Update contrib/libs/curl to 7.81.0

ref:47b24ca6f73cd31c101d7e08fb558fb7ddd6b54f

contrib/libs/curl/.yandex_meta/devtools.copyrights.report

@@ -91,6 +91,18 @@ BELONGS ya.make
     Files with this license:
         lib/splay.h [10:10]
 
+KEEP     COPYRIGHT_SERVICE_LABEL 12905c2d6dcfe8f1ee19092ed4a751c9
+BELONGS ya.make
+    License text:
+         * Copyright (C) 2012 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
+         * Copyright (C) 2010 - 2011, Hoi-Ho Chan, <hoiho.chan@gmail.com>
+    Scancode info:
+        Original SPDX id: COPYRIGHT_SERVICE_LABEL
+        Score           : 100.00
+        Match type      : COPYRIGHT
+    Files with this license:
+        lib/vtls/mbedtls.c [8:9]
+
 KEEP     COPYRIGHT_SERVICE_LABEL 19b6de0c05c370c2ad2cc7375c862dd6
 BELONGS ya.make
     License text:
@@ -115,6 +127,7 @@ BELONGS ya.make
     Files with this license:
         include/curl/curl.h [10:10]
         include/curl/curlver.h [10:10]
+        include/curl/multi.h [10:10]
         include/curl/typecheck-gcc.h [10:10]
         lib/amigaos.c [8:8]
         lib/asyn-ares.c [8:8]
@@ -132,7 +145,9 @@ BELONGS ya.make
         lib/curl_endian.c [8:8]
         lib/curl_endian.h [10:10]
         lib/curl_get_line.c [8:8]
+        lib/curl_hmac.h [10:10]
         lib/curl_krb5.h [10:10]
+        lib/curl_md5.h [10:10]
         lib/curl_multibyte.c [8:8]
         lib/curl_multibyte.h [10:10]
         lib/curl_ntlm_core.c [8:8]
@@ -144,17 +159,18 @@ BELONGS ya.make
         lib/curl_range.h [10:10]
         lib/curl_setup.h [10:10]
         lib/curl_setup_once.h [10:10]
+        lib/curl_sspi.c [8:8]
         lib/dict.c [8:8]
         lib/easy.c [8:8]
         lib/file.c [8:8]
         lib/formdata.c [8:8]
         lib/formdata.h [10:10]
-        lib/ftp.c [8:8]
         lib/ftp.h [10:10]
         lib/ftplistparser.c [8:8]
         lib/getinfo.c [8:8]
         lib/gopher.c [8:8]
         lib/hash.c [8:8]
+        lib/hash.h [10:10]
         lib/hostasyn.c [8:8]
         lib/hostcheck.c [8:8]
         lib/hostip.c [8:8]
@@ -178,6 +194,7 @@ BELONGS ya.make
         lib/http_ntlm.h [10:10]
         lib/http_proxy.c [8:8]
         lib/http_proxy.h [10:10]
+        lib/if2ip.c [8:8]
         lib/imap.c [8:8]
         lib/ldap.c [8:8]
         lib/llist.c [8:8]
@@ -211,7 +228,6 @@ BELONGS ya.make
         lib/share.h [10:10]
         lib/sigpipe.h [10:10]
         lib/smtp.c [8:8]
-        lib/socks.c [8:8]
         lib/socks.h [10:10]
         lib/strdup.c [8:8]
         lib/strdup.h [10:10]
@@ -220,9 +236,8 @@ BELONGS ya.make
         lib/timeval.c [8:8]
         lib/transfer.c [8:8]
         lib/transfer.h [10:10]
-        lib/url.c [8:8]
         lib/url.h [10:10]
-        lib/urlapi.c [8:8]
+        lib/urlapi-int.h [10:10]
         lib/urldata.h [10:10]
         lib/vauth/cleartext.c [8:8]
         lib/vauth/cram.c [8:8]
@@ -239,9 +254,11 @@ BELONGS ya.make
         lib/vssh/ssh.h [10:10]
         lib/vtls/gskit.c [8:8]
         lib/vtls/gtls.c [8:8]
+        lib/vtls/gtls.h [10:10]
         lib/vtls/mesalink.c [8:9]
         lib/vtls/nss.c [8:8]
         lib/vtls/openssl.c [8:8]
+        lib/vtls/openssl.h [10:10]
         lib/vtls/vtls.c [8:8]
         lib/vtls/vtls.h [10:10]
         lib/vtls/wolfssl.c [8:8]
@@ -358,17 +375,6 @@ BELONGS ya.make
     Files with this license:
         lib/mqtt.h [10:10]
 
-KEEP     COPYRIGHT_SERVICE_LABEL 39ba75e954737dc323f76b8a0b6022f4
-BELONGS ya.make
-    License text:
-        /* Copyright (c) 1996 - 2020 by Internet Software Consortium.
-    Scancode info:
-        Original SPDX id: COPYRIGHT_SERVICE_LABEL
-        Score           : 100.00
-        Match type      : COPYRIGHT
-    Files with this license:
-        lib/inet_pton.c [3:3]
-
 KEEP     COPYRIGHT_SERVICE_LABEL 3ec20bb8e8de4d5335763397e51262f8
 BELONGS ya.make
     License text:
@@ -420,7 +426,6 @@ BELONGS ya.make
         lib/curl_sasl.h [10:10]
         lib/socks_gssapi.c [8:9]
         lib/socks_sspi.c [8:9]
-        lib/vtls/mbedtls.c [8:9]
         lib/vtls/schannel.c [8:10]
         lib/vtls/schannel.h [10:11]
         lib/vtls/schannel_verify.c [8:10]
@@ -511,6 +516,20 @@ BELONGS ya.make
         lib/pop3.h [10:10]
         lib/smtp.h [10:10]
 
+KEEP     COPYRIGHT_SERVICE_LABEL 5f2d9531ef53239121eb36eb3edd99b4
+BELONGS ya.make
+    License text:
+         * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
+    Scancode info:
+        Original SPDX id: COPYRIGHT_SERVICE_LABEL
+        Score           : 100.00
+        Match type      : COPYRIGHT
+    Files with this license:
+        lib/ftp.c [8:8]
+        lib/socks.c [8:8]
+        lib/url.c [8:8]
+        lib/urlapi.c [8:8]
+
 KEEP     COPYRIGHT_SERVICE_LABEL 67beade75b70a2c2bc8e7b71eb5b5ea3
 BELONGS ya.make
     License text:
@@ -590,7 +609,6 @@ BELONGS ya.make
     Files with this license:
         include/curl/easy.h [10:10]
         include/curl/mprintf.h [10:10]
-        include/curl/multi.h [10:10]
         include/curl/stdcheaders.h [10:10]
         include/curl/system.h [10:10]
         lib/amigaos.h [10:10]
@@ -605,15 +623,12 @@ BELONGS ya.make
         lib/curl_get_line.h [10:10]
         lib/curl_gethostname.c [8:8]
         lib/curl_gethostname.h [10:10]
-        lib/curl_hmac.h [10:10]
         lib/curl_ldap.h [10:10]
         lib/curl_md4.h [10:10]
-        lib/curl_md5.h [10:10]
         lib/curl_memory.h [10:10]
         lib/curl_memrchr.c [8:8]
         lib/curl_memrchr.h [10:10]
         lib/curl_printf.h [10:10]
-        lib/curl_sspi.c [8:8]
         lib/curl_sspi.h [10:10]
         lib/curl_threads.c [8:8]
         lib/curl_threads.h [10:10]
@@ -630,11 +645,9 @@ BELONGS ya.make
         lib/getenv.c [8:8]
         lib/getinfo.h [10:10]
         lib/gopher.h [10:10]
-        lib/hash.h [10:10]
         lib/hmac.c [8:8]
         lib/hostcheck.h [10:10]
         lib/idn_win32.c [8:8]
-        lib/if2ip.c [8:8]
         lib/if2ip.h [10:10]
         lib/inet_ntop.h [10:10]
         lib/inet_pton.h [10:10]
@@ -664,17 +677,14 @@ BELONGS ya.make
         lib/telnet.h [10:10]
         lib/tftp.h [10:10]
         lib/timeval.h [10:10]
-        lib/urlapi-int.h [10:10]
         lib/vauth/digest.h [10:10]
         lib/vauth/ntlm.h [10:10]
         lib/vquic/vquic.c [8:8]
         lib/vtls/gskit.h [10:10]
-        lib/vtls/gtls.h [10:10]
         lib/vtls/keylog.c [8:8]
         lib/vtls/keylog.h [10:10]
         lib/vtls/mesalink.h [10:11]
         lib/vtls/nssg.h [10:10]
-        lib/vtls/openssl.h [10:10]
         lib/vtls/wolfssl.h [10:10]
         lib/wildcard.c [8:8]
 
@@ -764,7 +774,7 @@ BELONGS ya.make
 KEEP     COPYRIGHT_SERVICE_LABEL 9d962b7054a48ee0efeaca166b582707
 BELONGS ya.make
     License text:
-         * Copyright (C) 2012 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
+         * Copyright (C) 2012 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
          * Copyright (C) 2010 - 2011, Hoi-Ho Chan, <hoiho.chan@gmail.com>
     Scancode info:
         Original SPDX id: COPYRIGHT_SERVICE_LABEL
@@ -783,7 +793,6 @@ BELONGS ya.make
         Match type      : COPYRIGHT
     Files with this license:
         lib/system_win32.h [10:10]
-        lib/version_win32.h [10:10]
 
 KEEP     COPYRIGHT_SERVICE_LABEL a708a3265e6d737aa48aa8db4c364178
 BELONGS ya.make
@@ -963,6 +972,18 @@ BELONGS ya.make
     Files with this license:
         lib/system_win32.c [8:8]
         lib/version_win32.c [8:8]
+        lib/version_win32.h [10:10]
+
+KEEP     COPYRIGHT_SERVICE_LABEL e0c20beb084ce5dc172fdc6fbf9b54a5
+BELONGS ya.make
+    License text:
+        /* Copyright (c) 1996 - 2021 by Internet Software Consortium.
+    Scancode info:
+        Original SPDX id: COPYRIGHT_SERVICE_LABEL
+        Score           : 100.00
+        Match type      : COPYRIGHT
+    Files with this license:
+        lib/inet_pton.c [3:3]
 
 KEEP     COPYRIGHT_SERVICE_LABEL e0d1701a5a15c429dd6d54ccbadea738
 BELONGS ya.make
@@ -1007,7 +1028,7 @@ BELONGS ya.make
         Match type      : COPYRIGHT
     Files with this license:
         lib/md4.c [226:231]
-        lib/md5.c [220:225]
+        lib/md5.c [224:229]
 
 KEEP     COPYRIGHT_SERVICE_LABEL f5681c9f9526985592061799304792ee
 BELONGS ya.make

contrib/libs/curl/.yandex_meta/devtools.licenses.report

@@ -38,14 +38,14 @@ BELONGS ya.make
         Match type      : NOTICE
         Links           : http://www.linfo.org/publicdomain.html, https://github.com/nexB/scancode-toolkit/tree/develop/src/licensedcode/data/licenses/public-domain.LICENSE
     Files with this license:
-        lib/md5.c [215:232]
+        lib/md5.c [219:236]
     Scancode info:
         Original SPDX id: LicenseRef-scancode-other-permissive
         Score           : 98.04
         Match type      : NOTICE
         Links           : https://github.com/nexB/scancode-toolkit/tree/develop/src/licensedcode/data/licenses/other-permissive.LICENSE
     Files with this license:
-        lib/md5.c [215:232]
+        lib/md5.c [219:236]
 
 KEEP     Public-Domain        18ed429b519e9abeeb3f768979574386
 BELONGS ya.make
@@ -437,7 +437,7 @@ BELONGS ya.make
         Match type      : TEXT
         Links           : http://www.linfo.org/publicdomain.html, https://github.com/nexB/scancode-toolkit/tree/develop/src/licensedcode/data/licenses/public-domain.LICENSE
     Files with this license:
-        lib/sha256.c [251:252]
+        lib/sha256.c [260:261]
 
 KEEP     ISC                  e6a382fc7564fdd1a5e46b2d97b3221f
 BELONGS ya.make

contrib/libs/curl/.yandex_meta/licenses.list.txt

@@ -59,6 +59,10 @@
  * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
 
 
+====================COPYRIGHT====================
+ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
+
+
 ====================COPYRIGHT====================
  * Copyright (C) 1999 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
 
@@ -117,11 +121,6 @@
  * Copyright (C) 2009, Markus Moeller, <markus_moeller@compuserve.com>
 
 
-====================COPYRIGHT====================
- * Copyright (C) 2012 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
- * Copyright (C) 2010 - 2011, Hoi-Ho Chan, <hoiho.chan@gmail.com>
-
-
 ====================COPYRIGHT====================
  * Copyright (C) 2012 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
  * Copyright (C) 2010, Howard Chu, <hyc@highlandsun.com>
@@ -138,6 +137,11 @@
  * Copyright (C) 2012 - 2017, Nick Zitzmann, <nickzman@gmail.com>.
 
 
+====================COPYRIGHT====================
+ * Copyright (C) 2012 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 2010 - 2011, Hoi-Ho Chan, <hoiho.chan@gmail.com>
+
+
 ====================COPYRIGHT====================
  * Copyright (C) 2012, Marc Hoersken, <info@marc-hoersken.de>, et al.
  * Copyright (C) 2012 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
@@ -281,7 +285,7 @@
 
 
 ====================COPYRIGHT====================
-/* Copyright (c) 1996 - 2020 by Internet Software Consortium.
+/* Copyright (c) 1996 - 2021 by Internet Software Consortium.
 
 
 ====================COPYRIGHT====================

contrib/libs/curl/CHANGES

@@ -6,8295 +6,7935 @@
 
                                   Changelog
 
-Version 7.80.0 (10 Nov 2021)
+Version 7.81.0 (5 Jan 2022)
 
-Daniel Stenberg (10 Nov 2021)
+Daniel Stenberg (5 Jan 2022)
 - RELEASE-NOTES: synced
   
-  for curl 7.80.0
+  curl 7.81.0 release
 
-- THANKS: add contributors from the 7.80.0 cycle
+- THANKS: add names from 7.81.0 release
 
-- [Tatsuhiro Tsujikawa brought this change]
+- curl_multi_init.3: fix the copyright year range
 
-  ngtcp2: advertise h3 as well as h3-29
+- test719-721: require "proxy" feature present to run
   
-  Advertise h3 as well as h3-29 since some servers out there require h3
-  for QUIC v1.
+  Bug: https://github.com/curl/curl/pull/8223#issuecomment-1005188696
+  Reported-by: Marc Hörsken
   
-  Closes #7979
-
-- [Tatsuhiro Tsujikawa brought this change]
+  Closes #8226
 
-  ngtcp2: use QUIC v1 consistently
+- test719: require ipv6 support to run
   
-  Since we switched to v1 quic_transport_parameters codepoint in #7960
-  with quictls, lets use QUIC v1 consistently.
+  Follow-up to effd2bd7ba2a5fd244
+  Reported-by: Marc Hörsken
+  Bug: https://github.com/curl/curl/pull/8217#issuecomment-1004681145
   
-  Closes #7979
+  Closes #8223
 
-- [Tatsuhiro Tsujikawa brought this change]
+- test719-721: verify SOCKS details
+  
+  Using the new verify/socks details
 
-  ngtcp2: compile with the latest nghttp3
+- runtests: add verify/socks check
   
-  Closes #7978
+  If used, this data is compared with the data in log/socksd-request.log
+  which the socksd server logs.
+  
+  Added to FILEFORMAT.md
 
-Marc Hoersken (9 Nov 2021)
-- tests: add Schannel-specific tests and disable unsupported ones
+- server/socksd: log atyp + address in a separate log
   
-  Adds Schannel variants of SSLpinning tests that include the option
-  --ssl-revoke-best-effort to ignore certificate revocation check
-  failures which is required due to our custom test CA certificate.
+  To allow the test suite to verify that the right data arrived
+
+- socks5: use appropriate ATYP for numerical IP address host names
   
-  Disable the original variants if the Schannel backend is enabled.
+  When not resolving the address locallly (known as socks5h).
   
-  Also skip all IDN tests which are broken while using an msys shell.
+  Add test 719 and 720 to verify.
   
-  This is a step to simplify test exclusions for Windows and MinGW.
+  Reported-by: Peter Piekarski
+  Fixes #8216
+  Closes #8217
+
+Jay Satiro (3 Jan 2022)
+- curl_multi_init.3: fix EXAMPLE formatting
+
+Daniel Stenberg (3 Jan 2022)
+- RELEASE-NOTES: synced
+
+- libtest: avoid "assignment within conditional expression"
   
-  Reviewed-by: Jay Satiro
-  Reviewed-by: Marcel Raad
-  Reviewed-by: Daniel Stenberg
-  Closes #7968
+  In lib530, lib540 and lib582
+  
+  Closes #8218
 
-Daniel Stenberg (8 Nov 2021)
-- docs: NAME fixes in easy option man pages
+- ftp: disable warning 4706 in MSVC
   
-  Closes #7975
+  Follow-up to 21248e052d
+  
+  Disabling "assignment within conditional expression" for MSVC needs to
+  be done before the function starts, for it to take effect.
+  
+  Closes #8218
 
-- [Roger Young brought this change]
+- tool_operate: warn if too many output arguments were found
+  
+  More output instructions than URLs is likely a user error.
+  
+  Add test case 371 to verify
+  
+  Closes #8210
 
-  ftp: make the MKD retry to retry once per directory
+- .github/workflows/mbedtls.yml: bump to mbedtls 3.1.0
   
-  Reported-by: Roger Young
-  Fixes #7967
-  Closes #7976
+  Closes #8215
 
-- tool_operate: reorder code to avoid compiler warning
+- zuul: remove the mbedtls jobs
   
-  tool_operate.c(889) : warning C4701: potentially uninitialized local
-  variable 'per' use
+  Now running as github workflows
   
-  Follow-up to cc71d352651a0d95
-  Reported-by: Marc Hörsken
-  Bug: https://github.com/curl/curl/pull/7922#issuecomment-963042676
-  Closes #7971
+  Closes #8215
 
-- curl_easy_perform.3: add a para about recv and send data
+- github/workflows: add mbedtls and mbedtls-clang
   
-  Reported-by: Godwin Stewart
-  Fixes #7973
-  Closes #7974
+  Closes #8215
 
-- tool_operate: fclose stream only if fopened
+- [Valentin Richter brought this change]
+
+  mbedtls: fix private member designations for v3.1.0
   
-  Fixes torture test failures
-  Follow-up to cc71d352651
+  "As a last resort, you can access the field foo of a structure bar by
+  writing bar.MBEDTLS_PRIVATE(foo). Note that you do so at your own risk,
+  since such code is likely to break in a future minor version of Mbed
+  TLS." -
+  https://github.com/ARMmbed/mbedtls/blob/f2d1199edc5834df4297f247f213e614f7782d1d/docs/3.0-migration-guide.md
   
-  Closes #7972
+  That future minor version is v3.1.0. I set the >= to == for the version
+  checks because v3.1.0 is a release, and I am not sure when the private
+  designation was reverted after v3.0.0.
+  
+  Closes #8214
 
-- libcurl-easy.3: language polish
+- [Valentin Richter brought this change]
 
-- limit-rate.d: this is average over several seconds
+  cmake: prevent dev warning due to mismatched arg
   
-  Closes #7970
+  -- curl version=[7.81.0-DEV]
+  CMake Warning (dev) at /usr/share/cmake-3.22.1/Modules/FindPackageHandleStandardArgs.cmake:438 (message):
+    The package name passed to `find_package_handle_standard_args` (MBEDTLS)
+    does not match the name of the calling package (MbedTLS).  This can lead to
+    problems in calling code that expects `find_package` result variables
+    (e.g., `_FOUND`) to follow a certain pattern.
+  Call Stack (most recent call first):
+    deps/curl/CMake/FindMbedTLS.cmake:31 (find_package_handle_standard_args)
+    deps/curl/CMakeLists.txt:473 (find_package)
+  This warning is for project developers.  Use -Wno-dev to suppress it.
+  
+  Closes #8207
 
-- docs: reduce/avoid English contractions
+- urlapi: if possible, shorten given numerical IPv6 addresses
   
-  You're => You are
-  Hasn't => Has not
-  Doesn't => Does not
-  Don't => Do not
-  You'll => You will
-  etc
+  Extended test 1560 to verify
   
-  Closes #7930
+  Closes #8206
 
-- tool_operate: fix torture leaks with etags
-  
-  Spotted by torture testing 343 344 345 347.
+- [Michał Antoniak brought this change]
+
+  url: reduce ssl backend count for CURL_DISABLE_PROXY builds
   
-  Follow-up from cc71d352651a0
-  Pointed-out-by: Dan Fandrich
+  Closes #8212
+
+- KNOWN_BUGS: "Trying local ports fails on Windows"
   
-  Closes #7969
+  Reported-by: gclinch on github
+  Closes #8112
 
-- [Amaury Denoyelle brought this change]
+- misc: update copyright year range
 
-  ngtcp2: support latest QUIC TLS RFC9001
+- zuul: remove the wolfssl even more
   
-  QUIC Transport Parameters Extension has been changed between draft-29
-  and latest RFC9001. Most notably, its identifier has been updated from
-  0xffa5 to 0x0039. The version is selected through the QUIC TLS library
-  via the legacy codepoint.
+  Follow-up to 1914465cf180d32b3d
+
+- examples/multi-single.c: remove WAITMS()
   
-  Disable the usage of legacy codepoint in curl to switch to latest
-  RFC9001. This is required to be able to keep up with latest QUIC
-  implementations.
+  As it isn't used.
   
-  Acked-by: Tatsuhiro Tsujikawa
-  Closes #7960
+  Reported-by: Melroy van den Berg
+  Fixes #8200
+  Closes #8201
 
-- test1173: make manpage-syntax.pl spot \n errors in examples
+- gtls: add gnutls include for the session type
+  
+  Follow-up to 8fbd6feddfa5 to make it build more universally
 
-- man pages: fix backslash-n in examples
+- m4/curl-compilers: tell clang -Wno-pointer-bool-conversion
   
-  ... to be proper backslash-backslash-n sequences to render nicely in man
-  and on website.
+  To hush compiler warnings we don't care for: error: address of function
+  'X' will always evaluate to 'true'
   
-  Follow-up to 24155569d8a
-  Reported-by: Sergey Markelov
+  Fixes #8197
+  Closes #8198
+
+- http_proxy: don't close the socket (too early)
   
-  Fixes https://github.com/curl/curl-www/issues/163
-  Closes #7962
+  ... and double-check in the OpenSSL shutdown that the socket is actually
+  still there before it is used.
+  
+  Fixes #8193
+  Closes #8195
+  
+  Reported-by: Leszek Kubik
 
-- scripts/release-notes.pl: use out of repo links verbatim in refs
+- ngtcp2: verify the server certificate for the gnutls case
+  
+  Closes #8178
 
-- tool_operate: a failed etag save now only fails that transfer
+- ngtcp2: verify the server cert on connect (quictls)
   
-  When failing to create the output file for saving an etag, only fail
-  that particular single transfer and allow others to follow.
+  Make ngtcp2+quictls correctly acknowledge `CURLOPT_SSL_VERIFYPEER` and
+  `CURLOPT_SSL_VERIFYHOST`.
   
-  In a serial transfer setup, if no transfer at all is done due to them
-  all being skipped because of this error, curl will output an error
-  message and return exit code 26.
+  The name check now uses a function from lib/vtls/openssl.c which will
+  need attention for when TLS is not done by OpenSSL or is disabled while
+  QUIC is enabled.
   
-  Added test 369 and 370 to verify.
+  Possibly the servercert() function in openssl.c should be adjusted to be
+  able to use for both regular TLS and QUIC.
   
-  Reported-by: Earnestly on github
-  Ref: #7942
-  Closes #7945
+  Ref: #8173
+  Closes #8178
 
-- [Kevin Burke brought this change]
+- zuul: remove the wolfssl build
 
-  .github: retry macos "brew install" command on failure
-  
-  Previously we saw errors attempting to run "brew install", see
-  https://github.com/curl/curl/runs/4095721123?check_suite_focus=true for
-  an example, since this command is idempotent, it is safe to run again.
+- github workflow: add wolfssl
   
-  Closes #7955
+  Closes #8196
 
-- CURLOPT_ALTSVC_CTRL.3: mention conn reuse is preferred
+- [Nicolas Sterchele brought this change]
+
+  zuul: fix quiche build pointing to wrong Cargo
   
-  Ref: https://github.com/curl/curl/discussions/7954
+  Fixes #8184
+  Closes #8189
+
+- checksrc: detect more kinds of NULL comparisons we avoid
   
-  Closes #7957
+  Co-authored-by: Jay Satiro
+  Closes #8180
 
 - RELEASE-NOTES: synced
 
-- zuul: pin the quiche build to use an older cmake-rs
-  
-  The latest cmake-rs assumes cmake's --parallel works. That was added in
-  cmake 3.12, but a lot of our CI builds run on Ubuntu Bionic which only
-  has cmake 3.10.
+- mesalink: remove the BACKEND define kludge
   
-  Fixes #7927
-  Closes #7952
-
-- [Marc Hoersken brought this change]
+  Closes #8183
 
-  Revert "src/tool_filetime: disable -Wformat on mingw for this file"
-  
-  This reverts commit 7c88fe375b15c44d77bccc9ab733b8069d228e6f.
+- schannel: remove the BACKEND define kludge
   
-  Follow up to #6535 as the pragma is obsolete with warnf
+  Closes #8182
+
+- gtls: check return code for gnutls_alpn_set_protocols
   
-  Closes #7941
+  Closes #8181
 
-Jay Satiro (2 Nov 2021)
-- schannel: fix memory leak due to failed SSL connection
+- [Stefan Huber brought this change]
+
+  README: label the link to the support document
   
-  - Call schannel_shutdown if the SSL connection fails.
+  Closes #8185
+
+- docs/HTTP3: describe how to setup a h3 reverse-proxy for testing
   
-  Prior to this change schannel_shutdown (which shuts down the SSL
-  connection as well as memory cleanup) was not called when the SSL
-  connection failed (eg due to failed handshake).
+  Assisted-by: Matt Holt
   
-  Co-authored-by: Gisle Vanem
+  Closes #8177
+
+- libcurl-multi.3: "SOCKS proxy handshakes" are not blocking
   
-  Fixes https://github.com/curl/curl/issues/7877
-  Closes https://github.com/curl/curl/pull/7878
+  Since 4a4b63daaa0
 
-Daniel Stenberg (2 Nov 2021)
-- Curl_updateconninfo: store addresses for QUIC connections too
+- [Vladimir Panteleev brought this change]
+
+  tests: Add test for CURLOPT_HTTP200ALIASES
+
+- [Vladimir Panteleev brought this change]
+
+  http: Fix CURLOPT_HTTP200ALIASES
   
-  So that CURLINFO_PRIMARY_IP etc work for HTTP/3 like for other HTTP
-  versions.
+  The httpcode < 100 check was also triggered when none of the fields were
+  parsed, thus making the if(!nc) block unreachable.
   
-  Reported-by: Jerome Mao
-  Fixes #7939
-  Closes #7944
+  Closes #8171
 
-- [Sergio Durigan Junior brought this change]
+- RELEASE-NOTES: synced
 
-  curl.1: fix typos in the manpage
+- language: "email"
   
-  s/transfering/transferring/
-  s/transfered/transferred/
+  Missed three occurrences.
   
-  Signed-off-by: Sergio Durigan Junior <sergiodj@sergiodj.net>
-  Closes #7937
+  Follow-up to 7a92f86
 
-Marc Hoersken (1 Nov 2021)
-- tests/smbserver.py: fix compatibility with impacket 0.9.23+
-  
-  impacket now performs sanity checks if the requested and to
-  be served file path actually is inside the real share path.
+- nss:set_cipher don't clobber the cipher list
   
-  Ref: https://github.com/SecureAuthCorp/impacket/pull/1066
+  The string is set by the user and needs to remain intact for proper
+  connection reuse etc.
   
-  Fixes #7924
-  Closes #7935
+  Reported-by: Eric Musser
+  Fixes #8160
+  Closes #8161
 
-Daniel Stenberg (1 Nov 2021)
-- docs: reduce use of "very"
+- misc: s/e-mail/email
   
-  "Very" should be avoided in most texts. If intensifiers are needed, try
-  find better words instead.
+  Consistency is king. Following the lead in everything curl.
   
-  Closes #7936
+  Closes #8159
 
-- [Tatsuhiro Tsujikawa brought this change]
+- [Tobias Nießen brought this change]
 
-  ngtcp2: specify the missing required callback functions
+  docs: fix typo in OpenSSL 3 build instructions
   
-  Closes #7929
+  Closes #8162
 
-- CURLOPT_[PROXY]_SSL_CIPHER_LIST.3: bold instead of quote
+- linkcheck.yml: add CI job that checks markdown links
   
-  Bold the example ciphers instead of using single quotes, which then also
-  avoids the problem of how to use single quotes when first in a line.
-  
-  Also rephrased the pages a little.
-  
-  Reported-by: Sergio Durigan Junior
-  Ref: #7928
-  Closes #7934
+  Closes #8158
 
-- gen.pl: replace leading single quotes with \(aq
+- RELEASE-PROCEDURE.md: remove ICAL link and old release dates
+
+- BINDINGS.md: "markdown-link-check-disable"
   
-  ... and allow single quotes to be used "normally" in the .d files.
+  It feels a bit unfortunate to litter an ugly tag for this functionality,
+  but if we get link scans of all markdown files, this might be worth the
+  price.
+
+- docs: fix dead links, remove ECH.md
+
+Jay Satiro (16 Dec 2021)
+- openssl: define HAVE_OPENSSL_VERSION for OpenSSL 1.1.0+
   
-  Makes the output curl.1 use better nroff.
+  Prior to this change OpenSSL_version was only detected in configure
+  builds. For other builds the old version parsing code was used which
+  would result in incorrect versioning for OpenSSL 3:
   
-  Reported-by: Sergio Durigan Junior
-  Ref: #7928
-  Closes #7933
-
-Marc Hoersken (1 Nov 2021)
-- tests: kill some test servers afterwards to avoid locked logfiles
+  Before:
   
-  Reviewed-by: Daniel Stenberg
-  Closes #7925
-
-Daniel Stenberg (1 Nov 2021)
-- smooth-gtk-thread.c: enhance the mutex lock use
+  curl 7.80.0 (i386-pc-win32) libcurl/7.80.0 OpenSSL/3.0.0a zlib/1.2.11
+  WinIDN libssh2/1.9.0
   
-  Reported-by: ryancaicse on github
-  Fixes #7926
-  Closes #7931
-
-Marc Hoersken (31 Oct 2021)
-- CI/runtests.pl: restore -u flag, but remove it from CI runs
+  After:
   
-  This makes it possible to use -u again for local testing,
-  but removes the flag from CI config files and make targets.
+  curl 7.80.0 (i386-pc-win32) libcurl/7.80.0 OpenSSL/3.0.1 zlib/1.2.11
+  WinIDN libssh2/1.9.0
   
-  Reviewed-by: Daniel Stenberg
+  Reported-by: lllaffer@users.noreply.github.com
   
-  Partially reverts #7841
-  Closes #7921
+  Fixes https://github.com/curl/curl/issues/8154
+  Closes https://github.com/curl/curl/pull/8155
 
-Daniel Stenberg (29 Oct 2021)
-- [Jonathan Cardoso Machado brought this change]
+Daniel Stenberg (16 Dec 2021)
+- [James Fuller brought this change]
 
-  CURLOPT_HSTSWRITEFUNCTION.3: using CURLOPT_HSTS_CTRL is required
+  docs: add known bugs list to HTTP3.md
   
-  Closes #7923
+  Closes #8156
 
-- [Axel Morawietz brought this change]
+Dan Fandrich (15 Dec 2021)
+- BINDINGS: add one from Everything curl and update a link
 
-  imap: display quota information
+- libcurl-security.3: mention address and URL mitigations
   
-  Show response to "GETQUOTAROOT INBOX" command.
-  
-  Closes #6973
+  The new CURLOPT_PREREQFUNCTION callback is another way to sanitize
+  addresses.
+  Using the curl_url API is a way to mitigate against attacks relying on
+  URL parsing differences.
 
+Daniel Stenberg (15 Dec 2021)
 - RELEASE-NOTES: synced
 
-- [Boris Rasin brought this change]
-
-  cmake: fix error getting LOCATION property on non-imported target
+- x509asn1: return early on errors
   
-  Closes #7885
+  Overhaul to make sure functions that detect errors bail out early with
+  error rather than trying to continue and risk hiding the problem.
+  
+  Closes #8147
 
-- [x2018 brought this change]
+- [Patrick Monnerat brought this change]
 
-  url: check the return value of curl_url()
+  openldap: several minor improvements
   
-  Closes #7917
+  - Early check proper LDAP URL syntax. Reject URLs with a userinfo part.
+  - Use dynamic memory for ldap_init_fd() URL rather than a
+    stack-allocated buffer.
+  - Never chase referrals: supporting it would require additional parallel
+    connections and alternate authentication credentials.
+  - Do not wait 1 microsecond while polling/reading query response data.
+  - Store last received server code for retrieval with CURLINFO_RESPONSE_CODE.
+  
+  Closes #8140
 
-- [Roy Li brought this change]
+- [Michał Antoniak brought this change]
 
-  configure.ac: replace krb5-config with pkg-config
+  misc: remove unused doh flags when CURL_DISABLE_DOH is defined
   
-  The rationale is that custom *-config tools don't work well when
-  cross-compiling or using sysroots (such as when using Yocto project) and
-  require custom fixing for each of them; pkg-config on the other hand
-  works similarly everywhere.
+  Closes #8148
+
+- mbedtls: fix CURLOPT_SSLCERT_BLOB
   
-  Signed-off-by: Roy Li <rongqing.li@windriver.com>
-  Signed-off-by: Alexander Kanavin <alex@linutronix.de>
+  The memory passed to mbedTLS for this needs to be null terminated.
   
-  Closes #7916
+  Reported-by: Florian Van Heghe
+  Closes #8146
 
-- test1160: edited to work with hyper
+- asyn-ares: ares_getaddrinfo needs no happy eyeballs timer
   
-  Closes #7912
+  Closes #8142
 
-- data/DISABLED: enable tests that now work with hyper
+- mailmap: add Yongkang Huang
   
-  Closes #7911
+  From #8141
 
-- test559: add 'HTTP' in keywords
-  
-  Makes it run fine with hyper
-  
-  Closes #7911
+- [Yongkang Huang brought this change]
 
-- test552: updated to work with hyper
-  
-  Closes #7911
+  check ssl_config when re-use proxy connection
 
-Marc Hoersken (27 Oct 2021)
-- github: fix incomplete permission to label PRs for Hacktoberfest
+- mbedtls: do a separate malloc for ca_info_blob
   
-  Unfortunately the GitHub API requires a token with write permission
-  for both issues and pull-requests to edit labels on even just PRs.
+  Since the mbedTLS API requires the data to the null terminated.
   
-  Follow up to #7897
-
-Daniel Stenberg (27 Oct 2021)
-- opt-manpages: use 'Added in' instead of 'Since'
+  Follow-up to 456c53730d21b1fad0c7f72c1817
   
-  Closes #7913
+  Fixes #8139
+  Closes #8145
 
-Marc Hoersken (27 Oct 2021)
-- github: fix missing permission to label PRs for Hacktoberfest
+Marc Hoersken (14 Dec 2021)
+- CI: build examples for additional code verification
   
-  Follow up to #7897
+  Some CIs already build them, let's do it on more of them.
   
-  Test references to see if permissions are now sufficient:
+  Reviewed-by: Daniel Stenberg
   
-  Closes #7832
-  Closes #7897
+  Follow up to #7690 and 77311f420a541a0de5b3014e0e40ff8b4205d4af
+  Replaces #7591
+  Closes #7922
 
-- CI: more use of test-ci make target and verbose output
+- docs/examples: workaround broken -Wno-pedantic-ms-format
   
-  Replace test-nonflaky with test-ci and enable verbose output
-  in all remaining CIs except Zuul which is customized a lot.
+  Avoid CURL_FORMAT_CURL_OFF_T by using unsigned long instead.
+  Improve size_t to long conversion in imap-append.c example.
   
+  Ref: https://github.com/curl/curl/issues/6079
+  Ref: https://github.com/curl/curl/pull/6082
+  Assisted-by: Jay Satiro
   Reviewed-by: Daniel Stenberg
-  Reviewed-by: Jay Satiro
   
-  Follow up to #7785
-  Closes #7832
+  Preparation of #7922
 
-- github: add support for Hacktoberfest using labels
+- tests/data/test302[12]: fix MSYS2 path conversion of hostpubsha256
   
-  Automatically add hacktoberfest-accepted label to PRs opened between
-  September 30th and November 1st once a commit with a close reference
-  to it is pushed onto the master branch.
+  Ref: https://www.msys2.org/wiki/Porting/#filesystem-namespaces
   
-  With this workflow we can participate in Hacktoberfest while not
-  relying on GitHub to identify PRs as merged due to our rebasing.
+  Reviewed-by: Marcel Raad
+  Reviewed-by: Jay Satiro
   
-  Requires hacktoberfest-accepted labels to exist for PRs on the
-  participating repository. Also requires hacktoberfest topic on
-  the participating repository to avoid applying to forked repos.
+  Fixes #8084
+  Closes #8138
+
+Daniel Stenberg (13 Dec 2021)
+- [Patrick Monnerat brought this change]
+
+  openldap: simplify ldif generation code
   
-  Reviewed-by: Daniel Stenberg
+  and take care of zero-length values, avoiding conversion to base64
+  and/or trailing spaces.
   
-  Fixes #7865
-  Closes #7897
+  Closes #8136
 
-Daniel Stenberg (27 Oct 2021)
-- http: reject HTTP response codes < 100
-  
-  ... which then also includes negative ones as test 1430 uses.
+- example/progressfunc: remove code for old libcurls
   
-  This makes native + hyper backend act identically on this and therefore
-  test 1430 can now be enabled when building with hyper. Adjust test 1431
-  as well.
+  7.61.0 is over three years old now, remove all #ifdefs for handling
+  ancient libcurl versions so that the example gets easier to read and
+  understand
   
-  Closes #7909
+  Closes #8137
 
-- [Kerem Kat brought this change]
+- [x2018 brought this change]
 
-  docs: fix typo in CURLOPT_TRAILERFUNCTION example
+  sha256/md5: return errors when init fails
   
-  Closes #7910
-
-- docs/HYPER: remove some remaining issues, add HTTP/0.9 limitation
+  Closes #8133
 
-- configure: when hyper is selected, deselect nghttp2
+- TODO: 13.3 Defeat TLS fingerprinting
   
-  Closes #7908
+  Closes #8119
+
+- RELEASE-NOTES: synced
 
 - [Patrick Monnerat brought this change]
 
-  sendf: accept zero-length data in Curl_client_write()
-  
-  Historically, Curl_client_write() used a length value of 0 as a marker
-  for a null-terminated data string. This feature has been removed in
-  commit f4b85d2. To detect leftover uses of the feature, a DEBUGASSERT
-  statement rejecting a length with value 0 was introduced, effectively
-  precluding use of this function with zero-length data.
+  openldap: process search query response messages one by one
   
-  The current commit removes the DEBUGASSERT and makes the function to
-  return immediately if length is 0.
+  Upon receiving large result sets, this reduces memory consumption and
+  allows starting to output results while the transfer is still in
+  progress.
   
-  A direct effect is to fix trying to output a zero-length distinguished
-  name in openldap.
+  Closes #8101
+
+- hash: lazy-alloc the table in Curl_hash_add()
   
-  Another DEBUGASSERT statement is also rephrased for better readability.
+  This makes Curl_hash_init() infallible which saves error paths.
   
-  Closes #7898
+  Closes #8132
 
-- hyper: disable test 1294 since hyper doesn't allow such crazy headers
+- multi: cleanup the socket hash when destroying it
   
-  Closes #7905
+  Since each socket hash entry may themselves have a hash table in them,
+  the destroying of the socket hash needs to make sure all the subhashes
+  are also correctly destroyed to avoid leaking memory.
+  
+  Fixes #8129
+  Closes #8131
 
-- c-hyper: make CURLOPT_SUPPRESS_CONNECT_HEADERS work
+- test1156: fixup the stdout check for Windows
   
-  Verified by the enabled test 1288
+  It is not text mode.
   
-  Closes #7905
+  Follow-up to 6f73e68d182
+  
+  Closes #8134
 
-- test1287: make work on hyper
+- test1528: enable for hyper
   
-  Closes #7905
+  Closes #8128
 
-- test1266/1267: disabled on hyper: no HTTP/0.9 support
+- test1527: enable for hyper
   
-  Closes #7905
+  Closes #8128
 
-Viktor Szakats (25 Oct 2021)
-- Makefile.m32: fix to not require OpenSSL with -libssh2 or -rtmp options
+- test1526: enable for hyper
   
-  Previously, -libssh2/-rtmp options assumed that OpenSSL is also enabled
-  (and then failed with an error when not finding expected OpenSSL headers),
-  but this isn't necessarly true, e.g. when building both libssh2 and curl
-  against Schannel. This patch makes sure to only enable the OpenSSL backend
-  with -libssh2/-rtmp, when there was no SSL option explicitly selected.
+  Closes #8128
+
+- test1525: slightly tweaked for hyper
   
-  - Re-implement the logic as a single block of script.
-  - Also fix an indentation while there.
+  Closes #8128
+
+- test1156: enable for hyper
   
-  Assisted-by: Jay Satiro
+  Minor reorg of the lib1156 code and it works fine for hyper.
   
-  Closes #7895
+  Closes #8127
 
-Daniel Stenberg (25 Oct 2021)
-- docs: consistent use of "Added in"
+- test661: enable for hyper
   
-  Make them all say "Added in [version]" without using 'curl' or 'libcurl'
-  in that phrase.
+  Closes #8126
 
-- man pages: require all to use the same section header order
-  
-  This is the same order we already enforce among the options' man pages:
-  consistency is good. Add lots of previously missing examples.
+- docs: fix proselint nits
   
-  Adjust the manpage-syntax script for this purpose, used in test 1173.
+  - remove a lot of exclamation marks
+  - use consistent spaces (1, not 2)
+  - use better words at some places
   
-  Closes #7904
+  Closes #8123
 
-- [David Hu brought this change]
+- [RekGRpth brought this change]
 
-  docs/HTTP3: improve build instructions
-  
-  1. If writing to a system path if the command is not prefixed with
-  `sudo` it will cause a permission denied error
+  BINDINGS.md: add cURL client for PostgreSQL
   
-  2. The patched OpenSSL branch has been updated to `openssl-3.0.0+quic`
-  to match upstream OpenSSL version.
+  Closes #8125
+
+- [RekGRpth brought this change]
+
+  CURLSHOPT_USERDATA.3: fix copy-paste mistake
   
-  3. We should not disable GnuTLS docs.
+  Closes #8124
+
+- docs: fix minor nroff format nits
   
-  Updated some commands about `make install`
+  Repairs test 1140
   
-  Closes #7842
+  Follow-up to 436cdf82041
 
-- [Ricardo Martins brought this change]
+- docs/URL-SYNTAX.md: space is not fine in a given URL
 
-  CMake: restore support for SecureTransport on iOS
+- curl_multi_perform/socket_action.3: clarify what errors mean
   
-  Restore support for building curl for iOS with SecureTransport enabled.
+  An error returned from one of these funtions mean that ALL still ongoing
+  transfers are to be considered failed.
   
-  Closes #7501
+  Ref: #8114
+  Closes #8120
 
-- tests: enable more tests with hyper
+- libcurl-errors.3: add CURLM_ABORTED_BY_CALLBACK
   
-  Adjusted 1144, 1164 and 1176.
+  Follow-up to #8089 (2b3dd01)
   
-  Closes #7900
+  Closes #8116
 
-- docs: provide "RETURN VALUE" section for more func manpages
+- hash: add asserts to help detect bad usage
   
-  Three were missing, one used a non-standard name for the header.
+  For example trying to add entries after the hash has been "cleaned up"
   
-  Closes #7902
+  Closes #8115
 
-Jay Satiro (25 Oct 2021)
-- curl_multi_socket_action.3: add a "RETURN VALUE" section
+- lib530: abort on curl_multi errors
   
-  .. because it may not be immediately clear to the user what
-  curl_multi_socket_action returns.
+  This makes torture tests run more proper.
   
-  Ref: https://curl.se/mail/lib-2021-10/0035.html
+  Also add an assert to trap situations where it would end up with no
+  sockets to wait for.
   
-  Closes https://github.com/curl/curl/pull/7901
+  Closes #8121
 
-Daniel Stenberg (24 Oct 2021)
-- RELEASE-NOTES: synced
+- FAQ: we never pronounced it "see URL", we say "kurl"
 
-- [Samuel Henrique brought this change]
+- RELEASE-NOTES: synced
 
-  tests: use python3 in test 1451
+- CURLOPT_RESOLVE.3: minor polish
   
-  This is a continuation of commit ec91b5a69000bea0794bbb3 in which
-  changing this test was missed.  There are no other python2 leftovers
-  now.
+  Minor rephrasing for some explanations.
   
-  Based on a Debian patch originally written by Alessandro Ghedini
-  <ghedo@debian.org>
+  Put the format strings in stand-alone lines with .nf/.fi to be easier to spot.
   
-  Closes #7899
+  Move "added in" to AVAILABILITY
+  
+  Closed #8110
 
-- [Eddie Lumpkin brought this change]
+- test1556: adjust for hyper
+  
+  Closes #8105
 
-  lib: fixing comment spelling typos in lib files
+- test1554: adjust for hyper
   
-  Closes #7894
-  Signed-off-by: ewlumpkin <ewlumpkin@gmail.com>
+  Closes #8104
 
-- openssl: if verifypeer is not requested, skip the CA loading
+- retry-all-errors.d: make the example complete
   
-  It was previously done mostly to show a match/non-match in the verbose
-  output even when verification was not asked for. This change skips the
-  loading of the CA certs unless verifypeer is set to save memory and CPU.
+  ... as it needs --retry too to work
+
+- TODO: 5.7 Require HTTP version X or higher
   
-  Closes #7892
+  Closes #7980
 
-- curl-confopts.m4:  remove --enable/disable-hidden-symbols
+- CURLOPT_STDERR.3: does not work with libcurl as a win32 DLL
   
-  These configure options have been saying "deprecated" since 9e24b9c7af
-  (April 2012). It was about time we remove them.
+  This is the exact same limitation already documented for
+  CURLOPT_WRITEDATA but should be clarified here. It also has a different
+  work-around.
   
-  Closes #7891
+  Reported-by: Stephane Pellegrino
+  Bug: https://github.com/curl/curl/issues/8102
+  Closes #8103
 
-- c-hyper: don't abort CONNECT responses early when auth-in-progress
+- multi: handle errors returned from socket/timer callbacks
   
-  ... and make sure to stop ignoring the body once the CONNECT is done.
+  The callbacks were partially documented to support this. Now the
+  behavior is documented and returning error from either of these
+  callbacks will effectively kill all currently ongoing transfers.
   
-  This should make test 206 work proper again and not be flaky.
+  Added test 530 to verify
   
-  Closes #7889
+  Reported-by: Marcelo Juchem
+  Fixes #8083
+  Closes #8089
 
-- hyper: does not support disabling CURLOPT_HTTP_TRANSFER_DECODING
+- http2:set_transfer_url() return early on OOM
   
-  Simply because hyper doesn't have this ability. Mentioned in docs now.
+  If curl_url() returns NULL this should return early to avoid mistakes -
+  even if right now the subsequent function invokes are all OK.
   
-  Skip test 326 then
+  Coverity (wrongly) pointed out this as a NULL deref.
   
-  Closes #7889
+  Closes #8100
 
-- test262: don't attempt with hyper
+- tool_parsecfg: use correct free() call to free memory
   
-  This test verifies that curl works with binary zeroes in HTTP response
-  headers and hyper refuses such. They're not kosher http.
+  Detected by Coverity. CID 1494642.
+  Follow-up from 2be1aa619bca
   
-  Closes #7889
+  Closes #8099
 
-- c-hyper: make test 217 run
+- tool_operate: fix potential memory-leak
   
-  Closes #7889
+  A 'CURLU *' would leak if url_proto() is called with no URL.
+  
+  Detected by Coverity. CID 1494643.
+  Follow-up to 18270893abdb19
+  Closes #8098
 
-- DISABLED: enable test 209+213 for hyper
+- [Patrick Monnerat brought this change]
+
+  openldap: implement STARTTLS
   
-  Follow-up to 823d3ab855c
+  As this introduces use of CURLOPT_USE_SSL option for LDAP, also check
+  this option in ldap.c as it is not supported by this backend.
   
-  Closes #7889
+  Closes #8065
 
-- test207: accept a different error code for hyper
+- [Jun Tseng brought this change]
+
+  curl_easy_unescape.3: call curl_easy_cleanup in example
   
-  It returns HYPERE_UNEXPECTED_EOF for this case which we convert to the
-  somewhat generic CURLE_RECV_ERROR.
+  Closes #8097
+
+- [Jun Tseng brought this change]
+
+  curl_easy_escape.3: call curl_easy_cleanup in example
   
-  Closes #7889
+  Closes #8097
 
-- [Érico Nogueira brought this change]
+- tool_listhelp: sync
+  
+  Follow-up to 172068b76f
 
-  INSTALL: update symbol hiding option
+- [Damien Walsh brought this change]
+
+  request.d: refer to 'method' rather than 'command'
   
-  --enable-hidden-symbols was deprecated in
-  9e24b9c7afbcb81120af4cf3f6cdee49a06d8224.
+  Closes #8094
+
+- RELEASE-NOTES: synced
+
+- writeout: fix %{http_version} for HTTP/3
   
-  Closes #7890
+  Output "3" properly when HTTP/3 was used.
+  
+  Reported-by: Bernat Mut
+  Fixes #8072
+  Closes #8092
 
-- http_proxy: multiple CONNECT with hyper done better
+- urlapi: accept port number zero
   
-  Enabled test 206
+  This is a regression since 7.62.0 (fb30ac5a2d).
   
-  Closes #7888
+  Updated test 1560 accordingly
+  
+  Reported-by: Brad Fitzpatrick
+  Fixes #8090
+  Closes #8091
 
-- hyper: pass the CONNECT line to the debug callback
+- [Mark Dodgson brought this change]
+
+  lift: ignore is a deprecated config option, use ignoreRules
   
-  Closes #7887
+  Closes #8082
 
-- mailmap: Malik Idrees Hasan Khan
+- [Alessandro Ghedini brought this change]
 
-Jay Satiro (21 Oct 2021)
-- [Malik Idrees Hasan Khan brought this change]
+  HTTP3: update quiche build instructions
+  
+  The repo repo was re-organized a bit, so the build instructions need to
+  be updated.
+  
+  Closes #8076
 
-  build: fix typos
+- CURLMOPT_TIMERFUNCTION.3: call it expire time, not interval
   
-  Closes https://github.com/curl/curl/pull/7886
+  Since we say it is a non-repating timer
 
-- URL-SYNTAX: add IMAP UID SEARCH example
+- [Florian Van Heghe brought this change]
+
+  mbedTLS: include NULL byte in blob data length for CURLOPT_CAINFO_BLOB
   
-  - Explain the difference between IMAP search via URL (which returns
-    message sequence numbers) and IMAP search via custom request (which
-    can return UID numbers if prefixed with UID, eg "UID SEARCH ...").
+  Fixes #8079
+  Closes #8081
+
+Jay Satiro (2 Dec 2021)
+- [Wyatt O'Day brought this change]
+
+  version_win32: Check build number and platform id
   
-  Bug: https://github.com/curl/curl/issues/7626
-  Reported-by: orycho@users.noreply.github.com
+  Prior to this change the build number was not checked during version
+  comparison, and the platform id was supposed to be checked but wasn't.
   
-  Ref: https://github.com/curl/curl/issues/2789
+  Checking the build number is required for enabling "evergreen"
+  Windows 10/11 features (like TLS 1.3).
   
-  Closes https://github.com/curl/curl/pull/7881
-
-Daniel Stenberg (20 Oct 2021)
-- manpage: adjust the asterisk in some SYNOPSIS sections
+  Ref: https://github.com/curl/curl/pull/7784
   
-  Closes #7884
+  Closes https://github.com/curl/curl/pull/7824
+  Closes https://github.com/curl/curl/pull/7867
 
-- curl_multi_perform.3: polish wording
+- libssh2: fix error message for sha256 mismatch
   
-   - simplify the example by using curl_multi_poll
+  - On mismatch error show sha256 fingerprint in base64 format.
   
-   - mention curl_multi_add_handle in the text
+  Prior to this change the fingerprint was mistakenly printed in binary.
+
+Daniel Stenberg (1 Dec 2021)
+- [x2018 brought this change]
+
+  openssl: check the return value of BIO_new()
   
-   - cut out the description of pre-7.20.0 return code behavior - that version
-     is now more than eleven years old and is basically no longer out there
+  Closes #8078
+
+Dan Fandrich (30 Nov 2021)
+- docs: Update the Reducing Size section
   
-   - adjust the "typical usage" to mention curl_multi_poll
+  Add many more options that can reduce the size of the binary that were
+  added since the last update. Update the sample minimal binary size for
+  version 7.80.0.
+
+- tests: Add some missing keywords to tests
   
-  Closes #7883
+  These are needed to skip some tests when configure options have disabled
+  certain features.
 
-- docs/THANKS: removed on request
+Daniel Stenberg (30 Nov 2021)
+- [Florian Van Heghe brought this change]
 
-- FAQ: polish the explanation of libcurl
+  mbedTLS: add support for CURLOPT_CAINFO_BLOB
+  
+  Closes #8071
 
-- curl_easy_perform.3: minor wording tweak
+- [Glenn Strauss brought this change]
 
-- [Erik Stenlund brought this change]
+  digest: compute user:realm:pass digest w/o userhash
+  
+  https://datatracker.ietf.org/doc/html/rfc7616#section-3.4.4
+    ... the client MUST calculate a hash of the username after
+        any other hash calculation ...
+  
+  Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
+  Closes #8066
 
-  mime: mention CURL_DISABLE_MIME in comment
+- config.d: update documentation to match the path search
   
-  CURL_DISABLE_MIME is not mentioned in the comment describing the if else
-  preprocessor directive.
+  Assisted-by: Jay Satiro
+
+- tool_findfile: search for a file in the homedir
   
-  Closes #7882
+  The homedir() function is now renamed into findfile() and iterates over
+  all the environment variables trying to access the file in question
+  until it finds it. Last resort is then getpwuid() if
+  available. Previously it would first try to find a home directory and if
+  that was set, insist on checking only that directory for the file. This
+  now returns the full file name it finds.
+  
+  The Windows specific checks are now done differently too and in this
+  order:
+  
+  1 - %USERPROFILE%
+  2 - %APPDATA%
+  3 - %USERPROFILE%\\Application Data
+  
+  The windows order is modified to match how the Windows 10 ssh tool works
+  when it searches for .ssh/known_hosts.
+  
+  Reported-by: jeffrson on github
+  Co-authored-by: Jay Satiro
+  Fixes #8033
+  Closes #8035
 
-- tls: remove newline from three infof() calls
+- docs: consistent manpage SYNOPSIS
   
-  Follow-up to e7416cf
+  Make all libcurl related options use .nf (no fill) for the SYNOPSIS
+  section - for consistent look. roffit then renders that section using
+  <pre> (monospace font) in html for the website.
   
-  Reported-by: billionai on github
-  Fixes #7879
-  Closes #7880
+  Extended manpage-syntax (test 1173) with a basic check for it.
+  
+  Closes #8062
 
 - RELEASE-NOTES: synced
 
-- curl_gssapi: fix build warnings by removing const
+- [Patrick Monnerat brought this change]
+
+  openldap: handle connect phase with a state machine
   
-  Follow-up to 20e980f85b0ea6
+  Closes #8054
+
+- docs: address proselint nits
   
-  In #7875 these inits were modified but I get two warnings that these new
-  typecasts are necessary for.
+  - avoid exclamation marks
+  - use consistent number of spaces after periods: one
+  - avoid clichés
+  - avoid using 'very'
   
-  Closes #7876
+  Closes #8060
 
-- [Bo Anderson brought this change]
+- [Bruno Baguette brought this change]
 
-  curl_gssapi: fix link error on macOS Monterey
+  FAQ: typo fix : "yout" ➤ "your"
   
-  Fixes #7657
-  Closes #7875
+  Closes #8059
 
-- test1185: verify checksrc
-  
-  Closes #7866
+- [Bruno Baguette brought this change]
 
-- checksrc: improve the SPACESEMICOLON error message
+  docs/INSTALL.md: typo fix : added missing "get" verb
   
-  and adjust the MULTISPACE one to use plural
+  Closes #8058
+
+- insecure.d: detail its use for SFTP and SCP as well
   
-  Closes #7866
+  Closes #8056
 
-- url: set "k->size" -1 at start of request
+Viktor Szakats (25 Nov 2021)
+- Makefile.m32: rename -winssl option to -schannel and tidy up
   
-  The size of the transfer is unknown at that point.
+  - accept `-schannel` as an alternative to `CFG` option `-winssl`
+    (latter still accepted, but deprecated)
+  - rename internal variable `WINSSL` to `SCHANNEL`
+  - make the `CFG` option evaluation shorter, without repeating the option
+    name
   
-  Fixes #7871
-  Closes #7872
+  Reviewed-by: Marcel Raad
+  Reviewed-by: Daniel Stenberg
+  Closes #8053
 
-Daniel Gustafsson (18 Oct 2021)
-- doh: remove experimental code for DoH with GET
-  
-  The code for sending DoH requests with GET was never enabled in a way
-  such that it could be used or tested. As there haven't been requests
-  for this feature, and since it at this is effectively dead, remove it
-  and favor reimplementing the feature in case anyone is interested.
+Daniel Stenberg (25 Nov 2021)
+- KNOWN_BUGS: 5.6 make distclean loops forever
   
-  Closes #7870
-  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+  Reported-by: David Bohman
+  Closes #7716
 
-Daniel Stenberg (18 Oct 2021)
-- cirrus: remove FreeBSD 11.4 from the matrix
+- KNOWN_BUGS: add one, remove one
   
-  It has reached End-Of-Life and causes some LDAP CI issues.
+  - 5.10 SMB tests fail with Python 2
   
-  Closes #7869
-
-- cirrus: switch to openldap24-client
+  Just use python 3.
   
-  ... as it seems openldap-client doesn't exist anymore.
+  + 5.10 curl hangs on SMB upload over stdin
   
-  Reported-by: Jay Satiro
-  Fixes #7868
-  Closes #7869
+  Closes #7896
 
-- checksrc: ignore preprocessor lines
+- urlapi: provide more detailed return codes
   
-  In order to check the actual code better, checksrc now ignores
-  everything that look like preprocessor instructions. It also means
-  that code in macros are now longer checked.
+  Previously, the return code CURLUE_MALFORMED_INPUT was used for almost
+  30 different URL format violations. This made it hard for users to
+  understand why a particular URL was not acceptable. Since the API cannot
+  point out a specific position within the URL for the problem, this now
+  instead introduces a number of additional and more fine-grained error
+  codes to allow the API to return more exactly in what "part" or section
+  of the URL a problem was detected.
   
-  Note that some rules then still don't need to be followed when code is
-  exactly below a cpp instruction.
+  Also bug-fixes curl_url_get() with CURLUPART_ZONEID, which previously
+  returned CURLUE_OK even if no zoneid existed.
   
-  Removes two checksrc exceptions we needed previously because of
-  preprocessor lines being checked.
+  Test cases in 1560 have been adjusted and extended. Tests 1538 and 1559
+  have been updated.
   
-  Reported-by: Marcel Raad
-  Fixes #7863
-  Closes #7864
+  Updated libcurl-errors.3 and curl_url_strerror() accordingly.
+  
+  Closes #8049
 
-- urlapi: skip a strlen(), pass in zero
+- urlapi: make Curl_is_absolute_url always use MAX_SCHEME_LEN
   
-  ... to let curl_easy_escape() itself do the strlen. This avoids a (false
-  positive) Coverity warning and it avoids us having to store the strlen()
-  return value in an int variable.
+  Instad of having all callers pass in the maximum length, always use
+  it. The passed in length is instead used only as the length of the
+  target buffer for to storing the scheme name in, if used.
   
-  Reviewed-by: Daniel Gustafsson
-  Closes #7862
+  Added the scheme max length restriction to the curl_url_set.3 man page.
+  
+  Follow-up to 45bcb2eaa78c79
+  
+  Closes #8047
 
-- misc: update copyright years
+- [Jay Satiro brought this change]
 
-- examples/htmltidy: correct wrong printf() use
+  cmake: warn on use of the now deprecated symbols
   
-  ... and update the includes to match how current htmltidy wants them
-  used.
+  Follow-up to 9108da2c26d
   
-  Reported-by: Stathis Kapnidis
-  Fixes #7860
-  Closes #7861
+  Closes #8052
 
-Jay Satiro (15 Oct 2021)
-- http: set content length earlier
-  
-  - Make content length (ie download size) accessible to the user in the
-    header callback, but only after all headers have been processed (ie
-    only in the final call to the header callback).
+- [Kevin Burke brought this change]
+
+  tests/CI.md: add more information on CI environments
   
-  Background:
+  Fixes #8012
+  Closes #8022
+
+- cmake: private identifiers use CURL_ instead of CMAKE_ prefix
   
-  For a long time the content length could be retrieved in the header
-  callback via CURLINFO_CONTENT_LENGTH_DOWNLOAD_T as soon as it was parsed
-  by curl.
+  Since the 'CMAKE_' prefix is reserved for cmake's own private use.
+  Ref: https://cmake.org/cmake/help/latest/manual/cmake-variables.7.html
   
-  Changes were made in 8a16e54 (precedes 7.79.0) to ignore content length
-  if any transfer encoding is used. A side effect of that was that
-  content length was not set by libcurl until after the header callback
-  was called the final time, because until all headers are processed it
-  cannot be determined if content length is valid.
+  Reported-by: Boris Rasin
+  Fixes #7988
+  Closes #8044
+
+- urlapi: reject short file URLs
   
-  This change keeps the same intention --all headers must be processed--
-  but now the content length is available before the final call to the
-  header function that indicates all headers have been processed (ie
-  a blank header).
+  file URLs that are 6 bytes or shorter are not complete. Return
+  CURLUE_MALFORMED_INPUT for those. Extended test 1560 to verify.
   
-  Bug: https://github.com/curl/curl/commit/8a16e54#r57374914
-  Reported-by: sergio-nsk@users.noreply.github.com
+  Triggered by #8041
+  Closes #8042
+
+- curl: improve error message for --head with -J
   
-  Co-authored-by: Daniel Stenberg
+  ... it now focuses on the "output of headers" combined with the
+  --remote-header-name option, as that is actually the problem. Both
+  --head and --include can output headers.
   
-  Fixes https://github.com/curl/curl/issues/7804
-  Closes https://github.com/curl/curl/pull/7803
+  Reported-by: nimaje on github
+  Fixes #7987
+  Closes #8045
 
-Daniel Stenberg (15 Oct 2021)
-- [Abhinav Singh brought this change]
+- RELEASE-NOTES: synced
 
-  aws-sigv4: make signature work when post data is binary
+- [Stefan Eissing brought this change]
+
+  urlapi: cleanup scheme parsing
   
-  User sets the post fields size for binary data.  Hence, we should not be
-  using strlen on it.
+  Makea Curl_is_absolute_url() always leave a defined 'buf' and avoids
+  copying on urls that do not start with a scheme.
   
-  Added test 1937 and 1938 to verify.
+  Closes #8043
+
+- tool_operate: only set SSH related libcurl options for SSH URLs
   
-  Closes #7844
+  For example, this avoids trying to find and set the known_hosts file (or
+  warn for its absence) if SFTP or SCP are not used.
+  
+  Closes #8040
 
-- [a1346054 brought this change]
+- [Jacob Hoffman-Andrews brought this change]
 
-  MacOSX-Framework: remove redundant ';'
+  rustls: remove comment about checking handshaking
   
-  Closes #7859
+  The comment is incorrect in two ways:
+   - It says the check needs to be last, but the check is actually first.
+   - is_handshaking actually starts out true.
+  
+  Closes #8038
 
-- RELEASE-NOTES: synced
+Marcel Raad (20 Nov 2021)
+- openssl: use non-deprecated API to read key parameters
+  
+  With OpenSSL 3.0, the parameters are read directly from the `EVP_PKEY`
+  using `EVP_PKEY_get_bn_param`.
+  
+  Closes https://github.com/curl/curl/pull/7893
 
-- openssl: with OpenSSL 1.1.0+ a failed RAND_status means goaway
+- openssl: reduce code duplication
   
-  One reason we know it can fail is if a provider is used that doesn't do
-  a proper job or is wrongly configured.
+  `BN_print`'s `BIGNUM` parameter has been `const` since OpenSSL 0.9.4.
   
-  Reported-by: Michael Baentsch
-  Fixes #7840
-  Closes #7856
+  Closes https://github.com/curl/curl/pull/7893
 
-Marcel Raad (14 Oct 2021)
-- [Ryan Mast brought this change]
+- openssl: remove `RSA_METHOD_FLAG_NO_CHECK` handling if unavailable
+  
+  The flag has been deprecated without replacement in OpenSSL 3.0.
+  
+  Closes https://github.com/curl/curl/pull/7893
 
-  cmake: add CURL_ENABLE_SSL option and make CMAKE_USE_* SSL backend options depend on it
+- openssl: remove usage of deprecated `SSL_get_peer_certificate`
   
-  Closes https://github.com/curl/curl/pull/7822
+  The function name was changed to `SSL_get1_peer_certificate` in OpenSSL
+  3.0.
+  
+  Closes https://github.com/curl/curl/pull/7893
 
-Daniel Stenberg (14 Oct 2021)
-- http: remove assert that breaks hyper
+Daniel Stenberg (19 Nov 2021)
+- page-footer: fix typo
   
-  Reported-by: Jay Satiro
-  Fixes #7852
-  Closes #7855
+  Closes #8036
 
-- http_proxy: fix one more result assign for hyper
+- http: enable haproxy support for hyper backend
   
-  and remove the bad assert again, since it was run even with no error!
+  This is done by having native code do the haproxy header output before
+  hyper issues its request. The little downside with this approach is that
+  we need the entire Curl_buffer_send() function built, which is otherwise
+  not used for hyper builds.
   
-  Closes #7854
+  If hyper ends up getting native support for the haproxy protocols we can
+  backpedal on this.
+  
+  Enables test 1455 and 1456
+  
+  Closes #8034
 
-Jay Satiro (14 Oct 2021)
-- sws: fix memory leak on exit
+- [Bernhard Walle brought this change]
+
+  configure: fix runtime-lib detection on macOS
   
-  - Free the allocated http request struct on cleanup.
+  With a non-standard installation of openssl we get this error:
   
-  Prior to this change if sws was built with leak sanitizer it would
-  report a memory leak error during testing.
+      checking run-time libs availability... failed
+      configure: error: one or more libs available at link-time are not available run-time. Libs used at link-time: -lnghttp2 -lssl -lcrypto -lssl -lcrypto -lz
   
-  Closes https://github.com/curl/curl/pull/7849
-
-Daniel Stenberg (14 Oct 2021)
-- c-hyper: make Curl_http propagate errors better
+  There's already code to set LD_LIBRARY_PATH on Linux, so set
+  DYLD_LIBRARY_PATH equivalent on macOS.
   
-  Pass on better return codes when errors occur within Curl_http instead
-  of insisting that CURLE_OUT_OF_MEMORY is the only possible one.
+  Closes #8028
+
+- [Don J Olmstead brought this change]
+
+  cmake: don't set _USRDLL on a static Windows build
   
-  Pointed-out-by: Jay Satiro
-  Closes #7851
+  Closes #8030
 
-- http_proxy: make hyper CONNECT() return the correct error code
+- page-footer: document more environment variables
   
-  For every 'goto error', make sure the result variable holds the error
-  code for what went wrong.
+  ... that curl might use.
   
-  Reported-by: Rafał Mikrut
-  Fixes #7825
-  Closes #7846
+  Closes #8027
 
-- docs/Makefile.am: repair 'make html'
+- netrc.d: edit the .netrc example to look nicer
   
-  by removing index.html which isn't around anymore
+  Works nicely thanks to d1828b470f43d
   
-  Closes #7853
+  Closes #8025
 
-- [Борис Верховский brought this change]
+- tftp: mark protocol as not possible to do over CONNECT
+  
+  ... and make connect_init() refusing trying to tunnel protocols marked
+  as not working. Avoids a double-free.
+  
+  Reported-by: Even Rouault
+  Fixes #8018
+  Closes #8020
 
-  curl: correct grammar in generated libcurl code
+- docs/cmdline-opts: do not say "protocols: all"
   
-  Closes #7802
+  Remove the lines saying "protocols: all". It makes the output in the
+  manpage look funny, and the expectation is probably by default that if
+  not anything is mentioned about protocols the option apply to them all.
+  
+  Closes #8021
 
-- tests: disable test 2043
+- curl.1: require "see also" for every documented option
   
-  It uses revoked.badssl.com which now is expired and therefor this now
-  permafails. We should not use external sites for tests, this test should
-  be converted to use our own infra.
+  gen.pl now generates a warning if the "See Also" field is not filled in for a
+  command line option
   
-  Closes #7845
+  All command line options now provide one or more related options. 167
+  "See alsos" added!
+  
+  Closes #8019
 
-- runtests: split out ignored tests
+- insecure.d: expand and clarify
   
-  Report ignore tests separately from the actual fails.
+  Closes #8017
+
+- gen.pl: improve example output format
   
-  Don't exit non-zero if test servers couldn't get killed.
+  Treat consecutive lines that start with a space to be "examples". They
+  are output enclosed by .nf and .fi
   
-  Assisted-by: Jay Satiro
+  Updated form.d to use this new fanciness
   
-  Fixes #7818
-  Closes #7841
+  Closes #8016
 
-- http2: make getsock not wait for write if there's no remote window
+- Revert "form-escape.d: double the back-slashes for proper man page output"
   
-  While uploading, check for remote window availability in the getsock
-  function so that we don't wait for a writable socket if no data can be
-  sent.
+  This reverts commit a2d8eac04a4eb1d5a98cf24b4e5cec5cec565d27.
   
-  Reported-by: Steini2000 on github
-  Fixes #7821
-  Closes #7839
+  silly me, it was intended to be one backslash!
 
-- test368: verify dash is appended for "-r [num]"
+- form-escape.d: double the back-slashes for proper man page output
+
+- page-footer: add a mention of how to report bugs to the man page
+
+- RELEASE-NOTES: synced
   
-  Follow-up to 8758a26f8878
+  and bump to 7.81.0-DEV
 
-- [Борис Верховский brought this change]
+- [Patrick Monnerat brought this change]
 
-  curl: actually append "-" to --range without number only
+  mime: use percent-escaping for multipart form field and file names
   
-  Closes #7837
+  Until now, form field and file names where escaped using the
+  backslash-escaping algorithm defined for multipart mails. This commit
+  replaces this with the percent-escaping method for URLs.
+  
+  As this may introduce incompatibilities with server-side applications, a
+  new libcurl option CURLOPT_MIME_OPTIONS with bitmask
+  CURLMIMEOPT_FORMESCAPE is introduced to revert to legacy use of
+  backslash-escaping. This is controlled by new cli tool option
+  --form-escape.
+  
+  New tests and documentation are provided for this feature.
+  
+  Reported by: Ryan Sleevi
+  Fixes #7789
+  Closes #7805
 
-- RELEASE-NOTES: synced
+- [Kevin Burke brought this change]
 
-- urlapi: URL decode percent-encoded host names
+  zuul.d: update rustls-ffi to version 0.8.2
   
-  The host name is stored decoded and can be encoded when used to extract
-  the full URL. By default when extracting the URL, the host name will not
-  be URL encoded to work as similar as possible as before. When not URL
-  encoding the host name, the '%' character will however still be encoded.
+  This version fixes errors with ALPN negotiation in rustls, which is
+  necessary for HTTP/2 support. For more information see the rustls-ffi
+  changelog.
   
-  Getting the URL with the CURLU_URLENCODE flag set will percent encode
-  the host name part.
+  Closes #8013
+
+- configure: better diagnostics if hyper is built wrong
   
-  As a bonus, setting the host name part with curl_url_set() no longer
-  accepts a name that contains space, CR or LF.
+  If hyper is indeed present in the specified directory but couldn't be
+  used to find the correct symbol, then offer a different error message to
+  better help the user understand the issue.
   
-  Test 1560 has been extended to verify percent encodings.
+  Suggested-by: Jacob Hoffman-Andrews
+  Fixes #8001
+  Closes #8005
+
+- test1939: require proxy support to run
   
-  Reported-by: Noam Moshe
-  Reported-by: Sharon Brizinov
-  Reported-by: Raul Onitza-Klugman
-  Reported-by: Kirill Efimov
-  Fixes #7830
-  Closes #7834
+  Follow-up to f0b7099a10d1a
+  
+  Closes #8011
 
-Marc Hoersken (8 Oct 2021)
-- CI/makefiles: introduce dedicated test target
+- test302[12]: run only with the libssh2 backend
   
-  Make it easy to use the same set of test flags
-  throughout all current and future CI builds.
+  ... as the others don't support --hostpubsha256
   
-  Reviewed-by: Jay Satiro
+  Reported-by: Paul Howarth
+  Fixes #8009
+  Closes #8010
+
+- runtests: make the SSH library a testable feature
   
-  Follow up to #7690
-  Closes #7785
+  libssh2, libssh and wolfssh
 
-Daniel Stenberg (8 Oct 2021)
-- maketgz: redirect updatemanpages.pl output to /dev/null
+- [Jacob Hoffman-Andrews brought this change]
 
-- CURLOPT_HTTPHEADER.3: add descripion for specific headers
-  
-  Settting Host: or Transfer-Encoding: chunked actually have special
-  meanings to libcurl. This change tries to document them
+  rustls: read of zero bytes might be okay
   
-  Closes #7829
-
-- c-hyper: use hyper_request_set_uri_parts to make h2 better
+  When we're reading out plaintext from rustls' internal buffers, we might
+  get a read of zero bytes (meaning a clean TCP close, including
+  close_notify). However, we shouldn't return immediately when that
+  happens, since we may have already copied out some plaintext bytes.
+  Break out of the loop when we get a read of zero bytes, and figure out
+  which path we're dealing with.
   
-  and make sure to not send Host: over h2.
+  Acked-by: Kevin Burke
   
-  Fixes #7679
-  Reported-by: David Cook
-  Closes #7827
+  Closes #8003
 
-- [Michael Afanasiev brought this change]
+- [Jacob Hoffman-Andrews brought this change]
 
-  curl-openssl.m4: modify library order for openssl linking
+  rustls: remove incorrect EOF check
   
-  lcrypto may depend on lz, and configure corrently fails with when
-  statically linking as the order is "-lz -lcrypto". This commit switches
-  the order to "-lcrypto -lz".
+  The update to rustls-ffi 0.8.0 changed handling of EOF and close_notify.
+  From the CHANGELOG:
   
-  Closes #7826
-
-Marcel Raad (7 Oct 2021)
-- sha256: use high-level EVP interface for OpenSSL
+  > Handling of unclean close and the close_notify TLS alert. Mirroring
+  > upstream changes, a rustls_connection now tracks TCP closed state like
+  > so: rustls_connection_read_tls considers a 0-length read from its
+  > callback to mean "TCP stream was closed by peer."  If that happens
+  > before the peer sent close_notify, rustls_connection_read will return
+  > RUSTLS_RESULT_UNEXPECTED_EOF once the available plaintext bytes are
+  > exhausted. This is useful to protect against truncation attacks. Note:
+  > some TLS implementations don't send close_notify. If you are already
+  > getting length information from your protocol (e.g. Content-Length in
+  > HTTP) you may choose to ignore UNEXPECTED_EOF so long as the number of
+  > plaintext bytes was as expected.
   
-  Available since OpenSSL 0.9.7. The low-level SHA256 interface is
-  deprecated in OpenSSL v3, and its usage was discouraged even before.
+  That means we don't need to check for unclean EOF in `cr_recv()`,
+  because `process_new_packets()` will give us an error if appropriate.
   
-  Closes https://github.com/curl/curl/pull/7808
+  Closes #8003
 
-- curl_ntlm_core: use OpenSSL only if DES is available
+- lib1939: make it endure torture tests
   
-  This selects another SSL backend then if available, or otherwise at
-  least gives a meaningful error message.
+  Follow-up to f0b7099a10d1a
   
-  Closes https://github.com/curl/curl/pull/7808
+  Closes #8007
 
-- md5: fix compilation with OpenSSL 3.0 API
+- azure: make the "w/o HTTP/SMTP/IMAP" build disable SSL proper
   
-  Only use OpenSSL's MD5 code if it's available.
+  The configure line would previously depend on a configure mistake using
+  --without-openssl that is fixed and now this configure line needs
+  adjusting to use --without-ssl.
   
-  Also fix wolfSSL build with `NO_MD5`, in which case neither the
-  wolfSSL/OpenSSL implementation nor the fallback implementation was
-  used.
+  Follow-up to b589696f0312d
   
-  Closes https://github.com/curl/curl/pull/7808
+  Closes #8006
 
-Daniel Stenberg (7 Oct 2021)
-- print_category: printf %*s needs an int argument
+- [Jacob Hoffman-Andrews brought this change]
+
+  configure: add -lm to configure for rustls build.
   
-  ... not a size_t!
+  Note: The list of libraries that rustc tells us we need to include is
+  longer, but also includes some more platform-specific libraries that I
+  am not sure how to effectively incorporate. Adding just -lm seems to
+  solve an immediate problem, so I'm adding just that.
   
-  Detected by Coverity: CID 1492331.
-  Closes #7823
+  Closes #8002
 
-Jay Satiro (7 Oct 2021)
-- version_win32: use actual version instead of manifested version
-  
-  - Use RtlVerifyVersionInfo instead of VerifyVersionInfo, when possible.
+- curl_share_setopt.3: refer to CURLSHOPT_USERDATA(3) properly
+
+- curl_share_setopt.3: split out options into their own manpages
   
-  Later versions of Windows have normal version functions that compare and
-  return versions based on the way the application is manifested, instead
-  of the actual version of Windows the application is running on. We
-  prefer the actual version of Windows so we'll now call the Rtl variant
-  of version functions (RtlVerifyVersionInfo) which does a proper
-  comparison of the actual version.
+  CURLSHOPT_LOCKFUNC.3
+  CURLSHOPT_SHARE.3
+  CURLSHOPT_UNLOCKFUNC.3
+  CURLSHOPT_UNSHARE.3
+  CURLSHOPT_USERDATA.3
   
-  Reported-by: Wyatt O'Day
+  Closes #7998
+
+- http_proxy: make Curl_connect_done() work for proxy disabled builds
   
-  Ref: https://github.com/curl/curl/pull/7727
+  ... by making it an empty macro then.
   
-  Fixes https://github.com/curl/curl/issues/7742
-  Closes https://github.com/curl/curl/pull/7810
-
-Daniel Stenberg (6 Oct 2021)
-- RELEASE-NOTES: synced
+  Follow-up to f0b7099a10d1a
+  Reported-by: Vincent Grande
+  Fixes #7995
+  Closes #7996
 
-- http: fix Basic auth with empty name field in URL
+- Curl_connect_done: handle being called twice
   
-  Add test 367 to verify.
+  Follow-up to f0b7099a10d1a7c
   
-  Reported-by: Rick Lane
-  Fixes #7819
-  Closes #7820
+  When torture testing 1021, it turns out the Curl_connect_done function
+  might be called twice and that previously then wrongly cleared the HTTP
+  pointer in the second invoke.
+  
+  Closes #7999
 
-- [Jeffrey Tolar brought this change]
+- [Stan Hu brought this change]
 
-  CURLOPT_MAXLIFETIME_CONN: maximum allowed lifetime for conn reuse
-  
-  ... and close connections that are too old instead of reusing them.
+  configure: don't enable TLS when --without-* flags are used
   
-  By default, this behavior is disabled.
+  Previously specifying `--without-gnutls` would unexpectedly attempt to
+  compile with GnuTLS, effectively interpreting this as
+  `--with-gnutls`. This caused a significant amount of confusion when
+  `libcurl` was built with SSL disabled since GnuTLS wasn't present.
   
-  Bug: https://curl.se/mail/lib-2021-09/0058.html
-  Closes #7751
-
-Daniel Gustafsson (6 Oct 2021)
-- docs/examples: add missing binaries to gitignore
+  68d89f24 dropped the `--without-*` options from the configure help, but
+  `AC_ARG_WITH` still defines these flags automatically. As
+  https://www.gnu.org/software/autoconf/manual/autoconf-2.60/html_node/External-Software.html
+  describes, the `action-if-given` is called when the user specifies
+  `--with-*` or `--without-*` options.
   
-  Commit f65d7889b added getreferrer, and commit ae8e11ed5 multi-legacy,
-  both of which missed adding .gitignore clauses for the built binaries.
+  To prevent this confusion, we make the `--without` flag do the right
+  thing by ignoring the value if it set to "no".
   
-  Closes #7817
-  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+  Closes #7994
 
-Daniel Stenberg (5 Oct 2021)
-- [Josip Medved brought this change]
+- [Rikard Falkeborn brought this change]
 
-  HTTP3: fix the HTTP/3 Explained book link
+  docs/checksrc: Add documentation for STRERROR
   
-  Closes #7813
-
-- [Lucas Holt brought this change]
+  Closes #7991
 
-  misc: fix a few issues on MidnightBSD
+- vtls/rustls: adapt to the updated rustls_version proto
   
-  Closes #7812
+  Closes #7956
 
-Daniel Gustafsson (4 Oct 2021)
-- [8U61ife brought this change]
+- [Kevin Burke brought this change]
 
-  tool_main: fix typo in comment
+  vtls/rustls: handle RUSTLS_RESULT_PLAINTEXT_EMPTY
   
-  Closes: #7811
-  Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
+  Previously we'd return CURLE_READ_ERROR if we received this, instead
+  of triggering the error handling logic that's present in the next if
+  block down.
+  
+  After this change, curl requests to https://go.googlesource.com using
+  HTTP/2 complete successfully.
+  
+  Fixes #7949
+  Closes #7948
 
-Daniel Stenberg (4 Oct 2021)
-- [Ryan Mast brought this change]
+- [Kevin Burke brought this change]
 
-  BINDINGS: URL updates
+  zuul: update build environment for rustls-ffi 0.8.0
+
+- [Kevin Burke brought this change]
+
+  vtls/rustls: update to compile with rustls-ffi v0.8.0
   
-  For cpr, BBHTTP, Eiffel, Harbour, Haskell, Mono, and Rust
+  Some method names, as well as the generated library name, were changed
+  in a recent refactoring.
   
-  Closes #7809
-
-- scripts/delta: hide a git error message we don't care about
+  Further, change the default configuration instructions to check for
+  Hyper in either "target/debug" or "target/release" - the latter
+  contains an optimized build configuration.
   
-  fatal: path 'src/tool_listhelp.c' exists on disk, but not in [tag]
+  Fixes #7947
+  Closes #7948
 
-- [Patrick Monnerat brought this change]
+- RELEASE-NOTES: synced
+  
+  and bump the version to 7.80.1
 
-  sasl: binary messages
+- multi: shut down CONNECT in Curl_detach_connnection
   
-  Capabilities of sasl module are extended to exchange messages in binary
-  as an alternative to base64.
+  ... to prevent a lingering pointer that would lead to a double-free.
   
-  If http authentication flags have been set, those are used as sasl
-  default preferred mechanisms.
+  Added test 1939 to verify.
   
-  Closes #6930
+  Reported-by: Stephen M. Coakley
+  Fixes #7982
+  Closes #7986
 
-- [Hayden Roche brought this change]
-
-  wolfssl: use for SHA256, MD4, MD5, and setting DES odd parity
+- curl_easy_cleanup.3: remove from multi handle first
   
-  Prior to this commit, OpenSSL could be used for all these functions, but
-  not wolfSSL. This commit makes it so wolfSSL will be used if USE_WOLFSSL
-  is defined.
+  Easy handles that are used by the multi interface should be removed from
+  the multi handle before they are cleaned up.
   
-  Closes #7806
+  Reported-by: Stephen M. Coakley
+  Ref: #7982
+  Closes #7983
 
-- scripts/delta: count command line options in the new file
+- url.c: fix the SIGPIPE comment for Curl_close
   
-  ... which makes the shown delta number wrong until next release.
+  Closes #7984
+
+Version 7.80.0 (10 Nov 2021)
 
+Daniel Stenberg (10 Nov 2021)
 - RELEASE-NOTES: synced
+  
+  for curl 7.80.0
 
-- print_category: print help descriptions aligned
+- THANKS: add contributors from the 7.80.0 cycle
+
+- [Tatsuhiro Tsujikawa brought this change]
+
+  ngtcp2: advertise h3 as well as h3-29
   
-  Adjust the description position to make an aligned column when doing
-  help listings, which is more pleasing to the eye.
+  Advertise h3 as well as h3-29 since some servers out there require h3
+  for QUIC v1.
   
-  Suggested-by: Gisle Vanem
-  Closes #7792
+  Closes #7979
 
-- lib/mk-ca-bundle.pl: skip certs passed Not Valid After date
+- [Tatsuhiro Tsujikawa brought this change]
+
+  ngtcp2: use QUIC v1 consistently
   
-  With this change applied, the now expired 'DST Root CA X3' cert will no
-  longer be included in the output.
+  Since we switched to v1 quic_transport_parameters codepoint in #7960
+  with quictls, lets use QUIC v1 consistently.
   
-  Details: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
+  Closes #7979
+
+- [Tatsuhiro Tsujikawa brought this change]
+
+  ngtcp2: compile with the latest nghttp3
   
-  Closes #7801
+  Closes #7978
 
-- tool_listhelp: easier to generate with gen.pl
+Marc Hoersken (9 Nov 2021)
+- tests: add Schannel-specific tests and disable unsupported ones
   
-  tool_listhelp.c is now a separate file with only the command line --help
-  output, exactly as generated by gen.pl. This makes it easier to generate
-  updates according to what's in the docs/cmdline-opts docs.
+  Adds Schannel variants of SSLpinning tests that include the option
+  --ssl-revoke-best-effort to ignore certificate revocation check
+  failures which is required due to our custom test CA certificate.
   
-    cd $srcroot/docs/cmdline-opts
-    ./gen.pl listhelp *.d > $srcroot/src/tool_listhelp.c
+  Disable the original variants if the Schannel backend is enabled.
   
-  With a configure build, this also works:
+  Also skip all IDN tests which are broken while using an msys shell.
   
-    make -C src listhelp
+  This is a step to simplify test exclusions for Windows and MinGW.
   
-  Closes #7787
-
-- [Anthony Hu brought this change]
+  Reviewed-by: Jay Satiro
+  Reviewed-by: Marcel Raad
+  Reviewed-by: Daniel Stenberg
+  Closes #7968
 
-  wolfssl: allow setting of groups/curves
-  
-  In particular, the quantum safe KEM and hybrid curves if wolfSSL is
-  built to support them.
+Daniel Stenberg (8 Nov 2021)
+- docs: NAME fixes in easy option man pages
   
-  Closes #7728
+  Closes #7975
 
-- [Jan Mazur brought this change]
+- [Roger Young brought this change]
 
-  connnect: use sysaddr_un fron sys/un.h or custom-defined for windows
+  ftp: make the MKD retry to retry once per directory
   
-  Closes #7737
-
-Jay Satiro (30 Sep 2021)
-- [Rikard Falkeborn brought this change]
+  Reported-by: Roger Young
+  Fixes #7967
+  Closes #7976
 
-  hostip: Move allocation to clarify there is no memleak
+- tool_operate: reorder code to avoid compiler warning
   
-  By just glancing at the code, it looks like there is a memleak if the
-  call to Curl_inet_pton() fails. Looking closer, it is clear that the
-  call to Curl_inet_pton() can not fail, so the code will never leak
-  memory. However, we can make this obvious by moving the allocation
-  after the if-statement.
+  tool_operate.c(889) : warning C4701: potentially uninitialized local
+  variable 'per' use
   
-  Closes https://github.com/curl/curl/pull/7796
+  Follow-up to cc71d352651a0d95
+  Reported-by: Marc Hörsken
+  Bug: https://github.com/curl/curl/pull/7922#issuecomment-963042676
+  Closes #7971
 
-Daniel Stenberg (30 Sep 2021)
-- gen.pl: make the output date format work better
+- curl_easy_perform.3: add a para about recv and send data
   
-  Follow-up to 15910dfd143dd
+  Reported-by: Godwin Stewart
+  Fixes #7973
+  Closes #7974
+
+- tool_operate: fclose stream only if fopened
   
-  The previous strftime format used didn't work correctly on Windows, so
-  change to %B %d %Y which today looks like "September 29 2021".
+  Fixes torture test failures
+  Follow-up to cc71d352651
   
-  Reported-by: Gisle Vanem
-  Bug: #7782
-  Closes #7793
+  Closes #7972
 
-- typecheck-gcc.h: add CURLOPT_PREREQDATA awareness
+- libcurl-easy.3: language polish
+
+- limit-rate.d: this is average over several seconds
   
-  Follow-up to a517378de58358a
-  
-  To make test 1912 happy again
-  
-  Closes #7799
+  Closes #7970
 
-Marcel Raad (29 Sep 2021)
-- configure: remove `HAVE_WINSOCK_H` definition
+- docs: reduce/avoid English contractions
   
-  It's not used anymore.
+  You're => You are
+  Hasn't => Has not
+  Doesn't => Does not
+  Don't => Do not
+  You'll => You will
+  etc
   
-  Closes https://github.com/curl/curl/pull/7795
+  Closes #7930
 
-- CMake: remove `HAVE_WINSOCK_H` definition
-  
-  It's not used anymore.
+- tool_operate: fix torture leaks with etags
   
-  Closes https://github.com/curl/curl/pull/7795
-
-- config: remove `HAVE_WINSOCK_H` definition
+  Spotted by torture testing 343 344 345 347.
   
-  It's not used anymore.
+  Follow-up from cc71d352651a0
+  Pointed-out-by: Dan Fandrich
   
-  Closes https://github.com/curl/curl/pull/7795
+  Closes #7969
 
-- lib: remove `HAVE_WINSOCK_H` usage
-  
-  WinSock v1 is not supported anymore. Exclusively use `HAVE_WINSOCK2_H`
-  instead.
-  
-  Closes https://github.com/curl/curl/pull/7795
+- [Amaury Denoyelle brought this change]
 
-Daniel Stenberg (29 Sep 2021)
-- easyoptions: add the two new PRE* options
+  ngtcp2: support latest QUIC TLS RFC9001
   
-  Follow-up to a517378de58358a
+  QUIC Transport Parameters Extension has been changed between draft-29
+  and latest RFC9001. Most notably, its identifier has been updated from
+  0xffa5 to 0x0039. The version is selected through the QUIC TLS library
+  via the legacy codepoint.
   
-  Also fix optiontable.pl to do the correct remainder on the entry.
+  Disable the usage of legacy codepoint in curl to switch to latest
+  RFC9001. This is required to be able to keep up with latest QUIC
+  implementations.
   
-  Reported-by: Gisle Vanem
-  Bug: https://github.com/curl/curl/commit/a517378de58358a85b7cfe9efecb56051268f629#commitcomment-57224830
-  Closes #7791
+  Acked-by: Tatsuhiro Tsujikawa
+  Closes #7960
 
-- Revert "build: remove checks for WinSock 1"
+- test1173: make manpage-syntax.pl spot \n errors in examples
+
+- man pages: fix backslash-n in examples
   
-  Due to CI issues
+  ... to be proper backslash-backslash-n sequences to render nicely in man
+  and on website.
   
-  This reverts commit c2ea04f92b00b6271627cb218647527b5a50f2fc.
+  Follow-up to 24155569d8a
+  Reported-by: Sergey Markelov
   
-  Closes #7790
+  Fixes https://github.com/curl/curl-www/issues/163
+  Closes #7962
 
-Daniel Gustafsson (29 Sep 2021)
-- lib: avoid fallthrough cases in switch statements
+- scripts/release-notes.pl: use out of repo links verbatim in refs
+
+- tool_operate: a failed etag save now only fails that transfer
   
-  Commit b5a434f7f0ee4d64857f8592eced5b9007d83620 inhibits the warning
-  on implicit fallthrough cases, since the current coding of indicating
-  fallthrough with comments is falling out of fashion with new compilers.
-  This attempts to make the issue smaller by rewriting fallthroughs to no
-  longer fallthrough, via either breaking the cases or turning switch
-  statements into if statements.
+  When failing to create the output file for saving an etag, only fail
+  that particular single transfer and allow others to follow.
   
-    lib/content_encoding.c: the fallthrough codepath is simply copied
-      into the case as it's a single line.
-    lib/http_ntlm.c: the fallthrough case skips a state in the state-
-      machine and fast-forwards to NTLMSTATE_LAST. Do this before the
-      switch statement instead to set up the states that we actually
-      want.
-    lib/http_proxy.c: the fallthrough is just falling into exiting the
-      switch statement which can be done easily enough in the case.
-    lib/mime.c: switch statement rewritten as if statement.
-    lib/pop3.c: the fallthrough case skips to the next state in the
-      statemachine, do this explicitly instead.
-    lib/urlapi.c: switch statement rewritten as if statement.
-    lib/vssh/wolfssh.c: the fallthrough cases fast-forwards the state
-      machine, do this by running another iteration of the switch
-      statement instead.
-    lib/vtls/gtls.c: switch statement rewritten as if statement.
-    lib/vtls/nss.c: the fallthrough codepath is simply copied into the
-      case as it's a single line. Also twiddle a comment to not be
-      inside a non-brace if statement.
+  In a serial transfer setup, if no transfer at all is done due to them
+  all being skipped because of this error, curl will output an error
+  message and return exit code 26.
   
-  Closes: #7322
-  See-also: #7295
-  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
-
-Marcel Raad (28 Sep 2021)
-- config-win32ce: enable WinSock 2
+  Added test 369 and 370 to verify.
   
-  WinSock 2.2 is supported by Windows CE .NET 4.1 (from 2002, out of
-  support since 2013).
+  Reported-by: Earnestly on github
+  Ref: #7942
+  Closes #7945
+
+- [Kevin Burke brought this change]
+
+  .github: retry macos "brew install" command on failure
   
-  Ref: https://docs.microsoft.com/en-us/previous-versions/windows/embedded/ms899586(v=msdn.10)
+  Previously we saw errors attempting to run "brew install", see
+  https://github.com/curl/curl/runs/4095721123?check_suite_focus=true for
+  an example, since this command is idempotent, it is safe to run again.
   
-  Closes https://github.com/curl/curl/pull/7778
+  Closes #7955
 
-- externalsocket: use WinSock 2.2
+- CURLOPT_ALTSVC_CTRL.3: mention conn reuse is preferred
   
-  That's the only version we support.
+  Ref: https://github.com/curl/curl/discussions/7954
   
-  Closes https://github.com/curl/curl/pull/7778
+  Closes #7957
 
-- build: remove checks for WinSock 1
+- RELEASE-NOTES: synced
+
+- zuul: pin the quiche build to use an older cmake-rs
   
-  It's not supported anymore.
+  The latest cmake-rs assumes cmake's --parallel works. That was added in
+  cmake 3.12, but a lot of our CI builds run on Ubuntu Bionic which only
+  has cmake 3.10.
   
-  Closes https://github.com/curl/curl/pull/7778
+  Fixes #7927
+  Closes #7952
 
-Daniel Stenberg (28 Sep 2021)
-- scripts/copyright: .muse is .lift now
-  
-  And update 5 files with old copyright year range
+- [Marc Hoersken brought this change]
 
-- cmdline-opts: made the 'Added:' field mandatory
+  Revert "src/tool_filetime: disable -Wformat on mingw for this file"
   
-  Since "too old" versions are no longer included in the generated man
-  page, this field is now mandatory so that it won't be forgotten and then
-  not included in the documentation.
+  This reverts commit 7c88fe375b15c44d77bccc9ab733b8069d228e6f.
   
-  Closes #7786
+  Follow up to #6535 as the pragma is obsolete with warnf
+  
+  Closes #7941
 
-- curl.1: remove mentions of really old version changes
+Jay Satiro (2 Nov 2021)
+- schannel: fix memory leak due to failed SSL connection
   
-  To make the man page more readable, this change removes all references
-  to changes in support/versions etc that happened before 7.30.0 from the
-  curl.1 output file. 7.30.0 was released on Apr 12 2013. This particular
-  limit is a bit arbitrary but was fairly easy to grep for.
+  - Call schannel_shutdown if the SSL connection fails.
   
-  It is handled like this: the 'Added' keyword is only used in output if
-  it refers to 7.30.0 or later. All occurances of "(Added in $VERSION)" in
-  description will be stripped out if the mentioned $VERSION is from
-  before 7.30.0. It is therefore important that the "Added in..."
-  references are always written exactly like that - and on a single line,
-  not split over two.
+  Prior to this change schannel_shutdown (which shuts down the SSL
+  connection as well as memory cleanup) was not called when the SSL
+  connection failed (eg due to failed handshake).
   
-  This change removes about 80 version number references from curl.1, down
-  to 138 from 218.
+  Co-authored-by: Gisle Vanem
   
-  Closes #7786
-
-- RELEASE-NOTES: synced
+  Fixes https://github.com/curl/curl/issues/7877
+  Closes https://github.com/curl/curl/pull/7878
 
-- tool_cb_prg: make resumed upload progress bar show better
+Daniel Stenberg (2 Nov 2021)
+- Curl_updateconninfo: store addresses for QUIC connections too
   
-  This is a regression that was *probably* injected in the larger progress
-  bar overhaul in 2018.
+  So that CURLINFO_PRIMARY_IP etc work for HTTP/3 like for other HTTP
+  versions.
   
-  Reported-by: beslick5 on github
-  Fixes #7760
-  Closes #7777
+  Reported-by: Jerome Mao
+  Fixes #7939
+  Closes #7944
 
-- gen.pl: insert the current date and version in generated man page
-  
-  Reported-by: Gisle Vanem
-  Ref: #7780
-  Closes #7782
+- [Sergio Durigan Junior brought this change]
 
-- NTLM: use DES_set_key_unchecked with OpenSSL
+  curl.1: fix typos in the manpage
   
-  ... as the previously used function DES_set_key() will in some cases
-  reject using a key that it deems "weak" which will cause curl to
-  continue using the unitialized buffer content as key instead.
+  s/transfering/transferring/
+  s/transfered/transferred/
   
-  Assisted-by: Harry Sintonen
-  Fixes #7779
-  Closes #7781
+  Signed-off-by: Sergio Durigan Junior <sergiodj@sergiodj.net>
+  Closes #7937
 
-Marc Hoersken (27 Sep 2021)
-- CI: align make and test flags in various config files
+Marc Hoersken (1 Nov 2021)
+- tests/smbserver.py: fix compatibility with impacket 0.9.23+
   
-  1. Use Makefile target to run tests in autotools builds on AppVeyor.
-  2. Disable testing of SCP protocol on native Windows environments.
-  3. Remove redundant parameters -a -p from target test-nonflaky.
-  4. Don't use -vc parameter which is reserved for debugging.
+  impacket now performs sanity checks if the requested and to
+  be served file path actually is inside the real share path.
   
-  Replaces #7591
-  Closes #7690
+  Ref: https://github.com/SecureAuthCorp/impacket/pull/1066
+  
+  Fixes #7924
+  Closes #7935
 
-Daniel Stenberg (27 Sep 2021)
-- mailmap: unify Max!
+Daniel Stenberg (1 Nov 2021)
+- docs: reduce use of "very"
+  
+  "Very" should be avoided in most texts. If intensifiers are needed, try
+  find better words instead.
+  
+  Closes #7936
 
-- [Max Dymond brought this change]
+- [Tatsuhiro Tsujikawa brought this change]
 
-  CURLOPT_PREREQFUNCTION: add new callback
+  ngtcp2: specify the missing required callback functions
   
-  Triggered before a request is made but after a connection is set up
+  Closes #7929
+
+- CURLOPT_[PROXY]_SSL_CIPHER_LIST.3: bold instead of quote
   
-  Changes:
+  Bold the example ciphers instead of using single quotes, which then also
+  avoids the problem of how to use single quotes when first in a line.
   
-  - callback: Update docs and callback for pre-request callback
-  - Add documentation for CURLOPT_PREREQDATA and CURLOPT_PREREQFUNCTION,
-  - Add redirect test and callback failure test
-  - Note that the function may be called multiple times on a redirection
-  - Disable new 2086 test due to Windows weirdness
+  Also rephrased the pages a little.
   
-  Closes #7477
+  Reported-by: Sergio Durigan Junior
+  Ref: #7928
+  Closes #7934
 
-- KNOWN_BUGS: HTTP/2 connections through HTTPS proxy frequently stall
+- gen.pl: replace leading single quotes with \(aq
   
-  Closes #6936
+  ... and allow single quotes to be used "normally" in the .d files.
+  
+  Makes the output curl.1 use better nroff.
+  
+  Reported-by: Sergio Durigan Junior
+  Ref: #7928
+  Closes #7933
 
-- TODO: make configure use --cache-file more and better
+Marc Hoersken (1 Nov 2021)
+- tests: kill some test servers afterwards to avoid locked logfiles
   
-  Closes #7753
+  Reviewed-by: Daniel Stenberg
+  Closes #7925
 
-- [Sergey Markelov brought this change]
+Daniel Stenberg (1 Nov 2021)
+- smooth-gtk-thread.c: enhance the mutex lock use
+  
+  Reported-by: ryancaicse on github
+  Fixes #7926
+  Closes #7931
 
-  urlapi: support UNC paths in file: URLs on Windows
+Marc Hoersken (31 Oct 2021)
+- CI/runtests.pl: restore -u flag, but remove it from CI runs
   
-  - file://host.name/path/file.txt is a valid UNC path
-    \\host.name\path\files.txt to a non-local file transformed into URI
-    (RFC 8089 Appendix E.3)
+  This makes it possible to use -u again for local testing,
+  but removes the flag from CI config files and make targets.
   
-  - UNC paths on other OSs must be smb: URLs
+  Reviewed-by: Daniel Stenberg
   
-  Closes #7366
+  Partially reverts #7841
+  Closes #7921
 
-- [Gleb Ivanovsky brought this change]
+Daniel Stenberg (29 Oct 2021)
+- [Jonathan Cardoso Machado brought this change]
 
-  urlapi: add curl_url_strerror()
+  CURLOPT_HSTSWRITEFUNCTION.3: using CURLOPT_HSTS_CTRL is required
   
-  Add curl_url_strerror() to convert CURLUcode into readable string and
-  facilitate easier troubleshooting in programs using URL API.
-  Extend CURLUcode with CURLU_LAST for iteration in unit tests.
-  Update man pages with a mention of new function.
-  Update example code and tests with new functionality where it fits.
+  Closes #7923
+
+- [Axel Morawietz brought this change]
+
+  imap: display quota information
   
-  Closes #7605
+  Show response to "GETQUOTAROOT INBOX" command.
+  
+  Closes #6973
 
 - RELEASE-NOTES: synced
 
-- [Mats Lindestam brought this change]
+- [Boris Rasin brought this change]
 
-  libssh2: add SHA256 fingerprint support
-  
-  Added support for SHA256 fingerprint in command line curl and in
-  libcurl.
+  cmake: fix error getting LOCATION property on non-imported target
   
-  Closes #7646
+  Closes #7885
 
-- libcurl.rc: switch out the copyright symbol for plain ASCII
+- [x2018 brought this change]
+
+  url: check the return value of curl_url()
   
-  Reported-by: Vitaly Varyvdin
-  Assisted-by: Viktor Szakats
-  Fixes #7765
-  Closes #7776
+  Closes #7917
 
-- [Jun-ya Kato brought this change]
+- [Roy Li brought this change]
 
-  ngtcp2: fix QUIC transport parameter version
+  configure.ac: replace krb5-config with pkg-config
   
-  fix inappropriate version setting for QUIC transport parameters.
-  this patch keeps curl with ngtcp2 uses QUIC draft version (h3-29).
+  The rationale is that custom *-config tools don't work well when
+  cross-compiling or using sysroots (such as when using Yocto project) and
+  require custom fixing for each of them; pkg-config on the other hand
+  works similarly everywhere.
   
-  Closes #7771
+  Signed-off-by: Roy Li <rongqing.li@windriver.com>
+  Signed-off-by: Alexander Kanavin <alex@linutronix.de>
+  
+  Closes #7916
 
-- examples/imap-append: fix end-of-data check
+- test1160: edited to work with hyper
   
-  Reported-by: Alexander Chuykov
-  Fixes #7774
-  Closes #7775
+  Closes #7912
 
-Michael Kaufmann (24 Sep 2021)
-- vtls: Fix a memory leak if an SSL session cannot be added to the cache
+- data/DISABLED: enable tests that now work with hyper
   
-  On connection shutdown, a new TLS session ticket may arrive after the
-  SSL session cache has already been destructed. In this case, the new
-  SSL session cannot be added to the SSL session cache.
+  Closes #7911
+
+- test559: add 'HTTP' in keywords
   
-  The callers of Curl_ssl_addsessionid() need to know whether the SSL
-  session has been added to the cache. If it has not been added, the
-  reference counter of the SSL session must not be incremented, or memory
-  used by the SSL session must be freed. This is now possible with the new
-  output parameter "added" of Curl_ssl_addsessionid().
+  Makes it run fine with hyper
   
-  Fixes #7683
-  Closes #7752
+  Closes #7911
 
-Daniel Stenberg (24 Sep 2021)
-- [Momoka Yamamoto brought this change]
+- test552: updated to work with hyper
+  
+  Closes #7911
 
-  HTTP3.md: use 'autoreconf -fi' instead of buildconf
+Marc Hoersken (27 Oct 2021)
+- github: fix incomplete permission to label PRs for Hacktoberfest
   
-  buildconf is not used since #5853
+  Unfortunately the GitHub API requires a token with write permission
+  for both issues and pull-requests to edit labels on even just PRs.
   
-  Closes #7746
-
-- GIT-INFO: rephrase to adapt to s/buildconf/autoreconf
-
-- [h1zzz brought this change]
+  Follow up to #7897
 
-  llist: remove redundant code, branch will not be executed
+Daniel Stenberg (27 Oct 2021)
+- opt-manpages: use 'Added in' instead of 'Since'
   
-  Closes #7770
-
-- [tlahn brought this change]
+  Closes #7913
 
-  HTTP-COOKIES.md: remove duplicate 'each'
+Marc Hoersken (27 Oct 2021)
+- github: fix missing permission to label PRs for Hacktoberfest
   
-  Closes #7772
-
-Jay Satiro (24 Sep 2021)
-- [Joel Depooter brought this change]
-
-  libssh2: Get the version at runtime if possible
+  Follow up to #7897
   
-  Previously this code used a compile time constant, meaning that libcurl
-  always reported the libssh2 version that libcurl was built with. This
-  could differ from the libssh2 version actually being used. The new code
-  uses the CURL_LIBSSH2_VERSION macro, which is defined in ssh.h. The
-  macro calls the libssh2_version function if it is available, otherwise
-  it falls back to the compile time version.
+  Test references to see if permissions are now sufficient:
   
-  Closes https://github.com/curl/curl/pull/7768
-
-- [Joel Depooter brought this change]
+  Closes #7832
+  Closes #7897
 
-  schannel: fix typo
+- CI: more use of test-ci make target and verbose output
   
-  Closes https://github.com/curl/curl/pull/7769
-
-Daniel Stenberg (23 Sep 2021)
-- cmake: with OpenSSL, define OPENSSL_SUPPRESS_DEPRECATED
+  Replace test-nonflaky with test-ci and enable verbose output
+  in all remaining CIs except Zuul which is customized a lot.
   
-  To avoid the "... is deprecated" warnings brought by OpenSSL v3.
-  (We need to address the underlying code at some point of course.)
+  Reviewed-by: Daniel Stenberg
+  Reviewed-by: Jay Satiro
   
-  Assisted-by: Jakub Zakrzewski
-  Closes #7767
+  Follow up to #7785
+  Closes #7832
 
-- curl-openssl: pass argument to sed single-quoted
+- github: add support for Hacktoberfest using labels
   
-  ... instead of using an escaped double-quote. This is an attempt to make
-  this work better with ksh that otherwise would insist on a double
-  escape!
+  Automatically add hacktoberfest-accepted label to PRs opened between
+  September 30th and November 1st once a commit with a close reference
+  to it is pushed onto the master branch.
   
-  Reported-by: Randall S. Becker
-  Fixes #7758
-  Closes #7764
-
-- RELEASE-NOTES: synced
+  With this workflow we can participate in Hacktoberfest while not
+  relying on GitHub to identify PRs as merged due to our rebasing.
   
-  Bumped curlver to 7.80.0-dev
-
-- [a1346054 brought this change]
-
-  misc: fix typos in docs and comments
+  Requires hacktoberfest-accepted labels to exist for PRs on the
+  participating repository. Also requires hacktoberfest topic on
+  the participating repository to avoid applying to forked repos.
   
-  No user facing output from curl/libcurl is changed by this, just
-  comments.
+  Reviewed-by: Daniel Stenberg
   
-  Closes #7747
-
-- [Thomas M. DuBuisson brought this change]
+  Fixes #7865
+  Closes #7897
 
-  ci: update Lift config to match requirements of curl build
+Daniel Stenberg (27 Oct 2021)
+- http: reject HTTP response codes < 100
   
-  Also renamed Muse -> Lift, the new tool name.
+  ... which then also includes negative ones as test 1430 uses.
   
-  Closes #7761
+  This makes native + hyper backend act identically on this and therefore
+  test 1430 can now be enabled when building with hyper. Adjust test 1431
+  as well.
+  
+  Closes #7909
 
-- [Rikard Falkeborn brought this change]
+- [Kerem Kat brought this change]
 
-  cleanup: constify unmodified static structs
-  
-  Constify a number of static structs that are never modified. Make them
-  const to show this.
+  docs: fix typo in CURLOPT_TRAILERFUNCTION example
   
-  Closes #7759
+  Closes #7910
 
-Version 7.79.1 (22 Sep 2021)
+- docs/HYPER: remove some remaining issues, add HTTP/0.9 limitation
 
-Daniel Stenberg (22 Sep 2021)
-- RELEASE-NOTES: synced
+- configure: when hyper is selected, deselect nghttp2
   
-  curl 7.79.1 release
+  Closes #7908
 
-- THANKS: added names from the 7.79.1 release
+- [Patrick Monnerat brought this change]
 
-- test897: verify delivery of IMAP post-body header content
+  sendf: accept zero-length data in Curl_client_write()
   
-  The "content" is delivered as "body" by curl, but the envelope continues
-  after the body and the rest of it should be delivered as header.
+  Historically, Curl_client_write() used a length value of 0 as a marker
+  for a null-terminated data string. This feature has been removed in
+  commit f4b85d2. To detect leftover uses of the feature, a DEBUGASSERT
+  statement rejecting a length with value 0 was introduced, effectively
+  precluding use of this function with zero-length data.
   
-  The IMAP server can now get 'POSTFETCH' set to include more data to
-  include after the body and test 897 is done to verify that such "extra"
-  header data is in fact delivered by curl as header.
+  The current commit removes the DEBUGASSERT and makes the function to
+  return immediately if length is 0.
   
-  Ref: #7284 but fails to reproduce the issue
+  A direct effect is to fix trying to output a zero-length distinguished
+  name in openldap.
   
-  Closes #7748
-
-- KNOWN_BUGS: connection migration doesn't work
+  Another DEBUGASSERT statement is also rephrased for better readability.
   
-  Closes #7695
-
-- RELEASE-NOTES: synced
+  Closes #7898
 
-- http: fix the broken >3 digit response code detection
+- hyper: disable test 1294 since hyper doesn't allow such crazy headers
   
-  When the "reason phrase" in the HTTP status line starts with a digit,
-  that was treated as the forth response code digit and curl would claim
-  the response to be non-compliant.
+  Closes #7905
+
+- c-hyper: make CURLOPT_SUPPRESS_CONNECT_HEADERS work
   
-  Added test 1466 to verify this case.
+  Verified by the enabled test 1288
   
-  Regression brought by 5dc594e44f73b17
-  Reported-by: Glenn de boer
-  Fixes #7738
-  Closes #7739
+  Closes #7905
 
-Jay Satiro (17 Sep 2021)
-- strerror: use sys_errlist instead of strerror on Windows
-  
-  - Change Curl_strerror to use sys_errlist[errnum] instead of strerror to
-    retrieve the error message on Windows.
+- test1287: make work on hyper
   
-  Windows' strerror writes to a static buffer and is not thread-safe.
+  Closes #7905
+
+- test1266/1267: disabled on hyper: no HTTP/0.9 support
   
-  Follow-up to 2f0bb86 which removed most instances of strerror in favor
-  of calling Curl_strerror (which calls strerror_r for other platforms).
+  Closes #7905
+
+Viktor Szakats (25 Oct 2021)
+- Makefile.m32: fix to not require OpenSSL with -libssh2 or -rtmp options
   
-  Ref: https://github.com/curl/curl/pull/7685
-  Ref: https://github.com/curl/curl/commit/2f0bb86
+  Previously, -libssh2/-rtmp options assumed that OpenSSL is also enabled
+  (and then failed with an error when not finding expected OpenSSL headers),
+  but this isn't necessarly true, e.g. when building both libssh2 and curl
+  against Schannel. This patch makes sure to only enable the OpenSSL backend
+  with -libssh2/-rtmp, when there was no SSL option explicitly selected.
   
-  Closes https://github.com/curl/curl/pull/7735
-
-Daniel Stenberg (16 Sep 2021)
-- dist: provide lib/.checksrc in the tarball
+  - Re-implement the logic as a single block of script.
+  - Also fix an indentation while there.
   
-  So that debug builds work (checksrc really)
+  Assisted-by: Jay Satiro
   
-  Reported-by: Marcel Raad
-  Reported-by: tawmoto on github
-  Fixes #7733
-  Closes #7734
+  Closes #7895
 
-- TODO: Improve documentation about fork safety
+Daniel Stenberg (25 Oct 2021)
+- docs: consistent use of "Added in"
   
-  Closes #6968
+  Make them all say "Added in [version]" without using 'curl' or 'libcurl'
+  in that phrase.
 
-- hsts: CURLSTS_FAIL from hsts read callback should fail transfer
+- man pages: require all to use the same section header order
   
-  ... and have CURLE_ABORTED_BY_CALLBACK returned.
+  This is the same order we already enforce among the options' man pages:
+  consistency is good. Add lots of previously missing examples.
   
-  Extended test 1915 to verify.
+  Adjust the manpage-syntax script for this purpose, used in test 1173.
   
-  Reported-by: Jonathan Cardoso
-  Fixes #7726
-  Closes #7729
+  Closes #7904
 
-- test1184: disable
-  
-  The test should be fine and it works for me repeated when run manually,
-  but clearly it causes CI failures and it needs more research.
-  
-  Reported-by: RiderALT on github
-  Fixes #7725
-  Closes #7732
+- [David Hu brought this change]
 
-- Curl_http2_setup: don't change connection data on repeat invokes
+  docs/HTTP3: improve build instructions
   
-  Regression from 3cb8a748670ab88c (releasde in 7.79.0). That change moved
-  transfer oriented inits to before the check but also erroneously moved a
-  few connection oriented ones, which causes problems.
+  1. If writing to a system path if the command is not prefixed with
+  `sudo` it will cause a permission denied error
   
-  Reported-by: Evangelos Foutras
-  Fixes #7730
-  Closes #7731
-
-- RELEASE-NOTES: synced
+  2. The patched OpenSSL branch has been updated to `openssl-3.0.0+quic`
+  to match upstream OpenSSL version.
   
-  and bump to 7.79.1
-
-Kamil Dudka (16 Sep 2021)
-- tests/sshserver.pl: make it work with openssh-8.7p1
+  3. We should not disable GnuTLS docs.
   
-  ... by not using options with no argument where an argument is required:
+  Updated some commands about `make install`
   
-  === Start of file tests/log/ssh_server.log
-  curl_sshd_config line 6: no argument after keyword "DenyGroups"
-  curl_sshd_config line 7: no argument after keyword "AllowGroups"
-  curl_sshd_config line 10: Deprecated option AuthorizedKeysFile2
-  curl_sshd_config line 29: Deprecated option KeyRegenerationInterval
-  curl_sshd_config line 39: Deprecated option RhostsRSAAuthentication
-  curl_sshd_config line 40: Deprecated option RSAAuthentication
-  curl_sshd_config line 41: Deprecated option ServerKeyBits
-  curl_sshd_config line 45: Deprecated option UseLogin
-  curl_sshd_config line 56: no argument after keyword "AcceptEnv"
-  curl_sshd_config: terminating, 3 bad configuration options
-  === End of file tests/log/ssh_server.log
+  Closes #7842
+
+- [Ricardo Martins brought this change]
+
+  CMake: restore support for SecureTransport on iOS
   
-  === Start of file log/sftp_server.log
-  curl_sftp_config line 33: Unsupported option "rhostsrsaauthentication"
-  curl_sftp_config line 34: Unsupported option "rsaauthentication"
-  curl_sftp_config line 52: no argument after keyword "sendenv"
-  curl_sftp_config: terminating, 1 bad configuration options
-  Connection closed.
-  Connection closed
-  === End of file log/sftp_server.log
+  Restore support for building curl for iOS with SecureTransport enabled.
   
-  Closes #7724
+  Closes #7501
 
-Daniel Stenberg (15 Sep 2021)
-- hsts: handle unlimited expiry
+- tests: enable more tests with hyper
   
-  When setting a blank expire string, meaning unlimited, curl would pass
-  TIME_T_MAX to getime_r() when creating the output, while on 64 bit
-  systems such a large value cannot be convetered to a tm struct making
-  curl to exit the loop with an error instead. It can't be converted
-  because the year it would represent doesn't fit in the 'int tm_year'
-  field!
+  Adjusted 1144, 1164 and 1176.
   
-  Starting now, unlimited expiry is instead handled differently by using a
-  human readable expiry date spelled out as "unlimited" instead of trying
-  to use a distant actual date.
+  Closes #7900
+
+- docs: provide "RETURN VALUE" section for more func manpages
   
-  Test 1660 and 1915 have been updated to help verify this change.
+  Three were missing, one used a non-standard name for the header.
   
-  Reported-by: Jonathan Cardoso
-  Fixes #7720
-  Closes #7721
+  Closes #7902
 
-- curl_multi_fdset: make FD_SET() not operate on sockets out of range
+Jay Satiro (25 Oct 2021)
+- curl_multi_socket_action.3: add a "RETURN VALUE" section
   
-  The VALID_SOCK() macro was made to only check for FD_SETSIZE if curl was
-  built to use select(), even though the curl_multi_fdset() function
-  always and unconditionally uses FD_SET and needs the check.
+  .. because it may not be immediately clear to the user what
+  curl_multi_socket_action returns.
   
-  Reported-by: 0xee on github
-  Fixes #7718
-  Closes #7719
+  Ref: https://curl.se/mail/lib-2021-10/0035.html
+  
+  Closes https://github.com/curl/curl/pull/7901
 
-- FAQ: add GOPHERS + curl works on data, not files
+Daniel Stenberg (24 Oct 2021)
+- RELEASE-NOTES: synced
 
-Version 7.79.0 (14 Sep 2021)
+- [Samuel Henrique brought this change]
 
-Daniel Stenberg (14 Sep 2021)
-- RELEASE-NOTES: synced
+  tests: use python3 in test 1451
   
-  For the 7.79.0 release
+  This is a continuation of commit ec91b5a69000bea0794bbb3 in which
+  changing this test was missed.  There are no other python2 leftovers
+  now.
+  
+  Based on a Debian patch originally written by Alessandro Ghedini
+  <ghedo@debian.org>
+  
+  Closes #7899
 
-- THANKS: add contributors from 7.79.0 release cycle
+- [Eddie Lumpkin brought this change]
 
-- FAQ: add two dev related questions
-  
-    8.1 Why does curl use C89?
-    8.2 Will curl be rewritten?
+  lib: fixing comment spelling typos in lib files
   
-  Spell-checked-by: Paul Johnson
-  Closes #7715
+  Closes #7894
+  Signed-off-by: ewlumpkin <ewlumpkin@gmail.com>
 
-- zuul.d/jobs: disable three tests for *-openssl-disable-proxy
+- openssl: if verifypeer is not requested, skip the CA loading
   
-  ... as they mysteriously seem to permfail without being related to
-  proxy.
+  It was previously done mostly to show a match/non-match in the verbose
+  output even when verification was not asked for. This change skips the
+  loading of the CA certs unless verifypeer is set to save memory and CPU.
   
-  Closes #7714
-
-- [Patrick Monnerat brought this change]
+  Closes #7892
 
-  ftp,imap,pop3,smtp: reject STARTTLS server response pipelining
+- curl-confopts.m4:  remove --enable/disable-hidden-symbols
   
-  If a server pipelines future responses within the STARTTLS response, the
-  former are preserved in the pingpong cache across TLS negotiation and
-  used as responses to the encrypted commands.
+  These configure options have been saying "deprecated" since 9e24b9c7af
+  (April 2012). It was about time we remove them.
   
-  This fix detects pipelined STARTTLS responses and rejects them with an
-  error.
+  Closes #7891
+
+- c-hyper: don't abort CONNECT responses early when auth-in-progress
   
-  CVE-2021-22947
+  ... and make sure to stop ignoring the body once the CONNECT is done.
   
-  Bug: https://curl.se/docs/CVE-2021-22947.html
-
-- [Patrick Monnerat brought this change]
+  This should make test 206 work proper again and not be flaky.
+  
+  Closes #7889
 
-  ftp,imap,pop3: do not ignore --ssl-reqd
+- hyper: does not support disabling CURLOPT_HTTP_TRANSFER_DECODING
   
-  In imap and pop3, check if TLS is required even when capabilities
-  request has failed.
+  Simply because hyper doesn't have this ability. Mentioned in docs now.
   
-  In ftp, ignore preauthentication (230 status of server greeting) if TLS
-  is required.
+  Skip test 326 then
   
-  Bug: https://curl.se/docs/CVE-2021-22946.html
+  Closes #7889
+
+- test262: don't attempt with hyper
   
-  CVE-2021-22946
+  This test verifies that curl works with binary zeroes in HTTP response
+  headers and hyper refuses such. They're not kosher http.
+  
+  Closes #7889
 
-- [z2_ on hackerone brought this change]
+- c-hyper: make test 217 run
+  
+  Closes #7889
 
-  mqtt: clear the leftovers pointer when sending succeeds
+- DISABLED: enable test 209+213 for hyper
   
-  CVE-2021-22945
+  Follow-up to 823d3ab855c
   
-  Bug: https://curl.se/docs/CVE-2021-22945.html
+  Closes #7889
 
-- zuul: bump the rustls job to use v0.7.2
+- test207: accept a different error code for hyper
   
-  ... and add -lm when using a rust library.
+  It returns HYPERE_UNEXPECTED_EOF for this case which we convert to the
+  somewhat generic CURLE_RECV_ERROR.
   
-  Closes #7701
+  Closes #7889
 
-- RELEASE-PROCEDURE: add release dates from now to 8.0.0 in 2023
+- [Érico Nogueira brought this change]
 
-- SECURITY-PROCESS: tweak a little to match current practices
+  INSTALL: update symbol hiding option
   
-  Closes #7713
-
-- http_proxy: fix the User-Agent inclusion in CONNECT
+  --enable-hidden-symbols was deprecated in
+  9e24b9c7afbcb81120af4cf3f6cdee49a06d8224.
   
-  It should not refer to the uagent string that is allocated and created
-  for the end server http request, as that pointer may be cleared on
-  subsequent CONNECT requests.
+  Closes #7890
+
+- http_proxy: multiple CONNECT with hyper done better
   
-  Added test case 1184 to verify.
+  Enabled test 206
   
-  Reported-by: T200proX7 on github
-  Fixes #7705
-  Closes #7707
+  Closes #7888
 
-- Curl_hsts_loadcb: don't attempt to load if hsts wasn't inited
+- hyper: pass the CONNECT line to the debug callback
   
-  Reported-by: Jonathan Cardoso
-  Fixes #7710
-  Closes #7711
+  Closes #7887
 
-- [Tatsuhiro Tsujikawa brought this change]
+- mailmap: Malik Idrees Hasan Khan
 
-  ngtcp2: fix build with ngtcp2 and nghttp3
-  
-  ngtcp2_conn_client_new and nghttp3_conn_client_new are now macros.
-  Check the wrapped functions instead.
-  
-  ngtcp2_stream_close callback now takes flags parameter.
-  
-  Closes #7709
+Jay Satiro (21 Oct 2021)
+- [Malik Idrees Hasan Khan brought this change]
 
-- write-out.d: clarify size_download/upload
+  build: fix typos
   
-  They show the number of "body" bytes transfered.
-  Fixes #7702
-  Closes #7706
+  Closes https://github.com/curl/curl/pull/7886
 
-- http2: Curl_http2_setup needs to init stream data in all invokes
+- URL-SYNTAX: add IMAP UID SEARCH example
   
-  Thus function was written to avoid doing multiple connection data
-  initializations, which is fine, but since it also initiates stream
-  related data it is crucial that it doesn't skip those even if called
-  again for the same connection. Solved by moving the stream
-  initializations before the "doing-it-again" check.
+  - Explain the difference between IMAP search via URL (which returns
+    message sequence numbers) and IMAP search via custom request (which
+    can return UID numbers if prefixed with UID, eg "UID SEARCH ...").
   
-  Reported-by: Inho Oh
-  Fixes #7630
-  Closes #7692
-
-- url: fix compiler warning in no-verbose builds
+  Bug: https://github.com/curl/curl/issues/7626
+  Reported-by: orycho@users.noreply.github.com
   
-  Follow-up from 2f0bb864c12
+  Ref: https://github.com/curl/curl/issues/2789
   
-  Closes #7700
+  Closes https://github.com/curl/curl/pull/7881
 
-- non-ascii: fix build errors from strerror fix
-  
-  Follow-up to 2f0bb864c12
+Daniel Stenberg (20 Oct 2021)
+- manpage: adjust the asterisk in some SYNOPSIS sections
   
-  Closes #7697
+  Closes #7884
 
-- parse_args: redo the warnings for --remote-header-name combos
+- curl_multi_perform.3: polish wording
   
-  ... to avoid the memory leak risk pointed out by scan-build.
+   - simplify the example by using curl_multi_poll
   
-  Follow-up from 7a3e981781d6c18a
+   - mention curl_multi_add_handle in the text
   
-  Closes #7698
-
-- ngtcp2: adapt to new size defintions upstream
+   - cut out the description of pre-7.20.0 return code behavior - that version
+     is now more than eleven years old and is basically no longer out there
   
-  Reviewed-by: Tatsuhiro Tsujikawa
-  Closes #7699
-
-- rustls: add strerror.h include
+   - adjust the "typical usage" to mention curl_multi_poll
   
-  Follow-up to 2f0bb864c12
+  Closes #7883
 
-- docs: the security list is reached at security at curl.se now
-  
-  Also update the FAQ section a bit to encourage users to rather submit
-  security issues on hackerone than sending email.
-  
-  Closes #7689
+- docs/THANKS: removed on request
 
-Marc Hoersken (9 Sep 2021)
-- runtests: add option -u to error on server unexpectedly alive
-  
-  Let's try to actually handle the server unexpectedly alive
-  case by first making them visible on CI builds as failures.
-  
-  This is needed to detect issues with killing of the test
-  servers completely including nested process chains with
-  multiple PIDs per test server (including bash and perl).
-  
-  On Windows/cygwin platforms this is especially helpful with
-  debugging PID mixups due to cygwin using its own PID space.
-  
-  Reviewed-by: Daniel Stenberg
-  Closes #7180
+- FAQ: polish the explanation of libcurl
 
-Daniel Stenberg (9 Sep 2021)
-- opts docs: unify phrasing in NAME header
-  
-  - avoid writing "set ..." or "enable/disable ..." or "specify ..."
-    *All* options for curl_easy_setopt() are about setting or enabling
-    things and most of the existing options didn't use that way of
-    description.
-  
-  - start with lowercase letter, unless abbreviation. For consistency.
-  
-  - Some additional touch-ups
-  
-  Closes #7688
+- curl_easy_perform.3: minor wording tweak
 
-- strerror.h: remove the #include from files not using it
+- [Erik Stenlund brought this change]
 
-- lib: don't use strerror()
-  
-  We have and provide Curl_strerror() internally for a reason: strerror()
-  is not necessarily thread-safe so we should always try to avoid it.
+  mime: mention CURL_DISABLE_MIME in comment
   
-  Extended checksrc to warn for this, but feature the check disabled by
-  default and only enable it in lib/
+  CURL_DISABLE_MIME is not mentioned in the comment describing the if else
+  preprocessor directive.
   
-  Closes #7685
+  Closes #7882
 
-Daniel Gustafsson (8 Sep 2021)
-- cirrus: Add FreeBSD 13.0 job and disable sanitizer build
-  
-  As alluded to the in the now removed comment, a 13.0 image became
-  available and is now ready to be used.
+- tls: remove newline from three infof() calls
   
-  The sanitizer builds were running on the 12.1 image which since has
-  been removed from the config, leaving the builds not running at all.
-  When enabled it turns out that they don't actually work due to very
-  long timeouts in executing the tests, so keep the disabled for now
-  but a bit more controlled.
+  Follow-up to e7416cf
   
-  Closes #7592
-
-Daniel Stenberg (8 Sep 2021)
-- copyrights: update copyright year ranges
+  Reported-by: billionai on github
+  Fixes #7879
+  Closes #7880
 
 - RELEASE-NOTES: synced
 
-- INTERNALS: c-ares has a new home: c-ares.org
-
-- docs: remove experimental mentions from HSTS and MQTT
+- curl_gssapi: fix build warnings by removing const
   
-  Reported-by: Jonathan Cardoso
-  Bug: https://github.com/curl/curl/pull/6700#issuecomment-913792863
-  Closes #7681
-
-- [Cao ZhenXiang brought this change]
-
-  curl: add warning for incompatible parameters usage
+  Follow-up to 20e980f85b0ea6
   
-  --continue-at - and --remote-header-name are known incompatible parameters
+  In #7875 these inits were modified but I get two warnings that these new
+  typecasts are necessary for.
   
-  Closes #7674
+  Closes #7876
 
-- [git-bruh brought this change]
+- [Bo Anderson brought this change]
 
-  examples/*hiperfifo.c: fix calloc arguments to match function proto
+  curl_gssapi: fix link error on macOS Monterey
   
-  Closes #7678
+  Fixes #7657
+  Closes #7875
 
-- INTERNALS: bump c-ares requirement to 1.16.0
+- test1185: verify checksrc
   
-  Since ba904db0705c93 we use ares_getaddrinfo, added in c-ares 1.16.0
+  Closes #7866
 
-- curl: stop retry if Retry-After: is longer than allowed
-  
-  If Retry-After: specifies a period that is longer than what fits within
-  --retry-max-time, then stop retrying immediately.
+- checksrc: improve the SPACESEMICOLON error message
   
-  Added test 366 to verify.
+  and adjust the MULTISPACE one to use plural
   
-  Reported-by: Kari Pahula
-  Fixes #7675
-  Closes #7676
-
-- [Michał Antoniak brought this change]
+  Closes #7866
 
-  mbedtls: avoid using a large buffer on the stack
+- url: set "k->size" -1 at start of request
   
-  Use dynamic memory allocation for the buffer used in checking "pinned
-  public key". The PUB_DER_MAX_BYTES parameter with default settings is
-  set to a value greater than 2kB.
+  The size of the transfer is unknown at that point.
   
-  Co-authored-by: Daniel Stenberg
-  Closes #7586
+  Fixes #7871
+  Closes #7872
 
-- configure: make --disable-hsts work
+Daniel Gustafsson (18 Oct 2021)
+- doh: remove experimental code for DoH with GET
   
-  The AC_ARG_ENABLE() macro itself uses a variable called
-  'enable_[option]', so when our script also used a variable with that
-  name for the purpose of storing what the user wants, it also
-  accidentally made it impossible to switch off the feature with
-  --disable-hsts. Fix this by renaming our variable.
+  The code for sending DoH requests with GET was never enabled in a way
+  such that it could be used or tested. As there haven't been requests
+  for this feature, and since it at this is effectively dead, remove it
+  and favor reimplementing the feature in case anyone is interested.
   
-  Reported-by: Michał Antoniak
-  Fixes #7669
-  Closes #7672
+  Closes #7870
+  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
 
-Jay Satiro (5 Sep 2021)
-- config.d: note that curlrc is used even when --config
+Daniel Stenberg (18 Oct 2021)
+- cirrus: remove FreeBSD 11.4 from the matrix
   
-  Bug: https://github.com/curl/curl/pull/7666#issuecomment-912214751
-  Reported-by: Viktor Szakats
+  It has reached End-Of-Life and causes some LDAP CI issues.
   
-  Closes https://github.com/curl/curl/pull/7667
-
-Daniel Stenberg (4 Sep 2021)
-- RELEASE-NOTES: synced
+  Closes #7869
 
-- test1173: check references to libcurl options
+- cirrus: switch to openldap24-client
   
-  ... that they refer to actual existing libcurl options.
+  ... as it seems openldap-client doesn't exist anymore.
   
-  Reviewed-by: Daniel Gustafsson
-  Closes #7656
+  Reported-by: Jay Satiro
+  Fixes #7868
+  Closes #7869
 
-- CURLOPT_UNIX_SOCKET_PATH.3: remove nginx reference, add see also
+- checksrc: ignore preprocessor lines
   
-  Closes #7656
-
-- opt-docs: verify man page sections + order
-  
-  In every libcurl option man page there are now 8 mandatory sections that
-  must use the right name in the correct order and test 1173 verifies
-  this. Only 14 man pages needed adjustments.
+  In order to check the actual code better, checksrc now ignores
+  everything that look like preprocessor instructions. It also means
+  that code in macros are now longer checked.
   
-  The sections and the order is as follows:
+  Note that some rules then still don't need to be followed when code is
+  exactly below a cpp instruction.
   
-   - NAME
-   - SYNOPSIS
-   - DESCRIPTION
-   - PROTOCOLS
-   - EXAMPLE
-   - AVAILABILITY
-   - RETURN VALUE
-   - SEE ALSO
+  Removes two checksrc exceptions we needed previously because of
+  preprocessor lines being checked.
   
-  Reviewed-by: Daniel Gustafsson
-  Closes #7656
+  Reported-by: Marcel Raad
+  Fixes #7863
+  Closes #7864
 
-- opt-docs: make sure all man pages have examples
+- urlapi: skip a strlen(), pass in zero
   
-  Extended manpage-syntax.pl (run by test 1173) to check that every man
-  page for a libcurl option has an EXAMPLE section that is more than two
-  lines. Then fixed all errors it found and added examples.
+  ... to let curl_easy_escape() itself do the strlen. This avoids a (false
+  positive) Coverity warning and it avoids us having to store the strlen()
+  return value in an int variable.
   
   Reviewed-by: Daniel Gustafsson
-  Closes #7656
-
-- get.d: provide more useful examples
-  
-  Closes #7668
-
-- page-header: add GOPHERS, simplify wording in the 1st para
-  
-  Closes #7665
+  Closes #7862
 
-- connect: get local port + ip also when reusing connections
-  
-  Regression. In d6a37c23a3c (7.75.0) we removed the duplicated storage
-  (connection + easy handle), so this info needs be extracted again even
-  for re-used connections.
-  
-  Add test 435 to verify
-  
-  Reported-by: Max Dymond
-  Fixes #7660
-  Closes #7662
+- misc: update copyright years
 
-Marcel Raad (2 Sep 2021)
-- multi: fix compiler warning with `CURL_DISABLE_WAKEUP`
+- examples/htmltidy: correct wrong printf() use
   
-  `use_wakeup` is unused in this case.
+  ... and update the includes to match how current htmltidy wants them
+  used.
   
-  Closes https://github.com/curl/curl/pull/7661
+  Reported-by: Stathis Kapnidis
+  Fixes #7860
+  Closes #7861
 
-Daniel Stenberg (1 Sep 2021)
-- tests: adjust the tftpd output to work with hyper mode
+Jay Satiro (15 Oct 2021)
+- http: set content length earlier
   
-  By making them look less like http headers, the hyper mode "tweak"
-  doesn't interfere.
+  - Make content length (ie download size) accessible to the user in the
+    header callback, but only after all headers have been processed (ie
+    only in the final call to the header callback).
   
-  Enable test 2002 and 2003 in hyper builds (and 1280 which is unrelated
-  but should be enabled).
+  Background:
   
-  Closes #7658
-
-Daniel Gustafsson (1 Sep 2021)
-- [Gisle Vanem brought this change]
-
-  openssl: annotate SSL3_MT_SUPPLEMENTAL_DATA
+  For a long time the content length could be retrieved in the header
+  callback via CURLINFO_CONTENT_LENGTH_DOWNLOAD_T as soon as it was parsed
+  by curl.
   
-  This adds support for the previously unhandled supplemental data which
-  in -v output was printed like:
+  Changes were made in 8a16e54 (precedes 7.79.0) to ignore content length
+  if any transfer encoding is used. A side effect of that was that
+  content length was not set by libcurl until after the header callback
+  was called the final time, because until all headers are processed it
+  cannot be determined if content length is valid.
   
-      TLSv1.2 (IN), TLS header, Unknown (23):
+  This change keeps the same intention --all headers must be processed--
+  but now the content length is available before the final call to the
+  header function that indicates all headers have been processed (ie
+  a blank header).
   
-  These will now be printed with proper annotation:
+  Bug: https://github.com/curl/curl/commit/8a16e54#r57374914
+  Reported-by: sergio-nsk@users.noreply.github.com
   
-      TLSv1.2 (OUT), TLS header, Supplemental data (23):
+  Co-authored-by: Daniel Stenberg
   
-  Closes #7652
-  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+  Fixes https://github.com/curl/curl/issues/7804
+  Closes https://github.com/curl/curl/pull/7803
 
-Daniel Stenberg (1 Sep 2021)
-- curl.1: provide examples for each option
-  
-  The file format for each option now features a "Example:" header that
-  can provide one or more examples that get rendered appropriately in the
-  output. All options MUST have at least one example or gen.pl complains
-  at build-time.
-  
-  This fix also does a few other minor format and consistency cleanups.
-  
-  Closes #7654
+Daniel Stenberg (15 Oct 2021)
+- [Abhinav Singh brought this change]
 
-- progress: make trspeed avoid floats
+  aws-sigv4: make signature work when post data is binary
   
-  and compiler warnings for data conversions.
+  User sets the post fields size for binary data.  Hence, we should not be
+  using strlen on it.
   
-  Reported-by: Michał Antoniak
-  Fixes #7645
-  Closes #7653
+  Added test 1937 and 1938 to verify.
+  
+  Closes #7844
 
-- test365: verify response with chunked AND Content-Length headers
+- [a1346054 brought this change]
 
-- http: ignore content-length if any transfer-encoding is used
+  MacOSX-Framework: remove redundant ';'
   
-  Fixes #7643
-  Closes #7649
+  Closes #7859
 
 - RELEASE-NOTES: synced
 
-- Revert "http2: skip immediate parsing of payload following protocol switch"
+- openssl: with OpenSSL 1.1.0+ a failed RAND_status means goaway
   
-  This reverts commit 455a63c66f188598275e87d32de2c4e8e26b80cb.
+  One reason we know it can fail is if a provider is used that doesn't do
+  a proper job or is wrongly configured.
   
-  Reported-by: Tk Xiong
-  Fixes #7633
-  Closes #7648
+  Reported-by: Michael Baentsch
+  Fixes #7840
+  Closes #7856
 
-- KNOWN_BUGS: HTTP/3 doesn't support client certs
-  
-  Closes #7625
+Marcel Raad (14 Oct 2021)
+- [Ryan Mast brought this change]
 
-- mailing lists: move from cool.haxx.se to lists.haxx.se
+  cmake: add CURL_ENABLE_SSL option and make CMAKE_USE_* SSL backend options depend on it
+  
+  Closes https://github.com/curl/curl/pull/7822
 
-- http_proxy: only wait for writable socket while sending request
+Daniel Stenberg (14 Oct 2021)
+- http: remove assert that breaks hyper
   
-  Otherwise it would wait socket writability even after the entire CONNECT
-  request has sent and make curl basically busy-loop while waiting for a
-  response to come back.
+  Reported-by: Jay Satiro
+  Fixes #7852
+  Closes #7855
+
+- http_proxy: fix one more result assign for hyper
   
-  The previous fix attempt in #7484 (c27a70a591a4) was inadequate.
+  and remove the bad assert again, since it was run even with no error!
   
-  Reported-by: zloi-user on github
-  Reported-by: Oleguer Llopart
-  Fixes #7589
-  Closes #7647
+  Closes #7854
 
-- http: disallow >3-digit response codes
+Jay Satiro (14 Oct 2021)
+- sws: fix memory leak on exit
   
-  Make the built-in HTTP parser behave similar to hyper and reject any
-  HTTP response using more than 3 digits for the response code.
+  - Free the allocated http request struct on cleanup.
   
-  Updated test 1432 accordingly.
-  Enabled test 1432 in the hyper builds.
+  Prior to this change if sws was built with leak sanitizer it would
+  report a memory leak error during testing.
   
-  Closes #7641
-
-- [Tatsuhiro Tsujikawa brought this change]
+  Closes https://github.com/curl/curl/pull/7849
 
-  ngtcp2: stop buffering crypto data
+Daniel Stenberg (14 Oct 2021)
+- c-hyper: make Curl_http propagate errors better
   
-  Stop buffering crypto data because libngtcp2 now buffers submitted
-  crypto data.
+  Pass on better return codes when errors occur within Curl_http instead
+  of insisting that CURLE_OUT_OF_MEMORY is the only possible one.
   
-  Closes #7637
+  Pointed-out-by: Jay Satiro
+  Closes #7851
 
-- test1280: CRLFify the response to please hyper
+- http_proxy: make hyper CONNECT() return the correct error code
   
-  Closes #7639
-
-- tests: enable test 1129 for hyper builds
+  For every 'goto error', make sure the result variable holds the error
+  code for what went wrong.
   
-  Closes #7638
+  Reported-by: Rafał Mikrut
+  Fixes #7825
+  Closes #7846
 
-- curl: better error message when -O fails to get a good name
-  
-  Due to how this currently works internally, it needs a working initial
-  file name to store contents in, so it may still fail even with -J is
-  used (and thus accepting a name from content-disposition:) if the file
-  name part of the URL isn't "good enough".
+- docs/Makefile.am: repair 'make html'
   
-  Fixes #7628
-  Closes #7635
-
-- curl_easy_setopt: tweak the string copy wording
+  by removing index.html which isn't around anymore
   
-  Reported-by: Yaobin Wen
-  Fixes #7632
-  Closes #7634
-
-- RELEASE-NOTES: synced
+  Closes #7853
 
-- [Don J Olmstead brought this change]
+- [Борис Верховский brought this change]
 
-  cmake: sync CURL_DISABLE options
+  curl: correct grammar in generated libcurl code
   
-  Adds the full listing of CURL_DISABLE options to the CMake build. Moves
-  all option code, except for CURL_DISABLE_OPENSSL_AUTO_LOA_CONFIG which
-  resides near OpenSSL configuration, to the same block of code. Also
-  sorts the options here and in the cmake config header.
+  Closes #7802
+
+- tests: disable test 2043
   
-  Additionally sorted the CURL-DISABLE listing and fixed the
-  CURL_DISABLE_POP3 option.
+  It uses revoked.badssl.com which now is expired and therefor this now
+  permafails. We should not use external sites for tests, this test should
+  be converted to use our own infra.
   
-  Closes #7624
+  Closes #7845
 
-Jay Satiro (25 Aug 2021)
-- KNOWN_BUGS: FTPS upload data loss with TLS 1.3
+- runtests: split out ignored tests
   
-  Bug: https://github.com/curl/curl/issues/6149
-  Reported-by: Bylon2@users.noreply.github.com
+  Report ignore tests separately from the actual fails.
   
-  Closes https://github.com/curl/curl/pull/7623
-
-Daniel Stenberg (24 Aug 2021)
-- cmake: avoid poll() on macOS
+  Don't exit non-zero if test servers couldn't get killed.
   
-  ... like we do in configure builds. Since poll() on macOS is not
-  reliable enough.
+  Assisted-by: Jay Satiro
   
-  Reported-by: marc-groundctl
-  Fixes #7595
-  Closes #7619
+  Fixes #7818
+  Closes #7841
 
-- c-hyper: handle HTTP/1.1 => HTTP/1.0 downgrade on reused connection
+- http2: make getsock not wait for write if there's no remote window
   
-  Enable test 1074
+  While uploading, check for remote window availability in the getsock
+  function so that we don't wait for a writable socket if no data can be
+  sent.
   
-  Closes #7617
+  Reported-by: Steini2000 on github
+  Fixes #7821
+  Closes #7839
 
-- c-hyper: deal with Expect: 100-continue combined with POSTFIELDS
-  
-  Enable test 1130 and 1131
+- test368: verify dash is appended for "-r [num]"
   
-  Closes #7616
+  Follow-up to 8758a26f8878
 
-- [a1346054 brought this change]
+- [Борис Верховский brought this change]
 
-  tests: be explicit about using 'python3' instead of 'python'
-  
-  This fixes running tests in virtualenvs (or on distros) that no longer
-  have a symlink from python to python2 or python3.
+  curl: actually append "-" to --range without number only
   
-  Closes #7602
-
-- [a1346054 brought this change]
+  Closes #7837
 
-  scripts: invoke interpreters through /usr/bin/env
-  
-  Closes #7602
+- RELEASE-NOTES: synced
 
-- DISABLED: enable 11 more tests for hyper builds
+- urlapi: URL decode percent-encoded host names
   
-  Closes #7612
-
-- setopt: enable CURLOPT_IGNORE_CONTENT_LENGTH for hyper
+  The host name is stored decoded and can be encoded when used to extract
+  the full URL. By default when extracting the URL, the host name will not
+  be URL encoded to work as similar as possible as before. When not URL
+  encoding the host name, the '%' character will however still be encoded.
   
-  Since this option is also used for FTP, it needs to work to set for
-  applications even if hyper doesn't support it for HTTP. Verified by test
-  1137.
+  Getting the URL with the CURLU_URLENCODE flag set will percent encode
+  the host name part.
   
-  Updated docs to specify that the option doesn't work for HTTP when using
-  the hyper backend.
+  As a bonus, setting the host name part with curl_url_set() no longer
+  accepts a name that contains space, CR or LF.
   
-  Closes #7614
-
-- test1138: remove trailing space to make work with hyper
+  Test 1560 has been extended to verify percent encodings.
   
-  Closes #7613
+  Reported-by: Noam Moshe
+  Reported-by: Sharon Brizinov
+  Reported-by: Raul Onitza-Klugman
+  Reported-by: Kirill Efimov
+  Fixes #7830
+  Closes #7834
 
-- libcurl-errors.3: clarify two CURLUcode errors
+Marc Hoersken (8 Oct 2021)
+- CI/makefiles: introduce dedicated test target
   
-  CURLUE_BAD_HANDLE and CURLUE_BAD_PARTPOINTER should be for "bad" or
-  wrong pointers in a generic sense, not just for NULL pointers.
+  Make it easy to use the same set of test flags
+  throughout all current and future CI builds.
   
   Reviewed-by: Jay Satiro
   
-  Ref: #7605
-  Closes #7611
+  Follow up to #7690
+  Closes #7785
 
-Jay Satiro (23 Aug 2021)
-- symbols-in-versions: fix CURLSSLBACKEND_QSOSSL last used version
-  
-  ... and also change the 'Removed' column name to 'Last' since that
-  column is for the last version to contain the symbol.
-  
-  Closes https://github.com/curl/curl/pull/7609
+Daniel Stenberg (8 Oct 2021)
+- maketgz: redirect updatemanpages.pl output to /dev/null
 
-Daniel Stenberg (23 Aug 2021)
-- urlapi.c:seturl: assert URL instead of using if-check
+- CURLOPT_HTTPHEADER.3: add descripion for specific headers
   
-  There's no code flow possible where this can happen. The assert makes
-  sure it also won't be introduced undetected in the future.
+  Settting Host: or Transfer-Encoding: chunked actually have special
+  meanings to libcurl. This change tries to document them
   
-  Closes #7610
+  Closes #7829
 
-- curl-openssl.m4: show correct output for OpenSSL v3
+- c-hyper: use hyper_request_set_uri_parts to make h2 better
   
-  Using 3.0.0 versions configure should now show this:
+  and make sure to not send Host: over h2.
   
-  checking for OpenSSL headers version... 3.0.0 - 0x300
-  checking for OpenSSL library version... 3.0.0
-  checking for OpenSSL headers and library versions matching... yes
+  Fixes #7679
+  Reported-by: David Cook
+  Closes #7827
+
+- [Michael Afanasiev brought this change]
+
+  curl-openssl.m4: modify library order for openssl linking
   
-  This output doesn't actually change what configure generates but is only
-  "cosmetic".
+  lcrypto may depend on lz, and configure corrently fails with when
+  statically linking as the order is "-lz -lcrypto". This commit switches
+  the order to "-lcrypto -lz".
   
-  Reported-by: Randall S. Becker
-  Fixes #7606
-  Closes #7608
+  Closes #7826
 
-Jay Satiro (22 Aug 2021)
-- mksymbolsmanpage.pl: Fix showing symbol's last used version
+Marcel Raad (7 Oct 2021)
+- sha256: use high-level EVP interface for OpenSSL
   
-  Prior to this change the symbol's deprecated version was erroneously
-  shown as its last used version.
+  Available since OpenSSL 0.9.7. The low-level SHA256 interface is
+  deprecated in OpenSSL v3, and its usage was discouraged even before.
   
-  Bug: https://github.com/curl/curl/commit/4e53b94#commitcomment-55239509
-  Reported-by: i-ky@users.noreply.github.com
+  Closes https://github.com/curl/curl/pull/7808
 
-Daniel Stenberg (21 Aug 2021)
-- mksymbolsmanpage.pl: match symbols case insenitively
+- curl_ntlm_core: use OpenSSL only if DES is available
   
-  Follow-up to 4e53b9430c750 which made this bug show.
+  This selects another SSL backend then if available, or otherwise at
+  least gives a meaningful error message.
   
-  Reported-by: i-ky
-  Bug: https://github.com/curl/curl/commit/4e53b9430c7504de8984796e2a2091ec16f27136#commitcomment-55239253
-  Closes #7607
+  Closes https://github.com/curl/curl/pull/7808
 
-- asyn-ares: call ares_freeaddrinfo() to clean up addrinfo results
+- md5: fix compilation with OpenSSL 3.0 API
   
-  As this leaks memory otherwise
+  Only use OpenSSL's MD5 code if it's available.
   
-  Follow-up to ba904db0705c931
+  Also fix wolfSSL build with `NO_MD5`, in which case neither the
+  wolfSSL/OpenSSL implementation nor the fallback implementation was
+  used.
   
-  Closes #7599
-
-- [Ehren Bendler brought this change]
+  Closes https://github.com/curl/curl/pull/7808
 
-  wolfssl: clean up wolfcrypt error queue
+Daniel Stenberg (7 Oct 2021)
+- print_category: printf %*s needs an int argument
   
-  If wolfSSL is built in certain ways (OPENSSL_EXTRA or Debug), the error
-  queue gets added on to for each session and never freed. Fix it by
-  calling ERR_clear_error() like in vtls/openssl when needed. This func is
-  a no-op in wolfcrypt if the error queue is not enabled.
+  ... not a size_t!
   
-  Closes #7594
+  Detected by Coverity: CID 1492331.
+  Closes #7823
 
-- man pages: remove trailing whitespaces
+Jay Satiro (7 Oct 2021)
+- version_win32: use actual version instead of manifested version
   
-  Extended test 1173 (via the manpage-syntax.pl script) to detect and warn
-  for them.
+  - Use RtlVerifyVersionInfo instead of VerifyVersionInfo, when possible.
   
-  Ref: #7602
-  Reported-by: a1346054 on github
-  Closes #7604
-
-- mailmap: add Gleb Ivanovsky
-
-- config.d: escape the backslash properly
+  Later versions of Windows have normal version functions that compare and
+  return versions based on the way the application is manifested, instead
+  of the actual version of Windows the application is running on. We
+  prefer the actual version of Windows so we'll now call the Rtl variant
+  of version functions (RtlVerifyVersionInfo) which does a proper
+  comparison of the actual version.
   
-  Closes #7603
+  Reported-by: Wyatt O'Day
+  
+  Ref: https://github.com/curl/curl/pull/7727
+  
+  Fixes https://github.com/curl/curl/issues/7742
+  Closes https://github.com/curl/curl/pull/7810
 
-- [Don J Olmstead brought this change]
+Daniel Stenberg (6 Oct 2021)
+- RELEASE-NOTES: synced
 
-  curl_setup.h: sync values for HTTP_ONLY
+- http: fix Basic auth with empty name field in URL
   
-  The values for HTTP_ONLY differed between CMakeLists.txt and
-  curl_setup.h. Sync them and sort the values in curl_setup.h to make it
-  easier to spot differences.
+  Add test 367 to verify.
   
-  Closes #7601
+  Reported-by: Rick Lane
+  Fixes #7819
+  Closes #7820
 
-Jay Satiro (21 Aug 2021)
-- configure: set classic mingw minimum OS version to XP
-  
-  - If the user has not specified a minimum OS version (via WINVER or
-    _WIN32_WINNT macros) then set it to Windows XP.
+- [Jeffrey Tolar brought this change]
+
+  CURLOPT_MAXLIFETIME_CONN: maximum allowed lifetime for conn reuse
   
-  Prior to this change classic MinGW defaulted the minimum OS version
-  to Windows NT 4.0 which is way too old. At least Windows XP is needed
-  for getaddrinfo (which resolves hostnames to IPv6 addresses).
+  ... and close connections that are too old instead of reusing them.
   
-  Ref: https://github.com/curl/curl/issues/7483#issuecomment-891597034
+  By default, this behavior is disabled.
   
-  Closes https://github.com/curl/curl/pull/7581
+  Bug: https://curl.se/mail/lib-2021-09/0058.html
+  Closes #7751
 
-- schannel: Work around typo in classic mingw macro
-  
-  - Define ALG_CLASS_DHASH (the typo from the include) to ALG_CLASS_HASH.
-  
-  Prior to this change there was an incomplete fix to ignore the
-  CALG_TLS1PRF macro on those versions of MinGW where it uses the
-  ALG_CLASS_DHASH typoed macro.
+Daniel Gustafsson (6 Oct 2021)
+- docs/examples: add missing binaries to gitignore
   
-  Ref: 48cf45c
-  Ref: https://osdn.net/projects/mingw/ticket/38391
-  Ref: https://github.com/curl/curl/issues/2924
+  Commit f65d7889b added getreferrer, and commit ae8e11ed5 multi-legacy,
+  both of which missed adding .gitignore clauses for the built binaries.
   
-  Closes https://github.com/curl/curl/pull/7580
+  Closes #7817
+  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
 
-Daniel Stenberg (20 Aug 2021)
-- RELEASE-NOTES: synced
+Daniel Stenberg (5 Oct 2021)
+- [Josip Medved brought this change]
 
-- http_proxy: fix user-agent and custom headers for CONNECT with hyper
-  
-  Enable test 287
+  HTTP3: fix the HTTP/3 Explained book link
   
-  Closes #7598
+  Closes #7813
 
-- c-hyper: initial support for "dumping" 1xx HTTP responses
+- [Lucas Holt brought this change]
+
+  misc: fix a few issues on MidnightBSD
   
-  With the use hyper_request_on_informational()
-  
-  Enable test 155 and 158
-  
-  Closes #7597
+  Closes #7812
 
-Marc Hoersken (18 Aug 2021)
-- tests/*server.pl: flush output before executing subprocess
-  
-  Also avoid shell processes staying around by using exec.
-  This is necessary to avoid output data being buffering
-  inside the process chain of Perl, Bash/Shell and our
-  test server binaries. On non-Windows systems the exec
-  will also make the subprocess replace the intermediate
-  shell, but on Windows it will at least bind the processes
-  together since there is no real fork or exec available.
-  
-  See: https://cygwin.com/cygwin-ug-net/highlights.html
-  and: https://docs.microsoft.com/cpp/c-runtime-library/exec-wexec-functions
-  Ref: https://github.com/curl/curl/pull/7530#issuecomment-900949010
-  
-  Reviewed-by: Daniel Stenberg
-  Reviewed-by: Jay Satiro
-  Closes #7530
+Daniel Gustafsson (4 Oct 2021)
+- [8U61ife brought this change]
 
-- CI: use GitHub Container Registry instead of Docker Hub
-  
-  Avoid limits on Docker Hub and improve image pull/download speed.
+  tool_main: fix typo in comment
   
-  Closes #7587
+  Closes: #7811
+  Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
 
-Daniel Stenberg (18 Aug 2021)
-- openssl: when creating a new context, there cannot be an old one
+Daniel Stenberg (4 Oct 2021)
+- [Ryan Mast brought this change]
+
+  BINDINGS: URL updates
   
-  Remove the previous handling that would call SSL_CTX_free(), and instead
-  add an assert that halts a debug build if there ever is a context
-  already set at this point.
+  For cpr, BBHTTP, Eiffel, Harbour, Haskell, Mono, and Rust
   
-  Closes #7585
+  Closes #7809
 
-Jay Satiro (18 Aug 2021)
-- KNOWN_BUGS: Renegotiate from server may cause hang for OpenSSL backend
+- scripts/delta: hide a git error message we don't care about
   
-  Closes https://github.com/curl/curl/issues/6785
+  fatal: path 'src/tool_listhelp.c' exists on disk, but not in [tag]
 
-Viktor Szakats (17 Aug 2021)
-- docs/BINDINGS: URL update
+- [Patrick Monnerat brought this change]
 
-Marc Hoersken (17 Aug 2021)
-- tests/server/*.c: align handling of portfile argument and file
+  sasl: binary messages
   
-  1. Call the internal variable portname (like pidname) everywhere.
-  2. Have a variable wroteportfile (like wrotepidfile) everywhere.
-  3. Make sure the file is cleaned up on exit (like pidfile).
-  4. Add parameter --portfile to usage outputs everywhere.
+  Capabilities of sasl module are extended to exchange messages in binary
+  as an alternative to base64.
   
-  Reviewed-by: Daniel Stenberg
+  If http authentication flags have been set, those are used as sasl
+  default preferred mechanisms.
   
-  Replaces #7523
-  Closes #7574
+  Closes #6930
 
-Daniel Gustafsson (17 Aug 2021)
-- KNOWN_BUGS: Fix a number of typos in KNOWN_BUGS
-  
-  Fixes a set of typos found in section 11.3.
+- [Hayden Roche brought this change]
 
-Daniel Stenberg (17 Aug 2021)
-- getparameter: fix the --local-port number parser
+  wolfssl: use for SHA256, MD4, MD5, and setting DES odd parity
   
-  It could previously get tricked into parsing the uninitialized stack
-  based buffer.
+  Prior to this commit, OpenSSL could be used for all these functions, but
+  not wolfSSL. This commit makes it so wolfSSL will be used if USE_WOLFSSL
+  is defined.
   
-  Reported-by: Brian Carpenter
-  Closes #7582
+  Closes #7806
 
-- KNOWN_BUGS: Can't use Secure Transport with Crypto Token Kit
+- scripts/delta: count command line options in the new file
   
-  Closes #7048
+  ... which makes the shown delta number wrong until next release.
 
-- [Jan Verbeek brought this change]
+- RELEASE-NOTES: synced
 
-  curl: add warning for ignored data after quoted form parameter
+- print_category: print help descriptions aligned
   
-  In an argument like `-F 'x=@/etc/hostname;filename="foo"abc'` the `abc`
-  is ignored. This adds a warning if the ignored data isn't all
-  whitespace.
+  Adjust the description position to make an aligned column when doing
+  help listings, which is more pleasing to the eye.
   
-  Closes #7394
+  Suggested-by: Gisle Vanem
+  Closes #7792
 
-Jay Satiro (17 Aug 2021)
-- codeql: fix error "Resource not accessible by integration"
-  
-  - Enable codeql writing security-events.
+- lib/mk-ca-bundle.pl: skip certs passed Not Valid After date
   
-  GitHub set the default permissions to read, apparently since earlier
-  this year.
+  With this change applied, the now expired 'DST Root CA X3' cert will no
+  longer be included in the output.
   
-  Ref: https://github.com/github/codeql-action/issues/464
-  Ref: https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/
+  Details: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
   
-  Fixes https://github.com/curl/curl/issues/7575
-  Closes https://github.com/curl/curl/pull/7576
+  Closes #7801
 
-- tool_operate: Fix --fail-early with parallel transfers
+- tool_listhelp: easier to generate with gen.pl
   
-  - Abort via progress callback to fail early during parallel transfers.
+  tool_listhelp.c is now a separate file with only the command line --help
+  output, exactly as generated by gen.pl. This makes it easier to generate
+  updates according to what's in the docs/cmdline-opts docs.
   
-  When a critical error occurs during a transfer (eg --fail-early
-  constraint) then other running transfers will be aborted via progress
-  callback and finish with error CURLE_ABORTED_BY_CALLBACK (42). In this
-  case, the callback error does not become the most recent error and a
-  custom error message is used for those transfers:
+    cd $srcroot/docs/cmdline-opts
+    ./gen.pl listhelp *.d > $srcroot/src/tool_listhelp.c
   
-  curld --fail --fail-early --parallel
-  https://httpbin.org/status/404 https://httpbin.org/delay/10
+  With a configure build, this also works:
   
-  curl: (22) The requested URL returned error: 404
-  curl: (42) Transfer aborted due to critical error in another transfer
+    make -C src listhelp
   
-  > echo %ERRORLEVEL%
-  22
+  Closes #7787
+
+- [Anthony Hu brought this change]
+
+  wolfssl: allow setting of groups/curves
   
-  Fixes https://github.com/curl/curl/issues/6939
-  Closes https://github.com/curl/curl/pull/6984
+  In particular, the quantum safe KEM and hybrid curves if wolfSSL is
+  built to support them.
+  
+  Closes #7728
 
-Daniel Stenberg (17 Aug 2021)
-- [Sergey Markelov brought this change]
+- [Jan Mazur brought this change]
 
-  sectransp: support CURLINFO_CERTINFO
+  connnect: use sysaddr_un fron sys/un.h or custom-defined for windows
   
-  Fixes #4130
-  Closes #7372
+  Closes #7737
 
-- ngtcp2: remove the acked_crypto_offset struct field init
+Jay Satiro (30 Sep 2021)
+- [Rikard Falkeborn brought this change]
+
+  hostip: Move allocation to clarify there is no memleak
   
-  ... as it is gone from the API upstream.
+  By just glancing at the code, it looks like there is a memleak if the
+  call to Curl_inet_pton() fails. Looking closer, it is clear that the
+  call to Curl_inet_pton() can not fail, so the code will never leak
+  memory. However, we can make this obvious by moving the allocation
+  after the if-statement.
   
-  Closes #7578
+  Closes https://github.com/curl/curl/pull/7796
 
-- misc: update incorrect copyright year ranges
+Daniel Stenberg (30 Sep 2021)
+- gen.pl: make the output date format work better
   
-  Closes #7577
-
-- KNOWN_BUGS: HTTP/3 quiche upload large file fails
+  Follow-up to 15910dfd143dd
   
-  Closes #7532
-
-- KNOWN_BUGS: CMake build with MIT Kerberos does not work
+  The previous strftime format used didn't work correctly on Windows, so
+  change to %B %d %Y which today looks like "September 29 2021".
   
-  Closes #6904
+  Reported-by: Gisle Vanem
+  Bug: #7782
+  Closes #7793
 
-- TODO: add asynch getaddrinfo support
+- typecheck-gcc.h: add CURLOPT_PREREQDATA awareness
   
-  Closes #6746
-
-- RELEASE-NOTES: synced
-
-- [Artur Sinila brought this change]
-
-  http2: revert call the handle-closed function correctly on closed stream
+  Follow-up to a517378de58358a
   
-  Reverts 252790c5335a221
+  To make test 1912 happy again
   
-  Assisted-by: Gergely Nagy
-  Fixes #7400
-  Closes #7525
-
-- [Patrick Monnerat brought this change]
+  Closes #7799
 
-  auth: do not append zero-terminator to authorisation id in kerberos
+Marcel Raad (29 Sep 2021)
+- configure: remove `HAVE_WINSOCK_H` definition
   
-  RFC4752 Section 3.1 states "The authorization identity is not terminated
-  with a zero-valued (%x00) octet". Although a comment in code said it may
-  be needed anyway, nothing confirms it. In addition, servers may consider
-  it as part of the identity, causing a failure.
+  It's not used anymore.
   
-  Closes #7008
-
-- [Patrick Monnerat brought this change]
+  Closes https://github.com/curl/curl/pull/7795
 
-  auth: use sasl authzid option in kerberos
+- CMake: remove `HAVE_WINSOCK_H` definition
   
-  ... instead of deriving it from active ticket.
-  Closes #7008
-
-- [Patrick Monnerat brought this change]
-
-  auth: we do not support a security layer after kerberos authentication
+  It's not used anymore.
   
-  Closes #7008
-
-- [Patrick Monnerat brought this change]
+  Closes https://github.com/curl/curl/pull/7795
 
-  auth: properly handle byte order in kerberos security message
+- config: remove `HAVE_WINSOCK_H` definition
   
-  Closes #7008
-
-- [z2_ brought this change]
-
-  x509asn1: fix heap over-read when parsing x509 certificates
+  It's not used anymore.
   
-  Assisted-by: Patrick Monnerat
-  Closes #7536
+  Closes https://github.com/curl/curl/pull/7795
 
-- KNOWN_BUGS: Disconnects don't do verbose
+- lib: remove `HAVE_WINSOCK_H` usage
   
-  Closes #6995
-
-- mailmap: fixup Michał Antoniak
-
-- [Michał Antoniak brought this change]
+  WinSock v1 is not supported anymore. Exclusively use `HAVE_WINSOCK2_H`
+  instead.
+  
+  Closes https://github.com/curl/curl/pull/7795
 
-  build: fix compiler warnings
+Daniel Stenberg (29 Sep 2021)
+- easyoptions: add the two new PRE* options
   
-  For when CURL_DISABLE_VERBOSE_STRINGS and DEBUGBUILD flags are both
-  active.
+  Follow-up to a517378de58358a
   
-  - socks.c : warning C4100: 'lineno': unreferenced formal parameter
-    (co-authored by Daniel Stenberg)
+  Also fix optiontable.pl to do the correct remainder on the entry.
   
-  - mbedtls.c: warning C4189: 'port': local variable is initialized but
-    not referenced
+  Reported-by: Gisle Vanem
+  Bug: https://github.com/curl/curl/commit/a517378de58358a85b7cfe9efecb56051268f629#commitcomment-57224830
+  Closes #7791
+
+- Revert "build: remove checks for WinSock 1"
   
-  - schannel.c: warning C4189: 'hostname': local variable is initialized
-    but not referenced
+  Due to CI issues
   
-  Cloes #7528
-
-- [Gleb Ivanovsky brought this change]
+  This reverts commit c2ea04f92b00b6271627cb218647527b5a50f2fc.
+  
+  Closes #7790
 
-  CODE_STYLE-md: fix bold font style
+Daniel Gustafsson (29 Sep 2021)
+- lib: avoid fallthrough cases in switch statements
   
-  Markdown gets confused with abundance of asterisks, so use underscores
-  instead.
+  Commit b5a434f7f0ee4d64857f8592eced5b9007d83620 inhibits the warning
+  on implicit fallthrough cases, since the current coding of indicating
+  fallthrough with comments is falling out of fashion with new compilers.
+  This attempts to make the issue smaller by rewriting fallthroughs to no
+  longer fallthrough, via either breaking the cases or turning switch
+  statements into if statements.
   
-  Reviewed-by: Daniel Gustafsson
-  Closes #7569
-
-- [Gleb Ivanovsky brought this change]
-
-  CODE_STYLE-md: add missing comma
+    lib/content_encoding.c: the fallthrough codepath is simply copied
+      into the case as it's a single line.
+    lib/http_ntlm.c: the fallthrough case skips a state in the state-
+      machine and fast-forwards to NTLMSTATE_LAST. Do this before the
+      switch statement instead to set up the states that we actually
+      want.
+    lib/http_proxy.c: the fallthrough is just falling into exiting the
+      switch statement which can be done easily enough in the case.
+    lib/mime.c: switch statement rewritten as if statement.
+    lib/pop3.c: the fallthrough case skips to the next state in the
+      statemachine, do this explicitly instead.
+    lib/urlapi.c: switch statement rewritten as if statement.
+    lib/vssh/wolfssh.c: the fallthrough cases fast-forwards the state
+      machine, do this by running another iteration of the switch
+      statement instead.
+    lib/vtls/gtls.c: switch statement rewritten as if statement.
+    lib/vtls/nss.c: the fallthrough codepath is simply copied into the
+      case as it's a single line. Also twiddle a comment to not be
+      inside a non-brace if statement.
   
-  Reviewed-by: Daniel Gustafsson
-  Closes #7570
-
-- [Daniel Gustafsson brought this change]
+  Closes: #7322
+  See-also: #7295
+  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
 
-  examples/ephiperfifo.c: simplify signal handler
+Marcel Raad (28 Sep 2021)
+- config-win32ce: enable WinSock 2
   
-  The signal handler registered for SIGINT is only handling SIGINT
-  so there isn't much need for inspecting the signo.  While there,
-  rename the handler to be more specific.
+  WinSock 2.2 is supported by Windows CE .NET 4.1 (from 2002, out of
+  support since 2013).
   
-  g_should_exit should really be of sig_atomic_t type, but relying
-  on autoconf in the examples seems like a bad idea so keep that
-  for now.
+  Ref: https://docs.microsoft.com/en-us/previous-versions/windows/embedded/ms899586(v=msdn.10)
   
-  Reviewed-by: Daniel Stenberg
-  Closes #7310
+  Closes https://github.com/curl/curl/pull/7778
 
-- c-hyper: initial step for 100-continue support
+- externalsocket: use WinSock 2.2
   
-  Enabled test 154
+  That's the only version we support.
   
-  Closes #7568
-
-- [Ikko Ashimine brought this change]
+  Closes https://github.com/curl/curl/pull/7778
 
-  vtls: fix typo in schannel_verify.c
+- build: remove checks for WinSock 1
   
-  occurence -> occurrence
+  It's not supported anymore.
   
-  Closes #7566
+  Closes https://github.com/curl/curl/pull/7778
 
-- [Emil Engler brought this change]
+Daniel Stenberg (28 Sep 2021)
+- scripts/copyright: .muse is .lift now
+  
+  And update 5 files with old copyright year range
 
-  curl_url_get.3: clarify about path and query
+- cmdline-opts: made the 'Added:' field mandatory
   
-  The current man-page lacks some details regarding the obtained path and
-  query.
+  Since "too old" versions are no longer included in the generated man
+  page, this field is now mandatory so that it won't be forgotten and then
+  not included in the documentation.
   
-  Closes #7563
+  Closes #7786
 
-- c-hyper: fix header value passed to debug callback
+- curl.1: remove mentions of really old version changes
   
-  Closes #7567
-
-Viktor Szakats (12 Aug 2021)
-- cleanup: URL updates
+  To make the man page more readable, this change removes all references
+  to changes in support/versions etc that happened before 7.30.0 from the
+  curl.1 output file. 7.30.0 was released on Apr 12 2013. This particular
+  limit is a bit arbitrary but was fairly easy to grep for.
   
-  - replace broken URL with the one it was most probably pointing to
-    when added (lib/tftp.c)
-  - replace broken URL with archive.org link (lib/curl_ntlm_wb.c)
-  - delete unnecessary protocol designator from archive.org URL
-    (docs/BINDINGS.md)
+  It is handled like this: the 'Added' keyword is only used in output if
+  it refers to 7.30.0 or later. All occurances of "(Added in $VERSION)" in
+  description will be stripped out if the mentioned $VERSION is from
+  before 7.30.0. It is therefore important that the "Added in..."
+  references are always written exactly like that - and on a single line,
+  not split over two.
   
-  Closes #7562
+  This change removes about 80 version number references from curl.1, down
+  to 138 from 218.
+  
+  Closes #7786
 
-Daniel Stenberg (12 Aug 2021)
-- [April King brought this change]
+- RELEASE-NOTES: synced
 
-  DEPRECATE.md: linkify curl-library mailing list
+- tool_cb_prg: make resumed upload progress bar show better
   
-  Closes #7561
+  This is a regression that was *probably* injected in the larger progress
+  bar overhaul in 2018.
+  
+  Reported-by: beslick5 on github
+  Fixes #7760
+  Closes #7777
 
-- [Barry Pollard brought this change]
+- gen.pl: insert the current date and version in generated man page
+  
+  Reported-by: Gisle Vanem
+  Ref: #7780
+  Closes #7782
 
-  output.d: add method to suppress response bodies
+- NTLM: use DES_set_key_unchecked with OpenSSL
   
-  Closes #7560
+  ... as the previously used function DES_set_key() will in some cases
+  reject using a key that it deems "weak" which will cause curl to
+  continue using the unitialized buffer content as key instead.
+  
+  Assisted-by: Harry Sintonen
+  Fixes #7779
+  Closes #7781
 
-- TODO: remove 'c-ares deviates on http://1346569778'
+Marc Hoersken (27 Sep 2021)
+- CI: align make and test flags in various config files
   
-  Fixed since 56a037cc0ad1b2 (7.77.0)
+  1. Use Makefile target to run tests in autotools builds on AppVeyor.
+  2. Disable testing of SCP protocol on native Windows environments.
+  3. Remove redundant parameters -a -p from target test-nonflaky.
+  4. Don't use -vc parameter which is reserved for debugging.
+  
+  Replaces #7591
+  Closes #7690
 
-- [Colin O'Dell brought this change]
+Daniel Stenberg (27 Sep 2021)
+- mailmap: unify Max!
 
-  BINDINGS.md: update links to use https where available
-  
-  Closes #7558
+- [Max Dymond brought this change]
 
-- asyn-ares.c: move all version number checks to the top
+  CURLOPT_PREREQFUNCTION: add new callback
   
-  ... and use #ifdef [feature] in the code as per our guidelines.
-
-- ares: use ares_getaddrinfo()
+  Triggered before a request is made but after a connection is set up
   
-  ares_getaddrinfo() is the getaddrinfo() cloned provided by c-ares, introduced
-  in version 1.16.0.
+  Changes:
   
-  With older c-ares versions, curl invokes ares_gethostbyname() twice - once for
-  IPv4 and once for IPv6 to resolve both addresses, and then combines the
-  returned results.
+  - callback: Update docs and callback for pre-request callback
+  - Add documentation for CURLOPT_PREREQDATA and CURLOPT_PREREQFUNCTION,
+  - Add redirect test and callback failure test
+  - Note that the function may be called multiple times on a redirection
+  - Disable new 2086 test due to Windows weirdness
   
-  Reported-by: jjandesmet
-  Fixes #7364
-  Closes #7552
+  Closes #7477
 
-- [Tatsuhiro Tsujikawa brought this change]
+- KNOWN_BUGS: HTTP/2 connections through HTTPS proxy frequently stall
+  
+  Closes #6936
 
-  ngtcp2: utilize crypto API functions to simplify
+- TODO: make configure use --cache-file more and better
   
-  Closes #7551
+  Closes #7753
 
-- [megatronking brought this change]
+- [Sergey Markelov brought this change]
 
-  ngtcp2: reset the oustanding send buffer again when drained
+  urlapi: support UNC paths in file: URLs on Windows
   
-  Closes #7538
+  - file://host.name/path/file.txt is a valid UNC path
+    \\host.name\path\files.txt to a non-local file transformed into URI
+    (RFC 8089 Appendix E.3)
+  
+  - UNC paths on other OSs must be smb: URLs
+  
+  Closes #7366
 
-Michael Kaufmann (10 Aug 2021)
-- progress: fix a compile warning on some systems
+- [Gleb Ivanovsky brought this change]
+
+  urlapi: add curl_url_strerror()
   
-  lib/progress.c:380:40: warning: conversion to 'long double' from
-  'curl_off_t {aka long long int}' may alter its value [-Wconversion]
+  Add curl_url_strerror() to convert CURLUcode into readable string and
+  facilitate easier troubleshooting in programs using URL API.
+  Extend CURLUcode with CURLU_LAST for iteration in unit tests.
+  Update man pages with a mention of new function.
+  Update example code and tests with new functionality where it fits.
   
-  Closes #7549
+  Closes #7605
 
-Daniel Stenberg (10 Aug 2021)
 - RELEASE-NOTES: synced
 
-- http: consider cookies over localhost to be secure
+- [Mats Lindestam brought this change]
+
+  libssh2: add SHA256 fingerprint support
   
-  Updated test31.
-  Added test 392 to verify secure cookies used for http://localhost
+  Added support for SHA256 fingerprint in command line curl and in
+  libcurl.
   
-  Reviewed-by: Daniel Gustafsson
-  Fixes #6733
-  Closes #7263
+  Closes #7646
 
-- TODO: erase secrets from heap/stack after use
+- libcurl.rc: switch out the copyright symbol for plain ASCII
   
-  Closes #7268
+  Reported-by: Vitaly Varyvdin
+  Assisted-by: Viktor Szakats
+  Fixes #7765
+  Closes #7776
 
-Jay Satiro (10 Aug 2021)
-- hostip: Make Curl_ipv6works function independent of getaddrinfo
+- [Jun-ya Kato brought this change]
+
+  ngtcp2: fix QUIC transport parameter version
   
-  - Do not assume IPv6 is not working when getaddrinfo is not present.
+  fix inappropriate version setting for QUIC transport parameters.
+  this patch keeps curl with ngtcp2 uses QUIC draft version (h3-29).
   
-  The check to see if IPv6 actually works is now independent of whether
-  there is any resolver that can potentially resolve a hostname to IPv6.
+  Closes #7771
+
+- examples/imap-append: fix end-of-data check
   
-  Prior to this change if getaddrinfo() was not found at compile time then
-  Curl_ipv6works() would be defined as a macro that returns FALSE.
+  Reported-by: Alexander Chuykov
+  Fixes #7774
+  Closes #7775
+
+Michael Kaufmann (24 Sep 2021)
+- vtls: Fix a memory leak if an SSL session cannot be added to the cache
   
-  When getaddrinfo is not found then libcurl is built with CURLRES_IPV4
-  defined instead of CURLRES_IPV6, meaning that it cannot do IPv6 lookups
-  in the traditional way. With this commit if libcurl is built with IPv6
-  support (ENABLE_IPV6) but without getaddrinfo (CURLRES_IPV6), and the
-  IPv6 stack is actually working, then it is possible for libcurl to
-  resolve IPv6 addresses by using DoH.
+  On connection shutdown, a new TLS session ticket may arrive after the
+  SSL session cache has already been destructed. In this case, the new
+  SSL session cannot be added to the SSL session cache.
   
-  Ref: https://github.com/curl/curl/issues/7483#issuecomment-890765378
+  The callers of Curl_ssl_addsessionid() need to know whether the SSL
+  session has been added to the cache. If it has not been added, the
+  reference counter of the SSL session must not be incremented, or memory
+  used by the SSL session must be freed. This is now possible with the new
+  output parameter "added" of Curl_ssl_addsessionid().
   
-  Closes https://github.com/curl/curl/pull/7529
+  Fixes #7683
+  Closes #7752
 
-- test1565: fix windows build errors
-  
-  - Use our wait_ms() instead of sleep() since Windows doesn't have the
-    latter.
-  
-  - Use a separate variable to keep track of whether the pthread_t thread
-    id is valid.
+Daniel Stenberg (24 Sep 2021)
+- [Momoka Yamamoto brought this change]
+
+  HTTP3.md: use 'autoreconf -fi' instead of buildconf
   
-  On Windows pthread_t is not an integer type. pthread offers no macro for
-  invalid pthread_t thread id, so validity is kept track of separately.
+  buildconf is not used since #5853
   
-  Closes https://github.com/curl/curl/pull/7527
+  Closes #7746
 
-- [Jeremy Falcon brought this change]
+- GIT-INFO: rephrase to adapt to s/buildconf/autoreconf
 
-  winbuild/README.md: clarify GEN_PDB option
-  
-  - Document that GEN_PDB option creates an external database.
+- [h1zzz brought this change]
+
+  llist: remove redundant code, branch will not be executed
   
-  Ref: https://github.com/curl/curl/issues/7502
+  Closes #7770
 
-Daniel Stenberg (9 Aug 2021)
-- [Tatsuhiro Tsujikawa brought this change]
+- [tlahn brought this change]
 
-  ngtcp2: replace deprecated functions with nghttp3_conn_shutdown_stream_read
+  HTTP-COOKIES.md: remove duplicate 'each'
   
-  Closes #7546
+  Closes #7772
 
-- [Tatsuhiro Tsujikawa brought this change]
+Jay Satiro (24 Sep 2021)
+- [Joel Depooter brought this change]
 
-  ngtcp2: rework the return value handling of ngtcp2_conn_writev_stream
+  libssh2: Get the version at runtime if possible
   
-  Rework the return value handling of ngtcp2_conn_writev_stream and treat
-  NGTCP2_ERR_STREAM_SHUT_WR separately.
+  Previously this code used a compile time constant, meaning that libcurl
+  always reported the libssh2 version that libcurl was built with. This
+  could differ from the libssh2 version actually being used. The new code
+  uses the CURL_LIBSSH2_VERSION macro, which is defined in ssh.h. The
+  macro calls the libssh2_version function if it is available, otherwise
+  it falls back to the compile time version.
   
-  Closes #7546
+  Closes https://github.com/curl/curl/pull/7768
 
-- configure: error out if both ngtcp2 and quiche are specified
+- [Joel Depooter brought this change]
+
+  schannel: fix typo
   
-  Reported-by: Vincent Grande
-  See #7539
-  Closes #7545
+  Closes https://github.com/curl/curl/pull/7769
 
-- [Jeff Mears brought this change]
+Daniel Stenberg (23 Sep 2021)
+- cmake: with OpenSSL, define OPENSSL_SUPPRESS_DEPRECATED
+  
+  To avoid the "... is deprecated" warnings brought by OpenSSL v3.
+  (We need to address the underlying code at some point of course.)
+  
+  Assisted-by: Jakub Zakrzewski
+  Closes #7767
 
-  easy: use a custom implementation of wcsdup on Windows
+- curl-openssl: pass argument to sed single-quoted
   
-  ... so that malloc/free overrides from curl_global_init are used for
-  wcsdup correctly.
+  ... instead of using an escaped double-quote. This is an attempt to make
+  this work better with ksh that otherwise would insist on a double
+  escape!
   
-  Closes #7540
+  Reported-by: Randall S. Becker
+  Fixes #7758
+  Closes #7764
 
-- zuul: add an mbedtls3 CI job
+- RELEASE-NOTES: synced
   
-  Closes #7544
+  Bumped curlver to 7.80.0-dev
 
-- [Benau brought this change]
+- [a1346054 brought this change]
 
-  mbedTLS: initial 3.0.0 support
+  misc: fix typos in docs and comments
   
-  Closes #7428
+  No user facing output from curl/libcurl is changed by this, just
+  comments.
+  
+  Closes #7747
 
-- RELEASE-NOTES: synced
+- [Thomas M. DuBuisson brought this change]
 
-- configure.ac: revert bad nghttp2 library detection improvements
-  
-  This reverts commit b4b34db65f9f8, 673753344c5f and 29c7cf79e8b.
+  ci: update Lift config to match requirements of curl build
   
-  The logic is now back to assuming that the nghttp2 lib is called nghttp2 and
-  nothing else.
+  Also renamed Muse -> Lift, the new tool name.
   
-  Reported-by: Rui Pinheiro
-  Reported-by: Alex Crichton
-  Fixes #7514
-  Closes #7515
+  Closes #7761
 
-- happy-eyeballs-timeout-ms.d: polish the wording
+- [Rikard Falkeborn brought this change]
+
+  cleanup: constify unmodified static structs
   
-  Reported-by: Josh Soref
-  Fixes #7433
-  Closes #7542
+  Constify a number of static structs that are never modified. Make them
+  const to show this.
+  
+  Closes #7759
 
-- [modbw brought this change]
+Version 7.79.1 (22 Sep 2021)
 
-  mbedtls_threadlock: fix unused variable warning
+Daniel Stenberg (22 Sep 2021)
+- RELEASE-NOTES: synced
   
-  Closes #7393
+  curl 7.79.1 release
 
-- [Tatsuhiro Tsujikawa brought this change]
+- THANKS: added names from the 7.79.1 release
 
-  ngtcp2: compile with the latest ngtcp2 and nghttp3
+- test897: verify delivery of IMAP post-body header content
   
-  Closes #7541
-
-Marc Hoersken (31 Jul 2021)
-- CI/cirrus: reduce compile time with increased parallism
+  The "content" is delivered as "body" by curl, but the envelope continues
+  after the body and the rest of it should be delivered as header.
   
-  Cirrus CI VMs have 2 CPUs, let's use them also for Windows builds.
+  The IMAP server can now get 'POSTFETCH' set to include more data to
+  include after the body and test 897 is done to verify that such "extra"
+  header data is in fact delivered by curl as header.
   
-  Reviewed-by: Daniel Stenberg
-  Closes #7505
+  Ref: #7284 but fails to reproduce the issue
+  
+  Closes #7748
 
-Daniel Stenberg (30 Jul 2021)
-- [Bin Lan brought this change]
+- KNOWN_BUGS: connection migration doesn't work
+  
+  Closes #7695
 
-  tool/tests: fix potential year 2038 issues
+- RELEASE-NOTES: synced
+
+- http: fix the broken >3 digit response code detection
   
-  The length of 'long' in a 32-bit system is 32 bits, which cannot be used
-  to save timestamps after 2038. Most operating systems have extended
-  time_t to 64 bits.
+  When the "reason phrase" in the HTTP status line starts with a digit,
+  that was treated as the forth response code digit and curl would claim
+  the response to be non-compliant.
   
-  Remove the castings to long.
+  Added test 1466 to verify this case.
   
-  Closes #7466
+  Regression brought by 5dc594e44f73b17
+  Reported-by: Glenn de boer
+  Fixes #7738
+  Closes #7739
 
-- compressed.d: it's a request, not an order
+Jay Satiro (17 Sep 2021)
+- strerror: use sys_errlist instead of strerror on Windows
   
-  Clarified
+  - Change Curl_strerror to use sys_errlist[errnum] instead of strerror to
+    retrieve the error message on Windows.
   
-  Reported-by: Dan Jacobson
-  Reviewed-by: Daniel Gustafsson
-  Fixes #7516
-  Closes #7517
-
-- [Bernhard M. Wiedemann brought this change]
-
-  tests: make three tests pass until 2037
+  Windows' strerror writes to a static buffer and is not thread-safe.
   
-  after 2038 something in test1915 fails on 32-bit OSes
+  Follow-up to 2f0bb86 which removed most instances of strerror in favor
+  of calling Curl_strerror (which calls strerror_r for other platforms).
   
-  Closes #7512
+  Ref: https://github.com/curl/curl/pull/7685
+  Ref: https://github.com/curl/curl/commit/2f0bb86
+  
+  Closes https://github.com/curl/curl/pull/7735
 
-Daniel Gustafsson (30 Jul 2021)
-- connect: remove superfluous conditional
+Daniel Stenberg (16 Sep 2021)
+- dist: provide lib/.checksrc in the tarball
   
-  Commit dbd16c3e2 cleaned up the logic for traversing the addrinfos,
-  but the move left a conditional on ai which no longer is needed as
-  the while loop reevaluation will cover it.
+  So that debug builds work (checksrc really)
   
-  Closes #7511
-  Reviewed-by: Carlo Marcelo Arenas Belón
-  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+  Reported-by: Marcel Raad
+  Reported-by: tawmoto on github
+  Fixes #7733
+  Closes #7734
 
-Daniel Stenberg (29 Jul 2021)
-- RELEASE-NOTES: synced
+- TODO: Improve documentation about fork safety
   
-  and bump curlver to 7.79.0 for next release
+  Closes #6968
 
-Marc Hoersken (29 Jul 2021)
-- tests/*server.py: remove pidfile on server termination
+- hsts: CURLSTS_FAIL from hsts read callback should fail transfer
   
-  Avoid pidfile leaking/laying around after server already exited.
+  ... and have CURLE_ABORTED_BY_CALLBACK returned.
   
-  Reviewed-by: Daniel Stenberg
-  Closes #7506
-
-Daniel Gustafsson (27 Jul 2021)
-- tool_main: fix typo in comment
+  Extended test 1915 to verify.
   
-  The referred to library is NSPR, so fix the switched around characters.
+  Reported-by: Jonathan Cardoso
+  Fixes #7726
+  Closes #7729
 
-Daniel Stenberg (28 Jul 2021)
-- [Aleksandr Krotov brought this change]
-
-  bearssl: support CURLOPT_CAINFO_BLOB
+- test1184: disable
   
-  Closes #7468
+  The test should be fine and it works for me repeated when run manually,
+  but clearly it causes CI failures and it needs more research.
+  
+  Reported-by: RiderALT on github
+  Fixes #7725
+  Closes #7732
 
-- curl.1: mention "global" flags
+- Curl_http2_setup: don't change connection data on repeat invokes
   
-  Mention options that are "global". A global command line option is one
-  that doesn't get reset at --next uses and therefore don't need to be
-  used again.
+  Regression from 3cb8a748670ab88c (releasde in 7.79.0). That change moved
+  transfer oriented inits to before the check but also erroneously moved a
+  few connection oriented ones, which causes problems.
   
-  Reported-by: Josh Soref
+  Reported-by: Evangelos Foutras
+  Fixes #7730
+  Closes #7731
+
+- RELEASE-NOTES: synced
   
-  Fixes #7457
-  Closes #7510
+  and bump to 7.79.1
 
-- CURLOPT_DOH_URL.3: CURLOPT_OPENSOCKETFUNCTION is not inherited
+Kamil Dudka (16 Sep 2021)
+- tests/sshserver.pl: make it work with openssh-8.7p1
   
-  Reported-by: Daniel Woelfel
-  Fixes #7441
-  Closes #7509
+  ... by not using options with no argument where an argument is required:
+  
+  === Start of file tests/log/ssh_server.log
+  curl_sshd_config line 6: no argument after keyword "DenyGroups"
+  curl_sshd_config line 7: no argument after keyword "AllowGroups"
+  curl_sshd_config line 10: Deprecated option AuthorizedKeysFile2
+  curl_sshd_config line 29: Deprecated option KeyRegenerationInterval
+  curl_sshd_config line 39: Deprecated option RhostsRSAAuthentication
+  curl_sshd_config line 40: Deprecated option RSAAuthentication
+  curl_sshd_config line 41: Deprecated option ServerKeyBits
+  curl_sshd_config line 45: Deprecated option UseLogin
+  curl_sshd_config line 56: no argument after keyword "AcceptEnv"
+  curl_sshd_config: terminating, 3 bad configuration options
+  === End of file tests/log/ssh_server.log
+  
+  === Start of file log/sftp_server.log
+  curl_sftp_config line 33: Unsupported option "rhostsrsaauthentication"
+  curl_sftp_config line 34: Unsupported option "rsaauthentication"
+  curl_sftp_config line 52: no argument after keyword "sendenv"
+  curl_sftp_config: terminating, 1 bad configuration options
+  Connection closed.
+  Connection closed
+  === End of file log/sftp_server.log
+  
+  Closes #7724
 
-- KNOWN_BUGS: add more HTTP/3 problems
+Daniel Stenberg (15 Sep 2021)
+- hsts: handle unlimited expiry
   
-  Closes #7351
-  Closes #7339
-  Closes #7125
+  When setting a blank expire string, meaning unlimited, curl would pass
+  TIME_T_MAX to getime_r() when creating the output, while on 64 bit
+  systems such a large value cannot be convetered to a tm struct making
+  curl to exit the loop with an error instead. It can't be converted
+  because the year it would represent doesn't fit in the 'int tm_year'
+  field!
+  
+  Starting now, unlimited expiry is instead handled differently by using a
+  human readable expiry date spelled out as "unlimited" instead of trying
+  to use a distant actual date.
+  
+  Test 1660 and 1915 have been updated to help verify this change.
+  
+  Reported-by: Jonathan Cardoso
+  Fixes #7720
+  Closes #7721
 
-Marc Hoersken (27 Jul 2021)
-- CI/azure: reduce compile time with increased parallism
+- curl_multi_fdset: make FD_SET() not operate on sockets out of range
   
-  Azure Pipelines CI VMs have 2 CPUs, let's use them.
+  The VALID_SOCK() macro was made to only check for FD_SETSIZE if curl was
+  built to use select(), even though the curl_multi_fdset() function
+  always and unconditionally uses FD_SET and needs the check.
   
-  Closes #7489
+  Reported-by: 0xee on github
+  Fixes #7718
+  Closes #7719
 
-Jay Satiro (27 Jul 2021)
-- [Josh Soref brought this change]
+- FAQ: add GOPHERS + curl works on data, not files
 
-  docs: fix grammar
+Version 7.79.0 (14 Sep 2021)
+
+Daniel Stenberg (14 Sep 2021)
+- RELEASE-NOTES: synced
   
-  Fixes https://github.com/curl/curl/issues/7444
-  Fixes https://github.com/curl/curl/issues/7451
-  Fixes https://github.com/curl/curl/issues/7465
-  Closes https://github.com/curl/curl/pull/7495
+  For the 7.79.0 release
 
-- mail-rcpt.d: fix grammar
+- THANKS: add contributors from 7.79.0 release cycle
+
+- FAQ: add two dev related questions
   
-  Remove confusing sentence that says to specify an e-mail address for
-  mail transfer, since that's implied.
+    8.1 Why does curl use C89?
+    8.2 Will curl be rewritten?
   
-  Reported-by: Josh Soref
+  Spell-checked-by: Paul Johnson
+  Closes #7715
+
+- zuul.d/jobs: disable three tests for *-openssl-disable-proxy
   
-  Fixes https://github.com/curl/curl/issues/7452
-  Closes https://github.com/curl/curl/pull/7495
+  ... as they mysteriously seem to permfail without being related to
+  proxy.
+  
+  Closes #7714
 
-Daniel Stenberg (27 Jul 2021)
-- c-hyper: remove the hyper_executor_poll() loop from Curl_http
+- [Patrick Monnerat brought this change]
+
+  ftp,imap,pop3,smtp: reject STARTTLS server response pipelining
   
-  1. it's superfluous
-  2. it didn't work identically to the Curl_hyper_stream one which could
-     cause problems like #7486
+  If a server pipelines future responses within the STARTTLS response, the
+  former are preserved in the pingpong cache across TLS negotiation and
+  used as responses to the encrypted commands.
   
-  Pointed-out-by: David Cook
-  Closes #7499
+  This fix detects pipelined STARTTLS responses and rejects them with an
+  error.
+  
+  CVE-2021-22947
+  
+  Bug: https://curl.se/docs/CVE-2021-22947.html
 
-- curl-openssl.m4: check lib64 for the pkg-config file
+- [Patrick Monnerat brought this change]
+
+  ftp,imap,pop3: do not ignore --ssl-reqd
   
-  OpenSSL recently started putting the libs in $prefix/lib64 on 'make
-  install', so we check that directory for pkg-config data if the 'lib'
-  check fails.
+  In imap and pop3, check if TLS is required even when capabilities
+  request has failed.
   
-  Closes #7503
+  In ftp, ignore preauthentication (230 status of server greeting) if TLS
+  is required.
+  
+  Bug: https://curl.se/docs/CVE-2021-22946.html
+  
+  CVE-2021-22946
 
-- CURLOPT_SSL_CTX_*.3: tidy up the example
+- [z2_ on hackerone brought this change]
+
+  mqtt: clear the leftovers pointer when sending succeeds
   
-  Use the proper code style. Don't store return codes that aren't read.
-  Copy the same example into CURLOPT_SSL_CTX_FUNCTION.3 as well.
+  CVE-2021-22945
   
-  Closes #7500
+  Bug: https://curl.se/docs/CVE-2021-22945.html
 
-- example/cookie_interface: fix scan-build printf warning
+- zuul: bump the rustls job to use v0.7.2
   
-  Follow-up to 4b79c4fb565
+  ... and add -lm when using a rust library.
   
-  Fixes #7497
-  Closes #7498
+  Closes #7701
 
-- [Josh Soref brought this change]
+- RELEASE-PROCEDURE: add release dates from now to 8.0.0 in 2023
 
-  limit-rate.d: clarify base unit
+- SECURITY-PROCESS: tweak a little to match current practices
   
-  Fixes #7439
-  Closes #7494
-
-- [Carlo Marcelo Arenas Belón brought this change]
+  Closes #7713
 
-  examples/cookie_interface: avoid printfing time_t directly
+- http_proxy: fix the User-Agent inclusion in CONNECT
   
-  time_t representation is undefined and varies on bitsize and signedness,
-  and as of C11 could be even non integer.
+  It should not refer to the uagent string that is allocated and created
+  for the end server http request, as that pointer may be cleared on
+  subsequent CONNECT requests.
   
-  instead of casting to unsigned long (which would truncate in systems
-  with a 32bit long after 2106) use difftime to get the elapsed time as a
-  double and print that (without decimals) instead.
+  Added test case 1184 to verify.
   
-  alternatively a cast to curl_off_t and its corresponding print
-  formatting could have been used (at least in POSIX) but portability and
-  curl agnostic code was prioritized.
+  Reported-by: T200proX7 on github
+  Fixes #7705
+  Closes #7707
+
+- Curl_hsts_loadcb: don't attempt to load if hsts wasn't inited
   
-  Closes #7490
+  Reported-by: Jonathan Cardoso
+  Fixes #7710
+  Closes #7711
 
-Marc Hoersken (25 Jul 2021)
-- tests/servers: remove obsolete pid variable
+- [Tatsuhiro Tsujikawa brought this change]
+
+  ngtcp2: fix build with ngtcp2 and nghttp3
   
-  Variable is not used since pidfile handling moved to util.[ch]
+  ngtcp2_conn_client_new and nghttp3_conn_client_new are now macros.
+  Check the wrapped functions instead.
   
-  Reviewed-by: Jay Satiro
-  Closes #7482
+  ngtcp2_stream_close callback now takes flags parameter.
+  
+  Closes #7709
 
-- tests/servers: use our platform-aware pid for server verification
+- write-out.d: clarify size_download/upload
   
-  The pid used for server verification is later stored as pid2 in
-  the hash of running test servers and therefore used for shutdown.
+  They show the number of "body" bytes transfered.
+  Fixes #7702
+  Closes #7706
+
+- http2: Curl_http2_setup needs to init stream data in all invokes
   
-  The pid used for shutdown must be the platform-aware (Win32) pid
-  to avoid leaking test servers while running them using Cygwin/msys.
+  Thus function was written to avoid doing multiple connection data
+  initializations, which is fine, but since it also initiates stream
+  related data it is crucial that it doesn't skip those even if called
+  again for the same connection. Solved by moving the stream
+  initializations before the "doing-it-again" check.
   
-  Reviewed-by: Jay Satiro
-  Closes #7481
+  Reported-by: Inho Oh
+  Fixes #7630
+  Closes #7692
 
-- tests/runtests.pl: cleanup copy&paste mistakes and unused code
+- url: fix compiler warning in no-verbose builds
   
-  Reviewed-by: Jay Satiro
-  Part of #7481
+  Follow-up from 2f0bb864c12
+  
+  Closes #7700
 
-Daniel Stenberg (25 Jul 2021)
-- RELEASE-NOTES: synced
+- non-ascii: fix build errors from strerror fix
   
-  bumped to 7.78.1 for next release
+  Follow-up to 2f0bb864c12
+  
+  Closes #7697
 
-- http_proxy: clear 'sending' when the outgoing request is sent
+- parse_args: redo the warnings for --remote-header-name combos
   
-  ... so that Curl_connect_getsock() will know how to wait for the socket
-  to become readable and not writable after the entire CONNECT request has
-  been issued.
+  ... to avoid the memory leak risk pointed out by scan-build.
   
-  Regression added in 7.77.0
+  Follow-up from 7a3e981781d6c18a
   
-  Reported-by: zloi-user on github
-  Assisted-by: Jay Satiro
-  Fixes #7155
-  Closes #7484
-
-Jay Satiro (25 Jul 2021)
-- [Josh Soref brought this change]
+  Closes #7698
 
-  openssl: fix grammar
+- ngtcp2: adapt to new size defintions upstream
   
-  Closes https://github.com/curl/curl/pull/7480
+  Reviewed-by: Tatsuhiro Tsujikawa
+  Closes #7699
 
-- configure.ac: tweak nghttp2 library name fix again
+- rustls: add strerror.h include
   
-  - Change extraction to handle multiple library names returned by
-    pkg-config (eg a possible scenario with pkg-config --static).
+  Follow-up to 2f0bb864c12
+
+- docs: the security list is reached at security at curl.se now
   
-  Ref: https://github.com/curl/curl/pull/7472
+  Also update the FAQ section a bit to encourage users to rather submit
+  security issues on hackerone than sending email.
   
-  Closes https://github.com/curl/curl/pull/7485
+  Closes #7689
 
-Dan Fandrich (23 Jul 2021)
-- Get rid of the unused HAVE_SIG_ATOMIC_T et. al.
+Marc Hoersken (9 Sep 2021)
+- runtests: add option -u to error on server unexpectedly alive
   
-  It was added in 2006 but I see no evidence it was ever used.
-
-Jay Satiro (23 Jul 2021)
-- docs: change max-filesize caveat again
+  Let's try to actually handle the server unexpectedly alive
+  case by first making them visible on CI builds as failures.
   
-  - Add protocols field to max-filesize.d.
+  This is needed to detect issues with killing of the test
+  servers completely including nested process chains with
+  multiple PIDs per test server (including bash and perl).
   
-  - Revert wording on unknown file size caveat and do not discuss specific
-    protocols in that section.
+  On Windows/cygwin platforms this is especially helpful with
+  debugging PID mixups due to cygwin using its own PID space.
   
-  Partial revert of ecf0225. All max-filesize options now have the list of
-  protocols and it's clearer just to have that list without discussing
-  specific protocols in the caveat.
+  Reviewed-by: Daniel Stenberg
+  Closes #7180
+
+Daniel Stenberg (9 Sep 2021)
+- opts docs: unify phrasing in NAME header
   
-  Reported-by: Josh Soref
+  - avoid writing "set ..." or "enable/disable ..." or "specify ..."
+    *All* options for curl_easy_setopt() are about setting or enabling
+    things and most of the existing options didn't use that way of
+    description.
   
-  Ref: https://github.com/curl/curl/issues/7453#issuecomment-884128762
+  - start with lowercase letter, unless abbreviation. For consistency.
+  
+  - Some additional touch-ups
+  
+  Closes #7688
 
-Daniel Stenberg (22 Jul 2021)
-- [Christian Weisgerber brought this change]
+- strerror.h: remove the #include from files not using it
 
-  configure: tweak nghttp2 library name fix
+- lib: don't use strerror()
   
-  commit 29c7cf79e8b44cf (shipped in 7.78.0) introduced a problem by
-  assuming that LIB_H2 does not have any leading whitespace.  At least
-  OpenBSD's native pkg-config can produce such whitespace, though:
+  We have and provide Curl_strerror() internally for a reason: strerror()
+  is not necessarily thread-safe so we should always try to avoid it.
   
-      $ pkg-config --libs-only-l libnghttp2
-       -lnghttp2
+  Extended checksrc to warn for this, but feature the check disabled by
+  default and only enable it in lib/
   
-  As a result, the configure check for libnghttp2 will erroneously fail.
+  Closes #7685
+
+Daniel Gustafsson (8 Sep 2021)
+- cirrus: Add FreeBSD 13.0 job and disable sanitizer build
   
-  Bug: https://curl.se/mail/lib-2021-07/0050.html
-  Closes #7472
+  As alluded to the in the now removed comment, a 13.0 image became
+  available and is now ready to be used.
+  
+  The sanitizer builds were running on the 12.1 image which since has
+  been removed from the config, leaving the builds not running at all.
+  When enabled it turns out that they don't actually work due to very
+  long timeouts in executing the tests, so keep the disabled for now
+  but a bit more controlled.
+  
+  Closes #7592
 
-- [Bastian Krause brought this change]
+Daniel Stenberg (8 Sep 2021)
+- copyrights: update copyright year ranges
 
-  docs/MQTT: update state of username/password support
+- RELEASE-NOTES: synced
+
+- INTERNALS: c-ares has a new home: c-ares.org
+
+- docs: remove experimental mentions from HSTS and MQTT
   
-  PR #7243 implemented username/password support for MQTT, so let's drop
-  these items from the caveats.
+  Reported-by: Jonathan Cardoso
+  Bug: https://github.com/curl/curl/pull/6700#issuecomment-913792863
+  Closes #7681
+
+- [Cao ZhenXiang brought this change]
+
+  curl: add warning for incompatible parameters usage
   
-  Signed-off-by: Bastian Krause <bst@pengutronix.de>
+  --continue-at - and --remote-header-name are known incompatible parameters
   
-  Closes #7474
+  Closes #7674
 
-- [Oleg Pudeyev brought this change]
+- [git-bruh brought this change]
 
-  CURLMOPT_TIMERFUNCTION.3: remove misplaced "time"
+  examples/*hiperfifo.c: fix calloc arguments to match function proto
   
-  Closes #7470
+  Closes #7678
 
-Version 7.78.0 (21 Jul 2021)
+- INTERNALS: bump c-ares requirement to 1.16.0
+  
+  Since ba904db0705c93 we use ares_getaddrinfo, added in c-ares 1.16.0
 
-Daniel Stenberg (21 Jul 2021)
-- RELEASE-NOTES: synced
+- curl: stop retry if Retry-After: is longer than allowed
   
-  curl 7.78.0 release
+  If Retry-After: specifies a period that is longer than what fits within
+  --retry-max-time, then stop retrying immediately.
+  
+  Added test 366 to verify.
+  
+  Reported-by: Kari Pahula
+  Fixes #7675
+  Closes #7676
 
-- winbuild/MakefileBuild.vc: bump copyright year
+- [Michał Antoniak brought this change]
 
-Jay Satiro (21 Jul 2021)
-- docs: mention max-filesize options also apply to MQTT transfers
+  mbedtls: avoid using a large buffer on the stack
   
-  Also make it clearer that the caveat 'if the file size is unknown it
-  the option will have no effect' may apply to protocols other than FTP
-  and HTTP.
+  Use dynamic memory allocation for the buffer used in checking "pinned
+  public key". The PUB_DER_MAX_BYTES parameter with default settings is
+  set to a value greater than 2kB.
   
-  Reported-by: Josh Soref
+  Co-authored-by: Daniel Stenberg
+  Closes #7586
+
+- configure: make --disable-hsts work
   
-  Fixes https://github.com/curl/curl/issues/7453
+  The AC_ARG_ENABLE() macro itself uses a variable called
+  'enable_[option]', so when our script also used a variable with that
+  name for the purpose of storing what the user wants, it also
+  accidentally made it impossible to switch off the feature with
+  --disable-hsts. Fix this by renaming our variable.
+  
+  Reported-by: Michał Antoniak
+  Fixes #7669
+  Closes #7672
 
-- [Josh Soref brought this change]
+Jay Satiro (5 Sep 2021)
+- config.d: note that curlrc is used even when --config
+  
+  Bug: https://github.com/curl/curl/pull/7666#issuecomment-912214751
+  Reported-by: Viktor Szakats
+  
+  Closes https://github.com/curl/curl/pull/7667
 
-  docs/cmdline: fix grammar and typos
+Daniel Stenberg (4 Sep 2021)
+- RELEASE-NOTES: synced
 
-- [Josh Soref brought this change]
+- test1173: check references to libcurl options
+  
+  ... that they refer to actual existing libcurl options.
+  
+  Reviewed-by: Daniel Gustafsson
+  Closes #7656
 
-  dump-header.d: Drop suggestion to use for cookie storage
+- CURLOPT_UNIX_SOCKET_PATH.3: remove nginx reference, add see also
   
-  Since --cookie-jar is the preferred way to store cookies, no longer
-  suggest using --dump-header to do so.
+  Closes #7656
+
+- opt-docs: verify man page sections + order
   
-  Co-authored-by: Daniel Stenberg
+  In every libcurl option man page there are now 8 mandatory sections that
+  must use the right name in the correct order and test 1173 verifies
+  this. Only 14 man pages needed adjustments.
   
-  Closes https://github.com/curl/curl/issues/7414
+  The sections and the order is as follows:
+  
+   - NAME
+   - SYNOPSIS
+   - DESCRIPTION
+   - PROTOCOLS
+   - EXAMPLE
+   - AVAILABILITY
+   - RETURN VALUE
+   - SEE ALSO
+  
+  Reviewed-by: Daniel Gustafsson
+  Closes #7656
 
-- [Josh Soref brought this change]
+- opt-docs: make sure all man pages have examples
+  
+  Extended manpage-syntax.pl (run by test 1173) to check that every man
+  page for a libcurl option has an EXAMPLE section that is more than two
+  lines. Then fixed all errors it found and added examples.
+  
+  Reviewed-by: Daniel Gustafsson
+  Closes #7656
 
-  doc/cmdline: fix grammar and typos
+- get.d: provide more useful examples
   
-  Closes https://github.com/curl/curl/pull/7454
-  Closes https://github.com/curl/curl/pull/7455
-  Closes https://github.com/curl/curl/pull/7456
-  Closes https://github.com/curl/curl/pull/7459
-  Closes https://github.com/curl/curl/pull/7460
-  Closes https://github.com/curl/curl/pull/7461
-  Closes https://github.com/curl/curl/pull/7462
-  Closes https://github.com/curl/curl/pull/7463
+  Closes #7668
+
+- page-header: add GOPHERS, simplify wording in the 1st para
+  
+  Closes #7665
+
+- connect: get local port + ip also when reusing connections
+  
+  Regression. In d6a37c23a3c (7.75.0) we removed the duplicated storage
+  (connection + easy handle), so this info needs be extracted again even
+  for re-used connections.
+  
+  Add test 435 to verify
+  
+  Reported-by: Max Dymond
+  Fixes #7660
+  Closes #7662
 
-Daniel Stenberg (20 Jul 2021)
-- vtls: fix connection reuse checks for issuer cert and case sensitivity
+Marcel Raad (2 Sep 2021)
+- multi: fix compiler warning with `CURL_DISABLE_WAKEUP`
   
-  CVE-2021-22924
+  `use_wakeup` is unused in this case.
   
-  Reported-by: Harry Sintonen
-  Bug: https://curl.se/docs/CVE-2021-22924.html
+  Closes https://github.com/curl/curl/pull/7661
 
-- sectransp: check for client certs by name first, then file
+Daniel Stenberg (1 Sep 2021)
+- tests: adjust the tftpd output to work with hyper mode
   
-  CVE-2021-22926
+  By making them look less like http headers, the hyper mode "tweak"
+  doesn't interfere.
   
-  Bug: https://curl.se/docs/CVE-2021-22926.html
+  Enable test 2002 and 2003 in hyper builds (and 1280 which is unrelated
+  but should be enabled).
   
-  Assisted-by: Daniel Gustafsson
-  Reported-by: Harry Sintonen
+  Closes #7658
 
-- telnet: fix option parser to not send uninitialized contents
-  
-  CVS-2021-22925
-  
-  Reported-by: Red Hat Product Security
-  Bug: https://curl.se/docs/CVE-2021-22925.html
+Daniel Gustafsson (1 Sep 2021)
+- [Gisle Vanem brought this change]
 
-Jay Satiro (20 Jul 2021)
-- connect: fix wrong format specifier in connect error string
+  openssl: annotate SSL3_MT_SUPPLEMENTAL_DATA
   
-  0842175 (not in any release) used the wrong format specifier (long int)
-  for timediff_t. On an OS such as Windows libcurl's timediff_t (usually
-  64-bit) is bigger than long int (32-bit). In 32-bit Windows builds the
-  upper 32-bits of the timediff_t were erroneously then used by the next
-  format specifier. Usually since the timeout isn't larger than 32-bits
-  this would result in null as a pointer to the string with the reason for
-  the connection failing. On other OSes or maybe other compilers it could
-  probably result in garbage values (ie crash on deref).
+  This adds support for the previously unhandled supplemental data which
+  in -v output was printed like:
   
-  Before:
-  Failed to connect to localhost port 12345 after 1201 ms: (nil)
+      TLSv1.2 (IN), TLS header, Unknown (23):
   
-  After:
-  Failed to connect to localhost port 12345 after 1203 ms: Connection refused
+  These will now be printed with proper annotation:
   
-  Closes https://github.com/curl/curl/pull/7449
+      TLSv1.2 (OUT), TLS header, Supplemental data (23):
+  
+  Closes #7652
+  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
 
-- winbuild: support alternate nghttp2 static lib name
+Daniel Stenberg (1 Sep 2021)
+- curl.1: provide examples for each option
   
-  - Support both nghttp2.lib and nghttp2_static.lib for static nghttp2.
+  The file format for each option now features a "Example:" header that
+  can provide one or more examples that get rendered appropriately in the
+  output. All options MUST have at least one example or gen.pl complains
+  at build-time.
   
-  nghttp2 briefly changed its static lib name to nghttp2_static, but then
-  made the _static suffix optional.
+  This fix also does a few other minor format and consistency cleanups.
   
-  Ref: https://github.com/nghttp2/nghttp2/pull/1394
-  Ref: https://github.com/nghttp2/nghttp2/pull/1418
-  Ref: https://github.com/nghttp2/nghttp2/issues/1466
+  Closes #7654
+
+- progress: make trspeed avoid floats
   
-  Reported-by: Pierre Yager
+  and compiler warnings for data conversions.
   
-  Fixes https://github.com/curl/curl/issues/7446
-  Closes https://github.com/curl/curl/pull/7447
+  Reported-by: Michał Antoniak
+  Fixes #7645
+  Closes #7653
 
-- [Josh Soref brought this change]
+- test365: verify response with chunked AND Content-Length headers
 
-  docs/cmdline: fix grammar and typos
+- http: ignore content-length if any transfer-encoding is used
   
-  Closes https://github.com/curl/curl/pull/7432
-  Closes https://github.com/curl/curl/pull/7436
-  Closes https://github.com/curl/curl/pull/7438
-  Closes https://github.com/curl/curl/pull/7440
-  Closes https://github.com/curl/curl/pull/7445
+  Fixes #7643
+  Closes #7649
 
-- [Josh Soref brought this change]
+- RELEASE-NOTES: synced
 
-  delegation.d: mention what happens when used multiple times
+- Revert "http2: skip immediate parsing of payload following protocol switch"
   
-  Closes https://github.com/curl/curl/pull/7408
-
-- [Josh Soref brought this change]
-
-  create-file-mode.d: mention what happens when used multiple times
+  This reverts commit 455a63c66f188598275e87d32de2c4e8e26b80cb.
   
-  Closes https://github.com/curl/curl/pull/7407
-
-- [Josh Soref brought this change]
+  Reported-by: Tk Xiong
+  Fixes #7633
+  Closes #7648
 
-  config.d: split comments and option-per line
+- KNOWN_BUGS: HTTP/3 doesn't support client certs
   
-  Closes https://github.com/curl/curl/pull/7405
-
-Daniel Stenberg (19 Jul 2021)
-- misc: copyright year range updates
-
-- mailmap: add Tobias and Timur
+  Closes #7625
 
-Daniel Gustafsson (18 Jul 2021)
-- [Josh Soref brought this change]
+- mailing lists: move from cool.haxx.se to lists.haxx.se
 
-  docs: spell out directories instead of dirs in create-dirs
-  
-  Write out directories rather than using the dirs abbrevation. Also
-  use plural form consistently, even if the code in the end might just
-  create a single directory.
+- http_proxy: only wait for writable socket while sending request
   
-  Closes #7406
-  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
-  Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
-
-- [Tobias Nyholm brought this change]
-
-  docs: correct spelling errors and a broken link
+  Otherwise it would wait socket writability even after the entire CONNECT
+  request has sent and make curl basically busy-loop while waiting for a
+  response to come back.
   
-  Update grammar and spelling in docs and source code comments.
+  The previous fix attempt in #7484 (c27a70a591a4) was inadequate.
   
-  Closes: #7427
-  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+  Reported-by: zloi-user on github
+  Reported-by: Oleguer Llopart
+  Fixes #7589
+  Closes #7647
 
-Marc Hoersken (18 Jul 2021)
-- CI/cirrus: install impacket from PyPI instead of FreeBSD packages
-  
-  Availability of impacket as FreeBSD package is too flaky.
+- http: disallow >3-digit response codes
   
-  Stick to legacy version of cryptography which still
-  supports OpenSSL version 1.0.2 due to FreeBSD 11.
+  Make the built-in HTTP parser behave similar to hyper and reject any
+  HTTP response using more than 3 digits for the response code.
   
-  Reviewed-by: Daniel Stenberg
+  Updated test 1432 accordingly.
+  Enabled test 1432 in the hyper builds.
   
-  Closes #7418
+  Closes #7641
 
-Daniel Stenberg (18 Jul 2021)
-- [Josh Soref brought this change]
+- [Tatsuhiro Tsujikawa brought this change]
 
-  docs/cmdline: mention what happens when used multiple times
+  ngtcp2: stop buffering crypto data
   
-  For --dns-ipv4-addr, --dns-ipv6-addr and --dns-servers
+  Stop buffering crypto data because libngtcp2 now buffers submitted
+  crypto data.
   
-  Closes #7410
-  Closes #7411
-  Closes #7412
+  Closes #7637
 
-- [Michał Antoniak brought this change]
+- test1280: CRLFify the response to please hyper
+  
+  Closes #7639
 
-  lib: fix compiler warnings with CURL_DISABLE_NETRC
+- tests: enable test 1129 for hyper builds
   
-  warning C4189: 'netrc_user_changed': local variable is initialized but
-  not referenced
+  Closes #7638
+
+- curl: better error message when -O fails to get a good name
   
-  warning C4189: 'netrc_passwd_changed': local variable is initialized but
-  not referenced
+  Due to how this currently works internally, it needs a working initial
+  file name to store contents in, so it may still fail even with -J is
+  used (and thus accepting a name from content-disposition:) if the file
+  name part of the URL isn't "good enough".
   
-  Closes #7423
+  Fixes #7628
+  Closes #7635
 
-- disable-epsv.d: remove duplicate "(FTP)"
+- curl_easy_setopt: tweak the string copy wording
   
-  ... since the tooling adds that to the output based on the "Protocols:"
-  tag.
+  Reported-by: Yaobin Wen
+  Fixes #7632
+  Closes #7634
 
-- [Max Zettlmeißl brought this change]
+- RELEASE-NOTES: synced
 
-  docs: make the documentation for --etag-save match the program behaviour
-  
-  When using curl with the option `--etag-save` I expected it to save the
-  ETag without its surrounding quotes, as stated by the documentation in
-  the repository and by the generated man pages.
+- [Don J Olmstead brought this change]
+
+  cmake: sync CURL_DISABLE options
   
-  My first endeavour was to fix the program, but while investigating the
-  history of the relevant parts, I discovered that curl once saved the
-  ETag without the quotes.  This was undone by Daniel Stenberg in commit
-  `98c94596f5928840177b6bd3c7b0f0dd03a431af`, therefore I decided that in
-  this case the documentation should be adjusted to match the behaviour of
-  curl.
+  Adds the full listing of CURL_DISABLE options to the CMake build. Moves
+  all option code, except for CURL_DISABLE_OPENSSL_AUTO_LOA_CONFIG which
+  resides near OpenSSL configuration, to the same block of code. Also
+  sorts the options here and in the cmake config header.
   
-  The changed save behaviour also made parts of the `--etag-compare`
-  documentation wrong or superfluous, so I adjusted those accordingly.
+  Additionally sorted the CURL-DISABLE listing and fixed the
+  CURL_DISABLE_POP3 option.
   
-  Closes #7429
-
-- [Josh Soref brought this change]
+  Closes #7624
 
-  write-out.d: add missing periods
+Jay Satiro (25 Aug 2021)
+- KNOWN_BUGS: FTPS upload data loss with TLS 1.3
   
-  Closes #7404
-
-- [Josie Huddleston brought this change]
-
-  easy: during upkeep, attach Curl_easy to connections in the cache
+  Bug: https://github.com/curl/curl/issues/6149
+  Reported-by: Bylon2@users.noreply.github.com
   
-  During the protocol-specific parts of connection upkeep, some code
-  assumes that the data->conn pointer already is set correctly.  However,
-  there's currently no guarantee of that in the code.
+  Closes https://github.com/curl/curl/pull/7623
+
+Daniel Stenberg (24 Aug 2021)
+- cmake: avoid poll() on macOS
   
-  This fix temporarily attaches each connection to the Curl_easy object
-  before performing the protocol-specific connection check on it, in a
-  similar manner to the connection checking in extract_if_dead().
+  ... like we do in configure builds. Since poll() on macOS is not
+  reliable enough.
   
-  Fixes #7386
-  Closes #7387
-  Reported-by: Josie Huddleston
+  Reported-by: marc-groundctl
+  Fixes #7595
+  Closes #7619
 
-- [Josh Soref brought this change]
+- c-hyper: handle HTTP/1.1 => HTTP/1.0 downgrade on reused connection
+  
+  Enable test 1074
+  
+  Closes #7617
 
-  cleanup: spell DoH with a lowercase o
+- c-hyper: deal with Expect: 100-continue combined with POSTFIELDS
   
-  Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
+  Enable test 1130 and 1131
   
-  Closes #7413
+  Closes #7616
 
-- [Josh Soref brought this change]
+- [a1346054 brought this change]
 
-  TheArtOfHttpScripting: polish
-  
-  - add missing backticks and comma
-  
-  - fix proxy description:
+  tests: be explicit about using 'python3' instead of 'python'
   
-  * example proxy isn't local
-  * locally doesn't really make sense
+  This fixes running tests in virtualenvs (or on distros) that no longer
+  have a symlink from python to python2 or python3.
   
-  Closes #7416
+  Closes #7602
 
-- [Josh Soref brought this change]
+- [a1346054 brought this change]
 
-  form.d: add examples of `,`/`;` for file[name]
+  scripts: invoke interpreters through /usr/bin/env
   
-  Fixes #7415
-  Closes #7417
+  Closes #7602
 
-- [Michał Antoniak brought this change]
+- DISABLED: enable 11 more tests for hyper builds
+  
+  Closes #7612
 
-  mbedtls: Remove unnecessary include
+- setopt: enable CURLOPT_IGNORE_CONTENT_LENGTH for hyper
   
-  - curl_setup.h: all references to mbedtls_md4* functions and structures
-    are in the md4.c. This file already includes the <mbedtls/md4.h> file
-    along with the file existence control (defined (MBEDTLS_MD4_C))
+  Since this option is also used for FTP, it needs to work to set for
+  applications even if hyper doesn't support it for HTTP. Verified by test
+  1137.
   
-  - curl_ntlm_core.c: unnecessary include - repeated below
+  Updated docs to specify that the option doesn't work for HTTP when using
+  the hyper backend.
   
-  Closes #7419
-
-- RELEASE-NOTES: synced
+  Closes #7614
 
-Jay Satiro (16 Jul 2021)
-- [User Sg brought this change]
+- test1138: remove trailing space to make work with hyper
+  
+  Closes #7613
 
-  multi: fix crash in curl_multi_wait / curl_multi_poll
+- libcurl-errors.3: clarify two CURLUcode errors
   
-  Appears to have been caused by 51c0ebc (precedes 7.77.0) which added a
-  VALID_SOCK check to one of the loops through the sockets but not the
-  other.
+  CURLUE_BAD_HANDLE and CURLUE_BAD_PARTPOINTER should be for "bad" or
+  wrong pointers in a generic sense, not just for NULL pointers.
   
-  Reported-by: sylgal@users.noreply.github.com
-  Authored-by: sylgal@users.noreply.github.com
+  Reviewed-by: Jay Satiro
   
-  Fixes https://github.com/curl/curl/issues/7379
-  Closes https://github.com/curl/curl/pull/7389
-
-- [Daniel Gustafsson brought this change]
+  Ref: #7605
+  Closes #7611
 
-  tool_help: remove unused define
+Jay Satiro (23 Aug 2021)
+- symbols-in-versions: fix CURLSSLBACKEND_QSOSSL last used version
   
-  The PRINT_LINES_PAUSE macro is no longer used, and has been mostly
-  cleaned out but one occurrence remained.
+  ... and also change the 'Removed' column name to 'Last' since that
+  column is for the last version to contain the symbol.
   
-  Closes https://github.com/curl/curl/pull/7380
-
-- [Sergey Markelov brought this change]
+  Closes https://github.com/curl/curl/pull/7609
 
-  build: fix compiler warnings when CURL_DISABLE_VERBOSE_STRINGS
+Daniel Stenberg (23 Aug 2021)
+- urlapi.c:seturl: assert URL instead of using if-check
   
-  fix compiler warnings about unused variables and parameters when
-  built with --disable-verbose.
+  There's no code flow possible where this can happen. The assert makes
+  sure it also won't be introduced undetected in the future.
   
-  Closes https://github.com/curl/curl/pull/7377
-
-- [Andrea Pappacoda brought this change]
+  Closes #7610
 
-  build: fix IoctlSocket FIONBIO check
+- curl-openssl.m4: show correct output for OpenSSL v3
   
-  Prior to this change HAVE_IOCTLSOCKET_CAMEL_FIONBIO mistakenly checked
-  for (lowercase) ioctlsocket when it should have checked for IoctlSocket.
+  Using 3.0.0 versions configure should now show this:
   
-  Closes https://github.com/curl/curl/pull/7375
-
-- [Timur Artikov brought this change]
-
-  configure: fix nghttp2 library name for static builds
+  checking for OpenSSL headers version... 3.0.0 - 0x300
+  checking for OpenSSL library version... 3.0.0
+  checking for OpenSSL headers and library versions matching... yes
   
-  Don't hardcode the nghttp2 library name,
-  because it can vary, be "nghttp2_static" for example.
+  This output doesn't actually change what configure generates but is only
+  "cosmetic".
   
-  Fixes https://github.com/curl/curl/issues/7367
-  Closes https://github.com/curl/curl/pull/7368
-
-Gisle Vanem (16 Jul 2021)
-- [PellesC] fix _lseeki64() macro
+  Reported-by: Randall S. Becker
+  Fixes #7606
+  Closes #7608
 
-- [SChannel] Use '_tcsncmp()' instead
-  
-  Revert previous change for PellesC.
+Jay Satiro (22 Aug 2021)
+- mksymbolsmanpage.pl: Fix showing symbol's last used version
   
-  Instead replace all use of `_tcsnccmp()` with `_tcsncmp()`.
-
-- [PellesC] missing '_tcsnccmp'
+  Prior to this change the symbol's deprecated version was erroneously
+  shown as its last used version.
   
-  PellesC compiler does not have this macro in it's `<tchar.h>`
+  Bug: https://github.com/curl/curl/commit/4e53b94#commitcomment-55239509
+  Reported-by: i-ky@users.noreply.github.com
 
-Daniel Gustafsson (14 Jul 2021)
-- TODO: add mention of mbedTLS 3 incompatibilities
+Daniel Stenberg (21 Aug 2021)
+- mksymbolsmanpage.pl: match symbols case insenitively
   
-  Wyatt OʼDay reported in #7385 that mbedTLS isn't backwards compatible
-  and curl no longer builds with it. Document the need to fix our support
-  until so has been done.
+  Follow-up to 4e53b9430c750 which made this bug show.
   
-  Closes #7390
-  Fixes #7385
-  Reported-by: Wyatt OʼDay
-  Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
+  Reported-by: i-ky
+  Bug: https://github.com/curl/curl/commit/4e53b9430c7504de8984796e2a2091ec16f27136#commitcomment-55239253
+  Closes #7607
 
-- docs: fix inconsistencies in EGDSOCKET documentation
+- asyn-ares: call ares_freeaddrinfo() to clean up addrinfo results
   
-  Only the OpenSSL backend actually use the EGDSOCKET, and also use
-  TLS consistently rather than mixing SSL and TLS. While there, also
-  fix a minor spelling nit.
+  As this leaks memory otherwise
   
-  Closes: #7391
-  Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
+  Follow-up to ba904db0705c931
+  
+  Closes #7599
 
-- [Борис Верховский brought this change]
+- [Ehren Bendler brought this change]
 
-  docs: document missing arguments to commands
+  wolfssl: clean up wolfcrypt error queue
   
-  This is a followup to commit f410b9e538129e77607fef1 fixing a few
-  more commands which takes arguments.
+  If wolfSSL is built in certain ways (OPENSSL_EXTRA or Debug), the error
+  queue gets added on to for each session and never freed. Fix it by
+  calling ERR_clear_error() like in vtls/openssl when needed. This func is
+  a no-op in wolfcrypt if the error queue is not enabled.
   
-  Closes #7382
-  Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
-
-- [Randolf J brought this change]
+  Closes #7594
 
-  docs: fix incorrect argument name reference
+- man pages: remove trailing whitespaces
   
-  The documentation for the read callback was erroneously referencing
-  the nitems argument by nmemb.  The error was introduced in commit
-  ce0881edee3c7.
+  Extended test 1173 (via the manpage-syntax.pl script) to detect and warn
+  for them.
   
-  Closes #7383
-  Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
-
-- [Борис Верховский brought this change]
+  Ref: #7602
+  Reported-by: a1346054 on github
+  Closes #7604
 
-  tool_help: Document that --tlspassword takes a password
-  
-  Closes #7378
-  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+- mailmap: add Gleb Ivanovsky
 
-- scripts: Fix typo in release-notes instructions
+- config.d: escape the backslash properly
   
-  The command to run had a typo in the pathname which prevented copy
-  pasting it to work, which has annoyed me enough to fix this now.
+  Closes #7603
 
-- RELEASE-NOTES: synced
+- [Don J Olmstead brought this change]
 
-Jay Satiro (10 Jul 2021)
-- write-out.d: Clarify urlnum is not unique for de-globbed URLs
+  curl_setup.h: sync values for HTTP_ONLY
   
-  Reported-by: Коваленко Анатолий Викторович
+  The values for HTTP_ONLY differed between CMakeLists.txt and
+  curl_setup.h. Sync them and sort the values in curl_setup.h to make it
+  easier to spot differences.
   
-  Fixes https://github.com/curl/curl/issues/7342
-  Closes https://github.com/curl/curl/pull/7369
-
-Daniel Gustafsson (3 Jul 2021)
-- [William Desportes brought this change]
+  Closes #7601
 
-  docs: Fix typos
+Jay Satiro (21 Aug 2021)
+- configure: set classic mingw minimum OS version to XP
   
-  Closes: #7370
-  Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
-
-Daniel Stenberg (8 Jul 2021)
-- [Jonathan Wernberg brought this change]
-
-  Revert "ftp: Expression 'ftpc->wait_data_conn' is always false"
+  - If the user has not specified a minimum OS version (via WINVER or
+    _WIN32_WINNT macros) then set it to Windows XP.
   
-  The reverted commit introduced a logic error in code that was
-  correct.
+  Prior to this change classic MinGW defaulted the minimum OS version
+  to Windows NT 4.0 which is way too old. At least Windows XP is needed
+  for getaddrinfo (which resolves hostnames to IPv6 addresses).
   
-  The client using libcurl would notice the error since FTP file
-  uploads in active transfer mode would somtimes complete with
-  success despite no transfer having been performed and the
-  "uploaded" file thus not being on the remote server afterwards.
+  Ref: https://github.com/curl/curl/issues/7483#issuecomment-891597034
   
-  The FTP server would notice the error because it receives a
-  RST on the data connection it has established with the client
-  before any data was transferred at all.
+  Closes https://github.com/curl/curl/pull/7581
+
+- schannel: Work around typo in classic mingw macro
   
-  The logic error happens if the STOR response from the server have
-  arrived by the time ftp_multi_statemach() in the affected code path
-  is called, but the incoming data connection have not arrived yet.
-  In that case, the processing of the STOR response will cause
-  'ftpc->wait_data_conn' to be set to TRUE, contradicting the comment
-  in the code. Since 'complete' will also be set, later logic would
-  believe the transfer was done.
+  - Define ALG_CLASS_DHASH (the typo from the include) to ALG_CLASS_HASH.
   
-  In most cases, the STOR response will not have arrived yet when
-  the affected code path is executed, or the incoming connection will
-  also have arrived, and thus the error would not express itself.
-  But if the speed difference of the device using libcurl and the
-  FTP server is exactly right, the error may happen as often as in
-  one out of hundred file transfers.
+  Prior to this change there was an incomplete fix to ignore the
+  CALG_TLS1PRF macro on those versions of MinGW where it uses the
+  ALG_CLASS_DHASH typoed macro.
+  
+  Ref: 48cf45c
+  Ref: https://osdn.net/projects/mingw/ticket/38391
+  Ref: https://github.com/curl/curl/issues/2924
   
-  This reverts commit 49f3117a238b6eac0e22a32f50699a9eddcb66ab.
+  Closes https://github.com/curl/curl/pull/7580
+
+Daniel Stenberg (20 Aug 2021)
+- RELEASE-NOTES: synced
+
+- http_proxy: fix user-agent and custom headers for CONNECT with hyper
   
-  Bug: https://curl.se/mail/lib-2021-07/0025.html
-  Closes #7362
+  Enable test 287
+  
+  Closes #7598
 
-- msnprintf: return number of printed characters excluding null byte
+- c-hyper: initial support for "dumping" 1xx HTTP responses
   
-  ... even when the output is "capped" by the maximum length argument.
+  With the use hyper_request_on_informational()
   
-  Clarified in the docs.
+  Enable test 155 and 158
   
-  Closes #7361
+  Closes #7597
 
-- infof: remove newline from format strings, always append it
-  
-  - the data needs to be "line-based" anyway since it's also passed to the
-    debug callback/application
+Marc Hoersken (18 Aug 2021)
+- tests/*server.pl: flush output before executing subprocess
   
-  - it makes infof() work like failf() and consistency is good
+  Also avoid shell processes staying around by using exec.
+  This is necessary to avoid output data being buffering
+  inside the process chain of Perl, Bash/Shell and our
+  test server binaries. On non-Windows systems the exec
+  will also make the subprocess replace the intermediate
+  shell, but on Windows it will at least bind the processes
+  together since there is no real fork or exec available.
   
-  - there's an assert that triggers on newlines in the format string
+  See: https://cygwin.com/cygwin-ug-net/highlights.html
+  and: https://docs.microsoft.com/cpp/c-runtime-library/exec-wexec-functions
+  Ref: https://github.com/curl/curl/pull/7530#issuecomment-900949010
   
-  - Also removes a few instances of "..."
+  Reviewed-by: Daniel Stenberg
+  Reviewed-by: Jay Satiro
+  Closes #7530
+
+- CI: use GitHub Container Registry instead of Docker Hub
   
-  - Removes the code that would append "..." to the end of the data *iff*
-    it was truncated in infof()
+  Avoid limits on Docker Hub and improve image pull/download speed.
   
-  Closes #7357
+  Closes #7587
 
-- examples/multi-single: fix scan-build warning
+Daniel Stenberg (18 Aug 2021)
+- openssl: when creating a new context, there cannot be an old one
   
-  warning: Value stored to 'mc' during its initialization is never read
+  Remove the previous handling that would call SSL_CTX_free(), and instead
+  add an assert that halts a debug build if there ever is a context
+  already set at this point.
   
-  Follow-up to ae8e11ed5fd2ce
+  Closes #7585
+
+Jay Satiro (18 Aug 2021)
+- KNOWN_BUGS: Renegotiate from server may cause hang for OpenSSL backend
   
-  Closes #7360
+  Closes https://github.com/curl/curl/issues/6785
 
-- wolfssl: failing to set a session id is not reason to error out
+Viktor Szakats (17 Aug 2021)
+- docs/BINDINGS: URL update
+
+Marc Hoersken (17 Aug 2021)
+- tests/server/*.c: align handling of portfile argument and file
   
-  ... as it is *probably* just timed out.
+  1. Call the internal variable portname (like pidname) everywhere.
+  2. Have a variable wroteportfile (like wrotepidfile) everywhere.
+  3. Make sure the file is cleaned up on exit (like pidfile).
+  4. Add parameter --portfile to usage outputs everywhere.
   
-  Reported-by: Francisco Munoz
+  Reviewed-by: Daniel Stenberg
   
-  Closes #7358
+  Replaces #7523
+  Closes #7574
 
-- docs/examples: use curl_multi_poll() in multi examples
-  
-  The API is soon two years old and deserves being shown as the primary
-  way to drive multi code as it makes it much easier to write code.
+Daniel Gustafsson (17 Aug 2021)
+- KNOWN_BUGS: Fix a number of typos in KNOWN_BUGS
   
-  multi-poll: removed
+  Fixes a set of typos found in section 11.3.
+
+Daniel Stenberg (17 Aug 2021)
+- getparameter: fix the --local-port number parser
   
-  multi-legacy: add to show how we did multi API use before
-  curl_multi_wait/poll.
+  It could previously get tricked into parsing the uninitialized stack
+  based buffer.
   
-  Closes #7352
+  Reported-by: Brian Carpenter
+  Closes #7582
 
-- KNOWN_BUGS: flaky Windows CI builds
+- KNOWN_BUGS: Can't use Secure Transport with Crypto Token Kit
   
-  Closes #6972
+  Closes #7048
 
-- RELEASE-NOTES: synced
+- [Jan Verbeek brought this change]
 
-- test1147: hyper doesn't allow "crazy" request headers like built-in
+  curl: add warning for ignored data after quoted form parameter
   
-  ... so strip that from the test.
+  In an argument like `-F 'x=@/etc/hostname;filename="foo"abc'` the `abc`
+  is ignored. This adds a warning if the ignored data isn't all
+  whitespace.
   
-  Closes #7349
+  Closes #7394
 
-- c-hyper: bail on too long response headers
+Jay Satiro (17 Aug 2021)
+- codeql: fix error "Resource not accessible by integration"
   
-  To match with built-in behaviors. Makes test 1154 work.
+  - Enable codeql writing security-events.
   
-  Closes #7350
-
-- test1151: added missing CRLF to work with hyper
+  GitHub set the default permissions to read, apparently since earlier
+  this year.
   
-  Closes #7350
-
-- c-hyper: add support for transfer-encoding in the request
+  Ref: https://github.com/github/codeql-action/issues/464
+  Ref: https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/
   
-  Closes #7348
-
-- [Andrea Pappacoda brought this change]
+  Fixes https://github.com/curl/curl/issues/7575
+  Closes https://github.com/curl/curl/pull/7576
 
-  cmake: remove libssh2 feature checks
+- tool_operate: Fix --fail-early with parallel transfers
   
-  libssh2 features are detected based on version since commit
-  9dbbba997608f7c3c5de1c627c77c8cd2aa85b73
+  - Abort via progress callback to fail early during parallel transfers.
   
-  Closes #7343
+  When a critical error occurs during a transfer (eg --fail-early
+  constraint) then other running transfers will be aborted via progress
+  callback and finish with error CURLE_ABORTED_BY_CALLBACK (42). In this
+  case, the callback error does not become the most recent error and a
+  custom error message is used for those transfers:
+  
+  curld --fail --fail-early --parallel
+  https://httpbin.org/status/404 https://httpbin.org/delay/10
+  
+  curl: (22) The requested URL returned error: 404
+  curl: (42) Transfer aborted due to critical error in another transfer
+  
+  > echo %ERRORLEVEL%
+  22
+  
+  Fixes https://github.com/curl/curl/issues/6939
+  Closes https://github.com/curl/curl/pull/6984
 
-- test1116: hyper doesn't pass through "surprise-trailers"
+Daniel Stenberg (17 Aug 2021)
+- [Sergey Markelov brought this change]
+
+  sectransp: support CURLINFO_CERTINFO
   
-  Closes #7344
+  Fixes #4130
+  Closes #7372
 
-- socks4: scan for the IPv4 address in resolve results
+- ngtcp2: remove the acked_crypto_offset struct field init
   
-  Follow-up to 84d2839740 which changed the resolving to always resolve
-  both address families, but since SOCKS4 only supports IPv4 it should
-  scan for and use the first available IPv4 address.
+  ... as it is gone from the API upstream.
   
-  Reported-by: shithappens2016 on github
-  Fixes #7345
-  Closes #7346
+  Closes #7578
 
-Jay Satiro (5 Jul 2021)
-- proto.d: fix formatting for paragraphs after margin changes
+- misc: update incorrect copyright year ranges
   
-  Closes https://github.com/curl/curl/pull/7341
+  Closes #7577
 
-- pinnedpubkey.d: fix formatting for version support lists
+- KNOWN_BUGS: HTTP/3 quiche upload large file fails
   
-  Closes https://github.com/curl/curl/pull/7340
+  Closes #7532
 
-Daniel Stenberg (2 Jul 2021)
-- TODO: "Support in-memory certs/ca certs/keys" done
+- KNOWN_BUGS: CMake build with MIT Kerberos does not work
   
-  Has been suppored for a while now with the *BLOB options.
+  Closes #6904
 
-- examples: safer and more proper read callback logic
+- TODO: add asynch getaddrinfo support
   
-  The same callback code is used in:
+  Closes #6746
+
+- RELEASE-NOTES: synced
+
+- [Artur Sinila brought this change]
+
+  http2: revert call the handle-closed function correctly on closed stream
   
-   imap-append.c
-   smtp-authzid.c
-   smtp-mail.c
-   smtp-multi.c
-   smtp-ssl.c
-   smtp-tls.c
+  Reverts 252790c5335a221
   
-  It should not assume that it can copy full lines into the buffer as it
-  will encourage sloppy coding practices. Instead use byte-wise logic and
-  check/acknowledge the buffer size appropriately.
+  Assisted-by: Gergely Nagy
+  Fixes #7400
+  Closes #7525
+
+- [Patrick Monnerat brought this change]
+
+  auth: do not append zero-terminator to authorisation id in kerberos
   
-  Reported-by: Harry Sintonen
-  Fixes #7330
-  Closes #7331
+  RFC4752 Section 3.1 states "The authorization identity is not terminated
+  with a zero-valued (%x00) octet". Although a comment in code said it may
+  be needed anyway, nothing confirms it. In addition, servers may consider
+  it as part of the identity, causing a failure.
+  
+  Closes #7008
 
-- test1519: adjusted to work with hyper
+- [Patrick Monnerat brought this change]
+
+  auth: use sasl authzid option in kerberos
   
-  Closes #7333
+  ... instead of deriving it from active ticket.
+  Closes #7008
 
-- test1518: adjusted to work with hyper
+- [Patrick Monnerat brought this change]
+
+  auth: we do not support a security layer after kerberos authentication
   
-  ... by making sure the stdout output doesn't look like HTTP headers.
+  Closes #7008
+
+- [Patrick Monnerat brought this change]
+
+  auth: properly handle byte order in kerberos security message
   
-  Closes #7333
+  Closes #7008
 
-- test1514: add a CRLF to the response to make it correct
+- [z2_ brought this change]
+
+  x509asn1: fix heap over-read when parsing x509 certificates
   
-  Makes hyper accept it fine instead returning HYPERE_UNEXPECTED_EOF on
-  us.
+  Assisted-by: Patrick Monnerat
+  Closes #7536
+
+- KNOWN_BUGS: Disconnects don't do verbose
   
-  Closes #7334
+  Closes #6995
+
+- mailmap: fixup Michał Antoniak
+
+- [Michał Antoniak brought this change]
 
-- formdata: avoid "Argument cannot be negative" warning
+  build: fix compiler warnings
   
-  ... when converting a curl_off_t to size_t, by using
-  CURL_ZERO_TERMINATED before passing the argument to the function.
+  For when CURL_DISABLE_VERBOSE_STRINGS and DEBUGBUILD flags are both
+  active.
   
-  Detected by Coverity CID 1486590.
+  - socks.c : warning C4100: 'lineno': unreferenced formal parameter
+    (co-authored by Daniel Stenberg)
   
-  Closes #7328
-  Assisted-by: Daniel Gustafsson
-
-- lib: more %u for port and int for %*s fixes
+  - mbedtls.c: warning C4189: 'port': local variable is initialized but
+    not referenced
   
-  Detected by Coverity
+  - schannel.c: warning C4189: 'hostname': local variable is initialized
+    but not referenced
   
-  Closes #7329
+  Cloes #7528
 
-- doh: (void)-prefix call to curl_easy_setopt
+- [Gleb Ivanovsky brought this change]
 
-- lib: fix type of len passed to *printf's %*s
+  CODE_STYLE-md: fix bold font style
   
-  ... it needs to be 'int'. Detected by Coverity CID 1486611 (etc)
+  Markdown gets confused with abundance of asterisks, so use underscores
+  instead.
   
-  Closes #7326
+  Reviewed-by: Daniel Gustafsson
+  Closes #7569
 
-- lib: use %u instead of %ld for port number printf
-  
-  Follow-up to 764c6bd3bf which changed the type of some port number
-  fields. Detected by Coverity (CID 1486624) etc.
-  
-  Closes #7325
+- [Gleb Ivanovsky brought this change]
 
-- version: turn version number functions into returning void
-  
-  ... as we never use the return codes from them.
+  CODE_STYLE-md: add missing comma
   
   Reviewed-by: Daniel Gustafsson
-  Closes #7319
+  Closes #7570
 
-- mqtt: extend the error message for no topic
-  
-  ... and mention that it needs URL encoding.
-  
-  Reported-by: Peter Körner
-  Fixes #7316
-  Closes #7317
+- [Daniel Gustafsson brought this change]
 
-- formdata: correct typecast in curl_mime_data call
-  
-  Coverity pointed out it the mismatch. CID 1486590
+  examples/ephiperfifo.c: simplify signal handler
   
-  Closes #7327
-
-- url: (void)-prefix a curl_url_get() call
+  The signal handler registered for SIGINT is only handling SIGINT
+  so there isn't much need for inspecting the signo.  While there,
+  rename the handler to be more specific.
   
-  Coverity (CID 1486645) pointed out a use of curl_url_get() in the
-  parse_proxy function where the return code wasn't checked. A
-  (void)-prefix makes the intention obvious.
+  g_should_exit should really be of sig_atomic_t type, but relying
+  on autoconf in the examples seems like a bad idea so keep that
+  for now.
   
-  Closes #7320
+  Reviewed-by: Daniel Stenberg
+  Closes #7310
 
-- glob: pass an 'int' as len when using printf's %*s
+- c-hyper: initial step for 100-continue support
   
-  Detected by Coverity CID 1486629.
+  Enabled test 154
   
-  Closes #7324
+  Closes #7568
 
-- vtls: use free() not curl_free()
-  
-  curl_free() is provided for users of the API to free returned data,
-  there's no need to use it internally.
-  
-  Closes #7318
+- [Ikko Ashimine brought this change]
 
-- zuul: use the new rustls directory name
-  
-  Follow-up to 6d972c8b1cbb3 which missed updating this directory name.
+  vtls: fix typo in schannel_verify.c
   
-  Also no longer call it crustls in the docs and bump to rusttls-ffi 0.7.1
+  occurence -> occurrence
   
-  Closes #7311
+  Closes #7566
 
-Jay Satiro (29 Jun 2021)
-- http: fix crash in rate-limited upload
-  
-  - Don't set the size of the piece of data to send to the rate limit if
-    that limit is larger than the buffer size that will hold the piece.
-  
-  Prior to this change if CURLOPT_MAX_SEND_SPEED_LARGE
-  (curl tool: --limit-rate) was set then it was possible that a temporary
-  buffer used for uploading could be written to out of bounds. A likely
-  scenario for this would be a non-trivial amount of post data combined
-  with a rate limit larger than CURLOPT_UPLOAD_BUFFERSIZE (default 64k).
-  
-  The bug was introduced in 24e469f which is in releases since 7.76.0.
-  
-  perl -e "print '0' x 200000" > tmp
-  curl --limit-rate 128k -d @tmp httpbin.org/post
+- [Emil Engler brought this change]
+
+  curl_url_get.3: clarify about path and query
   
-  Reported-by: Richard Marion
+  The current man-page lacks some details regarding the obtained path and
+  query.
   
-  Fixes https://github.com/curl/curl/issues/7308
-  Closes https://github.com/curl/curl/pull/7315
+  Closes #7563
 
-Daniel Stenberg (29 Jun 2021)
-- copyright: add boiler-plate headers to CI config files
-  
-  And whitelist .zuul.ignore
+- c-hyper: fix header value passed to debug callback
   
-  Closes #7314
+  Closes #7567
 
-- CI: remove travis details
+Viktor Szakats (12 Aug 2021)
+- cleanup: URL updates
   
-  Rename still used leftovers to "zuul" as that's now the CI using them.
+  - replace broken URL with the one it was most probably pointing to
+    when added (lib/tftp.c)
+  - replace broken URL with archive.org link (lib/curl_ntlm_wb.c)
+  - delete unnecessary protocol designator from archive.org URL
+    (docs/BINDINGS.md)
   
-  Closes #7313
+  Closes #7562
 
-- RELEASE-NOTES: synced
+Daniel Stenberg (12 Aug 2021)
+- [April King brought this change]
 
-- openssl: avoid static variable for seed flag
-  
-  Avoid the race condition risk by instead storing the "seeded" flag in
-  the multi handle. Modern OpenSSL versions handle the seeding itself so
-  doing the seeding once per multi-handle instead of once per process is
-  less of an issue.
+  DEPRECATE.md: linkify curl-library mailing list
   
-  Reported-by: Gerrit Renker
-  Fixes #7296
-  Closes #7306
+  Closes #7561
 
-- configure: inhibit the implicit-fallthrough warning on gcc-12
+- [Barry Pollard brought this change]
+
+  output.d: add method to suppress response bodies
   
-  ... since it no longer acknowledges the comment markup we use for that
-  purpose.
+  Closes #7560
+
+- TODO: remove 'c-ares deviates on http://1346569778'
   
-  Reported-by: Younes El-karama
-  Fixes #7295
-  Closes #7307
+  Fixed since 56a037cc0ad1b2 (7.77.0)
 
-Daniel Gustafsson (28 Jun 2021)
-- [Andrei Rybak brought this change]
+- [Colin O'Dell brought this change]
 
-  misc: fix typos in comments which repeat a word
+  BINDINGS.md: update links to use https where available
   
-  Fix typos in code comments which repeat various words.  In trivial
-  cases, just delete the repeated word.  Reword the affected sentence in
-  "lib/url.c" for it to make sense.
+  Closes #7558
+
+- asyn-ares.c: move all version number checks to the top
   
-  Closes #7303
-  Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
+  ... and use #ifdef [feature] in the code as per our guidelines.
 
-Daniel Stenberg (27 Jun 2021)
-- lib677: make it survive torture testing
+- ares: use ares_getaddrinfo()
   
-  Follow-up to a5ab72d5edd7
+  ares_getaddrinfo() is the getaddrinfo() cloned provided by c-ares, introduced
+  in version 1.16.0.
   
-  Closes #7300
+  With older c-ares versions, curl invokes ares_gethostbyname() twice - once for
+  IPv4 and once for IPv6 to resolve both addresses, and then combines the
+  returned results.
+  
+  Reported-by: jjandesmet
+  Fixes #7364
+  Closes #7552
 
-- [Tommy Chiang brought this change]
+- [Tatsuhiro Tsujikawa brought this change]
 
-  docs/BINDINGS: fix outdated links
-  
-  * luacurl page is now not accessible, fix it with wayback machine page
-  * Scheme one seems not providing https now, change it back to http one
+  ngtcp2: utilize crypto API functions to simplify
   
-  Closes #7301
+  Closes #7551
 
-- [Jacob Hoffman-Andrews brought this change]
+- [megatronking brought this change]
 
-  curstls: bump crustls version and use new URL
+  ngtcp2: reset the oustanding send buffer again when drained
   
-  crustls moved to https://github.com/rustls/rustls-ffi. This also bumps
-  the expected version to 0.7.0.
+  Closes #7538
+
+Michael Kaufmann (10 Aug 2021)
+- progress: fix a compile warning on some systems
   
-  Closes #7297
+  lib/progress.c:380:40: warning: conversion to 'long double' from
+  'curl_off_t {aka long long int}' may alter its value [-Wconversion]
+  
+  Closes #7549
 
+Daniel Stenberg (10 Aug 2021)
 - RELEASE-NOTES: synced
 
-- examples: length-limit two sscanf() uses of %s
+- http: consider cookies over localhost to be secure
   
-  Reported-by: Jishan Shaikh
-  Fixes #7293
-  Closes #7294
+  Updated test31.
+  Added test 392 to verify secure cookies used for http://localhost
+  
+  Reviewed-by: Daniel Gustafsson
+  Fixes #6733
+  Closes #7263
 
-- [Richard Whitehouse brought this change]
+- TODO: erase secrets from heap/stack after use
+  
+  Closes #7268
 
-  multi: alter transfer timeout ordering
+Jay Satiro (10 Aug 2021)
+- hostip: Make Curl_ipv6works function independent of getaddrinfo
   
-  - Check whether a connection has succeded before checking whether it's
-    timed out.
+  - Do not assume IPv6 is not working when getaddrinfo is not present.
   
-    This means if we've connected quickly, but subsequently been
-    descheduled, we allow the connection to succeed. Note, if we timeout,
-    but between checking the timeout, and connecting to the server the
-    connection succeeds, we will allow it to go ahead. This is viewed as
-    an acceptable trade off.
+  The check to see if IPv6 actually works is now independent of whether
+  there is any resolver that can potentially resolve a hostname to IPv6.
   
-  - Add additional failf logging around failed connection attempts to
-    propogate the cause up to the caller.
+  Prior to this change if getaddrinfo() was not found at compile time then
+  Curl_ipv6works() would be defined as a macro that returns FALSE.
+  
+  When getaddrinfo is not found then libcurl is built with CURLRES_IPV4
+  defined instead of CURLRES_IPV6, meaning that it cannot do IPv6 lookups
+  in the traditional way. With this commit if libcurl is built with IPv6
+  support (ENABLE_IPV6) but without getaddrinfo (CURLRES_IPV6), and the
+  IPv6 stack is actually working, then it is possible for libcurl to
+  resolve IPv6 addresses by using DoH.
+  
+  Ref: https://github.com/curl/curl/issues/7483#issuecomment-890765378
   
-  Co-Authored-by: Martin Howarth
-  Closes #7178
+  Closes https://github.com/curl/curl/pull/7529
 
-- test677: IMAP CONNECT_ONLY, custom command and then exit
+- test1565: fix windows build errors
   
-  Adjusted ftpserver.pl to add support for the IMAP IDLE command
+  - Use our wait_ms() instead of sleep() since Windows doesn't have the
+    latter.
   
-  Adjusted test 660 to sync with the fix
-
-- multi: do not switch off connect_only flag when closing
+  - Use a separate variable to keep track of whether the pthread_t thread
+    id is valid.
   
-  ... as it made protocol specific disconnect commands wrongly get used.
+  On Windows pthread_t is not an integer type. pthread offers no macro for
+  invalid pthread_t thread id, so validity is kept track of separately.
   
-  Bug: https://curl.se/mail/lib-2021-06/0024.html
-  Reported-by: Aleksander Mazur
-  Closes #7288
+  Closes https://github.com/curl/curl/pull/7527
 
-- http: make the haproxy support work with unix domain sockets
+- [Jeremy Falcon brought this change]
+
+  winbuild/README.md: clarify GEN_PDB option
   
-  ... it should then pass on "PROXY UNKNOWN" since it doesn't know the
-  involved IP addresses.
+  - Document that GEN_PDB option creates an external database.
   
-  Reported-by: Valentín Gutiérrez
-  Fixes #7290
-  Closes #7291
+  Ref: https://github.com/curl/curl/issues/7502
 
-- [Xiang Xiao brought this change]
+Daniel Stenberg (9 Aug 2021)
+- [Tatsuhiro Tsujikawa brought this change]
 
-  curl.h: include sys/select.h for NuttX RTOS
+  ngtcp2: replace deprecated functions with nghttp3_conn_shutdown_stream_read
   
-  Closes #7287
+  Closes #7546
 
-- [Bin Meng brought this change]
+- [Tatsuhiro Tsujikawa brought this change]
 
-  curl.h: remove the execution bit
-  
-  The execution bit of curl.h file was wrongly added:
-  
-    commit 2621025d6f96 ("curl.h: <sys/select.h> is supported by VxWorks7")
+  ngtcp2: rework the return value handling of ngtcp2_conn_writev_stream
   
-  and should be removed.
+  Rework the return value handling of ngtcp2_conn_writev_stream and treat
+  NGTCP2_ERR_STREAM_SHUT_WR separately.
   
-  Follow-up to 2621025d6f96 ("curl.h: <sys/select.h> is supported by VxWorks7")
-  Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
-  Closes #7286
-
-- [Bin Lan brought this change]
+  Closes #7546
 
-  curl.h: <sys/select.h> is supported by VxWorks7
+- configure: error out if both ngtcp2 and quiche are specified
   
-  Closes #7285
+  Reported-by: Vincent Grande
+  See #7539
+  Closes #7545
 
-- [Bachue Zhou brought this change]
+- [Jeff Mears brought this change]
 
-  quiche: use send() instead of sendto() to avoid macOS issue
+  easy: use a custom implementation of wcsdup on Windows
   
-  sendto() always returns "Socket is already connected" error on macos
+  ... so that malloc/free overrides from curl_global_init are used for
+  wcsdup correctly.
   
-  Closes #7260
-
-- [Li Xinwei brought this change]
+  Closes #7540
 
-  cmake: fix support for UnixSockets feature on Win32
-  
-  Move the definition of sockaddr_un struct from config-win32.h to
-  curl_setup.h, so that it could be shared by all build systems.
-  
-  Add ADDRESS_FAMILY typedef for old mingw, now old mingw can also use
-  unix sockets.
-  
-  Also fix the build of tests/server/sws.c on Win32 when USE_UNIX_SOCKETS
-  is defined.
+- zuul: add an mbedtls3 CI job
   
-  Closes #7034
+  Closes #7544
 
-- [Gregory Muchka brought this change]
+- [Benau brought this change]
 
-  hostip: (macOS) free returned memory of SCDynamicStoreCopyProxies
-  
-  From Apples documentation on SCDynamicStoreCopyProxies, "Return Value: A
-  dictionary of key-value pairs that represent the current internet proxy
-  settings, or NULL if no proxy settings have been defined or if an error
-  occurred. You must release the returned value."
-  
-  Failure to release the returned value of SCDynamicStoreCopyProxies can
-  result in a memory leak.
-  
-  Source: https://developer.apple.com/documentation/systemconfiguration/1517088-scdynamicstorecopyproxies
+  mbedTLS: initial 3.0.0 support
   
-  Closes #7265
+  Closes #7428
 
 - RELEASE-NOTES: synced
 
-Jay Satiro (21 Jun 2021)
-- vtls: fix warning due to function prototype mismatch
-  
-  b09c8ee changed the function prototype. Caught by Visual Studio.
-
-- curl_multibyte: Remove local encoding fallbacks
-  
-  - If the UTF-8 to UTF-16 conversion fails in Windows Unicode builds then
-    no longer fall back to assuming the string is in a local encoding.
+- configure.ac: revert bad nghttp2 library detection improvements
   
-  Background:
+  This reverts commit b4b34db65f9f8, 673753344c5f and 29c7cf79e8b.
   
-  Some functions in Windows Unicode builds must convert UTF-8 to UTF-16 to
-  pass to the Windows CRT API wide-character functions since in Windows
-  UTF-8 is not a valid locale (or at least 99% of the time right now).
+  The logic is now back to assuming that the nghttp2 lib is called nghttp2 and
+  nothing else.
   
-  Prior to this change if the Unicode encoding conversion failed then
-  libcurl would assume, for backwards compatibility with applications that
-  may have written their code for non-Unicode builds, attempt to convert
-  the string from local encoding to UTF-16.
+  Reported-by: Rui Pinheiro
+  Reported-by: Alex Crichton
+  Fixes #7514
+  Closes #7515
+
+- happy-eyeballs-timeout-ms.d: polish the wording
   
-  That type of "best effort" could theoretically cause some type of
-  security or other problem if a string that was locally encoded was also
-  valid UTF-8, and therefore an unexpected UTF-8 to UTF-16 conversion
-  could occur.
+  Reported-by: Josh Soref
+  Fixes #7433
+  Closes #7542
+
+- [modbw brought this change]
+
+  mbedtls_threadlock: fix unused variable warning
   
-  Ref: https://github.com/curl/curl/pull/7246
+  Closes #7393
+
+- [Tatsuhiro Tsujikawa brought this change]
+
+  ngtcp2: compile with the latest ngtcp2 and nghttp3
   
-  Closes https://github.com/curl/curl/pull/7257
+  Closes #7541
 
-Daniel Stenberg (20 Jun 2021)
-- curl_endian: remove the unused Curl_write64_le function
+Marc Hoersken (31 Jul 2021)
+- CI/cirrus: reduce compile time with increased parallism
   
-  The last usage was removed in cca455a36
+  Cirrus CI VMs have 2 CPUs, let's use them also for Windows builds.
   
-  Closes #7280
+  Reviewed-by: Daniel Stenberg
+  Closes #7505
 
-- vtls: only store TIMER_APPCONNECT for non-proxy connect
+Daniel Stenberg (30 Jul 2021)
+- [Bin Lan brought this change]
+
+  tool/tests: fix potential year 2038 issues
   
-  Introducing a 'isproxy' argument to the connect function so that it
-  knows wether to store the time stamp or not.
+  The length of 'long' in a 32-bit system is 32 bits, which cannot be used
+  to save timestamps after 2038. Most operating systems have extended
+  time_t to 64 bits.
   
-  Reported-by: Yongkang Huang
-  Fixes #7274
-  Closes #7274
+  Remove the castings to long.
+  
+  Closes #7466
 
-- gnutls: set the preferred TLS versions in correct order
+- compressed.d: it's a request, not an order
   
-  Regression since 781864bedbc57 (curl 7.77.0)
+  Clarified
   
-  Reported-by: civodul on github
-  Assisted-by: Nikos Mavrogiannopoulos
-  Fixes #7277
-  Closes #7278
+  Reported-by: Dan Jacobson
+  Reviewed-by: Daniel Gustafsson
+  Fixes #7516
+  Closes #7517
 
-- [Gergely Nagy brought this change]
+- [Bernhard M. Wiedemann brought this change]
 
-  configure/cmake: remove checks for unused gethostbyaddr and gethostbyaddr_r
+  tests: make three tests pass until 2037
   
-  Closes #7276
-
-- [Gergely Nagy brought this change]
-
-  configure/cmake: remove checks for unused inet_ntoa and inet_ntoa_r
+  after 2038 something in test1915 fails on 32-bit OSes
   
-  Closes #7276
-
-- [Gergely Nagy brought this change]
+  Closes #7512
 
-  configure/cmake: remove unused define HAVE_PERROR
+Daniel Gustafsson (30 Jul 2021)
+- connect: remove superfluous conditional
   
-  Closes #7276
-
-- [Gergely Nagy brought this change]
-
-  configure: remove unused check for gai_strerror
+  Commit dbd16c3e2 cleaned up the logic for traversing the addrinfos,
+  but the move left a conditional on ai which no longer is needed as
+  the while loop reevaluation will cover it.
   
-  Closes #7276
-
-- [Gergely Nagy brought this change]
+  Closes #7511
+  Reviewed-by: Carlo Marcelo Arenas Belón
+  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
 
-  configure/cmake: remove unused define HAVE_FREEIFADDRS
+Daniel Stenberg (29 Jul 2021)
+- RELEASE-NOTES: synced
   
-  Closes #7276
-
-- [Gergely Nagy brought this change]
+  and bump curlver to 7.79.0 for next release
 
-  configure/cmake: remove unused define HAVE_FORK
+Marc Hoersken (29 Jul 2021)
+- tests/*server.py: remove pidfile on server termination
   
-  Closes #7276
-
-- [Gergely Nagy brought this change]
-
-  configure/cmake: remove unused define HAVE_FDOPEN
+  Avoid pidfile leaking/laying around after server already exited.
   
-  Closes #7276
-
-- [Gergely Nagy brought this change]
+  Reviewed-by: Daniel Stenberg
+  Closes #7506
 
-  configure/cmake: remove checks for unused sgtty.h
+Daniel Gustafsson (27 Jul 2021)
+- tool_main: fix typo in comment
   
-  Closes #7276
+  The referred to library is NSPR, so fix the switched around characters.
 
-- [Gergely Nagy brought this change]
+Daniel Stenberg (28 Jul 2021)
+- [Aleksandr Krotov brought this change]
 
-  configure/cmake: remove remaining checks for rsa.h
+  bearssl: support CURLOPT_CAINFO_BLOB
   
-  Closes #7276
-
-- [Gergely Nagy brought this change]
+  Closes #7468
 
-  configure/cmake: remove remaining checks for err.h
+- curl.1: mention "global" flags
+  
+  Mention options that are "global". A global command line option is one
+  that doesn't get reset at --next uses and therefore don't need to be
+  used again.
   
-  Closes #7276
-
-- [Gergely Nagy brought this change]
-
-  configure/cmake: remove remaining checks for crypto.h
+  Reported-by: Josh Soref
   
-  Closes #7276
-
-- [Gergely Nagy brought this change]
+  Fixes #7457
+  Closes #7510
 
-  configure/cmake: remove checks for unused getservbyport_r
+- CURLOPT_DOH_URL.3: CURLOPT_OPENSOCKETFUNCTION is not inherited
   
-  Closes #7276
+  Reported-by: Daniel Woelfel
+  Fixes #7441
+  Closes #7509
 
-- --socks4[a]: clarify where the host name is resolved
+- KNOWN_BUGS: add more HTTP/3 problems
   
-  Closes #7273
+  Closes #7351
+  Closes #7339
+  Closes #7125
 
-- libcurl-security.3: mention file descriptors and forks
+Marc Hoersken (27 Jul 2021)
+- CI/azure: reduce compile time with increased parallism
   
-  ... and move the security report section last.
+  Azure Pipelines CI VMs have 2 CPUs, let's use them.
   
-  Reported-by: Harry Sintonen
-  Closes #7270
+  Closes #7489
 
-- [Alex Xu (Hello71) brought this change]
+Jay Satiro (27 Jul 2021)
+- [Josh Soref brought this change]
 
-  configure.ac: make non-executable
-  
-  it needs to be processed by autoconf or autoreconf, and doesn't have a
-  suitable shebang to be directly executed. other projects normally set
-  configure.ac -x.
+  docs: fix grammar
   
-  Closes #7272
+  Fixes https://github.com/curl/curl/issues/7444
+  Fixes https://github.com/curl/curl/issues/7451
+  Fixes https://github.com/curl/curl/issues/7465
+  Closes https://github.com/curl/curl/pull/7495
 
-- configure: do not strip out debug flags
+- mail-rcpt.d: fix grammar
   
-  To allow users to set them when invoking configure without using
-  --with-debug.
+  Remove confusing sentence that says to specify an e-mail address for
+  mail transfer, since that's implied.
   
-  Reported-by: Alex Xu
-  Fixes #7216
-  Closes #7267
-
-- libssh2: limit time a disconnect can take to 1 second
+  Reported-by: Josh Soref
   
-  Closes #7271
+  Fixes https://github.com/curl/curl/issues/7452
+  Closes https://github.com/curl/curl/pull/7495
 
-- TLS: prevent shutdown loops to get stuck
+Daniel Stenberg (27 Jul 2021)
+- c-hyper: remove the hyper_executor_poll() loop from Curl_http
   
-  ... by making sure the loops are only allowed to read the shutdown
-  traffic a limited number of times.
+  1. it's superfluous
+  2. it didn't work identically to the Curl_hyper_stream one which could
+     cause problems like #7486
   
-  Reported-by: Harry Sintonen
-  Closes #7271
+  Pointed-out-by: David Cook
+  Closes #7499
 
-- hyper: propagate errors back up from read callbacks
+- curl-openssl.m4: check lib64 for the pkg-config file
   
-  Makes test 513 work with hyper
+  OpenSSL recently started putting the libs in $prefix/lib64 on 'make
+  install', so we check that directory for pkg-config data if the 'lib'
+  check fails.
   
-  Closes #7266
+  Closes #7503
 
-- KNOWN_BUGS: Negotiate on Windows fails
+- CURLOPT_SSL_CTX_*.3: tidy up the example
   
-  Closes #5881
-
-- KNOWN_BUGS: renames instead of locking for atomic operations
+  Use the proper code style. Don't store return codes that aren't read.
+  Copy the same example into CURLOPT_SSL_CTX_FUNCTION.3 as well.
   
-  Closes #6882
-  Closes #6884
+  Closes #7500
 
-- zuul: add two missing CI jobs
+- example/cookie_interface: fix scan-build printf warning
   
-  ... that were configured, just not run
+  Follow-up to 4b79c4fb565
   
-  Closes #7261
+  Fixes #7497
+  Closes #7498
 
-Viktor Szakats (15 Jun 2021)
-- idn: fix libidn2 with windows unicode builds
-  
-  Unicode Windows builds use UTF-8 strings internally in libcurl,
-  so make sure to call the UTF-8 flavour of the libidn2 API. Also
-  document that Windows builds with libidn2 and UNICODE do expect
-  CURLOPT_URL as an UTF-8 string.
+- [Josh Soref brought this change]
+
+  limit-rate.d: clarify base unit
   
-  Reported-by: dEajL3kA on github
-  Assisted-by: Jay Satiro
-  Reviewed-by: Marcel Raad
-  Closes #7246
-  Fixes #7228
+  Fixes #7439
+  Closes #7494
 
-Daniel Stenberg (15 Jun 2021)
-- curl_url_set: reject spaces in URLs w/o CURLU_ALLOW_SPACE
+- [Carlo Marcelo Arenas Belón brought this change]
+
+  examples/cookie_interface: avoid printfing time_t directly
   
-  They were never officially allowed and slipped in only due to sloppy
-  parsing. Spaces (ascii 32) should be correctly encoded (to %20) before
-  being part of a URL.
+  time_t representation is undefined and varies on bitsize and signedness,
+  and as of C11 could be even non integer.
   
-  The new flag bit CURLU_ALLOW_SPACE when a full URL is set, makes libcurl
-  allow spaces.
+  instead of casting to unsigned long (which would truncate in systems
+  with a 32bit long after 2106) use difftime to get the elapsed time as a
+  double and print that (without decimals) instead.
   
-  Updated test 1560 to verify.
+  alternatively a cast to curl_off_t and its corresponding print
+  formatting could have been used (at least in POSIX) but portability and
+  curl agnostic code was prioritized.
   
-  Closes #7073
+  Closes #7490
 
-- RELEASE-NOTES: synced
+Marc Hoersken (25 Jul 2021)
+- tests/servers: remove obsolete pid variable
   
-  ... and bump to version 7.78.0 for the next planned release.
+  Variable is not used since pidfile handling moved to util.[ch]
+  
+  Reviewed-by: Jay Satiro
+  Closes #7482
 
-Jay Satiro (15 Jun 2021)
-- docs: Remove outdated curl tool limitation
+- tests/servers: use our platform-aware pid for server verification
   
-  - Document that HTTP/2 multiplexing is supported by the curl tool when
-    parallel transfers are used.
+  The pid used for server verification is later stored as pid2 in
+  the hash of running test servers and therefore used for shutdown.
   
-  Supported since 7.66.0 via --parallel, but the doc wasn't updated.
+  The pid used for shutdown must be the platform-aware (Win32) pid
+  to avoid leaking test servers while running them using Cygwin/msys.
   
-  Closes https://github.com/curl/curl/pull/7259
+  Reviewed-by: Jay Satiro
+  Closes #7481
 
-- http2: Clarify 'Using HTTP2' verbose message
+- tests/runtests.pl: cleanup copy&paste mistakes and unused code
   
-  - Change phrasing from multi-use to multiplexing since the former may
-    not be as well understood.
+  Reviewed-by: Jay Satiro
+  Part of #7481
+
+Daniel Stenberg (25 Jul 2021)
+- RELEASE-NOTES: synced
   
-  Before: * Using HTTP2, server supports multi-use
+  bumped to 7.78.1 for next release
+
+- http_proxy: clear 'sending' when the outgoing request is sent
   
-  After: * Using HTTP2, server supports multiplexing
+  ... so that Curl_connect_getsock() will know how to wait for the socket
+  to become readable and not writable after the entire CONNECT request has
+  been issued.
   
-  Bug: https://github.com/curl/curl/discussions/7255
-  Reported-by: David Hu
+  Regression added in 7.77.0
   
-  Closes https://github.com/curl/curl/pull/7258
+  Reported-by: zloi-user on github
+  Assisted-by: Jay Satiro
+  Fixes #7155
+  Closes #7484
 
-Daniel Stenberg (14 Jun 2021)
-- winbuild/README: VC should be set to 6 'or larger'
-  
-  Previously it listed all versions up to 15 (missing 16) but this new
-  phrasing is more open ended.
-  
-  Reported-by: Hugh Macdonald
-  Fixes #7253
-  Closes #7254
+Jay Satiro (25 Jul 2021)
+- [Josh Soref brought this change]
 
-- [Jacob Hoffman-Andrews brought this change]
+  openssl: fix grammar
+  
+  Closes https://github.com/curl/curl/pull/7480
 
-  rustls: remove native_roots fallback
+- configure.ac: tweak nghttp2 library name fix again
   
-  For the commandline tool, we expect to be passed
-  SSL_CONN_CONFIG(CAfile); for library use, the use should pass a set of
-  trusted roots (like in other TLS backends).
+  - Change extraction to handle multiple library names returned by
+    pkg-config (eg a possible scenario with pkg-config --static).
   
-  This also removes a dependency on Security.framework when building on
-  macOS.
+  Ref: https://github.com/curl/curl/pull/7472
   
-  Closes #7250
-
-- [Albin Vass brought this change]
+  Closes https://github.com/curl/curl/pull/7485
 
-  travis: remove jobs that have migrated to zuul
+Dan Fandrich (23 Jul 2021)
+- Get rid of the unused HAVE_SIG_ATOMIC_T et. al.
   
-  Closes #7245
-
-- [Mohammed Naser brought this change]
+  It was added in 2006 but I see no evidence it was ever used.
 
-  CI: add jobs using Zuul
+Jay Satiro (23 Jul 2021)
+- docs: change max-filesize caveat again
   
-  It also includes a few changes to get the builds going:
-  - Added autoconf to common dependencies
-  - Added automake to common dependencies
-  - Added libtool to common dependencies
-  - Added libssl-dev to common dependencies
+  - Add protocols field to max-filesize.d.
   
-  Co-authored-by: Albin Vass
+  - Revert wording on unknown file size caveat and do not discuss specific
+    protocols in that section.
   
-  Closes #7245
-
-- netrc: skip 'macdef' definitions
+  Partial revert of ecf0225. All max-filesize options now have the list of
+  protocols and it's clearer just to have that list without discussing
+  specific protocols in the caveat.
   
-  Add test 494 to verify
+  Reported-by: Josh Soref
   
-  Reported-by: Harry Sintonen
-  Fixes #7238
-  Closes #7244
+  Ref: https://github.com/curl/curl/issues/7453#issuecomment-884128762
 
-- multi: add scan-build-6 work-around in curl_multi_fdset
+Daniel Stenberg (22 Jul 2021)
+- [Christian Weisgerber brought this change]
+
+  configure: tweak nghttp2 library name fix
   
-  scan-build-6 otherwise warns, saying: warning: The left operand of '>='
-  is a garbage value otherwise, which is false.
+  commit 29c7cf79e8b44cf (shipped in 7.78.0) introduced a problem by
+  assuming that LIB_H2 does not have any leading whitespace.  At least
+  OpenBSD's native pkg-config can produce such whitespace, though:
   
-  Later scan-builds don't claim this on the same code.
+      $ pkg-config --libs-only-l libnghttp2
+       -lnghttp2
+  
+  As a result, the configure check for libnghttp2 will erroneously fail.
   
-  Closes #7248
+  Bug: https://curl.se/mail/lib-2021-07/0050.html
+  Closes #7472
 
-- asyn-ares: remove check for 'data' in Curl_resolver_cancel
+- [Bastian Krause brought this change]
+
+  docs/MQTT: update state of username/password support
   
-  It implied it would survive a NULL in there which it won't. Instead do
-  an assert.
+  PR #7243 implemented username/password support for MQTT, so let's drop
+  these items from the caveats.
   
-  Pointed out by scan-build.
+  Signed-off-by: Bastian Krause <bst@pengutronix.de>
   
-  Closes #7248
+  Closes #7474
 
-- url.c: remove two variable assigns that are never read
-  
-  Pointed out by scan-build
+- [Oleg Pudeyev brought this change]
+
+  CURLMOPT_TIMERFUNCTION.3: remove misplaced "time"
   
-  Closes #7248
+  Closes #7470
 
-- [Gealber Morales brought this change]
+Version 7.78.0 (21 Jul 2021)
 
-  mqtt: add support for username and password
-  
-  Minor-edits-by: Daniel Stenberg
-  Added test 2200 to 2205
+Daniel Stenberg (21 Jul 2021)
+- RELEASE-NOTES: synced
   
-  Closes #7243
+  curl 7.78.0 release
 
-- travis: remove the arm job
-  
-  We do it on circle CI instead
+- winbuild/MakefileBuild.vc: bump copyright year
 
-- CI: add .circleci/config.yml
+Jay Satiro (21 Jul 2021)
+- docs: mention max-filesize options also apply to MQTT transfers
   
-  Assisted-by: Gabriel Simmer
+  Also make it clearer that the caveat 'if the file size is unknown it
+  the option will have no effect' may apply to protocols other than FTP
+  and HTTP.
   
-  Closes #7239
+  Reported-by: Josh Soref
+  
+  Fixes https://github.com/curl/curl/issues/7453
 
-- RELEASE-NOTES: synced
+- [Josh Soref brought this change]
 
-- runtests: init $VERSION to avoid warnings when using -l
+  docs/cmdline: fix grammar and typos
 
-- openssl: don't remove session id entry in disassociate
+- [Josh Soref brought this change]
+
+  dump-header.d: Drop suggestion to use for cookie storage
   
-  When a connection is disassociated from a transfer, the Session ID entry
-  should remain.
+  Since --cookie-jar is the preferred way to store cookies, no longer
+  suggest using --dump-header to do so.
   
-  Regression since 7f4a9a9 (shipped in libcurl 7.77.0)
-  Reported-by: Gergely Nagy
-  Reported-by: Paul Groke
+  Co-authored-by: Daniel Stenberg
   
-  Fixes #7222
-  Closes #7230
+  Closes https://github.com/curl/curl/issues/7414
 
-- single_transfer: ignore blank --output-dir
-  
-  ... as otherwise it creates a rather unexpected target directory with a
-  leading slash.
-  
-  Reported-by: Harry Sintonen
-  Fixes #7218
-  Closes #7233
+- [Josh Soref brought this change]
 
-- tests: update README about servers and port numbers
+  doc/cmdline: fix grammar and typos
   
-  Closes #7242
+  Closes https://github.com/curl/curl/pull/7454
+  Closes https://github.com/curl/curl/pull/7455
+  Closes https://github.com/curl/curl/pull/7456
+  Closes https://github.com/curl/curl/pull/7459
+  Closes https://github.com/curl/curl/pull/7460
+  Closes https://github.com/curl/curl/pull/7461
+  Closes https://github.com/curl/curl/pull/7462
+  Closes https://github.com/curl/curl/pull/7463
 
-- conn_shutdown: if closed during CONNECT cleanup properly
+Daniel Stenberg (20 Jul 2021)
+- vtls: fix connection reuse checks for issuer cert and case sensitivity
   
-  Reported-by: Alex Xu
-  Reported-by: Phil E. Taylor
+  CVE-2021-22924
   
-  Fixes #7236
-  Closes #7237
-
-- [Christian Weisgerber brought this change]
+  Reported-by: Harry Sintonen
+  Bug: https://curl.se/docs/CVE-2021-22924.html
 
-  sws: malloc request struct instead of using stack
-  
-  ... 2MB requests is otherwise just too big for some systems.
+- sectransp: check for client certs by name first, then file
   
-  (The allocations are not freed properly.)
+  CVE-2021-22926
   
-  Bug: https://curl.se/mail/lib-2021-06/0018.html
+  Bug: https://curl.se/docs/CVE-2021-22926.html
   
-  Closes #7235
-
-- [Mark Swaanenburg brought this change]
+  Assisted-by: Daniel Gustafsson
+  Reported-by: Harry Sintonen
 
-  lib: don't compare fd to FD_SETSIZE when using poll
+- telnet: fix option parser to not send uninitialized contents
   
-  FD_SETSIZE is irrelevant when using poll. So ensuring that the file
-  descriptor is smaller than FD_SETSIZE in VALID_SOCK, can cause
-  multi_wait to ignore perfectly valid file descriptors and simply wait
-  for 1s to avoid hammering the CPU in a busy loop.
+  CVS-2021-22925
   
-  Fixes #7240
-  Closes #7241
-
-- [zhangxiuhua brought this change]
+  Reported-by: Red Hat Product Security
+  Bug: https://curl.se/docs/CVE-2021-22925.html
 
-  doh: fix wrong DEBUGASSERT for doh private_data
+Jay Satiro (20 Jul 2021)
+- connect: fix wrong format specifier in connect error string
   
-  Closes #7227
-
-- [yb999 brought this change]
-
-  tests: update README.md with a missing single quote
+  0842175 (not in any release) used the wrong format specifier (long int)
+  for timediff_t. On an OS such as Windows libcurl's timediff_t (usually
+  64-bit) is bigger than long int (32-bit). In 32-bit Windows builds the
+  upper 32-bits of the timediff_t were erroneously then used by the next
+  format specifier. Usually since the timeout isn't larger than 32-bits
+  this would result in null as a pointer to the string with the reason for
+  the connection failing. On other OSes or maybe other compilers it could
+  probably result in garbage values (ie crash on deref).
   
-  Closes #7231
-
-- GHA: run all tests for hyper too
+  Before:
+  Failed to connect to localhost port 12345 after 1201 ms: (nil)
   
-  As it lists disabled ones in DISABLED now
+  After:
+  Failed to connect to localhost port 12345 after 1203 ms: Connection refused
   
-  Closes #7209
+  Closes https://github.com/curl/curl/pull/7449
 
-- tests/data/DISABLED: add tests not working with hyper
-  
-  The goal is to remove them all from here over time.
+- winbuild: support alternate nghttp2 static lib name
   
-  Closes #7209
-
-- runtests: also find the last test in Makefile.inc
+  - Support both nghttp2.lib and nghttp2_static.lib for static nghttp2.
   
-  Closes #7209
-
-- test3010: work with hyper mode
+  nghttp2 briefly changed its static lib name to nghttp2_static, but then
+  made the _static suffix optional.
   
-  Closes #7209
-
-- configure: disable RTSP when hyper is selected
+  Ref: https://github.com/nghttp2/nghttp2/pull/1394
+  Ref: https://github.com/nghttp2/nghttp2/pull/1418
+  Ref: https://github.com/nghttp2/nghttp2/issues/1466
   
-  Makes test 1013 work
+  Reported-by: Pierre Yager
   
-  Closes #7209
+  Fixes https://github.com/curl/curl/issues/7446
+  Closes https://github.com/curl/curl/pull/7447
 
-- test1594/1595/1596: fix to work in hyper mode
-  
-  Closes #7209
+- [Josh Soref brought this change]
 
-- test1438/1457: add HTTP keyword to make hyper mode work
+  docs/cmdline: fix grammar and typos
   
-  Closes #7209
+  Closes https://github.com/curl/curl/pull/7432
+  Closes https://github.com/curl/curl/pull/7436
+  Closes https://github.com/curl/curl/pull/7438
+  Closes https://github.com/curl/curl/pull/7440
+  Closes https://github.com/curl/curl/pull/7445
 
-- test1340/1341: adjusted for hyper mode
-  
-  Closes #7209
+- [Josh Soref brought this change]
 
-- test1218: adjusted for hyper mode
+  delegation.d: mention what happens when used multiple times
   
-  Closes #7209
+  Closes https://github.com/curl/curl/pull/7408
 
-- test1216: adjusted for hyper mode
-  
-  Closes #7209
+- [Josh Soref brought this change]
 
-- test1230: adjust to work in hyper mode
+  create-file-mode.d: mention what happens when used multiple times
   
-  Closes #7209
+  Closes https://github.com/curl/curl/pull/7407
 
-- c-hyper: abort CONNECT response reading early on non 2xx responses
-  
-  Fixes test 493
-  
-  Closes #7209
+- [Josh Soref brought this change]
 
-- test434: add HTTP keyword
+  config.d: split comments and option-per line
   
-  Closes #7209
+  Closes https://github.com/curl/curl/pull/7405
 
-- test599: adjusted to work in hyper mode
-  
-  Closes #7209
+Daniel Stenberg (19 Jul 2021)
+- misc: copyright year range updates
 
-- c-hyper: fix the uploaded field in progress callbacks
-  
-  Makes test 578 work
-  
-  Closes #7209
+- mailmap: add Tobias and Timur
 
-- test566: adjust to work with hyper mode
+Daniel Gustafsson (18 Jul 2021)
+- [Josh Soref brought this change]
+
+  docs: spell out directories instead of dirs in create-dirs
   
-  Closes #7209
+  Write out directories rather than using the dirs abbrevation. Also
+  use plural form consistently, even if the code in the end might just
+  create a single directory.
+  
+  Closes #7406
+  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+  Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
 
-- [Fawad Mirza brought this change]
+- [Tobias Nyholm brought this change]
 
-  CURLOPT_WRITEFUNCTION.3: minor update of the example
+  docs: correct spelling errors and a broken link
   
-  Safely avoid chunk.size garbage value if declared non globally.
+  Update grammar and spelling in docs and source code comments.
   
-  Closes #7219
-
-- [Bastian Krause brought this change]
+  Closes: #7427
+  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
 
-  configure: rename get-easy-option configure option to get-easy-options
+Marc Hoersken (18 Jul 2021)
+- CI/cirrus: install impacket from PyPI instead of FreeBSD packages
   
-  "get-easy-options" is the configure option advertised by the help text
-  anyway, so use that.
+  Availability of impacket as FreeBSD package is too flaky.
+  
+  Stick to legacy version of cryptography which still
+  supports OpenSSL version 1.0.2 due to FreeBSD 11.
   
-  Fixes #7211
-  Closes #7213
+  Reviewed-by: Daniel Stenberg
   
-  Follow-up to ad691b191 ("configure: added --disable-get-easy-options")
-  Suggested-by: Daniel Stenberg <daniel@haxx.se>
-  Signed-off-by: Bastian Krause <bst@pengutronix.de>
+  Closes #7418
 
-- runtests: skip disabled tests unless -f is used
-  
-  To make it easier to write ranges like '115 to 229' without that
-  explicitly enabling tests that are listed in DISABLED, this makes
-  runtests always skip disabled tests unless the -f command line option is
-  used.
+Daniel Stenberg (18 Jul 2021)
+- [Josh Soref brought this change]
+
+  docs/cmdline: mention what happens when used multiple times
   
-  Previously the code attempted to not run such tests, but didn't do it
-  correctly.
+  For --dns-ipv4-addr, --dns-ipv6-addr and --dns-servers
   
-  Closes #7212
+  Closes #7410
+  Closes #7411
+  Closes #7412
 
-- [Jun-ya Kato brought this change]
+- [Michał Antoniak brought this change]
 
-  ngtcp2: disable TLSv1.3 compatible mode when using GnuTLS
+  lib: fix compiler warnings with CURL_DISABLE_NETRC
   
-  The latest GnuTLS-3.7.2 implements disable switch for TLSv1.3 compatible
-  mode for middle box but it is enabled by default, which is unnecessary
-  for QUIC.
+  warning C4189: 'netrc_user_changed': local variable is initialized but
+  not referenced
   
-  Fixes #6896
-  Closes #7202
+  warning C4189: 'netrc_passwd_changed': local variable is initialized but
+  not referenced
+  
+  Closes #7423
 
-- test644: remove as duplicate of test 587
+- disable-epsv.d: remove duplicate "(FTP)"
   
-  Closes #7208
+  ... since the tooling adds that to the output based on the "Protocols:"
+  tag.
 
-Daniel Gustafsson (8 Jun 2021)
-- RELEASE-NOTES: synced
+- [Max Zettlmeißl brought this change]
 
-- cookies: track expiration in jar to optimize removals
+  docs: make the documentation for --etag-save match the program behaviour
   
-  Removing expired cookies needs to be a fast operation since we want to
-  be able to perform it often and speculatively. By tracking the timestamp
-  of the next known expiration we can exit early in case the timestamp is
-  in the future.
+  When using curl with the option `--etag-save` I expected it to save the
+  ETag without its surrounding quotes, as stated by the documentation in
+  the repository and by the generated man pages.
   
-  Closes: #7172
-  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
-
-Daniel Stenberg (7 Jun 2021)
-- GHA: add several libcurl tests to the hyper job
+  My first endeavour was to fix the program, but while investigating the
+  history of the relevant parts, I discovered that curl once saved the
+  ETag without the quotes.  This was undone by Daniel Stenberg in commit
+  `98c94596f5928840177b6bd3c7b0f0dd03a431af`, therefore I decided that in
+  this case the documentation should be adjusted to match the behaviour of
+  curl.
   
-  500 to 512
+  The changed save behaviour also made parts of the `--etag-compare`
+  documentation wrong or superfluous, so I adjusted those accordingly.
+  
+  Closes #7429
 
-- test500: adjust to work with hyper mode
+- [Josh Soref brought this change]
 
-- c-hyper: support CURLINFO_STARTTRANSFER_TIME
+  write-out.d: add missing periods
   
-  Closes #7204
+  Closes #7404
 
-- c-hyper: support CURLOPT_HEADER
+- [Josie Huddleston brought this change]
+
+  easy: during upkeep, attach Curl_easy to connections in the cache
   
-  When enabled, the headers are passed to the body write callback as well.
+  During the protocol-specific parts of connection upkeep, some code
+  assumes that the data->conn pointer already is set correctly.  However,
+  there's currently no guarantee of that in the code.
   
-  Like in test 500
+  This fix temporarily attaches each connection to the Curl_easy object
+  before performing the protocol-specific connection check on it, in a
+  similar manner to the connection checking in extract_if_dead().
   
-  Closes #7204
+  Fixes #7386
+  Closes #7387
+  Reported-by: Josie Huddleston
 
-- GHA: run the newly fixed tests with hyper
-  
-  Closes #7205
+- [Josh Soref brought this change]
 
-- test433: adjust for hyper mode
+  cleanup: spell DoH with a lowercase o
   
-  Closes #7205
-
-- test395: hyper cannot work around > 64 bit content-lengths like built-in
+  Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
   
-  Closes #7205
+  Closes #7413
 
-- test394: hyper returns a different error
-  
-  Closes #7205
+- [Josh Soref brought this change]
 
-- test393: make Content-Length fit within 64 bit for hyper
+  TheArtOfHttpScripting: polish
   
-  Closes #7205
-
-- test347: CRLFify to work in hyper mode
+  - add missing backticks and comma
   
-  Closes #7205
-
-- test339: CRLFify better to work in hyper mode
+  - fix proxy description:
   
-  Closes #7205
+  * example proxy isn't local
+  * locally doesn't really make sense
+  
+  Closes #7416
 
-- travis: remove the hyper build
+- [Josh Soref brought this change]
 
-- GHA: add a linux-hyper job
+  form.d: add examples of `,`/`;` for file[name]
   
-  Closes #7206
+  Fixes #7415
+  Closes #7417
 
-- test328: avoid a header-looking body to make hyper mode work
+- [Michał Antoniak brought this change]
+
+  mbedtls: Remove unnecessary include
   
-  The test still works the same, just modified two bytes in the content.
+  - curl_setup.h: all references to mbedtls_md4* functions and structures
+    are in the md4.c. This file already includes the <mbedtls/md4.h> file
+    along with the file existence control (defined (MBEDTLS_MD4_C))
   
-  Closes #7203
+  - curl_ntlm_core.c: unnecessary include - repeated below
+  
+  Closes #7419
 
-- release-notes.pl: also spot common 'closes' typo
+- RELEASE-NOTES: synced
 
-- metalink: remove
+Jay Satiro (16 Jul 2021)
+- [User Sg brought this change]
+
+  multi: fix crash in curl_multi_wait / curl_multi_poll
   
-  Warning: this will make existing curl command lines that use metalink to
-  stop working.
+  Appears to have been caused by 51c0ebc (precedes 7.77.0) which added a
+  VALID_SOCK check to one of the loops through the sockets but not the
+  other.
   
-  Reasons for removal:
+  Reported-by: sylgal@users.noreply.github.com
+  Authored-by: sylgal@users.noreply.github.com
   
-  1. We've found several security problems and issues involving the
-     metalink support in curl. The issues are not detailed here. When
-     working on those, it become apparent to the team that several of the
-     problems are due to the system design, metalink library API and what
-     the metalink RFC says. They are very hard to fix on the curl side
-     only.
+  Fixes https://github.com/curl/curl/issues/7379
+  Closes https://github.com/curl/curl/pull/7389
+
+- [Daniel Gustafsson brought this change]
+
+  tool_help: remove unused define
   
-  2. The metalink usage with curl was only very briefly documented and was
-     not following the "normal" curl usage pattern in several ways, making
-     it surprising and non-intuitive which could lead to further security
-     issues.
+  The PRINT_LINES_PAUSE macro is no longer used, and has been mostly
+  cleaned out but one occurrence remained.
   
-  3. The metalink library was last updated 6 years ago and wasn't so
-     active the years before that either. An unmaintained library means
-     there's a security problem waiting to happen. This is probably reason
-     enough.
+  Closes https://github.com/curl/curl/pull/7380
+
+- [Sergey Markelov brought this change]
+
+  build: fix compiler warnings when CURL_DISABLE_VERBOSE_STRINGS
   
-  4. Metalink requires an XML parsing library, which is complex code (even
-     the smaller alternatives) and to this day often gets security
-     updates.
+  fix compiler warnings about unused variables and parameters when
+  built with --disable-verbose.
   
-  5. Metalink is not a widely used curl feature. In the 2020 curl user
-     survey, only 1.4% of the responders said that they'd are using it. In
-     2021 that number was 1.2%. Searching the web also show very few
-     traces of it being used, even with other tools.
+  Closes https://github.com/curl/curl/pull/7377
+
+- [Andrea Pappacoda brought this change]
+
+  build: fix IoctlSocket FIONBIO check
   
-  6. The torrent format and associated technology clearly won for
-     downloading large files from multiple sources in parallel.
+  Prior to this change HAVE_IOCTLSOCKET_CAMEL_FIONBIO mistakenly checked
+  for (lowercase) ioctlsocket when it should have checked for IoctlSocket.
   
-  Cloes #7176
+  Closes https://github.com/curl/curl/pull/7375
 
-- docs/INSTALL: remove mentions of configure --with-darwin-ssl
-  
-  ... as it isn't supported since a while back.
+- [Timur Artikov brought this change]
+
+  configure: fix nghttp2 library name for static builds
   
-  Make configure fail with a warning if used.
+  Don't hardcode the nghttp2 library name,
+  because it can vary, be "nghttp2_static" for example.
   
-  Reported-by: Vadim Grinshpun
-  Bug: https://curl.se/mail/lib-2021-06/0008.html
-  Closes #7200
-
-- RELEASE-NOTES: synced
+  Fixes https://github.com/curl/curl/issues/7367
+  Closes https://github.com/curl/curl/pull/7368
 
-- [Gregor Jasny brought this change]
+Gisle Vanem (16 Jul 2021)
+- [PellesC] fix _lseeki64() macro
 
-  cmake: Avoid leaking absolute paths into exported config
+- [SChannel] Use '_tcsncmp()' instead
   
-  The `find_libarary` command resolves the library or framework
-  into an absolute path. In case of system frameworks which are
-  located within an Xcode-provided SDK this results in the Xcode
-  path and SDK version being part of the library path.
+  Revert previous change for PellesC.
   
-  Because those library paths end up in the exported CMake config
-  importing curl will fail once the Xcode location or SDK version
-  changes:
+  Instead replace all use of `_tcsnccmp()` with `_tcsncmp()`.
+
+- [PellesC] missing '_tcsnccmp'
   
-  ```cmake
-  set_target_properties(CURL::libcurl PROPERTIES
-    INTERFACE_INCLUDE_DIRECTORIES "${_IMPORT_PREFIX}/include"
-    INTERFACE_LINK_LIBRARIES "lber;ldap;/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.3.sdk/System/Library/Frameworks/SystemConfiguration.framework;OpenSSL::SSL;OpenSSL::Crypto;ZLIB::ZLIB"
-  )
-  ```
+  PellesC compiler does not have this macro in it's `<tchar.h>`
+
+Daniel Gustafsson (14 Jul 2021)
+- TODO: add mention of mbedTLS 3 incompatibilities
   
-  A work-around is to link against system-level frameworks with
-  `-framework XYZ`. In case of `SystemConfiguration` we might be able
-  to omit the lookup-check because we could assume the framework is
-  always present.
+  Wyatt OʼDay reported in #7385 that mbedTLS isn't backwards compatible
+  and curl no longer builds with it. Document the need to fix our support
+  until so has been done.
   
-  Closes #7152
-
-- [Shikha Sharma brought this change]
+  Closes #7390
+  Fixes #7385
+  Reported-by: Wyatt OʼDay
+  Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
 
-  http2_connisdead: handle trailing GOAWAY better
+- docs: fix inconsistencies in EGDSOCKET documentation
   
-  When checking the connection the input processing returns error
-  immediately, we now consider that a dead connnection.
+  Only the OpenSSL backend actually use the EGDSOCKET, and also use
+  TLS consistently rather than mixing SSL and TLS. While there, also
+  fix a minor spelling nit.
   
-  Bug: https://curl.se/mail/lib-2021-06/0001.html
-  Closes #7192
+  Closes: #7391
+  Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
 
-- [Dmitry Karpov brought this change]
+- [Борис Верховский brought this change]
 
-  ares: always store IPv6 addresses first
-  
-  Trying dual-stack on some embedded platform, I noticed that quite
-  frequently (20%) libCurl starts from IPv4 regardless the Happy Eyeballs
-  timeout value.  After debugging this issue, I noticed that this happens
-  if c-ares resolver response for IPv6 family comes before IPv4 (which was
-  randomly happening in my tests).
-  
-  In such cases, because libCurl puts the last resolver response on top of
-  the address list, when IPv4 resolver response comes after IPv6 one - the
-  IPv4 family starts the connection phase instead of IPv6 family.
-  
-  The solution for this issue is to always put IPv6 addresses on top of
-  the address list, regardless the order of resolver responses.
+  docs: document missing arguments to commands
   
-  Bug: https://curl.se/mail/lib-2021-06/0003.html
+  This is a followup to commit f410b9e538129e77607fef1 fixing a few
+  more commands which takes arguments.
   
-  Closes #7188
+  Closes #7382
+  Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
 
-- Revert "Revert "socketpair: fix potential hangs""
-  
-  This reverts commit 3e70c3430a370a31eff2c1d8fea29edaca8f1127.
+- [Randolf J brought this change]
+
+  docs: fix incorrect argument name reference
   
-  Thus brings back the change from #7144 as was originally landed in
-  c769d1eab4de8b
+  The documentation for the read callback was erroneously referencing
+  the nitems argument by nmemb.  The error was introduced in commit
+  ce0881edee3c7.
   
-  Closes #7144 (again)
+  Closes #7383
+  Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
 
-- [Ebe Janchivdorj brought this change]
+- [Борис Верховский brought this change]
 
-  schannel: move code out of SChannel_connect_step1
+  tool_help: Document that --tlspassword takes a password
   
-  Reviewed-by: Marc Hoersken
-  Closes #7168
+  Closes #7378
+  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
 
-- tests/data/Makefile.inc: error: trailing backslash on last line
+- scripts: Fix typo in release-notes instructions
   
-  Follow-up to d8dcb399b8009d
-
-- TODO: Support rate-limiting for MQTT
+  The command to run had a typo in the pathname which prevented copy
+  pasting it to work, which has annoyed me enough to fix this now.
 
-- [Dmitry Kostjuchenko brought this change]
+- RELEASE-NOTES: synced
 
-  warnless: simplify type size handling
+Jay Satiro (10 Jul 2021)
+- write-out.d: Clarify urlnum is not unique for de-globbed URLs
   
-  By using sizeof(T), existing defines and relying on the compiler to
-  define the required signed/unsigned mask.
+  Reported-by: Коваленко Анатолий Викторович
   
-  Closes #7181
+  Fixes https://github.com/curl/curl/issues/7342
+  Closes https://github.com/curl/curl/pull/7369
 
-Gisle Vanem (4 Jun 2021)
-- [Win32] Fix for USE_WATT32
+Daniel Gustafsson (3 Jul 2021)
+- [William Desportes brought this change]
+
+  docs: Fix typos
   
-  My Watt-32 tcp/ip stack works on Windows but it does not have `WSAIoctl()`
+  Closes: #7370
+  Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
 
-Daniel Stenberg (4 Jun 2021)
-- [Alexis Vachette brought this change]
+Daniel Stenberg (8 Jul 2021)
+- [Jonathan Wernberg brought this change]
 
-  url: bad CURLOPT_CONNECT_TO syntax now returns error
+  Revert "ftp: Expression 'ftpc->wait_data_conn' is always false"
   
-  Added test 3020 to verify
+  The reverted commit introduced a logic error in code that was
+  correct.
   
-  Closes #7183
-
-- github: remove the cmake macOS gcc-8 jobs
+  The client using libcurl would notice the error since FTP file
+  uploads in active transfer mode would somtimes complete with
+  success despite no transfer having been performed and the
+  "uploaded" file thus not being on the remote server afterwards.
   
-  They're too similar to the gcc-9 ones to be useful (and seems to not
-  work anymore).
+  The FTP server would notice the error because it receives a
+  RST on the data connection it has established with the client
+  before any data was transferred at all.
   
-  Closes #7187
-
-- test269: disable for hyper
+  The logic error happens if the STOR response from the server have
+  arrived by the time ftp_multi_statemach() in the affected code path
+  is called, but the incoming data connection have not arrived yet.
+  In that case, the processing of the STOR response will cause
+  'ftpc->wait_data_conn' to be set to TRUE, contradicting the comment
+  in the code. Since 'complete' will also be set, later logic would
+  believe the transfer was done.
   
-  --ignore-content-length / CURLOPT_IGNORE_CONTENT_LENGTH doesn't work
-  with hyper.
+  In most cases, the STOR response will not have arrived yet when
+  the affected code path is executed, or the incoming connection will
+  also have arrived, and thus the error would not express itself.
+  But if the speed difference of the device using libcurl and the
+  FTP server is exactly right, the error may happen as often as in
+  one out of hundred file transfers.
   
-  Closes #7184
+  This reverts commit 49f3117a238b6eac0e22a32f50699a9eddcb66ab.
+  
+  Bug: https://curl.se/mail/lib-2021-07/0025.html
+  Closes #7362
 
-- runtests: enable 'hyper mode' only for HTTP tests
+- msnprintf: return number of printed characters excluding null byte
   
-  The 'hyper mode' makes line-ending checks work in the test suite for
-  when hyper is used. Now it also requires that HTTP or HTTPS are
-  mentioned as keywords to be enabled so that it doesn't wrongly adjusts
-  tests for other protocols.
+  ... even when the output is "capped" by the maximum length argument.
   
-  This makes test 271 (TFTP) work again in hyper enabled builds.
+  Clarified in the docs.
   
-  Closes #7185
-
-- [Alexis Vachette brought this change]
+  Closes #7361
 
-  hostip: bad CURLOPT_RESOLVE syntax now returns error
+- infof: remove newline from format strings, always append it
   
-  Added test 3019
-  Fixes #7170
-  Closes #7174
-
-Daniel Gustafsson (3 Jun 2021)
-- cookies: fix typo and expand comment
+  - the data needs to be "line-based" anyway since it's also passed to the
+    debug callback/application
   
-  Fix a typo in the sorting comment, and while in there elaborate slightly
-  on why creationtime can be used as a tiebreaker.
-
-- cookies: remove unused header
+  - it makes infof() work like failf() and consistency is good
   
-  Commit 1c1d9f1affbd3367bcb24062e261d0ea5d185e3a removed the last use
-  for the inet_pton.h headerfile, this removes the inclusion of the
-  header.
+  - there's an assert that triggers on newlines in the format string
   
-  Closes: #7182
-  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
-
-Daniel Stenberg (3 Jun 2021)
-- Revert "socketpair: fix potential hangs"
+  - Also removes a few instances of "..."
   
-  This reverts commit c769d1eab4de8b9f1bd84d992c63692fdc43c5be.
+  - Removes the code that would append "..." to the end of the data *iff*
+    it was truncated in infof()
   
-  See #7144 for details
-
-- [Paul Groke brought this change]
+  Closes #7357
 
-  socketpair: fix potential hangs
-  
-  Fixes potential hang in accept by using select + non-blocking accept.
+- examples/multi-single: fix scan-build warning
   
-  Fixes potential hang in peer check by replacing the send/recv check with
-  a getsockname/getpeername check.
+  warning: Value stored to 'mc' during its initialization is never read
   
-  Adds length check for returned sockaddr data.
+  Follow-up to ae8e11ed5fd2ce
   
-  Closes #7144
+  Closes #7360
 
-- runtests: parse data/Makefile.inc instead of using make
+- wolfssl: failing to set a session id is not reason to error out
   
-  The warning about missing entries in that file then doesn't require that
-  the Makefile has been regenerated which was confusing.
+  ... as it is *probably* just timed out.
   
-  The scan for the test num is a little more error prone than before
-  (since now it doesn't actually verify that it is legitimate Makefile
-  syntax), but I think it is good enough.
+  Reported-by: Francisco Munoz
   
-  Closes #7177
-
-- [Harry Sintonen brought this change]
+  Closes #7358
 
-  filecheck: quietly remove test-place/*~
+- docs/examples: use curl_multi_poll() in multi examples
   
-  Closes #7179
-
-- CURLE_SETOPT_OPTION_SYNTAX: new error name for wrong setopt syntax
+  The API is soon two years old and deserves being shown as the primary
+  way to drive multi code as it makes it much easier to write code.
   
-  For options that pass in lists or strings that are subsequently parsed
-  and must be correct. This broadens the scope for the option previously
-  known as CURLE_TELNET_OPTION_SYNTAX but the old name is of course still
-  provided as a #define for existing applications.
+  multi-poll: removed
   
-  Closes #7175
+  multi-legacy: add to show how we did multi API use before
+  curl_multi_wait/poll.
+  
+  Closes #7352
 
-- tests: fix Accept-Encoding strips to work with Hyper builds
+- KNOWN_BUGS: flaky Windows CI builds
   
-  The previous strip also removed the CR which turned problematic.
+  Closes #6972
+
+- RELEASE-NOTES: synced
+
+- test1147: hyper doesn't allow "crazy" request headers like built-in
   
-  valgrind.supp: add zstd suppression using hyper
+  ... so strip that from the test.
   
-  Reported-and-analyzed-by: Kevin Burke
-  Fixes #7169
-  Closes #7171
+  Closes #7349
 
-- github: timeout jobs on macOS after 90 minutes
+- c-hyper: bail on too long response headers
   
-  Assisted-by: Marc Hoersken
-  Closes #7173
-
-- [Harry Sintonen brought this change]
-
-  mqtt: detect illegal and too large file size
+  To match with built-in behaviors. Makes test 1154 work.
   
-  Add test 3017 and 3018 to verify.
-  Closes #7166
+  Closes #7350
 
-- [Abhinav Singh brought this change]
+- test1151: added missing CRLF to work with hyper
+  
+  Closes #7350
 
-  cmake: add CURL_DISABLE_NTLM option
+- c-hyper: add support for transfer-encoding in the request
   
-  Closes #7028
+  Closes #7348
 
-- [Abhinav Singh brought this change]
+- [Andrea Pappacoda brought this change]
 
-  configure: add --disable-ntlm option
+  cmake: remove libssh2 feature checks
   
-  Closes #7028
+  libssh2 features are detected based on version since commit
+  9dbbba997608f7c3c5de1c627c77c8cd2aa85b73
+  
+  Closes #7343
 
-- [Abhinav Singh brought this change]
+- test1116: hyper doesn't pass through "surprise-trailers"
+  
+  Closes #7344
 
-  define: re-add CURL_DISABLE_NTLM and corresponding ifdefs
+- socks4: scan for the IPv4 address in resolve results
   
-  This flag will be further exposed by adding build options.
+  Follow-up to 84d2839740 which changed the resolving to always resolve
+  both address families, but since SOCKS4 only supports IPv4 it should
+  scan for and use the first available IPv4 address.
   
-  Reverts #6809
-  Closes #7028
+  Reported-by: shithappens2016 on github
+  Fixes #7345
+  Closes #7346
 
-- RELEASE-NOTES: synced
+Jay Satiro (5 Jul 2021)
+- proto.d: fix formatting for paragraphs after margin changes
+  
+  Closes https://github.com/curl/curl/pull/7341
 
-Viktor Szakats (1 Jun 2021)
-- travis: delete --enable-hsts option (it is the default now) [ci skip]
+- pinnedpubkey.d: fix formatting for version support lists
   
-  Reviewed-by: Daniel Stenberg
-  Closes #7167
+  Closes https://github.com/curl/curl/pull/7340
 
-Daniel Stenberg (1 Jun 2021)
-- hostip: fix 3 coverity complaints
+Daniel Stenberg (2 Jul 2021)
+- TODO: "Support in-memory certs/ca certs/keys" done
   
-  Follow-up to 1a0ebf6632f889eed
+  Has been suppored for a while now with the *BLOB options.
+
+- examples: safer and more proper read callback logic
   
-  - Check the return code to Curl_inet_pton() in two instances, even
-    though we know the input is valid so the functions won't fail.
+  The same callback code is used in:
   
-  - Clear the 'struct sockaddr_in' struct before use so that the
-    'sin_zero' field isn't left uninitialized.
+   imap-append.c
+   smtp-authzid.c
+   smtp-mail.c
+   smtp-multi.c
+   smtp-ssl.c
+   smtp-tls.c
   
-  Detected by Coverity.
-  Assisted-by: Harry Sintonen
-  Closes #7163
+  It should not assume that it can copy full lines into the buffer as it
+  will encourage sloppy coding practices. Instead use byte-wise logic and
+  check/acknowledge the buffer size appropriately.
+  
+  Reported-by: Harry Sintonen
+  Fixes #7330
+  Closes #7331
 
-- c-hyper: fix NTLM on closed connection tested with test159
+- test1519: adjusted to work with hyper
   
-  Closes #7154
+  Closes #7333
 
-- conncache: lowercase the hash key for better match
+- test1518: adjusted to work with hyper
   
-  As host names are case insensitive, the use of case sensitive hashing
-  caused unnecesary cache misses and therefore lost performance. This
-  lowercases the hash key.
+  ... by making sure the stdout output doesn't look like HTTP headers.
   
-  Reported-by: Harry Sintonen
-  Fixes #7159
-  Closes #7161
+  Closes #7333
 
-- mbedtls: make mbedtls_strerror always work
+- test1514: add a CRLF to the response to make it correct
   
-  If the function doesn't exist, provide a macro that just clears the
-  error message. Removes #ifdef uses from the code.
+  Makes hyper accept it fine instead returning HYPERE_UNEXPECTED_EOF on
+  us.
   
-  Closes #7162
+  Closes #7334
 
-- vtls: exit addsessionid if no cache is inited
+- formdata: avoid "Argument cannot be negative" warning
   
-  Follow-up to b249592d29ae0
+  ... when converting a curl_off_t to size_t, by using
+  CURL_ZERO_TERMINATED before passing the argument to the function.
   
-  Avoids NULL pointer derefs.
+  Detected by Coverity CID 1486590.
   
-  Closes #7165
-
-- [Harry Sintonen brought this change]
+  Closes #7328
+  Assisted-by: Daniel Gustafsson
 
-  Curl_ntlm_core_mk_nt_hash: fix OOM in error path
+- lib: more %u for port and int for %*s fixes
   
-  Closes #7164
+  Detected by Coverity
+  
+  Closes #7329
 
-Michael Kaufmann (1 Jun 2021)
-- ssl: read pending close notify alert before closing the connection
+- doh: (void)-prefix call to curl_easy_setopt
+
+- lib: fix type of len passed to *printf's %*s
   
-  This avoids a TCP reset (RST) if the server initiates a connection
-  shutdown by sending an SSL close notify alert and then closes the TCP
-  connection.
+  ... it needs to be 'int'. Detected by Coverity CID 1486611 (etc)
   
-  For SSL connections, usually the server announces that it will close the
-  connection with an SSL close notify alert. curl should read this alert.
-  If curl does not read this alert and just closes the connection, some
-  operating systems close the TCP connection with an RST flag.
+  Closes #7326
+
+- lib: use %u instead of %ld for port number printf
   
-  See RFC 1122, section 4.2.2.13
+  Follow-up to 764c6bd3bf which changed the type of some port number
+  fields. Detected by Coverity (CID 1486624) etc.
   
-  If curl reads the close notify alert, the TCP connection is closed
-  normally with a FIN flag.
+  Closes #7325
+
+- version: turn version number functions into returning void
   
-  The new code is similar to existing code in the "SSL shutdown" function:
-  try to read an alert (non-blocking), and ignore any read errors.
+  ... as we never use the return codes from them.
   
-  Closes #7095
-
-Daniel Stenberg (1 Jun 2021)
-- [Laurent Dufresne brought this change]
+  Reviewed-by: Daniel Gustafsson
+  Closes #7319
 
-  setopt: fix incorrect comments
+- mqtt: extend the error message for no topic
   
-  Closes #7157
+  ... and mention that it needs URL encoding.
+  
+  Reported-by: Peter Körner
+  Fixes #7316
+  Closes #7317
 
-- [Laurent Dufresne brought this change]
+- formdata: correct typecast in curl_mime_data call
+  
+  Coverity pointed out it the mismatch. CID 1486590
+  
+  Closes #7327
 
-  mbedtls: add support for cert and key blob options
+- url: (void)-prefix a curl_url_get() call
   
-  CURLOPT_SSLCERT_BLOB and CURLOPT_SSLKEY_BLOB weren't usable with
-  mbedtls backend, so the support was added.
+  Coverity (CID 1486645) pointed out a use of curl_url_get() in the
+  parse_proxy function where the return code wasn't checked. A
+  (void)-prefix makes the intention obvious.
   
-  Closes #7157
+  Closes #7320
 
-- [Gregor Jasny brought this change]
+- glob: pass an 'int' as len when using printf's %*s
+  
+  Detected by Coverity CID 1486629.
+  
+  Closes #7324
 
-  cmake: try well-known send/recv signature for Apple
+- vtls: use free() not curl_free()
   
-  The CMake `try_compile` command is especially slow for
-  the Xcode generator. With this patch applied it first tests
-  for the currently used (and Open Group specified) send/recv
-  signature. In case this fails testing falls-back to the
-  permutations.
+  curl_free() is provided for users of the API to free returned data,
+  there's no need to use it internally.
   
-  speed-up:
+  Closes #7318
+
+- zuul: use the new rustls directory name
   
-  ```
-  time cmake .. -GNinja -DCMAKE_USE_SECTRANSP=ON -DHTTP_ONLY=ON -DCMAKE_USE_LIBSSH2=OFF
-  before: 11.64s user 11.09s system 55% cpu 40.754 total
-  after:   7.84s user 6.57s  system 51% cpu 28.074 total
-  ```
+  Follow-up to 6d972c8b1cbb3 which missed updating this directory name.
   
-  ```
-  time cmake .. -GXcode -DCMAKE_USE_SECTRANSP=ON -DHTTP_ONLY=ON -DCMAKE_USE_LIBSSH2=OFF
-  before: 217.07s user 104.15s system 60% cpu 8:51.79 total
-  after:  108.76s user  51.80s system 58% cpu 4:32.58 total
-  ```
+  Also no longer call it crustls in the docs and bump to rusttls-ffi 0.7.1
   
-  Closes #7158
+  Closes #7311
 
-- http2: init recvbuf struct for pushed streams
+Jay Satiro (29 Jun 2021)
+- http: fix crash in rate-limited upload
   
-  Debug builds would warn that these structs were not initialized properly
-  for pushed streams.
+  - Don't set the size of the piece of data to send to the rate limit if
+    that limit is larger than the buffer size that will hold the piece.
   
-  Ref: #7148
-  Closes #7153
+  Prior to this change if CURLOPT_MAX_SEND_SPEED_LARGE
+  (curl tool: --limit-rate) was set then it was possible that a temporary
+  buffer used for uploading could be written to out of bounds. A likely
+  scenario for this would be a non-trivial amount of post data combined
+  with a rate limit larger than CURLOPT_UPLOAD_BUFFERSIZE (default 64k).
+  
+  The bug was introduced in 24e469f which is in releases since 7.76.0.
+  
+  perl -e "print '0' x 200000" > tmp
+  curl --limit-rate 128k -d @tmp httpbin.org/post
+  
+  Reported-by: Richard Marion
+  
+  Fixes https://github.com/curl/curl/issues/7308
+  Closes https://github.com/curl/curl/pull/7315
 
-- Curl_ssl_getsessionid: fail if no session cache exists
+Daniel Stenberg (29 Jun 2021)
+- copyright: add boiler-plate headers to CI config files
   
-  This function might get called for an easy handle for which the session
-  cache hasn't been setup. It now just returns a "miss" in that case.
+  And whitelist .zuul.ignore
   
-  Reported-by: Christoph M. Becker
-  Fixes #7148
-  Closes #7153
+  Closes #7314
 
-- GOVERNANCE: add 'user', 'committer' and 'contributor'
+- CI: remove travis details
   
-  As those are commonly used terms in the project.
+  Rename still used leftovers to "zuul" as that's now the CI using them.
   
-  Closes #7151
+  Closes #7313
 
-- URL-SYNTAX.md: document the new 'localhost' treatment
+- RELEASE-NOTES: synced
 
-- hostip: make 'localhost' return fixed values
+- openssl: avoid static variable for seed flag
   
-  Resolving the case insensitive host name 'localhost' now returns the
-  addresses 127.0.0.1 and (if IPv6 is enabled) ::1 without using any
-  resolver.
+  Avoid the race condition risk by instead storing the "seeded" flag in
+  the multi handle. Modern OpenSSL versions handle the seeding itself so
+  doing the seeding once per multi-handle instead of once per process is
+  less of an issue.
   
-  This removes the risk that users accidentally resolves 'localhost' to
-  something else. By making sure 'localhost' is always local, we can
-  assume a "secure context" for such transfers (for cookies etc).
+  Reported-by: Gerrit Renker
+  Fixes #7296
+  Closes #7306
+
+- configure: inhibit the implicit-fallthrough warning on gcc-12
   
-  Closes #7039
+  ... since it no longer acknowledges the comment markup we use for that
+  purpose.
+  
+  Reported-by: Younes El-karama
+  Fixes #7295
+  Closes #7307
 
-Daniel Gustafsson (31 May 2021)
-- docs: fix typos
+Daniel Gustafsson (28 Jun 2021)
+- [Andrei Rybak brought this change]
 
-Daniel Stenberg (30 May 2021)
-- hsts: ignore numberical IP address hosts
+  misc: fix typos in comments which repeat a word
   
-  Also, use a single function library-wide for detecting if a given hostname is
-  a numerical IP address.
+  Fix typos in code comments which repeat various words.  In trivial
+  cases, just delete the repeated word.  Reword the affected sentence in
+  "lib/url.c" for it to make sense.
   
-  Reported-by: Harry Sintonen
-  Fixes #7146
-  Closes #7149
+  Closes #7303
+  Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
 
-- test178: adjust for hyper
+Daniel Stenberg (27 Jun 2021)
+- lib677: make it survive torture testing
   
-  Hyper returns the same error for wrong HTTP version as for negative
-  content-length. Test 178 verifies that negative content-length is
-  rejected but the hyper backend will return a different error for it (and
-  without any helpful message telling why the message was bad). It will
-  also not return any headers at all for the response, not even the ones
-  that arrived before the error.
+  Follow-up to a5ab72d5edd7
   
-  Closes #7147
+  Closes #7300
 
-- HYPER: remove mentions of deprecated development branch
+- [Tommy Chiang brought this change]
 
-- c-hyper: handle NULL from hyper_buf_copy()
+  docs/BINDINGS: fix outdated links
   
-  Closes #7143
-
-- HSTS: not experimental anymore
+  * luacurl page is now not accessible, fix it with wayback machine page
+  * Scheme one seems not providing https now, change it back to http one
+  
+  Closes #7301
 
-- [Douglas R. Reno brought this change]
+- [Jacob Hoffman-Andrews brought this change]
 
-  INSTALL: use correct extension for CURL-DISABLE.md
+  curstls: bump crustls version and use new URL
   
-  In INSTALL.MD, it's currently set to CURL-DISABLE-md instead of
-  CURL-DISABLE.md. This generates a 404 on the cURL website as well as
-  when viewing the docs through Github.
+  crustls moved to https://github.com/rustls/rustls-ffi. This also bumps
+  the expected version to 0.7.0.
   
-  Closes #7142
+  Closes #7297
 
-- travis: run tests 1 - 153 with hyper
+- RELEASE-NOTES: synced
 
-- c-hyper: convert HYPERE_INVALID_PEER_MESSAGE to CURLE_UNSUPPORTED_PROTOCOL
-  
-  Makes test 129 work (HTTP/1.2 response).
+- examples: length-limit two sscanf() uses of %s
   
-  Closes #7141
+  Reported-by: Jishan Shaikh
+  Fixes #7293
+  Closes #7294
 
-- http_proxy: deal with non-200 CONNECT response with Hyper
-  
-  Makes test 94 and 95 work
-  
-  Closes #7141
+- [Richard Whitehouse brought this change]
 
-- c-hyper: clear NTLM auth buffer when request is issued
+  multi: alter transfer timeout ordering
   
-  To prevent previous ones to get reused on subsequent requests. Matches
-  how the built-in HTTP code works. Makes test 90 to 93 work.
+  - Check whether a connection has succeded before checking whether it's
+    timed out.
   
-  Add test 90 to 93 in travis.
+    This means if we've connected quickly, but subsequently been
+    descheduled, we allow the connection to succeed. Note, if we timeout,
+    but between checking the timeout, and connecting to the server the
+    connection succeeds, we will allow it to go ahead. This is viewed as
+    an acceptable trade off.
   
-  Closes #7139
-
-- [Joel Depooter brought this change]
+  - Add additional failf logging around failed connection attempts to
+    propogate the cause up to the caller.
+  
+  Co-Authored-by: Martin Howarth
+  Closes #7178
 
-  schannel: set ALPN length correctly for HTTP/2
+- test677: IMAP CONNECT_ONLY, custom command and then exit
   
-  In a3268eca792f1 this code was changed to use the ALPN_H2 constant
-  instead of the NGHTTP2_PROTO_ALPN constant. However, these constants are
-  not the same. The nghttp2 constant included the length of the string,
-  like this: "\x2h2". The ALPN_H2 constant is just "h2". Therefore we need
-  to re-add the length of the string to the ALPN buffer.
+  Adjusted ftpserver.pl to add support for the IMAP IDLE command
   
-  Closes #7138
+  Adjusted test 660 to sync with the fix
 
-- travis: run tests 1-89 in the hyper build
+- multi: do not switch off connect_only flag when closing
   
-  Closes #7137
+  ... as it made protocol specific disconnect commands wrongly get used.
+  
+  Bug: https://curl.se/mail/lib-2021-06/0024.html
+  Reported-by: Aleksander Mazur
+  Closes #7288
 
-- Revert "c-hyper: handle body on HYPER_TASK_EMPTY"
+- http: make the haproxy support work with unix domain sockets
   
-  This reverts commit c3eefa95c31f55657f0af422e8268d738f689066.
+  ... it should then pass on "PROXY UNKNOWN" since it doesn't know the
+  involved IP addresses.
   
-  Reported-by: Kevin Burke
-  Fixes #7122
-  Closes #7136
+  Reported-by: Valentín Gutiérrez
+  Fixes #7290
+  Closes #7291
 
-- [Jon Rumsey brought this change]
+- [Xiang Xiao brought this change]
 
-  ccsidcurl: fix the compile errors
-  
-  Looks like the declaration of cpp shoule be const char ** and return
-  null if convert_version_info_string fails.
+  curl.h: include sys/select.h for NuttX RTOS
   
-  Fixes #7134
-  Closes #7135
+  Closes #7287
 
-- [Viktor Szakats brought this change]
+- [Bin Meng brought this change]
 
-  docs: use --max-redirs instead of --max-redir
+  curl.h: remove the execution bit
   
-  For consistency.
+  The execution bit of curl.h file was wrongly added:
   
-  Closes #7130
-
-- RELEASE-NOTES: synced
+    commit 2621025d6f96 ("curl.h: <sys/select.h> is supported by VxWorks7")
   
-  ... and bump to 7.77.1
+  and should be removed.
+  
+  Follow-up to 2621025d6f96 ("curl.h: <sys/select.h> is supported by VxWorks7")
+  Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
+  Closes #7286
 
-- [Michael Forney brought this change]
+- [Bin Lan brought this change]
 
-  travis: add bearssl build
+  curl.h: <sys/select.h> is supported by VxWorks7
   
-  Closes #7133
+  Closes #7285
 
-- [Michael Forney brought this change]
+- [Bachue Zhou brought this change]
 
-  bearssl: explicitly initialize all fields of Curl_ssl
+  quiche: use send() instead of sendto() to avoid macOS issue
   
-  Also, add comments like the other vtls backends.
+  sendto() always returns "Socket is already connected" error on macos
   
-  Closes #7133
+  Closes #7260
 
-- [Michael Forney brought this change]
+- [Li Xinwei brought this change]
 
-  bearssl: remove incorrect const on variable that is modified
+  cmake: fix support for UnixSockets feature on Win32
   
-  hostname may be set to NULL later on in this function if it is an
-  IP address.
+  Move the definition of sockaddr_un struct from config-win32.h to
+  curl_setup.h, so that it could be shared by all build systems.
   
-  Closes #7133
+  Add ADDRESS_FAMILY typedef for old mingw, now old mingw can also use
+  unix sockets.
+  
+  Also fix the build of tests/server/sws.c on Win32 when USE_UNIX_SOCKETS
+  is defined.
+  
+  Closes #7034
 
-Version 7.77.0 (26 May 2021)
+- [Gregory Muchka brought this change]
+
+  hostip: (macOS) free returned memory of SCDynamicStoreCopyProxies
+  
+  From Apples documentation on SCDynamicStoreCopyProxies, "Return Value: A
+  dictionary of key-value pairs that represent the current internet proxy
+  settings, or NULL if no proxy settings have been defined or if an error
+  occurred. You must release the returned value."
+  
+  Failure to release the returned value of SCDynamicStoreCopyProxies can
+  result in a memory leak.
+  
+  Source: https://developer.apple.com/documentation/systemconfiguration/1517088-scdynamicstorecopyproxies
+  
+  Closes #7265
 
-Daniel Stenberg (26 May 2021)
 - RELEASE-NOTES: synced
 
-- THANKS: added contributors from 7.77.0 cycle
+Jay Satiro (21 Jun 2021)
+- vtls: fix warning due to function prototype mismatch
+  
+  b09c8ee changed the function prototype. Caught by Visual Studio.
 
-- copyright: update copyright year ranges to 2021
+- curl_multibyte: Remove local encoding fallbacks
+  
+  - If the UTF-8 to UTF-16 conversion fails in Windows Unicode builds then
+    no longer fall back to assuming the string is in a local encoding.
+  
+  Background:
+  
+  Some functions in Windows Unicode builds must convert UTF-8 to UTF-16 to
+  pass to the Windows CRT API wide-character functions since in Windows
+  UTF-8 is not a valid locale (or at least 99% of the time right now).
+  
+  Prior to this change if the Unicode encoding conversion failed then
+  libcurl would assume, for backwards compatibility with applications that
+  may have written their code for non-Unicode builds, attempt to convert
+  the string from local encoding to UTF-16.
+  
+  That type of "best effort" could theoretically cause some type of
+  security or other problem if a string that was locally encoded was also
+  valid UTF-8, and therefore an unexpected UTF-8 to UTF-16 conversion
+  could occur.
+  
+  Ref: https://github.com/curl/curl/pull/7246
+  
+  Closes https://github.com/curl/curl/pull/7257
 
-- [Radek Zajic brought this change]
+Daniel Stenberg (20 Jun 2021)
+- curl_endian: remove the unused Curl_write64_le function
+  
+  The last usage was removed in cca455a36
+  
+  Closes #7280
 
-  hostip: fix broken macOS/CMake/GCC builds
+- vtls: only store TIMER_APPCONNECT for non-proxy connect
   
-  Follow-up to 31f631a142d855f06
+  Introducing a 'isproxy' argument to the connect function so that it
+  knows wether to store the time stamp or not.
   
-  Fixes #7128
-  Closes #7129
+  Reported-by: Yongkang Huang
+  Fixes #7274
+  Closes #7274
 
-- TODO: netrc caching and sharing
+- gnutls: set the preferred TLS versions in correct order
   
-  URL: https://curl.se/mail/archive-2021-05/0018.html
+  Regression since 781864bedbc57 (curl 7.77.0)
+  
+  Reported-by: civodul on github
+  Assisted-by: Nikos Mavrogiannopoulos
+  Fixes #7277
+  Closes #7278
 
-- [Orgad Shaneh brought this change]
+- [Gergely Nagy brought this change]
 
-  setopt: streamline ssl option code
-  
-  Make it use the same style as the code next to it
+  configure/cmake: remove checks for unused gethostbyaddr and gethostbyaddr_r
   
-  Closes #7123
+  Closes #7276
 
-- [Radek Zajic brought this change]
+- [Gergely Nagy brought this change]
 
-  lib/hostip6.c: make NAT64 address synthesis on macOS work
+  configure/cmake: remove checks for unused inet_ntoa and inet_ntoa_r
   
-  Closes #7121
+  Closes #7276
 
-- [ejanchivdorj brought this change]
+- [Gergely Nagy brought this change]
 
-  sectransp: fix EXC_BAD_ACCESS caused by uninitialized buffer
-  
-  When the SecCertificateCopyCommonName function fails, it leaves
-  common_name in a invalid state so CFStringCompare uses the invalid
-  result, causing EXC_BAD_ACCESS.
-  
-  The fix is to check the return value of the function before using the
-  name.
+  configure/cmake: remove unused define HAVE_PERROR
   
-  Closes #7126
+  Closes #7276
 
-- [Paweł Wegner brought this change]
+- [Gergely Nagy brought this change]
 
-  CMake: add CURL_ENABLE_EXPORT_TARGET option
-  
-  install(EXPORT ...) causes trouble when embedding curl dependencies
-  which don't provide install(EXPORT ...) targets (e.g libressl and
-  nghttp2) with cmake's add_subdirectory.
+  configure: remove unused check for gai_strerror
   
-  Reviewed-by: Jakub Zakrzewski
-  Closes #7060
+  Closes #7276
 
-- [Alessandro Ghedini brought this change]
+- [Gergely Nagy brought this change]
 
-  quiche: update for network path aware API
-  
-  Latest version of quiche requires the application to pass the peer
-  address of received packets, and it provides the address for outgoing
-  packets back.
+  configure/cmake: remove unused define HAVE_FREEIFADDRS
   
-  Closes #7120
+  Closes #7276
 
-- [Jacob Hoffman-Andrews brought this change]
+- [Gergely Nagy brought this change]
 
-  rustls: switch read_tls and write_tls to callbacks
-  
-  And update to 0.6.0, including a rename from session to connection for
-  many fields.
+  configure/cmake: remove unused define HAVE_FORK
   
-  Closes #7071
+  Closes #7276
 
-- [Koichi Shiraishi brought this change]
+- [Gergely Nagy brought this change]
 
-  sectransp: fix 7f4a9a9b2a49 commit about missing comma
-  
-  Follow-up to 7f4a9a9b2a495
+  configure/cmake: remove unused define HAVE_FDOPEN
   
-  Closes #7119
+  Closes #7276
 
-- [Harry Sintonen brought this change]
+- [Gergely Nagy brought this change]
 
-  openssl: associate/detach the transfer from connection
-  
-  CVE-2021-22901
+  configure/cmake: remove checks for unused sgtty.h
   
-  Bug: https://curl.se/docs/CVE-2021-22901.html
+  Closes #7276
 
-- [Harry Sintonen brought this change]
+- [Gergely Nagy brought this change]
 
-  telnet: check sscanf() for correct number of matches
-  
-  CVE-2021-22898
+  configure/cmake: remove remaining checks for rsa.h
   
-  Bug: https://curl.se/docs/CVE-2021-22898.html
+  Closes #7276
 
-- schannel: don't use static to store selected ciphers
-  
-  CVE-2021-22897
+- [Gergely Nagy brought this change]
+
+  configure/cmake: remove remaining checks for err.h
   
-  Bug: https://curl.se/docs/CVE-2021-22897.html
+  Closes #7276
 
-- docs/tests: remove freenode references
+- [Gergely Nagy brought this change]
 
-- RELEASE-NOTES: synced
+  configure/cmake: remove remaining checks for crypto.h
+  
+  Closes #7276
 
-- [Sergey Markelov brought this change]
+- [Gergely Nagy brought this change]
 
-  NSS: make colons, commas and spaces valid separators in cipher list
+  configure/cmake: remove checks for unused getservbyport_r
   
-  Fixes #7110
-  Closes #7115
+  Closes #7276
 
-- curl: include libmetalink version in --version output
+- --socks4[a]: clarify where the host name is resolved
   
-  Closes #7112
-
-Jay Satiro (21 May 2021)
-- [Matias N. Goldberg brought this change]
+  Closes #7273
 
-  cmake: Use multithreaded compilation on VS 2008+
+- libcurl-security.3: mention file descriptors and forks
   
-  Multithreaded compilation has been supported since at least VS 2005 and
-  been robustly stable since at least VS 2008
+  ... and move the security report section last.
   
-  Closes https://github.com/curl/curl/pull/7109
+  Reported-by: Harry Sintonen
+  Closes #7270
 
-Daniel Stenberg (21 May 2021)
-- [Matias N. Goldberg brought this change]
+- [Alex Xu (Hello71) brought this change]
 
-  cmake: fix two invokes result in different curl_config.h
+  configure.ac: make non-executable
   
-  Fixes #7100
-  Closes #7101
+  it needs to be processed by autoconf or autoreconf, and doesn't have a
+  suitable shebang to be directly executed. other projects normally set
+  configure.ac -x.
   
-  Reviewed-by: Jakub Zakrzewski
-  Signed-off-by: Matias N. Goldberg <dark_sylinc@yahoo.com.ar>
-
-- [Peng-Yu Chen brought this change]
+  Closes #7272
 
-  cmake: detect CURL_SA_FAMILY_T
+- configure: do not strip out debug flags
   
-  Fixes #7049
-  Closes #7065
+  To allow users to set them when invoking configure without using
+  --with-debug.
+  
+  Reported-by: Alex Xu
+  Fixes #7216
+  Closes #7267
 
-- [Lucas Clemente Vella brought this change]
+- libssh2: limit time a disconnect can take to 1 second
+  
+  Closes #7271
 
-  CURLOPT_IPRESOLVE: preventing wrong IP version from being used
+- TLS: prevent shutdown loops to get stuck
   
-  In some situations, it was possible that a transfer was setup to
-  use an specific IP version, but due do DNS caching or connection
-  reuse, it ended up using a different IP version from requested.
+  ... by making sure the loops are only allowed to read the shutdown
+  traffic a limited number of times.
   
-  This commit changes the effect of CURLOPT_IPRESOLVE from simply
-  restricting address resolution to preventing the wrong connection
-  type being used, when choosing a connection from the pool, and
-  to restricting what addresses could be used when establishing
-  a new connection.
+  Reported-by: Harry Sintonen
+  Closes #7271
+
+- hyper: propagate errors back up from read callbacks
   
-  It is important that all addresses versions are resolved, even if
-  not used in that transfer in particular, because the result is
-  cached, and could be useful for a different transfer with a
-  different CURLOPT_IPRESOLVE setting.
+  Makes test 513 work with hyper
   
-  Closes #6853
+  Closes #7266
 
-- [Oliver Urbann brought this change]
+- KNOWN_BUGS: Negotiate on Windows fails
+  
+  Closes #5881
 
-  AmigaOS: add functions definitions for SHA256
+- KNOWN_BUGS: renames instead of locking for atomic operations
   
-  AmiSSL replaces many functions with macros. Curl requires pointer
-  to some of these functions. Thus, we have to encapsulate these macros:
-  SHA256_Init, SHA256_Update, SHA256_Final, X509_INFO_free.
+  Closes #6882
+  Closes #6884
+
+- zuul: add two missing CI jobs
   
-  Bug: https://github.com/jens-maus/amissl/issues/15
-  Co-authored-by: Daniel Stenberg <daniel@haxx.se>
+  ... that were configured, just not run
   
-  Closes #7099
+  Closes #7261
 
-- test2100: make it run with and require IPv6
+Viktor Szakats (15 Jun 2021)
+- idn: fix libidn2 with windows unicode builds
   
-  Closes #7083
-
-- tests/getpart: generate output URL encoded for better diffs
+  Unicode Windows builds use UTF-8 strings internally in libcurl,
+  so make sure to call the UTF-8 flavour of the libidn2 API. Also
+  document that Windows builds with libidn2 and UNICODE do expect
+  CURLOPT_URL as an UTF-8 string.
   
-  Closes #7083
-
-- [Ryan Beck-Buysse brought this change]
+  Reported-by: dEajL3kA on github
+  Assisted-by: Jay Satiro
+  Reviewed-by: Marcel Raad
+  Closes #7246
+  Fixes #7228
 
-  docs/TheArtOfHttpScripting: fix markdown links
+Daniel Stenberg (15 Jun 2021)
+- curl_url_set: reject spaces in URLs w/o CURLU_ALLOW_SPACE
   
-  extra parens cause the links to be incorrectly formatted
-  and inconsistent with the rest of the document.
+  They were never officially allowed and slipped in only due to sloppy
+  parsing. Spaces (ascii 32) should be correctly encoded (to %20) before
+  being part of a URL.
   
-  Signed-off-by: Ryan Beck-Buysse <rbuysse@gmail.com>
-  Closes #7097
+  The new flag bit CURLU_ALLOW_SPACE when a full URL is set, makes libcurl
+  allow spaces.
+  
+  Updated test 1560 to verify.
+  
+  Closes #7073
 
 - RELEASE-NOTES: synced
+  
+  ... and bump to version 7.78.0 for the next planned release.
 
-- [Emil Engler brought this change]
-
-  docs: replace dots with dashes in markdown enums
+Jay Satiro (15 Jun 2021)
+- docs: Remove outdated curl tool limitation
   
-  We use dashes instead of dots nearly everywhere except for those few
-  cases. This commit addresses this issues and brings more coherency into
-  it.
+  - Document that HTTP/2 multiplexing is supported by the curl tool when
+    parallel transfers are used.
   
-  Closes #7093
-
-- [Emil Engler brought this change]
+  Supported since 7.66.0 via --parallel, but the doc wasn't updated.
+  
+  Closes https://github.com/curl/curl/pull/7259
 
-  docs: improve INTERNALS.md regarding getsock cb
+- http2: Clarify 'Using HTTP2' verbose message
   
-  This adds the I/O prefix to indicate that those "actions" are kind-of
-  related to those found in select(2) or poll(2) (reading/writing).
+  - Change phrasing from multi-use to multiplexing since the former may
+    not be as well understood.
   
-  It also adds a note where the prototypes of those functions can be found
-  in the source code.
+  Before: * Using HTTP2, server supports multi-use
   
-  Closes #7092
+  After: * Using HTTP2, server supports multiplexing
+  
+  Bug: https://github.com/curl/curl/discussions/7255
+  Reported-by: David Hu
+  
+  Closes https://github.com/curl/curl/pull/7258
 
-- [Emil Engler brought this change]
+Daniel Stenberg (14 Jun 2021)
+- winbuild/README: VC should be set to 6 'or larger'
+  
+  Previously it listed all versions up to 15 (missing 16) but this new
+  phrasing is more open ended.
+  
+  Reported-by: Hugh Macdonald
+  Fixes #7253
+  Closes #7254
+
+- [Jacob Hoffman-Andrews brought this change]
 
-  docs: document attach in INTERNALS.md
+  rustls: remove native_roots fallback
   
-  The new field in the Curl_handler struct still lacks documentation. This
-  adds it it from the information extracted from lib/urldata.h:797
+  For the commandline tool, we expect to be passed
+  SSL_CONN_CONFIG(CAfile); for library use, the use should pass a set of
+  trusted roots (like in other TLS backends).
   
-  Closes #7091
+  This also removes a dependency on Security.framework when building on
+  macOS.
+  
+  Closes #7250
 
-- [Marc Aldorasi brought this change]
+- [Albin Vass brought this change]
 
-  config: remove now-unused macros
+  travis: remove jobs that have migrated to zuul
   
-  Closes #7094
+  Closes #7245
 
-- [Marc Aldorasi brought this change]
+- [Mohammed Naser brought this change]
 
-  hostip.h: remove declaration of unimplemented function
+  CI: add jobs using Zuul
   
-  Closes #7094
-
-- h3: add 'attach' callback to protocol handlers
+  It also includes a few changes to get the builds going:
+  - Added autoconf to common dependencies
+  - Added automake to common dependencies
+  - Added libtool to common dependencies
+  - Added libssl-dev to common dependencies
   
-  Follow-up to 0c55fbab45be
+  Co-authored-by: Albin Vass
   
-  Reviewed-by: Emil Engler
-  Closes #7090
+  Closes #7245
 
-- wolfssl: remove SSLv3 support leftovers
+- netrc: skip 'macdef' definitions
   
-  Closes #7088
+  Add test 494 to verify
+  
+  Reported-by: Harry Sintonen
+  Fixes #7238
+  Closes #7244
 
-- curl-wolfssl.m4: without custom include path, assume /usr/include
+- multi: add scan-build-6 work-around in curl_multi_fdset
   
-  ... so that we can point out the root of the OpenSSL emulation headers.
-  Previously this used the '$includedir' variable which is wrong since
-  that defaults to the dir where the current configure invoke will install
-  the built libcurl headers: /usr/local by default.
+  scan-build-6 otherwise warns, saying: warning: The left operand of '>='
+  is a garbage value otherwise, which is false.
   
-  Fixes #7085
-  Reported-by: Joel Jakobsson
-  Closes #7087
-
-- [Joel Depooter brought this change]
+  Later scan-builds don't claim this on the same code.
+  
+  Closes #7248
 
-  data_pending: check only SECONDARY socket for FTP(S) transfers
+- asyn-ares: remove check for 'data' in Curl_resolver_cancel
   
-  Check the FIRST for all other protocols.
+  It implied it would survive a NULL in there which it won't. Instead do
+  an assert.
   
-  This fixes a timeout in an ftps download. The server sends a TLS
-  close_notify message in the same packet as the file data. The
-  close_notify seems to not be handled in the schannel_recv function, so
-  libcurl is not aware that the server has closed the connection. Thus
-  libcurl ends up waiting for action on the socket until a timeout is
-  reached. With the secondary socket check added to the data_pending
-  function, the close_notify is properly handled, and the ftps transfer
-  terminates as expected.
+  Pointed out by scan-build.
   
-  Fixes #7068
-  Closes #7069
+  Closes #7248
 
-- github: inhibit deprecated declarations for clang on macOS
+- url.c: remove two variable assigns that are never read
   
-  ... as they otherwise cause ldap build errors in the CI.
+  Pointed out by scan-build
   
-  Fixes #7081
-  Closes #7082
+  Closes #7248
 
-- conn: add 'attach' to protocol handler, make libssh2 use it
+- [Gealber Morales brought this change]
+
+  mqtt: add support for username and password
   
-  The libssh2 backend has SSH session associated with the connection but
-  the callback context is the easy handle, so when a connection gets
-  attached to a transfer, the protocol handler now allows for a custom
-  function to get used to set things up correctly.
+  Minor-edits-by: Daniel Stenberg
+  Added test 2200 to 2205
   
-  Reported-by: Michael O'Farrell
-  Fixes #6898
-  Closes #7078
+  Closes #7243
 
-- http2: make sure pause is done on HTTP
-  
-  Since the function is called for any protocol, we can't assume that the
-  HTTP struct is there without first making sure it is HTTP.
+- travis: remove the arm job
   
-  Reported-by: Denis Goleshchikhin
-  Fixes #7079
-  Closes #7080
+  We do it on circle CI instead
 
-- docs: cookies from HTTP headers need domain set
+- CI: add .circleci/config.yml
   
-  ... or the cookies won't get sent. Push users to using the "Netscape"
-  format instead, which curl uses when saving a cookie "jar".
+  Assisted-by: Gabriel Simmer
   
-  Reported-by: Martin Dorey
-  Reviewed-by: Daniel Gustafsson
-  Fixes #6723
-  Closes #7077
+  Closes #7239
 
 - RELEASE-NOTES: synced
 
-- github: add a workflow with libssh2 on macOS using cmake
-  
-  Closes #7047
+- runtests: init $VERSION to avoid warnings when using -l
 
-- sws: allow HTTP requests up to 2MB in size
+- openssl: don't remove session id entry in disassociate
   
-  To allow tests with slightly larger payloads. Like #7071 ...
+  When a connection is disassociated from a transfer, the Session ID entry
+  should remain.
   
-  Closes #7075
-
-Marc Hoersken (16 May 2021)
-- CI/azure: increase verbosity and fix outdated task names
+  Regression since 7f4a9a9 (shipped in libcurl 7.77.0)
+  Reported-by: Gergely Nagy
+  Reported-by: Paul Groke
   
-  Closes #7063
+  Fixes #7222
+  Closes #7230
 
-- CI/cirrus: add shared and static Windows release builds
+- single_transfer: ignore blank --output-dir
   
-  Azure Pipelines is currently being used for debug builds,
-  let's also run some non-debug (release) Windows builds and
-  make use of previously underutilized Cirrus CI for that.
+  ... as otherwise it creates a rather unexpected target directory with a
+  leading slash.
   
-  Reviewed-by: Marcel Raad
+  Reported-by: Harry Sintonen
+  Fixes #7218
+  Closes #7233
+
+- tests: update README about servers and port numbers
   
-  Closes #6991
+  Closes #7242
 
-Daniel Stenberg (16 May 2021)
-- CURLOPT_CAPATH.3: defaults to a path, not NULL
+- conn_shutdown: if closed during CONNECT cleanup properly
   
-  Reported-by: Andrew Barnert
+  Reported-by: Alex Xu
+  Reported-by: Phil E. Taylor
   
-  Closes #7062
+  Fixes #7236
+  Closes #7237
 
-- [Jacob Hoffman-Andrews brought this change]
+- [Christian Weisgerber brought this change]
 
-  c-hyper: handle body on HYPER_TASK_EMPTY
-  
-  Some of the time, we get a HYPER_TASK_EMPTY response before the status
-  line, headers, and body have been read. Previously, that would cause us
-  to poll again, leading to a 1 second timeout.
+  sws: malloc request struct instead of using stack
   
-  The HYPER_TASK_EMPTY docs say:
+  ... 2MB requests is otherwise just too big for some systems.
   
-     The value of this task is null (does not imply an error).
+  (The allocations are not freed properly.)
   
-  So, if we receive a HYPER_TASK_EMPTY, continue on with processing the
-  response.
+  Bug: https://curl.se/mail/lib-2021-06/0018.html
   
-  Reported-by: Kevin Burke
-  Fixes #7064
-  Closes #7070
+  Closes #7235
 
-- [Ikko Ashimine brought this change]
+- [Mark Swaanenburg brought this change]
 
-  tool_getparam: fix comment typo in tool_getparam.c
+  lib: don't compare fd to FD_SETSIZE when using poll
   
-  enfore -> enforce
+  FD_SETSIZE is irrelevant when using poll. So ensuring that the file
+  descriptor is smaller than FD_SETSIZE in VALID_SOCK, can cause
+  multi_wait to ignore perfectly valid file descriptors and simply wait
+  for 1s to avoid hammering the CPU in a busy loop.
   
-  Closes #7074
+  Fixes #7240
+  Closes #7241
 
-- mem-include-scan.pl: require a non-word letter before memory funcs
-  
-  ... so that ldap_memfree() for example doesn't match the scan for free.
-  
-  Closes #7061
+- [zhangxiuhua brought this change]
 
-- version: free the openldap info correctly
-  
-  ... to avoid memory leaks.
+  doh: fix wrong DEBUGASSERT for doh private_data
   
-  Follow-up to: bf0feae7768d9
-  Closes #7061
+  Closes #7227
 
-- dupset: remove totally off comment
-  
-  Closes #7067
+- [yb999 brought this change]
 
-- configure: if asked for, fail if ldap is not found
+  tests: update README.md with a missing single quote
   
-  Reported-by: Jakub Zakrzewski
-  Fixes #7053
-  Closes #7055
+  Closes #7231
 
-- version: add OpenLDAP version in the output
+- GHA: run all tests for hyper too
   
-  Assisted-by: Howard Chu
-  Closes #7054
-
-Jay Satiro (13 May 2021)
-- [Joel Depooter brought this change]
+  As it lists disabled ones in DISABLED now
+  
+  Closes #7209
 
-  schannel: Ensure the security context request flags are always set
+- tests/data/DISABLED: add tests not working with hyper
   
-  As of commit 54e7475, these flags would only be set when using a new
-  credential handle. When re-using an existing credential handle, the
-  flags would not be set.
+  The goal is to remove them all from here over time.
   
-  Closes https://github.com/curl/curl/pull/7051
-
-Dan Fandrich (12 May 2021)
-- tests: Fix some tag matching issues in a number of tests
+  Closes #7209
 
-Daniel Stenberg (12 May 2021)
-- sasl: use 'unsigned short' to store mechanism
-  
-  ... saves a few bytes of struct size in memory and it only uses
-  10 bits anyway.
+- runtests: also find the last test in Makefile.inc
   
-  Closes #7045
+  Closes #7209
 
-- hostip: remove the debug code for LocalHost
+- test3010: work with hyper mode
   
-  The Curl_resolv() had special code (when built in debug mode) for when
-  resolving the host name "LocalHost" (using that exact casing). It would
-  then get the host name from the --interface option instead.
+  Closes #7209
+
+- configure: disable RTSP when hyper is selected
   
-  This development-only feature was not used by anything (anymore) and we
-  have the --resolve feature if we want to play similar tricks properly
-  going forward.
+  Makes test 1013 work
   
-  Closes #7044
+  Closes #7209
 
-- progress: reset limit_size variables at transfer start
+- test1594/1595/1596: fix to work in hyper mode
   
-  Otherwise the old value would linger from a previous use and would mess
-  up the network speed cap logic.
+  Closes #7209
+
+- test1438/1457: add HTTP keyword to make hyper mode work
   
-  Reported-by: Ymir1711 on github
+  Closes #7209
+
+- test1340/1341: adjusted for hyper mode
   
-  Fixes #7042
-  Closes #7043
+  Closes #7209
 
-- RELEASE-NOTES: synced
+- test1218: adjusted for hyper mode
+  
+  Closes #7209
 
-- [Daniel Gustafsson brought this change]
+- test1216: adjusted for hyper mode
+  
+  Closes #7209
 
-  cookies: use CURLcode for cookie_output reporting
+- test1230: adjust to work in hyper mode
   
-  Writing the cookie file has multiple error conditions, and was using an
-  int with magic numbers to report the different error (which in turn were
-  disregarded anyways). This moves reporting to use a CURLcode value.
+  Closes #7209
+
+- c-hyper: abort CONNECT response reading early on non 2xx responses
   
-  Lightly-touched-by: Daniel Stenberg
+  Fixes test 493
   
-  Closes #7037
-  Closes #6749
+  Closes #7209
 
-- [Daniel Gustafsson brought this change]
+- test434: add HTTP keyword
+  
+  Closes #7209
 
-  cookies: make use of string duplication function
+- test599: adjusted to work in hyper mode
   
-  strstore() is defined as a strdup which ensures to free the target
-  pointer before duping the source char * into it. Make use of it in
-  two more cases where it can simplify the code.
+  Closes #7209
 
-- [Daniel Gustafsson brought this change]
+- c-hyper: fix the uploaded field in progress callbacks
+  
+  Makes test 578 work
+  
+  Closes #7209
 
-  cookies: refactor comments
+- test566: adjust to work with hyper mode
   
-  Comments in the cookie code were a bit all over the place in terms of
-  style and wording. This takes a stab at cleaning them up by keeping to
-  a single style and overall shape. Some comments are moved a little and
-  some removed alltogether due to being redundant. No functional changes
-  have been made,
+  Closes #7209
 
-- [Peng-Yu Chen brought this change]
+- [Fawad Mirza brought this change]
 
-  http2: skip immediate parsing of payload following protocol switch
-  
-  This is considered not harmful as a following http2_recv shall be
-  called very soon.
+  CURLOPT_WRITEFUNCTION.3: minor update of the example
   
-  This is considered helpful in the specific situation where some
-  servers (e.g. nghttpx v1.43.0) may fulfill stream 1 immediately
-  following the return of HTTP status 101, other than waiting for
-  the client-side connection preface to arrive.
+  Safely avoid chunk.size garbage value if declared non globally.
   
-  Fixes #7036
-  Closes #7040
+  Closes #7219
 
-- [Peng-Yu Chen brought this change]
+- [Bastian Krause brought this change]
 
-  http2: use nghttp2_session_upgrade2 instead of nghttp2_session_upgrade
+  configure: rename get-easy-option configure option to get-easy-options
   
-  Following the upstream deprecation of nghttp2_session_upgrade.
+  "get-easy-options" is the configure option advertised by the help text
+  anyway, so use that.
   
-  Also provides further checks for requests with the HEAD method.
+  Fixes #7211
+  Closes #7213
   
-  Closes #7041
+  Follow-up to ad691b191 ("configure: added --disable-get-easy-options")
+  Suggested-by: Daniel Stenberg <daniel@haxx.se>
+  Signed-off-by: Bastian Krause <bst@pengutronix.de>
 
-- progress/trspeed: use a local convenient pointer to beautify code
+- runtests: skip disabled tests unless -f is used
   
-  The function becomes easier to read and understand with less repetition.
+  To make it easier to write ranges like '115 to 229' without that
+  explicitly enabling tests that are listed in DISABLED, this makes
+  runtests always skip disabled tests unless the -f command line option is
+  used.
+  
+  Previously the code attempted to not run such tests, but didn't do it
+  correctly.
+  
+  Closes #7212
 
-- trspeed: use long double for transfer speed calculation
+- [Jun-ya Kato brought this change]
 
-- progress: move transfer speed calc into function
+  ngtcp2: disable TLSv1.3 compatible mode when using GnuTLS
   
-  This silences two scan-build-11 warnings: "The result of the '/'
-  expression is undefined"
+  The latest GnuTLS-3.7.2 implements disable switch for TLSv1.3 compatible
+  mode for middle box but it is enabled by default, which is unnecessary
+  for QUIC.
   
-  Bug: https://curl.se/mail/lib-2021-05/0022.html
-  Closes #7035
-
-- [Cameron Cawley brought this change]
+  Fixes #6896
+  Closes #7202
 
-  openssl: remove unneeded cast for CertOpenSystemStore()
+- test644: remove as duplicate of test 587
   
-  Closes #7025
+  Closes #7208
 
-- travis: disable the libssh build
+Daniel Gustafsson (8 Jun 2021)
+- RELEASE-NOTES: synced
+
+- cookies: track expiration in jar to optimize removals
   
-  It can't run on focal and causes warnings on bionic. Since the focal
-  failure started rather suddenly a while ago, we can suspect it might be
-  temporary.
+  Removing expired cookies needs to be a fast operation since we want to
+  be able to perform it often and speculatively. By tracking the timestamp
+  of the next known expiration we can exit early in case the timestamp is
+  in the future.
   
-  Added "bring back the build" to the TODO document.
+  Closes: #7172
+  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+Daniel Stenberg (7 Jun 2021)
+- GHA: add several libcurl tests to the hyper job
   
-  Fixes #7011
-  Closes #7012
+  500 to 512
 
-- [Peng-Yu Chen brought this change]
+- test500: adjust to work with hyper mode
 
-  http: use calculated offsets inst of integer literals for header parsing
+- c-hyper: support CURLINFO_STARTTRANSFER_TIME
   
-  Assumed to be a minor coding style improvement with no behavior change.
+  Closes #7204
+
+- c-hyper: support CURLOPT_HEADER
   
-  A modern compiler is expected to have the calculation optimized during
-  compilation. It may be deemed okay even if that's not the case, since
-  the added overhead is considered very low.
+  When enabled, the headers are passed to the body write callback as well.
   
-  Closes #7032
-
-- [Peng-Yu Chen brought this change]
-
-  GIT-INFO: suggest using autoreconf instead of buildconf
+  Like in test 500
   
-  Follow-up to 85868537d
+  Closes #7204
+
+- GHA: run the newly fixed tests with hyper
   
-  Closes #7033
+  Closes #7205
 
-- http: deal with partial CONNECT sends
+- test433: adjust for hyper mode
   
-  Also added 'CURL_SMALLSENDS' to make Curl_write() send short packets,
-  which helped verifying this even more.
+  Closes #7205
+
+- test395: hyper cannot work around > 64 bit content-lengths like built-in
   
-  Add test 363 to verify.
+  Closes #7205
+
+- test394: hyper returns a different error
   
-  Reported-by: ustcqidi on github
-  Fixes #6950
-  Closes #7024
+  Closes #7205
 
-- HTTP3: make the ngtcp2 build use the quictls fork
+- test393: make Content-Length fit within 64 bit for hyper
   
-  ... as ngtcp2 itself documents the build this way.
+  Closes #7205
+
+- test347: CRLFify to work in hyper mode
   
-  Closes #7031
+  Closes #7205
 
-- http: limit the initial send amount to used upload buffer size
+- test339: CRLFify better to work in hyper mode
   
-  Previously this logic would cap the send to CURL_MAX_WRITE_SIZE bytes,
-  but for the situations where a larger upload buffer has been set, this
-  function can benefit from sending more bytes. With default size used,
-  this does the same as before.
+  Closes #7205
+
+- travis: remove the hyper build
+
+- GHA: add a linux-hyper job
   
-  Also changed the storage of the size to an 'unsigned int' as it is not
-  allowed to be set larger than 2M.
+  Closes #7206
+
+- test328: avoid a header-looking body to make hyper mode work
   
-  Also added cautions to the man pages about changing buffer sizes in
-  run-time.
+  The test still works the same, just modified two bytes in the content.
   
-  Closes #7022
+  Closes #7203
 
-- RELEASE-NOTES: synced
+- release-notes.pl: also spot common 'closes' typo
 
-- ngtcp2: fix the cb_acked_stream_data_offset proto
+- metalink: remove
   
-  The 'datalen' value should be 64 bit, not size_t!
+  Warning: this will make existing curl command lines that use metalink to
+  stop working.
   
-  Reported-by: Dmitry Karpov
-  Bug: https://curl.se/mail/lib-2021-05/0019.html
-  Closes #7027
-
-- progress: when possible, calculate transfer speeds with microseconds
+  Reasons for removal:
   
-  ... this improves precision, especially for transfers in the few or even
-  sub millisecond range.
+  1. We've found several security problems and issues involving the
+     metalink support in curl. The issues are not detailed here. When
+     working on those, it become apparent to the team that several of the
+     problems are due to the system design, metalink library API and what
+     the metalink RFC says. They are very hard to fix on the curl side
+     only.
   
-  Reported-by: J. Bromley
-  Fixes #7017
-  Closes #7020
-
-- http: reset the header buffer when sending the request
+  2. The metalink usage with curl was only very briefly documented and was
+     not following the "normal" curl usage pattern in several ways, making
+     it surprising and non-intuitive which could lead to further security
+     issues.
   
-  A reused transfer handle could otherwise reuse the previous leftover
-  buffer and havoc would ensue.
+  3. The metalink library was last updated 6 years ago and wasn't so
+     active the years before that either. An unmaintained library means
+     there's a security problem waiting to happen. This is probably reason
+     enough.
+  
+  4. Metalink requires an XML parsing library, which is complex code (even
+     the smaller alternatives) and to this day often gets security
+     updates.
+  
+  5. Metalink is not a widely used curl feature. In the 2020 curl user
+     survey, only 1.4% of the responders said that they'd are using it. In
+     2021 that number was 1.2%. Searching the web also show very few
+     traces of it being used, even with other tools.
+  
+  6. The torrent format and associated technology clearly won for
+     downloading large files from multiple sources in parallel.
   
-  Reported-by: sergio-nsk on github
-  Fixes #7018
-  Closes #7021
+  Cloes #7176
 
-- curl_mprintf.3: add description
+- docs/INSTALL: remove mentions of configure --with-darwin-ssl
   
-  These functions have existed in the API since the dawn of time. It is
-  about time we describe how they work, even if we discourage users from
-  using them.
+  ... as it isn't supported since a while back.
   
-  Closes #7010
+  Make configure fail with a warning if used.
+  
+  Reported-by: Vadim Grinshpun
+  Bug: https://curl.se/mail/lib-2021-06/0008.html
+  Closes #7200
 
-- [Timothy Gu brought this change]
+- RELEASE-NOTES: synced
 
-  URL-SYNTAX: update IDNA section for WHATWG spec changes
+- [Gregor Jasny brought this change]
+
+  cmake: Avoid leaking absolute paths into exported config
   
-  WHATWG URL has dictated the use of Nontransitional Processing (IDNA
-  2008) for several years now. Chrome (and derivatives) still use
-  Transitional Processing, but Firefox and Safari have both switched.
+  The `find_libarary` command resolves the library or framework
+  into an absolute path. In case of system frameworks which are
+  located within an Xcode-provided SDK this results in the Xcode
+  path and SDK version being part of the library path.
   
-  Also document the fact that winidn functions differently from libidn2
-  here.
+  Because those library paths end up in the exported CMake config
+  importing curl will fail once the Xcode location or SDK version
+  changes:
   
-  Closes #7026
+  ```cmake
+  set_target_properties(CURL::libcurl PROPERTIES
+    INTERFACE_INCLUDE_DIRECTORIES "${_IMPORT_PREFIX}/include"
+    INTERFACE_LINK_LIBRARIES "lber;ldap;/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.3.sdk/System/Library/Frameworks/SystemConfiguration.framework;OpenSSL::SSL;OpenSSL::Crypto;ZLIB::ZLIB"
+  )
+  ```
+  
+  A work-around is to link against system-level frameworks with
+  `-framework XYZ`. In case of `SystemConfiguration` we might be able
+  to omit the lookup-check because we could assume the framework is
+  always present.
+  
+  Closes #7152
 
-- [Calvin Buckley brought this change]
+- [Shikha Sharma brought this change]
 
-  INSTALL: add IBM i specific quirks
+  http2_connisdead: handle trailing GOAWAY better
   
-  Fixes #6830
-  Closes #7013
+  When checking the connection the input processing returns error
+  immediately, we now consider that a dead connnection.
+  
+  Bug: https://curl.se/mail/lib-2021-06/0001.html
+  Closes #7192
 
-- libcurl.3: mention the URL API
+- [Dmitry Karpov brought this change]
+
+  ares: always store IPv6 addresses first
   
-  To make it easier to find. Also a minor polish of libcurl-url.3
+  Trying dual-stack on some embedded platform, I noticed that quite
+  frequently (20%) libCurl starts from IPv4 regardless the Happy Eyeballs
+  timeout value.  After debugging this issue, I noticed that this happens
+  if c-ares resolver response for IPv6 family comes before IPv4 (which was
+  randomly happening in my tests).
   
-  Closes #7009
-
-- GnuTLS: don't allow TLS 1.3 for versions that don't support it
+  In such cases, because libCurl puts the last resolver response on top of
+  the address list, when IPv4 resolver response comes after IPv6 one - the
+  IPv4 family starts the connection phase instead of IPv6 family.
   
-  Follow-up to 781864bedbc5
+  The solution for this issue is to always put IPv6 addresses on top of
+  the address list, regardless the order of resolver responses.
   
-  ... as they don't understand it and will return error at us!
+  Bug: https://curl.se/mail/lib-2021-06/0003.html
   
-  Closes #7014
+  Closes #7188
 
-Kamil Dudka (6 May 2021)
-- tool_getparam: handle failure of curlx_convert_tchar_to_UTF8()
+- Revert "Revert "socketpair: fix potential hangs""
   
-  Reported by GCC analyzer:
+  This reverts commit 3e70c3430a370a31eff2c1d8fea29edaca8f1127.
   
-  Error: GCC_ANALYZER_WARNING (CWE-476):
-  src/tool_getparam.c: scope_hint: In function 'parse_args'
-  src/tool_getparam.c:2318:38: warning[-Wanalyzer-possible-null-dereference]: dereference of possibly-NULL 'orig_opt'
-  lib/curlx.h:56: included_from: Included from here.
-  src/tool_getparam.c:28: included_from: Included from here.
-  lib/curl_multibyte.h:70:51: note: in definition of macro 'curlx_convert_tchar_to_UTF8'
-  src/tool_getparam.c:2316:16: note: in expansion of macro 'curlx_convert_tchar_to_UTF8'
+  Thus brings back the change from #7144 as was originally landed in
+  c769d1eab4de8b
   
-  Reviewed-by: Marcel Raad
-  Reviewed-by: Daniel Stenberg
-  Closes #7023
+  Closes #7144 (again)
 
-Daniel Stenberg (6 May 2021)
-- scripts/delta: also show total number of days
+- [Ebe Janchivdorj brought this change]
 
-Marc Hoersken (5 May 2021)
-- sockfilt: fix invalid increment of handles index variable nfd
-  
-  Only increment the array index if we actually stored a handle.
+  schannel: move code out of SChannel_connect_step1
   
-  Follow up to e917492048f4b85a0fd58a033d10072fc7666c3b
-  Closes #6992
+  Reviewed-by: Marc Hoersken
+  Closes #7168
 
-- sockfilt: avoid getting stuck waiting for writable socket
-  
-  Reset FD_WRITE event using the same approach as in multi.c
+- tests/data/Makefile.inc: error: trailing backslash on last line
   
-  Follow up to b36442b24305f3cda7c13cc64b46838995a4985b
-  Closes #6992
+  Follow-up to d8dcb399b8009d
 
-Jay Satiro (5 May 2021)
-- test678: Fix for Windows multibyte builds
-  
-  Follow-up to 77fc385 from yesterday.
-  
-  Bug: https://github.com/curl/curl/pull/6662#issuecomment-832966557
-  Reported-by: Marc Hörsken
+- TODO: Support rate-limiting for MQTT
 
 - [Dmitry Kostjuchenko brought this change]
 
-  build: fix compilation for Windows UWP platform
+  warnless: simplify type size handling
   
-  - Include afunix.h which is necessary for sockaddr_un when
-    USE_UNIX_SOCKETS is defined on Windows.
+  By using sizeof(T), existing defines and relying on the compiler to
+  define the required signed/unsigned mask.
   
-  Closes https://github.com/curl/curl/pull/7006
+  Closes #7181
 
-Daniel Stenberg (5 May 2021)
-- gnutls: make setting only the MAX TLS allowed version work
-  
-  Previously, settting only the max allowed TLS version, leaving the
-  minimum one at default, didn't actually set it and left it to default
-  (TLS 1.3) too!
-  
-  As a bonus, this change also removes the dead code handling of SSLv3
-  since that version can't be set anymore (since eff614fb0242cb).
+Gisle Vanem (4 Jun 2021)
+- [Win32] Fix for USE_WATT32
   
-  Reported-by: Daniel Carpenter
-  Fixes #6998
-  Closes #7000
+  My Watt-32 tcp/ip stack works on Windows but it does not have `WSAIoctl()`
 
-- openldap: replace ldap_ prefix on private functions
-  
-  Since openldap itself uses that prefix and with OpenĹDAP 2.5.4 (at
-  least) there's a symbol collision because of that.
+Daniel Stenberg (4 Jun 2021)
+- [Alexis Vachette brought this change]
+
+  url: bad CURLOPT_CONNECT_TO syntax now returns error
   
-  The private functions now use the 'oldap_' prefix where it previously
-  used 'ldap_'.
+  Added test 3020 to verify
   
-  Reported-by: 3eka on github
-  Fixes #7004
-  Closes #7005
+  Closes #7183
 
-Jay Satiro (5 May 2021)
-- http2: fix potentially uninitialized variable
+- github: remove the cmake macOS gcc-8 jobs
   
-  introduced several days ago in 3193170. caught by visual studio linker.
-
-- [Gilles Vollant brought this change]
+  They're too similar to the gcc-9 ones to be useful (and seems to not
+  work anymore).
+  
+  Closes #7187
 
-  SSL: support in-memory CA certs for some backends
+- test269: disable for hyper
   
-  - New options CURLOPT_CAINFO_BLOB and CURLOPT_PROXY_CAINFO_BLOB to
-    specify in-memory PEM certificates for OpenSSL, Schannel (Windows)
-    and Secure Transport (Apple) SSL backends.
+  --ignore-content-length / CURLOPT_IGNORE_CONTENT_LENGTH doesn't work
+  with hyper.
   
-  Prior to this change PEM certificates could only be imported from a file
-  and not from memory.
+  Closes #7184
+
+- runtests: enable 'hyper mode' only for HTTP tests
   
-  Co-authored-by: moparisthebest@users.noreply.github.com
+  The 'hyper mode' makes line-ending checks work in the test suite for
+  when hyper is used. Now it also requires that HTTP or HTTPS are
+  mentioned as keywords to be enabled so that it doesn't wrongly adjusts
+  tests for other protocols.
   
-  Ref: https://github.com/curl/curl/pull/4679
-  Ref: https://github.com/curl/curl/pull/5677
-  Ref: https://github.com/curl/curl/pull/6109
+  This makes test 271 (TFTP) work again in hyper enabled builds.
   
-  Closes https://github.com/curl/curl/pull/6662
+  Closes #7185
 
-Daniel Stenberg (4 May 2021)
-- [David Cook brought this change]
+- [Alexis Vachette brought this change]
 
-  tests: ignore case of chunked hex numbers in tests
+  hostip: bad CURLOPT_RESOLVE syntax now returns error
   
-  When hyper is used, it emits uppercase hexadecimal numbers for chunked
-  encoding lengths. Without hyper, lowercase hexadecimal numbers are used.
-  This change adds preprocessor statements to tests where this is an
-  issue, and adapts the fixtures to match.
+  Added test 3019
+  Fixes #7170
+  Closes #7174
+
+Daniel Gustafsson (3 Jun 2021)
+- cookies: fix typo and expand comment
   
-  Closes #6987
+  Fix a typo in the sorting comment, and while in there elaborate slightly
+  on why creationtime can be used as a tiebreaker.
 
-- cmake: check for getppid and utimes
+- cookies: remove unused header
   
-  ... as they're checked for in the configure script and are used by
-  source code.
+  Commit 1c1d9f1affbd3367bcb24062e261d0ea5d185e3a removed the last use
+  for the inet_pton.h headerfile, this removes the inclusion of the
+  header.
   
-  Removed checks for perror, setvbuf and strlcat since those defines are
-  not checked for in source code.
+  Closes: #7182
+  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+Daniel Stenberg (3 Jun 2021)
+- Revert "socketpair: fix potential hangs"
   
-  Bonus: removed HAVE_STRLCPY from a few config-*.h files since that
-  symbol is not used in source code.
+  This reverts commit c769d1eab4de8b9f1bd84d992c63692fdc43c5be.
   
-  Closes #6997
+  See #7144 for details
 
-- libtest: remove lib530.c
+- [Paul Groke brought this change]
+
+  socketpair: fix potential hangs
   
-  Follow up from e50a877df when test 530 was removed. Since then this
-  source file has not been used/needed.
+  Fixes potential hang in accept by using select + non-blocking accept.
   
-  Closes #6999
-
-- FILEFORMAT: mention sectransp as a feature
+  Fixes potential hang in peer check by replacing the send/recv check with
+  a getsockname/getpeername check.
   
-  Been supported since at least 40259ca65
+  Adds length check for returned sockaddr data.
   
-  Closes #7001
-
-- RELEASE-NOTES: synced
+  Closes #7144
 
-- libssh2: ignore timeout during disconnect
+- runtests: parse data/Makefile.inc instead of using make
   
-  ... to avoid memory leaks!
+  The warning about missing entries in that file then doesn't require that
+  the Makefile has been regenerated which was confusing.
   
-  libssh2 is tricky as we have to deal with the non-blockiness even in
-  close and shutdown cases. In the cases when we shutdown after a timeout
-  already expired, it is crucial that curl doen't let the timeout abort
-  the shutdown process as that then leaks memory!
+  The scan for the test num is a little more error prone than before
+  (since now it doesn't actually verify that it is legitimate Makefile
+  syntax), but I think it is good enough.
   
-  Reported-by: Benjamin Riefenstahl
-  Fixes #6990
+  Closes #7177
 
-- KNOWN_BUGS: add two HTTP/2 bugs
+- [Harry Sintonen brought this change]
 
-- KNOWN_BUGS: add three HTTP/3 issues
-  
-  ... and moved the HTTP/2 issues to its own section
+  filecheck: quietly remove test-place/*~
   
-  Closes #6606
-  Closes #6510
-  Closes #6494
+  Closes #7179
 
-- [ejanchivdorj brought this change]
+- CURLE_SETOPT_OPTION_SYNTAX: new error name for wrong setopt syntax
+  
+  For options that pass in lists or strings that are subsequently parsed
+  and must be correct. This broadens the scope for the option previously
+  known as CURLE_TELNET_OPTION_SYNTAX but the old name is of course still
+  provided as a #define for existing applications.
+  
+  Closes #7175
 
-  CURLcode: add CURLE_SSL_CLIENTCERT
+- tests: fix Accept-Encoding strips to work with Hyper builds
   
-  When a TLS server requests a client certificate during handshake and
-  none can be provided, libcurl now returns this new error code
-  CURLE_SSL_CLIENTCERT
+  The previous strip also removed the CR which turned problematic.
   
-  Only supported by Secure Transport and OpenSSL for TLS 1.3 so far.
+  valgrind.supp: add zstd suppression using hyper
   
-  Closes #6721
-
-- [Tobias Gabriel brought this change]
+  Reported-and-analyzed-by: Kevin Burke
+  Fixes #7169
+  Closes #7171
 
-  .github/FUNDING: add link to GitHub sponsors
+- github: timeout jobs on macOS after 90 minutes
   
-  Closes #6985
+  Assisted-by: Marc Hoersken
+  Closes #7173
 
 - [Harry Sintonen brought this change]
 
-  krb5/name_to_level: replace checkprefix with curl_strequal
+  mqtt: detect illegal and too large file size
   
-  Closes #6993
+  Add test 3017 and 3018 to verify.
+  Closes #7166
 
-- [Harry Sintonen brought this change]
+- [Abhinav Singh brought this change]
 
-  Curl_input_digest: require space after Digest
+  cmake: add CURL_DISABLE_NTLM option
   
-  Closes #6993
+  Closes #7028
 
-- [Harry Sintonen brought this change]
+- [Abhinav Singh brought this change]
 
-  Curl_http_header: check for colon when matching Persistent-Auth
+  configure: add --disable-ntlm option
   
-  Closes #6993
-
-- [Harry Sintonen brought this change]
+  Closes #7028
 
-  Curl_http_input_auth: require valid separator after negotiation type
-  
-  Closes #6993
+- [Abhinav Singh brought this change]
 
-- http: fix the check for 'Authorization' with Bearer
+  define: re-add CURL_DISABLE_NTLM and corresponding ifdefs
   
-  The code would wrongly check for it using an additional colon.
+  This flag will be further exposed by adding build options.
   
-  Reported-by: Blake Burkhart
-  Closes #6988
+  Reverts #6809
+  Closes #7028
 
-- [Kamil Dudka brought this change]
+- RELEASE-NOTES: synced
 
-  http2: fix a resource leak in push_promise()
-  
-  ... detected by Coverity:
-  
-  Error: RESOURCE_LEAK (CWE-772):
-  lib/http2.c:532: alloc_fn: Storage is returned from allocation function "duphandle".
-  lib/http2.c:532: var_assign: Assigning: "newhandle" = storage returned from "duphandle(data)".
-  lib/http2.c:552: noescape: Resource "newhandle" is not freed or pointed-to in "set_transfer_url".
-  lib/http2.c:555: leaked_storage: Variable "newhandle" going out of scope leaks the storage it points to.
+Viktor Szakats (1 Jun 2021)
+- travis: delete --enable-hsts option (it is the default now) [ci skip]
   
-  Closes #6986
-
-- [Kamil Dudka brought this change]
+  Reviewed-by: Daniel Stenberg
+  Closes #7167
 
-  http2: fix resource leaks in set_transfer_url()
-  
-  ... detected by Coverity:
-  
-  Error: RESOURCE_LEAK (CWE-772):
-  lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
-  lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
-  lib/http2.c:486: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.]
-  lib/http2.c:488: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
+Daniel Stenberg (1 Jun 2021)
+- hostip: fix 3 coverity complaints
   
-  Error: RESOURCE_LEAK (CWE-772):
-  lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
-  lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
-  lib/http2.c:493: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.]
-  lib/http2.c:495: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
+  Follow-up to 1a0ebf6632f889eed
   
-  Error: RESOURCE_LEAK (CWE-772):
-  lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
-  lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
-  lib/http2.c:500: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.]
-  lib/http2.c:502: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
+  - Check the return code to Curl_inet_pton() in two instances, even
+    though we know the input is valid so the functions won't fail.
   
-  Error: RESOURCE_LEAK (CWE-772):
-  lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
-  lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
-  lib/http2.c:505: noescape: Resource "u" is not freed or pointed-to in "curl_url_get". [Note: The source code implementation of the function has been overridden by a builtin model.]
-  lib/http2.c:507: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
+  - Clear the 'struct sockaddr_in' struct before use so that the
+    'sin_zero' field isn't left uninitialized.
   
-  Closes #6986
+  Detected by Coverity.
+  Assisted-by: Harry Sintonen
+  Closes #7163
 
-- [Jacob Hoffman-Andrews brought this change]
+- c-hyper: fix NTLM on closed connection tested with test159
+  
+  Closes #7154
 
-  rustls: use ALPN
+- conncache: lowercase the hash key for better match
   
-  Update required rustls to 0.5.0
+  As host names are case insensitive, the use of case sensitive hashing
+  caused unnecesary cache misses and therefore lost performance. This
+  lowercases the hash key.
   
-  Closes #6960
+  Reported-by: Harry Sintonen
+  Fixes #7159
+  Closes #7161
 
-- [Michał Antoniak brought this change]
+- mbedtls: make mbedtls_strerror always work
+  
+  If the function doesn't exist, provide a macro that just clears the
+  error message. Removes #ifdef uses from the code.
+  
+  Closes #7162
 
-  gskit: fix CURL_DISABLE_PROXY build
+- vtls: exit addsessionid if no cache is inited
   
-  Removed localfd and remotefd from ssl_backend_data (ued only with proxy
-  connection). Function pipe_ssloverssl return always 0, when proxy is not
-  used.
+  Follow-up to b249592d29ae0
   
-  Closes #6981
+  Avoids NULL pointer derefs.
+  
+  Closes #7165
 
-- [Michał Antoniak brought this change]
+- [Harry Sintonen brought this change]
 
-  gskit: fix undefined reference to 'conn'
+  Curl_ntlm_core_mk_nt_hash: fix OOM in error path
   
-  Closes #6980
-
-- [Jacob Hoffman-Andrews brought this change]
+  Closes #7164
 
-  tls: add USE_HTTP2 define
+Michael Kaufmann (1 Jun 2021)
+- ssl: read pending close notify alert before closing the connection
   
-  This abstracts across the two HTTP/2 backends: nghttp2 and Hyper.
+  This avoids a TCP reset (RST) if the server initiates a connection
+  shutdown by sending an SSL close notify alert and then closes the TCP
+  connection.
   
-  Add our own define for the "h2" ALPN protocol, so TLS backends can use
-  it without depending on a specific HTTP backend.
+  For SSL connections, usually the server announces that it will close the
+  connection with an SSL close notify alert. curl should read this alert.
+  If curl does not read this alert and just closes the connection, some
+  operating systems close the TCP connection with an RST flag.
   
-  Closes #6959
+  See RFC 1122, section 4.2.2.13
+  
+  If curl reads the close notify alert, the TCP connection is closed
+  normally with a FIN flag.
+  
+  The new code is similar to existing code in the "SSL shutdown" function:
+  try to read an alert (non-blocking), and ignore any read errors.
+  
+  Closes #7095
 
-- [Jacob Hoffman-Andrews brought this change]
+Daniel Stenberg (1 Jun 2021)
+- [Laurent Dufresne brought this change]
 
-  lib: fix 0-length Curl_client_write calls
+  setopt: fix incorrect comments
   
-  Closes #6954
+  Closes #7157
 
-- [Jacob Hoffman-Andrews brought this change]
+- [Laurent Dufresne brought this change]
 
-  lib: remove strlen call from Curl_client_write
+  mbedtls: add support for cert and key blob options
   
-  At all call sites with an explicit 0 len, pass an appropriate nonzero
-  len.
+  CURLOPT_SSLCERT_BLOB and CURLOPT_SSLKEY_BLOB weren't usable with
+  mbedtls backend, so the support was added.
   
-  Closes #6954
+  Closes #7157
 
-- [Ayushman Singh Chauhan brought this change]
+- [Gregor Jasny brought this change]
 
-  docs: camelcase it like GitHub everywhere
+  cmake: try well-known send/recv signature for Apple
   
-  Closes #6979
-
-Jay Satiro (27 Apr 2021)
-- [Lucas Servén Marín brought this change]
-
-  docs: fix typo in fail-with-body doc
+  The CMake `try_compile` command is especially slow for
+  the Xcode generator. With this patch applied it first tests
+  for the currently used (and Open Group specified) send/recv
+  signature. In case this fails testing falls-back to the
+  permutations.
   
-  This commit fixes a small typo in the documentation for the
-  --fail-with-body flag.
+  speed-up:
   
-  Closes https://github.com/curl/curl/pull/6977
-
-- lib: fix some misuse of curlx_convert_UTF8_to_tchar
+  ```
+  time cmake .. -GNinja -DCMAKE_USE_SECTRANSP=ON -DHTTP_ONLY=ON -DCMAKE_USE_LIBSSH2=OFF
+  before: 11.64s user 11.09s system 55% cpu 40.754 total
+  after:   7.84s user 6.57s  system 51% cpu 28.074 total
+  ```
   
-  curlx_convert_UTF8_to_tchar must be freed by curlx_unicodefree, but
-  prior to this change some uses mistakenly called free.
+  ```
+  time cmake .. -GXcode -DCMAKE_USE_SECTRANSP=ON -DHTTP_ONLY=ON -DCMAKE_USE_LIBSSH2=OFF
+  before: 217.07s user 104.15s system 60% cpu 8:51.79 total
+  after:  108.76s user  51.80s system 58% cpu 4:32.58 total
+  ```
   
-  I've reviewed all other uses of curlx_convert_UTF8_to_tchar and
-  curlx_convert_tchar_to_UTF8.
+  Closes #7158
+
+- http2: init recvbuf struct for pushed streams
   
-  Bug: https://github.com/curl/curl/pull/6602#issuecomment-825236763
-  Reported-by: sergio-nsk@users.noreply.github.com
+  Debug builds would warn that these structs were not initialized properly
+  for pushed streams.
   
-  Closes https://github.com/curl/curl/pull/6938
+  Ref: #7148
+  Closes #7153
 
-Daniel Stenberg (27 Apr 2021)
-- ntlm: precaution against super huge type2 offsets
+- Curl_ssl_getsessionid: fail if no session cache exists
   
-  ... which otherwise caused an integer overflow and circumvented the if()
-  conditional size check.
+  This function might get called for an easy handle for which the session
+  cache hasn't been setup. It now just returns a "miss" in that case.
   
-  Detected by OSS-Fuzz
-  Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33720
-  Assisted-by: Max Dymond
-  Closes #6975
-
-- c-hyper: fix unused variable ‘wrote’
+  Reported-by: Christoph M. Becker
+  Fixes #7148
+  Closes #7153
 
-- libcurl-security.3: be careful of setuid
+- GOVERNANCE: add 'user', 'committer' and 'contributor'
   
-  Reported-by: Harry Sintonen
-  Closes #6970
+  As those are commonly used terms in the project.
+  
+  Closes #7151
 
-- [Kevin Burke brought this change]
+- URL-SYNTAX.md: document the new 'localhost' treatment
 
-  c-hyper: don't write to set.writeheader if null
+- hostip: make 'localhost' return fixed values
   
-  Previously if a caller set CURLOPT_WRITEFUNCTION but did not set a
-  CURLOPT_HEADERDATA buffer, Hyper would still attempt to write headers to
-  the data->set.writeheader header buffer, even though it is null.  This
-  led to NPE segfaults attempting to use libcurl+Hyper with Git, for
-  example.
+  Resolving the case insensitive host name 'localhost' now returns the
+  addresses 127.0.0.1 and (if IPv6 is enabled) ::1 without using any
+  resolver.
   
-  Instead, process the client write for the status line using the same
-  logic we use to process the client write for the later HTTP headers,
-  which contains the appropriate guard logic. As a side benefit,
-  data->set.writeheader is now only read in one file instead of two.
+  This removes the risk that users accidentally resolves 'localhost' to
+  something else. By making sure 'localhost' is always local, we can
+  assume a "secure context" for such transfers (for cookies etc).
   
-  Fixes #6619
-  Fixes abetterinternet/crustls#49
-  Fixes hyperium/hyper#2438
-  Closes #6971
+  Closes #7039
 
-- wolfssl: handle SSL_write() returns 0 for error
-  
-  Reported-by: Timo Lange
-  
-  Closes #6967
+Daniel Gustafsson (31 May 2021)
+- docs: fix typos
 
-- easy: ignore sigpipe in curl_easy_send
+Daniel Stenberg (30 May 2021)
+- hsts: ignore numberical IP address hosts
   
-  Closes #6965
-
-- sigpipe: ignore SIGPIPE when using wolfSSL as well
+  Also, use a single function library-wide for detecting if a given hostname is
+  a numerical IP address.
   
-  Closes #6966
+  Reported-by: Harry Sintonen
+  Fixes #7146
+  Closes #7149
 
-- libcurl-security.3: don't try to filter IPv4 hosts based on the URL
+- test178: adjust for hyper
   
-  Closes #6942
+  Hyper returns the same error for wrong HTTP version as for negative
+  content-length. Test 178 verifies that negative content-length is
+  rejected but the hyper backend will return a different error for it (and
+  without any helpful message telling why the message was bad). It will
+  also not return any headers at all for the response, not even the ones
+  that arrived before the error.
+  
+  Closes #7147
 
-- [Harry Sintonen brought this change]
+- HYPER: remove mentions of deprecated development branch
 
-  nss_set_blocking: avoid static for sock_opt
+- c-hyper: handle NULL from hyper_buf_copy()
   
-  Reviewed-by: Kamil Dudka
-  Closes #6945
-
-- RELEASE-NOTES: synced
+  Closes #7143
 
-- [Yusuke Nakamura brought this change]
+- HSTS: not experimental anymore
 
-  docs/HTTP3.md: fix nghttp2's HTTP/3 server port
-  
-  Port 8443 does not work now.
-  Correct origin is in the quicwg's wiki.
-  https://github.com/quicwg/base-drafts/wiki/Implementations#ngtcp2
-  
-  Closes #6964
+- [Douglas R. Reno brought this change]
 
-- krb5: don't use 'static' to store PBSZ size response
+  INSTALL: use correct extension for CURL-DISABLE.md
   
-  ... because it makes the knowledge and usage cross-transfer in funny and
-  unexpected ways.
+  In INSTALL.MD, it's currently set to CURL-DISABLE-md instead of
+  CURL-DISABLE.md. This generates a 404 on the cURL website as well as
+  when viewing the docs through Github.
   
-  Reported-by: Harry Sintonen
-  Closes #6963
+  Closes #7142
 
-- [Kevin Burke brought this change]
+- travis: run tests 1 - 153 with hyper
 
-  m4: add security frameworks on Mac when compiling rustls
-  
-  Previously compiling rustls on Mac would only complete if you also
-  compiled the SecureTransport TLS backend, which curl would prefer to
-  the Rust backend.
-  
-  Appending these flags to LDFLAGS makes it possible to compile the
-  Rustls backend on Mac without the SecureTransport backend, which means
-  this patch will make it possible for Mac users to use the Rustls
-  backend for TLS.
+- c-hyper: convert HYPERE_INVALID_PEER_MESSAGE to CURLE_UNSUPPORTED_PROTOCOL
   
-  Reviewed-by: Jacob Hoffman-Andrews
+  Makes test 129 work (HTTP/1.2 response).
   
-  Fixes #6955
-  Cloes #6956
+  Closes #7141
 
-- krb5: remove the unused 'overhead' function
+- http_proxy: deal with non-200 CONNECT response with Hyper
   
-  Closes #6947
-
-- [Johann150 brought this change]
+  Makes test 94 and 95 work
+  
+  Closes #7141
 
-  curl_url_set.3: add memory management information
+- c-hyper: clear NTLM auth buffer when request is issued
   
-  wording taken from man page for CURLOPT_URL.3
+  To prevent previous ones to get reused on subsequent requests. Matches
+  how the built-in HTTP code works. Makes test 90 to 93 work.
   
-  As far as I can see, the URL part is either malloc'ed before due to
-  encoding or it is strdup'ed.
+  Add test 90 to 93 in travis.
   
-  Closes #6953
+  Closes #7139
 
-- [Jacob Hoffman-Andrews brought this change]
+- [Joel Depooter brought this change]
 
-  c-hpyer: fix handling of zero-byte chunk from hyper
+  schannel: set ALPN length correctly for HTTP/2
   
-  Closes #6951
-
-- CURLOPT_POSTFIELDS.3: clarify how it gets the size of the data
+  In a3268eca792f1 this code was changed to use the ALPN_H2 constant
+  instead of the NGHTTP2_PROTO_ALPN constant. However, these constants are
+  not the same. The nghttp2 constant included the length of the string,
+  like this: "\x2h2". The ALPN_H2 constant is just "h2". Therefore we need
+  to re-add the length of the string to the ALPN buffer.
   
-  Ref: https://curl.se/mail/lib-2021-04/0085.html
-  Closes #6943
-
-- [Ralph Langendam brought this change]
+  Closes #7138
 
-  cmake: make libcurl output filename configurable
+- travis: run tests 1-89 in the hyper build
   
-  Reviewed-by: Jakub Zakrzewski
-  Closes #6933
-
-- [Patrick Monnerat brought this change]
+  Closes #7137
 
-  vtls: reset ssl use flag upon negotiation failure
-  
-  Fixes the segfault in ldaps disconnect.
+- Revert "c-hyper: handle body on HYPER_TASK_EMPTY"
   
-  Reported-by: Illarion Taev
-  Fixes #6934
-  Closes #6937
-
-- configure: fix typo in TLS error message
+  This reverts commit c3eefa95c31f55657f0af422e8268d738f689066.
   
-  Reported-by: Pontus Lundkvist
-
-- README: link to the commercial support option
+  Reported-by: Kevin Burke
+  Fixes #7122
+  Closes #7136
 
-Jay Satiro (22 Apr 2021)
-- [Martin Halle brought this change]
+- [Jon Rumsey brought this change]
 
-  version: add gsasl_version to curl_version_info_data
-  
-  - Add gsasl_version string and bump to CURLVERSION_TENTH.
+  ccsidcurl: fix the compile errors
   
-  Ref: https://curl.se/mail/lib-2021-04/0003.html
+  Looks like the declaration of cpp shoule be const char ** and return
+  null if convert_version_info_string fails.
   
-  Closes https://github.com/curl/curl/pull/6843
+  Fixes #7134
+  Closes #7135
 
-- [Morten Minde Neergaard brought this change]
+- [Viktor Szakats brought this change]
 
-  schannel: Support strong crypto option
-  
-  - Support enabling strong crypto via optional user cipher list when
-    USE_STRONG_CRYPTO or SCH_USE_STRONG_CRYPTO is in the list.
-  
-  MSDN says SCH_USE_STRONG_CRYPTO "Instructs Schannel to disable known
-  weak cryptographic algorithms, cipher suites, and SSL/TLS protocol
-  versions that may be otherwise enabled for better interoperability."
+  docs: use --max-redirs instead of --max-redir
   
-  Ref: https://curl.se/mail/lib-2021-02/0066.html
-  Ref: https://curl.se/docs/manpage.html#--ciphers
-  Ref: https://curl.se/libcurl/c/CURLOPT_SSL_CIPHER_LIST.html
-  Ref: https://docs.microsoft.com/en-us/windows/win32/api/schannel/ns-schannel-schannel_cred
+  For consistency.
   
-  Closes https://github.com/curl/curl/pull/6734
+  Closes #7130
 
-Daniel Stenberg (22 Apr 2021)
 - RELEASE-NOTES: synced
+  
+  ... and bump to 7.77.1
 
-- ci: adapt to configure requiring an explicit TLS choice
+- [Michael Forney brought this change]
 
-- configure: split out each TLS library detector into its own function
+  travis: add bearssl build
   
-  ... and put those functions in separate m4 files per TLS library.
+  Closes #7133
 
-- configure: make the TLS library choice(s) explicit
-  
-  configure no longer tries to find a TLS library by default, but all
-  libraries are now equal: the user needs to explicitly ask what TLS
-  library or libraries to use.
-  
-  If no TLS library is selected, configure will error out unless
-  --without-ssl is explicitly used to request a built without TLS (as that
-  is very rare these days).
+- [Michael Forney brought this change]
+
+  bearssl: explicitly initialize all fields of Curl_ssl
   
-  Removes: --with-winssl, --with-darwinssl and all --without-* options for
-  TLS libraries.
+  Also, add comments like the other vtls backends.
   
-  Closes #6897
+  Closes #7133
 
-- tests/disable-scan.pl: also scan all m4 files
-  
-  Fixes test 1165 when functions are moved from configure.ac to files in
-  m4/
+- [Michael Forney brought this change]
 
-Jay Satiro (22 Apr 2021)
-- schannel: Disable auto credentials; add an option to enable it
-  
-  - Disable auto credentials by default. This is a breaking change
-    for clients that are using it, wittingly or not.
-  
-  - New libcurl ssl option value CURLSSLOPT_AUTO_CLIENT_CERT tells libcurl
-    to automatically locate and use a client certificate for
-    authentication, when requested by the server.
-  
-  - New curl tool options --ssl-auto-client-cert and
-    --proxy-ssl-auto-client-cert map to CURLSSLOPT_AUTO_CLIENT_CERT.
-  
-  This option is only supported for Schannel (the native Windows SSL
-  library). Prior to this change Schannel would, with no notification to
-  the client, attempt to locate a client certificate and send it to the
-  server, when requested by the server. Since the server can request any
-  certificate that supports client authentication in the OS certificate
-  store it could be a privacy violation and unexpected.
-  
-  Fixes https://github.com/curl/curl/issues/2262
-  Reported-by: Jeroen Ooms
-  Assisted-by: Wes Hinsley
-  Assisted-by: Rich FitzJohn
+  bearssl: remove incorrect const on variable that is modified
   
-  Ref: https://curl.se/mail/lib-2021-02/0066.html
-  Reported-by: Morten Minde Neergaard
+  hostname may be set to NULL later on in this function if it is an
+  IP address.
   
-  Closes https://github.com/curl/curl/pull/6673
+  Closes #7133
 
-Daniel Stenberg (22 Apr 2021)
-- [Michał Antoniak brought this change]
+Version 7.77.0 (26 May 2021)
+
+Daniel Stenberg (26 May 2021)
+- RELEASE-NOTES: synced
+
+- THANKS: added contributors from 7.77.0 cycle
+
+- copyright: update copyright year ranges to 2021
+
+- [Radek Zajic brought this change]
 
-  vtls: deduplicate some DISABLE_PROXY ifdefs
-  
-  continue from #5735
-  
-  - using SSL_HOST_NAME, SSL_HOST_DISPNAME, SSL_PINNED_PUB_KEY for other
-    tls backend
+  hostip: fix broken macOS/CMake/GCC builds
   
-  - create SSL_HOST_PORT
+  Follow-up to 31f631a142d855f06
   
-  Closes #6660
+  Fixes #7128
+  Closes #7129
 
-Jay Satiro (22 Apr 2021)
-- OS400: fix typo
+- TODO: netrc caching and sharing
   
-  CURLVERSION_HEIGHTH -> CURLVERSION_EIGHTH
+  URL: https://curl.se/mail/archive-2021-05/0018.html
 
-Daniel Stenberg (22 Apr 2021)
-- checksrc: complain on == NULL or != 0 checks in conditions
-  
-  ... to make them all consistenly use if(!var) and if(var)
-  
-  Also added a few missing warnings to the documentation.
-  
-  Closes #6912
+- [Orgad Shaneh brought this change]
 
-- tidy-up: make conditional checks more consistent
+  setopt: streamline ssl option code
   
-  ... remove '== NULL' and '!= 0'
+  Make it use the same style as the code next to it
   
-  Closes #6912
+  Closes #7123
 
-- [Patrick Monnerat brought this change]
+- [Radek Zajic brought this change]
 
-  vauth: factor base64 conversions out of authentication procedures
-  
-  Input challenges and returned messages are now in binary.
-  Conversions from/to base64 are performed by callers (currently curl_sasl.c
-  and http_ntlm.c).
+  lib/hostip6.c: make NAT64 address synthesis on macOS work
   
-  Closes #6654
+  Closes #7121
 
-- [Patrick Monnerat brought this change]
+- [ejanchivdorj brought this change]
 
-  bufref: buffer reference support
+  sectransp: fix EXC_BAD_ACCESS caused by uninitialized buffer
   
-  A struct bufref holds a buffer pointer, a data size and a destructor.
-  When freed or its contents are changed, the previous buffer is implicitly
-  released by the associated destructor. The data size, although not used
-  internally, allows binary data support.
+  When the SecCertificateCopyCommonName function fails, it leaves
+  common_name in a invalid state so CFStringCompare uses the invalid
+  result, causing EXC_BAD_ACCESS.
   
-  A unit test checks its handling methods: test 1661
+  The fix is to check the return value of the function before using the
+  name.
   
-  Closes #6654
+  Closes #7126
 
-- [Patrick Monnerat brought this change]
+- [Paweł Wegner brought this change]
 
-  os400: additional support for options metadata
-  
-  New functions curl_easy_option_by_name_ccsid() and
-  curl_easy_option_get_name_ccsid() allows accessing metadata in alternate
-  character encoding.
-  
-  This commit also updates curl_version_info_ccsid() to handle info version 9
-  and adds recent definitions to the ILE/RPG include file.
+  CMake: add CURL_ENABLE_EXPORT_TARGET option
   
-  Documentation updated accordingly.
+  install(EXPORT ...) causes trouble when embedding curl dependencies
+  which don't provide install(EXPORT ...) targets (e.g libressl and
+  nghttp2) with cmake's add_subdirectory.
   
-  Reviewed-by: Jon Rumsey
-  Closes #6574
-
-- [Patrick Monnerat brought this change]
+  Reviewed-by: Jakub Zakrzewski
+  Closes #7060
 
-  test server: take care of siginterrupt() deprecation
-  
-  Closes #6529
+- [Alessandro Ghedini brought this change]
 
-Marc Hoersken (21 Apr 2021)
-- lib1564.c: enable last wakeup test part on Windows
+  quiche: update for network path aware API
   
-  Suggested-by: Gergely Nagy
-  Reviewed-by: Jay Satiro
-  Reviewed-by: Marcel Raad
+  Latest version of quiche requires the application to pass the peer
+  address of received packets, and it provides the address for outgoing
+  packets back.
   
-  Closes #6245
+  Closes #7120
 
-- multi: fix slow write/upload performance on Windows
-  
-  Reset FD_WRITE by sending zero bytes which is permissible
-  and will be treated by implementations as successful send.
-  
-  Without this we won't be notified in case a socket is still
-  writable if we already received such a notification and did
-  not send any data afterwards on the socket. This would lead
-  to waiting forever on a writable socket being writable again.
-  
-  Assisted-by: Tommy Odom
-  Reviewed-by: Jay Satiro
-  Reviewed-by: Marcel Raad
-  Tested-by: tmkk on github
-  
-  Bug: #6146
-  Closes #6245
+- [Jacob Hoffman-Andrews brought this change]
 
-- multi: reduce Win32 API calls to improve performance
-  
-  1. Consolidate pre-checks into a single Curl_poll call:
-  
-  This is an attempt to restructure the code in Curl_multi_wait
-  in such a way that less syscalls are made by removing individual
-  calls to Curl_socket_check via SOCKET_READABLE/SOCKET_WRITABLE.
-  
-  2. Avoid resetting the WinSock event multiple times:
-  
-  We finally call WSAResetEvent anyway, so specifying it as
-  an optional parameter to WSAEnumNetworkEvents is redundant.
-  
-  3. Wakeup directly in case no sockets are being monitoring:
-  
-  Fix the WinSock based implementation to skip extra waiting by
-  not sleeping in case no sockets are to be waited on and just
-  the WinSock event is being monitored for wakeup functionality.
+  rustls: switch read_tls and write_tls to callbacks
   
-  Assisted-by: Tommy Odom
-  Reviewed-by: Jay Satiro
-  Reviewed-by: Marcel Raad
+  And update to 0.6.0, including a rename from session to connection for
+  many fields.
   
-  Bug: #6146
-  Closes #6245
+  Closes #7071
 
-- Revert "Revert 'multi: implement wait using winsock events'"
-  
-  This reverts commit 2260e0ebe6d45529495231b3e37a0c58fb92a6a2,
-  also restoring previous follow up changes which were reverted.
-  
-  Authored-by: rcombs on github
-  Authored-by: Marc Hörsken
-  Reviewed-by: Jay Satiro
-  Reviewed-by: Marcel Raad
-  
-  Restores #5634
-  Reverts #6281
-  Part of #6245
+- [Koichi Shiraishi brought this change]
 
-Daniel Stenberg (21 Apr 2021)
-- Revert "cmake: make libcurl library output name configurable"
-  
-  This reverts commit 1cba36d2166c396f987eea587cf92671b27acb92.
+  sectransp: fix 7f4a9a9b2a49 commit about missing comma
   
-  CMake provides properties that can be set on a target to rename the
-  output artifact without changing the name of a target.
+  Follow-up to 7f4a9a9b2a495
   
-  Ref: #6899
+  Closes #7119
 
-- [Michael Kolechkin brought this change]
+- [Harry Sintonen brought this change]
 
-  sectransp: allow cipher name to be specified
-  
-  Add parser for CURLOPT_SSL_CIPHER_LIST option for Secure Transport (ST)
-  back-end. Similar to NSS and GSKit back-ends, new code parses string
-  value and configures ST library to use those ciphers for communication.
-  Create cipher spec data structure and initialize the array of specs with
-  cipher number, name, alias, and 'weak' flag.
+  openssl: associate/detach the transfer from connection
   
-  Mark triple-DES ciphers as 'weak', and exclude them from the default
-  ciphers list.
+  CVE-2021-22901
   
-  Closes #6464
+  Bug: https://curl.se/docs/CVE-2021-22901.html
 
-- [Michael Kolechkin brought this change]
+- [Harry Sintonen brought this change]
 
-  NSS: add ciphers to map
+  telnet: check sscanf() for correct number of matches
   
-  Add cipher names to the `cipherlist` map, based on the list of ciphers
-  implemented by the NSS in the source code file
-  https://github.com/nss-dev/nss/blob/master/lib/ssl/sslenum.c
+  CVE-2021-22898
   
-  Closes #6670
+  Bug: https://curl.se/docs/CVE-2021-22898.html
 
-- http2: remove DEBUG_HTTP2
+- schannel: don't use static to store selected ciphers
   
-  Accidentally committed in 605e84235
+  CVE-2021-22897
+  
+  Bug: https://curl.se/docs/CVE-2021-22897.html
 
-- [Ralph Langendam brought this change]
+- docs/tests: remove freenode references
 
-  cmake: make libcurl library output name configurable
-  
-  Closes #6899
+- RELEASE-NOTES: synced
 
-- sws: #ifdef S_IFSOCK use
-  
-  SCO OpenServer 5.0.7 does not define S_IFSOCK.
-  
-  Reported-by: Kevin R. Bulgrien
-  Bug: https://curl.se/mail/lib-2021-04/0074.html
-  Closes #6926
+- [Sergey Markelov brought this change]
 
-- curl_setup: provide the shutdown flags wider
-  
-  By using #ifdef on the symbol names to work on anything that don't
-  provide them. SCO OpenServer 5.0.7, sys/socket.h does not define either
-  SHUT_RDWR, SHUT_RD, and SHUT_WR.
+  NSS: make colons, commas and spaces valid separators in cipher list
   
-  Reported-by: Kevin R. Bulgrien
-  Bug: https://curl.se/mail/lib-2021-04/0073.html
-  Closes #6925
+  Fixes #7110
+  Closes #7115
 
-- connect: use CURL_SA_FAMILY_T for portability
-  
-  Reported-by: Kevin R. Bulgrien
-  Bug: https://curl.se/mail/lib-2021-04/0071.html
+- curl: include libmetalink version in --version output
   
-  Closes #6918
+  Closes #7112
 
-- urlapi: make sure no +/- signs are accepted in IPv4 numericals
-  
-  Follow-up to 56a037cc0ad1b2. Extends test 1560 to verify.
-  
-  Reported-by: Tuomas Siipola
-  Fixes #6916
-  Closes #6917
+Jay Satiro (21 May 2021)
+- [Matias N. Goldberg brought this change]
 
-- ConnectionExists: respect requests for h1 connections better
+  cmake: Use multithreaded compilation on VS 2008+
   
-  ... for situations when multiplexing isn't enabled on the h2 connection
-  and h1 is explicitly requested for the transfer.
+  Multithreaded compilation has been supported since at least VS 2005 and
+  been robustly stable since at least VS 2008
   
-  Assisted-by: Gergely Nagy
+  Closes https://github.com/curl/curl/pull/7109
 
-- multi: don't close connection HTTP_1_1_REQUIRED
-  
-  The ConnectionExists() function will note that the new transfer wants
-  less then h2 and that it can't multiplex it and therefor opt to open a
-  new connection instead.
+Daniel Stenberg (21 May 2021)
+- [Matias N. Goldberg brought this change]
 
-- http2: move the stream error field to the per-transfer storage
+  cmake: fix two invokes result in different curl_config.h
   
-  Storing a stream error in the per-connection struct was an error that lead to
-  race conditions as subsequent stream handling could overwrite the error code
-  before it was used for the stream with the actual problem.
+  Fixes #7100
+  Closes #7101
   
-  Closes #6910
+  Reviewed-by: Jakub Zakrzewski
+  Signed-off-by: Matias N. Goldberg <dark_sylinc@yahoo.com.ar>
 
-- http2: call the handle-closed function correctly on closed stream
-  
-  This was this one condition where the stream could be closed due to an
-  error and the function would still wrongly just return 0 for it.
-  
-  Reported-by: Gergely Nagy
-  Fixes #6862
-  Closes #6910
+- [Peng-Yu Chen brought this change]
 
-- test1660: check the created HSTS file as text mode
+  cmake: detect CURL_SA_FAMILY_T
   
-  Closes #6922
-
-- RELEASE-NOTES: synced
+  Fixes #7049
+  Closes #7065
 
-- test 493: require https in curl to run
-  
-  Closes #6927
+- [Lucas Clemente Vella brought this change]
 
-Jay Satiro (20 Apr 2021)
-- tool_operate: don't discard failed parallel transfer result
+  CURLOPT_IPRESOLVE: preventing wrong IP version from being used
   
-  - Save a parallel transfer's result code only when it fails and the
-    transfer is not being retried.
+  In some situations, it was possible that a transfer was setup to
+  use an specific IP version, but due do DNS caching or connection
+  reuse, it ended up using a different IP version from requested.
   
-  Prior to this change the result code was always set which meant that a
-  failed result could be erroneously discarded if a different transfer
-  later had a successful result (CURLE_OK).
+  This commit changes the effect of CURLOPT_IPRESOLVE from simply
+  restricting address resolution to preventing the wrong connection
+  type being used, when choosing a connection from the pool, and
+  to restricting what addresses could be used when establishing
+  a new connection.
   
-  Before:
+  It is important that all addresses versions are resolved, even if
+  not used in that transfer in particular, because the result is
+  cached, and could be useful for a different transfer with a
+  different CURLOPT_IPRESOLVE setting.
   
-  > curl --fail -Z https://httpbin.org/status/404 https://httpbin.org/delay/10
-  > echo %ERRORLEVEL%
-  0
+  Closes #6853
+
+- [Oliver Urbann brought this change]
+
+  AmigaOS: add functions definitions for SHA256
   
-  After:
+  AmiSSL replaces many functions with macros. Curl requires pointer
+  to some of these functions. Thus, we have to encapsulate these macros:
+  SHA256_Init, SHA256_Update, SHA256_Final, X509_INFO_free.
   
-  > curl --fail -Z https://httpbin.org/status/404 https://httpbin.org/delay/10
-  > echo %ERRORLEVEL%
-  22
+  Bug: https://github.com/jens-maus/amissl/issues/15
+  Co-authored-by: Daniel Stenberg <daniel@haxx.se>
   
-  Closes #xxxx
-
-- [Georeth Zhou brought this change]
+  Closes #7099
 
-  openssl: fix build error with OpenSSL < 1.0.2
+- test2100: make it run with and require IPv6
   
-  Closes https://github.com/curl/curl/pull/6920
+  Closes #7083
 
-Viktor Szakats (19 Apr 2021)
-- README.md: delete Codacy UTM parameters & follow permanent redirect [ci skip]
-  
-  UTM parameters leak referrer and various marketing/tracking information
-  even if these would normally be stripped by website or client policy.
-  This link also works fine without them. Also took the opportunity to
-  update the URL to the one pointed to by the previous one via permanent
-  redirect.
+- tests/getpart: generate output URL encoded for better diffs
   
-  Reviewed-by: Daniel Stenberg
-  Closes #6919
+  Closes #7083
+
+- [Ryan Beck-Buysse brought this change]
 
-Daniel Stenberg (19 Apr 2021)
-- urlapi: "normalize" numerical IPv4 host names
+  docs/TheArtOfHttpScripting: fix markdown links
   
-  When the host name in a URL is given as an IPv4 numerical address, the
-  address can be specified with dotted numericals in four different ways:
-  a32, a.b24, a.b.c16 or a.b.c.d and each part can be specified in
-  decimal, octal (0-prefixed) or hexadecimal (0x-prefixed).
+  extra parens cause the links to be incorrectly formatted
+  and inconsistent with the rest of the document.
   
-  Instead of passing on the name as-is and leaving the handling to the
-  underlying name functions, which made them not work with c-ares but work
-  with getaddrinfo, this change now makes the curl URL API itself detect
-  and "normalize" host names specified as IPv4 numericals.
+  Signed-off-by: Ryan Beck-Buysse <rbuysse@gmail.com>
+  Closes #7097
+
+- RELEASE-NOTES: synced
+
+- [Emil Engler brought this change]
+
+  docs: replace dots with dashes in markdown enums
   
-  The WHATWG URL Spec says this is an okay way to specify a host name in a
-  URL. RFC 3896 does not allow them, but curl didn't prevent them before
-  and it seems other RFC 3896-using tools have not either. Host names used
-  like this are widely supported by other tools as well due to the
-  handling being done by getaddrinfo and friends.
+  We use dashes instead of dots nearly everywhere except for those few
+  cases. This commit addresses this issues and brings more coherency into
+  it.
   
-  I decided to add the functionality into the URL API itself so that all
-  users of these functions get the benefits, when for example wanting to
-  compare two URLs. Also, it makes curl built to use c-ares now support
-  them as well and make curl builds more consistent.
+  Closes #7093
+
+- [Emil Engler brought this change]
+
+  docs: improve INTERNALS.md regarding getsock cb
   
-  The normalization makes HTTPS and virtual hosted HTTP work fine even
-  when curl gets the address specified using one of the "obscure" formats.
+  This adds the I/O prefix to indicate that those "actions" are kind-of
+  related to those found in select(2) or poll(2) (reading/writing).
   
-  Test 1560 is extended to verify.
+  It also adds a note where the prototypes of those functions can be found
+  in the source code.
   
-  Fixes #6863
-  Closes #6871
+  Closes #7092
 
-- libssh: fix "empty expression statement has no effect" warnings
-  
-  ... by fixing macros to do-while constructs and moving out the calls to
-  "break" outside of the actual macro. It also fixes the problem where the
-  macro was used witin a loop and the break didn't do right.
-  
-  Reported-by: Emil Engler
-  Fixes #6847
-  Closes #6909
+- [Emil Engler brought this change]
 
-- hsts: enable by default
+  docs: document attach in INTERNALS.md
   
-  No longer considered experimental.
+  The new field in the Curl_handler struct still lacks documentation. This
+  adds it it from the information extracted from lib/urldata.h:797
   
-  Closes #6700
+  Closes #7091
 
-- vtls: refuse setting any SSL version
-  
-  ... previously they were supported if a TLS library would (unexpectedly)
-  still support them, but from this change they will be refused already in
-  curl_easy_setopt(). SSLv2 and SSLv3 have been known to be insecure for
-  many years now.
+- [Marc Aldorasi brought this change]
+
+  config: remove now-unused macros
   
-  Closes #6773
+  Closes #7094
+
+- [Marc Aldorasi brought this change]
 
-- curl: ignore options asking for SSLv2 or SSLv3
+  hostip.h: remove declaration of unimplemented function
   
-  Instead output a warning about it and continue with the defaults.
+  Closes #7094
+
+- h3: add 'attach' callback to protocol handlers
   
-  These SSL versions are typically not supported by the TLS libraries since a
-  long time back already since they are inherently insecure and broken. Asking
-  for them to be used will just cause an error to be returned slightly later.
+  Follow-up to 0c55fbab45be
   
-  In the unlikely event that a user's TLS library actually still supports these
-  protocol versions, this change might make the request a little less insecure.
+  Reviewed-by: Emil Engler
+  Closes #7090
+
+- wolfssl: remove SSLv3 support leftovers
   
-  Closes #6772
+  Closes #7088
 
-- test972: verify the json output with jsonlint
+- curl-wolfssl.m4: without custom include path, assume /usr/include
   
-  Make sure one of the azure jobs has jsonlint installed so that the test
-  runs there.
+  ... so that we can point out the root of the OpenSSL emulation headers.
+  Previously this used the '$includedir' variable which is wrong since
+  that defaults to the dir where the current configure invoke will install
+  the built libcurl headers: /usr/local by default.
   
-  Ref: #6905
+  Fixes #7085
+  Reported-by: Joel Jakobsson
+  Closes #7087
 
-- [Jay Satiro brought this change]
+- [Joel Depooter brought this change]
 
-  tool_writeout: fix the HTTP_CODE json output
+  data_pending: check only SECONDARY socket for FTP(S) transfers
+  
+  Check the FIRST for all other protocols.
   
-  Update test 970 accordingly.
+  This fixes a timeout in an ftps download. The server sends a TLS
+  close_notify message in the same packet as the file data. The
+  close_notify seems to not be handled in the schannel_recv function, so
+  libcurl is not aware that the server has closed the connection. Thus
+  libcurl ends up waiting for action on the socket until a timeout is
+  reached. With the secondary socket check added to the data_pending
+  function, the close_notify is properly handled, and the ftps transfer
+  terminates as expected.
   
-  Reported-by: Michal Rus
-  Fixes #6905
-  Closes #6906
+  Fixes #7068
+  Closes #7069
 
-- openldap: protect SSL-specific code with proper #ifdef
+- github: inhibit deprecated declarations for clang on macOS
+  
+  ... as they otherwise cause ldap build errors in the CI.
   
-  Closes #6901
+  Fixes #7081
+  Closes #7082
 
-- libssh2: fix Value stored to 'sshp' is never read
+- conn: add 'attach' to protocol handler, make libssh2 use it
   
-  Pointed out by scan-build
+  The libssh2 backend has SSH session associated with the connection but
+  the callback context is the easy handle, so when a connection gets
+  attached to a transfer, the protocol handler now allows for a custom
+  function to get used to set things up correctly.
   
-  Closes #6900
-
-- [Victor Vieux brought this change]
+  Reported-by: Michael O'Farrell
+  Fixes #6898
+  Closes #7078
 
-  tool_getparam: replace (in-place) '%20' by '+' according to RFC1866
+- http2: make sure pause is done on HTTP
   
-  Signed-off-by: Victor Vieux <victorvieux@gmail.com>
+  Since the function is called for any protocol, we can't assume that the
+  HTTP struct is there without first making sure it is HTTP.
   
-  Closes #6895
+  Reported-by: Denis Goleshchikhin
+  Fixes #7079
+  Closes #7080
 
-- configure: provide --with-openssl, deprecate --with-ssl
+- docs: cookies from HTTP headers need domain set
   
-  Makes the option more explicit.
+  ... or the cookies won't get sent. Push users to using the "Netscape"
+  format instead, which curl uses when saving a cookie "jar".
   
-  Closes #6887
+  Reported-by: Martin Dorey
+  Reviewed-by: Daniel Gustafsson
+  Fixes #6723
+  Closes #7077
 
 - RELEASE-NOTES: synced
-  
-  and bumped curlver to 7.77.0
 
-- [Javier Blazquez brought this change]
+- github: add a workflow with libssh2 on macOS using cmake
+  
+  Closes #7047
 
-  rustls: only return CURLE_AGAIN when TLS session is fully drained
+- sws: allow HTTP requests up to 2MB in size
   
-  The code in cr_recv was returning prematurely as soon as the socket
-  reported no more data to read. However, this could be leaving some
-  unread plaintext data in the rustls session from a previous call,
-  causing causing the transfer to hang if the socket never receives
-  further data.
+  To allow tests with slightly larger payloads. Like #7071 ...
   
-  We need to ensure that the session is fully drained of plaintext data
-  before returning CURLE_AGAIN to the caller.
+  Closes #7075
+
+Marc Hoersken (16 May 2021)
+- CI/azure: increase verbosity and fix outdated task names
   
-  Reviewed-by: Jacob Hoffman-Andrews
-  Closes #6894
+  Closes #7063
 
-- cookie: CURLOPT_COOKIEFILE set to NULL switches off cookies
+- CI/cirrus: add shared and static Windows release builds
   
-  Add test 676 to verify that setting CURLOPT_COOKIEFILE to NULL again clears
-  the cookiejar from memory.
+  Azure Pipelines is currently being used for debug builds,
+  let's also run some non-debug (release) Windows builds and
+  make use of previously underutilized Cirrus CI for that.
   
-  Reported-by: Stefan Karpinski
-  Fixes #6889
-  Closes #6891
-
-Version 7.76.1 (14 Apr 2021)
-
-Daniel Stenberg (14 Apr 2021)
-- RELEASE-NOTES: synced
+  Reviewed-by: Marcel Raad
   
-  curl 7.76.1 release
-
-- THANKS: add names from 7.76.1
-
-- misc: update copyright year ranges to match latest updates
-
-- [Tatsuhiro Tsujikawa brought this change]
+  Closes #6991
 
-  ngtcp2: Use ALPN h3-29 for now
+Daniel Stenberg (16 May 2021)
+- CURLOPT_CAPATH.3: defaults to a path, not NULL
   
-  Fixes #6864
-  Cloes #6886
-
-Jay Satiro (11 Apr 2021)
-- TODO: remove 18.22 --fail-with-body
+  Reported-by: Andrew Barnert
   
-  --fail-with-body was added in 8a964cb (precedes curl-7_76_0).
+  Closes #7062
 
-Daniel Stenberg (10 Apr 2021)
-- [Jürgen Gmach brought this change]
+- [Jacob Hoffman-Andrews brought this change]
 
-  src/tool_vms.c: remove duplicated word in comment
+  c-hyper: handle body on HYPER_TASK_EMPTY
   
-  Closes #6881
-
-- configure: fix CURL_DARWIN_CFLAGS use
+  Some of the time, we get a HYPER_TASK_EMPTY response before the status
+  line, headers, and body have been read. Previously, that would cause us
+  to poll again, leading to a 1 second timeout.
   
-  The macro name change was not completely done.
+  The HYPER_TASK_EMPTY docs say:
   
-  Follow-up to 5d2c384452543c
-  Bug: https://github.com/curl/curl/commit/5d2c384452543c7b6c9fb02eaa0afc84fd5ab941#commitcomment-49315187
-  Reported-by: Marcel Raad
-  Closes #6878
-
-- [Anthony Shaw brought this change]
-
-  github/workflow: add "security-extended" to codeql-analysis.yml
+     The value of this task is null (does not imply an error).
   
-  Extends the CodeQL code scan.
+  So, if we receive a HYPER_TASK_EMPTY, continue on with processing the
+  response.
   
-  Closes #6815
+  Reported-by: Kevin Burke
+  Fixes #7064
+  Closes #7070
 
-- [Jochem Broekhoff brought this change]
+- [Ikko Ashimine brought this change]
 
-  examples/hiperfifo.c: check event_initialized before delete
+  tool_getparam: fix comment typo in tool_getparam.c
   
-  If event_del is called with the event struct (still) zeroed out, a
-  segmentation fault may occur.  event_initialized checks whether the
-  event struct is nonzero.
+  enfore -> enforce
   
-  Closes #6876
-
-- [Patrick Monnerat brought this change]
+  Closes #7074
 
-  ntlm: fix negotiated flags usage
+- mem-include-scan.pl: require a non-word letter before memory funcs
   
-  According to Microsoft document MS-NLMP, current flags usage is not
-  accurate: flag NTLMFLAG_NEGOTIATE_NTLM2_KEY controls the use of
-  extended security in an NTLM authentication message and NTLM version 2
-  cannot be negotiated within the protocol.
+  ... so that ldap_memfree() for example doesn't match the scan for free.
   
-  The solution implemented here is: if the extended security flag is set,
-  prefer using NTLM version 2 (as a server featuring extended security
-  should also support version 2). If version 2 has been disabled at
-  compile time, use extended security.
+  Closes #7061
+
+- version: free the openldap info correctly
   
-  Tests involving NTLM are adjusted to this new behavior.
+  ... to avoid memory leaks.
   
-  Fixes #6813
-  Closes #6849
-
-- [Patrick Monnerat brought this change]
+  Follow-up to: bf0feae7768d9
+  Closes #7061
 
-  ntlm: support version 2 on 32-bit platforms
+- dupset: remove totally off comment
   
-  Closes #6849
-
-- [Patrick Monnerat brought this change]
+  Closes #7067
 
-  curl_ntlm_core.h: simplify conditionals for USE_NTLM2SESSION
-  
-  ... as !defined(CURL_DISABLE_CRYPTO_AUTH) is a prerequisite for the
-  whole NTLM.
+- configure: if asked for, fail if ldap is not found
   
-  Closes #6849
+  Reported-by: Jakub Zakrzewski
+  Fixes #7053
+  Closes #7055
 
-- lib: remove unused HAVE_INET_NTOA_R* defines
+- version: add OpenLDAP version in the output
   
-  Closes #6867
+  Assisted-by: Howard Chu
+  Closes #7054
 
-- [Michael Forney brought this change]
+Jay Satiro (13 May 2021)
+- [Joel Depooter brought this change]
 
-  configure: include <time.h> unconditionally
-  
-  In 2682e5f5, several instances of AC_HEADER_TIME were removed since
-  it is a deprecated autoconf macro. However, this was the macro that
-  defined TIME_WITH_SYS_TIME, which was used to indicate that <time.h>
-  can be included alongside <sys/time.h>. TIME_WITH_SYS_TIME is still
-  used in the configure test body and since it is no longer defined,
-  <time.h> is *not* included on systems that have <sys/time.h>.
-  
-  In particular, at least on musl libc and glibc, <sys/time.h> does
-  not implicitly include <time.h> and does not declare clock_gettime,
-  gmtime_r, or localtime_r. This causes configure to fail to detect
-  those functions.
-  
-  The AC_HEADER_TIME macro deprecation text says
-  
-  > All current systems provide time.h; it need not be checked for.
-  > Not all systems provide sys/time.h, but those that do, all allow
-  > you to include it and time.h simultaneously.
+  schannel: Ensure the security context request flags are always set
   
-  So, to fix this issue, simply include <time.h> unconditionally when
-  testing for time-related functions and in libcurl, and don't bother
-  checking for it.
+  As of commit 54e7475, these flags would only be set when using a new
+  credential handle. When re-using an existing credential handle, the
+  flags would not be set.
   
-  Closes #6859
+  Closes https://github.com/curl/curl/pull/7051
 
-- [Michael Forney brought this change]
+Dan Fandrich (12 May 2021)
+- tests: Fix some tag matching issues in a number of tests
 
-  configure: remove use of RETSIGTYPE
+Daniel Stenberg (12 May 2021)
+- sasl: use 'unsigned short' to store mechanism
   
-  This was previously defined by the obsolete AC_TYPE_SIGNAL macro,
-  which was removed in 2682e5f5. The deprecation text says
+  ... saves a few bytes of struct size in memory and it only uses
+  10 bits anyway.
   
-  > Your code may safely assume C89 semantics that RETSIGTYPE is void.
+  Closes #7045
+
+- hostip: remove the debug code for LocalHost
   
-  So, remove it and just use void instead.
+  The Curl_resolv() had special code (when built in debug mode) for when
+  resolving the host name "LocalHost" (using that exact casing). It would
+  then get the host name from the --interface option instead.
   
-  Closes #6861
-
-- [Muhammed Yavuz Nuzumlalı brought this change]
-
-  install: add instructions for Apple Darwin platforms
+  This development-only feature was not used by anything (anymore) and we
+  have the --resolve feature if we want to play similar tricks properly
+  going forward.
   
-  Closes #6860
-
-- [Muhammed Yavuz Nuzumlalı brought this change]
+  Closes #7044
 
-  configure: disable min version set for Darwin
+- progress: reset limit_size variables at transfer start
   
-  Fixes #6838
-  Closes #6860
-
-- [David Hu brought this change]
-
-  docs/HTTP3.md: update the build instruction using gnutls
+  Otherwise the old value would linger from a previous use and would mess
+  up the network speed cap logic.
   
-  In ngtcp2 the `with-gnutls` option is disabled by default, which will
-  cause `curl` unable to be `make` because of lacking the libraries
-  needed.
+  Reported-by: Ymir1711 on github
   
-  Closes #6857
+  Fixes #7042
+  Closes #7043
 
 - RELEASE-NOTES: synced
 
-- typecheck-gcc: make the ssl-ctx-cb check use SSL_CTX pointers
-  
-  ... and not values.
-  
-  Reported-by: locpyl-tidnyd on github
-  Fixes #6818
-  Closes #6819
-
-- ngtcp2+gnutls: clear credentials when freed
-  
-  ... to avoid double-free.
-  
-  Reported-by: Kenneth Davidson
-  Fixes #6824
-  Closes #6856
-
-Jay Satiro (5 Apr 2021)
-- [Cherish98 brought this change]
+- [Daniel Gustafsson brought this change]
 
-  tool_progress: Fix progress meter in parallel mode
-  
-  Make sure the total amount of DL/UL bytes are counted before the
-  transfer finalizes. Otherwise if a transfer finishes too quick, its
-  total numbers are not added, and results in a DL%/UL% that goes above
-  100%.
+  cookies: use CURLcode for cookie_output reporting
   
-  Detail:
+  Writing the cookie file has multiple error conditions, and was using an
+  int with magic numbers to report the different error (which in turn were
+  disregarded anyways). This moves reporting to use a CURLcode value.
   
-  progress_meter() is called periodically, and it may not catch a
-  transfer's total bytes if the value was unknown during the last call,
-  and the transfer is finished and deleted (i.e., lost) during the next
-  call.
+  Lightly-touched-by: Daniel Stenberg
   
-  Closes https://github.com/curl/curl/pull/6840
+  Closes #7037
+  Closes #6749
 
-- [Emil Engler brought this change]
+- [Daniel Gustafsson brought this change]
 
-  libssh: get rid of PATH_MAX
-  
-  This removes the last occurrence of PATH_MAX inside our libssh
-  implementation by calculating the path length from the string length of
-  the two components.
+  cookies: make use of string duplication function
   
-  Closes #6829
+  strstore() is defined as a strdup which ensures to free the target
+  pointer before duping the source char * into it. Make use of it in
+  two more cases where it can simplify the code.
 
-Daniel Stenberg (5 Apr 2021)
-- http_proxy: only loop on 407 + close if we have credentials
-  
-  ... to fix the retry-loop.
-  
-  Add test 718 to verify.
-  
-  Reported-by: Daniel Kurečka
-  Fixes #6828
-  Closes #6850
+- [Daniel Gustafsson brought this change]
 
-- h2: allow 100 streams by default
-  
-  instead of 13, before the server has told how many streams it
-  accepts. The server can always reject new streams anyway if we go above
-  what it accepts.
+  cookies: refactor comments
   
-  Ref: #6826
-  Closes #6852
+  Comments in the cookie code were a bit all over the place in terms of
+  style and wording. This takes a stab at cleaning them up by keeping to
+  a single style and overall shape. Some comments are moved a little and
+  some removed alltogether due to being redundant. No functional changes
+  have been made,
 
-- [Luke Granger-Brown brought this change]
+- [Peng-Yu Chen brought this change]
 
-  file: support GETing directories again
-  
-  After 957bc1881e686f9714c4e6a01bf33535091f0e21, we no longer compute an
-  expected_size for directories. This has the upshot that when we compare
-  even an empty Range with the available size, we fail.
+  http2: skip immediate parsing of payload following protocol switch
   
-  This brings back the previous behaviour, which was to succeed, but with
-  empty content. This also removes the "Accept-ranges: bytes" header,
-  which is nonsensical on directories.
+  This is considered not harmful as a following http2_recv shall be
+  called very soon.
   
-  Adds test 3016
-  Fixes #6845
-  Closes #6846
-
-- RELEASE-NOTES: synced
+  This is considered helpful in the specific situation where some
+  servers (e.g. nghttpx v1.43.0) may fulfill stream 1 immediately
+  following the return of HTTP status 101, other than waiting for
+  the client-side connection preface to arrive.
   
-  and bumped to 7.76.1
+  Fixes #7036
+  Closes #7040
 
-- TLS: fix HTTP/2 selection
-  
-  for GnuTLS, BearSSL, mbedTLS, NSS, SChannnel, Secure Transport and
-  wolfSSL...
-  
-  Regression since 88dd1a8a115b1f5ece (shipped in 7.76.0)
-  Reported-by: Kenneth Davidson
-  Reported-by: romamik om github
-  Fixes #6825
-  Closes #6827
+- [Peng-Yu Chen brought this change]
 
-Jay Satiro (2 Apr 2021)
-- hostip: Fix for builds that disable all asynchronous DNS
-  
-  - Define Curl_resolver_error function only when USE_CURL_ASYNC.
+  http2: use nghttp2_session_upgrade2 instead of nghttp2_session_upgrade
   
-  Prior to this change building curl without an asynchronous resolver
-  backend (c-ares or threaded) and without DoH (DNS-over-HTTPS, which is
-  also asynchronous but independent of resolver backend) would cause a
-  build error since Curl_resolver_error is called by and evaluates
-  variables only available in asynchronous builds.
+  Following the upstream deprecation of nghttp2_session_upgrade.
   
-  Reported-by: Benbuck Nason
+  Also provides further checks for requests with the HEAD method.
   
-  Fixes https://github.com/curl/curl/issues/6831
-  Closes https://github.com/curl/curl/pull/6832
-
-Daniel Stenberg (31 Mar 2021)
-- [Gilles Vollant brought this change]
+  Closes #7041
 
-  openssl: Fix CURLOPT_SSLCERT_BLOB without CURLOPT_SSLCERT_KEY
+- progress/trspeed: use a local convenient pointer to beautify code
   
-  Reported-by: Christian Schmitz
-  Fixes #6816
-  Closes #6820
+  The function becomes easier to read and understand with less repetition.
 
-Version 7.76.0 (31 Mar 2021)
+- trspeed: use long double for transfer speed calculation
 
-Daniel Stenberg (31 Mar 2021)
-- RELEASE-NOTES: synced
+- progress: move transfer speed calc into function
+  
+  This silences two scan-build-11 warnings: "The result of the '/'
+  expression is undefined"
   
-  curl 7.76.0 release
+  Bug: https://curl.se/mail/lib-2021-05/0022.html
+  Closes #7035
 
-- THANKS: added names from 7.76.0
+- [Cameron Cawley brought this change]
 
-- CURLOPT_AUTOREFERER.3: clarify that it sets the full URL
+  openssl: remove unneeded cast for CertOpenSystemStore()
   
-  ... some users may not want that!
+  Closes #7025
 
-- define: remove CURL_DISABLE_NTLM ifdefs
+- travis: disable the libssh build
   
-  It was never defined anywhere. Fixed disable-scan (test 1165) to also
-  scan headers, which found this issue.
+  It can't run on focal and causes warnings on bionic. Since the focal
+  failure started rather suddenly a while ago, we can suspect it might be
+  temporary.
   
-  Closes #6809
-
-- vtls: fix addsessionid for non-proxy builds
+  Added "bring back the build" to the TODO document.
   
-  Follow-up to b09c8ee15771c61
-  Fixes #6812
-  Closes #6811
-
-- [Li Xinwei brought this change]
+  Fixes #7011
+  Closes #7012
 
-  cmake: support WinIDN
-  
-  Closes #6807
+- [Peng-Yu Chen brought this change]
 
-- transfer: clear 'referer' in declaration
+  http: use calculated offsets inst of integer literals for header parsing
   
-  To silence (false positive) compiler warnings about it.
+  Assumed to be a minor coding style improvement with no behavior change.
   
-  Follow-up to 7214288898f5625
+  A modern compiler is expected to have the calculation optimized during
+  compilation. It may be deemed okay even if that's not the case, since
+  the added overhead is considered very low.
   
-  Reviewed-by: Marcel Raad
-  Closes #6810
+  Closes #7032
 
-- [Marc Hoersken brought this change]
+- [Peng-Yu Chen brought this change]
 
-  config: fix SSPI enabling NTLM if crypto auth is disabled
-  
-  Avoid enabling NTLM feature based upon Windows SSPI
-  being enabled in case that crypto auth is disabled.
+  GIT-INFO: suggest using autoreconf instead of buildconf
   
-  Reported-by: Marcel Raad
+  Follow-up to 85868537d
   
-  Follow-up to #6277
-  Fixes #6803
-  Closes #6808
-
-- HISTORY: add two 2021 events
+  Closes #7033
 
-- vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid()
+- http: deal with partial CONNECT sends
   
-  To make sure we set and extract the correct session.
+  Also added 'CURL_SMALLSENDS' to make Curl_write() send short packets,
+  which helped verifying this even more.
   
-  Reported-by: Mingtao Yang
-  Bug: https://curl.se/docs/CVE-2021-22890.html
+  Add test 363 to verify.
   
-  CVE-2021-22890
-
-- [Viktor Szakats brought this change]
+  Reported-by: ustcqidi on github
+  Fixes #6950
+  Closes #7024
 
-  transfer: strip credentials from the auto-referer header field
-  
-  Added test 2081 to verify.
+- HTTP3: make the ngtcp2 build use the quictls fork
   
-  CVE-2021-22876
+  ... as ngtcp2 itself documents the build this way.
   
-  Bug: https://curl.se/docs/CVE-2021-22876.html
+  Closes #7031
 
-- curl_sasl: fix compiler error with --disable-crypto-auth
+- http: limit the initial send amount to used upload buffer size
   
-  ... if libgsasl was found.
+  Previously this logic would cap the send to CURL_MAX_WRITE_SIZE bytes,
+  but for the situations where a larger upload buffer has been set, this
+  function can benefit from sending more bytes. With default size used,
+  this does the same as before.
   
-  Closes #6806
-
-- [Patrick Monnerat brought this change]
-
-  ldap: only set the callback ptr for TLS context when TLS is used
+  Also changed the storage of the size to an 'unsigned int' as it is not
+  allowed to be set larger than 2M.
   
-  Follow-up to a5eee22e594c2460f
-  Fixes #6804
-  Closes #6805
-
-- copyright: update copyright year ranges to 2021
+  Also added cautions to the man pages about changing buffer sizes in
+  run-time.
   
-  Reviewed-by: Emil Engler
-  Closes #6802
+  Closes #7022
 
-- send_speed: simplify the checks for if a speed limit is set
-  
-  ... as we know the value cannot be set to negative: enforced by
-  setopt()
+- RELEASE-NOTES: synced
 
-- http: cap body data amount during send speed limiting
+- ngtcp2: fix the cb_acked_stream_data_offset proto
   
-  By making sure never to send off more than the allowed number of bytes
-  per second the speed limit logic is given more room to actually work.
+  The 'datalen' value should be 64 bit, not size_t!
   
-  Reported-by: Fabian Keil
-  Bug: https://curl.se/mail/lib-2021-03/0042.html
-  Closes #6797
+  Reported-by: Dmitry Karpov
+  Bug: https://curl.se/mail/lib-2021-05/0019.html
+  Closes #7027
 
-- urldata: merge "struct DynamicStatic" into "struct UrlState"
+- progress: when possible, calculate transfer speeds with microseconds
   
-  Both were used for the same purposes and there was no logical separation
-  between them. Combined, this also saves 16 bytes in less holes in my
-  test build.
+  ... this improves precision, especially for transfers in the few or even
+  sub millisecond range.
   
-  Closes #6798
+  Reported-by: J. Bromley
+  Fixes #7017
+  Closes #7020
 
-- tests/README.md: mentioned that en_US.UTF-8 is required
+- http: reset the header buffer when sending the request
   
-  Reported-by: Oumph on github
-  Fixes #6768
-
-- HISTORY: fixed the Mac OS X 10.1 release date
+  A reused transfer handle could otherwise reuse the previous leftover
+  buffer and havoc would ensue.
   
-  Based on what Wikipedia says
+  Reported-by: sergio-nsk on github
+  Fixes #7018
+  Closes #7021
 
-Jay Satiro (26 Mar 2021)
-- examples: Remove threaded-shared-conn.c due to bug
-  
-  Known bug 11.11 is the shared object's connection cache is not thread
-  safe, so we should not have an example for it.
+- curl_mprintf.3: add description
   
-  Ref: https://github.com/curl/curl/issues/4915
-  Ref: https://curl.se/docs/knownbugs.html#A_shared_connection_cache_is_not
+  These functions have existed in the API since the dawn of time. It is
+  about time we describe how they work, even if we discourage users from
+  using them.
   
-  Closes https://github.com/curl/curl/pull/6795
+  Closes #7010
 
-- KNOWN_BUGS: Update 11.9 - DoH option inheritance
-  
-  - Add description: Explain that some options aren't inherited because
-    they are not relevant for the DoH SSL connections or may result in
-    unexpected behavior.
-  
-  - Remove the reference to #4578 (SSL verify options not inherited) since
-    that was fixed by #6597 (separate DoH-specific options for verify).
+- [Timothy Gu brought this change]
+
+  URL-SYNTAX: update IDNA section for WHATWG spec changes
   
-  - Explain that DoH-specific options (those created by #6597) are
-    available: CURLOPT_DOH_SSL_VERIFYHOST, CURLOPT_DOH_SSL_VERIFYPEER and
-    CURLOPT_DOH_SSL_VERIFYSTATUS.
+  WHATWG URL has dictated the use of Nontransitional Processing (IDNA
+  2008) for several years now. Chrome (and derivatives) still use
+  Transitional Processing, but Firefox and Safari have both switched.
   
-  - Add a reference to #6605 and explain that the user's debug function is
-    not inherited because it would be unexpected to pass internal handles
-    (ie DoH handles) to the user's callback.
+  Also document the fact that winidn functions differently from libidn2
+  here.
   
-  Closes https://github.com/curl/curl/issues/6605
-
-Daniel Stenberg (26 Mar 2021)
-- curl_easy_setopt.3: add curl_easy_option* functions to SEE ALSO
+  Closes #7026
 
-- [Jean-Philippe Menil brought this change]
+- [Calvin Buckley brought this change]
 
-  openssl: ensure to check SSL_CTX_set_alpn_protos return values
-  
-  SSL_CTX_set_alpn_protos() return 0 on success, and non-0 on failure
-  
-  Signed-off-by: Jean-Philippe Menil <jpmenil@gmail.com>
+  INSTALL: add IBM i specific quirks
   
-  Closes #6794
+  Fixes #6830
+  Closes #7013
 
-- multi: close the connection when h2=>h1 downgrading
+- libcurl.3: mention the URL API
   
-  Otherwise libcurl is likely to reuse the connection again in the next
-  attempt since the connection reuse logic doesn't take downgrades into
-  account.
+  To make it easier to find. Also a minor polish of libcurl-url.3
   
-  Reported-by: Anthony Ramine
-  Fixes #6788
-  Closes #6793
+  Closes #7009
 
-- openssl: set the transfer pointer for logging early
+- GnuTLS: don't allow TLS 1.3 for versions that don't support it
   
-  Otherwise, the transfer will be NULL in the trace function when the
-  early handshake details arrive and then curl won't show them.
+  Follow-up to 781864bedbc5
   
-  Regresssion in 7.75.0
+  ... as they don't understand it and will return error at us!
   
-  Reported-by: David Hu
-  Fixes #6783
-  Closes #6792
-
-- RELEASE-NOTES: synced
+  Closes #7014
 
-- TODO: Custom progress meter update interval
+Kamil Dudka (6 May 2021)
+- tool_getparam: handle failure of curlx_convert_tchar_to_UTF8()
   
-  Ref: https://stackoverflow.com/q/66789977/93747
-
-- docs/ABI: tighten up the language
+  Reported by GCC analyzer:
   
-  Make the promises more firm
+  Error: GCC_ANALYZER_WARNING (CWE-476):
+  src/tool_getparam.c: scope_hint: In function 'parse_args'
+  src/tool_getparam.c:2318:38: warning[-Wanalyzer-possible-null-dereference]: dereference of possibly-NULL 'orig_opt'
+  lib/curlx.h:56: included_from: Included from here.
+  src/tool_getparam.c:28: included_from: Included from here.
+  lib/curl_multibyte.h:70:51: note: in definition of macro 'curlx_convert_tchar_to_UTF8'
+  src/tool_getparam.c:2316:16: note: in expansion of macro 'curlx_convert_tchar_to_UTF8'
   
-  Closes #6786
+  Reviewed-by: Marcel Raad
+  Reviewed-by: Daniel Stenberg
+  Closes #7023
+
+Daniel Stenberg (6 May 2021)
+- scripts/delta: also show total number of days
 
-- openldap: disconnect better
+Marc Hoersken (5 May 2021)
+- sockfilt: fix invalid increment of handles index variable nfd
   
-  Instead of clearing the callback argument in disconnect, set it to the
-  (new) transfer to make sure the correct data is passed to the callbacks.
+  Only increment the array index if we actually stored a handle.
   
-  Follow-up to e467ea3bd937f38
-  Assisted-by: Patrick Monnerat
-  Closes #6787
+  Follow up to e917492048f4b85a0fd58a033d10072fc7666c3b
+  Closes #6992
 
-- libssh2: kdb_callback: get the right struct pointer
-  
-  After the recent conn/data refactor in this source file, this function
-  was mistakenly still getting the old struct pointer which would lead to
-  crash on servers with keyboard-interactive auth enabled.
+- sockfilt: avoid getting stuck waiting for writable socket
   
-  Follow-up to a304051620b92e12b (shipped in 7.75.0)
+  Reset FD_WRITE event using the same approach as in multi.c
   
-  Reported-by: Christian Schmitz
-  Fixes #6691
-  Closes #6782
+  Follow up to b36442b24305f3cda7c13cc64b46838995a4985b
+  Closes #6992
 
-- tftp: remove unused struct fields
+Jay Satiro (5 May 2021)
+- test678: Fix for Windows multibyte builds
   
-  Follow-up to d3d90ad9c00530d
+  Follow-up to 77fc385 from yesterday.
   
-  Closes #6781
+  Bug: https://github.com/curl/curl/pull/6662#issuecomment-832966557
+  Reported-by: Marc Hörsken
 
-- openldap: avoid NULL pointer dereferences
-  
-  Follow-up to a59c33ceffb8f78
-  Reported-by: Patrick Monnerat
-  Fixes #6676
-  Closes #6780
+- [Dmitry Kostjuchenko brought this change]
 
-- http: strip default port from URL sent to proxy
+  build: fix compilation for Windows UWP platform
   
-  To make sure the Host: header and the URL provide the same authority
-  portion when sent to the proxy, strip the default port number from the
-  URL if one was provided.
+  - Include afunix.h which is necessary for sockaddr_un when
+    USE_UNIX_SOCKETS is defined on Windows.
   
-  Reported-by: Michael Brown
-  Fixes #6769
-  Closes #6778
+  Closes https://github.com/curl/curl/pull/7006
 
-- azure: disable test 433 on azure-ubuntu
-  
-  Something in that environment sets XDG_CONFIG_HOME for us in a way that
-  breaks the test.
+Daniel Stenberg (5 May 2021)
+- gnutls: make setting only the MAX TLS allowed version work
   
-  Reported-by: Marc Hörsken
-  Fixes #6739
-  Closes #6777
-
-- tftp: remove the 3600 second default timeout
+  Previously, settting only the max allowed TLS version, leaving the
+  minimum one at default, didn't actually set it and left it to default
+  (TLS 1.3) too!
   
-  ... it was never meant to be there.
+  As a bonus, this change also removes the dead code handling of SSLv3
+  since that version can't be set anymore (since eff614fb0242cb).
   
-  Reported-by: Tomas Berger
-  Fixes #6774
-  Closes #6776
+  Reported-by: Daniel Carpenter
+  Fixes #6998
+  Closes #7000
 
-- docs: make gen.pl support *italic* and **bold**
+- openldap: replace ldap_ prefix on private functions
   
-  Remove some nroffisms from the cmdline doc files to simplify editing,
-  and instead support this markdown style.
+  Since openldap itself uses that prefix and with OpenĹDAP 2.5.4 (at
+  least) there's a symbol collision because of that.
   
-  Closes #6771
-
-- ngtcp2: sync with recent API updates
+  The private functions now use the 'oldap_' prefix where it previously
+  used 'ldap_'.
   
-  Closes #6770
-
-- RELEASE-NOTES: synced
+  Reported-by: 3eka on github
+  Fixes #7004
+  Closes #7005
 
-- libssh2:ssh_connect: clear session pointer after free
-  
-  If libssh2_knownhost_init() returns NULL, like in an OOM situation, the
-  ssh session was freed but the pointer wasn't cleared which made libcurl
-  later call libssh2 to cleanup using the stale pointer.
+Jay Satiro (5 May 2021)
+- http2: fix potentially uninitialized variable
   
-  Fixes #6764
-  Closes #6766
+  introduced several days ago in 3193170. caught by visual studio linker.
 
-- [Jacob Hoffman-Andrews brought this change]
+- [Gilles Vollant brought this change]
 
-  docs: document version of crustls dependency
-  
-  This also pins a specific release in the Travis test so future
-  API-breaking changins in crustls won't break curl builds.
+  SSL: support in-memory CA certs for some backends
   
-  Add RUSTLS documentation to release tarball.
+  - New options CURLOPT_CAINFO_BLOB and CURLOPT_PROXY_CAINFO_BLOB to
+    specify in-memory PEM certificates for OpenSSL, Schannel (Windows)
+    and Secure Transport (Apple) SSL backends.
   
-  Enable running tests for rustls, minus FTP tests (require
-  connect_blocking, which rustls doesn't implement) and 313 (requires CRL
-  handling).
+  Prior to this change PEM certificates could only be imported from a file
+  and not from memory.
   
-  Closes #6763
-
-- [Jacob Hoffman-Andrews brought this change]
-
-  rustls: Handle close_notify.
+  Co-authored-by: moparisthebest@users.noreply.github.com
   
-  If we get a close_notify, treat that as EOF. If we get an EOF from the
-  TCP stream, treat that as an error (because we should have ended the
-  connection earlier, when we got a close_notify).
+  Ref: https://github.com/curl/curl/pull/4679
+  Ref: https://github.com/curl/curl/pull/5677
+  Ref: https://github.com/curl/curl/pull/6109
   
-  Closes #6763
+  Closes https://github.com/curl/curl/pull/6662
 
-- docs: clarify timeouts for queued transfers in multi API
-  
-  Closes #6758
+Daniel Stenberg (4 May 2021)
+- [David Cook brought this change]
 
-- ftpserver: only load the preprocessed test file
+  tests: ignore case of chunked hex numbers in tests
   
-  We always preprocess and tests are no longer sensible to load "raw"
+  When hyper is used, it emits uppercase hexadecimal numbers for chunked
+  encoding lengths. Without hyper, lowercase hexadecimal numbers are used.
+  This change adds preprocessor statements to tests where this is an
+  issue, and adapts the fixtures to match.
   
-  Closes #6738
+  Closes #6987
 
-- tests: use %TESTNUMBER instead of fixed number
+- cmake: check for getppid and utimes
   
-  This makes the tests easier to copy and relocate to other test numbers
-  without having to update content.
+  ... as they're checked for in the configure script and are used by
+  source code.
   
-  Closes #6738
-
-- KNOWN_BUGS: CURLOPT_OPENSOCKETPAIRFUNCTION is missing
+  Removed checks for perror, setvbuf and strlcat since those defines are
+  not checked for in source code.
   
-  Closes #5747
-
-- TODO: provide timing info for each redirect
+  Bonus: removed HAVE_STRLCPY from a few config-*.h files since that
+  symbol is not used in source code.
   
-  Closes #6743
+  Closes #6997
 
-Jay Satiro (17 Mar 2021)
-- docs: Add SSL backend names to CURL_SSL_BACKEND
-  
-  - Document the names that can be used with CURL_SSL_BACKEND:
-    bearssl, gnutls, gskit, mbedtls, mesalink, nss, openssl, rustls,
-    schannel, secure-transport, wolfssl
+- libtest: remove lib530.c
   
-  Ref: https://github.com/curl/curl/issues/2209#issuecomment-360623286
-  Ref: https://github.com/curl/curl/issues/6717#issuecomment-800745201
+  Follow up from e50a877df when test 530 was removed. Since then this
+  source file has not been used/needed.
   
-  Closes https://github.com/curl/curl/pull/6755
+  Closes #6999
 
-- docs: Explain DOH transfers inherit some SSL settings
-  
-  - Document in DOH that some SSL settings are inherited but DOH hostname
-    and peer verification are not and are controlled separately.
+- FILEFORMAT: mention sectransp as a feature
   
-  - Document that CURLOPT_SSL_CTX_FUNCTION is inherited by DOH handles but
-    we're considering changing behavior to no longer inherit it. Request
-    feedback.
+  Been supported since at least 40259ca65
   
-  Closes https://github.com/curl/curl/pull/6688
+  Closes #7001
 
-Daniel Stenberg (17 Mar 2021)
-- http: make 416 not fail with resume + CURLOPT_FAILONERRROR
+- RELEASE-NOTES: synced
+
+- libssh2: ignore timeout during disconnect
   
-  When asked to resume a download, libcurl will convert that to HTTP logic
-  and if then the entire file is already transferred it will result in a
-  416 response from the HTTP server. With CURLOPT_FAILONERRROR set in that
-  scenario, it should *not* lead to an error return.
+  ... to avoid memory leaks!
   
-  Updated test 1156, added test 1273
+  libssh2 is tricky as we have to deal with the non-blockiness even in
+  close and shutdown cases. In the cases when we shutdown after a timeout
+  already expired, it is crucial that curl doen't let the timeout abort
+  the shutdown process as that then leaks memory!
   
-  Reported-by: Jonathan Watt
-  Fixes #6740
-  Closes #6753
+  Reported-by: Benjamin Riefenstahl
+  Fixes #6990
 
-- Curl_timeleft: check both timeouts during connect
-  
-  The duration of a connect and the total transfer are calculated from two
-  different time-stamps. It can end up with the total timeout triggering
-  before the connect timeout expires and we should make sure to
-  acknowledge whichever timeout that is reached first.
-  
-  This is especially notable when a transfer first sits in PENDING, as
-  that time is counted in the total time but the connect timeout is based
-  on the time since the handle changed to the CONNECT state.
+- KNOWN_BUGS: add two HTTP/2 bugs
+
+- KNOWN_BUGS: add three HTTP/3 issues
   
-  The CONNECTTIMEOUT is per connect attempt. The TIMEOUT is for the entire
-  operation.
+  ... and moved the HTTP/2 issues to its own section
   
-  Fixes #6744
-  Closes #6745
-  Reported-by: Andrei Bica
-  Assisted-by: Jay Satiro
+  Closes #6606
+  Closes #6510
+  Closes #6494
 
-- configure: remove use of deprecated macros
-  
-  AC_HEADER_TIME, AC_HEADER_STDC and AC_TYPE_SIGNAL
+- [ejanchivdorj brought this change]
 
-- configure: make AC_TRY_* into AC_*_IFELSE
+  CURLcode: add CURLE_SSL_CLIENTCERT
   
-  ... as the former versions are deprecated.
-
-- configure: s/AC_HELP_STRING/AS_HELP_STRING
+  When a TLS server requests a client certificate during handshake and
+  none can be provided, libcurl now returns this new error code
+  CURLE_SSL_CLIENTCERT
   
-  AC_HELP_STRING is deprecated in 2.70+ and I believe AS_HELP_STRING works
-  already since 2.59 so bump the minimum required version to that.
+  Only supported by Secure Transport and OpenSSL for TLS 1.3 so far.
   
-  Reported-by: Emil Engler
-  Fixes #6647
-  Closes #6748
+  Closes #6721
 
-- RELEASE-NOTES: synced
+- [Tobias Gabriel brought this change]
 
-- travis: use ubuntu nghttp2 package instead of build our own
+  .github/FUNDING: add link to GitHub sponsors
   
-  Closes #6751
+  Closes #6985
 
-- travis: bump wolfssl to 4.7.0
+- [Harry Sintonen brought this change]
 
-- travis: only build wolfssl when needed
+  krb5/name_to_level: replace checkprefix with curl_strequal
   
-  Closes #6751
+  Closes #6993
 
-- [Jacob Hoffman-Andrews brought this change]
+- [Harry Sintonen brought this change]
 
-  rustls: allocate a buffer for TLS data.
-  
-  Previously, rustls was using an on-stack array for TLS data. However,
-  crustls has an (unusual) requirement that buffers it deals with are
-  initialized before writing to them. By using calloc, we can ensure the
-  buffer is initialized once and then reuse it across calls.
+  Curl_input_digest: require space after Digest
   
-  Closes #6742
+  Closes #6993
 
-- travis: add a rustls build
-  
-  ... that doesn't run any tests (yet)
+- [Harry Sintonen brought this change]
+
+  Curl_http_header: check for colon when matching Persistent-Auth
   
-  Closes #6750
+  Closes #6993
 
-- HTTP2: remove the outdated remark about multiplexing for the tool
+- [Harry Sintonen brought this change]
 
-- [Robert Ronto brought this change]
+  Curl_http_input_auth: require valid separator after negotiation type
+  
+  Closes #6993
 
-  http2: don't set KEEP_SEND when there's no more data to be sent
+- http: fix the check for 'Authorization' with Bearer
   
-  this should fix an issue where curl sometimes doesn't send out a request
-  with authorization info after a 401 is received over http2
+  The code would wrongly check for it using an additional colon.
   
-  Closes #6747
+  Reported-by: Blake Burkhart
+  Closes #6988
 
-Marc Hoersken (15 Mar 2021)
-- config: fix building SMB with configure using Win32 Crypto
-  
-  Align conditions for NTLM features between CMake and configure
-  builds by differentiating between USE_NTLM and USE_CURL_NTLM_CORE,
-  just like curl_setup.h does internally to detect support of:
+- [Kamil Dudka brought this change]
+
+  http2: fix a resource leak in push_promise()
   
-  - USE_NTLM: required for NTLM crypto authentication feature
-  - USE_CURL_NTLM_CORE: required for SMB protocol
+  ... detected by Coverity:
   
-  Implement USE_WIN32_CRYPTO detection by checking for Crypt functions
-  in wincrypt.h which are not available in the Windows App environment.
+  Error: RESOURCE_LEAK (CWE-772):
+  lib/http2.c:532: alloc_fn: Storage is returned from allocation function "duphandle".
+  lib/http2.c:532: var_assign: Assigning: "newhandle" = storage returned from "duphandle(data)".
+  lib/http2.c:552: noescape: Resource "newhandle" is not freed or pointed-to in "set_transfer_url".
+  lib/http2.c:555: leaked_storage: Variable "newhandle" going out of scope leaks the storage it points to.
   
-  Link advapi32 and crypt32 for Crypto API and Schannel SSL backend.
-  Fix condition of Schannel SSL backend in CMake build accordingly.
+  Closes #6986
+
+- [Kamil Dudka brought this change]
+
+  http2: fix resource leaks in set_transfer_url()
   
-  Reviewed-by: Marcel Raad
+  ... detected by Coverity:
   
-  Closes #6277
-
-- config: fix detection of restricted Windows App environment
+  Error: RESOURCE_LEAK (CWE-772):
+  lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
+  lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
+  lib/http2.c:486: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.]
+  lib/http2.c:488: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
   
-  Move the detection of the restricted Windows App environment
-  in curl_setup.h before the definition of USE_WIN32_CRYPTO
-  via included config-win32.h in case no build system is used.
+  Error: RESOURCE_LEAK (CWE-772):
+  lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
+  lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
+  lib/http2.c:493: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.]
+  lib/http2.c:495: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
   
-  Reviewed-by: Marcel Raad
+  Error: RESOURCE_LEAK (CWE-772):
+  lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
+  lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
+  lib/http2.c:500: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.]
+  lib/http2.c:502: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
   
-  Part of #6277
-
-Daniel Stenberg (15 Mar 2021)
-- HISTORY: curl 7.7.2 was the first version used in Mac OS X 10.1
-
-- gen.pl: quote "bare" minuses in the nroff curl.1
+  Error: RESOURCE_LEAK (CWE-772):
+  lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
+  lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
+  lib/http2.c:505: noescape: Resource "u" is not freed or pointed-to in "curl_url_get". [Note: The source code implementation of the function has been overridden by a builtin model.]
+  lib/http2.c:507: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
   
-  Reported-by: Alejandro Colomar
-  Fixes #6698
-  Closes #6722
+  Closes #6986
 
-Daniel Gustafsson (14 Mar 2021)
-- hsts: remove unused defines
-  
-  MAX_HSTS_SUBLEN and MAX_HSTS_SUBLENSTR were unused from the initial commit,
-  and mostly likely leftovers from early development.  Remove as they're not
-  used for anything.
-  
-  Closes #6741
-  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+- [Jacob Hoffman-Andrews brought this change]
 
-Daniel Stenberg (12 Mar 2021)
-- github: add torture-ftp for FTP-only torture testing
+  rustls: use ALPN
   
-  and at 20% to try to keep the run-time reasonable
+  Update required rustls to 0.5.0
   
-  Closes #6728
+  Closes #6960
 
-- travis: split "torture" into a separate "events" build as well
-  
-  Run torture without FTP and reducing coverage to 20%
-  
-  For some reason the torture tests now run a lot slower on travis and run
-  into the 50 minute limit all the time.
-  
-  Closes #6728
+- [Michał Antoniak brought this change]
 
-- ftp: fix memory leak in ftp_done
-  
-  If after a transfer is complete Curl_GetFTPResponse() returns an error,
-  curl would not free the ftp->pathalloc block.
+  gskit: fix CURL_DISABLE_PROXY build
   
-  Found by torture-testing test 576
+  Removed localfd and remotefd from ssl_backend_data (ued only with proxy
+  connection). Function pipe_ssloverssl return always 0, when proxy is not
+  used.
   
-  Closes #6737
+  Closes #6981
 
-- [oxalica brought this change]
+- [Michał Antoniak brought this change]
 
-  http2: fail if connection terminated without END_STREAM
+  gskit: fix undefined reference to 'conn'
   
-  Closes #6736
-
-- RELEASE-NOTES: synced
+  Closes #6980
 
 - [Jacob Hoffman-Andrews brought this change]
 
-  rustls: support CURLOPT_SSL_VERIFYPEER
-  
-  This requires the latest main branch of crustls, which provides
-  rustls_client_config_builder_dangerous_set_certificate_verifier and
-  rustls_client_config_builder_set_enable_sni.
-  
-  This refactors the session setup into its own function, and adds a new
-  function cr_hostname_is_ip. Because crustls doesn't support verification
-  of IP addresses, special handling is needed: We disable SNI and set a
-  placeholder hostname (which never actually gets sent on the wire).
-  
-  Closes #6719
-
-Daniel Gustafsson (12 Mar 2021)
-- cookies: Fix potential NULL pointer deref with PSL
+  tls: add USE_HTTP2 define
   
-  Curl_cookie_init can be called with data being NULL, and this can in turn
-  be passed to Curl_cookie_add, meaning that both functions must be careful
-  to only use data where it's checked for being a NULL pointer.  The libpsl
-  support code does however dereference data without checking, so if we are
-  indeed having an unset data pointer we cannot PSL check the cookiedomain.
+  This abstracts across the two HTTP/2 backends: nghttp2 and Hyper.
   
-  This is currently not a reachable dereference, as the only caller with a
-  NULL data isn't passing a file to initialize cookies from, but since the
-  API has this contract let's ensure we hold it.
+  Add our own define for the "h2" ALPN protocol, so TLS backends can use
+  it without depending on a specific HTTP backend.
   
-  Closes #6731
-  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+  Closes #6959
 
-Daniel Stenberg (12 Mar 2021)
-- [Michael Hordijk brought this change]
+- [Jacob Hoffman-Andrews brought this change]
 
-  configure: only add OpenSSL paths if they are defined
-  
-  Add paths for OpenSSL compiling and linking only if they have been
-  defined.  If they haven't been defined, we'll assume that the paths are
-  already available to the toolchain.
+  lib: fix 0-length Curl_client_write calls
   
-  Closes #6730
+  Closes #6954
 
-Jay Satiro (12 Mar 2021)
-- retry.d: Clarify transient 5xx HTTP response codes
-  
-  - Clarify the only 5xx response codes that are treated as transient are
-    500, 502, 503 and 504.
-  
-  Prior to this change it said it treated all 5xx as transient, but the
-  code says otherwise.
-  
-  Ref: https://github.com/curl/curl/blob/curl-7_75_0/src/tool_operate.c#L462-L495
-  
-  Closes https://github.com/curl/curl/pull/6724
+- [Jacob Hoffman-Andrews brought this change]
 
-- retry-all-errors.d: Explain curl errors versus HTTP response errors
-  
-  - Add a paragraph explaining that curl does not consider HTTP response
-    errors as curl errors, and how that behavior can be modified by using
-    --retry and --fail.
-  
-  The --retry-all-errors doc says "Retry on any error" which some users
-  may find misleading without the added explanation.
-  
-  Ref: https://curl.se/docs/faq.html#Why_do_I_get_downloaded_data_eve
-  Ref: https://curl.se/docs/faq.html#curl_doesn_t_return_error_for_HT
+  lib: remove strlen call from Curl_client_write
   
-  Reported-by: Lawrence Gripper
+  At all call sites with an explicit 0 len, pass an appropriate nonzero
+  len.
   
-  Fixes https://github.com/curl/curl/issues/6712
-  Closes https://github.com/curl/curl/pull/6720
+  Closes #6954
 
-Daniel Stenberg (11 Mar 2021)
-- travis: switch ngtcp2 build over to quictls
-  
-  The ngtcp2 project switched over to using the quictls OpenSSL fork
-  instead of their own patched OpenSSL. We follow suit.
+- [Ayushman Singh Chauhan brought this change]
+
+  docs: camelcase it like GitHub everywhere
   
-  Closes #6729
+  Closes #6979
 
-- test220/314: adjust to run with Hyper
+Jay Satiro (27 Apr 2021)
+- [Lucas Servén Marín brought this change]
 
-- c-hyper: support automatic content-encoding
+  docs: fix typo in fail-with-body doc
   
-  Closes #6727
-
-- http: remove superfluous NULL assign
+  This commit fixes a small typo in the documentation for the
+  --fail-with-body flag.
   
-  Closes #6727
+  Closes https://github.com/curl/curl/pull/6977
 
-- tool_operate: bail if set CURLOPT_HTTP09_ALLOWED returns error
+- lib: fix some misuse of curlx_convert_UTF8_to_tchar
   
-  Closes #6727
-
-- setopt: error on CURLOPT_HTTP09_ALLOWED set true with Hyper
+  curlx_convert_UTF8_to_tchar must be freed by curlx_unicodefree, but
+  prior to this change some uses mistakenly called free.
   
-  Not supported.
+  I've reviewed all other uses of curlx_convert_UTF8_to_tchar and
+  curlx_convert_tchar_to_UTF8.
   
-  Closes #6727
-
-- test306: make it not run with Hyper
+  Bug: https://github.com/curl/curl/pull/6602#issuecomment-825236763
+  Reported-by: sergio-nsk@users.noreply.github.com
   
-  ... as it tests HTTP/0.9 which Hyper doesn't support.
-
-- test304: header CRLF cleanup to work with Hyper
+  Closes https://github.com/curl/curl/pull/6938
 
-- FTP: allow SIZE to fail when doing (resumed) upload
+Daniel Stenberg (27 Apr 2021)
+- ntlm: precaution against super huge type2 offsets
   
-  Added test 362 to verify.
+  ... which otherwise caused an integer overflow and circumvented the if()
+  conditional size check.
   
-  Reported-by: Jordan Brown
-  Regression since 7ea2e1d0c5a7f (7.73.0)
-  Fixes #6715
-  Closes #6725
+  Detected by OSS-Fuzz
+  Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33720
+  Assisted-by: Max Dymond
+  Closes #6975
 
-- configure: provide Largefile feature for curl-config
-  
-  ... as cmake now does it correctly, and make test1014 check for it
-  
-  Closes #6702
+- c-hyper: fix unused variable ‘wrote’
 
-- config: remove CURL_SIZEOF_CURL_OFF_T use only SIZEOF_CURL_OFF_T
-  
-  Make the code consistently use a single name for the size of the
-  "curl_off_t" type.
+- libcurl-security.3: be careful of setuid
   
-  Closes #6702
+  Reported-by: Harry Sintonen
+  Closes #6970
 
-Jay Satiro (10 Mar 2021)
-- [Jun-ya Kato brought this change]
+- [Kevin Burke brought this change]
 
-  ngtcp2: Fix build error due to change in ngtcp2_addr_init
+  c-hyper: don't write to set.writeheader if null
   
-  ngtcp2/ngtcp2@b8d90a9 changed the function prototype.
+  Previously if a caller set CURLOPT_WRITEFUNCTION but did not set a
+  CURLOPT_HEADERDATA buffer, Hyper would still attempt to write headers to
+  the data->set.writeheader header buffer, even though it is null.  This
+  led to NPE segfaults attempting to use libcurl+Hyper with Git, for
+  example.
   
-  Closes https://github.com/curl/curl/pull/6716
-
-Daniel Stenberg (10 Mar 2021)
-- [ejanchivdorj brought this change]
+  Instead, process the client write for the status line using the same
+  logic we use to process the client write for the later HTTP headers,
+  which contains the appropriate guard logic. As a side benefit,
+  data->set.writeheader is now only read in one file instead of two.
+  
+  Fixes #6619
+  Fixes abetterinternet/crustls#49
+  Fixes hyperium/hyper#2438
+  Closes #6971
 
-  multi: update pending list when removing handle
+- wolfssl: handle SSL_write() returns 0 for error
   
-  when removing a handle, most of the lists are updated but pending list
-  is not updated. Updating now.
+  Reported-by: Timo Lange
   
-  Closes #6713
-
-- [kokke brought this change]
+  Closes #6967
 
-  lib1536: check ptr against NULL before dereferencing it
+- easy: ignore sigpipe in curl_easy_send
   
-  Closes #6710
-
-- [kokke brought this change]
+  Closes #6965
 
-  lib1537: check ptr against NULL before dereferencing it
+- sigpipe: ignore SIGPIPE when using wolfSSL as well
   
-  Fixes #6707
-  Closes #6708
+  Closes #6966
 
-- travis: make torture tests skip TLS-SRP tests
-  
-  ... as it seems to often hang.
-  
-  Also: skip the "normal" tests as they're already run by many other
-  builds.
+- libcurl-security.3: don't try to filter IPv4 hosts based on the URL
   
-  Closes #6705
+  Closes #6942
 
-- openssl: adapt to v3's new const for a few API calls
-  
-  Closes #6703
+- [Harry Sintonen brought this change]
 
-- quiche: fix crash when failing to connect
+  nss_set_blocking: avoid static for sock_opt
   
-  Reported-by: ウさん
-  Fixes #6664
-  Closes #6701
+  Reviewed-by: Kamil Dudka
+  Closes #6945
 
 - RELEASE-NOTES: synced
-  
-  Fixed the release counter and added a missing contributor
 
-- RELEASE-NOTES: synced
+- [Yusuke Nakamura brought this change]
 
-- dynbuf: bump the max HTTP request to 1MB
+  docs/HTTP3.md: fix nghttp2's HTTP/3 server port
   
-  Raised from 128KB to allow longer request headers.
+  Port 8443 does not work now.
+  Correct origin is in the quicwg's wiki.
+  https://github.com/quicwg/base-drafts/wiki/Implementations#ngtcp2
   
-  Reported-by: Carl Zogheib
-  Fixes #6681
-  Closes #6685
+  Closes #6964
 
-Jay Satiro (6 Mar 2021)
-- schannel: Evaluate CURLOPT_SSL_OPTIONS via SSL_SET_OPTION macro
-  
-  - Change use of those options from CURLOPT_SSL_OPTIONS that are not
-    already evaluated via SSL_SET_OPTION in schannel and secure transport
-    to use that instead of data->set.ssl.optname.
-  
-  Example:
-  
-  Evaluate SSL_SET_OPTION(no_revoke) instead of data->set.ssl.no_revoke.
-  
-  This change is because options set via CURLOPT_SSL_OPTIONS
-  (data->set.ssl.optname) are separate from those set for HTTPS proxy via
-  CURLOPT_PROXY_SSL_OPTIONS (data->set.proxy_ssl.optname). The
-  SSL_SET_OPTION macro determines whether the connection is for HTTPS
-  proxy and based on that which option to evaluate.
+- krb5: don't use 'static' to store PBSZ size response
   
-  Since neither Schannel nor Secure Transport backends currently support
-  HTTPS proxy in libcurl, this change is for posterity and has no other
-  effect.
+  ... because it makes the knowledge and usage cross-transfer in funny and
+  unexpected ways.
   
-  Closes https://github.com/curl/curl/pull/6690
+  Reported-by: Harry Sintonen
+  Closes #6963
 
-- [kokke brought this change]
+- [Kevin Burke brought this change]
 
-  c-hyper: Remove superfluous pointer check
-  
-  `n` pointer is never NULL once set. Found by static analysis.
-  
-  Ref: https://github.com/curl/curl/issues/6696
+  m4: add security frameworks on Mac when compiling rustls
   
-  Closes https://github.com/curl/curl/pull/6697
-
-- version.d: Add missing features to the features list
+  Previously compiling rustls on Mac would only complete if you also
+  compiled the SecureTransport TLS backend, which curl would prefer to
+  the Rust backend.
   
-  - Add missing entries for gsasl, Kerberos, NTLM_WB, TrackMemory,
-    Unicode and zstd.
+  Appending these flags to LDFLAGS makes it possible to compile the
+  Rustls backend on Mac without the SecureTransport backend, which means
+  this patch will make it possible for Mac users to use the Rustls
+  backend for TLS.
   
-  - Remove krb4 since it's no longer a feature.
+  Reviewed-by: Jacob Hoffman-Andrews
   
-  Reported-by: Ádler Jonas Gross
+  Fixes #6955
+  Cloes #6956
+
+- krb5: remove the unused 'overhead' function
   
-  Fixes https://github.com/curl/curl/issues/6677
-  Closes https://github.com/curl/curl/pull/6687
+  Closes #6947
 
-- [Vladimir Varlamov brought this change]
+- [Johann150 brought this change]
 
-  docs: add missing Arg tag to --stderr
-  
-  Prior to this change the required argument was not shown.
-  
-  curl.1 before: --stderr
-  curl.1 after: --stderr <file>
+  curl_url_set.3: add memory management information
   
-  curl --help before:
-       --stderr        Where to redirect stderr
+  wording taken from man page for CURLOPT_URL.3
   
-  curl --help after:
-       --stderr <file>  Where to redirect stderr
+  As far as I can see, the URL part is either malloc'ed before due to
+  encoding or it is strdup'ed.
   
-  Closes https://github.com/curl/curl/pull/6692
+  Closes #6953
 
-- projects: Update VS projects for OpenSSL 1.1.x
-  
-  - Update VS project templates to use the OpenSSL lib names and include
-    directories for OpenSSL 1.1.x.
-  
-  This change means the VS project files will now build only with OpenSSL
-  1.1.x when an OpenSSL configuration is chosen. Prior to this change the
-  project files built only with OpenSSL 1.0.x (end-of-life) when an
-  OpenSSL configuration was chosen.
-  
-  The template changes in this commit were made by script:
-  
-  libeay32.lib => libcrypto.lib
-  ssleay32.lib => libssl.lib
-  ..\..\..\..\..\openssl\inc32 => ..\..\..\..\..\openssl\include
-  
-  And since the output directory now contains the includes it's prepended:
-  ..\..\..\..\..\openssl\build\Win{32,64}\VC{6..15}\{DLL,LIB}
-  {Debug,Release}\include
-  
-  - Change build-openssl.bat to copy the build's include directory to the
-    output directory (as seen above).
-  
-  Each build has its own opensslconf.h which is different so we can't just
-  include the source include directory any longer.
-  
-  Note the include directory in the output directory is a full copy from
-  the build so technically we don't need to include the OpenSSL source
-  include directory in the template. However, I left it last in case the
-  user made a custom OpenSSL build using the old method which would put
-  opensslconf in the OpenSSL source include directory.
-  
-  - Change build-openssl.bat to use a temporary install directory that is
-    different from the temporary build directory.
-  
-  For OpenSSL 1.1.x the temporary paths must be separate not a descendant
-  of the other, otherwise pdb files will be lost between builds.
-  
-  Ref: https://curl.se/mail/lib-2018-10/0049.html
-  Ref: https://gist.github.com/jay/125191c35bbeb894444eff827651f755
-  Ref; https://github.com/openssl/openssl/issues/10005
-  
-  Fixes https://github.com/curl/curl/issues/984
-  Closes https://github.com/curl/curl/pull/6675
+- [Jacob Hoffman-Andrews brought this change]
 
-- doh: Inherit CURLOPT_STDERR from user's easy handle
-  
-  Prior to this change if the user set their easy handle's error stream
-  to something other than stderr it was not inherited by the doh handles,
-  which meant that they would still write to the default standard error
-  stream (stderr) for verbose output.
-  
-  Bug: https://github.com/curl/curl/issues/6605
-  Reported-by: arvids-kokins-bidstack@users.noreply.github.com
+  c-hpyer: fix handling of zero-byte chunk from hyper
   
-  Closes https://github.com/curl/curl/pull/6661
+  Closes #6951
 
-Marc Hoersken (1 Mar 2021)
-- CI/azure: replace python-impacket with python3-impacket
-  
-  As of this month Azure DevOps uses Ubuntu 20.04 LTS which
-  no longer supports Python 2 and instead ships Python 3.
+- CURLOPT_POSTFIELDS.3: clarify how it gets the size of the data
   
-  Closes #6678
+  Ref: https://curl.se/mail/lib-2021-04/0085.html
+  Closes #6943
 
-- runtests.pl: kill processes locking test log files
-  
-  Introduce a new runtests.pl command option: -rm
-  
-  For now only required and implemented for Windows.
-  Ignore stunnel logs due to long running processes.
-  
-  Requires Sysinternals handle[64].exe to be on PATH.
-  
-  Reviewed-by: Jay Satiro
-  
-  Ref: #6058
-  Closes #6179
+- [Ralph Langendam brought this change]
 
-- pathhelp.pm: fix use of pwd -L in Msys environment
-  
-  While Msys2 has a pwd binary which supports -L,
-  Msys1 only has a shell built-in with that feature.
-  
-  Reviewed-by: Jay Satiro
+  cmake: make libcurl output filename configurable
   
-  Part of #6179
+  Reviewed-by: Jakub Zakrzewski
+  Closes #6933
 
-Daniel Gustafsson (1 Mar 2021)
-- ldap: use correct memory free function
+- [Patrick Monnerat brought this change]
+
+  vtls: reset ssl use flag upon negotiation failure
   
-  unescaped is coming from Curl_urldecode and not a unicode conversion
-  function, so reclaiming its memory should be performed with a normal
-  call to free rather than curlx_unicodefree.  In reality, this is the
-  same thing as curlx_unicodefree is implemented as a call to free but
-  that's not guaranteed to always hold.  Using the curlx macro present
-  issues with memory debugging as well.
+  Fixes the segfault in ldaps disconnect.
   
-  Closes #6671
-  Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
-  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+  Reported-by: Illarion Taev
+  Fixes #6934
+  Closes #6937
 
-- url: fix typo in comment
+- configure: fix typo in TLS error message
   
-  Correct a small typo which snuck in with a304051620.
+  Reported-by: Pontus Lundkvist
 
-Jay Satiro (28 Feb 2021)
-- tool_help: Increase space between option and description
-  
-  - Increase the minimum number of spaces between the option and the
-    description from 1 to 2.
+- README: link to the commercial support option
+
+Jay Satiro (22 Apr 2021)
+- [Martin Halle brought this change]
+
+  version: add gsasl_version to curl_version_info_data
   
-  Before:
-  ~~~
-   -u, --user <user:password> Server user and password
-   -A, --user-agent <name> Send User-Agent <name> to server
-   -v, --verbose       Make the operation more talkative
-   -V, --version       Show version number and quit
-   -w, --write-out <format> Use output FORMAT after completion
-       --xattr         Store metadata in extended file attributes
-  ~~~
+  - Add gsasl_version string and bump to CURLVERSION_TENTH.
   
-  After:
-  ~~~
-   -u, --user <user:password>  Server user and password
-   -A, --user-agent <name>  Send User-Agent <name> to server
-   -v, --verbose       Make the operation more talkative
-   -V, --version       Show version number and quit
-   -w, --write-out <format>  Use output FORMAT after completion
-       --xattr         Store metadata in extended file attributes
-  ~~~
+  Ref: https://curl.se/mail/lib-2021-04/0003.html
   
-  Closes https://github.com/curl/curl/pull/6674
+  Closes https://github.com/curl/curl/pull/6843
+
+- [Morten Minde Neergaard brought this change]
 
-Daniel Stenberg (27 Feb 2021)
-- curl: set CURLOPT_NEW_FILE_PERMS if requested
+  schannel: Support strong crypto option
   
-  The --create-file-mode code logic accepted the value but never actually
-  passed it on to libcurl!
+  - Support enabling strong crypto via optional user cipher list when
+    USE_STRONG_CRYPTO or SCH_USE_STRONG_CRYPTO is in the list.
   
-  Follow-up to a7696c73436f (shipped in 7.75.0)
-  Reported-by: Johannes Lesr
-  Fixes #6657
-  Closes #6666
-
-- tool_operate: check argc before accessing argv[1]
+  MSDN says SCH_USE_STRONG_CRYPTO "Instructs Schannel to disable known
+  weak cryptographic algorithms, cipher suites, and SSL/TLS protocol
+  versions that may be otherwise enabled for better interoperability."
   
-  Follow-up to 09363500b
-  Reported-by: Emil Engler
-  Reviewed-by: Daniel Gustafsson
-  Closes #6668
+  Ref: https://curl.se/mail/lib-2021-02/0066.html
+  Ref: https://curl.se/docs/manpage.html#--ciphers
+  Ref: https://curl.se/libcurl/c/CURLOPT_SSL_CIPHER_LIST.html
+  Ref: https://docs.microsoft.com/en-us/windows/win32/api/schannel/ns-schannel-schannel_cred
+  
+  Closes https://github.com/curl/curl/pull/6734
+
+Daniel Stenberg (22 Apr 2021)
+- RELEASE-NOTES: synced
 
-Daniel Gustafsson (26 Feb 2021)
-- [Jean-Philippe Menil brought this change]
+- ci: adapt to configure requiring an explicit TLS choice
 
-  openssl: remove get_ssl_version_txt in favor of SSL_get_version
-  
-  openssl: use SSL_get_version to get connection protocol
-  
-  Replace our bespoke get_ssl_version_txt in favor of SSL_get_version.
-  We can get rid of few lines of code, since SSL_get_version achieve
-  the exact same thing
+- configure: split out each TLS library detector into its own function
   
-  Closes #6665
-  Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
-  Signed-off-by: Jean-Philippe Menil <jpmenil@gmail.com>
+  ... and put those functions in separate m4 files per TLS library.

contrib/libs/curl/RELEASE-NOTES

@@ -1,139 +1,138 @@
-curl and libcurl 7.80.0
+curl and libcurl 7.81.0
 
- Public curl releases:         204
- Command line options:         243
- curl_easy_setopt() options:   294
+ Public curl releases:         205
+ Command line options:         244
+ curl_easy_setopt() options:   295
  Public functions in libcurl:  86
- Contributors:                 2533
+ Contributors:                 2558
 
 This release includes the following changes:
 
- o CURLOPT_MAXLIFETIME_CONN: maximum allowed lifetime for conn reuse [25]
- o CURLOPT_PREREQFUNCTION: add new callback [17]
- o libssh2: add SHA256 fingerprint support [4]
- o urlapi: add curl_url_strerror() [21]
- o urlapi: support UNC paths in file: URLs on Windows [20]
- o wolfssl: allow setting of groups/curves [22]
+ o mime: use percent-escaping for multipart form field and file names [1]
 
 This release includes the following bugfixes:
 
- o .github: retry macos "brew install" command on failure [125]
- o aws-sigv4: make signature work when post data is binary [68]
- o BINDINGS: URL updates [30]
- o build: remove checks for WinSock 1 [36]
- o c-hyper: don't abort CONNECT responses early when auth-in-progress [71]
- o c-hyper: make Curl_http propagate errors better [50]
- o c-hyper: make CURLOPT_SUPPRESS_CONNECT_HEADERS work [97]
- o c-hyper: make test 217 run [74]
- o c-hyper: use hyper_request_set_uri_parts to make h2 better [39]
- o checksrc: ignore preprocessor lines [64]
- o CI/makefiles: introduce dedicated test target [34]
- o ci: update Lift config to match requirements of curl build [1]
- o cirrus: remove FreeBSD 11.4 from the matrix [62]
- o cirrus: switch to openldap24-client [63]
- o cleanup: constify unmodified static structs [2]
- o cmake: add CURL_ENABLE_SSL option [46]
- o cmake: fix error getting LOCATION property on non-imported target [59]
- o CMake: restore support for SecureTransport on iOS [103]
- o cmake: with OpenSSL, define OPENSSL_SUPPRESS_DEPRECATED [14]
- o cmdline-opts: made the 'Added:' field mandatory [37]
- o configure.ac: replace krb5-config with pkg-config [80]
- o configure: when hyper is selected, deselect nghttp2 [94]
- o connect: use sysaddr_un from sys/un.h or custom-defined for windows [23]
- o curl-confopts.m4:  remove --enable/disable-hidden-symbols [70]
- o curl-openssl.m4: modify library order for openssl linking [40]
- o curl-openssl: pass argument to sed single-quoted [15]
- o curl.1: remove mentions of really old version changes [38]
- o curl: actually append "-" to --range without number only [57]
- o curl: correct grammar in generated libcurl code [53]
- o curl: print help descriptions in an aligned right column [16]
- o curl_gssapi: fix link error on macOS Monterey [55]
- o curl_multi_socket_action.3: add a "RETURN VALUE" section [106]
- o curl_ntlm_core: use OpenSSL only if DES is available [42]
- o Curl_updateconninfo: store addresses for QUIC connections too [90]
- o CURLOPT_ALTSVC_CTRL.3: mention conn reuse is preferred [126]
- o CURLOPT_HSTSWRITEFUNCTION.3: using CURLOPT_HSTS_CTRL is required [114]
- o CURLOPT_HTTPHEADER.3: add descripion for specific headers [35]
- o docs/HTTP3: improve build instructions [102]
- o docs/Makefile.am: repair 'make html' [52]
- o docs: fix typo in CURLOPT_TRAILERFUNCTION example [93]
- o docs: provide "RETURN VALUE" section for more func manpages [105]
- o docs: reduce use of "very" [107]
- o doh: remove experimental code for DoH with GET [61]
- o examples/htmltidy: correct wrong printf() use [66]
- o examples/imap-append: fix end-of-data check [7]
- o ftp: make the MKD retry to retry once per directory [113]
- o gen.pl: insert the current date and version in generated man page [11]
- o gen.pl: replace leading single quotes with \(aq [110]
- o http2: make getsock not wait for write if there's no remote window [56]
- o HTTP3: fix the HTTP/3 Explained book link [27]
- o http: fix Basic auth with empty name field in URL [24]
- o http: reject HTTP response codes < 100 [92]
- o http: remove assert that breaks hyper [47]
- o http: set content length earlier [67]
- o http_proxy: make hyper CONNECT() return the correct error code [51]
- o http_proxy: multiple CONNECT with hyper done better [78]
- o hyper: disable test 1294 since hyper doesn't allow such crazy headers [96]
- o hyper: does not support disabling CURLOPT_HTTP_TRANSFER_DECODING [72]
- o hyper: pass the CONNECT line to the debug callback [79]
- o imap: display quota information [115]
- o INSTALL: update symbol hiding option [77]
- o lib/mk-ca-bundle.pl: skip certs passed Not Valid After date [18]
- o lib: avoid fallthrough cases in switch statements [33]
- o libcurl.rc: switch out the copyright symbol for plain ASCII [5]
- o libssh2: Get the version at runtime if possible [12]
- o limit-rate.d: this is average over several seconds [119]
- o llist: remove redundant code, branch will not be executed [10]
- o Makefile.m32: fix to not require OpenSSL with -libssh2 or -rtmp options [100]
- o maketgz: redirect updatemanpages.pl output to /dev/null
- o man pages: require all to use the same section header order [101]
- o manpage: adjust the asterisk in some SYNOPSIS sections [82]
- o md5: fix compilation with OpenSSL 3.0 API [43]
- o misc: fix a few issues on MidnightBSD [28]
- o misc: fix typos in docs and comments [3]
- o ngtcp2: advertise h3 as well as h3-29 [109]
- o ngtcp2: compile with the latest nghttp3 [117]
- o ngtcp2: specify the missing required callback functions [108]
- o ngtcp2: use latest QUIC TLS RFC9001 [122]
- o NTLM: use DES_set_key_unchecked with OpenSSL [13]
- o openssl: if verifypeer is not requested, skip the CA loading [69]
- o openssl: with OpenSSL 1.1.0+ a failed RAND_status means goaway [44]
- o Revert "src/tool_filetime: disable -Wformat on mingw for this file" [88]
- o sasl: binary messages [31]
- o schannel: fix memory leak due to failed SSL connection [89]
- o scripts/delta: count command line options in the new file
- o sendf: accept zero-length data in Curl_client_write() [95]
- o sha256: use high-level EVP interface for OpenSSL [41]
- o smooth-gtk-thread.c: enhance the mutex lock use [112]
- o sws: fix memory leak on exit [49]
- o test1160: edited to work with hyper [83]
- o test1173: make manpage-syntax.pl spot \n errors in examples
- o test1185: verify checksrc [58]
- o test1266/1267: disabled on hyper: no HTTP/0.9 support [99]
- o test1287: make work on hyper [98]
- o test207: accept a different error code for hyper [76]
- o test262: don't attempt with hyper [73]
- o test552: updated to work with hyper [87]
- o test559: add 'HTTP' in keywords [86]
- o tests/smbserver.py: fix compatibility with impacket 0.9.23+ [104]
- o tests: add Schannel-specific tests and disable unsupported ones [91]
- o tests: disable test 2043 [54]
- o tests: kill some test servers afterwards to avoid locked logfiles [111]
- o tests: use python3 in test 1451 [48]
- o tls: remove newline from three infof() calls [85]
- o tool_cb_prg: make resumed upload progress bar show better [9]
- o tool_listhelp: easier generated with gen.pl [19]
- o tool_main: fix typo in comment [29]
- o tool_operate: a failed etag save now only fails that transfer [124]
- o URL-SYNTAX: add IMAP UID SEARCH example [81]
- o url: check the return value of curl_url() [75]
- o url: set "k->size" -1 at start of request [60]
- o urlapi: skip a strlen(), pass in zero [65]
- o urlapi: URL decode percent-encoded host names [26]
- o version_win32: use actual version instead of manifested version [45]
- o vtls: Fix a memory leak if an SSL session cannot be added to the cache [8]
- o wolfssl: use for SHA256, MD4, MD5, and setting DES odd parity [32]
- o zuul: pin the quiche build to use an older cmake-rs [84]
+ o asyn-ares: ares_getaddrinfo needs no happy eyeballs timer [73]
+ o azure: make the "w/o HTTP/SMTP/IMAP" build disable SSL proper [12]
+ o BINDINGS: add cURL client for PostgreSQL [68]
+ o BINDINGS: add one from Everything curl and update a link
+ o checksrc: detect more kinds of NULL comparisons we avoid [105]
+ o CI: build examples for additional code verification [75]
+ o CI: bump job to use mbedtls 3.1.0 [90]
+ o cmake: don't set _USRDLL on a static Windows build [22]
+ o cmake: prevent dev warning due to mismatched arg [94]
+ o cmake: private identifiers use CURL_ instead of CMAKE_ prefix [40]
+ o config.d: update documentation to match the path search
+ o configure: add -lm to configure for rustls build. [13]
+ o configure: better diagnostics if hyper is built wrong [6]
+ o configure: don't enable TLS when --without-* flags are used [17]
+ o configure: fix runtime-lib detection on macOS [21]
+ o curl.1: require "see also" for every documented option [27]
+ o curl: improve error message for --head with -J [42]
+ o curl_easy_cleanup.3: remove from multi handle first [3]
+ o curl_easy_escape.3: call curl_easy_cleanup in example [58]
+ o curl_easy_unescape.3: call curl_easy_cleanup in example [57]
+ o curl_multi_init.3: fix EXAMPLE formatting
+ o curl_multi_perform/socket_action.3: clarify what errors mean [70]
+ o curl_share_setopt.3: split out options into their own manpages [14]
+ o CURLOPT_STDERR.3: does not work with libcurl as a win32 DLL [51]
+ o digest: compute user:realm:pass digest w/o userhash [45]
+ o docs/checksrc: Add documentation for STRERROR [18]
+ o docs/cmdline-opts: do not say "protocols: all" [26]
+ o docs/examples: workaround broken -Wno-pedantic-ms-format
+ o docs/HTTP3: describe how to setup a h3 reverse-proxy for testing [88]
+ o docs/INSTALL.md: typo fix : added missing "get" verb [31]
+ o docs/URL-SYNTAX.md: space is not fine in a given URL
+ o docs: add known bugs list to HTTP3.md [83]
+ o docs: address proselint nits [16]
+ o docs: consistent manpage SYNOPSIS [47]
+ o docs: fix dead links, remove ECH.md
+ o docs: fix typo in OpenSSL 3 build instructions [80]
+ o docs: Update the Reducing Size section
+ o example/progressfunc: remove code for old libcurls [78]
+ o examples/multi-single.c: remove WAITMS() [98]
+ o FAQ: typo fix : "yout" ➤ "your" [30]
+ o ftp: disable warning 4706 in MSVC [85]
+ o gen.pl: improve example output format [29]
+ o github workflow: add wolfssl (removed from zuul) [103]
+ o github/workflows: add mbedtls and mbedtls-clang (removed from zuul) [92]
+ o gtls: check return code for gnutls_alpn_set_protocols [86]
+ o hash: lazy-alloc the table in Curl_hash_add() [54]
+ o http2:set_transfer_url() return early on OOM [53]
+ o HTTP3: update quiche build instructions [37]
+ o http: enable haproxy support for hyper backend [20]
+ o http: Fix CURLOPT_HTTP200ALIASES [89]
+ o http_proxy: don't close the socket (too early) [100]
+ o insecure.d: detail its use for SFTP and SCP as well [32]
+ o insecure.d: expand and clarify [28]
+ o libcurl-multi.3: "SOCKS proxy handshakes" are not blocking
+ o libcurl-security.3: mention address and URL mitigations
+ o libssh2: fix error message for sha256 mismatch
+ o libtest: avoid "assignment within conditional expression" [84]
+ o lift: ignore is a deprecated config option, use ignoreRules [35]
+ o linkcheck.yml: add CI job that checks markdown links [82]
+ o m4/curl-compilers: tell clang -Wno-pointer-bool-conversion [99]
+ o Makefile.m32: rename -winssl option to -schannel and tidy up [33]
+ o mbedTLS: add support for CURLOPT_CAINFO_BLOB [44]
+ o mbedtls: fix CURLOPT_SSLCERT_BLOB [72]
+ o mbedtls: fix private member designations for v3.1.0 [93]
+ o misc: remove unused doh flags when CURL_DISABLE_DOH is defined [71]
+ o misc: s/e-mail/email [74]
+ o multi: cleanup the socket hash when destroying it [55]
+ o multi: handle errors returned from socket/timer callbacks [52]
+ o multi: shut down CONNECT in Curl_detach_connnection [2]
+ o netrc.d: edit the .netrc example to look nicer [24]
+ o ngtcp2: verify the server cert on connect (quictls) [102]
+ o ngtcp2: verify the server certificate for the gnutls case [101]
+ o nss:set_cipher don't clobber the cipher list [38]
+ o openldap: implement STARTTLS [56]
+ o openldap: process search query response messages one by one [50]
+ o openldap: several minor improvements [69]
+ o openldap: simplify ldif generation code [77]
+ o openssl: check the return value of BIO_new() [43]
+ o openssl: define HAVE_OPENSSL_VERSION for OpenSSL 1.1.0+
+ o openssl: remove `RSA_METHOD_FLAG_NO_CHECK` handling if unavailable
+ o openssl: remove usage of deprecated `SSL_get_peer_certificate`
+ o openssl: use non-deprecated API to read key parameters
+ o page-footer: add a mention of how to report bugs to the man page
+ o page-footer: document more environment variables [23]
+ o request.d: refer to 'method' rather than 'command' [59]
+ o retry-all-errors.d: make the example complete
+ o runtests: make the SSH library a testable feature
+ o rustls: read of zero bytes might be okay [9]
+ o rustls: remove comment about checking handshaking [15]
+ o rustls: remove incorrect EOF check [10]
+ o sha256/md5: return errors when init fails [79]
+ o socks5: use appropriate ATYP for numerical IP address host names [91]
+ o test1156: enable for hyper [65]
+ o test1156: fixup the stdout check for Windows [60]
+ o test1525: tweaked for hyper [64]
+ o test1526: enable for hyper [63]
+ o test1527: enable for hyper [62]
+ o test1528: enable for hyper [61]
+ o test1554: adjust for hyper [49]
+ o test1556: adjust for hyper [48]
+ o test302[12]: run only with the libssh2 backend [8]
+ o test661: enable for hyper [66]
+ o tests/CI.md: add more information on CI environments [39]
+ o tests/data/test302[12]: fix MSYS2 path conversion of hostpubsha256 [76]
+ o tftp: mark protocol as not possible to do over CONNECT [25]
+ o tool_findfile: updated search for a file in the homedir [46]
+ o tool_operate: only set SSH related libcurl options for SSH URLs [11]
+ o tool_operate: warn if too many output arguments were found [87]
+ o url.c: fix the SIGPIPE comment for Curl_close [4]
+ o url: check ssl_config when re-use proxy connection [81]
+ o url: reduce ssl backend count for CURL_DISABLE_PROXY builds [96]
+ o urlapi: accept port number zero [34]
+ o urlapi: if possible, shorten given numerical IPv6 addresses [95]
+ o urlapi: provide more detailed return codes [36]
+ o urlapi: reject short file URLs [41]
+ o version_win32: Check build number and platform id
+ o vtls/rustls: adapt to the updated rustls_version proto [19]
+ o writeout: fix %{http_version} for HTTP/3 [7]
+ o x509asn1: return early on errors [67]
+ o zuul.d: update rustls-ffi to version 0.8.2 [5]
+ o zuul: fix quiche build pointing to wrong Cargo [104]
 
 This release includes the following known bugs:
 
@@ -142,146 +141,124 @@ This release includes the following known bugs:
 This release would not have looked like this without help, code, reports and
 advice from friends like these:
 
-  8U61ife on github, a1346054 on github, Abhinav Singh, Alexander Chuykov,
-  Alexander Kanavin, Amaury Denoyelle, Anthony Hu, Axel Morawietz,
-  beslick5 on github, billionai on github, Bo Anderson, Boris Rasin,
-  Dan Fandrich, Daniel Gustafsson, Daniel Stenberg, David Cook, David Hu,
-  Earnestly on github, Eddie Lumpkin, Érico Nogueira, Erik Stenlund,
-  Gisle Vanem, Gleb Ivanovsky, Godwin Stewart, h1zzz on github, Harry Sintonen,
-  Hayden Roche, Jakub Zakrzewski, Jan Mazur, Jeffrey Tolar, Jerome Mao,
-  Joel Depooter, Jonathan Cardoso Machado, Josip Medved, Jun-ya Kato,
-  Kerem Kat, Kevin Burke, Kirill Efimov, Lucas Holt, Malik Idrees Hasan Khan,
-  Marcel Raad, Marc Hörsken, Mats Lindestam, Max Dymond, Michael Afanasiev,
-  Michael Baentsch, Michael Kaufmann, Momoka Yamamoto, Noam Moshe,
-  orycho on github, Patrick Monnerat, Rafał Mikrut, Randall S. Becker,
-  Raul Onitza-Klugman, Ray Satiro, Ricardo Martins, Rick Lane,
-  Rikard Falkeborn, Roger Young, Roy Li, ryancaicse on github, Ryan Mast,
-  Samuel Henrique, Sean Molenaar, Sergey Markelov, Sergio Durigan Junior,
-  sergio-nsk on github, Sharon Brizinov, Stathis Kapnidis,
-  Steini2000 on github, Tatsuhiro Tsujikawa, Thomas M. DuBuisson,
-  tlahn on github, Viktor Szakats, Vitaly Varyvdin, Wyatt O'Day,
-  x2018 on github, Борис Верховский,
-  (78 contributors)
+  Alessandro Ghedini, Bernat Mut, Bernhard Walle, Boris Rasin,
+  Brad Fitzpatrick, Bruno Baguette, Damien Walsh, Dan Fandrich,
+  Daniel Stenberg, David Bohman, Don J Olmstead, Eric Musser, Even Rouault,
+  Florian Van Heghe, gclinch on github, Glenn Strauss, Jacob Hoffman-Andrews,
+  James Fuller, Jeff Luszcz, jeffrson on github, Jun Tseng, Kevin Burke,
+  Leszek Kubik, lllaffer on github, Marcelo Juchem, Marcel Raad, Marc Hörsken,
+  Mark Dodgson, Matt Holt, Melroy van den Berg, Michał Antoniak,
+  Nicolas Sterchele, nimaje on github, Patrick Monnerat, Paul Howarth,
+  Peter Piekarski, Ray Satiro, RekGRpth on github, Rikard Falkeborn,
+  Ryan Sleevi, Stan Hu, Stefan Eissing, Stefan Huber, Stephane Pellegrino,
+  Stephen M. Coakley, Tobias Nießen, Valentin Richter, Viktor Szakats,
+  Vincent Grande, Vladimir Panteleev, Wyatt O'Day, x2018 on github,
+  Yongkang Huang,
+  (53 contributors)
 
 References to bug reports and discussions on issues:
 
- [1] = https://curl.se/bug/?i=7761
- [2] = https://curl.se/bug/?i=7759
- [3] = https://curl.se/bug/?i=7747
- [4] = https://curl.se/bug/?i=7646
- [5] = https://curl.se/bug/?i=7765
- [7] = https://curl.se/bug/?i=7774
- [8] = https://curl.se/bug/?i=7683
- [9] = https://curl.se/bug/?i=7760
- [10] = https://curl.se/bug/?i=7770
- [11] = https://curl.se/bug/?i=7782
- [12] = https://curl.se/bug/?i=7768
- [13] = https://curl.se/bug/?i=7779
- [14] = https://curl.se/bug/?i=7767
- [15] = https://curl.se/bug/?i=7758
- [16] = https://curl.se/bug/?i=7792
- [17] = https://curl.se/bug/?i=7477
- [18] = https://curl.se/bug/?i=7801
- [19] = https://curl.se/bug/?i=7787
- [20] = https://curl.se/bug/?i=7366
- [21] = https://curl.se/bug/?i=7605
- [22] = https://curl.se/bug/?i=7728
- [23] = https://curl.se/bug/?i=7737
- [24] = https://curl.se/bug/?i=7819
- [25] = https://curl.se/mail/lib-2021-09/0058.html
- [26] = https://curl.se/bug/?i=7830
- [27] = https://curl.se/bug/?i=7813
- [28] = https://curl.se/bug/?i=7812
- [29] = https://curl.se/bug/?i=7811
- [30] = https://curl.se/bug/?i=7809
- [31] = https://curl.se/bug/?i=6930
- [32] = https://curl.se/bug/?i=7806
- [33] = https://curl.se/bug/?i=7322
- [34] = https://curl.se/bug/?i=7785
- [35] = https://curl.se/bug/?i=7829
- [36] = https://curl.se/bug/?i=7778
- [37] = https://curl.se/bug/?i=7786
- [38] = https://curl.se/bug/?i=7786
- [39] = https://curl.se/bug/?i=7679
- [40] = https://curl.se/bug/?i=7826
- [41] = https://curl.se/bug/?i=7808
- [42] = https://curl.se/bug/?i=7808
- [43] = https://curl.se/bug/?i=7808
- [44] = https://curl.se/bug/?i=7840
- [45] = https://curl.se/bug/?i=7742
- [46] = https://curl.se/bug/?i=7822
- [47] = https://curl.se/bug/?i=7852
- [48] = https://curl.se/bug/?i=7899
- [49] = https://curl.se/bug/?i=7849
- [50] = https://curl.se/bug/?i=7851
- [51] = https://curl.se/bug/?i=7825
- [52] = https://curl.se/bug/?i=7853
- [53] = https://curl.se/bug/?i=7802
- [54] = https://curl.se/bug/?i=7845
- [55] = https://curl.se/bug/?i=7657
- [56] = https://curl.se/bug/?i=7821
- [57] = https://curl.se/bug/?i=7837
- [58] = https://curl.se/bug/?i=7866
- [59] = https://curl.se/bug/?i=7885
- [60] = https://curl.se/bug/?i=7871
- [61] = https://curl.se/bug/?i=7870
- [62] = https://curl.se/bug/?i=7869
- [63] = https://curl.se/bug/?i=7868
- [64] = https://curl.se/bug/?i=7863
- [65] = https://curl.se/bug/?i=7862
- [66] = https://curl.se/bug/?i=7860
- [67] = https://github.com/curl/curl/commit/8a16e54#r57374914
- [68] = https://curl.se/bug/?i=7844
- [69] = https://curl.se/bug/?i=7892
- [70] = https://curl.se/bug/?i=7891
- [71] = https://curl.se/bug/?i=7889
- [72] = https://curl.se/bug/?i=7889
- [73] = https://curl.se/bug/?i=7889
- [74] = https://curl.se/bug/?i=7889
- [75] = https://curl.se/bug/?i=7917
- [76] = https://curl.se/bug/?i=7889
- [77] = https://curl.se/bug/?i=7890
- [78] = https://curl.se/bug/?i=7888
- [79] = https://curl.se/bug/?i=7887
- [80] = https://curl.se/bug/?i=7916
- [81] = https://github.com/curl/curl/issues/7626
- [82] = https://curl.se/bug/?i=7884
- [83] = https://curl.se/bug/?i=7912
- [84] = https://curl.se/bug/?i=7927
- [85] = https://curl.se/bug/?i=7879
- [86] = https://curl.se/bug/?i=7911
- [87] = https://curl.se/bug/?i=7911
- [88] = https://curl.se/bug/?i=7941
- [89] = https://curl.se/bug/?i=7877
- [90] = https://curl.se/bug/?i=7939
- [91] = https://curl.se/bug/?i=7968
- [92] = https://curl.se/bug/?i=7909
- [93] = https://curl.se/bug/?i=7910
- [94] = https://curl.se/bug/?i=7908
- [95] = https://curl.se/bug/?i=7898
- [96] = https://curl.se/bug/?i=7905
- [97] = https://curl.se/bug/?i=7905
- [98] = https://curl.se/bug/?i=7905
- [99] = https://curl.se/bug/?i=7905
- [100] = https://curl.se/bug/?i=7895
- [101] = https://curl.se/bug/?i=7904
- [102] = https://curl.se/bug/?i=7842
- [103] = https://curl.se/bug/?i=7501
- [104] = https://curl.se/bug/?i=7924
- [105] = https://curl.se/bug/?i=7902
- [106] = https://curl.se/bug/?i=7901
- [107] = https://curl.se/bug/?i=7936
- [108] = https://curl.se/bug/?i=7929
- [109] = https://curl.se/bug/?i=7979
- [110] = https://curl.se/bug/?i=7933
- [111] = https://curl.se/bug/?i=7925
- [112] = https://curl.se/bug/?i=7926
- [113] = https://curl.se/bug/?i=7967
- [114] = https://curl.se/bug/?i=7923
- [115] = https://curl.se/bug/?i=6973
- [117] = https://curl.se/bug/?i=7978
- [119] = https://curl.se/bug/?i=7970
- [122] = https://curl.se/bug/?i=7960
- [124] = https://curl.se/bug/?i=7945
- [125] = https://curl.se/bug/?i=7955
- [126] = https://curl.se/bug/?i=7957
+ [1] = https://curl.se/bug/?i=7789
+ [2] = https://curl.se/bug/?i=7982
+ [3] = https://curl.se/bug/?i=7983
+ [4] = https://curl.se/bug/?i=7984
+ [5] = https://curl.se/bug/?i=8013
+ [6] = https://curl.se/bug/?i=8001
+ [7] = https://curl.se/bug/?i=8072
+ [8] = https://curl.se/bug/?i=8009
+ [9] = https://curl.se/bug/?i=8003
+ [10] = https://curl.se/bug/?i=8003
+ [11] = https://curl.se/bug/?i=8040
+ [12] = https://curl.se/bug/?i=8006
+ [13] = https://curl.se/bug/?i=8002
+ [14] = https://curl.se/bug/?i=7998
+ [15] = https://curl.se/bug/?i=8038
+ [16] = https://curl.se/bug/?i=8060
+ [17] = https://curl.se/bug/?i=7994
+ [18] = https://curl.se/bug/?i=7991
+ [19] = https://curl.se/bug/?i=7956
+ [20] = https://curl.se/bug/?i=8034
+ [21] = https://curl.se/bug/?i=8028
+ [22] = https://curl.se/bug/?i=8030
+ [23] = https://curl.se/bug/?i=8027
+ [24] = https://curl.se/bug/?i=8025
+ [25] = https://curl.se/bug/?i=8018
+ [26] = https://curl.se/bug/?i=8021
+ [27] = https://curl.se/bug/?i=8019
+ [28] = https://curl.se/bug/?i=8017
+ [29] = https://curl.se/bug/?i=8016
+ [30] = https://curl.se/bug/?i=8059
+ [31] = https://curl.se/bug/?i=8058
+ [32] = https://curl.se/bug/?i=8056
+ [33] = https://curl.se/bug/?i=8053
+ [34] = https://curl.se/bug/?i=8090
+ [35] = https://curl.se/bug/?i=8082
+ [36] = https://curl.se/bug/?i=8049
+ [37] = https://curl.se/bug/?i=8076
+ [38] = https://curl.se/bug/?i=8160
+ [39] = https://curl.se/bug/?i=8012
+ [40] = https://curl.se/bug/?i=7988
+ [41] = https://curl.se/bug/?i=8042
+ [42] = https://curl.se/bug/?i=7987
+ [43] = https://curl.se/bug/?i=8078
+ [44] = https://curl.se/bug/?i=8071
+ [45] = https://curl.se/bug/?i=8066
+ [46] = https://curl.se/bug/?i=8033
+ [47] = https://curl.se/bug/?i=8062
+ [48] = https://curl.se/bug/?i=8105
+ [49] = https://curl.se/bug/?i=8104
+ [50] = https://curl.se/bug/?i=8101
+ [51] = https://curl.se/bug/?i=8103
+ [52] = https://curl.se/bug/?i=8083
+ [53] = https://curl.se/bug/?i=8100
+ [54] = https://curl.se/bug/?i=8132
+ [55] = https://curl.se/bug/?i=8129
+ [56] = https://curl.se/bug/?i=8065
+ [57] = https://curl.se/bug/?i=8097
+ [58] = https://curl.se/bug/?i=8097
+ [59] = https://curl.se/bug/?i=8094
+ [60] = https://curl.se/bug/?i=8134
+ [61] = https://curl.se/bug/?i=8128
+ [62] = https://curl.se/bug/?i=8128
+ [63] = https://curl.se/bug/?i=8128
+ [64] = https://curl.se/bug/?i=8128
+ [65] = https://curl.se/bug/?i=8127
+ [66] = https://curl.se/bug/?i=8126
+ [67] = https://curl.se/bug/?i=8147
+ [68] = https://curl.se/bug/?i=8125
+ [69] = https://curl.se/bug/?i=8140
+ [70] = https://curl.se/bug/?i=8120
+ [71] = https://curl.se/bug/?i=8148
+ [72] = https://curl.se/bug/?i=8146
+ [73] = https://curl.se/bug/?i=8142
+ [74] = https://curl.se/bug/?i=8159
+ [75] = https://curl.se/bug/?i=7922
+ [76] = https://curl.se/bug/?i=8084
+ [77] = https://curl.se/bug/?i=8136
+ [78] = https://curl.se/bug/?i=8137
+ [79] = https://curl.se/bug/?i=8133
+ [80] = https://curl.se/bug/?i=8162
+ [81] = https://curl.se/bug/?i=8141
+ [82] = https://curl.se/bug/?i=8158
+ [83] = https://curl.se/bug/?i=8156
+ [84] = https://curl.se/bug/?i=8218
+ [85] = https://curl.se/bug/?i=8218
+ [86] = https://curl.se/bug/?i=8181
+ [87] = https://curl.se/bug/?i=8210
+ [88] = https://curl.se/bug/?i=8177
+ [89] = https://curl.se/bug/?i=8171
+ [90] = https://curl.se/bug/?i=8215
+ [91] = https://curl.se/bug/?i=8216
+ [92] = https://curl.se/bug/?i=8215
+ [93] = https://curl.se/bug/?i=8214
+ [94] = https://curl.se/bug/?i=8207
+ [95] = https://curl.se/bug/?i=8206
+ [96] = https://curl.se/bug/?i=8212
+ [98] = https://curl.se/bug/?i=8200
+ [99] = https://curl.se/bug/?i=8197
+ [100] = https://curl.se/bug/?i=8193
+ [101] = https://curl.se/bug/?i=8178
+ [102] = https://curl.se/bug/?i=8178
+ [103] = https://curl.se/bug/?i=8196
+ [104] = https://curl.se/bug/?i=8184
+ [105] = https://curl.se/bug/?i=8180

contrib/libs/curl/include/curl/curl.h

@@ -2132,6 +2132,9 @@ typedef enum {
    * (in seconds) */
   CURLOPT(CURLOPT_MAXLIFETIME_CONN, CURLOPTTYPE_LONG, 314),
 
+  /* Set MIME option flags. */
+  CURLOPT(CURLOPT_MIME_OPTIONS, CURLOPTTYPE_LONG, 315),
+
   CURLOPT_LASTENTRY /* the last unused */
 } CURLoption;
 
@@ -2291,6 +2294,9 @@ CURL_EXTERN int curl_strnequal(const char *s1, const char *s2, size_t n);
 typedef struct curl_mime      curl_mime;      /* Mime context. */
 typedef struct curl_mimepart  curl_mimepart;  /* Mime part context. */
 
+/* CURLMIMEOPT_ defines are for the CURLOPT_MIME_OPTIONS option. */
+#define CURLMIMEOPT_FORMESCAPE  (1<<0) /* Use backslash-escaping for forms. */
+
 /*
  * NAME curl_mime_init()
  *

contrib/libs/curl/include/curl/curlver.h

@@ -30,12 +30,12 @@
 
 /* This is the version number of the libcurl package from which this header
    file origins: */
-#define LIBCURL_VERSION "7.80.0"
+#define LIBCURL_VERSION "7.81.0"
 
 /* The numeric version number is also available "in parts" by using these
    defines: */
 #define LIBCURL_VERSION_MAJOR 7
-#define LIBCURL_VERSION_MINOR 80
+#define LIBCURL_VERSION_MINOR 81
 #define LIBCURL_VERSION_PATCH 0
 
 /* This is the numeric version of the libcurl version number, meant for easier
@@ -57,7 +57,7 @@
    CURL_VERSION_BITS() macro since curl's own configure script greps for it
    and needs it to contain the full number.
 */
-#define LIBCURL_VERSION_NUM 0x075000
+#define LIBCURL_VERSION_NUM 0x075100
 
 /*
  * This is the date and time when the full source package was created. The
@@ -68,7 +68,7 @@
  *
  * "2007-11-23"
  */
-#define LIBCURL_TIMESTAMP "2021-11-10"
+#define LIBCURL_TIMESTAMP "2022-01-05"
 
 #define CURL_VERSION_BITS(x,y,z) ((x)<<16|(y)<<8|(z))
 #define CURL_AT_LEAST_VERSION(x,y,z) \

contrib/libs/curl/include/curl/multi.h

@@ -7,7 +7,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -73,7 +73,8 @@ typedef enum {
   CURLM_RECURSIVE_API_CALL, /* an api function was called from inside a
                                callback */
   CURLM_WAKEUP_FAILURE,  /* wakeup is unavailable or failed */
-  CURLM_BAD_FUNCTION_ARGUMENT,  /* function called with a bad parameter */
+  CURLM_BAD_FUNCTION_ARGUMENT, /* function called with a bad parameter */
+  CURLM_ABORTED_BY_CALLBACK,
   CURLM_LAST
 } CURLMcode;
 

contrib/libs/curl/include/curl/urlapi.h

@@ -48,6 +48,18 @@ typedef enum {
   CURLUE_NO_PORT,             /* 15 */
   CURLUE_NO_QUERY,            /* 16 */
   CURLUE_NO_FRAGMENT,         /* 17 */
+  CURLUE_NO_ZONEID,           /* 18 */
+  CURLUE_BAD_FILE_URL,        /* 19 */
+  CURLUE_BAD_FRAGMENT,        /* 20 */
+  CURLUE_BAD_HOSTNAME,        /* 21 */
+  CURLUE_BAD_IPV6,            /* 22 */
+  CURLUE_BAD_LOGIN,           /* 23 */
+  CURLUE_BAD_PASSWORD,        /* 24 */
+  CURLUE_BAD_PATH,            /* 25 */
+  CURLUE_BAD_QUERY,           /* 26 */
+  CURLUE_BAD_SCHEME,          /* 27 */
+  CURLUE_BAD_SLASHES,         /* 28 */
+  CURLUE_BAD_USER,            /* 29 */
   CURLUE_LAST
 } CURLUcode;
 

contrib/libs/curl/lib/asyn-ares.c

@@ -111,7 +111,9 @@ struct thread_data {
   struct Curl_addrinfo *temp_ai; /* intermediary result while fetching c-ares
                                     parts */
   int last_status;
+#ifndef HAVE_CARES_GETADDRINFO
   struct curltime happy_eyeballs_dns_time; /* when this timer started, or 0 */
+#endif
 };
 
 /* How long we are willing to wait for additional parallel responses after
@@ -377,6 +379,7 @@ CURLcode Curl_resolver_is_resolved(struct Curl_easy *data,
 
   waitperform(data, 0);
 
+#ifndef HAVE_CARES_GETADDRINFO
   /* Now that we've checked for any last minute results above, see if there are
      any responses still pending when the EXPIRE_HAPPY_EYEBALLS_DNS timer
      expires. */
@@ -399,6 +402,7 @@ CURLcode Curl_resolver_is_resolved(struct Curl_easy *data,
     ares_cancel((ares_channel)data->state.async.resolver);
     DEBUGASSERT(res->num_pending == 0);
   }
+#endif
 
   if(res && !res->num_pending) {
     (void)Curl_addrinfo_callback(data, res->last_status, res->temp_ai);