+ Codacy didn't like the previous approach.
+
+ Closes #5683
+
+- CURL_PUSH_ERROROUT: allow the push callback to fail the parent stream
+
+ ... by adding support for a new dedicated return code.
+
+ Suggested-by: Jonathan Cardoso
+ Assisted-by: Erik Johansson
+ URL: https://curl.haxx.se/mail/lib-2020-06/0099.html
+ Closes #5636
+
+- [Baruch Siach brought this change]
+
+ nss: fix build with disabled proxy support
+
+ Avoid reference to fields that do not exist when CURL_DISABLE_PROXY is
+ defined.
+
+ Closes #5667
+
+- test1139: make it display the difference on test failures
+
+- test1119: verify stdout in the test
+
+ So that failures will be displayed in the terminal, as it makes test failures
+ visually displayed easier and faster.
+
+ Closes #5644
+
+- curl: add %{method} to the -w variables
+
+ Gets the CURLINFO_EFFECTIVE_METHOD from libcurl.
+
+ Added test 1197 to verify.
+
+- CURLINFO_EFFECTIVE_METHOD: added
+
+ Provide the HTTP method that was used on the latest request, which might
+ be relevant for users when there was one or more redirects involved.
+
+ Closes #5511
+
+Viktor Szakats (14 Jul 2020)
+- windows: add unicode to feature list
+
+ Reviewed-by: Marcel Raad
+ Reviewed-by: Marc Hörsken
+
+ Closes #5491
+
+Daniel Stenberg (14 Jul 2020)
+- multi: remove two checks always true
+
+ Detected by Codacy
+ Closes #5676
+
+Marc Hoersken (13 Jul 2020)
+- workflows: limit what branches to run CodeQL on
+
+ Align CodeQL action with existing CI actions:
+ - Update branch filter to avoid duplicate CI runs.
+ - Shorten workflow name due to informative job name.
+
+ Reviewed-by: Daniel Stenberg
+
+ Closes #5660
+
+- appveyor: collect libcurl.dll variants with prefix or suffix
+
+ On some platforms libcurl is build with a platform-specific
+ prefix and/or a version number suffix.
+
+ Assisted-by: Jay Satiro
+
+ Closes #5659
+
+Daniel Stenberg (12 Jul 2020)
+- [ihsinme brought this change]
+
+ socks: use size_t for size variable
+
+ Use the unsigned type (size_t) in the arithmetic of pointers. In this
+ context, the signed type (ssize_t) is used unnecessarily.
+
+ Authored-by: ihsinme on github
+ Closes #5654
+
+- RELEASE-NOTES: synced
+
+ ... and bumped to 7.72.0 as the next release version number
+
+- [Gilles Vollant brought this change]
+
+ content_encoding: add zstd decoding support
+
+ include zstd curl patch for Makefile.m32 from vszakats
+ and include Add CMake support for zstd from Peter Wu
+
+ Helped-by: Viktor Szakats
+ Helped-by: Peter Wu
+ Closes #5453
+
+- asyn.h: remove the Curl_resolver_getsock define
+
+ - not used
+ - used the wrong number of arguments
+ - confused the Codeacy code analyzer
+
+ Closes #5647
+
+- [Nicolas Sterchele brought this change]
+
+ configure.ac: Sort features name in summary
+
+ - Same as protocols
+
+ Closes #5656
+
+- [Matthias Naegler brought this change]
+
+ cmake: fix windows xp build
+
+ Reviewed-by: Marcel Raad
+ Closes #5662
+
+- ngtcp2: update to modified qlog callback prototype
+
+ Closes #5675
+
+- transfer: fix memory-leak with CURLOPT_CURLU in a duped handle
+
+ Added test case 674 to reproduce and verify the bug report.
+
+ Fixes #5665
+ Reported-by: NobodyXu on github
+ Closes #5673
+
+- [Baruch Siach brought this change]
+
+ bearssl: fix build with disabled proxy support
+
+ Avoid reference to fields that do not exist when CURL_DISABLE_PROXY is
+ defined.
+
+ Reviewed-by: Nicolas Sterchele
+ Closes #5666
+
+- RELEASE-NOTES: synced
+
+Jay Satiro (11 Jul 2020)
+- [Carlo Marcelo Arenas Belón brought this change]
+
+ cirrus-ci: upgrade 11-STABLE to 11.4
+
+ Meant to be the last of the 11 series and so make sure that all
+ other references reflect all 11 versions so they can be retired
+ together later.
+
+ Closes https://github.com/curl/curl/pull/5668
+
+- [Filip Salomonsson brought this change]
+
+ CURLINFO_CERTINFO.3: fix typo
+
+ Closes https://github.com/curl/curl/pull/5655
+
+Daniel Stenberg (4 Jul 2020)
+- http2: only do the *done() cleanups for HTTP
+
+ Follow-up to ef86daf4d3
+
+ Closes #5650
+ Fixes #5646
+
+- [Alex Kiernan brought this change]
+
+ gnutls: repair the build with `CURL_DISABLE_PROXY`
+
+ `http_proxy`/`proxy_ssl`/`tunnel_proxy` will not be available in `conn`
+ if `CURL_DISABLE_PROXY` is enabled. Repair the build with that
+ configuration.
+
+ Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
+ Closes #5645
+
+Alex Kiernan (3 Jul 2020)
+- gnutls: Fetch backend when using proxy
+
+ Fixes: 89865c149 ("gnutls: remove the BACKEND define kludge")
+ Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
+
+Daniel Stenberg (3 Jul 2020)
+- [Laramie Leavitt brought this change]
+
+ http2: close the http2 connection when no more requests may be sent
+
+ Well-behaving HTTP2 servers send two GOAWAY messages. The first
+ message is a warning that indicates that the server is going to
+ stop accepting streams. The second one actually closes the stream.
+
+ nghttp2 reports this state (and the other state of no more stream
+ identifiers) via the call nghttp2_session_check_request_allowed().
+ In this state the client should not create more streams on the
+ session (tcp connection), and in curl this means that the server
+ has requested that the connection is closed.
+
+ It would be also be possible to put the connclose() call into the
+ on_http2_frame_recv() function that triggers on the GOAWAY message.
+
+ This fixes a bug seen when the client sees the following sequence of
+ frames:
+
+ // advisory GOAWAY
+ HTTP2 GOAWAY [stream-id = 0, promised-stream-id = -1]
+ ... some additional frames
+
+ // final GOAWAY
+ HTTP2 GOAWAY [stream-id = 0, promised-stream-id = N ]
+
+ Before this change, curl will attempt to reuse the connection even
+ after the last stream, will encounter this error:
+
+ * Found bundle for host localhost: 0x5595f0a694e0 [can multiplex]
+ * Re-using existing connection! (#0) with host localhost
+ * Connected to localhost (::1) port 10443 (#0)
+ * Using Stream ID: 9 (easy handle 0x5595f0a72e30)
+ > GET /index.html?5 HTTP/2
+ > Host: localhost:10443
+ > user-agent: curl/7.68.0
+ > accept: */*
+ >
+ * stopped the pause stream!
+ * Connection #0 to host localhost left intact
+ curl: (16) Error in the HTTP2 framing layer
+
+ This error may posion the connection cache, causing future requests
+ which resolve to the same curl connection to go through the same error
+ path.
+
+ Closes #5643
+
+- ftpserver: don't verify SMTP MAIL FROM names
+
+ Rely on tests asking the names to get refused instead - test servers
+ should be as dumb as possible. Edited test 914, 955 and 959 accordingly.
+
+ Closes #5639
+
+- curl_version_info.3: CURL_VERSION_KERBEROS4 is deprecated
+
+ This came up in #5640. It make sense to clarify this in the docs!
+
+ Reminded-by: Kamil Dudka
+ Closes #5642
+
+Kamil Dudka (3 Jul 2020)
+- tool_getparam: make --krb option work again
+
+ It was disabled by mistake in commit curl-7_37_1-23-ge38ba4301.
+
+ Bug: https://bugzilla.redhat.com/1833193
+ Closes #5640
+
+Daniel Stenberg (2 Jul 2020)
+- [Jeremy Maitin-Shepard brought this change]
+
+ http2: fix nghttp2_strerror -> nghttp2_http2_strerror in debug messages
+
+ Confusingly, nghttp2 has two different error code enums:
+
+ - nghttp2_error, to be used with nghttp2_strerror
+ - nghttp2_error_code, to be used with nghttp2_http2_strerror
+
+ Closes #5641
+
+Marcel Raad (2 Jul 2020)
+- url: silence MSVC warning
+
+ Since commit f3d501dc678, if proxy support is disabled, MSVC warns:
+ url.c : warning C4701: potentially uninitialized local variable
+ 'hostaddr' used
+ url.c : error C4703: potentially uninitialized local pointer variable
+ 'hostaddr' used
+
+ That could actually only happen if both `conn->bits.proxy` and
+ `CURL_DISABLE_PROXY` were enabled.
+ Initialize it to NULL to silence the warning.
+
+ Closes https://github.com/curl/curl/pull/5638
+
+Daniel Stenberg (1 Jul 2020)
+- RELEASE-NOTES: synced
+
+Version 7.71.1 (30 Jun 2020)
+
+Daniel Stenberg (30 Jun 2020)
+- RELEASE-NOTES: curl 7.71.1
+
+- THANKS: add contributors to 7.71.1
+
+- scripts/copyright.pl: skip .dcignore
+
+- Revert "multi: implement wait using winsock events"
+
+ This reverts commit 8bc25c590e530de87595d1bb3577f699eb1309b9.
+
+ That commit (from #5397) introduced a regression in 7.71.0.
+
+ Reported-by: tmkk on github
+ Fixes #5631
+ Closes #5632
+
+- TODO: Add flag to specify download directory
+
+- TODO: return code to CURLMOPT_PUSHFUNCTION to fail connection
+
+- cirrus-ci: disable FreeBSD 13 (again)
+
+ It has been failing for a good while again. This time we better leave it
+ disabled until we have more reason to believe it behaves.
+
+ Closes #5628
+
+- ngtcp2: sync with current master
+
+ ngtcp2 added two new callbacks
+
+ Reported-by: Lucien Zürcher
+ Fixes #5624
+ Closes #5627
+
+- examples/multithread.c: call curl_global_cleanup()
+
+ Reported-by: qiandu2006 on github
+ Fixes #5622
+ Closes #5623
+
+- vtls: compare cert blob when finding a connection to reuse
+
+ Reported-by: Gergely Nagy
+ Fixes #5617
+ Closes #5619
+
+- RELEASE-NOTES: synced
+
+- terminology: call them null-terminated strings
+
+ Updated terminology in docs, comments and phrases to refer to C strings
+ as "null-terminated". Done to unify with how most other C oriented docs
+ refer of them and what users in general seem to prefer (based on a
+ single highly unscientific poll on twitter).
+
+ Reported-by: coinhubs on github
+ Fixes #5598
+ Closes #5608
+
+- http: fix proxy auth with blank password
+
+ Regression in 7.71.0
+
+ Added test case 346 to verify.
+
+ Reported-by: Kristoffer Gleditsch
+ Fixes #5613
+ Closes #5616
+
+- .dcignore: ignore tests and docs directories
+
+ This is a config file for deepcode.ai, a static code analyzer.
+
+Jay Satiro (26 Jun 2020)
+- tool_cb_hdr: Fix etag warning output and return code
+
+ - Return 'failure' on failure, to follow the existing style.
+
+ - Put Warning: and the warning message on the same line.
+
+ Ref: https://github.com/curl/curl/issues/5610
+
+ Closes https://github.com/curl/curl/pull/5612
+
+Daniel Stenberg (26 Jun 2020)
+- CURLOPT_READFUNCTION.3: provide the upload data size up front
+
+ Assisted-by: Jay Satiro
+ Closes #5607
+
+- test1539: do a HTTP 1.0 POST without a set size (fails)
+
+ Attempt to reproduce #5593. Test case 1514 is very similar but uses
+ HTTP/1.1 and thus switches to chunked.
+
+ Closes #5595
+
+- [Baruch Siach brought this change]
+
+ mbedtls: fix build with disabled proxy support
+
+ Don't reference fields that do not exist. Fixes build failure:
+
+ vtls/mbedtls.c: In function 'mbed_connect_step1':
+ vtls/mbedtls.c:249:54: error: 'struct connectdata' has no member named 'http_proxy'
+
+ Closes #5615
+
+- codeql-analysis.yml: fix the 'languages' setting
+
+ It needs a 'with:' in front of it.
+
+GitHub (26 Jun 2020)
+- [Daniel Stenberg brought this change]
+
+ gtihub: codeql-analysis.yml
+
+ enables code security scanning with github actions
+
+Daniel Stenberg (25 Jun 2020)
+- tests: verify newline in username and password for HTTP
+
+ test 1296 is a simply command line test
+
+ test 1910 is a libcurl test including a redirect
+
+- url: allow user + password to contain "control codes" for HTTP(S)
+
+ Reported-by: Jon Johnson Jr
+ Fixes #5582
+ Closes #5592
+
+- escape: make the URL decode able to reject only %00 bytes
+
+ ... or all "control codes" or nothing.
+
+ Assisted-by: Nicolas Sterchele
+
+- http2: set the correct URL in pushed transfers
+
+ ...previously CURLINFO_EFFECTIVE_URL would report the URL of the
+ original "mother transfer", not the actually pushed resource.
+
+ Reported-by: Jonathan Cardoso Machado
+ Fixes #5589
+ Closes #5591
+
+Jay Satiro (25 Jun 2020)
+- [Javier Blazquez brought this change]
+
+ openssl: Fix compilation on Windows when ngtcp2 is enabled
+
+ - Include wincrypt before OpenSSL includes so that the latter can
+ properly handle any conflicts between the two.
+
+ Closes https://github.com/curl/curl/pull/5606
+
+Daniel Stenberg (25 Jun 2020)
+- test543: extended to verify zero length input
+
+ As was reported in #5601
+
+- escape: zero length input should return a zero length output
+
+ Regression added in 7.71.0.
+
+ Fixes #5601
+ Reported-by: Kristoffer Gleditsch
+ Closes #5602
+
+- Curl_inet_ntop: always check the return code
+
+ Reported-by: Siva Sivaraman
+ Fixes #5412
+ Closes #5597
+
+- sendf: improve the message on client write errors
+
+ Replace "Failed writing body (X != Y)" with
+ "Failure writing output to destination". Possibly slightly less cryptic.
+
+ Reported-by: coinhubs on github
+ Fixes #5594
+ Closes #5596
+
+- RELEASE-NOTES: synced
+
+- curlver: start working on 7.71.1
+
+- [Denis Baručić brought this change]
+
+ DYNBUF.md: fix a typo: trail => tail
+
+ Closes #5599
+
+Version 7.71.0 (23 Jun 2020)
+
+Daniel Stenberg (23 Jun 2020)
+- RELEASE-NOTES: curl 7.71.0 release
+
+- THANKS: curl 7.71.0 additions
+
+- url: make sure pushed streams get an allocated download buffer
+
+ Follow-up to c4e6968127e876b0
+
+ When a new transfer is created, as a resuly of an acknowledged push,
+ that transfer needs a download buffer allocated.
+
+ Closes #5590
+
+Jay Satiro (22 Jun 2020)
+- openssl: Don't ignore CA paths when using Windows CA store
+
+ This commit changes the behavior of CURLSSLOPT_NATIVE_CA so that it does
+ not override CURLOPT_CAINFO / CURLOPT_CAPATH, or the hardcoded default
+ locations. Instead the CA store can now be used at the same time.
+
+ The change is due to the impending release. The issue is still being
+ discussed. The behavior of CURLSSLOPT_NATIVE_CA is subject to change and
+ is now documented as experimental.
+
+ Ref: bc052cc (parent commit)
+ Ref: https://github.com/curl/curl/issues/5585
+
+- tool_operate: Don't use Windows CA store as a fallback
+
+ Background:
+
+ 148534d added CURLSSLOPT_NATIVE_CA to use the Windows OS certificate
+ store in libcurl w/ OpenSSL on Windows. CURLSSLOPT_NATIVE_CA overrides
+ CURLOPT_CAINFO if both are set. The curl tool will fall back to
+ CURLSSLOPT_NATIVE_CA if it could not find a certificate bundle to set
+ via CURLOPT_CAINFO.
+
+ Problem:
+
+ libcurl may be built with hardcoded paths to a certificate bundle or
+ directory, and if CURLSSLOPT_NATIVE_CA is used then those paths are
+ ignored.
+
+ Solution:
+
+ A solution is still being discussed but since there's an impending
+ release this commit removes using CURLSSLOPT_NATIVE_CA in the curl tool.
+
+ Ref: https://github.com/curl/curl/issues/5585
+
+- openssl: Fix CA fallback logic for OpenSSL 3.0 build
+
+ Prior to this change I assume a build error would occur when
+ CURL_CA_FALLBACK was used.
+
+ Closes https://github.com/curl/curl/pull/5587
+
+Daniel Stenberg (22 Jun 2020)
+- copyright: update mismatched copyright years
+
+- test1460: verify that -Ji is not ok
+
+- tool_getparam: -i is not OK if -J is used
+
+ Reported-by: sn on hackerone
+ Bug: https://curl.haxx.se/docs/CVE-2020-8177.html
+
+- [Peter Wu brought this change]
+
+ CMake: ignore INTERFACE_LIBRARY targets for pkg-config file
+
+ Reviewed-by: Marcel Raad
+ Fixes #5512
+ Closes #5517
+
+- [Valentyn Korniienko brought this change]
+
+ multibyte: Fixed access-> waccess to file for Windows Plarform
+
+ Reviewed-by: Marcel Raad
+ Closes #5580
+
+- altsvc: bump to h3-29
+
+ Closes #5584
+
+- urlglob: treat literal IPv6 addresses with zone IDs as a host name
+
+ ... and not as a "glob". Now done by passing the supposed host to the
+ URL parser which supposedly will do a better job at identifying "real"
+ numerical IPv6 addresses.
+
+ Reported-by: puckipedia on github
+ Fixes #5576
+ Closes #5579
+
+- test1179: verify error message for non-existing cmdline option
+
+- tool_getparam: repair the error message for unknown flag
+
+ Follow-up to 9e5669f3880674
+ Detected by Coverity CID 1464582 ("Logically dead code")
+
+ Closes #5577
+
+- FILEFORMAT: describe verify/stderr
+
+- connect: improve happy eyeballs handling
+
+ For QUIC but also for regular TCP when the second family runs out of IPs
+ with a failure while the first family is still trying to connect.
+
+ Separated the timeout handling for IPv4 and IPv6 connections when they
+ both have a number of addresses to iterate over.
+
+- ngtcp2: never call fprintf() in lib code in release version
+
+- ngtcp2: fix happy eyeballs quic connect crash
+
+ Reported-by: Peter Wu
+ Fixes #5565
+ Closes #5568
+
+- select: remove the unused ELAPSED_MS() macro
+
+ Closes #5573
+
+Marc Hoersken (17 Jun 2020)
+- [rcombs brought this change]
+
+ multi: implement wait using winsock events
+
+ This avoids using a pair of TCP ports to provide wakeup functionality
+ for every multi instance on Windows, where socketpair() is emulated
+ using a TCP socket on loopback which could in turn lead to socket
+ resource exhaustion.
+
+ Reviewed-by: Gergely Nagy
+ Reviewed-by: Marc Hörsken
+
+ Closes #5397
+
+Daniel Stenberg (17 Jun 2020)
+- manpage: add three missing environment variables
+
+ CURL_SSL_BACKEND, QLOGDIR and SSLKEYLOGFILE
+
+ Closes #5571
+
+- RELEASE-NOTES: synced
+
+- configure: for wolfSSL, check for the DES func needed for NTLM
+
+ Also adds pkg-config support for the wolfSSL detection.
+
+- [Ruurd Beerstra brought this change]
+
+ ntlm: enable NTLM support with wolfSSL
+
+ When wolfSSL is built with its OpenSSL API layer, it fetures the same DES*
+ functions that OpenSSL has. This change take advantage of that.
+
+ Co-authored-by: Daniel Stenberg
+ Closes #5556
+ Fixes #5548
+
+- http: move header storage to Curl_easy from connectdata
+
+ Since the connection can be used by many independent requests (using
+ HTTP/2 or HTTP/3), things like user-agent and other transfer-specific
+ data MUST NOT be kept connection oriented as it could lead to requests
+ getting the wrong string for their requests. This struct data was
+ lingering like this due to old HTTP1 legacy thinking where it didn't
+ mattered..
+
+ Fixes #5566
+ Closes #5567
+
+- CODE_REVIEW.md: how to do code reviews in curl
+
+ Assisted-by: Daniel Gustafsson
+ Assisted-by: Rich Salz
+ Assisted-by: Hugo van Kemenade
+ Assisted-by: James Fuller
+ Assisted-by: Marc Hörsken
+ Assisted-by: Jay Satiro
+
+ Closes #5555
+
+- altsvc: remove the num field from the altsvc struct
+
+ It was superfluous since we have the list.size alredy
+
+ Reported-by: Jay Satiro
+ Fixes #5553
+ Closes #5563
+
+- version.d: expanded and alpha-sorted
+
+ Added a few missing features not previously mentioned. Ordered them
+ alphabetically.
+
+ Closes #5558
+
+- ABI.md: rename to .md and polish the markdown
+
+ Closes #5562
+
+- HELP-US: add a section for "smaller tasks"
+
+ The point of this section is to meet the CII Best Practices gold level
+ critera:
+
+ "The project MUST clearly identify small tasks that can be performed by
+ new or casual contributors"
+
+ Closes #5560
+
+- TODO: retry on the redirected-to URL
+
+ Closes #5462
+
+- mailmap: Nicolas Sterchele
+
+- [Nicolas Sterchele brought this change]
+
+ TODO: remove 19.3 section title
+
+ Follow-up to ad6416986755e417c66e2c6, which caused wrong formatting on
+ curl documentation website
+
+ Closes #5561
+
+- [Martin V brought this change]
+
+ test1560: avoid possibly negative association in wording
+
+ Closes #5549
+
+- share: don't set the share flag it something fails
+
+ When asking for a specific feature to be shared in the share object,
+ that bit was previously set unconditionally even if the shared feature
+ failed or otherwise wouldn't work.
+
+ Closes #5554
+
+- buildconf: remove -print from the find command that removes files
+
+ It's just too annoying and unnecessary to get a long list of files shown
+
+- RELEASE-NOTES: synced
+
+- wording: avoid blacklist/whitelist stereotypes
+
+ Instead of discussing if there's value or meaning (implied or not) in
+ the colors, let's use words without the same possibly negative
+ associations.
+
+ Closes #5546
+
+Jay Satiro (9 Jun 2020)
+- tool_getparam: fix memory leak in parse_args
+
+ Prior to this change in Windows Unicode builds most parsed options would
+ not be freed.
+
+ Found using _CrtDumpMemoryLeaks().
+
+ Ref: https://github.com/curl/curl/issues/5545
+
+Daniel Stenberg (8 Jun 2020)
+- socks: detect connection close during handshake
+
+ The SOCKS4/5 state machines weren't properly terminated when the proxy
+ connection got closed, leading to a busy-loop.
+
+ Reported-By: zloi-user on github
+ Fixes #5532
+ Closes #5542
+
+- [James Fuller brought this change]
+
+ multi: add defensive check on data->multi->num_alive
+
+ Closes #5540
+
+- Curl_addrinfo: use one malloc instead of three
+
+ To reduce the amount of allocations needed for creating a Curl_addrinfo
+ struct, make a single larger malloc instead of three separate smaller
+ ones.
+
+ Closes #5533
+
+- [Alessandro Ghedini brought this change]
+
+ quiche: update SSLKEYLOGFILE support
+
+ quiche now requires the application to explicitly set the keylog path
+ for each connection, rather than reading the environment variable
+ itself.
+
+ Closes #5541
+
+- tests: add two simple tests for --login-options
+
+ Test 895 and 896 - as a follow-up to a3e972313b
+
+ Closes #5539
+
+- ngtcp2: update with recent API changes
+
+ Syncs with ngtcp2 commit 7e9a917d386d98 merged June 7 2020.
+
+ Assisted-by: Tatsuhiro Tsujikawa
+ Closes #5538
+
+- [James Fuller brought this change]
+
+ socks: remove unreachable breaks in socks.c and mime.c
+
+ Closes #5537
+
+- tool_cfgable: free login_options at exit
+
+ Memory leak
+ Reported-by: Geeknik Labs
+ Fixes #5535
+ Closes #5536
+
+- libssh2: keep sftp errors as 'unsigned long'
+
+ Remove weird work-around for storing the SFTP errors as int instead of
+ the "unsigned long" that libssh2 actually returns for SFTP errors.
+
+ Closes #5534
+
+Marc Hoersken (6 Jun 2020)
+- timeouts: move ms timeouts to timediff_t from int and long
+
+ Now that all functions in select.[ch] take timediff_t instead
+ of the limited int or long, we can remove type conversions
+ and related preprocessor checks to silence compiler warnings.
+
+ Avoiding conversions from time_t was already done in 842f73de.
+
+ Based upon #5262
+ Supersedes #5214, #5220 and #5221
+ Follow up to #5343 and #5479
+ Closes #5490
+
+Daniel Stenberg (6 Jun 2020)
+- [François Rigault brought this change]
+
+ openssl: set FLAG_TRUSTED_FIRST unconditionally
+
+ On some systems, openssl 1.0.x is still the default, but it has been
+ patched to contain all the recent security fixes. As a result of this
+ patching, it is possible for macro X509_V_FLAG_NO_ALT_CHAINS to be
+ defined, while the previous behavior of openssl to not look at trusted
+ chains first, remains.
+
+ Fix it: ensure X509_V_FLAG_TRUSTED_FIRST is always set, do not try to
+ probe for the behavior of openssl based on the existence ofmacros.
+
+ Closes #5530
+
+- server/util: fix logmsg format using curl_off_t argument
+
+ ... this caused segfaults on armv7.
+
+ Regression added in dd0365d560aea5a (7.70.0)
+
+ Reviewed-by: Jay Satiro
+ Closes #5529
+
+- RELEASE-NOTES: synced
+
+- [Cherish98 brought this change]
+
+ socks: fix expected length of SOCKS5 reply
+
+ Commit 4a4b63d forgot to set the expected SOCKS5 reply length when the
+ reply ATYP is X'01'. This resulted in erroneously expecting more bytes
+ when the request length is greater than the reply length (e.g., when
+ remotely resolving the hostname).
+
+ Closes #5527
+
+Marc Hoersken (5 Jun 2020)
+- .gitignore: add directory containing the stats repo
+
+ Since the new curl/stats repository is designed to be
+ checked out into the curl repository working tree as stats/
+ it should be on the ignore list to aid in commit staging.
+
+Daniel Stenberg (5 Jun 2020)
+- [Adnan Khan brought this change]
+
+ HTTP3.md: clarify cargo build directory
+
+ Cargo needs to be called from within the 'quiche' directory.
+
+ Closes #5522
+
+- user-agent.d: spell out what happens given a blank argument
+
+ Closes #5525
+
+- trailers: switch h1-trailer logic to use dynbuf
+
+ In the continued effort to remove "manual" realloc schemes.
+
+ Closes #5524
+
+- CURLINFO_ACTIVESOCKET.3: clarify the description
+
+ Reported-by: Jay Satiro
+ Fixes #5299
+ Closes #5520
+
+- mailmap: Don J Olmstead
+
+- configure: only strip first -L from LDFLAGS
+
+ In the logic that works out if a given OpenSSL path works, it stripped
+ off a possibly leading -L flag using an incorrect sed pattern which
+ would remove all instances of -L in the string, including if the path
+ itself contained that two-letter sequence!
+
+ The same pattern was used and is now updated in multiple places. Now it
+ only removes -L if it starts the strings.
+
+ Reported-by: Mohamed Osama
+ Fixes #5519
+ Closes #5521
+
+Peter Wu (4 Jun 2020)
+- quiche: advertise draft 28 support
+
+ Fix the verbose message while at it, quiche currently supports draft
+ 27 and draft 28 simultaneously.
+
+ Closes #5518
+
+Daniel Stenberg (4 Jun 2020)
+- KNOWN_BUGS: RTSP authentication breaks without redirect support
+
+ Closes #4750
+
+Jay Satiro (4 Jun 2020)
+- projects: Add crypt32.lib to dependencies for all OpenSSL configs
+
+ Windows project configurations that use OpenSSL with USE_WIN32_CRYPTO
+ need crypt32.
+
+ Follow-up to 148534d which added CURLSSLOPT_NATIVE_CA for 7.71.0.
+
+ The changes that are in this commit were made by script.
+
+ Ref: https://gist.github.com/jay/a1861b50ecce2b32931237180f856e28
+
+ Closes https://github.com/curl/curl/pull/5516
+
+Marc Hoersken (3 Jun 2020)
+- CI/macos: fix 'is already installed' errors by using bundle
+
+ Avoid failing CI builds due to nghttp2 being already installed.
+
+ Closes #5513
+
+Daniel Stenberg (3 Jun 2020)
+- altsvc: fix 'dsthost' may be used uninitialized in this function
+
+- RELEASE-NOTES: synced
+
+- urldata: let the HTTP method be in the set.* struct
+
+ When the method is updated inside libcurl we must still not change the
+ method as set by the user as then repeated transfers with that same
+ handle might not execute the same operation anymore!
+
+ This fixes the libcurl part of #5462
+
+ Test 1633 added to verify.
+
+ Closes #5499
+
+- hostip: fix the memory-leak introduced in 67d2802
+
+ Fixes #5503
+ Closes #5504
+
+- test970: make it require proxy support
+
+ This test verifies the -w %json output and the test case includes a full
+ generated "blob". If there's no proxy support built into libcurl, it
+ will return an error for proxy related info variables and they will not
+ be included in the json, thus causing a mismatch and this test fails.
+
+ Reported-by: Marc Hörsken
+ Fixes #5501
+ Closes #5502
+
+- [Radoslav Georgiev brought this change]
+
+ examples/http2-down/upload: add error checks
+
+ If `index.html` does not exist in the directory from which the example
+ is invoked, the fopen(upload, "rb") invocation in `setup` would fail,
+ returning NULL. This value is subsequently passed as the FILE* argument
+ of the `fread` invocation in the `read_callback` function, which is the
+ actual cause of the crash (apparently `fread` assumes that argument to
+ be non-null).
+
+ In addition, mitigate some possible crashes of similar origin.
+
+ Closes #5463
+
+- [kotoriのねこ brought this change]
+
+ examples/ephiperfifo: turn off interval when setting timerfd
+
+ Reported-by: therealhirudo on github
+ Fixes #5485
+ Closes #5497
+
+- [Saleem Abdulrasool brought this change]
+
+ vtls: repair the build with `CURL_DISABLE_PROXY`
+
+ `http_proxy` will not be available in `conndata` if `CURL_DISABLE_PROXY`
+ is enabled. Repair the build with that configuration.
+
+ Follow-up to f3d501dc67
+
+ Closes #5498
+
+- transfer: remove k->str NULL check
+
+ "Null-checking k->str suggests that it may be null, but it has already
+ been dereferenced on all paths leading to the check" - and it can't
+ legally be NULL at this point. Remove check.
+
+ Detected by Coverity CID 1463884
+
+ Closes #5495
+
+Marc Hoersken (1 Jun 2020)
+- select: always use Sleep in Curl_wait_ms on Win32
+
+ Since Win32 almost always will also have USE_WINSOCK,
+ we can reduce complexity and always use Sleep there.
+
+ Assisted-by: Jay Satiro
+ Reviewed-by: Daniel Stenberg
+
+ Follow up to #5343
+ Closes #5489
+
+Daniel Stenberg (31 May 2020)
+- conncache: download buffer needs +1 size for trailing zero
+
+ Follow-up to c4e6968127e
+ Detected by OSS-Fuzz: https://oss-fuzz.com/testcase-detail/5727799779524608
+
+Marc Hoersken (31 May 2020)
+- azure: use matrix strategy to avoid configuration redundancy
+
+ This also includes the following changes:
+
+ - Use the same timeout for all jobs on Linux (60 minutes)
+ and Windows (90 minutes)
+ - Use CLI stable apt-get install -y instead of apt install
+ which warns about that and run apt-get update first
+ - Enable MQTT for Windows msys2 builds instead of
+ legacy msys1 builds
+ - Add ./configure --prefix parameter to the msys2 builds
+ - The MSYSTEM environment variable is now preset inside
+ the container images for the msys2 builds
+
+ Note: on Azure Pipelines the matrix strategy is basically
+ just a simple list of job copies and not really a matrix.
+
+ Closes #5468
+
+Daniel Stenberg (30 May 2020)
+- build: disable more code/data when built without proxy support
+
+ Added build to travis to verify
+
+ Closes #5466
+
+- url: alloc the download buffer at transfer start
+
+ ... and free it as soon as the transfer is done. It removes the extra
+ alloc when a new size is set with setopt() and reduces memory for unused
+ easy handles.
+
+ In addition: the closure_handle now doesn't use an allocated buffer at
+ all but the smallest supported size as a stack based one.
+
+ Closes #5472
+
+- timeouts: change millisecond timeouts to timediff_t from time_t
+
+ For millisecond timers we like timediff_t better. Also, time_t can be
+ unsigned so returning a negative value doesn't work then.
+
+ Closes #5479
+
+Marc Hoersken (30 May 2020)
+- select: add overflow checks for timeval conversions
+
+ Using time_t and suseconds_t if suseconds_t is available,
+ long on Windows (maybe others in the future) and int elsewhere.
+
+ Also handle case of ULONG_MAX being greater or equal to INFINITE.
+
+ Assisted-by: Jay Satiro
+ Reviewed-by: Daniel Stenberg
+
+ Part of #5343
+
+- select: use timediff_t instead of time_t and int for timeout_ms
+
+ Make all functions in select.[ch] take timeout_ms as timediff_t
+ which should always be large enough and signed on all platforms
+ to take all possible timeout values and avoid type conversions.
+
+ Reviewed-by: Jay Satiro
+ Reviewed-by: Daniel Stenberg
+
+ Replaces #5107 and partially #5262
+ Related to #5240 and #5286
+ Closes #5343
+
+- unit1604.c: fix implicit conv from 'SANITIZEcode' to 'CURLcode'
+
+ GCC 10 warns about this with warning: implicit conversion
+ from 'SANITIZEcode' to 'CURLcode' [-Wenum-conversion]
+
+ Since 'expected_result' is not really of type 'CURLcode' and
+ it is not exposed in any way, we can just use 'SANITIZEcode'.
+
+ Reviewed-by: Daniel Stenberg
+ Reviewed-by: Marcel Raad
+
+ Closes #5476
+
+- tests/libtest: fix undefined reference to 'curlx_win32_fopen'
+
+ Since curl_setup.h now makes use of curlx_win32_fopen for Win32
+ builds with USE_WIN32_LARGE_FILES or USE_WIN32_SMALL_FILES defined,
+ we need to include the relevant files for tests using fopen,
+ because the libtest sources are also including curl_setup.h
+
+ Reviewed-by: Marcel Raad
+ Reviewed-by: Daniel Stenberg
+
+ Follow up to #3784 (ffdddb45d9)
+ Closes #5475
+
+- appveyor: add non-debug plain autotools-based build
+
+ This should enable us to catch linking issues with the
+ testsuite early, like the one described/fixed in #5475.
+
+ Reviewed-by: Daniel Stenberg
+ Reviewed-by: Marcel Raad
+
+ Closes #5477
+
+Daniel Stenberg (29 May 2020)
+- RELEASE-NOTES: synced
+
+- Revert "buildconf: use find -execdir"
+
+ This partially reverts commit c712009838f44211958854de431315586995bc61.
+
+ Keep the ares_ files removed but bring back the older way to run find,
+ to make it work with busybox's find, as apparently that's being used.
+
+ Reported-by: Max Peal
+ Fixes #5483
+ Closes #5484
+
+- server/sws: fix asan warning on use of uninitialized variable
+
+- libssh2: improved error output for wrong quote syntax
+
+ Reported-by: Werner Stolz
+
+ Closes #5474
+
+- mk-lib1521: generate code for testing BLOB options as well
+
+ Follow-up to cac5374298b3
+
+ Closes #5478
+
+- configure: repair the check if argv can be written to
+
+ Due to bad escaping of the test code, the test wouldn't build and thus
+ result in a negative test result, which would lead to the unconditional
+ assumption that overwriting the arguments doesn't work and thus curl
+ would never hide credentials given in the command line, even when it
+ would otherwise be possible.
+
+ Regression from commit 2d4c2152c (7.60.0)
+
+ Reported-by: huzunhao on github
+ Fixes #5470
+ Closes #5471
+
+Peter Wu (28 May 2020)
+- CMake: rebuild Makefile.inc.cmake when Makefile.inc changes
+
+ Otherwise the build might fail due to missing source files, as
+ demonstrated by the recent keylog.c addition on an existing build dir.
+
+ Closes #5469
+
+Daniel Stenberg (28 May 2020)
+- urldata: fix comments: Curl_done() is called multi_done() now
+
+ ... since 575e885db
+
+Peter Wu (27 May 2020)
+- ngtcp2: use common key log routine for better thread-safety
+
+ Tested with ngtcp2 built against the OpenSSL library. Additionally
+ tested with MultiSSL (NSS for TLS and ngtcp2+OpenSSL for QUIC).
+
+ The TLS backend (independent of QUIC) may or may not already have opened
+ the keylog file before. Therefore Curl_tls_keylog_open is always called
+ to ensure the file is open.
+
+- wolfssl: add SSLKEYLOGFILE support
+
+ Tested following the same curl and tshark commands as in commit
+ "vtls: Extract and simplify key log file handling from OpenSSL" using
+ WolfSSL v4.4.0-stable-128-g5179503e8 from git master built with
+ `./configure --enable-all --enable-debug CFLAGS=-DHAVE_SECRET_CALLBACK`.
+
+ Full support for this feature requires certain wolfSSL build options,
+ see "Availability note" in lib/vtls/wolfssl.c for details.
+
+ Closes #5327
+
+- vtls: Extract and simplify key log file handling from OpenSSL
+
+ Create a set of routines for TLS key log file handling to enable reuse
+ with other TLS backends. Simplify the OpenSSL backend as follows:
+
+ - Drop the ENABLE_SSLKEYLOGFILE macro as it is unconditionally enabled.
+ - Do not perform dynamic memory allocation when preparing a log entry.
+ Unless the TLS specifications change we can suffice with a reasonable
+ fixed-size buffer.
+ - Simplify state tracking when SSL_CTX_set_keylog_callback is
+ unavailable. My original sslkeylog.c code included this tracking in
+ order to handle multiple calls to SSL_connect and detect new keys
+ after renegotiation (via SSL_read/SSL_write). For curl however we can
+ be sure that a single master secret eventually becomes available
+ after SSL_connect, so a simple flag is sufficient. An alternative to
+ the flag is examining SSL_state(), but this seems more complex and is
+ not pursued. Capturing keys after server renegotiation was already
+ unsupported in curl and remains unsupported.
+
+ Tested with curl built against OpenSSL 0.9.8zh, 1.0.2u, and 1.1.1f
+ (`SSLKEYLOGFILE=keys.txt curl -vkso /dev/null https://localhost:4433`)
+ against an OpenSSL 1.1.1f server configured with:
+
+ # Force non-TLSv1.3, use TLSv1.0 since 0.9.8 fails with 1.1 or 1.2
+ openssl s_server -www -tls1
+ # Likewise, but fail the server handshake.
+ openssl s_server -www -tls1 -Verify 2
+ # TLS 1.3 test. No need to test the failing server handshake.
+ openssl s_server -www -tls1_3
+
+ Verify that all secrets (1 for TLS 1.0, 4 for TLS 1.3) are correctly
+ written using Wireshark. For the first and third case, expect four
+ matches per connection (decrypted Server Finished, Client Finished, HTTP
+ Request, HTTP Response). For the second case where the handshake fails,
+ expect a decrypted Server Finished only.
+
+ tshark -i lo -pf tcp -otls.keylog_file:keys.txt -Tfields \
+ -eframe.number -eframe.time -etcp.stream -e_ws.col.Info \
+ -dtls.port==4433,http -ohttp.desegment_body:FALSE \
+ -Y 'tls.handshake.verify_data or http'
+
+ A single connection can easily be identified via the `tcp.stream` field.
+
+Daniel Stenberg (27 May 2020)
+- FILEFORMAT: add more features that tests can depend on
+
+- [Michael Kaufmann brought this change]
+
+ transfer: close connection after excess data has been read
+
+ For HTTP 1.x, it's a protocol error when the server sends more bytes
+ than announced. If this happens, don't reuse the connection, because the
+ start position of the next response is undefined.
+
+ Closes #5440
+
+- [Estanislau Augé-Pujadas brought this change]
+
+ Revert "ssh: ignore timeouts during disconnect"
+
+ This reverts commit f31760e63b4e9ef1eb25f8f211390f8239388515. Shipped in
+ curl 7.54.1.
+
+ Bug: https://curl.haxx.se/mail/lib-2020-05/0068.html
+ Closes #5465
+
+- urldata: connect related booleans live in struct ConnectBits
+
+ And remove a few unused booleans!
+
+ Closes #5461
+
+- hostip: on macOS avoid DoH when given a numerical IP address
+
+ When USE_RESOLVE_ON_IPS is set (defined on macOS), it means that
+ numerical IP addresses still need to get "resolved" - but not with DoH.
+
+ Reported-by: Viktor Szakats
+ Fixes #5454
+ Closes #5459
+
+- ngtcp2: cleanup memory when failing to connect
+
+ Reported-by: Peter Wu
+ Fixes #5447 (the ngtcp2 side of it)
+ Closes #5451
+
+- quiche: clean up memory properly when failing to connect
+
+ Addresses the quiche side of #5447
+ Reported-by: Peter Wu
+ Closes #5450
+
+- cleanup: use a single space after equals sign in assignments
+
+- url: accept "any length" credentials for proxy auth
+
+ They're only limited to the maximum string input restrictions, not to
+ 256 bytes.
+
+ Added test 1178 to verify
+
+ Reported-by: Will Roberts
+ Fixes #5448
+ Closes #5449
+
+- [Maksim Stsepanenka brought this change]
+
+ test1167: fixes in badsymbols.pl
+
+ Closes #5442
+
+- altsvc: fix parser for lines ending with CRLF
+
+ Fixed the alt-svc parser to treat a newline as end of line.
+
+ The unit tests in test 1654 were done without CRLF and thus didn't quite
+ match the real world. Now they use CRLF as well.
+
+ Reported-by: Peter Wu
+ Assisted-by: Peter Wu
+ Assisted-by: Jay Satiro
+ Fixes #5445
+ Closes #5446
+
+Viktor Szakats (25 May 2020)
+- all: fix codespell errors
+
+ Reviewed-by: Jay Satiro
+ Reviewed-by: Daniel Stenberg
+ Closes https://github.com/curl/curl/pull/5452
+
+Peter Wu (25 May 2020)
+- ngtcp2: fix build with current ngtcp2 master implementing draft 28
+
+ Based on client.cc changes from ngtcp2. Tested with current git master,
+ ngtcp2 commit c77d5731ce92, nghttp3 commit 65ff479d4380.
+
+ Fixes #5444
+ Closes #5443
+
+Daniel Stenberg (25 May 2020)
+- RELEASE-NOTES: synced
+
+ moved the new setopts up to a "change"
+
+- RELEASE-NOTES: synced
+
+- copyright: updated year ranges out of sync
+
+ ... and whitelisted a few more files in the the copyright.pl script.
+
+- [Gilles Vollant brought this change]
+
+ setopt: add CURLOPT_PROXY_ISSUERCERT(_BLOB) for coherency
+
+ Closes #5431
+
+- curl: remove -J "informational" written on stdout
+
+ curl would previously show "curl: Saved to filename 'name from header'"
+ if -J was used and a name was picked from the Content-Disposition
+ header. That output could interfer with other stdout output, such as -w.
+
+ This commit removes that output line.
+ Bug: https://curl.haxx.se/mail/archive-2020-05/0044.html
+ Reported-by: Коваленко Анатолий Викторович
+ Closes #5435
+
+Peter Wu (22 May 2020)
+- travis: simplify quiche build instructions wrt boringssl
+
+ quiche builds boringssl as static library, reuse that instead of
+ building another shared library.
+
+ Closes #5438
+
+- configure: fix pthread check with static boringssl
+
+ A shared boringssl/OpenSSL library requires -lcrypto only for linking.
+ A static build additionally requires `-ldl -lpthread`. In the latter
+ case `-lpthread` is added to LIBS which prevented `-pthread` from being
+ added to CFLAGS. Clear LIBS to fix linking failures for libtest tests.
+
+Daniel Stenberg (22 May 2020)
+- Revert "sendf: make failf() use the mvsnprintf() return code"
+
+ This reverts commit 74623551f306990e70c7c5515b88972005604a74.
+
+ Instead mark the function call with (void). Getting the return code and
+ using it instead triggered Coverity warning CID 1463596 because
+ snprintf() can return a negative value...
+
+ Closes #5441
+
+- typecheck-gcc.h: CURLINFO_PRIVATE does not need a 'char *'
+
+ Reported-by: Billyzou0741326 on github
+ Fixes #5432
+ Closes #5436
+
+- tests/server/util.h: add extern to silence compiler warning
+
+ Follow-up from a3b0699d5c1
+
+- typecheck-gcc.h: fix the OFF_T check
+
+ The option number also needs to be less than CURLOPTTYPE_BLOB.
+
+ Follow-up to cac5374298
+ Reported-by: Jeroen Ooms
+ Bug: https://github.com/curl/curl/pull/5365#issuecomment-631084114
+
+- TODO: --dry-run
+
+ Closes #5426
+
+- TODO: Ratelimit or wait between serial requests
+
+ Closes #5406
+
+- tool_paramhlp: fixup C89 mistake
+
+ Follow-up to c5f0a9db22.
+
+- [Siva Sivaraman brought this change]
+
+ tool_paramhlp: fixed potentially uninitialized strtol() variable
+
+ Seems highly unlikely to actually be possible, but better safe than
+ sorry.
+
+ Closes #5417
+
+- [Siva Sivaraman brought this change]
+
+ tool_operate: fixed potentially uninitialized variables
+
+ ... in curl_easy_getinfo() calls. They're harmless but clearing the
+ variables makes the code safer and comforts the reader.
+
+ Closes #5416
+
+- sha256: move assign to the declaration line
+
+ Follow-up to fae30656. Should've been squashed with that commit...
+
+- [Siva Sivaraman brought this change]
+
+ sha256: fixed potentially uninitialized variable
+
+ Closes #5414
+
+- sendf: make failf() use the mvsnprintf() return code
+
+ ... and avoid a strlen() call. Fixes a MonocleAI warning.
+
+ Reported-by: MonocleAI
+ Fixes #5413
+ Closes #5420
+
+- hostip: make Curl_printable_address not return anything
+
+ It was not used much anyway and instead we let it store a blank buffer
+ in case of failure.
+
+ Reported-by: MonocleAI
+ Fixes #5411
+ Closes #5418
+
+- ftp: mark return-ignoring calls to Curl_GetFTPResponse with (void)
+
+ They're done on purpose, make that visible in the code.
+ Reported-by: MonocleAI
+ Fixes #5412
+ Closes #549
+
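Review bot: "Closes #549" at the end of the "ftp: mark return-ignoring calls to Curl_GetFTPResponse with (void)" entry is a three-digit reference, while the same entry has "Fixes #5412" and the neighbouring entries close #5418 and #5420, so it reads as if a digit was dropped. Since this file is imported under contrib/libs/curl, compare the line against the upstream CHANGES of the release being vendored and keep it byte-identical to upstream rather than correcting it locally; if upstream carries the same text, nothing needs to change here.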
+- TODO: forbid TLS post-handshake auth and do TLS record padding
+
+ Closes #5396
+ Closes #5398
+
+- RELEASE-NOTES: synced
+
+- dynbuf: return NULL when there's no buffer length
+
+ ... as returning a "" is not a good idea as the string is supposed to be
+ allocated and returning a const string will cause issues.
+
+ Reported-by: Brian Carpenter
+ Follow-up to ed35d6590e72c
+ Closes #5405
+
+Peter Wu (16 May 2020)
+- travis: upgrade to bionic, clang-9, improve readability
+
+ Changes, partially to reduce build failures from external dependencies:
+ - Upgrade Ubuntu and drop unnecessary third-party repos.
+ - Properly clone apt config to ensure retries.
+ - Upgrade to clang-9 from the standard repos.
+ - Use Ubuntu 20.04 focal for the libssh build, use of ssh_get_publickey
+ fails on -Werror=deprecated-declarations in Ubuntu 18.04. Do not use
+ focal everywhere yet since Travis CI has not documented this option.
+ In focal, python-impacket (Py2.7) has been removed, leaving only
+ python3-impacket. Since it is only needed for SMB tests and not SSH,
+ skip it for the libssh job since it might need more work.
+ - apt: Remove gcc-8 and libstdc++-8-dev, already installed via g++-8.
+
+ Non-functional cleanups:
+ - Simplify test matrix, drop redundant os and compiler keys.
+ - Deprecation fixes: remove sudo, rename matrix -> jobs.
+ - Every job has an 'env' key, put this key first in a list item.
+
+ Closes #5370
+
+- travis: whitespace-only changes for consistency
+
+ Automatically apply a consistent indentation with:
+
+ python3 -c 'from ruamel.yaml import YAML;y=YAML();d=y.load(open(".travis.yml"));y.width=500;y.dump(d,open(".travis.yml.new","w"))'
+
+ followed by manually re-indenting three comments.
+
+ Closes #5370
+
+- CMake: add libssh build support
+
+ Closes #5372
+
+Daniel Stenberg (15 May 2020)
+- KNOWN_BUGS: wolfssh: publickey auth doesn't work
+
+ Closes #4820
+
+- KNOWN_BUGS: OS400 port requires deprecated IBM library
+
+ Closes #5176
+
+- [Vyron Tsingaras brought this change]
+
+ http2: keep trying to send pending frames after req.upload_done
+
+ Fixes #1410
+ Closes #5401
+
+- [Gilles Vollant brought this change]
+
+ setopt: support certificate options in memory with struct curl_blob
+
+ This change introduces a generic way to provide binary data in setopt
+ options, called BLOBs.
+
+ This change introduces these new setopts:
+
+ CURLOPT_ISSUERCERT_BLOB, CURLOPT_PROXY_SSLCERT_BLOB,
+ CURLOPT_PROXY_SSLKEY_BLOB, CURLOPT_SSLCERT_BLOB and CURLOPT_SSLKEY_BLOB.
+
+ Reviewed-by: Daniel Stenberg
+ Closes #5357
+
+- source cleanup: remove all custom typedef structs
+
+ - Stick to a single unified way to use structs
+ - Make checksrc complain on 'typedef struct {'
+ - Allow them in tests, public headers and examples
+
+ - Let MD4_CTX, MD5_CTX, and SHA256_CTX typedefs remain as they actually
+ typedef different types/structs depending on build conditions.
+
+ Closes #5338
+
+- travis: remove the .checksrc fiddling
+
+- ftp: make domore_getsock() return the secondary socket properly
+
+ Previously, after PASV and immediately after the data connection has
+ connected, the function would only return the control socket to wait for
+ which then made the data connection simply timeout and not get polled
+ correctly. This become obvious when running test 1631 and 1632 event-
+ based.
+
+- test1632: verify FTP through HTTPS-proxy with connection re-use
+
+- test1631: verify FTP download through HTTPS-proxy
+
+- sws: as last resort, get test number from server cmd file
+
+ If it can't be found in the request. Also support --cmdfile to set it to
+ a custom file name.
+
+ runtests.pl always writes this file with the test number in it since a
+ while back.
+
+- ftp: shut down the secondary connection properly when SSL is used
+
+ Reported-by: Neal Poole
+ Fixes #5340
+ Closes #5385
+
+Marcel Raad (14 May 2020)
+- KNOWN_BUGS: adapt 5.5 to recent changes
+
+ It only applies to non-Unicode builds now.
+ Also merge 5.10 into it as it's effectively a duplicate.
+
+ Closes https://github.com/curl/curl/pull/3784
+
+- curl_setup: support Unicode functions to open files on Windows
+
+ Use them only if `_UNICODE` is defined, in which case command-line
+ arguments have been converted to UTF-8.
+
+ Closes https://github.com/curl/curl/pull/3784
+
+- tool: support UTF-16 command line on Windows
+
+ - use `wmain` instead of `main` when `_UNICODE` is defined [0]
+ - define `argv_item_t` as `wchar_t *` in this case
+ - use the curl_multibyte gear to convert the command-line arguments to
+ UTF-8
+
+ This makes it possible to pass parameters with characters outside of
+ the current locale on Windows, which is required for some tests, e.g.
+ the IDN tests. Out of the box, this currently only works with the
+ Visual Studio project files, which default to Unicode, and winbuild
+ with the `ENABLE_UNICODE` option.
+
+ [0] https://devblogs.microsoft.com/oldnewthing/?p=40643
+
+ Ref: https://github.com/curl/curl/issues/3747
+ Closes https://github.com/curl/curl/pull/3784
+
+- curl_multibyte: add to curlx
+
+ This will also be needed in the tool and tests.
+
+ Ref: https://github.com/curl/curl/pull/3758#issuecomment-482197512
+ Closes https://github.com/curl/curl/pull/3784
+
+Daniel Stenberg (14 May 2020)
+- url: make the updated credentials URL-encoded in the URL
+
+ Found-by: Gregory Jefferis
+ Reported-by: Jeroen Ooms
+ Added test 1168 to verify. Bug spotted when doing a redirect.
+ Bug: https://github.com/jeroen/curl/issues/224
+ Closes #5400
+
+- tests: add https-proxy support to the test suite
+
+ Initial test 1630 added with basic HTTPS-proxy use. HTTPS-proxy is like
+ HTTP proxy but with a full TLS connection to the proxy.
+
+ Closes #5399
+
+- mailmap: James Fuller
+
+- [Major_Tom brought this change]
+
+ vauth/cleartext: fix theoretical integer overflow
+
+ Fix theoretical integer overflow in Curl_auth_create_plain_message.
+
+ The security impact of the overflow was discussed on hackerone. We
+ agreed this is more of a theoretical vulnerability, as the integer
+ overflow would only be triggerable on systems using 32-bits size_t with
+ over 4GB of available memory space for the process.
+
+ Closes #5391
+
+Jay Satiro (13 May 2020)
+- curl.1: Quote globbed URLs
+
+ - Quote the globbing example URLs that contain characters [] {} since
+ otherwise they may be interpreted as shell metacharacters.
+
+ Bug: https://github.com/curl/curl/issues/5388
+ Reported-by: John Simpson
+
+ Closes https://github.com/curl/curl/pull/5394
+
+Daniel Stenberg (14 May 2020)
+- checksrc: enhance the ASTERISKSPACE and update code accordingly
+
+ Fine: "struct hello *world"
+
+ Not fine: "struct hello* world" (and variations)
+
+ Closes #5386
+
+- docs/options-in-versions: which version added each cmdline option
+
+ Added test 971 to verify that the list is in sync with the files in
+ cmdline-opts. The check also verifies that .d-files that uses Added:
+ specify the same version number as the options-in-versions file does.
+
+ Closes #5381
+
+- docs: unify protocol lists
+
+ We boast support for 25 transfer protocols. Make sure the lists are
+ consistent
+
+ Closes #5384
+
+- OpenSSL: have CURLOPT_CRLFILE imply CURLSSLOPT_NO_PARTIALCHAIN
+
+ ... to avoid an OpenSSL bug that otherwise makes the CRL check to fail.
+
+ Reported-by: Michael Kaufmann
+ Fixes #5374
+ Closes #5376
+
+- tls13-ciphers.d: shorten the Arg
+
+- sasl-authzid.d: add Arg: and shorten the desc
+
+- cert-type.d: mention the available types in the desc
+
+- tool: shorten 3 --help descriptions
+
+ --happy-eyeballs-timeout-ms, --resolve and --ssl-revoke-best-effort
+
+ gen.pl already warned about these lines but we didn't listen
+
+ Closes #5379
+
+- configure: the wolfssh backend does not provide SCP
+
+ Closes #5387
+
+- RELEASE-NOTES: synced
+
+- url: reject too long input when parsing credentials
+
+ Since input passed to libcurl with CURLOPT_USERPWD and
+ CURLOPT_PROXYUSERPWD circumvents the regular string length check we have
+ in Curl_setstropt(), the input length limit is enforced in
+ Curl_parse_login_details too, separately.
+
+ Reported-by: Thomas Bouzerar
+ Closes #5383
+
+- list-only.d: this option existed already in 4.0
+
+Jay Satiro (12 May 2020)
+- retry-all-errors.d: Shorten the summary line
+
+ Follow-up to b995bb5 from a few moments ago.
+
+ Reported-by: Daniel Stenberg
+
+ Ref: https://github.com/curl/curl/commit/b995bb5#r39108929
+
+- [denzor brought this change]
+
+ easy: fix dangling pointer on easy_perform fail
+
+ Closes https://github.com/curl/curl/pull/5363
+
+- tool: Add option --retry-all-errors to retry on any error
+
+ The "sledgehammer" of retrying.
+
+ Closes https://github.com/curl/curl/pull/5185
+
+Daniel Stenberg (12 May 2020)
+- [James Le Cuirot brought this change]
+
+ libcurl.pc: Merge Libs.private into Libs for static-only builds
+
+ A project being built entirely statically will call pkg-config with
+ --static, which utilises the Libs.private field. Conversely it will
+ not use --static when not being built entirely statically, even if
+ there is only a static build of libcurl available. This will most
+ likely cause the build to fail due to underlinking unless we merge the
+ Libs fields.
+
+ Consider that this is what the Meson build system does when it
+ generates pkg-config files.
+
+ I have also reflected this in the --libs argument of curl-config even
+ though REQUIRE_LIB_DEPS always seems to be "yes" anyway.
+
+ Closes #5373
+
+- [Peter Wu brought this change]
+
+ CMake: fix runtests.pl with CMake, add new test targets
+
+ * runtests.pl:
+ - Fix out-of-tree build under CMake when srcdir is not set. Default
+ srcdir to the location of runtests.pl.
+ - Add a hack to allow CMake to use the TFLAGS option as documented
+ in tests/README and used in scripts/travis/script.sh.
+ * Bump CMake version to 3.2 for USES_TERMINAL, dropping Debian Jessie
+ support (no one should care, it is already EOL.).
+ * Remove CTest since it defines its own 'test' target with no tests
+ since all unittests are already broken and not built by default.
+ * Add new test targets based on the options from Makefile.am. Since
+ new test targets are rarely added, I opted for duplicating the
+ runtests.pl options as opposed to creating a new Makefile.inc file.
+ Use top-level target names (test-x) instead of x-test since that is
+ used by CI and others.
+
+ Closes #5358
+
+- [Peter Wu brought this change]
+
+ CMake: do not build test programs by default
+
+ The default target should only build libcurl and curl. Add a dedicated
+ 'testdeps' target which will be used later when running tests. Note that
+ unittests are currently broken in CMake and already excluded.
+
+ Closes #5368
+
+- FILEFORMAT: moved up the variables section and further polished
+
+- runtests: remove ftp2 support, not used
+
+ We once supported two separate ftp instances in the test suite. Has not
+ been used the last decade.
+
+ Closes #5375
+
+- url: sort the protocol schemes in rough popularity order
+
+ When looking for a protocol match among supported schemes, check the
+ most "popular" schemes first. It has zero functionality difference and
+ for all practical purposes a speed difference will not be measureable
+ but it still think it makes sense to put the least likely matches last.
+
+ "Popularity" based on the 2019 user survey.
+
+ Closes #5377
+
+Marc Hoersken (11 May 2020)
+- test1238: avoid tftpd being busy for tests shortly following
+
+ The tftpd server may still be busy if the total timeout of
+ 25 seconds has not been reached or no sread error was received
+ during or after the execution of the timeout test 1238.
+
+ Once the next TFTP test comes around (eg. 1242 or 1243),
+ those will fail because the tftpd server is still waiting
+ on data from curl due to the UDP protocol being stateless
+ and having no connection close. On Linux this error may not
+ happen, because ICMP errors generated due to a swrite error
+ can also be returned async on the next sread call instead.
+
+ Therefore we will now just kill the tftpd server after test
+ 1238 to make sure that the following tests are not affected.
+
+ This enables us to no longer ignore tests 1242, 1243, 2002
+ and 2003 on the CI platforms CirrusCI and AppVeyor.
+
+ Assisted-by: Peter Wu
+ Closes #5364
+
+Daniel Stenberg (11 May 2020)
+- write-out.d: added "response_code"
+
+- KNOWN_BUGS: Build with staticly built dependency
+
+ I rewrote the item 5.4 to be more generic about static dependencies.
+
+- ROADMAP: remove old entries
+
+ MQTT - the start has already landed
+
+ tiny-curl - also mostly landed and is a continuous work
+
+ make menuconfig - basically no interest from users, not pushing there
+
+- [Peter Wu brought this change]
+
+ travis: Add ngtcp2 and quiche tests for CMake
+
+ To avoid an explosion of jobs, extend the existing CMake tests with
+ ngtcp2 and quiche support. macOS was previously moved to GitHub actions,
+ so the non-Linux case can be dropped.
+
+- [Peter Wu brought this change]
+
+ CMake: add ENABLE_ALT_SVC option
+
+ Tested alt-svc with quiche. While at it, add missing MultiSSL reporting
+ (not tested).
+
+- [Peter Wu brought this change]
+
+ CMake: add HTTP/3 support (ngtcp2+nghttp3, quiche)
+
+ Add three new CMake Find modules (using the curl license, but I grant
+ others the right to apply the CMake BSD license instead).
+
+ This CMake config is simpler than the autotools one because it assumes
+ ngtcp2 and nghttp3 to be used together. Another difference is that this
+ CMake config checks whether QUIC is actually supported by the TLS
+ library (patched OpenSSL or boringssl) since this can be a common
+ configuration mistake that could result in build errors later.
+
+ Unlike autotools, CMake does not warn you that the features are
+ experimental. The user is supposed to already know that and read the
+ documentation. It requires a very special build environment anyway.
+
+ Tested with ngtcp2+OpenSSL+nghttp3 and quiche+boringssl, both built from
+ current git master. Use `LD_DEBUG=files src/curl |& grep need` to figure
+ out which features (libldap-2.4, libssh2) to disable due to conflicts
+ with boringssl.
+
+ Closes #5359
+
+Marc Hoersken (10 May 2020)
+- tests/server/tftpd.c: fix include and enhance debug logging
+
+ setjmp.h should only be included if HAVE_SETJMP_H is defined.
+
+ Add additional log statements to see wether reads and writes
+ are blocking or finishing before an alarm signal is received.
+
+ Assisted-by: Peter Wu
+ Part of #5364
+
+Daniel Stenberg (10 May 2020)
+- tool_operate: only set CURLOPT_SSL_OPTIONS if SSL support is present
+
+ Reported-by: Marcel Raad
+ Follow-up to 148534db5
+ Fixes #5367
+ Closes #5369
+
+Marc Hoersken (9 May 2020)
+- appveyor: update comments to be clear about toolchain
+
+ - CMake-based MSYS builds use mingw-w64 to cross-compile.
+ - autotools-based builds are compiled using msys2-devel.
+
+ The difference is that the later ones are not cross-compiled
+ to Windows and instead require the msys2 runtime to be present.
+
+ At the moment only the Azure Pipelines CI builds actually
+ run autotools-based cross-compilation builds for Windows.
+
+- TODO: update regarding missing Schannel features
+
+ Some aspects have already been implemented over the years.
+
+ 15.1 Client certificates are now supported:
+
+ - System stores via e35b0256eb34f1fe562e3e2a2615beb50a391c52
+ - PKCS#12 files via 0fdf96512613574591f501d63fe49495ba40e1d5
+
+ 15.2 Ciphers can now be specified through:
+
+ - Algorithms via 9aefbff30d280c60fc9d8cc3e0b2f19fc70a2f28
+
+ Reviewed-by: Daniel Stenberg and Marcel Raad
+ Closes #5358
+
+Daniel Stenberg (8 May 2020)
+- checksrc: close the .checksrc file handle when done reading
+
+- RELEASE-NOTES: synced
+
+ And bumped next version to 7.71.0
+
+- [Gilles Vollant brought this change]
+
+ CURLOPT_SSL_OPTIONS: add *_NATIVE_CA to use Windows CA store (with openssl)
+
+ Closes #4346
+
+- TODO: native IDN support on macOS
+
+- urlapi: accept :: as a valid IPv6 address
+
+ Text 1560 is extended to verify.
+
+ Reported-by: Pavel Volgarev
+ Fixes #5344
+ Closes #5351
+
+- THANKS-filter: Peter Wang
+
+- [Peter Wang brought this change]
+
+ *_sspi: fix bad uses of CURLE_NOT_BUILT_IN
+
+ Return CURLE_AUTH_ERROR instead of CURLE_NOT_BUILT_IN for other
+ instances of QuerySecurityPackageInfo failing, as in
+ commit 2a81439553286f12cd04a4bdcdf66d8e026d8201.
+
+ Closes #5355
+
+- docs/HTTP3: add qlog to the quiche build instruction
+
+- ngtcp2: introduce qlog support
+
+ If the QLOGDIR environment variable is set, enable qlogging.
+
+ ... and create Curl_qlogdir() in the new generic vquic/vquic.c file for
+ QUIC functions that are backend independent.
+
+ Closes #5353
+
+- ntlm_sspi: fix bad use of CURLE_NOT_BUILT_IN
+
+ That return code is reserved for build-time conditional code not being
+ present while this was a regular run-time error from a Windows API.
+
+ Reported-by: wangp on github
+ Fixes #5349
+ Closes #5350
+
+- runtests: show elapsed test time with higher precision (ms)
+
+- RELEASE-NOTES: synced
+
+- http2: simplify and clean up trailer handling
+
+ Triggered by a crash detected by OSS-Fuzz after the dynbuf introduction in
+ ed35d6590e72. This should make the trailer handling more straight forward and
+ hopefully less error-prone.
+
+ Deliver the trailer header to the callback already at receive-time. No
+ longer caches the trailers to get delivered at end of stream.
+
+ Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22030
+ Closes #5348
+
+Marc Hoersken (7 May 2020)
+- appveyor: disable test 1139 instead of ignoring it
+
+ Spending time on manpage checking makes no sense
+ for these builds due to lacking manpage support.
+
+- appveyor: disable flaky test 1501 and ignore broken 1056
+
+ Test 1501 is flaky on Windows CI due to being time sensitive
+ and the testsuite relying on taskkill.exe to check for the
+ existance of processes which can take to much time itself.
+
+ Test 1056 is broken in autotools-based Windows builds due
+ to scope ID support missing in these builds at the moment.
+
+- test613.pl: make tests 613 and 614 work with OpenSSH for Windows
+
+ OpenSSH for Windows shows group and other/world permissions as *,
+ because those concepts do not exist on Windows. It also does not
+ show the current or parent directory, so we just ignore those.
+
+ Reviewed-by: Daniel Stenberg
+ Closes #5328
+
+Daniel Stenberg (6 May 2020)
+- runtests: set +x mode again
+
+- libssh2: convert over to use dynbuf
+
+ In my very basic test that lists sftp://127.0.0.1/tmp/, this patched
+ code makes 161 allocations compared to 194 in git master. A 17%
+ reduction.
+
+ Closes #5336
+
+- travis: add "qlog" as feature in the quiche build
+
+- quiche: enable qlog output
+
+ quiche has the potential to log qlog files. To enable this, you must
+ build quiche with the qlog feature enabled `cargo build --features
+ qlog`. curl then passes a file descriptor to quiche, which takes
+ ownership of the file. The FD transfer only works on UNIX.
+
+ The convention is to enable logging when the QLOGDIR environment is
+ set. This should be a path to a folder where files are written with the
+ naming template <SCID>.qlog.
+
+ Co-authored-by: Lucas Pardue
+ Replaces #5337
+ Closes #5341
+
+- urldata.h: remove #define HEADERSIZE, not used anymore
+
+ Follow-up to ed35d6590e72c
+
+- ngtcp2: convert to dynbuf
+
+ Closes #5335
+
+- connect: make happy eyeballs work for QUIC (again)
+
+ Follow-up from dbd16c3e256c6c (regression in 7.70.0)
+
+ Closes #5334
+
+- connect: add two asserts to clue code analyzers in a little
+
+- http_proxy: ported to use dynbuf instead of a static size buffer
+
+ Removes a 16K static buffer from the easy handle. Simplifies the code.
+
+- dynbuf: introduce internal generic dynamic buffer functions
+
+ A common set of functions instead of many separate implementations for
+ creating buffers that can grow when appending data to them. Existing
+ functionality has been ported over.
+
+ In my early basic testing, the total number of allocations seem at
+ roughly the same amount as before, possibly a few less.
+
+ See docs/DYNBUF.md for a description of the API.
+
+ Closes #5300
+
+- runtests: remove sleep calls
+
+ Remove many one second sleeps that were done *after* each newly started
+ test server already has been verified. They should not have any purpose
+ there.
+
+ Closes #5323
+
+- asyn-*: remove support for never-used NULL entry pointers
+
+ ... and instead convert those to asserts to make sure they are truly
+ never NULL.
+
+ Closes #5324
+
+- [Emil Engler brought this change]
+
+ doc: Rename VERSIONS to VERSIONS.md as it already has Markdown syntax
+
+ Closes #5325
+
+Jay Satiro (2 May 2020)
+- asyn-thread: fix cppcheck warning
+
+ - Check for NULL entry parameter before attempting to deref entry in
+ Curl_resolver_is_resolved, like is already done in asyn-ares.
+
+ This is to silence cppcheck which does not seem to understand that
+ asyn-ares and asyn-thread have separate Curl_resolver_is_resolved
+ and those units are mutually exclusive. Prior to this change it warned
+ of a scenario where asyn-thread's Curl_resolver_is_resolved is called
+ with a NULL entry from asyn-ares, but that couldn't happen.
+
+ Reported-by: rl1987@users.noreply.github.com
+
+ Fixes https://github.com/curl/curl/issues/5326
+
+- select: fix overflow protection in Curl_socket_check
+
+ Follow-up to a96c752 which changed the timeout_ms type from time_t to
+ timediff_t.
+
+ Ref: https://github.com/curl/curl/pull/5240
+
+ Closes https://github.com/curl/curl/pull/5286
+
+Marc Hoersken (2 May 2020)
+- sockfilt: make select_ws stop waiting on exit signal event
+
+ This makes sure that select_ws behaves similar to real select
+ which stops waiting on a signal handler being triggered.
+
+ This makes it possible to gracefully stop sockfilt.exe on
+ Windows with taskkill /IM sockfilt.exe (without /F force flag).
+
+ Reviewed-by: Jay Satiro
+ Part of #5260
+
+- tests/server/util.[ch]: add exit event to stop waiting on Windows
+
+ This commit adds a global exit event to the test servers that
+ Windows-specific wait routines can use to get triggered if the
+ program was signaled to be terminated, eg. select_ws in sockfilt.c
+
+ The exit event will be managed by the signal handling code and is
+ set to not reset automatically to support multiple wait routines.
+
+ Reviewed-by: Jay Satiro
+ Closes #5260
+
+- tests/server/util.c: fix thread handle not being closed
+
+ Reviewed-by: Jay Satiro
+ Part of #5260
+
+- tests/server/util.c: use raise instead of calling signal handler
+
+ Use raise to trigger signal handler instead of calling it
+ directly and causing potential unexpected control flow.
+
+ Reviewed-by: Jay Satiro
+ Part of #5260
+
+- tests: add support for SSH server variant specific transfer paths
+
+ OpenSSH for Windows requires paths in the format of /C:/
+ instead of the pseudo-POSIX paths /cygdrive/c/ or just /c/
+
+ Reviewed-by: Daniel Stenberg
+ Closes #5298
+
+Daniel Stenberg (2 May 2020)
+- RELEASE-NOTES: synced
+
+- libssh2: set the expected total size in SCP upload init
+
+ ... as otherwise the progress callback gets called without that
+ information, making the progress meter have less info.
+
+ Reported-by: Murugan Balraj
+ Bug: https://curl.haxx.se/mail/archive-2020-05/0000.html
+ Closes #5317
+
+- runtests: make the logmsg from the ssh server only show in verbose
+
+- tests: make test 1248 + 1249 use %NOLISTENPORT
+
+ ... instead of a port of a non-running server so that it works
+ stand-alone.
+
+ Closes #5318
+
+- examples: remove asiohiper.cpp
+
+ This example has repeatedly been reported to contain bugs, and as users
+ copy and paste code from this into production, I now deem it better to
+ not provide the example at all.
+
+ Closes #5090
+ Closes #5322
+
+- [Emil Engler brought this change]
+
+ doc: add missing closing parenthesis in CURLINFO_SSL_VERIFYRESULT.3
+
+ Closes #5320
+
+- [Emil Engler brought this change]
+
+ KNOWN_BUGS: Remove "curl --upload-file . hang if delay in STDIN"
+
+ It was fixed in 9a2cbf3
+
+ Closes #5319
+
+- cirrus: disable SFTP and SCP tests
+
+ ... as we can't seem to start the sshd server on it. Those problems
+ existed before d1239b50bececd (running the SSH server on a random port),
+ but they're more noticable now since there are more failed attempts in
+ the logs.
+
+ Closes #5315
+
+- [Emil Engler brought this change]
+
+ runtests: fix typo in the existence of disabled tests checker
+
+ Closes #5316
+
+Dan Fandrich (30 Apr 2020)
+- test75: Remove precheck test
+
+ This has not been needed since commit 9fa42bed and often prevents it
+ from running at all with dynamic test ports.
+
+- tests: Stop referring to server ports when they're not used
+
+ Several tests referred to specific server ports even when the test
+ didn't actually use that server or specify that it's needed. In such
+ cases, the test harness substitutes the text "[not running]" as the port
+ number which causes many such tests to fail due to the inability to
+ parse the URL. These tests are changed to use %NOLISTENPORT which will
+ always be substituted correctly.
+
+Daniel Stenberg (30 Apr 2020)
+- [Emil Engler brought this change]
+
+ GnuTLS: Backend support for CURLINFO_SSL_VERIFYRESULT
+
+ Closes #5287
+
+- conncache: various concept cleanups
+
+ More connection cache accesses are protected by locks.
+
+ CONNCACHE_* is a beter prefix for the connection cache lock macros.
+
+ Curl_attach_connnection: now called as soon as there's a connection
+ struct available and before the connection is added to the connection
+ cache.
+
+ Curl_disconnect: now assumes that the connection is already removed from
+ the connection cache.
+
+ Ref: #4915
+ Closes #5009
+
+- tests: tests: run stunnel for HTTPS and FTPS on dynamic ports
+
+ As stunnel is an external tool and it has no specific option to export
+ the actually used port number when asked to listen to 0, runtests
+ instead iterates over ten randomly picked high number ports and sticks
+ to the first one stunnel can listen to.
+
+ Closes #5267
+
+- tests: pick a random port number for SSH
+
+ Since sshd doesn't have such an option by itself, we iterate over a
+ series of random ports until one works.
+
+ Closes #5273
+
+- [Rikard Falkeborn brought this change]
+
+ libtest/cmake: Remove commented code
+
+ These were commented out in e9dd0998706a when Makefile.inc was included
+ instead. 11 years have passed since then and the commented code is of
+ course very outdated. Remove it to avoid confusion.
+
+ Closes #5311
+
+- schannel: source code reindent
+
+ White space edits only. Conform better to standard curl source code
+ indenting style.
+
+ Closes #5305
+
+Kamil Dudka (29 Apr 2020)
+- test1177: look for curl.h in source directory
+
+ If we use a separate build directory, there is no copy of the header.
+
+ Closes #5310
+
+- tests: look for preprocessed tests in build directory
+
+ ... which is not always the same directory as source directory
+
+ Closes #5310
+
+Daniel Stenberg (29 Apr 2020)
+- RELEASE-NOTES: synced
+
+ ... and bumped curlver.h to 7.70.1
+
+Version 7.70.0 (29 Apr 2020)
+
+Daniel Stenberg (29 Apr 2020)
+- RELEASE-NOTES: 7.70.0
+
+- THANKS: synced with the 7.70.0 release
+
+- headers: copyright range fix
+
+- [Rikard Falkeborn brought this change]
+
+ doh: Constify some input pointers
+
+ Closes #5306
+
+- nss: check for PK11_CreateDigestContext() returning NULL
+
+ ... to avoid crashes!
+
+ Reported-by: Hao Wu
+ Fixes #5302
+ Closes #5303
+
+- travis: bump the wolfssl CI build to use 4.4.0
+
+ Closes #5301
+
+- copyright updates: adjust year ranges
+
+Marc Hoersken (26 Apr 2020)
+- CI: do not include */ci branches in PR builds
+
+ Align Azure Pipelines with GitHub Actions.
+
+Daniel Stenberg (25 Apr 2020)
+- runtests: check for the disabled tests relative srcdir
+
+ To make it work correctly for out-of-tree builds.
+
+ Follow-up to 75e8feb6fb08b
+
+ Bug: https://github.com/curl/curl/pull/5288#issuecomment-619346389
+ Reported-by: Marcel Raad
+ Closes #5297
+
+- runtests: revert commenting out a line I did for debugging
+
+ Follow-up to 11091cd4d. It was not meant to be pushed!
+
+- smtp: set auth correctly
+
+ Regression since 7.69.0 and 68fb25fa3fcff.
+
+ The code wrongly assigned 'from' instead of 'auth' which probably was a
+ copy and paste mistake from other code, leading to that auth could
+ remain NULL and later cause an error to be returned.
+
+ Assisted-by: Eric Sauvageau
+ Fixes #5294
+ Closes #5295
+
+Marcel Raad (25 Apr 2020)
+- lib: clean up whitespace
+
+ This fixes CodeFactor warnings.
+
+Daniel Stenberg (25 Apr 2020)
+- [Anderson Toshiyuki Sasaki brought this change]
+
+ libssh: avoid options override by configuration files
+
+ Previously, options set explicitly through command line options could be
+ overridden by the configuration files parsed automatically when
+ ssh_connect() was called.
+
+ By calling ssh_options_parse_config() explicitly, the configuration
+ files are parsed before setting the options, avoiding the options
+ override. Once the configuration files are parsed, the automatic
+ configuration parsing is not executed.
+
+ Fixes #4972
+ Closes #5283
+ Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
+
+- runtests: when <killserver> mentions http, kill http/2 too
+
+ Since the http2 test server is a mere proxy that needs to know about the
+ dynamic port the HTTP server is using, it too needs to get restarted
+ when the http server is killed.
+
+ A regression caused by 80d6515.
+
+ Fixes #5289
+ Closes #5291
+
+- [Yuri Slobodyanyuk brought this change]
+
+ docs: fix two typos
+
+ Closes #5292
+
+- [Emil Engler brought this change]
+
+ tests/git: ignore mqttd and port files
+
+ Closes #5290
+
+- tests: make runtests check that disabled tests exists
+
+ ... and error out if so. Removed '536' from DISABLED as there is no such
+ test file.
+
+ Closes #5288
+
+- test1154: set a proper name
+
+- select: make Curl_socket_check take timediff_t timeout
+
+ Coverity found CID 1461718:
+
+ Integer handling issues (CONSTANT_EXPRESSION_RESULT) "timeout_ms >
+ 9223372036854775807L" is always false regardless of the values of its
+ operands. This occurs as the logical second operand of "||".
+
+ Closes #5240
+
+- [i-ky brought this change]
+
+ libcurl-multi.3: added missing full stop
+
+ Closes #5285
+
+Jay Satiro (22 Apr 2020)
+- transfer: Switch PUT to GET/HEAD on 303 redirect
+
+ Prior to this change if there was a 303 reply to a PUT request then
+ the subsequent request to respond to that redirect would also be a PUT.
+ It was determined that was most likely incorrect based on the language
+ of the RFCs. Basically 303 means "see other" resource, which implies it
+ is most likely not the same resource, therefore we should not try to PUT
+ to that different resource.
+
+ Refer to the discussions in #5237 and #5248 for more information.
+
+ Fixes https://github.com/curl/curl/issues/5237
+ Closes https://github.com/curl/curl/pull/5248
+
+Daniel Stenberg (22 Apr 2020)
+- lib/mk-ca-bundle: skip empty certs
+
+ Reviewed-by: Emil Engler
+ Reported-by: Ashwin Metpalli
+ Fixes #5278
+ Closes #5280
+
+- version: skip idn2_check_version() check and add precaution
+
+ A gcc-10's -fanalyze complaint made me spot and do these improvements.
+
+ Closes #5281
+
+- RELEASE-NOTES: synced
+
+- [Brian Bergeron brought this change]
+
+ curl.h: update comment typo
+
+ "routines with be invoked" -> "routines will be invoked"
+
+ Closes #5279
+
+- [Emil Engler brought this change]
+
+ GnuTLS: Don't skip really long certificate fields
+
+ Closes #5271
+
+- gnutls: bump lowest supported version to 3.1.10
+
+ GnuTLS 3.1.10 added new functions we want to use. That version was
+ released on Mar 22, 2013. Removing support for older versions also
+ greatly simplifies the code.
+
+ Ref: #5271
+ Closes #5276
+
+- mqtt: make NOSTATE get within the debug name array
+
+- tests: run the RTSP test server on a dynamic port number
+
+ To avoid port collisions.
+
+ Closes #5272
+
+- tests: add %NOLISTENPORT and use it
+
+ The purpose with this variable is to provide a port number that is
+ reasonably likely to not have a listener on the local host so that tests
+ can try connect failures against it. It uses port 47 - "reserved"
+ according to IANA.
+
+ Updated six tests to use it instead of the previous different ports.
+
+ Assisted-by: Emil Engler
+ Closes #5270
+
+- mqtt: remove code with no purpose
+
+ Detected by Coverity. CID 1462319.
+
+ "The same code is executed when the condition result is true or false,
+ because the code in the if-then branch and after the if statement is
+ identical."
+
+ Closes #5275
+
+- mqtt: fix Curl_read() error handling while reading remaining length
+
+ Detected by Coverity. CID 1462320.
+
+ Closes #5274
+
+- server/tftpd: fix compiler warning
+
+ Follow-up from 369ce38ac1d
+ Reported-by: Marc Hörsken
+
+- http: free memory when Alt-Used header creation fails due to OOM
+
+ Reported-by: James Fuller
+ Fixes #5268
+ Closes #5269
+
+Daniel Gustafsson (20 Apr 2020)
+- lib: fix typos in comments and errormessages
+
+ This fixes a few randomly spotted typos in recently merged code, most
+ notably one in a userfacing errormessage the schannel code.
+
+Daniel Stenberg (20 Apr 2020)
+- tests: run the SOCKS test server on a dynamic port number
+
+ Closes #5266
+
+- [Johannes Schindelin brought this change]
+
+ multi-ssl: reset the SSL backend on `Curl_global_cleanup()`
+
+ When cURL is compiled with support for multiple SSL backends, it is
+ possible to configure an SSL backend via `curl_global_sslset()`, but
+ only *before* `curl_global_init()` was called.
+
+ If another SSL backend should be used after that, a user might be
+ tempted to call `curl_global_cleanup()` to start over. However, we did
+ not foresee that use case and forgot to reset the SSL backend in that
+ cleanup.
+
+ Let's allow that use case.
+
+ Fixes #5255
+ Closes #5257
+ Reported-by: davidedec on github
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- tests: run the TFTP test server on a dynamic port number
+
+ Picking a dynamic unused port is better than a fixed to avoid the
+ collision risk.
+
+ Closes #5265
+
+- mqtt: improve the state machine
+
+ To handle PUBLISH before SUBACK and more.
+
+ Updated the existing tests and added three new ones.
+
+ Reported-by: Christoph Krey
+ Bug: https://curl.haxx.se/mail/lib-2020-04/0021.html
+ Closes #5246
+
+- runtests: always put test number in servercmd file
+
+- RELEASE-NOTES: synced
+
+- release-notes.pl: fix parsing typo
+
+James Fuller (20 Apr 2020)
+- ensure all references to ports are replaced by vars
+
+- add more alt-svc test coverage
+
+Daniel Stenberg (20 Apr 2020)
+- test1247: use http server to get the port number set
+
+ Follow-up to 0f5db7b263f
+
+- runtests: use a unix domain socket path with the pid in the name
+
+ To make it impossible for test cases to access the file name without
+ using the proper variable for the purpose.
+
+ Closes #5264
+
+Daniel Gustafsson (19 Apr 2020)
+- [Mipsters on github brought this change]
+
+ src: Remove C99 constructs to ensure C89 compliance
+
+ This fixes the error: 'for' loop initial declaration used outside C99
+ mode by declaring the loop increment variable in the beginning of the
+ block instead of inside the for loop.
+
+ Fixes #5254
+ Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
+
+Daniel Stenberg (19 Apr 2020)
+- runtests: dummy init the ports variables to avoid warnings
+
+ ... and generate something that can help debug test cases.
+
+- [Patrick Monnerat brought this change]
+
+ mime: properly check Content-Type even if it has parameters
+
+ New test 669 checks this fix is effective.
+
+ Fixes #5256
+ Closes #5258
+ Reported-by: thanhchungbtc on github
+
+- tests/FILEFORMAT: converted to markdown and extended
+
+ Closes #5261
+
+- test1245: make it work with dynamic FTP server port
+
+- test1055: make it work with dynamic FTP port
+
+- test1028: make it run on dynamic FTP server port
+
+- tests: move pingpong server to dynamic listening port
+
+ FTP, IMAP, POP3, SMTP and their IPv6 versions are now all on dynamic
+ ports
+
+ Test 842-845 are unfortunately a bit hard to move over to this concept
+ right now and require "default port" still...
+
+- test1056: work with dynamic HTTP ipv6 port
+
+- test1448: work with dynamic HTTP server port
+
+- tests: introduce preprocessed test cases
+
+ The runtests script now always performs variable replacement on the
+ entire test source file before the test gets executed, and saves the
+ updated version in a temporary file (log/test[num]) so that all test
+ case readers/servers can use that version (if present) and thus enjoy
+ the powers of test case variable substitution.
+
+ This is necessary to allow complete port number freedom.
+
+ Test 309 is updated to work with a non-fixed port number thanks to this.
+
+- tests: make 2006-2010 handle different port number lengths
+
+- tests: run the sws server on "any port"
+
+ Makes the test servers for HTTP and Gopher pop up on a currently unused
+ port and runtests adapts to that!
+
+ Closes #5247
+
+Marc Hoersken (18 Apr 2020)
+- sockfilt: tidy variable naming and data structure in select_ws
+
+ This commit does not introduce any logical changes to the code.
+
+ Reviewed-by: Jay Satiro and Marcel Raad
+ Closes #5238
+
+Daniel Stenberg (17 Apr 2020)
+- [Anderson Toshiyuki Sasaki brought this change]
+
+ libssh: Use new ECDSA key types to check known hosts
+
+ From libssh 0.9.0, ssh_key_type() returns different key types for ECDSA
+ keys depending on the curve.
+
+ Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
+ Fixes #5252
+ Closes #5253
+
+Marcel Raad (17 Apr 2020)
+- appveyor: add Unicode winbuild jobs
+
+ These are cheap as they don't build tests.
+
+ Closes https://github.com/curl/curl/pull/5063
+
+Daniel Stenberg (16 Apr 2020)
+- mqttd: s/errno/SOCKERRNO
+
+ To behave proper on Windows
+ Reported-by: Gisle Vanem
+ Bug: https://github.com/curl/curl/commit/5e855bbd18f84a02c951be7cac6188276818cdac#r38507132
+ Closes #5241
+
+- buildconf: use find -execdir instead, remove -print and the ares files
+
+ Follow-up to 1e41bec96a6e
+
+ Suggested-by: Marc Hörsken
+
+- [Alexander V. Tikhonov brought this change]
+
+ buildconf: avoid using tempfile when removing files
+
+ Closes #5213
+
+- copyright: bump the copyright year range
+
+- scripts/release-notes.pl: accept colon after the Fixes/Closes keywords
+
+- [JP Mens brought this change]
+
+ docs/MQTT: replace confusing 80 by 75
+
+ I was a bit surprised by the `80`: first thought: what's HTTP doing
+ here? ;)
+
+ Closes #5236
+
+- [Brad King brought this change]
+
+ cmake: Avoid MSVC C4273 warnings in send/recv checks
+
+ We use `check_c_source_compiles` to check possible send/recv signatures
+ by reproducing the forward declarations from system headers. On Windows
+ the `winsock2.h` header adds dll linkage settings to its forward
+ declaration. If ours does not match the compiler warns:
+
+ warning C4273: 'recv': inconsistent dll linkage
+
+ Add `WINSOCK_API_LINKAGE` to our test signatures when it is defined so
+ that our linkage is consistent with that from `winsock2.h`.
+
+ Fixes #4764
+ Closes #5232
+
+Jay Satiro (14 Apr 2020)
+- KNOWN_BUGS: Add entry 'Blocking socket operations'
+
+ - Add threaded resolver cleanup and GSSAPI for FTP to the TODO list of
+ known blocking operations.
+
+ - New known bugs entry 'Blocking socket operations in non-blocking API'
+ that directs to the TODO's list of known blocking operations.
+
+ Ref: https://github.com/curl/curl/pull/5214#issuecomment-612488021
+
+ Reported-by: Marc Hoersken
+
+ Closes https://github.com/curl/curl/pull/5216
+
+Marc Hoersken (14 Apr 2020)
+- test2043: use revoked.badssl.com instead of revoked.grc.com
+
+ The certificate of revoked.grc.com has expired on 2020-04-13.
+
+ Reviewed-by: Jay Satiro
+
+ Closes #5233
+
+- sockfilt: fix broken pipe on Windows to be ready in select_ws
+
+ Closes #5228
+
+Daniel Stenberg (14 Apr 2020)
+- RELEASE-NOTES: synced
+
+- scripts/release-notes: fix duplicate output header
+
+- github/workflow: enable MQTT in the macOS debug build
+
+- azure: add mqtt support to one of the Windows builds
+
+- travis: add mqtt job on Linux
+
+- tests: add four MQTT tests 1190 - 1193
+
+- tests: add the mqtt test server mqttd
+
+- tests: support hex encoded data and mqtt server
+
+ The mqtt server is started using a "random" port.
+
+- [Björn Stenberg brought this change]
+
+ mqtt: add new experimental protocol
+
+ Closes #5173
+
+- TODO: Consider convenience options for JSON and XML?
+
+ Closes #5203
+
+- tool: do not declare functions with Curl_ prefix
+
+ To avoid collision risks with private libcurl symbols when linked with
+ static versions (or just versions not hiding internal symbols).
+
+ Reported-by: hydra3333 on github
+ Fixes #5219
+ Closes #5234
+
+- [Nathaniel R. Lewis brought this change]
+
+ cmake: add aliases so exported target names are available in tree
+
+ Reviewed-by: Brad King
+ Closes #5206
+
+- version: increase buffer space for ssl version output
+
+ To avoid it getting truncated, especially when several SSL backends are
+ built-in.
+
+ Reported-by: Gisle Vanem
+ Fixes #5222
+ Closes #5226
+
+Marc Hoersken (13 Apr 2020)
+- cirrus: no longer ignore test 504 which is working again
+
+ The test is working again, because TCP blackholing is disabled.
+
+- appveyor: completely disable tests that fail to timeout early
+
+ The tests changed from ignored to disabled are tests that are
+ about connecting to non-listening socket. On AppVeyor these
+ tests are not reliable, because for some unknown reason the
+ connect is not timing out before the test time limit is reached.
+
+Daniel Stenberg (13 Apr 2020)
+- test1908: avoid using fixed port number in test data
+
+ Closes #5225
+
+Jay Satiro (12 Apr 2020)
+- [Andrew Kurushin brought this change]
+
+ schannel: Fix blocking timeout logic
+
+ - Fix schannel_send for the case when no timeout was set.
+
+ Prior to this change schannel would error if the socket was not ready
+ to send data and no timeout was set.
+
+ This commit is similar to parent commit 89dc6e0 which recently made the
+ same change for SOCKS, for the same reason. Basically it was not well
+ understood that when Curl_timeleft returns 0 it is not a timeout of 0 ms
+ but actually means no timeout.
+
+ Fixes https://github.com/curl/curl/issues/5177
+ Closes https://github.com/curl/curl/pull/5221
+
+- socks: Fix blocking timeout logic
+
+ - Document in Curl_timeleft's comment block that returning 0 signals no
+ timeout (ie there's infinite time left).
+
+ - Fix SOCKS' Curl_blockread_all for the case when no timeout was set.
+
+ Prior to this change if the timeout had a value of 0 and that was passed
+ to SOCKET_READABLE it would return right away instead of blocking. That
+ was likely because it was not well understood that when Curl_timeleft
+ returns 0 it is not a timeout of 0 ms but actually means no timeout.
+
+ Ref: https://github.com/curl/curl/pull/5214#issuecomment-612512360
+
+ Closes https://github.com/curl/curl/pull/5220
+
+- [Marc Hoersken brought this change]
+
+ gopher: check remaining time left during write busy loop
+
+ Prior to this change gopher's blocking code would block forever,
+ ignoring any set timeout value.
+
+ Assisted-by: Jay Satiro
+ Reviewed-by: Daniel Stenberg
+
+ Similar to #5220 and #5221
+ Closes #5214
+
+Daniel Stenberg (13 Apr 2020)
+- [Dirkjan Bussink brought this change]
+
+ gnutls: ensure TLS 1.3 when SRP isn't requested
+
+ When SRP is requested in the priority string, GnuTLS will disable
+ support for TLS 1.3. Before this change, curl would always add +SRP to
+ the priority list, effectively always disabling TLS 1.3 support.
+
+ With this change, +SRP is only added to the priority list when SRP
+ authentication is also requested. This also allows updating the error
+ handling here to not have to retry without SRP. This is because SRP is
+ only added when requested and in that case a retry is not needed.
+
+ Closes #5223
+
+Marc Hoersken (12 Apr 2020)
+- tests/server: add hidden window to gracefully handle WM_CLOSE
+
+ Forward Window events as signals to existing signal event handler.
+
+- tests/server: add CTRL event handler for Win32 consoles
+
+ Forward CTRL events as signals to existing signal event handler.
+
+- tests/server: move all signal handling routines to util.[ch]
+
+ Avoid code duplication to prepare for portability enhancements.
+
+Daniel Stenberg (12 Apr 2020)
+- compressed.d: stress that the headers are not modified
+
+ Suggested-by: Michael Osipov
+ Assisted-by: Jay Satiro
+ Bug: https://github.com/curl/curl/issues/5182#issuecomment-611638008
+ Closes #5217
+
+Marc Hoersken (11 Apr 2020)
+- tests/server/util.c: use curl_off_t instead of long for pid
+
+ Avoid potential overflow of huge PIDs on Windows.
+
+ Related to #5188
+ Assisted-by: Marcel Raad
+
+- tests: use Cygwin/msys PIDs for stunnel and sshd on Windows
+
+ Since the Windows versions of both programs would write Windows
+ PIDs to their pidfiles which we cannot handle, we need to use
+ our known perl.exe Cygwin/msys PID together with exec() in order
+ to tie the spawned processes to the existance of our perl.exe
+
+ The perl.exe that is executing secureserver.pl and sshserver.pl
+ has a Cygwin/msys PID, because it is started inside Cygwin/msys.
+
+ Related to #5188
+
+- tests: add Windows compatible pidwait like pidkill and pidterm
+
+ Related to #5188
+
+- tests: fix conflict between Cygwin/msys and Windows PIDs
+
+ Add 65536 to Windows PIDs to allow Windows specific treatment
+ by having disjunct ranges for Cygwin/msys and Windows PIDs.
+
+ See also:
+ - https://cygwin.com/git/?p=newlib-cygwin.git;a=commit; ↵
+ h=b5e1003722cb14235c4f166be72c09acdffc62ea
+ - https://cygwin.com/git/?p=newlib-cygwin.git;a=commit; ↵
+ h=448cf5aa4b429d5a9cebf92a0da4ab4b5b6d23fe
+
+ Replaces #5178
+ Closes #5188
+
+Daniel Stenberg (11 Apr 2020)
+- RELEASE-NOTES: synced
+
+- release-notes.pl: detect the start of the references in cleanup mode
+
+- Revert "file: on Windows, refuse paths that start with \\"
+
+ This reverts commit 1b71bc532bde8621fd3260843f8197182a467ff2.
+
+ Reminded-by: Chris Roberts
+ Bug: https://curl.haxx.se/mail/archive-2020-04/0013.html
+
+ Closes #5215
+
+Jay Satiro (11 Apr 2020)
+- lib: fix conversion warnings for SOCKET_WRITABLE/READABLE
+
+ - If loss of data may occur converting a timediff_t to time_t and
+ the time value is > TIME_T_MAX then treat it as TIME_T_MAX.
+
+ This is a follow-up to 8843678 which removed the (time_t) typecast
+ from the macros so that conversion warnings could be identified.
+
+ Closes https://github.com/curl/curl/pull/5199
+
+- test1148: tolerate progress updates better (again)
+
+ - Ignore intermediate progress updates.
+
+ - Support locales that use a character other than period as decimal
+ separator (eg 100,0%).
+
+ test1148 checks that the progress finishes at 100% and has the right
+ bar width. Prior to this change the test assumed that the only progress
+ reported for such a quick transfer was 100%, however in rare instances
+ (like in the CI where transfer time can slow considerably) there may be
+ intermediate updates. For example, below is stderrlog1148 from a failed
+ CI run with explicit \r and \n added (it is one line; broken up so that
+ it's easier to understand).
+
+ \r
+ \r################################## 48.3%
+ \r######################################################################## 100.0%
+ \n
+
+ Closes https://github.com/curl/curl/pull/5194
+
+Marc Hoersken (10 Apr 2020)
+- sshserver.pl: use cached Win32 environment check variable
+
+- appveyor: partially revert 3413a110 to keep build without proxy
+
+ Ref: #5211 and #4526
+ Reported-by: Marcel Raad
+
+- appveyor: ignore failing 'connect to non-listening proxy' tests
+
+ Closes #5211
+
+- CI/macos: convert CRLF to LF and align indentation
+
+Daniel Stenberg (9 Apr 2020)
+- url: allow non-HTTPS altsvc-matching for debug builds
+
+ This is already partly supported but this part was missing.
+ Reported-by: James Fuller
+
+ Closes #5205
+
+- server/resolve: remove AI_CANONNAME to make macos tell the truth
+
+ With this bit set, my mac successfully resolves "ip6-localhost" when in
+ fact there is no such host known to my machine! That in turn made test
+ 241 wrongly execute and fail.
+
+ Closes #5202
+
+- runtests: fix warning about using an undefined variable
+
+ Follow-up from 4d939ef6ceb2db1
+
+- release-notes: fix the initial reference list output
+
+- github actions: run when pushed to master or */ci + PRs
+
+ Avoid double-builds when using "local" branches for PRs. For both macos
+ and fuzz jobs.
+
+ Closes #5201
+
+- runtests: provide nicer errormsg when protocol "dump" file is empty
+
+- [Gilles Vollant brought this change]
+
+ schannel: support .P12 or .PFX client certificates
+
+ Used with curl command line option like this: --cert
+ <filename>:<password> --cert-type p12
+
+ Closes #5193
+
+- tests: verify split initial HTTP requests with CURL_SMALLREQSEND
+
+ test1294: "split request" being when the entire request isn't sent in
+ the first go, and the remainder is sent in the PERFORM state. A GET
+ request is otherwise not sending anything during PERFORM.
+
+ test1295: same kind of split but with POST
+
+ Closes #5197
+
+- http: don't consider upload done if the request isn't completely sent off
+
+ Fixes #4919
+ Closes #5197
+
+- http: allow Curl_add_buffer_send() to do a short first send by force
+
+ In a debug build, settting the environment variable "CURL_SMALLREQSEND"
+ will make the first HTTP request send not send more bytes than the set
+ amount, thus ending up verifying that the logic for handling a split
+ HTTP request send works correctly.
+
+- connect: store connection info for QUIC connections
+
+ Restores the --head functionality to the curl utility which extracts
+ 'protocol' that is stored that way.
+
+ Reported-by: James Fuller
+ Fixes #5196
+ Closes #5198
+
+- tests/README: update the port numbers list
+
+ Since the pipelining server is long gone.
+ Reported-by: James Fuller
+
+- select: remove typecast from SOCKET_WRITABLE/READABLE macros
+
+ So that they don't hide conversions-by-mistake
+
+ Reviewed-by: Jay Satiro
+ Closes #5190
+
+- CURLOPT_WRITEFUNCTION.3: add inline example and new see-also
+
+ Closes #5192
+
+- release-notes: output trailing references sorted numerically
+
+- cleanup: correct copyright year range on a few files
+
+- configure: remove use of -vec-report0 from CFLAGS with icc
+
+ ... as it apparently isn't (always) supported.
+ Reported-by: Alain Miniussi
+ Fixes #5096
+ Closes #5191
+
+- warnless: remove code block for icc that didn't work
+
+ Reported-by: Alain Miniussi
+ Fixes #5096
+
+Marc Hoersken (6 Apr 2020)
+- dist: add missing setup-win32.h
+
+ Follow up to d820224b8b
+
+Daniel Stenberg (6 Apr 2020)
+- RELEASE-NOTES: synced
+
+- scripts/release-notes.pl: add helper script for RELEASE-NOTES maintenance
+
+ This script helps putting entries in the RELEASE-NOTES using a coherent
+ style and sorting with a minimal human editing effort - as long as the
+ first line in the commit message is good enough! There's a short howto
+ at the top of the file.
+
+- [Dennis Felsing brought this change]
+
+ configure: don't check for Security.framework when cross-compiling
+
+ Since it checks for the local file, not the cross-compiled one.
+
+ Closes #5189
+
+- TODO: Option to make -Z merge lined based outputs on stdout
+
+ Closes #5175
+
+- lib: never define CURL_CA_BUNDLE with a getenv
+
+ - it breaks the build (since 6de756c9b1de34b7a1)
+ - it's not documented and not consistent across platforms
+ - the curl tool does that getenv magic
+
+ Bug: https://github.com/curl/curl/commit/6de756c#r38127030
+ Reported-by: Gisle Vanem
+
+ Closes #5187
+
+Marc Hoersken (5 Apr 2020)
+- lib670: use the same Win32 API check as all other lib tests
+
+- appveyor: use random test server ports based upon APPVEYOR_API_URL
+
+ Avoid conflicts of test server ports with AppVeyor API on localhost.
+
+ Closes #5034
+
+- appveyor: sort builds by type and add two new variants
+
+ Related to #5034 and #5063
+
+- appveyor: show failed tests in log even if test is ignored
+
+ And print API response with newline only if there is one
+
+- appveyor: turn disabled tests into ignored result tests
+
+Daniel Stenberg (5 Apr 2020)
+- KNOWN_BUGS: fixed "USE_UNIX_SOCKETS on Windows"
+
+ Fixed with #5170 (commit 23a870f2fd041278)
+
+- test1566: verify --etag-compare that gets a 304 back
+
+ Verifies the fix in #5183
+
+ Closes #5186
+
+- [Kwon-Young Choi brought this change]
+
+ CURLINFO_CONDITION_UNMET: return true for 304 http status code
+
+ In libcurl, CURLINFO_CONDITION_UNMET is used to avoid writing to the
+ output file if the server did not transfered a file based on time
+ condition. In the same manner, getting a 304 HTTP response back from the
+ server, for example after passing a custom If-Match-* header, also
+ fulfill this condition.
+
+ Fixes #5181
+ Closes #5183
+
+- [Kwon-Young Choi brought this change]
+
+ curl: allow both --etag-compare and --etag-save with same file name
+
+ This change inverse the order of processing for the --etag-compare and
+ --etag-save option to process first --etag-compare. This in turn allows
+ to use the same file name to compare and save an etag.
+
+ The original behavior of not failing if the etag file does not exists is
+ conserved.
+
+ Fixes #5179
+ Closes #5180
+
+Viktor Szakats (4 Apr 2020)
+- windows: enable UnixSockets with all build toolchains
+
+ Extend existing unix socket support in Windows builds to be
+ enabled for all toolchain vendors or versions. (Previously
+ it was only supported with certain MSVC versions + more recent
+ Windows 10 SDKs)
+
+ Ref: https://devblogs.microsoft.com/commandline/af_unix-comes-to-windows/
+ Ref: https://github.com/curl/curl/issues/5162
+ Closes: https://github.com/curl/curl/pull/5170
+
+Daniel Stenberg (4 Apr 2020)
+- KNOWN_BUGS: Store TLS context per transfer instead of per connection
+
+ Closes #5102
+
+Marc Hoersken (3 Apr 2020)
+- sockfilt: remove redundancy in timeout handling
+
+ And update other logmsg output in select_ws on Windows.
+
+- sockfilt: fix handling of ready closed sockets on Windows
+
+ Replace the incomplete workaround regarding FD_CLOSE
+ only signalling once by instead doing a pre-check with
+ standard select and storing the result for later use.
+
+ select keeps triggering on closed sockets on Windows while
+ WSAEventSelect fires only once with data still available.
+ By doing the pre-check we do not run in a deadlock
+ due to waiting forever for another FD_CLOSE event.
+
+- sockfilt: fix race-condition of waiting threads and event handling
+
+ Fix race-condition of waiting threads finishing while events are
+ already being processed which lead to invalid or skipped events.
+
+ Use mutex to check for one event at a time or do post-processing.
+ In addition to mutex-based locking use specific event as signal.
+
+ Closes #5156
+
+Daniel Stenberg (2 Apr 2020)
+- [Leo Neat brought this change]
+
+ CI-fuzz: increase fuzz time to 40 minutes
+
+ Closes #5174
+
+Marc Hoersken (2 Apr 2020)
+- CI: increase Azure Pipelines timeouts due to performance issues
+
+ The current demand on Azure negatively impacts the CI performance.
+
+- runtests.pl: log host OS as detected by Perl environment
+
+- ftpserver.pl: log before and after data connection is closed
+
+Daniel Stenberg (1 Apr 2020)
+- RELEASE-NOTES: synced
+
+- RELEASE-PROCEDURE.md: run the copyright.pl script!
+
+- vquic/ngtcp2.h: update copyright year range
+
+ Follow-up to 0736ee73d346a52
+
+- [Daiki Ueno brought this change]
+
+ CI: add build with ngtcp2 + gnutls on Travis CI
+
+- [Daiki Ueno brought this change]
+
+ vquic: add support for GnuTLS backend of ngtcp2
+
+ Currently, the TLS backend used by vquic/ngtcp2.c is selected at compile
+ time. Therefore OpenSSL support needs to be explicitly disabled.
+
+ Signed-off-by: Daiki Ueno <dueno@redhat.com>
+ Closes #5148
+
+- [Gisle Vanem brought this change]
+
+ examples/sessioninfo.c: add include to fix compiler warning
+
+ Fixes #5171
+
+- misc: copyright year updates
+
+ Follow-up to 7a71965e9
+
+- [Harry Sintonen brought this change]
+
+ build: fixed build for systems with select() in unistd.h
+
+ Closes #5169
+
+- memdebug: don't log free(NULL)
+
+ ... it serves no purpose and fills up the log.
+
+- cleanup: insert newline after if() conditions
+
+ Our code style mandates we put the conditional block on a separate
+ line. These mistakes are now detected by the updated checksrc.
+
+- checksrc: warn on obvious conditional blocks on the same line as if()
+
+ Closes #5164
+
+- [Roger Orr brought this change]
+
+ cmake: add CMAKE_MSVC_RUNTIME_LIBRARY
+
+ Fixes #5165
+ Closes #5167
+
+- [Daiki Ueno brought this change]
+
+ ngtcp2: update to git master for the key installation API change
+
+ This updates the ngtcp2 OpenSSL backend to follow the API change in
+ commit 32e703164 of ngtcp2.
+
+ Notable changes are:
+ - ngtcp2_crypto_derive_and_install_{rx,tx}_key have been added to replace
+ ngtcp2_crypto_derive_and_install_key
+ - the 'side' argument of ngtcp2_crypto_derive_and_install_initial_key
+ has been removed
+
+ Fixes #5166
+ Closes #5168
+
+- [Cyrus brought this change]
+
+ SECURITY.md: minor rephrase
+
+ Closes #5158
+
+- output.d: quote the URL when globbing
+
+ Some shells do globbing of their own unless the URL is quoted, so maybe
+ encourage this.
+
+ Co-authored-by: Jay Satiro
+ Closes #5160
+
+- dist: add tests/version-scan.pl to tarball
+
+ ... used in test 1177.
+
+ Follow-up to a97d826f6de3
+
+- test1177: verify that all the CURL_VERSION_ bits are documented
+
+- curl.h: remnove CURL_VERSION_ESNI. Never supported nor documented
+
+ Considered experimental and therefore we can do this.
+
+ Closes #5157
+
+- KNOWN_BUGS: DoH doesn't inherit all transfer options
+
+ Closes #4578
+ Closes #4579
+
+- KNOWN_BUGS: DoH leaks memory after followlocation
+
+ Closes #4592
+
+- KNOWN_BUGS: "FTPS needs session reuse"
+
+ Closes #4654
+
+- KNOWN_BUGS: "stick to same family over SOCKS pro" is presumed fixed
+
+- TODO: Set custom client ip when using haproxy protocol
+
+ Closes #5125
+
+Michael Kaufmann (27 Mar 2020)
+- writeout_json: Fix data type issues
+
+ Load long values correctly (e.g. for http_code).
+
+ Use curl_off_t (not long) for:
+ - size_download (CURLINFO_SIZE_DOWNLOAD_T)
+ - size_upload (CURLINFO_SIZE_UPLOAD_T)
+
+ The unit for these values is bytes/second, not microseconds:
+ - speed_download (CURLINFO_SPEED_DOWNLOAD_T)
+ - speed_upload (CURLINFO_SPEED_UPLOAD_T)
+
+ Fixes #5131
+ Closes #5152
+
+Daniel Stenberg (27 Mar 2020)
+- mailmap: fixup a few author names/fields
+
+ Douglas Steinwand, Gökhan Şengün, Jessa Chandler, Julian Z and
+ Svyatoslav Mishyn
+
+- version: add 'cainfo' and 'capath' to version info struct
+
+ Suggested-by: Timothe Litt
+ URL: https://curl.haxx.se/mail/lib-2020-03/0090.html
+ Reviewed-by: Jay Satiro
+
+ Closes #5150
+
+- RELEASE-NOTES: synced
+
+Jay Satiro (26 Mar 2020)
+- SSLCERTS.md: Fix example code for setting CA cert file
+
+ Prior to this change the documentation erroneously said use
+ CURLOPT_CAPATH to set a CA cert file.
+
+ Bug: https://curl.haxx.se/mail/lib-2020-03/0121.html
+ Reported-by: Timothe Litt
+
+ Closes https://github.com/curl/curl/pull/5151
+
+Marc Hoersken (26 Mar 2020)
+- sockfilt: add logmsg output to select_ws_wait_thread on Windows
+
+ Assisted-by: Jay Satiro
+ Reviewed-by: Daniel Stenberg
+
+ Closes #5086
+
+Daniel Stenberg (26 Mar 2020)
+- docs/make: generate curl.1 from listed files only
+
+ Previously it rendered the page from files matching "*.d" in the correct
+ directory, which worked fine in git builds when the files were added but
+ made it easy to forget adding the files to the dist.
+
+ Now, only man page sections listed in DPAGES in Makefile.inc will be
+ used, thus "forcing" us to update this to get the man page right and get
+ it included in the dist at the same time.
+
+ Ref: #5146
+ Closes #5149
+
+- openssl: adapt to functions marked as deprecated since version 3
+
+ OpenSSL 3 deprecates SSL_CTX_load_verify_locations and the MD4, DES
+ functions we use.
+
+ Fix the MD4 and SSL_CTX_load_verify_locations warnings.
+
+ In configure, detect OpenSSL v3 and if so, inhibit the deprecation
+ warnings. OpenSSL v3 deprecates the DES functions we use for NTLM and
+ until we rewrite the code to use non-deprecated functions we better
+ ignore these warnings as they don't help us.
+
+ Closes #5139
+
+- dist: add mail-rcpt-allowfails.d to the tarball
+
+ Reported-by: Maksim Stsepanenka
+ Reviewed-by: Jat Satiro
+
+ Closes #5146
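Review bot: the top of this new file pins the vendored curl at "Version 7.74.0 (9 Dec 2020)", but the import is committed on 2022-02-07 under the message "intermediate changes", so the change does not record which upstream release or tarball these 7440 lines came from, or why a release more than a year old was chosen. Please name the upstream tag and source in the commit message, or in a metadata file next to contrib/libs/curl, so the vendored copy can be matched against curl's security advisories the way this changelog itself ties CVE-2020-8286 and CVE-2020-8285 to 7.74.0. The upstream misspellings in the added text ("settting", "remnove", "Jat Satiro") are best left as they are, so the file stays identical to the released CHANGES and can be diffed against it.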