CONTRIB-2513 Update contrib/libs/curl to 7.80.0

ref:9f073731f38021df100328c1b343280bf6632e23

contrib/libs/curl/.yandex_meta/devtools.copyrights.report

@@ -33,7 +33,7 @@ KEEP     COPYRIGHT_SERVICE_LABEL 01785bd64237dea815d6d9ed22d8812c
 BELONGS ya.make
     License text:
          * Copyright (C) 2017, Florin Petriuc, <petriuc.florin@gmail.com>
-         * Copyright (C) 2018 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
+         * Copyright (C) 2018 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
     Scancode info:
         Original SPDX id: COPYRIGHT_SERVICE_LABEL
         Score           : 100.00
@@ -206,6 +206,7 @@ BELONGS ya.make
         lib/sendf.c [8:8]
         lib/sendf.h [10:10]
         lib/setopt.c [8:8]
+        lib/setup-win32.h [10:10]
         lib/share.c [8:8]
         lib/share.h [10:10]
         lib/sigpipe.h [10:10]
@@ -474,7 +475,6 @@ BELONGS ya.make
         Match type      : COPYRIGHT
     Files with this license:
         include/curl/options.h [10:10]
-        lib/curl_sha256.h [10:11]
 
 KEEP     COPYRIGHT_SERVICE_LABEL 520dfafb050652350468b32c3d62b5cd
 BELONGS ya.make
@@ -649,7 +649,6 @@ BELONGS ya.make
         lib/psl.h [10:10]
         lib/rand.h [10:10]
         lib/setopt.h [10:10]
-        lib/setup-win32.h [10:10]
         lib/slist.c [8:8]
         lib/slist.h [10:10]
         lib/sockaddr.h [10:10]
@@ -705,6 +704,17 @@ BELONGS ya.make
         lib/socketpair.h [10:10]
         lib/vssh/wolfssh.c [8:8]
 
+KEEP     COPYRIGHT_SERVICE_LABEL 90cdf298ce2c585659435307b15f1c38
+BELONGS ya.make
+    License text:
+         * Copyright (C) 2015 - 2021, Steve Holme, <steve_holme@hotmail.com>.
+    Scancode info:
+        Original SPDX id: COPYRIGHT_SERVICE_LABEL
+        Score           : 100.00
+        Match type      : COPYRIGHT
+    Files with this license:
+        lib/curl_des.c [8:8]
+
 KEEP     COPYRIGHT_SERVICE_LABEL 90ce0ec9551a9d561300240060256dff
 BELONGS ya.make
     License text:
@@ -749,7 +759,6 @@ BELONGS ya.make
         Score           : 100.00
         Match type      : COPYRIGHT
     Files with this license:
-        lib/curl_des.c [8:8]
         lib/curl_des.h [10:10]
 
 KEEP     COPYRIGHT_SERVICE_LABEL 9d962b7054a48ee0efeaca166b582707
@@ -774,7 +783,6 @@ BELONGS ya.make
         Match type      : COPYRIGHT
     Files with this license:
         lib/system_win32.h [10:10]
-        lib/version_win32.c [8:8]
         lib/version_win32.h [10:10]
 
 KEEP     COPYRIGHT_SERVICE_LABEL a708a3265e6d737aa48aa8db4c364178
@@ -954,6 +962,7 @@ BELONGS ya.make
         Match type      : COPYRIGHT
     Files with this license:
         lib/system_win32.c [8:8]
+        lib/version_win32.c [8:8]
 
 KEEP     COPYRIGHT_SERVICE_LABEL e0d1701a5a15c429dd6d54ccbadea738
 BELONGS ya.make
@@ -997,8 +1006,8 @@ BELONGS ya.make
         Score           : 100.00
         Match type      : COPYRIGHT
     Files with this license:
-        lib/md4.c [217:222]
-        lib/md5.c [205:210]
+        lib/md4.c [226:231]
+        lib/md5.c [220:225]
 
 KEEP     COPYRIGHT_SERVICE_LABEL f5681c9f9526985592061799304792ee
 BELONGS ya.make
@@ -1021,6 +1030,7 @@ BELONGS ya.make
         Match type      : COPYRIGHT
     Files with this license:
         include/curl/urlapi.h [10:10]
+        lib/curl_sha256.h [10:11]
         lib/doh.c [8:8]
         lib/doh.h [10:10]
         lib/sha256.c [8:9]

contrib/libs/curl/.yandex_meta/devtools.licenses.report

@@ -38,14 +38,14 @@ BELONGS ya.make
         Match type      : NOTICE
         Links           : http://www.linfo.org/publicdomain.html, https://github.com/nexB/scancode-toolkit/tree/develop/src/licensedcode/data/licenses/public-domain.LICENSE
     Files with this license:
-        lib/md5.c [200:217]
+        lib/md5.c [215:232]
     Scancode info:
         Original SPDX id: LicenseRef-scancode-other-permissive
         Score           : 98.04
         Match type      : NOTICE
         Links           : https://github.com/nexB/scancode-toolkit/tree/develop/src/licensedcode/data/licenses/other-permissive.LICENSE
     Files with this license:
-        lib/md5.c [200:217]
+        lib/md5.c [215:232]
 
 KEEP     Public-Domain        18ed429b519e9abeeb3f768979574386
 BELONGS ya.make
@@ -56,14 +56,14 @@ BELONGS ya.make
         Match type      : NOTICE
         Links           : http://www.linfo.org/publicdomain.html, https://github.com/nexB/scancode-toolkit/tree/develop/src/licensedcode/data/licenses/public-domain.LICENSE
     Files with this license:
-        lib/md4.c [212:229]
+        lib/md4.c [221:238]
     Scancode info:
         Original SPDX id: LicenseRef-scancode-other-permissive
         Score           : 97.06
         Match type      : NOTICE
         Links           : https://github.com/nexB/scancode-toolkit/tree/develop/src/licensedcode/data/licenses/other-permissive.LICENSE
     Files with this license:
-        lib/md4.c [212:229]
+        lib/md4.c [221:238]
 
 KEEP     curl                 22ab1475a8e38f13b0b81e2e769b5d69
 BELONGS ya.make
@@ -437,7 +437,7 @@ BELONGS ya.make
         Match type      : TEXT
         Links           : http://www.linfo.org/publicdomain.html, https://github.com/nexB/scancode-toolkit/tree/develop/src/licensedcode/data/licenses/public-domain.LICENSE
     Files with this license:
-        lib/sha256.c [215:216]
+        lib/sha256.c [251:252]
 
 KEEP     ISC                  e6a382fc7564fdd1a5e46b2d97b3221f
 BELONGS ya.make

contrib/libs/curl/.yandex_meta/licenses.list.txt

@@ -171,6 +171,10 @@
  * Copyright (C) 2012 - 2014, Linus Nielsen Feltzing, <linus@haxx.se>
 
 
+====================COPYRIGHT====================
+ * Copyright (C) 2015 - 2021, Steve Holme, <steve_holme@hotmail.com>.
+
+
 ====================COPYRIGHT====================
  * Copyright (C) 2016 - 2020, Steve Holme, <steve_holme@hotmail.com>.
 
@@ -195,7 +199,7 @@
 
 ====================COPYRIGHT====================
  * Copyright (C) 2017, Florin Petriuc, <petriuc.florin@gmail.com>
- * Copyright (C) 2018 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 2018 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
 
 
 ====================COPYRIGHT====================

contrib/libs/curl/CHANGES

@@ -6,8271 +6,8295 @@
 
                                   Changelog
 
-Version 7.79.1 (22 Sep 2021)
+Version 7.80.0 (10 Nov 2021)
 
-Daniel Stenberg (22 Sep 2021)
+Daniel Stenberg (10 Nov 2021)
 - RELEASE-NOTES: synced
   
-  curl 7.79.1 release
+  for curl 7.80.0
 
-- THANKS: added names from the 7.79.1 release
+- THANKS: add contributors from the 7.80.0 cycle
 
-- test897: verify delivery of IMAP post-body header content
-  
-  The "content" is delivered as "body" by curl, but the envelope continues
-  after the body and the rest of it should be delivered as header.
-  
-  The IMAP server can now get 'POSTFETCH' set to include more data to
-  include after the body and test 897 is done to verify that such "extra"
-  header data is in fact delivered by curl as header.
+- [Tatsuhiro Tsujikawa brought this change]
+
+  ngtcp2: advertise h3 as well as h3-29
   
-  Ref: #7284 but fails to reproduce the issue
+  Advertise h3 as well as h3-29 since some servers out there require h3
+  for QUIC v1.
   
-  Closes #7748
+  Closes #7979
 
-- KNOWN_BUGS: connection migration doesn't work
+- [Tatsuhiro Tsujikawa brought this change]
+
+  ngtcp2: use QUIC v1 consistently
   
-  Closes #7695
+  Since we switched to v1 quic_transport_parameters codepoint in #7960
+  with quictls, lets use QUIC v1 consistently.
+  
+  Closes #7979
 
-- RELEASE-NOTES: synced
+- [Tatsuhiro Tsujikawa brought this change]
 
-- http: fix the broken >3 digit response code detection
+  ngtcp2: compile with the latest nghttp3
   
-  When the "reason phrase" in the HTTP status line starts with a digit,
-  that was treated as the forth response code digit and curl would claim
-  the response to be non-compliant.
+  Closes #7978
+
+Marc Hoersken (9 Nov 2021)
+- tests: add Schannel-specific tests and disable unsupported ones
   
-  Added test 1466 to verify this case.
+  Adds Schannel variants of SSLpinning tests that include the option
+  --ssl-revoke-best-effort to ignore certificate revocation check
+  failures which is required due to our custom test CA certificate.
   
-  Regression brought by 5dc594e44f73b17
-  Reported-by: Glenn de boer
-  Fixes #7738
-  Closes #7739
-
-Jay Satiro (17 Sep 2021)
-- strerror: use sys_errlist instead of strerror on Windows
+  Disable the original variants if the Schannel backend is enabled.
   
-  - Change Curl_strerror to use sys_errlist[errnum] instead of strerror to
-    retrieve the error message on Windows.
+  Also skip all IDN tests which are broken while using an msys shell.
   
-  Windows' strerror writes to a static buffer and is not thread-safe.
+  This is a step to simplify test exclusions for Windows and MinGW.
   
-  Follow-up to 2f0bb86 which removed most instances of strerror in favor
-  of calling Curl_strerror (which calls strerror_r for other platforms).
+  Reviewed-by: Jay Satiro
+  Reviewed-by: Marcel Raad
+  Reviewed-by: Daniel Stenberg
+  Closes #7968
+
+Daniel Stenberg (8 Nov 2021)
+- docs: NAME fixes in easy option man pages
   
-  Ref: https://github.com/curl/curl/pull/7685
-  Ref: https://github.com/curl/curl/commit/2f0bb86
+  Closes #7975
+
+- [Roger Young brought this change]
+
+  ftp: make the MKD retry to retry once per directory
   
-  Closes https://github.com/curl/curl/pull/7735
+  Reported-by: Roger Young
+  Fixes #7967
+  Closes #7976
 
-Daniel Stenberg (16 Sep 2021)
-- dist: provide lib/.checksrc in the tarball
+- tool_operate: reorder code to avoid compiler warning
   
-  So that debug builds work (checksrc really)
+  tool_operate.c(889) : warning C4701: potentially uninitialized local
+  variable 'per' use
   
-  Reported-by: Marcel Raad
-  Reported-by: tawmoto on github
-  Fixes #7733
-  Closes #7734
+  Follow-up to cc71d352651a0d95
+  Reported-by: Marc Hörsken
+  Bug: https://github.com/curl/curl/pull/7922#issuecomment-963042676
+  Closes #7971
 
-- TODO: Improve documentation about fork safety
+- curl_easy_perform.3: add a para about recv and send data
   
-  Closes #6968
+  Reported-by: Godwin Stewart
+  Fixes #7973
+  Closes #7974
 
-- hsts: CURLSTS_FAIL from hsts read callback should fail transfer
+- tool_operate: fclose stream only if fopened
   
-  ... and have CURLE_ABORTED_BY_CALLBACK returned.
+  Fixes torture test failures
+  Follow-up to cc71d352651
   
-  Extended test 1915 to verify.
+  Closes #7972
+
+- libcurl-easy.3: language polish
+
+- limit-rate.d: this is average over several seconds
   
-  Reported-by: Jonathan Cardoso
-  Fixes #7726
-  Closes #7729
+  Closes #7970
 
-- test1184: disable
+- docs: reduce/avoid English contractions
   
-  The test should be fine and it works for me repeated when run manually,
-  but clearly it causes CI failures and it needs more research.
+  You're => You are
+  Hasn't => Has not
+  Doesn't => Does not
+  Don't => Do not
+  You'll => You will
+  etc
   
-  Reported-by: RiderALT on github
-  Fixes #7725
-  Closes #7732
+  Closes #7930
 
-- Curl_http2_setup: don't change connection data on repeat invokes
+- tool_operate: fix torture leaks with etags
   
-  Regression from 3cb8a748670ab88c (releasde in 7.79.0). That change moved
-  transfer oriented inits to before the check but also erroneously moved a
-  few connection oriented ones, which causes problems.
+  Spotted by torture testing 343 344 345 347.
   
-  Reported-by: Evangelos Foutras
-  Fixes #7730
-  Closes #7731
-
-- RELEASE-NOTES: synced
+  Follow-up from cc71d352651a0
+  Pointed-out-by: Dan Fandrich
   
-  and bump to 7.79.1
+  Closes #7969
 
-Kamil Dudka (16 Sep 2021)
-- tests/sshserver.pl: make it work with openssh-8.7p1
+- [Amaury Denoyelle brought this change]
+
+  ngtcp2: support latest QUIC TLS RFC9001
   
-  ... by not using options with no argument where an argument is required:
+  QUIC Transport Parameters Extension has been changed between draft-29
+  and latest RFC9001. Most notably, its identifier has been updated from
+  0xffa5 to 0x0039. The version is selected through the QUIC TLS library
+  via the legacy codepoint.
   
-  === Start of file tests/log/ssh_server.log
-  curl_sshd_config line 6: no argument after keyword "DenyGroups"
-  curl_sshd_config line 7: no argument after keyword "AllowGroups"
-  curl_sshd_config line 10: Deprecated option AuthorizedKeysFile2
-  curl_sshd_config line 29: Deprecated option KeyRegenerationInterval
-  curl_sshd_config line 39: Deprecated option RhostsRSAAuthentication
-  curl_sshd_config line 40: Deprecated option RSAAuthentication
-  curl_sshd_config line 41: Deprecated option ServerKeyBits
-  curl_sshd_config line 45: Deprecated option UseLogin
-  curl_sshd_config line 56: no argument after keyword "AcceptEnv"
-  curl_sshd_config: terminating, 3 bad configuration options
-  === End of file tests/log/ssh_server.log
+  Disable the usage of legacy codepoint in curl to switch to latest
+  RFC9001. This is required to be able to keep up with latest QUIC
+  implementations.
   
-  === Start of file log/sftp_server.log
-  curl_sftp_config line 33: Unsupported option "rhostsrsaauthentication"
-  curl_sftp_config line 34: Unsupported option "rsaauthentication"
-  curl_sftp_config line 52: no argument after keyword "sendenv"
-  curl_sftp_config: terminating, 1 bad configuration options
-  Connection closed.
-  Connection closed
-  === End of file log/sftp_server.log
+  Acked-by: Tatsuhiro Tsujikawa
+  Closes #7960
+
+- test1173: make manpage-syntax.pl spot \n errors in examples
+
+- man pages: fix backslash-n in examples
   
-  Closes #7724
+  ... to be proper backslash-backslash-n sequences to render nicely in man
+  and on website.
+  
+  Follow-up to 24155569d8a
+  Reported-by: Sergey Markelov
+  
+  Fixes https://github.com/curl/curl-www/issues/163
+  Closes #7962
 
-Daniel Stenberg (15 Sep 2021)
-- hsts: handle unlimited expiry
+- scripts/release-notes.pl: use out of repo links verbatim in refs
+
+- tool_operate: a failed etag save now only fails that transfer
   
-  When setting a blank expire string, meaning unlimited, curl would pass
-  TIME_T_MAX to getime_r() when creating the output, while on 64 bit
-  systems such a large value cannot be convetered to a tm struct making
-  curl to exit the loop with an error instead. It can't be converted
-  because the year it would represent doesn't fit in the 'int tm_year'
-  field!
+  When failing to create the output file for saving an etag, only fail
+  that particular single transfer and allow others to follow.
   
-  Starting now, unlimited expiry is instead handled differently by using a
-  human readable expiry date spelled out as "unlimited" instead of trying
-  to use a distant actual date.
+  In a serial transfer setup, if no transfer at all is done due to them
+  all being skipped because of this error, curl will output an error
+  message and return exit code 26.
   
-  Test 1660 and 1915 have been updated to help verify this change.
+  Added test 369 and 370 to verify.
   
-  Reported-by: Jonathan Cardoso
-  Fixes #7720
-  Closes #7721
+  Reported-by: Earnestly on github
+  Ref: #7942
+  Closes #7945
 
-- curl_multi_fdset: make FD_SET() not operate on sockets out of range
+- [Kevin Burke brought this change]
+
+  .github: retry macos "brew install" command on failure
   
-  The VALID_SOCK() macro was made to only check for FD_SETSIZE if curl was
-  built to use select(), even though the curl_multi_fdset() function
-  always and unconditionally uses FD_SET and needs the check.
+  Previously we saw errors attempting to run "brew install", see
+  https://github.com/curl/curl/runs/4095721123?check_suite_focus=true for
+  an example, since this command is idempotent, it is safe to run again.
   
-  Reported-by: 0xee on github
-  Fixes #7718
-  Closes #7719
-
-- FAQ: add GOPHERS + curl works on data, not files
+  Closes #7955
 
-Version 7.79.0 (14 Sep 2021)
+- CURLOPT_ALTSVC_CTRL.3: mention conn reuse is preferred
+  
+  Ref: https://github.com/curl/curl/discussions/7954
+  
+  Closes #7957
 
-Daniel Stenberg (14 Sep 2021)
 - RELEASE-NOTES: synced
+
+- zuul: pin the quiche build to use an older cmake-rs
   
-  For the 7.79.0 release
+  The latest cmake-rs assumes cmake's --parallel works. That was added in
+  cmake 3.12, but a lot of our CI builds run on Ubuntu Bionic which only
+  has cmake 3.10.
+  
+  Fixes #7927
+  Closes #7952
 
-- THANKS: add contributors from 7.79.0 release cycle
+- [Marc Hoersken brought this change]
 
-- FAQ: add two dev related questions
+  Revert "src/tool_filetime: disable -Wformat on mingw for this file"
   
-    8.1 Why does curl use C89?
-    8.2 Will curl be rewritten?
+  This reverts commit 7c88fe375b15c44d77bccc9ab733b8069d228e6f.
   
-  Spell-checked-by: Paul Johnson
-  Closes #7715
+  Follow up to #6535 as the pragma is obsolete with warnf
+  
+  Closes #7941
 
-- zuul.d/jobs: disable three tests for *-openssl-disable-proxy
+Jay Satiro (2 Nov 2021)
+- schannel: fix memory leak due to failed SSL connection
   
-  ... as they mysteriously seem to permfail without being related to
-  proxy.
+  - Call schannel_shutdown if the SSL connection fails.
   
-  Closes #7714
-
-- [Patrick Monnerat brought this change]
-
-  ftp,imap,pop3,smtp: reject STARTTLS server response pipelining
+  Prior to this change schannel_shutdown (which shuts down the SSL
+  connection as well as memory cleanup) was not called when the SSL
+  connection failed (eg due to failed handshake).
   
-  If a server pipelines future responses within the STARTTLS response, the
-  former are preserved in the pingpong cache across TLS negotiation and
-  used as responses to the encrypted commands.
+  Co-authored-by: Gisle Vanem
   
-  This fix detects pipelined STARTTLS responses and rejects them with an
-  error.
+  Fixes https://github.com/curl/curl/issues/7877
+  Closes https://github.com/curl/curl/pull/7878
+
+Daniel Stenberg (2 Nov 2021)
+- Curl_updateconninfo: store addresses for QUIC connections too
   
-  CVE-2021-22947
+  So that CURLINFO_PRIMARY_IP etc work for HTTP/3 like for other HTTP
+  versions.
   
-  Bug: https://curl.se/docs/CVE-2021-22947.html
+  Reported-by: Jerome Mao
+  Fixes #7939
+  Closes #7944
 
-- [Patrick Monnerat brought this change]
+- [Sergio Durigan Junior brought this change]
 
-  ftp,imap,pop3: do not ignore --ssl-reqd
+  curl.1: fix typos in the manpage
   
-  In imap and pop3, check if TLS is required even when capabilities
-  request has failed.
+  s/transfering/transferring/
+  s/transfered/transferred/
   
-  In ftp, ignore preauthentication (230 status of server greeting) if TLS
-  is required.
+  Signed-off-by: Sergio Durigan Junior <sergiodj@sergiodj.net>
+  Closes #7937
+
+Marc Hoersken (1 Nov 2021)
+- tests/smbserver.py: fix compatibility with impacket 0.9.23+
   
-  Bug: https://curl.se/docs/CVE-2021-22946.html
+  impacket now performs sanity checks if the requested and to
+  be served file path actually is inside the real share path.
   
-  CVE-2021-22946
+  Ref: https://github.com/SecureAuthCorp/impacket/pull/1066
+  
+  Fixes #7924
+  Closes #7935
 
-- [z2_ on hackerone brought this change]
+Daniel Stenberg (1 Nov 2021)
+- docs: reduce use of "very"
+  
+  "Very" should be avoided in most texts. If intensifiers are needed, try
+  find better words instead.
+  
+  Closes #7936
 
-  mqtt: clear the leftovers pointer when sending succeeds
+- [Tatsuhiro Tsujikawa brought this change]
+
+  ngtcp2: specify the missing required callback functions
   
-  CVE-2021-22945
+  Closes #7929
+
+- CURLOPT_[PROXY]_SSL_CIPHER_LIST.3: bold instead of quote
   
-  Bug: https://curl.se/docs/CVE-2021-22945.html
+  Bold the example ciphers instead of using single quotes, which then also
+  avoids the problem of how to use single quotes when first in a line.
+  
+  Also rephrased the pages a little.
+  
+  Reported-by: Sergio Durigan Junior
+  Ref: #7928
+  Closes #7934
 
-- zuul: bump the rustls job to use v0.7.2
+- gen.pl: replace leading single quotes with \(aq
   
-  ... and add -lm when using a rust library.
+  ... and allow single quotes to be used "normally" in the .d files.
   
-  Closes #7701
+  Makes the output curl.1 use better nroff.
+  
+  Reported-by: Sergio Durigan Junior
+  Ref: #7928
+  Closes #7933
 
-- RELEASE-PROCEDURE: add release dates from now to 8.0.0 in 2023
+Marc Hoersken (1 Nov 2021)
+- tests: kill some test servers afterwards to avoid locked logfiles
+  
+  Reviewed-by: Daniel Stenberg
+  Closes #7925
 
-- SECURITY-PROCESS: tweak a little to match current practices
+Daniel Stenberg (1 Nov 2021)
+- smooth-gtk-thread.c: enhance the mutex lock use
   
-  Closes #7713
+  Reported-by: ryancaicse on github
+  Fixes #7926
+  Closes #7931
 
-- http_proxy: fix the User-Agent inclusion in CONNECT
+Marc Hoersken (31 Oct 2021)
+- CI/runtests.pl: restore -u flag, but remove it from CI runs
   
-  It should not refer to the uagent string that is allocated and created
-  for the end server http request, as that pointer may be cleared on
-  subsequent CONNECT requests.
+  This makes it possible to use -u again for local testing,
+  but removes the flag from CI config files and make targets.
   
-  Added test case 1184 to verify.
+  Reviewed-by: Daniel Stenberg
   
-  Reported-by: T200proX7 on github
-  Fixes #7705
-  Closes #7707
+  Partially reverts #7841
+  Closes #7921
 
-- Curl_hsts_loadcb: don't attempt to load if hsts wasn't inited
+Daniel Stenberg (29 Oct 2021)
+- [Jonathan Cardoso Machado brought this change]
+
+  CURLOPT_HSTSWRITEFUNCTION.3: using CURLOPT_HSTS_CTRL is required
   
-  Reported-by: Jonathan Cardoso
-  Fixes #7710
-  Closes #7711
+  Closes #7923
 
-- [Tatsuhiro Tsujikawa brought this change]
+- [Axel Morawietz brought this change]
 
-  ngtcp2: fix build with ngtcp2 and nghttp3
+  imap: display quota information
   
-  ngtcp2_conn_client_new and nghttp3_conn_client_new are now macros.
-  Check the wrapped functions instead.
+  Show response to "GETQUOTAROOT INBOX" command.
   
-  ngtcp2_stream_close callback now takes flags parameter.
+  Closes #6973
+
+- RELEASE-NOTES: synced
+
+- [Boris Rasin brought this change]
+
+  cmake: fix error getting LOCATION property on non-imported target
   
-  Closes #7709
+  Closes #7885
 
-- write-out.d: clarify size_download/upload
+- [x2018 brought this change]
+
+  url: check the return value of curl_url()
   
-  They show the number of "body" bytes transfered.
-  Fixes #7702
-  Closes #7706
+  Closes #7917
 
-- http2: Curl_http2_setup needs to init stream data in all invokes
+- [Roy Li brought this change]
+
+  configure.ac: replace krb5-config with pkg-config
   
-  Thus function was written to avoid doing multiple connection data
-  initializations, which is fine, but since it also initiates stream
-  related data it is crucial that it doesn't skip those even if called
-  again for the same connection. Solved by moving the stream
-  initializations before the "doing-it-again" check.
+  The rationale is that custom *-config tools don't work well when
+  cross-compiling or using sysroots (such as when using Yocto project) and
+  require custom fixing for each of them; pkg-config on the other hand
+  works similarly everywhere.
   
-  Reported-by: Inho Oh
-  Fixes #7630
-  Closes #7692
+  Signed-off-by: Roy Li <rongqing.li@windriver.com>
+  Signed-off-by: Alexander Kanavin <alex@linutronix.de>
+  
+  Closes #7916
 
-- url: fix compiler warning in no-verbose builds
+- test1160: edited to work with hyper
   
-  Follow-up from 2f0bb864c12
+  Closes #7912
+
+- data/DISABLED: enable tests that now work with hyper
   
-  Closes #7700
+  Closes #7911
 
-- non-ascii: fix build errors from strerror fix
+- test559: add 'HTTP' in keywords
   
-  Follow-up to 2f0bb864c12
+  Makes it run fine with hyper
   
-  Closes #7697
+  Closes #7911
 
-- parse_args: redo the warnings for --remote-header-name combos
+- test552: updated to work with hyper
   
-  ... to avoid the memory leak risk pointed out by scan-build.
+  Closes #7911
+
+Marc Hoersken (27 Oct 2021)
+- github: fix incomplete permission to label PRs for Hacktoberfest
   
-  Follow-up from 7a3e981781d6c18a
+  Unfortunately the GitHub API requires a token with write permission
+  for both issues and pull-requests to edit labels on even just PRs.
   
-  Closes #7698
+  Follow up to #7897
 
-- ngtcp2: adapt to new size defintions upstream
+Daniel Stenberg (27 Oct 2021)
+- opt-manpages: use 'Added in' instead of 'Since'
   
-  Reviewed-by: Tatsuhiro Tsujikawa
-  Closes #7699
+  Closes #7913
 
-- rustls: add strerror.h include
+Marc Hoersken (27 Oct 2021)
+- github: fix missing permission to label PRs for Hacktoberfest
   
-  Follow-up to 2f0bb864c12
+  Follow up to #7897
+  
+  Test references to see if permissions are now sufficient:
+  
+  Closes #7832
+  Closes #7897
 
-- docs: the security list is reached at security at curl.se now
+- CI: more use of test-ci make target and verbose output
   
-  Also update the FAQ section a bit to encourage users to rather submit
-  security issues on hackerone than sending email.
+  Replace test-nonflaky with test-ci and enable verbose output
+  in all remaining CIs except Zuul which is customized a lot.
   
-  Closes #7689
+  Reviewed-by: Daniel Stenberg
+  Reviewed-by: Jay Satiro
+  
+  Follow up to #7785
+  Closes #7832
 
-Marc Hoersken (9 Sep 2021)
-- runtests: add option -u to error on server unexpectedly alive
+- github: add support for Hacktoberfest using labels
   
-  Let's try to actually handle the server unexpectedly alive
-  case by first making them visible on CI builds as failures.
+  Automatically add hacktoberfest-accepted label to PRs opened between
+  September 30th and November 1st once a commit with a close reference
+  to it is pushed onto the master branch.
   
-  This is needed to detect issues with killing of the test
-  servers completely including nested process chains with
-  multiple PIDs per test server (including bash and perl).
+  With this workflow we can participate in Hacktoberfest while not
+  relying on GitHub to identify PRs as merged due to our rebasing.
   
-  On Windows/cygwin platforms this is especially helpful with
-  debugging PID mixups due to cygwin using its own PID space.
+  Requires hacktoberfest-accepted labels to exist for PRs on the
+  participating repository. Also requires hacktoberfest topic on
+  the participating repository to avoid applying to forked repos.
   
   Reviewed-by: Daniel Stenberg
-  Closes #7180
+  
+  Fixes #7865
+  Closes #7897
 
-Daniel Stenberg (9 Sep 2021)
-- opts docs: unify phrasing in NAME header
+Daniel Stenberg (27 Oct 2021)
+- http: reject HTTP response codes < 100
   
-  - avoid writing "set ..." or "enable/disable ..." or "specify ..."
-    *All* options for curl_easy_setopt() are about setting or enabling
-    things and most of the existing options didn't use that way of
-    description.
+  ... which then also includes negative ones as test 1430 uses.
   
-  - start with lowercase letter, unless abbreviation. For consistency.
+  This makes native + hyper backend act identically on this and therefore
+  test 1430 can now be enabled when building with hyper. Adjust test 1431
+  as well.
   
-  - Some additional touch-ups
+  Closes #7909
+
+- [Kerem Kat brought this change]
+
+  docs: fix typo in CURLOPT_TRAILERFUNCTION example
   
-  Closes #7688
+  Closes #7910
 
-- strerror.h: remove the #include from files not using it
+- docs/HYPER: remove some remaining issues, add HTTP/0.9 limitation
 
-- lib: don't use strerror()
+- configure: when hyper is selected, deselect nghttp2
   
-  We have and provide Curl_strerror() internally for a reason: strerror()
-  is not necessarily thread-safe so we should always try to avoid it.
+  Closes #7908
+
+- [Patrick Monnerat brought this change]
+
+  sendf: accept zero-length data in Curl_client_write()
   
-  Extended checksrc to warn for this, but feature the check disabled by
-  default and only enable it in lib/
+  Historically, Curl_client_write() used a length value of 0 as a marker
+  for a null-terminated data string. This feature has been removed in
+  commit f4b85d2. To detect leftover uses of the feature, a DEBUGASSERT
+  statement rejecting a length with value 0 was introduced, effectively
+  precluding use of this function with zero-length data.
   
-  Closes #7685
-
-Daniel Gustafsson (8 Sep 2021)
-- cirrus: Add FreeBSD 13.0 job and disable sanitizer build
+  The current commit removes the DEBUGASSERT and makes the function to
+  return immediately if length is 0.
   
-  As alluded to the in the now removed comment, a 13.0 image became
-  available and is now ready to be used.
+  A direct effect is to fix trying to output a zero-length distinguished
+  name in openldap.
   
-  The sanitizer builds were running on the 12.1 image which since has
-  been removed from the config, leaving the builds not running at all.
-  When enabled it turns out that they don't actually work due to very
-  long timeouts in executing the tests, so keep the disabled for now
-  but a bit more controlled.
+  Another DEBUGASSERT statement is also rephrased for better readability.
   
-  Closes #7592
-
-Daniel Stenberg (8 Sep 2021)
-- copyrights: update copyright year ranges
+  Closes #7898
 
-- RELEASE-NOTES: synced
+- hyper: disable test 1294 since hyper doesn't allow such crazy headers
+  
+  Closes #7905
 
-- INTERNALS: c-ares has a new home: c-ares.org
+- c-hyper: make CURLOPT_SUPPRESS_CONNECT_HEADERS work
+  
+  Verified by the enabled test 1288
+  
+  Closes #7905
 
-- docs: remove experimental mentions from HSTS and MQTT
+- test1287: make work on hyper
   
-  Reported-by: Jonathan Cardoso
-  Bug: https://github.com/curl/curl/pull/6700#issuecomment-913792863
-  Closes #7681
+  Closes #7905
 
-- [Cao ZhenXiang brought this change]
+- test1266/1267: disabled on hyper: no HTTP/0.9 support
+  
+  Closes #7905
 
-  curl: add warning for incompatible parameters usage
+Viktor Szakats (25 Oct 2021)
+- Makefile.m32: fix to not require OpenSSL with -libssh2 or -rtmp options
   
-  --continue-at - and --remote-header-name are known incompatible parameters
+  Previously, -libssh2/-rtmp options assumed that OpenSSL is also enabled
+  (and then failed with an error when not finding expected OpenSSL headers),
+  but this isn't necessarly true, e.g. when building both libssh2 and curl
+  against Schannel. This patch makes sure to only enable the OpenSSL backend
+  with -libssh2/-rtmp, when there was no SSL option explicitly selected.
   
-  Closes #7674
-
-- [git-bruh brought this change]
+  - Re-implement the logic as a single block of script.
+  - Also fix an indentation while there.
+  
+  Assisted-by: Jay Satiro
+  
+  Closes #7895
 
-  examples/*hiperfifo.c: fix calloc arguments to match function proto
+Daniel Stenberg (25 Oct 2021)
+- docs: consistent use of "Added in"
   
-  Closes #7678
+  Make them all say "Added in [version]" without using 'curl' or 'libcurl'
+  in that phrase.
 
-- INTERNALS: bump c-ares requirement to 1.16.0
+- man pages: require all to use the same section header order
   
-  Since ba904db0705c93 we use ares_getaddrinfo, added in c-ares 1.16.0
+  This is the same order we already enforce among the options' man pages:
+  consistency is good. Add lots of previously missing examples.
+  
+  Adjust the manpage-syntax script for this purpose, used in test 1173.
+  
+  Closes #7904
 
-- curl: stop retry if Retry-After: is longer than allowed
+- [David Hu brought this change]
+
+  docs/HTTP3: improve build instructions
   
-  If Retry-After: specifies a period that is longer than what fits within
-  --retry-max-time, then stop retrying immediately.
+  1. If writing to a system path if the command is not prefixed with
+  `sudo` it will cause a permission denied error
   
-  Added test 366 to verify.
+  2. The patched OpenSSL branch has been updated to `openssl-3.0.0+quic`
+  to match upstream OpenSSL version.
   
-  Reported-by: Kari Pahula
-  Fixes #7675
-  Closes #7676
+  3. We should not disable GnuTLS docs.
+  
+  Updated some commands about `make install`
+  
+  Closes #7842
 
-- [Michał Antoniak brought this change]
+- [Ricardo Martins brought this change]
 
-  mbedtls: avoid using a large buffer on the stack
+  CMake: restore support for SecureTransport on iOS
   
-  Use dynamic memory allocation for the buffer used in checking "pinned
-  public key". The PUB_DER_MAX_BYTES parameter with default settings is
-  set to a value greater than 2kB.
+  Restore support for building curl for iOS with SecureTransport enabled.
   
-  Co-authored-by: Daniel Stenberg
-  Closes #7586
+  Closes #7501
 
-- configure: make --disable-hsts work
+- tests: enable more tests with hyper
   
-  The AC_ARG_ENABLE() macro itself uses a variable called
-  'enable_[option]', so when our script also used a variable with that
-  name for the purpose of storing what the user wants, it also
-  accidentally made it impossible to switch off the feature with
-  --disable-hsts. Fix this by renaming our variable.
+  Adjusted 1144, 1164 and 1176.
   
-  Reported-by: Michał Antoniak
-  Fixes #7669
-  Closes #7672
+  Closes #7900
 
-Jay Satiro (5 Sep 2021)
-- config.d: note that curlrc is used even when --config
+- docs: provide "RETURN VALUE" section for more func manpages
   
-  Bug: https://github.com/curl/curl/pull/7666#issuecomment-912214751
-  Reported-by: Viktor Szakats
+  Three were missing, one used a non-standard name for the header.
   
-  Closes https://github.com/curl/curl/pull/7667
+  Closes #7902
 
-Daniel Stenberg (4 Sep 2021)
+Jay Satiro (25 Oct 2021)
+- curl_multi_socket_action.3: add a "RETURN VALUE" section
+  
+  .. because it may not be immediately clear to the user what
+  curl_multi_socket_action returns.
+  
+  Ref: https://curl.se/mail/lib-2021-10/0035.html
+  
+  Closes https://github.com/curl/curl/pull/7901
+
+Daniel Stenberg (24 Oct 2021)
 - RELEASE-NOTES: synced
 
-- test1173: check references to libcurl options
+- [Samuel Henrique brought this change]
+
+  tests: use python3 in test 1451
   
-  ... that they refer to actual existing libcurl options.
+  This is a continuation of commit ec91b5a69000bea0794bbb3 in which
+  changing this test was missed.  There are no other python2 leftovers
+  now.
   
-  Reviewed-by: Daniel Gustafsson
-  Closes #7656
+  Based on a Debian patch originally written by Alessandro Ghedini
+  <ghedo@debian.org>
+  
+  Closes #7899
 
-- CURLOPT_UNIX_SOCKET_PATH.3: remove nginx reference, add see also
+- [Eddie Lumpkin brought this change]
+
+  lib: fixing comment spelling typos in lib files
   
-  Closes #7656
+  Closes #7894
+  Signed-off-by: ewlumpkin <ewlumpkin@gmail.com>
 
-- opt-docs: verify man page sections + order
+- openssl: if verifypeer is not requested, skip the CA loading
   
-  In every libcurl option man page there are now 8 mandatory sections that
-  must use the right name in the correct order and test 1173 verifies
-  this. Only 14 man pages needed adjustments.
+  It was previously done mostly to show a match/non-match in the verbose
+  output even when verification was not asked for. This change skips the
+  loading of the CA certs unless verifypeer is set to save memory and CPU.
   
-  The sections and the order is as follows:
+  Closes #7892
+
+- curl-confopts.m4:  remove --enable/disable-hidden-symbols
   
-   - NAME
-   - SYNOPSIS
-   - DESCRIPTION
-   - PROTOCOLS
-   - EXAMPLE
-   - AVAILABILITY
-   - RETURN VALUE
-   - SEE ALSO
+  These configure options have been saying "deprecated" since 9e24b9c7af
+  (April 2012). It was about time we remove them.
   
-  Reviewed-by: Daniel Gustafsson
-  Closes #7656
+  Closes #7891
 
-- opt-docs: make sure all man pages have examples
+- c-hyper: don't abort CONNECT responses early when auth-in-progress
   
-  Extended manpage-syntax.pl (run by test 1173) to check that every man
-  page for a libcurl option has an EXAMPLE section that is more than two
-  lines. Then fixed all errors it found and added examples.
+  ... and make sure to stop ignoring the body once the CONNECT is done.
   
-  Reviewed-by: Daniel Gustafsson
-  Closes #7656
+  This should make test 206 work proper again and not be flaky.
+  
+  Closes #7889
 
-- get.d: provide more useful examples
+- hyper: does not support disabling CURLOPT_HTTP_TRANSFER_DECODING
   
-  Closes #7668
+  Simply because hyper doesn't have this ability. Mentioned in docs now.
+  
+  Skip test 326 then
+  
+  Closes #7889
 
-- page-header: add GOPHERS, simplify wording in the 1st para
+- test262: don't attempt with hyper
   
-  Closes #7665
+  This test verifies that curl works with binary zeroes in HTTP response
+  headers and hyper refuses such. They're not kosher http.
+  
+  Closes #7889
 
-- connect: get local port + ip also when reusing connections
+- c-hyper: make test 217 run
   
-  Regression. In d6a37c23a3c (7.75.0) we removed the duplicated storage
-  (connection + easy handle), so this info needs be extracted again even
-  for re-used connections.
+  Closes #7889
+
+- DISABLED: enable test 209+213 for hyper
   
-  Add test 435 to verify
+  Follow-up to 823d3ab855c
   
-  Reported-by: Max Dymond
-  Fixes #7660
-  Closes #7662
+  Closes #7889
 
-Marcel Raad (2 Sep 2021)
-- multi: fix compiler warning with `CURL_DISABLE_WAKEUP`
+- test207: accept a different error code for hyper
   
-  `use_wakeup` is unused in this case.
+  It returns HYPERE_UNEXPECTED_EOF for this case which we convert to the
+  somewhat generic CURLE_RECV_ERROR.
   
-  Closes https://github.com/curl/curl/pull/7661
+  Closes #7889
 
-Daniel Stenberg (1 Sep 2021)
-- tests: adjust the tftpd output to work with hyper mode
+- [Érico Nogueira brought this change]
+
+  INSTALL: update symbol hiding option
   
-  By making them look less like http headers, the hyper mode "tweak"
-  doesn't interfere.
+  --enable-hidden-symbols was deprecated in
+  9e24b9c7afbcb81120af4cf3f6cdee49a06d8224.
   
-  Enable test 2002 and 2003 in hyper builds (and 1280 which is unrelated
-  but should be enabled).
+  Closes #7890
+
+- http_proxy: multiple CONNECT with hyper done better
   
-  Closes #7658
+  Enabled test 206
+  
+  Closes #7888
 
-Daniel Gustafsson (1 Sep 2021)
-- [Gisle Vanem brought this change]
+- hyper: pass the CONNECT line to the debug callback
+  
+  Closes #7887
 
-  openssl: annotate SSL3_MT_SUPPLEMENTAL_DATA
+- mailmap: Malik Idrees Hasan Khan
+
+Jay Satiro (21 Oct 2021)
+- [Malik Idrees Hasan Khan brought this change]
+
+  build: fix typos
   
-  This adds support for the previously unhandled supplemental data which
-  in -v output was printed like:
+  Closes https://github.com/curl/curl/pull/7886
+
+- URL-SYNTAX: add IMAP UID SEARCH example
   
-      TLSv1.2 (IN), TLS header, Unknown (23):
+  - Explain the difference between IMAP search via URL (which returns
+    message sequence numbers) and IMAP search via custom request (which
+    can return UID numbers if prefixed with UID, eg "UID SEARCH ...").
   
-  These will now be printed with proper annotation:
+  Bug: https://github.com/curl/curl/issues/7626
+  Reported-by: orycho@users.noreply.github.com
   
-      TLSv1.2 (OUT), TLS header, Supplemental data (23):
+  Ref: https://github.com/curl/curl/issues/2789
   
-  Closes #7652
-  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+  Closes https://github.com/curl/curl/pull/7881
 
-Daniel Stenberg (1 Sep 2021)
-- curl.1: provide examples for each option
+Daniel Stenberg (20 Oct 2021)
+- manpage: adjust the asterisk in some SYNOPSIS sections
   
-  The file format for each option now features a "Example:" header that
-  can provide one or more examples that get rendered appropriately in the
-  output. All options MUST have at least one example or gen.pl complains
-  at build-time.
+  Closes #7884
+
+- curl_multi_perform.3: polish wording
   
-  This fix also does a few other minor format and consistency cleanups.
+   - simplify the example by using curl_multi_poll
   
-  Closes #7654
-
-- progress: make trspeed avoid floats
+   - mention curl_multi_add_handle in the text
   
-  and compiler warnings for data conversions.
+   - cut out the description of pre-7.20.0 return code behavior - that version
+     is now more than eleven years old and is basically no longer out there
   
-  Reported-by: Michał Antoniak
-  Fixes #7645
-  Closes #7653
+   - adjust the "typical usage" to mention curl_multi_poll
+  
+  Closes #7883
 
-- test365: verify response with chunked AND Content-Length headers
+- docs/THANKS: removed on request
 
-- http: ignore content-length if any transfer-encoding is used
-  
-  Fixes #7643
-  Closes #7649
+- FAQ: polish the explanation of libcurl
 
-- RELEASE-NOTES: synced
+- curl_easy_perform.3: minor wording tweak
 
-- Revert "http2: skip immediate parsing of payload following protocol switch"
+- [Erik Stenlund brought this change]
+
+  mime: mention CURL_DISABLE_MIME in comment
   
-  This reverts commit 455a63c66f188598275e87d32de2c4e8e26b80cb.
+  CURL_DISABLE_MIME is not mentioned in the comment describing the if else
+  preprocessor directive.
   
-  Reported-by: Tk Xiong
-  Fixes #7633
-  Closes #7648
+  Closes #7882
 
-- KNOWN_BUGS: HTTP/3 doesn't support client certs
+- tls: remove newline from three infof() calls
   
-  Closes #7625
+  Follow-up to e7416cf
+  
+  Reported-by: billionai on github
+  Fixes #7879
+  Closes #7880
 
-- mailing lists: move from cool.haxx.se to lists.haxx.se
+- RELEASE-NOTES: synced
 
-- http_proxy: only wait for writable socket while sending request
+- curl_gssapi: fix build warnings by removing const
   
-  Otherwise it would wait socket writability even after the entire CONNECT
-  request has sent and make curl basically busy-loop while waiting for a
-  response to come back.
+  Follow-up to 20e980f85b0ea6
   
-  The previous fix attempt in #7484 (c27a70a591a4) was inadequate.
+  In #7875 these inits were modified but I get two warnings that these new
+  typecasts are necessary for.
   
-  Reported-by: zloi-user on github
-  Reported-by: Oleguer Llopart
-  Fixes #7589
-  Closes #7647
+  Closes #7876
 
-- http: disallow >3-digit response codes
-  
-  Make the built-in HTTP parser behave similar to hyper and reject any
-  HTTP response using more than 3 digits for the response code.
-  
-  Updated test 1432 accordingly.
-  Enabled test 1432 in the hyper builds.
+- [Bo Anderson brought this change]
+
+  curl_gssapi: fix link error on macOS Monterey
   
-  Closes #7641
+  Fixes #7657
+  Closes #7875
 
-- [Tatsuhiro Tsujikawa brought this change]
+- test1185: verify checksrc
+  
+  Closes #7866
 
-  ngtcp2: stop buffering crypto data
+- checksrc: improve the SPACESEMICOLON error message
   
-  Stop buffering crypto data because libngtcp2 now buffers submitted
-  crypto data.
+  and adjust the MULTISPACE one to use plural
   
-  Closes #7637
+  Closes #7866
 
-- test1280: CRLFify the response to please hyper
+- url: set "k->size" -1 at start of request
   
-  Closes #7639
+  The size of the transfer is unknown at that point.
+  
+  Fixes #7871
+  Closes #7872
 
-- tests: enable test 1129 for hyper builds
+Daniel Gustafsson (18 Oct 2021)
+- doh: remove experimental code for DoH with GET
   
-  Closes #7638
+  The code for sending DoH requests with GET was never enabled in a way
+  such that it could be used or tested. As there haven't been requests
+  for this feature, and since it at this is effectively dead, remove it
+  and favor reimplementing the feature in case anyone is interested.
+  
+  Closes #7870
+  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
 
-- curl: better error message when -O fails to get a good name
+Daniel Stenberg (18 Oct 2021)
+- cirrus: remove FreeBSD 11.4 from the matrix
   
-  Due to how this currently works internally, it needs a working initial
-  file name to store contents in, so it may still fail even with -J is
-  used (and thus accepting a name from content-disposition:) if the file
-  name part of the URL isn't "good enough".
+  It has reached End-Of-Life and causes some LDAP CI issues.
   
-  Fixes #7628
-  Closes #7635
+  Closes #7869
 
-- curl_easy_setopt: tweak the string copy wording
+- cirrus: switch to openldap24-client
   
-  Reported-by: Yaobin Wen
-  Fixes #7632
-  Closes #7634
-
-- RELEASE-NOTES: synced
-
-- [Don J Olmstead brought this change]
+  ... as it seems openldap-client doesn't exist anymore.
+  
+  Reported-by: Jay Satiro
+  Fixes #7868
+  Closes #7869
 
-  cmake: sync CURL_DISABLE options
+- checksrc: ignore preprocessor lines
   
-  Adds the full listing of CURL_DISABLE options to the CMake build. Moves
-  all option code, except for CURL_DISABLE_OPENSSL_AUTO_LOA_CONFIG which
-  resides near OpenSSL configuration, to the same block of code. Also
-  sorts the options here and in the cmake config header.
+  In order to check the actual code better, checksrc now ignores
+  everything that look like preprocessor instructions. It also means
+  that code in macros are now longer checked.
   
-  Additionally sorted the CURL-DISABLE listing and fixed the
-  CURL_DISABLE_POP3 option.
+  Note that some rules then still don't need to be followed when code is
+  exactly below a cpp instruction.
   
-  Closes #7624
+  Removes two checksrc exceptions we needed previously because of
+  preprocessor lines being checked.
+  
+  Reported-by: Marcel Raad
+  Fixes #7863
+  Closes #7864
 
-Jay Satiro (25 Aug 2021)
-- KNOWN_BUGS: FTPS upload data loss with TLS 1.3
+- urlapi: skip a strlen(), pass in zero
   
-  Bug: https://github.com/curl/curl/issues/6149
-  Reported-by: Bylon2@users.noreply.github.com
+  ... to let curl_easy_escape() itself do the strlen. This avoids a (false
+  positive) Coverity warning and it avoids us having to store the strlen()
+  return value in an int variable.
   
-  Closes https://github.com/curl/curl/pull/7623
+  Reviewed-by: Daniel Gustafsson
+  Closes #7862
 
-Daniel Stenberg (24 Aug 2021)
-- cmake: avoid poll() on macOS
+- misc: update copyright years
+
+- examples/htmltidy: correct wrong printf() use
   
-  ... like we do in configure builds. Since poll() on macOS is not
-  reliable enough.
+  ... and update the includes to match how current htmltidy wants them
+  used.
   
-  Reported-by: marc-groundctl
-  Fixes #7595
-  Closes #7619
+  Reported-by: Stathis Kapnidis
+  Fixes #7860
+  Closes #7861
 
-- c-hyper: handle HTTP/1.1 => HTTP/1.0 downgrade on reused connection
+Jay Satiro (15 Oct 2021)
+- http: set content length earlier
   
-  Enable test 1074
+  - Make content length (ie download size) accessible to the user in the
+    header callback, but only after all headers have been processed (ie
+    only in the final call to the header callback).
   
-  Closes #7617
-
-- c-hyper: deal with Expect: 100-continue combined with POSTFIELDS
+  Background:
   
-  Enable test 1130 and 1131
+  For a long time the content length could be retrieved in the header
+  callback via CURLINFO_CONTENT_LENGTH_DOWNLOAD_T as soon as it was parsed
+  by curl.
   
-  Closes #7616
+  Changes were made in 8a16e54 (precedes 7.79.0) to ignore content length
+  if any transfer encoding is used. A side effect of that was that
+  content length was not set by libcurl until after the header callback
+  was called the final time, because until all headers are processed it
+  cannot be determined if content length is valid.
+  
+  This change keeps the same intention --all headers must be processed--
+  but now the content length is available before the final call to the
+  header function that indicates all headers have been processed (ie
+  a blank header).
+  
+  Bug: https://github.com/curl/curl/commit/8a16e54#r57374914
+  Reported-by: sergio-nsk@users.noreply.github.com
+  
+  Co-authored-by: Daniel Stenberg
+  
+  Fixes https://github.com/curl/curl/issues/7804
+  Closes https://github.com/curl/curl/pull/7803
 
-- [a1346054 brought this change]
+Daniel Stenberg (15 Oct 2021)
+- [Abhinav Singh brought this change]
 
-  tests: be explicit about using 'python3' instead of 'python'
+  aws-sigv4: make signature work when post data is binary
   
-  This fixes running tests in virtualenvs (or on distros) that no longer
-  have a symlink from python to python2 or python3.
+  User sets the post fields size for binary data.  Hence, we should not be
+  using strlen on it.
   
-  Closes #7602
+  Added test 1937 and 1938 to verify.
+  
+  Closes #7844
 
 - [a1346054 brought this change]
 
-  scripts: invoke interpreters through /usr/bin/env
+  MacOSX-Framework: remove redundant ';'
   
-  Closes #7602
+  Closes #7859
 
-- DISABLED: enable 11 more tests for hyper builds
+- RELEASE-NOTES: synced
+
+- openssl: with OpenSSL 1.1.0+ a failed RAND_status means goaway
   
-  Closes #7612
+  One reason we know it can fail is if a provider is used that doesn't do
+  a proper job or is wrongly configured.
+  
+  Reported-by: Michael Baentsch
+  Fixes #7840
+  Closes #7856
 
-- setopt: enable CURLOPT_IGNORE_CONTENT_LENGTH for hyper
+Marcel Raad (14 Oct 2021)
+- [Ryan Mast brought this change]
+
+  cmake: add CURL_ENABLE_SSL option and make CMAKE_USE_* SSL backend options depend on it
   
-  Since this option is also used for FTP, it needs to work to set for
-  applications even if hyper doesn't support it for HTTP. Verified by test
-  1137.
+  Closes https://github.com/curl/curl/pull/7822
+
+Daniel Stenberg (14 Oct 2021)
+- http: remove assert that breaks hyper
   
-  Updated docs to specify that the option doesn't work for HTTP when using
-  the hyper backend.
+  Reported-by: Jay Satiro
+  Fixes #7852
+  Closes #7855
+
+- http_proxy: fix one more result assign for hyper
   
-  Closes #7614
+  and remove the bad assert again, since it was run even with no error!
+  
+  Closes #7854
 
-- test1138: remove trailing space to make work with hyper
+Jay Satiro (14 Oct 2021)
+- sws: fix memory leak on exit
   
-  Closes #7613
+  - Free the allocated http request struct on cleanup.
+  
+  Prior to this change if sws was built with leak sanitizer it would
+  report a memory leak error during testing.
+  
+  Closes https://github.com/curl/curl/pull/7849
 
-- libcurl-errors.3: clarify two CURLUcode errors
+Daniel Stenberg (14 Oct 2021)
+- c-hyper: make Curl_http propagate errors better
   
-  CURLUE_BAD_HANDLE and CURLUE_BAD_PARTPOINTER should be for "bad" or
-  wrong pointers in a generic sense, not just for NULL pointers.
+  Pass on better return codes when errors occur within Curl_http instead
+  of insisting that CURLE_OUT_OF_MEMORY is the only possible one.
   
-  Reviewed-by: Jay Satiro
+  Pointed-out-by: Jay Satiro
+  Closes #7851
+
+- http_proxy: make hyper CONNECT() return the correct error code
   
-  Ref: #7605
-  Closes #7611
+  For every 'goto error', make sure the result variable holds the error
+  code for what went wrong.
+  
+  Reported-by: Rafał Mikrut
+  Fixes #7825
+  Closes #7846
 
-Jay Satiro (23 Aug 2021)
-- symbols-in-versions: fix CURLSSLBACKEND_QSOSSL last used version
+- docs/Makefile.am: repair 'make html'
   
-  ... and also change the 'Removed' column name to 'Last' since that
-  column is for the last version to contain the symbol.
+  by removing index.html which isn't around anymore
   
-  Closes https://github.com/curl/curl/pull/7609
+  Closes #7853
 
-Daniel Stenberg (23 Aug 2021)
-- urlapi.c:seturl: assert URL instead of using if-check
+- [Борис Верховский brought this change]
+
+  curl: correct grammar in generated libcurl code
   
-  There's no code flow possible where this can happen. The assert makes
-  sure it also won't be introduced undetected in the future.
+  Closes #7802
+
+- tests: disable test 2043
   
-  Closes #7610
+  It uses revoked.badssl.com which now is expired and therefor this now
+  permafails. We should not use external sites for tests, this test should
+  be converted to use our own infra.
+  
+  Closes #7845
 
-- curl-openssl.m4: show correct output for OpenSSL v3
+- runtests: split out ignored tests
   
-  Using 3.0.0 versions configure should now show this:
+  Report ignore tests separately from the actual fails.
   
-  checking for OpenSSL headers version... 3.0.0 - 0x300
-  checking for OpenSSL library version... 3.0.0
-  checking for OpenSSL headers and library versions matching... yes
+  Don't exit non-zero if test servers couldn't get killed.
   
-  This output doesn't actually change what configure generates but is only
-  "cosmetic".
+  Assisted-by: Jay Satiro
   
-  Reported-by: Randall S. Becker
-  Fixes #7606
-  Closes #7608
+  Fixes #7818
+  Closes #7841
 
-Jay Satiro (22 Aug 2021)
-- mksymbolsmanpage.pl: Fix showing symbol's last used version
+- http2: make getsock not wait for write if there's no remote window
   
-  Prior to this change the symbol's deprecated version was erroneously
-  shown as its last used version.
+  While uploading, check for remote window availability in the getsock
+  function so that we don't wait for a writable socket if no data can be
+  sent.
   
-  Bug: https://github.com/curl/curl/commit/4e53b94#commitcomment-55239509
-  Reported-by: i-ky@users.noreply.github.com
+  Reported-by: Steini2000 on github
+  Fixes #7821
+  Closes #7839
 
-Daniel Stenberg (21 Aug 2021)
-- mksymbolsmanpage.pl: match symbols case insenitively
+- test368: verify dash is appended for "-r [num]"
   
-  Follow-up to 4e53b9430c750 which made this bug show.
+  Follow-up to 8758a26f8878
+
+- [Борис Верховский brought this change]
+
+  curl: actually append "-" to --range without number only
   
-  Reported-by: i-ky
-  Bug: https://github.com/curl/curl/commit/4e53b9430c7504de8984796e2a2091ec16f27136#commitcomment-55239253
-  Closes #7607
+  Closes #7837
 
-- asyn-ares: call ares_freeaddrinfo() to clean up addrinfo results
+- RELEASE-NOTES: synced
+
+- urlapi: URL decode percent-encoded host names
   
-  As this leaks memory otherwise
+  The host name is stored decoded and can be encoded when used to extract
+  the full URL. By default when extracting the URL, the host name will not
+  be URL encoded to work as similar as possible as before. When not URL
+  encoding the host name, the '%' character will however still be encoded.
   
-  Follow-up to ba904db0705c931
+  Getting the URL with the CURLU_URLENCODE flag set will percent encode
+  the host name part.
   
-  Closes #7599
+  As a bonus, setting the host name part with curl_url_set() no longer
+  accepts a name that contains space, CR or LF.
+  
+  Test 1560 has been extended to verify percent encodings.
+  
+  Reported-by: Noam Moshe
+  Reported-by: Sharon Brizinov
+  Reported-by: Raul Onitza-Klugman
+  Reported-by: Kirill Efimov
+  Fixes #7830
+  Closes #7834
 
-- [Ehren Bendler brought this change]
+Marc Hoersken (8 Oct 2021)
+- CI/makefiles: introduce dedicated test target
+  
+  Make it easy to use the same set of test flags
+  throughout all current and future CI builds.
+  
+  Reviewed-by: Jay Satiro
+  
+  Follow up to #7690
+  Closes #7785
 
-  wolfssl: clean up wolfcrypt error queue
+Daniel Stenberg (8 Oct 2021)
+- maketgz: redirect updatemanpages.pl output to /dev/null
+
+- CURLOPT_HTTPHEADER.3: add descripion for specific headers
   
-  If wolfSSL is built in certain ways (OPENSSL_EXTRA or Debug), the error
-  queue gets added on to for each session and never freed. Fix it by
-  calling ERR_clear_error() like in vtls/openssl when needed. This func is
-  a no-op in wolfcrypt if the error queue is not enabled.
+  Settting Host: or Transfer-Encoding: chunked actually have special
+  meanings to libcurl. This change tries to document them
   
-  Closes #7594
+  Closes #7829
 
-- man pages: remove trailing whitespaces
+- c-hyper: use hyper_request_set_uri_parts to make h2 better
   
-  Extended test 1173 (via the manpage-syntax.pl script) to detect and warn
-  for them.
+  and make sure to not send Host: over h2.
   
-  Ref: #7602
-  Reported-by: a1346054 on github
-  Closes #7604
+  Fixes #7679
+  Reported-by: David Cook
+  Closes #7827
 
-- mailmap: add Gleb Ivanovsky
+- [Michael Afanasiev brought this change]
 
-- config.d: escape the backslash properly
+  curl-openssl.m4: modify library order for openssl linking
   
-  Closes #7603
+  lcrypto may depend on lz, and configure corrently fails with when
+  statically linking as the order is "-lz -lcrypto". This commit switches
+  the order to "-lcrypto -lz".
+  
+  Closes #7826
 
-- [Don J Olmstead brought this change]
+Marcel Raad (7 Oct 2021)
+- sha256: use high-level EVP interface for OpenSSL
+  
+  Available since OpenSSL 0.9.7. The low-level SHA256 interface is
+  deprecated in OpenSSL v3, and its usage was discouraged even before.
+  
+  Closes https://github.com/curl/curl/pull/7808
 
-  curl_setup.h: sync values for HTTP_ONLY
+- curl_ntlm_core: use OpenSSL only if DES is available
   
-  The values for HTTP_ONLY differed between CMakeLists.txt and
-  curl_setup.h. Sync them and sort the values in curl_setup.h to make it
-  easier to spot differences.
+  This selects another SSL backend then if available, or otherwise at
+  least gives a meaningful error message.
   
-  Closes #7601
+  Closes https://github.com/curl/curl/pull/7808
 
-Jay Satiro (21 Aug 2021)
-- configure: set classic mingw minimum OS version to XP
+- md5: fix compilation with OpenSSL 3.0 API
   
-  - If the user has not specified a minimum OS version (via WINVER or
-    _WIN32_WINNT macros) then set it to Windows XP.
+  Only use OpenSSL's MD5 code if it's available.
   
-  Prior to this change classic MinGW defaulted the minimum OS version
-  to Windows NT 4.0 which is way too old. At least Windows XP is needed
-  for getaddrinfo (which resolves hostnames to IPv6 addresses).
+  Also fix wolfSSL build with `NO_MD5`, in which case neither the
+  wolfSSL/OpenSSL implementation nor the fallback implementation was
+  used.
   
-  Ref: https://github.com/curl/curl/issues/7483#issuecomment-891597034
+  Closes https://github.com/curl/curl/pull/7808
+
+Daniel Stenberg (7 Oct 2021)
+- print_category: printf %*s needs an int argument
   
-  Closes https://github.com/curl/curl/pull/7581
+  ... not a size_t!
+  
+  Detected by Coverity: CID 1492331.
+  Closes #7823
 
-- schannel: Work around typo in classic mingw macro
+Jay Satiro (7 Oct 2021)
+- version_win32: use actual version instead of manifested version
   
-  - Define ALG_CLASS_DHASH (the typo from the include) to ALG_CLASS_HASH.
+  - Use RtlVerifyVersionInfo instead of VerifyVersionInfo, when possible.
   
-  Prior to this change there was an incomplete fix to ignore the
-  CALG_TLS1PRF macro on those versions of MinGW where it uses the
-  ALG_CLASS_DHASH typoed macro.
+  Later versions of Windows have normal version functions that compare and
+  return versions based on the way the application is manifested, instead
+  of the actual version of Windows the application is running on. We
+  prefer the actual version of Windows so we'll now call the Rtl variant
+  of version functions (RtlVerifyVersionInfo) which does a proper
+  comparison of the actual version.
   
-  Ref: 48cf45c
-  Ref: https://osdn.net/projects/mingw/ticket/38391
-  Ref: https://github.com/curl/curl/issues/2924
+  Reported-by: Wyatt O'Day
   
-  Closes https://github.com/curl/curl/pull/7580
+  Ref: https://github.com/curl/curl/pull/7727
+  
+  Fixes https://github.com/curl/curl/issues/7742
+  Closes https://github.com/curl/curl/pull/7810
 
-Daniel Stenberg (20 Aug 2021)
+Daniel Stenberg (6 Oct 2021)
 - RELEASE-NOTES: synced
 
-- http_proxy: fix user-agent and custom headers for CONNECT with hyper
+- http: fix Basic auth with empty name field in URL
   
-  Enable test 287
+  Add test 367 to verify.
   
-  Closes #7598
+  Reported-by: Rick Lane
+  Fixes #7819
+  Closes #7820
 
-- c-hyper: initial support for "dumping" 1xx HTTP responses
+- [Jeffrey Tolar brought this change]
+
+  CURLOPT_MAXLIFETIME_CONN: maximum allowed lifetime for conn reuse
   
-  With the use hyper_request_on_informational()
+  ... and close connections that are too old instead of reusing them.
   
-  Enable test 155 and 158
+  By default, this behavior is disabled.
   
-  Closes #7597
+  Bug: https://curl.se/mail/lib-2021-09/0058.html
+  Closes #7751
 
-Marc Hoersken (18 Aug 2021)
-- tests/*server.pl: flush output before executing subprocess
+Daniel Gustafsson (6 Oct 2021)
+- docs/examples: add missing binaries to gitignore
   
-  Also avoid shell processes staying around by using exec.
-  This is necessary to avoid output data being buffering
-  inside the process chain of Perl, Bash/Shell and our
-  test server binaries. On non-Windows systems the exec
-  will also make the subprocess replace the intermediate
-  shell, but on Windows it will at least bind the processes
-  together since there is no real fork or exec available.
+  Commit f65d7889b added getreferrer, and commit ae8e11ed5 multi-legacy,
+  both of which missed adding .gitignore clauses for the built binaries.
   
-  See: https://cygwin.com/cygwin-ug-net/highlights.html
-  and: https://docs.microsoft.com/cpp/c-runtime-library/exec-wexec-functions
-  Ref: https://github.com/curl/curl/pull/7530#issuecomment-900949010
+  Closes #7817
+  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+Daniel Stenberg (5 Oct 2021)
+- [Josip Medved brought this change]
+
+  HTTP3: fix the HTTP/3 Explained book link
   
-  Reviewed-by: Daniel Stenberg
-  Reviewed-by: Jay Satiro
-  Closes #7530
+  Closes #7813
 
-- CI: use GitHub Container Registry instead of Docker Hub
+- [Lucas Holt brought this change]
+
+  misc: fix a few issues on MidnightBSD
   
-  Avoid limits on Docker Hub and improve image pull/download speed.
+  Closes #7812
+
+Daniel Gustafsson (4 Oct 2021)
+- [8U61ife brought this change]
+
+  tool_main: fix typo in comment
   
-  Closes #7587
+  Closes: #7811
+  Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
 
-Daniel Stenberg (18 Aug 2021)
-- openssl: when creating a new context, there cannot be an old one
+Daniel Stenberg (4 Oct 2021)
+- [Ryan Mast brought this change]
+
+  BINDINGS: URL updates
   
-  Remove the previous handling that would call SSL_CTX_free(), and instead
-  add an assert that halts a debug build if there ever is a context
-  already set at this point.
+  For cpr, BBHTTP, Eiffel, Harbour, Haskell, Mono, and Rust
   
-  Closes #7585
+  Closes #7809
 
-Jay Satiro (18 Aug 2021)
-- KNOWN_BUGS: Renegotiate from server may cause hang for OpenSSL backend
+- scripts/delta: hide a git error message we don't care about
   
-  Closes https://github.com/curl/curl/issues/6785
+  fatal: path 'src/tool_listhelp.c' exists on disk, but not in [tag]
 
-Viktor Szakats (17 Aug 2021)
-- docs/BINDINGS: URL update
+- [Patrick Monnerat brought this change]
 
-Marc Hoersken (17 Aug 2021)
-- tests/server/*.c: align handling of portfile argument and file
+  sasl: binary messages
   
-  1. Call the internal variable portname (like pidname) everywhere.
-  2. Have a variable wroteportfile (like wrotepidfile) everywhere.
-  3. Make sure the file is cleaned up on exit (like pidfile).
-  4. Add parameter --portfile to usage outputs everywhere.
+  Capabilities of sasl module are extended to exchange messages in binary
+  as an alternative to base64.
   
-  Reviewed-by: Daniel Stenberg
+  If http authentication flags have been set, those are used as sasl
+  default preferred mechanisms.
   
-  Replaces #7523
-  Closes #7574
+  Closes #6930
 
-Daniel Gustafsson (17 Aug 2021)
-- KNOWN_BUGS: Fix a number of typos in KNOWN_BUGS
-  
-  Fixes a set of typos found in section 11.3.
+- [Hayden Roche brought this change]
 
-Daniel Stenberg (17 Aug 2021)
-- getparameter: fix the --local-port number parser
+  wolfssl: use for SHA256, MD4, MD5, and setting DES odd parity
   
-  It could previously get tricked into parsing the uninitialized stack
-  based buffer.
+  Prior to this commit, OpenSSL could be used for all these functions, but
+  not wolfSSL. This commit makes it so wolfSSL will be used if USE_WOLFSSL
+  is defined.
   
-  Reported-by: Brian Carpenter
-  Closes #7582
+  Closes #7806
 
-- KNOWN_BUGS: Can't use Secure Transport with Crypto Token Kit
+- scripts/delta: count command line options in the new file
   
-  Closes #7048
+  ... which makes the shown delta number wrong until next release.
 
-- [Jan Verbeek brought this change]
+- RELEASE-NOTES: synced
 
-  curl: add warning for ignored data after quoted form parameter
+- print_category: print help descriptions aligned
   
-  In an argument like `-F 'x=@/etc/hostname;filename="foo"abc'` the `abc`
-  is ignored. This adds a warning if the ignored data isn't all
-  whitespace.
+  Adjust the description position to make an aligned column when doing
+  help listings, which is more pleasing to the eye.
   
-  Closes #7394
+  Suggested-by: Gisle Vanem
+  Closes #7792
 
-Jay Satiro (17 Aug 2021)
-- codeql: fix error "Resource not accessible by integration"
-  
-  - Enable codeql writing security-events.
+- lib/mk-ca-bundle.pl: skip certs passed Not Valid After date
   
-  GitHub set the default permissions to read, apparently since earlier
-  this year.
+  With this change applied, the now expired 'DST Root CA X3' cert will no
+  longer be included in the output.
   
-  Ref: https://github.com/github/codeql-action/issues/464
-  Ref: https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/
+  Details: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
   
-  Fixes https://github.com/curl/curl/issues/7575
-  Closes https://github.com/curl/curl/pull/7576
+  Closes #7801
 
-- tool_operate: Fix --fail-early with parallel transfers
+- tool_listhelp: easier to generate with gen.pl
   
-  - Abort via progress callback to fail early during parallel transfers.
+  tool_listhelp.c is now a separate file with only the command line --help
+  output, exactly as generated by gen.pl. This makes it easier to generate
+  updates according to what's in the docs/cmdline-opts docs.
   
-  When a critical error occurs during a transfer (eg --fail-early
-  constraint) then other running transfers will be aborted via progress
-  callback and finish with error CURLE_ABORTED_BY_CALLBACK (42). In this
-  case, the callback error does not become the most recent error and a
-  custom error message is used for those transfers:
+    cd $srcroot/docs/cmdline-opts
+    ./gen.pl listhelp *.d > $srcroot/src/tool_listhelp.c
   
-  curld --fail --fail-early --parallel
-  https://httpbin.org/status/404 https://httpbin.org/delay/10
+  With a configure build, this also works:
   
-  curl: (22) The requested URL returned error: 404
-  curl: (42) Transfer aborted due to critical error in another transfer
+    make -C src listhelp
   
-  > echo %ERRORLEVEL%
-  22
+  Closes #7787
+
+- [Anthony Hu brought this change]
+
+  wolfssl: allow setting of groups/curves
   
-  Fixes https://github.com/curl/curl/issues/6939
-  Closes https://github.com/curl/curl/pull/6984
+  In particular, the quantum safe KEM and hybrid curves if wolfSSL is
+  built to support them.
+  
+  Closes #7728
 
-Daniel Stenberg (17 Aug 2021)
-- [Sergey Markelov brought this change]
+- [Jan Mazur brought this change]
 
-  sectransp: support CURLINFO_CERTINFO
+  connnect: use sysaddr_un fron sys/un.h or custom-defined for windows
   
-  Fixes #4130
-  Closes #7372
+  Closes #7737
 
-- ngtcp2: remove the acked_crypto_offset struct field init
+Jay Satiro (30 Sep 2021)
+- [Rikard Falkeborn brought this change]
+
+  hostip: Move allocation to clarify there is no memleak
   
-  ... as it is gone from the API upstream.
+  By just glancing at the code, it looks like there is a memleak if the
+  call to Curl_inet_pton() fails. Looking closer, it is clear that the
+  call to Curl_inet_pton() can not fail, so the code will never leak
+  memory. However, we can make this obvious by moving the allocation
+  after the if-statement.
   
-  Closes #7578
+  Closes https://github.com/curl/curl/pull/7796
 
-- misc: update incorrect copyright year ranges
+Daniel Stenberg (30 Sep 2021)
+- gen.pl: make the output date format work better
   
-  Closes #7577
+  Follow-up to 15910dfd143dd
+  
+  The previous strftime format used didn't work correctly on Windows, so
+  change to %B %d %Y which today looks like "September 29 2021".
+  
+  Reported-by: Gisle Vanem
+  Bug: #7782
+  Closes #7793
 
-- KNOWN_BUGS: HTTP/3 quiche upload large file fails
+- typecheck-gcc.h: add CURLOPT_PREREQDATA awareness
   
-  Closes #7532
+  Follow-up to a517378de58358a
+  
+  To make test 1912 happy again
+  
+  Closes #7799
 
-- KNOWN_BUGS: CMake build with MIT Kerberos does not work
+Marcel Raad (29 Sep 2021)
+- configure: remove `HAVE_WINSOCK_H` definition
   
-  Closes #6904
+  It's not used anymore.
+  
+  Closes https://github.com/curl/curl/pull/7795
 
-- TODO: add asynch getaddrinfo support
+- CMake: remove `HAVE_WINSOCK_H` definition
   
-  Closes #6746
+  It's not used anymore.
+  
+  Closes https://github.com/curl/curl/pull/7795
 
-- RELEASE-NOTES: synced
+- config: remove `HAVE_WINSOCK_H` definition
+  
+  It's not used anymore.
+  
+  Closes https://github.com/curl/curl/pull/7795
 
-- [Artur Sinila brought this change]
+- lib: remove `HAVE_WINSOCK_H` usage
+  
+  WinSock v1 is not supported anymore. Exclusively use `HAVE_WINSOCK2_H`
+  instead.
+  
+  Closes https://github.com/curl/curl/pull/7795
 
-  http2: revert call the handle-closed function correctly on closed stream
+Daniel Stenberg (29 Sep 2021)
+- easyoptions: add the two new PRE* options
   
-  Reverts 252790c5335a221
+  Follow-up to a517378de58358a
   
-  Assisted-by: Gergely Nagy
-  Fixes #7400
-  Closes #7525
+  Also fix optiontable.pl to do the correct remainder on the entry.
+  
+  Reported-by: Gisle Vanem
+  Bug: https://github.com/curl/curl/commit/a517378de58358a85b7cfe9efecb56051268f629#commitcomment-57224830
+  Closes #7791
+
+- Revert "build: remove checks for WinSock 1"
+  
+  Due to CI issues
+  
+  This reverts commit c2ea04f92b00b6271627cb218647527b5a50f2fc.
+  
+  Closes #7790
+
+Daniel Gustafsson (29 Sep 2021)
+- lib: avoid fallthrough cases in switch statements
+  
+  Commit b5a434f7f0ee4d64857f8592eced5b9007d83620 inhibits the warning
+  on implicit fallthrough cases, since the current coding of indicating
+  fallthrough with comments is falling out of fashion with new compilers.
+  This attempts to make the issue smaller by rewriting fallthroughs to no
+  longer fallthrough, via either breaking the cases or turning switch
+  statements into if statements.
+  
+    lib/content_encoding.c: the fallthrough codepath is simply copied
+      into the case as it's a single line.
+    lib/http_ntlm.c: the fallthrough case skips a state in the state-
+      machine and fast-forwards to NTLMSTATE_LAST. Do this before the
+      switch statement instead to set up the states that we actually
+      want.
+    lib/http_proxy.c: the fallthrough is just falling into exiting the
+      switch statement which can be done easily enough in the case.
+    lib/mime.c: switch statement rewritten as if statement.
+    lib/pop3.c: the fallthrough case skips to the next state in the
+      statemachine, do this explicitly instead.
+    lib/urlapi.c: switch statement rewritten as if statement.
+    lib/vssh/wolfssh.c: the fallthrough cases fast-forwards the state
+      machine, do this by running another iteration of the switch
+      statement instead.
+    lib/vtls/gtls.c: switch statement rewritten as if statement.
+    lib/vtls/nss.c: the fallthrough codepath is simply copied into the
+      case as it's a single line. Also twiddle a comment to not be
+      inside a non-brace if statement.
+  
+  Closes: #7322
+  See-also: #7295
+  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
 
-- [Patrick Monnerat brought this change]
+Marcel Raad (28 Sep 2021)
+- config-win32ce: enable WinSock 2
+  
+  WinSock 2.2 is supported by Windows CE .NET 4.1 (from 2002, out of
+  support since 2013).
+  
+  Ref: https://docs.microsoft.com/en-us/previous-versions/windows/embedded/ms899586(v=msdn.10)
+  
+  Closes https://github.com/curl/curl/pull/7778
 
-  auth: do not append zero-terminator to authorisation id in kerberos
+- externalsocket: use WinSock 2.2
   
-  RFC4752 Section 3.1 states "The authorization identity is not terminated
-  with a zero-valued (%x00) octet". Although a comment in code said it may
-  be needed anyway, nothing confirms it. In addition, servers may consider
-  it as part of the identity, causing a failure.
+  That's the only version we support.
   
-  Closes #7008
+  Closes https://github.com/curl/curl/pull/7778
 
-- [Patrick Monnerat brought this change]
+- build: remove checks for WinSock 1
+  
+  It's not supported anymore.
+  
+  Closes https://github.com/curl/curl/pull/7778
 
-  auth: use sasl authzid option in kerberos
+Daniel Stenberg (28 Sep 2021)
+- scripts/copyright: .muse is .lift now
   
-  ... instead of deriving it from active ticket.
-  Closes #7008
+  And update 5 files with old copyright year range
 
-- [Patrick Monnerat brought this change]
+- cmdline-opts: made the 'Added:' field mandatory
+  
+  Since "too old" versions are no longer included in the generated man
+  page, this field is now mandatory so that it won't be forgotten and then
+  not included in the documentation.
+  
+  Closes #7786
 
-  auth: we do not support a security layer after kerberos authentication
+- curl.1: remove mentions of really old version changes
   
-  Closes #7008
+  To make the man page more readable, this change removes all references
+  to changes in support/versions etc that happened before 7.30.0 from the
+  curl.1 output file. 7.30.0 was released on Apr 12 2013. This particular
+  limit is a bit arbitrary but was fairly easy to grep for.
+  
+  It is handled like this: the 'Added' keyword is only used in output if
+  it refers to 7.30.0 or later. All occurances of "(Added in $VERSION)" in
+  description will be stripped out if the mentioned $VERSION is from
+  before 7.30.0. It is therefore important that the "Added in..."
+  references are always written exactly like that - and on a single line,
+  not split over two.
+  
+  This change removes about 80 version number references from curl.1, down
+  to 138 from 218.
+  
+  Closes #7786
 
-- [Patrick Monnerat brought this change]
+- RELEASE-NOTES: synced
 
-  auth: properly handle byte order in kerberos security message
+- tool_cb_prg: make resumed upload progress bar show better
   
-  Closes #7008
+  This is a regression that was *probably* injected in the larger progress
+  bar overhaul in 2018.
+  
+  Reported-by: beslick5 on github
+  Fixes #7760
+  Closes #7777
 
-- [z2_ brought this change]
+- gen.pl: insert the current date and version in generated man page
+  
+  Reported-by: Gisle Vanem
+  Ref: #7780
+  Closes #7782
 
-  x509asn1: fix heap over-read when parsing x509 certificates
+- NTLM: use DES_set_key_unchecked with OpenSSL
   
-  Assisted-by: Patrick Monnerat
-  Closes #7536
+  ... as the previously used function DES_set_key() will in some cases
+  reject using a key that it deems "weak" which will cause curl to
+  continue using the unitialized buffer content as key instead.
+  
+  Assisted-by: Harry Sintonen
+  Fixes #7779
+  Closes #7781
 
-- KNOWN_BUGS: Disconnects don't do verbose
+Marc Hoersken (27 Sep 2021)
+- CI: align make and test flags in various config files
   
-  Closes #6995
+  1. Use Makefile target to run tests in autotools builds on AppVeyor.
+  2. Disable testing of SCP protocol on native Windows environments.
+  3. Remove redundant parameters -a -p from target test-nonflaky.
+  4. Don't use -vc parameter which is reserved for debugging.
+  
+  Replaces #7591
+  Closes #7690
 
-- mailmap: fixup Michał Antoniak
+Daniel Stenberg (27 Sep 2021)
+- mailmap: unify Max!
 
-- [Michał Antoniak brought this change]
+- [Max Dymond brought this change]
 
-  build: fix compiler warnings
-  
-  For when CURL_DISABLE_VERBOSE_STRINGS and DEBUGBUILD flags are both
-  active.
+  CURLOPT_PREREQFUNCTION: add new callback
   
-  - socks.c : warning C4100: 'lineno': unreferenced formal parameter
-    (co-authored by Daniel Stenberg)
+  Triggered before a request is made but after a connection is set up
   
-  - mbedtls.c: warning C4189: 'port': local variable is initialized but
-    not referenced
+  Changes:
   
-  - schannel.c: warning C4189: 'hostname': local variable is initialized
-    but not referenced
+  - callback: Update docs and callback for pre-request callback
+  - Add documentation for CURLOPT_PREREQDATA and CURLOPT_PREREQFUNCTION,
+  - Add redirect test and callback failure test
+  - Note that the function may be called multiple times on a redirection
+  - Disable new 2086 test due to Windows weirdness
   
-  Cloes #7528
+  Closes #7477
 
-- [Gleb Ivanovsky brought this change]
-
-  CODE_STYLE-md: fix bold font style
-  
-  Markdown gets confused with abundance of asterisks, so use underscores
-  instead.
+- KNOWN_BUGS: HTTP/2 connections through HTTPS proxy frequently stall
   
-  Reviewed-by: Daniel Gustafsson
-  Closes #7569
+  Closes #6936
 
-- [Gleb Ivanovsky brought this change]
-
-  CODE_STYLE-md: add missing comma
+- TODO: make configure use --cache-file more and better
   
-  Reviewed-by: Daniel Gustafsson
-  Closes #7570
+  Closes #7753
 
-- [Daniel Gustafsson brought this change]
+- [Sergey Markelov brought this change]
 
-  examples/ephiperfifo.c: simplify signal handler
+  urlapi: support UNC paths in file: URLs on Windows
   
-  The signal handler registered for SIGINT is only handling SIGINT
-  so there isn't much need for inspecting the signo.  While there,
-  rename the handler to be more specific.
+  - file://host.name/path/file.txt is a valid UNC path
+    \\host.name\path\files.txt to a non-local file transformed into URI
+    (RFC 8089 Appendix E.3)
   
-  g_should_exit should really be of sig_atomic_t type, but relying
-  on autoconf in the examples seems like a bad idea so keep that
-  for now.
+  - UNC paths on other OSs must be smb: URLs
   
-  Reviewed-by: Daniel Stenberg
-  Closes #7310
+  Closes #7366
 
-- c-hyper: initial step for 100-continue support
+- [Gleb Ivanovsky brought this change]
+
+  urlapi: add curl_url_strerror()
   
-  Enabled test 154
+  Add curl_url_strerror() to convert CURLUcode into readable string and
+  facilitate easier troubleshooting in programs using URL API.
+  Extend CURLUcode with CURLU_LAST for iteration in unit tests.
+  Update man pages with a mention of new function.
+  Update example code and tests with new functionality where it fits.
   
-  Closes #7568
+  Closes #7605
 
-- [Ikko Ashimine brought this change]
+- RELEASE-NOTES: synced
 
-  vtls: fix typo in schannel_verify.c
+- [Mats Lindestam brought this change]
+
+  libssh2: add SHA256 fingerprint support
   
-  occurence -> occurrence
+  Added support for SHA256 fingerprint in command line curl and in
+  libcurl.
   
-  Closes #7566
+  Closes #7646
 
-- [Emil Engler brought this change]
+- libcurl.rc: switch out the copyright symbol for plain ASCII
+  
+  Reported-by: Vitaly Varyvdin
+  Assisted-by: Viktor Szakats
+  Fixes #7765
+  Closes #7776
 
-  curl_url_get.3: clarify about path and query
+- [Jun-ya Kato brought this change]
+
+  ngtcp2: fix QUIC transport parameter version
   
-  The current man-page lacks some details regarding the obtained path and
-  query.
+  fix inappropriate version setting for QUIC transport parameters.
+  this patch keeps curl with ngtcp2 uses QUIC draft version (h3-29).
   
-  Closes #7563
+  Closes #7771
 
-- c-hyper: fix header value passed to debug callback
+- examples/imap-append: fix end-of-data check
   
-  Closes #7567
+  Reported-by: Alexander Chuykov
+  Fixes #7774
+  Closes #7775
 
-Viktor Szakats (12 Aug 2021)
-- cleanup: URL updates
+Michael Kaufmann (24 Sep 2021)
+- vtls: Fix a memory leak if an SSL session cannot be added to the cache
   
-  - replace broken URL with the one it was most probably pointing to
-    when added (lib/tftp.c)
-  - replace broken URL with archive.org link (lib/curl_ntlm_wb.c)
-  - delete unnecessary protocol designator from archive.org URL
-    (docs/BINDINGS.md)
+  On connection shutdown, a new TLS session ticket may arrive after the
+  SSL session cache has already been destructed. In this case, the new
+  SSL session cannot be added to the SSL session cache.
   
-  Closes #7562
+  The callers of Curl_ssl_addsessionid() need to know whether the SSL
+  session has been added to the cache. If it has not been added, the
+  reference counter of the SSL session must not be incremented, or memory
+  used by the SSL session must be freed. This is now possible with the new
+  output parameter "added" of Curl_ssl_addsessionid().
+  
+  Fixes #7683
+  Closes #7752
 
-Daniel Stenberg (12 Aug 2021)
-- [April King brought this change]
+Daniel Stenberg (24 Sep 2021)
+- [Momoka Yamamoto brought this change]
 
-  DEPRECATE.md: linkify curl-library mailing list
+  HTTP3.md: use 'autoreconf -fi' instead of buildconf
   
-  Closes #7561
+  buildconf is not used since #5853
+  
+  Closes #7746
 
-- [Barry Pollard brought this change]
+- GIT-INFO: rephrase to adapt to s/buildconf/autoreconf
 
-  output.d: add method to suppress response bodies
-  
-  Closes #7560
+- [h1zzz brought this change]
 
-- TODO: remove 'c-ares deviates on http://1346569778'
+  llist: remove redundant code, branch will not be executed
   
-  Fixed since 56a037cc0ad1b2 (7.77.0)
+  Closes #7770
 
-- [Colin O'Dell brought this change]
+- [tlahn brought this change]
 
-  BINDINGS.md: update links to use https where available
+  HTTP-COOKIES.md: remove duplicate 'each'
   
-  Closes #7558
+  Closes #7772
 
-- asyn-ares.c: move all version number checks to the top
-  
-  ... and use #ifdef [feature] in the code as per our guidelines.
+Jay Satiro (24 Sep 2021)
+- [Joel Depooter brought this change]
 
-- ares: use ares_getaddrinfo()
-  
-  ares_getaddrinfo() is the getaddrinfo() cloned provided by c-ares, introduced
-  in version 1.16.0.
+  libssh2: Get the version at runtime if possible
   
-  With older c-ares versions, curl invokes ares_gethostbyname() twice - once for
-  IPv4 and once for IPv6 to resolve both addresses, and then combines the
-  returned results.
+  Previously this code used a compile time constant, meaning that libcurl
+  always reported the libssh2 version that libcurl was built with. This
+  could differ from the libssh2 version actually being used. The new code
+  uses the CURL_LIBSSH2_VERSION macro, which is defined in ssh.h. The
+  macro calls the libssh2_version function if it is available, otherwise
+  it falls back to the compile time version.
   
-  Reported-by: jjandesmet
-  Fixes #7364
-  Closes #7552
+  Closes https://github.com/curl/curl/pull/7768
 
-- [Tatsuhiro Tsujikawa brought this change]
+- [Joel Depooter brought this change]
 
-  ngtcp2: utilize crypto API functions to simplify
+  schannel: fix typo
   
-  Closes #7551
-
-- [megatronking brought this change]
+  Closes https://github.com/curl/curl/pull/7769
 
-  ngtcp2: reset the oustanding send buffer again when drained
+Daniel Stenberg (23 Sep 2021)
+- cmake: with OpenSSL, define OPENSSL_SUPPRESS_DEPRECATED
   
-  Closes #7538
+  To avoid the "... is deprecated" warnings brought by OpenSSL v3.
+  (We need to address the underlying code at some point of course.)
+  
+  Assisted-by: Jakub Zakrzewski
+  Closes #7767
 
-Michael Kaufmann (10 Aug 2021)
-- progress: fix a compile warning on some systems
+- curl-openssl: pass argument to sed single-quoted
   
-  lib/progress.c:380:40: warning: conversion to 'long double' from
-  'curl_off_t {aka long long int}' may alter its value [-Wconversion]
+  ... instead of using an escaped double-quote. This is an attempt to make
+  this work better with ksh that otherwise would insist on a double
+  escape!
   
-  Closes #7549
+  Reported-by: Randall S. Becker
+  Fixes #7758
+  Closes #7764
 
-Daniel Stenberg (10 Aug 2021)
 - RELEASE-NOTES: synced
+  
+  Bumped curlver to 7.80.0-dev
 
-- http: consider cookies over localhost to be secure
+- [a1346054 brought this change]
+
+  misc: fix typos in docs and comments
   
-  Updated test31.
-  Added test 392 to verify secure cookies used for http://localhost
+  No user facing output from curl/libcurl is changed by this, just
+  comments.
   
-  Reviewed-by: Daniel Gustafsson
-  Fixes #6733
-  Closes #7263
+  Closes #7747
 
-- TODO: erase secrets from heap/stack after use
-  
-  Closes #7268
+- [Thomas M. DuBuisson brought this change]
 
-Jay Satiro (10 Aug 2021)
-- hostip: Make Curl_ipv6works function independent of getaddrinfo
+  ci: update Lift config to match requirements of curl build
   
-  - Do not assume IPv6 is not working when getaddrinfo is not present.
+  Also renamed Muse -> Lift, the new tool name.
   
-  The check to see if IPv6 actually works is now independent of whether
-  there is any resolver that can potentially resolve a hostname to IPv6.
+  Closes #7761
+
+- [Rikard Falkeborn brought this change]
+
+  cleanup: constify unmodified static structs
   
-  Prior to this change if getaddrinfo() was not found at compile time then
-  Curl_ipv6works() would be defined as a macro that returns FALSE.
+  Constify a number of static structs that are never modified. Make them
+  const to show this.
   
-  When getaddrinfo is not found then libcurl is built with CURLRES_IPV4
-  defined instead of CURLRES_IPV6, meaning that it cannot do IPv6 lookups
-  in the traditional way. With this commit if libcurl is built with IPv6
-  support (ENABLE_IPV6) but without getaddrinfo (CURLRES_IPV6), and the
-  IPv6 stack is actually working, then it is possible for libcurl to
-  resolve IPv6 addresses by using DoH.
-  
-  Ref: https://github.com/curl/curl/issues/7483#issuecomment-890765378
-  
-  Closes https://github.com/curl/curl/pull/7529
-
-- test1565: fix windows build errors
-  
-  - Use our wait_ms() instead of sleep() since Windows doesn't have the
-    latter.
-  
-  - Use a separate variable to keep track of whether the pthread_t thread
-    id is valid.
-  
-  On Windows pthread_t is not an integer type. pthread offers no macro for
-  invalid pthread_t thread id, so validity is kept track of separately.
-  
-  Closes https://github.com/curl/curl/pull/7527
-
-- [Jeremy Falcon brought this change]
-
-  winbuild/README.md: clarify GEN_PDB option
-  
-  - Document that GEN_PDB option creates an external database.
-  
-  Ref: https://github.com/curl/curl/issues/7502
+  Closes #7759
 
-Daniel Stenberg (9 Aug 2021)
-- [Tatsuhiro Tsujikawa brought this change]
+Version 7.79.1 (22 Sep 2021)
 
-  ngtcp2: replace deprecated functions with nghttp3_conn_shutdown_stream_read
+Daniel Stenberg (22 Sep 2021)
+- RELEASE-NOTES: synced
   
-  Closes #7546
-
-- [Tatsuhiro Tsujikawa brought this change]
+  curl 7.79.1 release
 
-  ngtcp2: rework the return value handling of ngtcp2_conn_writev_stream
-  
-  Rework the return value handling of ngtcp2_conn_writev_stream and treat
-  NGTCP2_ERR_STREAM_SHUT_WR separately.
-  
-  Closes #7546
+- THANKS: added names from the 7.79.1 release
 
-- configure: error out if both ngtcp2 and quiche are specified
+- test897: verify delivery of IMAP post-body header content
   
-  Reported-by: Vincent Grande
-  See #7539
-  Closes #7545
-
-- [Jeff Mears brought this change]
-
-  easy: use a custom implementation of wcsdup on Windows
+  The "content" is delivered as "body" by curl, but the envelope continues
+  after the body and the rest of it should be delivered as header.
   
-  ... so that malloc/free overrides from curl_global_init are used for
-  wcsdup correctly.
+  The IMAP server can now get 'POSTFETCH' set to include more data to
+  include after the body and test 897 is done to verify that such "extra"
+  header data is in fact delivered by curl as header.
   
-  Closes #7540
-
-- zuul: add an mbedtls3 CI job
+  Ref: #7284 but fails to reproduce the issue
   
-  Closes #7544
-
-- [Benau brought this change]
+  Closes #7748
 
-  mbedTLS: initial 3.0.0 support
+- KNOWN_BUGS: connection migration doesn't work
   
-  Closes #7428
+  Closes #7695
 
 - RELEASE-NOTES: synced
 
-- configure.ac: revert bad nghttp2 library detection improvements
-  
-  This reverts commit b4b34db65f9f8, 673753344c5f and 29c7cf79e8b.
-  
-  The logic is now back to assuming that the nghttp2 lib is called nghttp2 and
-  nothing else.
-  
-  Reported-by: Rui Pinheiro
-  Reported-by: Alex Crichton
-  Fixes #7514
-  Closes #7515
-
-- happy-eyeballs-timeout-ms.d: polish the wording
-  
-  Reported-by: Josh Soref
-  Fixes #7433
-  Closes #7542
-
-- [modbw brought this change]
-
-  mbedtls_threadlock: fix unused variable warning
-  
-  Closes #7393
-
-- [Tatsuhiro Tsujikawa brought this change]
-
-  ngtcp2: compile with the latest ngtcp2 and nghttp3
-  
-  Closes #7541
-
-Marc Hoersken (31 Jul 2021)
-- CI/cirrus: reduce compile time with increased parallism
-  
-  Cirrus CI VMs have 2 CPUs, let's use them also for Windows builds.
-  
-  Reviewed-by: Daniel Stenberg
-  Closes #7505
-
-Daniel Stenberg (30 Jul 2021)
-- [Bin Lan brought this change]
-
-  tool/tests: fix potential year 2038 issues
-  
-  The length of 'long' in a 32-bit system is 32 bits, which cannot be used
-  to save timestamps after 2038. Most operating systems have extended
-  time_t to 64 bits.
-  
-  Remove the castings to long.
+- http: fix the broken >3 digit response code detection
   
-  Closes #7466
-
-- compressed.d: it's a request, not an order
+  When the "reason phrase" in the HTTP status line starts with a digit,
+  that was treated as the forth response code digit and curl would claim
+  the response to be non-compliant.
   
-  Clarified
+  Added test 1466 to verify this case.
   
-  Reported-by: Dan Jacobson
-  Reviewed-by: Daniel Gustafsson
-  Fixes #7516
-  Closes #7517
-
-- [Bernhard M. Wiedemann brought this change]
+  Regression brought by 5dc594e44f73b17
+  Reported-by: Glenn de boer
+  Fixes #7738
+  Closes #7739
 
-  tests: make three tests pass until 2037
+Jay Satiro (17 Sep 2021)
+- strerror: use sys_errlist instead of strerror on Windows
   
-  after 2038 something in test1915 fails on 32-bit OSes
+  - Change Curl_strerror to use sys_errlist[errnum] instead of strerror to
+    retrieve the error message on Windows.
   
-  Closes #7512
-
-Daniel Gustafsson (30 Jul 2021)
-- connect: remove superfluous conditional
+  Windows' strerror writes to a static buffer and is not thread-safe.
   
-  Commit dbd16c3e2 cleaned up the logic for traversing the addrinfos,
-  but the move left a conditional on ai which no longer is needed as
-  the while loop reevaluation will cover it.
+  Follow-up to 2f0bb86 which removed most instances of strerror in favor
+  of calling Curl_strerror (which calls strerror_r for other platforms).
   
-  Closes #7511
-  Reviewed-by: Carlo Marcelo Arenas Belón
-  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
-
-Daniel Stenberg (29 Jul 2021)
-- RELEASE-NOTES: synced
+  Ref: https://github.com/curl/curl/pull/7685
+  Ref: https://github.com/curl/curl/commit/2f0bb86
   
-  and bump curlver to 7.79.0 for next release
+  Closes https://github.com/curl/curl/pull/7735
 
-Marc Hoersken (29 Jul 2021)
-- tests/*server.py: remove pidfile on server termination
-  
-  Avoid pidfile leaking/laying around after server already exited.
+Daniel Stenberg (16 Sep 2021)
+- dist: provide lib/.checksrc in the tarball
   
-  Reviewed-by: Daniel Stenberg
-  Closes #7506
-
-Daniel Gustafsson (27 Jul 2021)
-- tool_main: fix typo in comment
+  So that debug builds work (checksrc really)
   
-  The referred to library is NSPR, so fix the switched around characters.
-
-Daniel Stenberg (28 Jul 2021)
-- [Aleksandr Krotov brought this change]
+  Reported-by: Marcel Raad
+  Reported-by: tawmoto on github
+  Fixes #7733
+  Closes #7734
 
-  bearssl: support CURLOPT_CAINFO_BLOB
+- TODO: Improve documentation about fork safety
   
-  Closes #7468
+  Closes #6968
 
-- curl.1: mention "global" flags
+- hsts: CURLSTS_FAIL from hsts read callback should fail transfer
   
-  Mention options that are "global". A global command line option is one
-  that doesn't get reset at --next uses and therefore don't need to be
-  used again.
+  ... and have CURLE_ABORTED_BY_CALLBACK returned.
   
-  Reported-by: Josh Soref
+  Extended test 1915 to verify.
   
-  Fixes #7457
-  Closes #7510
+  Reported-by: Jonathan Cardoso
+  Fixes #7726
+  Closes #7729
 
-- CURLOPT_DOH_URL.3: CURLOPT_OPENSOCKETFUNCTION is not inherited
+- test1184: disable
   
-  Reported-by: Daniel Woelfel
-  Fixes #7441
-  Closes #7509
-
-- KNOWN_BUGS: add more HTTP/3 problems
+  The test should be fine and it works for me repeated when run manually,
+  but clearly it causes CI failures and it needs more research.
   
-  Closes #7351
-  Closes #7339
-  Closes #7125
+  Reported-by: RiderALT on github
+  Fixes #7725
+  Closes #7732
 
-Marc Hoersken (27 Jul 2021)
-- CI/azure: reduce compile time with increased parallism
+- Curl_http2_setup: don't change connection data on repeat invokes
   
-  Azure Pipelines CI VMs have 2 CPUs, let's use them.
+  Regression from 3cb8a748670ab88c (releasde in 7.79.0). That change moved
+  transfer oriented inits to before the check but also erroneously moved a
+  few connection oriented ones, which causes problems.
   
-  Closes #7489
-
-Jay Satiro (27 Jul 2021)
-- [Josh Soref brought this change]
+  Reported-by: Evangelos Foutras
+  Fixes #7730
+  Closes #7731
 
-  docs: fix grammar
+- RELEASE-NOTES: synced
   
-  Fixes https://github.com/curl/curl/issues/7444
-  Fixes https://github.com/curl/curl/issues/7451
-  Fixes https://github.com/curl/curl/issues/7465
-  Closes https://github.com/curl/curl/pull/7495
+  and bump to 7.79.1
 
-- mail-rcpt.d: fix grammar
-  
-  Remove confusing sentence that says to specify an e-mail address for
-  mail transfer, since that's implied.
+Kamil Dudka (16 Sep 2021)
+- tests/sshserver.pl: make it work with openssh-8.7p1
   
-  Reported-by: Josh Soref
+  ... by not using options with no argument where an argument is required:
   
-  Fixes https://github.com/curl/curl/issues/7452
-  Closes https://github.com/curl/curl/pull/7495
-
-Daniel Stenberg (27 Jul 2021)
-- c-hyper: remove the hyper_executor_poll() loop from Curl_http
+  === Start of file tests/log/ssh_server.log
+  curl_sshd_config line 6: no argument after keyword "DenyGroups"
+  curl_sshd_config line 7: no argument after keyword "AllowGroups"
+  curl_sshd_config line 10: Deprecated option AuthorizedKeysFile2
+  curl_sshd_config line 29: Deprecated option KeyRegenerationInterval
+  curl_sshd_config line 39: Deprecated option RhostsRSAAuthentication
+  curl_sshd_config line 40: Deprecated option RSAAuthentication
+  curl_sshd_config line 41: Deprecated option ServerKeyBits
+  curl_sshd_config line 45: Deprecated option UseLogin
+  curl_sshd_config line 56: no argument after keyword "AcceptEnv"
+  curl_sshd_config: terminating, 3 bad configuration options
+  === End of file tests/log/ssh_server.log
   
-  1. it's superfluous
-  2. it didn't work identically to the Curl_hyper_stream one which could
-     cause problems like #7486
+  === Start of file log/sftp_server.log
+  curl_sftp_config line 33: Unsupported option "rhostsrsaauthentication"
+  curl_sftp_config line 34: Unsupported option "rsaauthentication"
+  curl_sftp_config line 52: no argument after keyword "sendenv"
+  curl_sftp_config: terminating, 1 bad configuration options
+  Connection closed.
+  Connection closed
+  === End of file log/sftp_server.log
   
-  Pointed-out-by: David Cook
-  Closes #7499
+  Closes #7724
 
-- curl-openssl.m4: check lib64 for the pkg-config file
+Daniel Stenberg (15 Sep 2021)
+- hsts: handle unlimited expiry
   
-  OpenSSL recently started putting the libs in $prefix/lib64 on 'make
-  install', so we check that directory for pkg-config data if the 'lib'
-  check fails.
+  When setting a blank expire string, meaning unlimited, curl would pass
+  TIME_T_MAX to getime_r() when creating the output, while on 64 bit
+  systems such a large value cannot be convetered to a tm struct making
+  curl to exit the loop with an error instead. It can't be converted
+  because the year it would represent doesn't fit in the 'int tm_year'
+  field!
   
-  Closes #7503
-
-- CURLOPT_SSL_CTX_*.3: tidy up the example
+  Starting now, unlimited expiry is instead handled differently by using a
+  human readable expiry date spelled out as "unlimited" instead of trying
+  to use a distant actual date.
   
-  Use the proper code style. Don't store return codes that aren't read.
-  Copy the same example into CURLOPT_SSL_CTX_FUNCTION.3 as well.
+  Test 1660 and 1915 have been updated to help verify this change.
   
-  Closes #7500
+  Reported-by: Jonathan Cardoso
+  Fixes #7720
+  Closes #7721
 
-- example/cookie_interface: fix scan-build printf warning
-  
-  Follow-up to 4b79c4fb565
+- curl_multi_fdset: make FD_SET() not operate on sockets out of range
   
-  Fixes #7497
-  Closes #7498
-
-- [Josh Soref brought this change]
-
-  limit-rate.d: clarify base unit
+  The VALID_SOCK() macro was made to only check for FD_SETSIZE if curl was
+  built to use select(), even though the curl_multi_fdset() function
+  always and unconditionally uses FD_SET and needs the check.
   
-  Fixes #7439
-  Closes #7494
+  Reported-by: 0xee on github
+  Fixes #7718
+  Closes #7719
 
-- [Carlo Marcelo Arenas Belón brought this change]
+- FAQ: add GOPHERS + curl works on data, not files
 
-  examples/cookie_interface: avoid printfing time_t directly
-  
-  time_t representation is undefined and varies on bitsize and signedness,
-  and as of C11 could be even non integer.
-  
-  instead of casting to unsigned long (which would truncate in systems
-  with a 32bit long after 2106) use difftime to get the elapsed time as a
-  double and print that (without decimals) instead.
-  
-  alternatively a cast to curl_off_t and its corresponding print
-  formatting could have been used (at least in POSIX) but portability and
-  curl agnostic code was prioritized.
-  
-  Closes #7490
+Version 7.79.0 (14 Sep 2021)
 
-Marc Hoersken (25 Jul 2021)
-- tests/servers: remove obsolete pid variable
-  
-  Variable is not used since pidfile handling moved to util.[ch]
+Daniel Stenberg (14 Sep 2021)
+- RELEASE-NOTES: synced
   
-  Reviewed-by: Jay Satiro
-  Closes #7482
+  For the 7.79.0 release
 
-- tests/servers: use our platform-aware pid for server verification
-  
-  The pid used for server verification is later stored as pid2 in
-  the hash of running test servers and therefore used for shutdown.
-  
-  The pid used for shutdown must be the platform-aware (Win32) pid
-  to avoid leaking test servers while running them using Cygwin/msys.
-  
-  Reviewed-by: Jay Satiro
-  Closes #7481
+- THANKS: add contributors from 7.79.0 release cycle
 
-- tests/runtests.pl: cleanup copy&paste mistakes and unused code
+- FAQ: add two dev related questions
   
-  Reviewed-by: Jay Satiro
-  Part of #7481
-
-Daniel Stenberg (25 Jul 2021)
-- RELEASE-NOTES: synced
+    8.1 Why does curl use C89?
+    8.2 Will curl be rewritten?
   
-  bumped to 7.78.1 for next release
+  Spell-checked-by: Paul Johnson
+  Closes #7715
 
-- http_proxy: clear 'sending' when the outgoing request is sent
-  
-  ... so that Curl_connect_getsock() will know how to wait for the socket
-  to become readable and not writable after the entire CONNECT request has
-  been issued.
+- zuul.d/jobs: disable three tests for *-openssl-disable-proxy
   
-  Regression added in 7.77.0
+  ... as they mysteriously seem to permfail without being related to
+  proxy.
   
-  Reported-by: zloi-user on github
-  Assisted-by: Jay Satiro
-  Fixes #7155
-  Closes #7484
+  Closes #7714
 
-Jay Satiro (25 Jul 2021)
-- [Josh Soref brought this change]
+- [Patrick Monnerat brought this change]
 
-  openssl: fix grammar
+  ftp,imap,pop3,smtp: reject STARTTLS server response pipelining
   
-  Closes https://github.com/curl/curl/pull/7480
-
-- configure.ac: tweak nghttp2 library name fix again
+  If a server pipelines future responses within the STARTTLS response, the
+  former are preserved in the pingpong cache across TLS negotiation and
+  used as responses to the encrypted commands.
   
-  - Change extraction to handle multiple library names returned by
-    pkg-config (eg a possible scenario with pkg-config --static).
+  This fix detects pipelined STARTTLS responses and rejects them with an
+  error.
   
-  Ref: https://github.com/curl/curl/pull/7472
+  CVE-2021-22947
   
-  Closes https://github.com/curl/curl/pull/7485
+  Bug: https://curl.se/docs/CVE-2021-22947.html
 
-Dan Fandrich (23 Jul 2021)
-- Get rid of the unused HAVE_SIG_ATOMIC_T et. al.
-  
-  It was added in 2006 but I see no evidence it was ever used.
+- [Patrick Monnerat brought this change]
 
-Jay Satiro (23 Jul 2021)
-- docs: change max-filesize caveat again
-  
-  - Add protocols field to max-filesize.d.
+  ftp,imap,pop3: do not ignore --ssl-reqd
   
-  - Revert wording on unknown file size caveat and do not discuss specific
-    protocols in that section.
+  In imap and pop3, check if TLS is required even when capabilities
+  request has failed.
   
-  Partial revert of ecf0225. All max-filesize options now have the list of
-  protocols and it's clearer just to have that list without discussing
-  specific protocols in the caveat.
+  In ftp, ignore preauthentication (230 status of server greeting) if TLS
+  is required.
   
-  Reported-by: Josh Soref
+  Bug: https://curl.se/docs/CVE-2021-22946.html
   
-  Ref: https://github.com/curl/curl/issues/7453#issuecomment-884128762
+  CVE-2021-22946
 
-Daniel Stenberg (22 Jul 2021)
-- [Christian Weisgerber brought this change]
+- [z2_ on hackerone brought this change]
 
-  configure: tweak nghttp2 library name fix
+  mqtt: clear the leftovers pointer when sending succeeds
   
-  commit 29c7cf79e8b44cf (shipped in 7.78.0) introduced a problem by
-  assuming that LIB_H2 does not have any leading whitespace.  At least
-  OpenBSD's native pkg-config can produce such whitespace, though:
+  CVE-2021-22945
   
-      $ pkg-config --libs-only-l libnghttp2
-       -lnghttp2
+  Bug: https://curl.se/docs/CVE-2021-22945.html
+
+- zuul: bump the rustls job to use v0.7.2
   
-  As a result, the configure check for libnghttp2 will erroneously fail.
+  ... and add -lm when using a rust library.
   
-  Bug: https://curl.se/mail/lib-2021-07/0050.html
-  Closes #7472
+  Closes #7701
 
-- [Bastian Krause brought this change]
+- RELEASE-PROCEDURE: add release dates from now to 8.0.0 in 2023
 
-  docs/MQTT: update state of username/password support
+- SECURITY-PROCESS: tweak a little to match current practices
   
-  PR #7243 implemented username/password support for MQTT, so let's drop
-  these items from the caveats.
+  Closes #7713
+
+- http_proxy: fix the User-Agent inclusion in CONNECT
   
-  Signed-off-by: Bastian Krause <bst@pengutronix.de>
+  It should not refer to the uagent string that is allocated and created
+  for the end server http request, as that pointer may be cleared on
+  subsequent CONNECT requests.
   
-  Closes #7474
-
-- [Oleg Pudeyev brought this change]
-
-  CURLMOPT_TIMERFUNCTION.3: remove misplaced "time"
+  Added test case 1184 to verify.
   
-  Closes #7470
-
-Version 7.78.0 (21 Jul 2021)
+  Reported-by: T200proX7 on github
+  Fixes #7705
+  Closes #7707
 
-Daniel Stenberg (21 Jul 2021)
-- RELEASE-NOTES: synced
+- Curl_hsts_loadcb: don't attempt to load if hsts wasn't inited
   
-  curl 7.78.0 release
+  Reported-by: Jonathan Cardoso
+  Fixes #7710
+  Closes #7711
 
-- winbuild/MakefileBuild.vc: bump copyright year
+- [Tatsuhiro Tsujikawa brought this change]
 
-Jay Satiro (21 Jul 2021)
-- docs: mention max-filesize options also apply to MQTT transfers
+  ngtcp2: fix build with ngtcp2 and nghttp3
   
-  Also make it clearer that the caveat 'if the file size is unknown it
-  the option will have no effect' may apply to protocols other than FTP
-  and HTTP.
+  ngtcp2_conn_client_new and nghttp3_conn_client_new are now macros.
+  Check the wrapped functions instead.
   
-  Reported-by: Josh Soref
+  ngtcp2_stream_close callback now takes flags parameter.
   
-  Fixes https://github.com/curl/curl/issues/7453
-
-- [Josh Soref brought this change]
-
-  docs/cmdline: fix grammar and typos
-
-- [Josh Soref brought this change]
+  Closes #7709
 
-  dump-header.d: Drop suggestion to use for cookie storage
+- write-out.d: clarify size_download/upload
   
-  Since --cookie-jar is the preferred way to store cookies, no longer
-  suggest using --dump-header to do so.
+  They show the number of "body" bytes transfered.
+  Fixes #7702
+  Closes #7706
+
+- http2: Curl_http2_setup needs to init stream data in all invokes
   
-  Co-authored-by: Daniel Stenberg
+  Thus function was written to avoid doing multiple connection data
+  initializations, which is fine, but since it also initiates stream
+  related data it is crucial that it doesn't skip those even if called
+  again for the same connection. Solved by moving the stream
+  initializations before the "doing-it-again" check.
   
-  Closes https://github.com/curl/curl/issues/7414
-
-- [Josh Soref brought this change]
+  Reported-by: Inho Oh
+  Fixes #7630
+  Closes #7692
 
-  doc/cmdline: fix grammar and typos
+- url: fix compiler warning in no-verbose builds
   
-  Closes https://github.com/curl/curl/pull/7454
-  Closes https://github.com/curl/curl/pull/7455
-  Closes https://github.com/curl/curl/pull/7456
-  Closes https://github.com/curl/curl/pull/7459
-  Closes https://github.com/curl/curl/pull/7460
-  Closes https://github.com/curl/curl/pull/7461
-  Closes https://github.com/curl/curl/pull/7462
-  Closes https://github.com/curl/curl/pull/7463
+  Follow-up from 2f0bb864c12
+  
+  Closes #7700
 
-Daniel Stenberg (20 Jul 2021)
-- vtls: fix connection reuse checks for issuer cert and case sensitivity
+- non-ascii: fix build errors from strerror fix
   
-  CVE-2021-22924
+  Follow-up to 2f0bb864c12
   
-  Reported-by: Harry Sintonen
-  Bug: https://curl.se/docs/CVE-2021-22924.html
+  Closes #7697
 
-- sectransp: check for client certs by name first, then file
+- parse_args: redo the warnings for --remote-header-name combos
   
-  CVE-2021-22926
+  ... to avoid the memory leak risk pointed out by scan-build.
   
-  Bug: https://curl.se/docs/CVE-2021-22926.html
+  Follow-up from 7a3e981781d6c18a
   
-  Assisted-by: Daniel Gustafsson
-  Reported-by: Harry Sintonen
+  Closes #7698
 
-- telnet: fix option parser to not send uninitialized contents
+- ngtcp2: adapt to new size defintions upstream
   
-  CVS-2021-22925
+  Reviewed-by: Tatsuhiro Tsujikawa
+  Closes #7699
+
+- rustls: add strerror.h include
   
-  Reported-by: Red Hat Product Security
-  Bug: https://curl.se/docs/CVE-2021-22925.html
+  Follow-up to 2f0bb864c12
 
-Jay Satiro (20 Jul 2021)
-- connect: fix wrong format specifier in connect error string
+- docs: the security list is reached at security at curl.se now
   
-  0842175 (not in any release) used the wrong format specifier (long int)
-  for timediff_t. On an OS such as Windows libcurl's timediff_t (usually
-  64-bit) is bigger than long int (32-bit). In 32-bit Windows builds the
-  upper 32-bits of the timediff_t were erroneously then used by the next
-  format specifier. Usually since the timeout isn't larger than 32-bits
-  this would result in null as a pointer to the string with the reason for
-  the connection failing. On other OSes or maybe other compilers it could
-  probably result in garbage values (ie crash on deref).
+  Also update the FAQ section a bit to encourage users to rather submit
+  security issues on hackerone than sending email.
   
-  Before:
-  Failed to connect to localhost port 12345 after 1201 ms: (nil)
+  Closes #7689
+
+Marc Hoersken (9 Sep 2021)
+- runtests: add option -u to error on server unexpectedly alive
   
-  After:
-  Failed to connect to localhost port 12345 after 1203 ms: Connection refused
+  Let's try to actually handle the server unexpectedly alive
+  case by first making them visible on CI builds as failures.
   
-  Closes https://github.com/curl/curl/pull/7449
-
-- winbuild: support alternate nghttp2 static lib name
+  This is needed to detect issues with killing of the test
+  servers completely including nested process chains with
+  multiple PIDs per test server (including bash and perl).
   
-  - Support both nghttp2.lib and nghttp2_static.lib for static nghttp2.
+  On Windows/cygwin platforms this is especially helpful with
+  debugging PID mixups due to cygwin using its own PID space.
   
-  nghttp2 briefly changed its static lib name to nghttp2_static, but then
-  made the _static suffix optional.
+  Reviewed-by: Daniel Stenberg
+  Closes #7180
+
+Daniel Stenberg (9 Sep 2021)
+- opts docs: unify phrasing in NAME header
   
-  Ref: https://github.com/nghttp2/nghttp2/pull/1394
-  Ref: https://github.com/nghttp2/nghttp2/pull/1418
-  Ref: https://github.com/nghttp2/nghttp2/issues/1466
+  - avoid writing "set ..." or "enable/disable ..." or "specify ..."
+    *All* options for curl_easy_setopt() are about setting or enabling
+    things and most of the existing options didn't use that way of
+    description.
   
-  Reported-by: Pierre Yager
+  - start with lowercase letter, unless abbreviation. For consistency.
   
-  Fixes https://github.com/curl/curl/issues/7446
-  Closes https://github.com/curl/curl/pull/7447
+  - Some additional touch-ups
+  
+  Closes #7688
 
-- [Josh Soref brought this change]
+- strerror.h: remove the #include from files not using it
 
-  docs/cmdline: fix grammar and typos
+- lib: don't use strerror()
   
-  Closes https://github.com/curl/curl/pull/7432
-  Closes https://github.com/curl/curl/pull/7436
-  Closes https://github.com/curl/curl/pull/7438
-  Closes https://github.com/curl/curl/pull/7440
-  Closes https://github.com/curl/curl/pull/7445
-
-- [Josh Soref brought this change]
+  We have and provide Curl_strerror() internally for a reason: strerror()
+  is not necessarily thread-safe so we should always try to avoid it.
+  
+  Extended checksrc to warn for this, but feature the check disabled by
+  default and only enable it in lib/
+  
+  Closes #7685
 
-  delegation.d: mention what happens when used multiple times
+Daniel Gustafsson (8 Sep 2021)
+- cirrus: Add FreeBSD 13.0 job and disable sanitizer build
   
-  Closes https://github.com/curl/curl/pull/7408
+  As alluded to the in the now removed comment, a 13.0 image became
+  available and is now ready to be used.
+  
+  The sanitizer builds were running on the 12.1 image which since has
+  been removed from the config, leaving the builds not running at all.
+  When enabled it turns out that they don't actually work due to very
+  long timeouts in executing the tests, so keep the disabled for now
+  but a bit more controlled.
+  
+  Closes #7592
 
-- [Josh Soref brought this change]
+Daniel Stenberg (8 Sep 2021)
+- copyrights: update copyright year ranges
 
-  create-file-mode.d: mention what happens when used multiple times
-  
-  Closes https://github.com/curl/curl/pull/7407
+- RELEASE-NOTES: synced
 
-- [Josh Soref brought this change]
+- INTERNALS: c-ares has a new home: c-ares.org
 
-  config.d: split comments and option-per line
+- docs: remove experimental mentions from HSTS and MQTT
   
-  Closes https://github.com/curl/curl/pull/7405
+  Reported-by: Jonathan Cardoso
+  Bug: https://github.com/curl/curl/pull/6700#issuecomment-913792863
+  Closes #7681
 
-Daniel Stenberg (19 Jul 2021)
-- misc: copyright year range updates
+- [Cao ZhenXiang brought this change]
 
-- mailmap: add Tobias and Timur
+  curl: add warning for incompatible parameters usage
+  
+  --continue-at - and --remote-header-name are known incompatible parameters
+  
+  Closes #7674
 
-Daniel Gustafsson (18 Jul 2021)
-- [Josh Soref brought this change]
+- [git-bruh brought this change]
 
-  docs: spell out directories instead of dirs in create-dirs
-  
-  Write out directories rather than using the dirs abbrevation. Also
-  use plural form consistently, even if the code in the end might just
-  create a single directory.
+  examples/*hiperfifo.c: fix calloc arguments to match function proto
   
-  Closes #7406
-  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
-  Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
+  Closes #7678
 
-- [Tobias Nyholm brought this change]
+- INTERNALS: bump c-ares requirement to 1.16.0
+  
+  Since ba904db0705c93 we use ares_getaddrinfo, added in c-ares 1.16.0
 
-  docs: correct spelling errors and a broken link
+- curl: stop retry if Retry-After: is longer than allowed
   
-  Update grammar and spelling in docs and source code comments.
+  If Retry-After: specifies a period that is longer than what fits within
+  --retry-max-time, then stop retrying immediately.
   
-  Closes: #7427
-  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+  Added test 366 to verify.
+  
+  Reported-by: Kari Pahula
+  Fixes #7675
+  Closes #7676
 
-Marc Hoersken (18 Jul 2021)
-- CI/cirrus: install impacket from PyPI instead of FreeBSD packages
+- [Michał Antoniak brought this change]
+
+  mbedtls: avoid using a large buffer on the stack
   
-  Availability of impacket as FreeBSD package is too flaky.
+  Use dynamic memory allocation for the buffer used in checking "pinned
+  public key". The PUB_DER_MAX_BYTES parameter with default settings is
+  set to a value greater than 2kB.
   
-  Stick to legacy version of cryptography which still
-  supports OpenSSL version 1.0.2 due to FreeBSD 11.
+  Co-authored-by: Daniel Stenberg
+  Closes #7586
+
+- configure: make --disable-hsts work
   
-  Reviewed-by: Daniel Stenberg
+  The AC_ARG_ENABLE() macro itself uses a variable called
+  'enable_[option]', so when our script also used a variable with that
+  name for the purpose of storing what the user wants, it also
+  accidentally made it impossible to switch off the feature with
+  --disable-hsts. Fix this by renaming our variable.
   
-  Closes #7418
-
-Daniel Stenberg (18 Jul 2021)
-- [Josh Soref brought this change]
+  Reported-by: Michał Antoniak
+  Fixes #7669
+  Closes #7672
 
-  docs/cmdline: mention what happens when used multiple times
+Jay Satiro (5 Sep 2021)
+- config.d: note that curlrc is used even when --config
   
-  For --dns-ipv4-addr, --dns-ipv6-addr and --dns-servers
+  Bug: https://github.com/curl/curl/pull/7666#issuecomment-912214751
+  Reported-by: Viktor Szakats
   
-  Closes #7410
-  Closes #7411
-  Closes #7412
+  Closes https://github.com/curl/curl/pull/7667
 
-- [Michał Antoniak brought this change]
+Daniel Stenberg (4 Sep 2021)
+- RELEASE-NOTES: synced
 
-  lib: fix compiler warnings with CURL_DISABLE_NETRC
-  
-  warning C4189: 'netrc_user_changed': local variable is initialized but
-  not referenced
+- test1173: check references to libcurl options
   
-  warning C4189: 'netrc_passwd_changed': local variable is initialized but
-  not referenced
+  ... that they refer to actual existing libcurl options.
   
-  Closes #7423
+  Reviewed-by: Daniel Gustafsson
+  Closes #7656
 
-- disable-epsv.d: remove duplicate "(FTP)"
+- CURLOPT_UNIX_SOCKET_PATH.3: remove nginx reference, add see also
   
-  ... since the tooling adds that to the output based on the "Protocols:"
-  tag.
-
-- [Max Zettlmeißl brought this change]
+  Closes #7656
 
-  docs: make the documentation for --etag-save match the program behaviour
+- opt-docs: verify man page sections + order
   
-  When using curl with the option `--etag-save` I expected it to save the
-  ETag without its surrounding quotes, as stated by the documentation in
-  the repository and by the generated man pages.
+  In every libcurl option man page there are now 8 mandatory sections that
+  must use the right name in the correct order and test 1173 verifies
+  this. Only 14 man pages needed adjustments.
   
-  My first endeavour was to fix the program, but while investigating the
-  history of the relevant parts, I discovered that curl once saved the
-  ETag without the quotes.  This was undone by Daniel Stenberg in commit
-  `98c94596f5928840177b6bd3c7b0f0dd03a431af`, therefore I decided that in
-  this case the documentation should be adjusted to match the behaviour of
-  curl.
+  The sections and the order is as follows:
   
-  The changed save behaviour also made parts of the `--etag-compare`
-  documentation wrong or superfluous, so I adjusted those accordingly.
+   - NAME
+   - SYNOPSIS
+   - DESCRIPTION
+   - PROTOCOLS
+   - EXAMPLE
+   - AVAILABILITY
+   - RETURN VALUE
+   - SEE ALSO
   
-  Closes #7429
+  Reviewed-by: Daniel Gustafsson
+  Closes #7656
 
-- [Josh Soref brought this change]
+- opt-docs: make sure all man pages have examples
+  
+  Extended manpage-syntax.pl (run by test 1173) to check that every man
+  page for a libcurl option has an EXAMPLE section that is more than two
+  lines. Then fixed all errors it found and added examples.
+  
+  Reviewed-by: Daniel Gustafsson
+  Closes #7656
 
-  write-out.d: add missing periods
+- get.d: provide more useful examples
   
-  Closes #7404
+  Closes #7668
 
-- [Josie Huddleston brought this change]
+- page-header: add GOPHERS, simplify wording in the 1st para
+  
+  Closes #7665
 
-  easy: during upkeep, attach Curl_easy to connections in the cache
+- connect: get local port + ip also when reusing connections
   
-  During the protocol-specific parts of connection upkeep, some code
-  assumes that the data->conn pointer already is set correctly.  However,
-  there's currently no guarantee of that in the code.
+  Regression. In d6a37c23a3c (7.75.0) we removed the duplicated storage
+  (connection + easy handle), so this info needs be extracted again even
+  for re-used connections.
   
-  This fix temporarily attaches each connection to the Curl_easy object
-  before performing the protocol-specific connection check on it, in a
-  similar manner to the connection checking in extract_if_dead().
+  Add test 435 to verify
   
-  Fixes #7386
-  Closes #7387
-  Reported-by: Josie Huddleston
+  Reported-by: Max Dymond
+  Fixes #7660
+  Closes #7662
 
-- [Josh Soref brought this change]
+Marcel Raad (2 Sep 2021)
+- multi: fix compiler warning with `CURL_DISABLE_WAKEUP`
+  
+  `use_wakeup` is unused in this case.
+  
+  Closes https://github.com/curl/curl/pull/7661
 
-  cleanup: spell DoH with a lowercase o
+Daniel Stenberg (1 Sep 2021)
+- tests: adjust the tftpd output to work with hyper mode
   
-  Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
+  By making them look less like http headers, the hyper mode "tweak"
+  doesn't interfere.
   
-  Closes #7413
+  Enable test 2002 and 2003 in hyper builds (and 1280 which is unrelated
+  but should be enabled).
+  
+  Closes #7658
 
-- [Josh Soref brought this change]
+Daniel Gustafsson (1 Sep 2021)
+- [Gisle Vanem brought this change]
 
-  TheArtOfHttpScripting: polish
+  openssl: annotate SSL3_MT_SUPPLEMENTAL_DATA
   
-  - add missing backticks and comma
+  This adds support for the previously unhandled supplemental data which
+  in -v output was printed like:
   
-  - fix proxy description:
+      TLSv1.2 (IN), TLS header, Unknown (23):
   
-  * example proxy isn't local
-  * locally doesn't really make sense
+  These will now be printed with proper annotation:
   
-  Closes #7416
-
-- [Josh Soref brought this change]
-
-  form.d: add examples of `,`/`;` for file[name]
+      TLSv1.2 (OUT), TLS header, Supplemental data (23):
   
-  Fixes #7415
-  Closes #7417
+  Closes #7652
+  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
 
-- [Michał Antoniak brought this change]
+Daniel Stenberg (1 Sep 2021)
+- curl.1: provide examples for each option
+  
+  The file format for each option now features a "Example:" header that
+  can provide one or more examples that get rendered appropriately in the
+  output. All options MUST have at least one example or gen.pl complains
+  at build-time.
+  
+  This fix also does a few other minor format and consistency cleanups.
+  
+  Closes #7654
 
-  mbedtls: Remove unnecessary include
+- progress: make trspeed avoid floats
   
-  - curl_setup.h: all references to mbedtls_md4* functions and structures
-    are in the md4.c. This file already includes the <mbedtls/md4.h> file
-    along with the file existence control (defined (MBEDTLS_MD4_C))
+  and compiler warnings for data conversions.
   
-  - curl_ntlm_core.c: unnecessary include - repeated below
+  Reported-by: Michał Antoniak
+  Fixes #7645
+  Closes #7653
+
+- test365: verify response with chunked AND Content-Length headers
+
+- http: ignore content-length if any transfer-encoding is used
   
-  Closes #7419
+  Fixes #7643
+  Closes #7649
 
 - RELEASE-NOTES: synced
 
-Jay Satiro (16 Jul 2021)
-- [User Sg brought this change]
-
-  multi: fix crash in curl_multi_wait / curl_multi_poll
+- Revert "http2: skip immediate parsing of payload following protocol switch"
   
-  Appears to have been caused by 51c0ebc (precedes 7.77.0) which added a
-  VALID_SOCK check to one of the loops through the sockets but not the
-  other.
+  This reverts commit 455a63c66f188598275e87d32de2c4e8e26b80cb.
   
-  Reported-by: sylgal@users.noreply.github.com
-  Authored-by: sylgal@users.noreply.github.com
+  Reported-by: Tk Xiong
+  Fixes #7633
+  Closes #7648
+
+- KNOWN_BUGS: HTTP/3 doesn't support client certs
   
-  Fixes https://github.com/curl/curl/issues/7379
-  Closes https://github.com/curl/curl/pull/7389
+  Closes #7625
 
-- [Daniel Gustafsson brought this change]
+- mailing lists: move from cool.haxx.se to lists.haxx.se
 
-  tool_help: remove unused define
+- http_proxy: only wait for writable socket while sending request
   
-  The PRINT_LINES_PAUSE macro is no longer used, and has been mostly
-  cleaned out but one occurrence remained.
+  Otherwise it would wait socket writability even after the entire CONNECT
+  request has sent and make curl basically busy-loop while waiting for a
+  response to come back.
   
-  Closes https://github.com/curl/curl/pull/7380
-
-- [Sergey Markelov brought this change]
+  The previous fix attempt in #7484 (c27a70a591a4) was inadequate.
+  
+  Reported-by: zloi-user on github
+  Reported-by: Oleguer Llopart
+  Fixes #7589
+  Closes #7647
 
-  build: fix compiler warnings when CURL_DISABLE_VERBOSE_STRINGS
+- http: disallow >3-digit response codes
   
-  fix compiler warnings about unused variables and parameters when
-  built with --disable-verbose.
+  Make the built-in HTTP parser behave similar to hyper and reject any
+  HTTP response using more than 3 digits for the response code.
   
-  Closes https://github.com/curl/curl/pull/7377
+  Updated test 1432 accordingly.
+  Enabled test 1432 in the hyper builds.
+  
+  Closes #7641
 
-- [Andrea Pappacoda brought this change]
+- [Tatsuhiro Tsujikawa brought this change]
 
-  build: fix IoctlSocket FIONBIO check
+  ngtcp2: stop buffering crypto data
   
-  Prior to this change HAVE_IOCTLSOCKET_CAMEL_FIONBIO mistakenly checked
-  for (lowercase) ioctlsocket when it should have checked for IoctlSocket.
+  Stop buffering crypto data because libngtcp2 now buffers submitted
+  crypto data.
   
-  Closes https://github.com/curl/curl/pull/7375
-
-- [Timur Artikov brought this change]
+  Closes #7637
 
-  configure: fix nghttp2 library name for static builds
-  
-  Don't hardcode the nghttp2 library name,
-  because it can vary, be "nghttp2_static" for example.
+- test1280: CRLFify the response to please hyper
   
-  Fixes https://github.com/curl/curl/issues/7367
-  Closes https://github.com/curl/curl/pull/7368
+  Closes #7639
 
-Gisle Vanem (16 Jul 2021)
-- [PellesC] fix _lseeki64() macro
+- tests: enable test 1129 for hyper builds
+  
+  Closes #7638
 
-- [SChannel] Use '_tcsncmp()' instead
+- curl: better error message when -O fails to get a good name
   
-  Revert previous change for PellesC.
+  Due to how this currently works internally, it needs a working initial
+  file name to store contents in, so it may still fail even with -J is
+  used (and thus accepting a name from content-disposition:) if the file
+  name part of the URL isn't "good enough".
   
-  Instead replace all use of `_tcsnccmp()` with `_tcsncmp()`.
+  Fixes #7628
+  Closes #7635
 
-- [PellesC] missing '_tcsnccmp'
+- curl_easy_setopt: tweak the string copy wording
   
-  PellesC compiler does not have this macro in it's `<tchar.h>`
+  Reported-by: Yaobin Wen
+  Fixes #7632
+  Closes #7634
 
-Daniel Gustafsson (14 Jul 2021)
-- TODO: add mention of mbedTLS 3 incompatibilities
+- RELEASE-NOTES: synced
+
+- [Don J Olmstead brought this change]
+
+  cmake: sync CURL_DISABLE options
   
-  Wyatt OʼDay reported in #7385 that mbedTLS isn't backwards compatible
-  and curl no longer builds with it. Document the need to fix our support
-  until so has been done.
+  Adds the full listing of CURL_DISABLE options to the CMake build. Moves
+  all option code, except for CURL_DISABLE_OPENSSL_AUTO_LOA_CONFIG which
+  resides near OpenSSL configuration, to the same block of code. Also
+  sorts the options here and in the cmake config header.
   
-  Closes #7390
-  Fixes #7385
-  Reported-by: Wyatt OʼDay
-  Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
+  Additionally sorted the CURL-DISABLE listing and fixed the
+  CURL_DISABLE_POP3 option.
+  
+  Closes #7624
 
-- docs: fix inconsistencies in EGDSOCKET documentation
+Jay Satiro (25 Aug 2021)
+- KNOWN_BUGS: FTPS upload data loss with TLS 1.3
   
-  Only the OpenSSL backend actually use the EGDSOCKET, and also use
-  TLS consistently rather than mixing SSL and TLS. While there, also
-  fix a minor spelling nit.
+  Bug: https://github.com/curl/curl/issues/6149
+  Reported-by: Bylon2@users.noreply.github.com
   
-  Closes: #7391
-  Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
-
-- [Борис Верховский brought this change]
+  Closes https://github.com/curl/curl/pull/7623
 
-  docs: document missing arguments to commands
+Daniel Stenberg (24 Aug 2021)
+- cmake: avoid poll() on macOS
   
-  This is a followup to commit f410b9e538129e77607fef1 fixing a few
-  more commands which takes arguments.
+  ... like we do in configure builds. Since poll() on macOS is not
+  reliable enough.
   
-  Closes #7382
-  Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
-
-- [Randolf J brought this change]
+  Reported-by: marc-groundctl
+  Fixes #7595
+  Closes #7619
 
-  docs: fix incorrect argument name reference
+- c-hyper: handle HTTP/1.1 => HTTP/1.0 downgrade on reused connection
   
-  The documentation for the read callback was erroneously referencing
-  the nitems argument by nmemb.  The error was introduced in commit
-  ce0881edee3c7.
+  Enable test 1074
   
-  Closes #7383
-  Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
-
-- [Борис Верховский brought this change]
+  Closes #7617
 
-  tool_help: Document that --tlspassword takes a password
+- c-hyper: deal with Expect: 100-continue combined with POSTFIELDS
   
-  Closes #7378
-  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
-
-- scripts: Fix typo in release-notes instructions
+  Enable test 1130 and 1131
   
-  The command to run had a typo in the pathname which prevented copy
-  pasting it to work, which has annoyed me enough to fix this now.
+  Closes #7616
 
-- RELEASE-NOTES: synced
+- [a1346054 brought this change]
 
-Jay Satiro (10 Jul 2021)
-- write-out.d: Clarify urlnum is not unique for de-globbed URLs
+  tests: be explicit about using 'python3' instead of 'python'
   
-  Reported-by: Коваленко Анатолий Викторович
+  This fixes running tests in virtualenvs (or on distros) that no longer
+  have a symlink from python to python2 or python3.
   
-  Fixes https://github.com/curl/curl/issues/7342
-  Closes https://github.com/curl/curl/pull/7369
+  Closes #7602
 
-Daniel Gustafsson (3 Jul 2021)
-- [William Desportes brought this change]
+- [a1346054 brought this change]
 
-  docs: Fix typos
+  scripts: invoke interpreters through /usr/bin/env
   
-  Closes: #7370
-  Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
-
-Daniel Stenberg (8 Jul 2021)
-- [Jonathan Wernberg brought this change]
+  Closes #7602
 
-  Revert "ftp: Expression 'ftpc->wait_data_conn' is always false"
-  
-  The reverted commit introduced a logic error in code that was
-  correct.
-  
-  The client using libcurl would notice the error since FTP file
-  uploads in active transfer mode would somtimes complete with
-  success despite no transfer having been performed and the
-  "uploaded" file thus not being on the remote server afterwards.
-  
-  The FTP server would notice the error because it receives a
-  RST on the data connection it has established with the client
-  before any data was transferred at all.
-  
-  The logic error happens if the STOR response from the server have
-  arrived by the time ftp_multi_statemach() in the affected code path
-  is called, but the incoming data connection have not arrived yet.
-  In that case, the processing of the STOR response will cause
-  'ftpc->wait_data_conn' to be set to TRUE, contradicting the comment
-  in the code. Since 'complete' will also be set, later logic would
-  believe the transfer was done.
-  
-  In most cases, the STOR response will not have arrived yet when
-  the affected code path is executed, or the incoming connection will
-  also have arrived, and thus the error would not express itself.
-  But if the speed difference of the device using libcurl and the
-  FTP server is exactly right, the error may happen as often as in
-  one out of hundred file transfers.
-  
-  This reverts commit 49f3117a238b6eac0e22a32f50699a9eddcb66ab.
+- DISABLED: enable 11 more tests for hyper builds
   
-  Bug: https://curl.se/mail/lib-2021-07/0025.html
-  Closes #7362
+  Closes #7612
 
-- msnprintf: return number of printed characters excluding null byte
+- setopt: enable CURLOPT_IGNORE_CONTENT_LENGTH for hyper
   
-  ... even when the output is "capped" by the maximum length argument.
+  Since this option is also used for FTP, it needs to work to set for
+  applications even if hyper doesn't support it for HTTP. Verified by test
+  1137.
   
-  Clarified in the docs.
+  Updated docs to specify that the option doesn't work for HTTP when using
+  the hyper backend.
   
-  Closes #7361
+  Closes #7614
 
-- infof: remove newline from format strings, always append it
+- test1138: remove trailing space to make work with hyper
   
-  - the data needs to be "line-based" anyway since it's also passed to the
-    debug callback/application
+  Closes #7613
+
+- libcurl-errors.3: clarify two CURLUcode errors
   
-  - it makes infof() work like failf() and consistency is good
+  CURLUE_BAD_HANDLE and CURLUE_BAD_PARTPOINTER should be for "bad" or
+  wrong pointers in a generic sense, not just for NULL pointers.
   
-  - there's an assert that triggers on newlines in the format string
+  Reviewed-by: Jay Satiro
   
-  - Also removes a few instances of "..."
+  Ref: #7605
+  Closes #7611
+
+Jay Satiro (23 Aug 2021)
+- symbols-in-versions: fix CURLSSLBACKEND_QSOSSL last used version
   
-  - Removes the code that would append "..." to the end of the data *iff*
-    it was truncated in infof()
+  ... and also change the 'Removed' column name to 'Last' since that
+  column is for the last version to contain the symbol.
   
-  Closes #7357
+  Closes https://github.com/curl/curl/pull/7609
 
-- examples/multi-single: fix scan-build warning
-  
-  warning: Value stored to 'mc' during its initialization is never read
+Daniel Stenberg (23 Aug 2021)
+- urlapi.c:seturl: assert URL instead of using if-check
   
-  Follow-up to ae8e11ed5fd2ce
+  There's no code flow possible where this can happen. The assert makes
+  sure it also won't be introduced undetected in the future.
   
-  Closes #7360
+  Closes #7610
 
-- wolfssl: failing to set a session id is not reason to error out
+- curl-openssl.m4: show correct output for OpenSSL v3
   
-  ... as it is *probably* just timed out.
+  Using 3.0.0 versions configure should now show this:
   
-  Reported-by: Francisco Munoz
+  checking for OpenSSL headers version... 3.0.0 - 0x300
+  checking for OpenSSL library version... 3.0.0
+  checking for OpenSSL headers and library versions matching... yes
   
-  Closes #7358
+  This output doesn't actually change what configure generates but is only
+  "cosmetic".
+  
+  Reported-by: Randall S. Becker
+  Fixes #7606
+  Closes #7608
 
-- docs/examples: use curl_multi_poll() in multi examples
+Jay Satiro (22 Aug 2021)
+- mksymbolsmanpage.pl: Fix showing symbol's last used version
   
-  The API is soon two years old and deserves being shown as the primary
-  way to drive multi code as it makes it much easier to write code.
+  Prior to this change the symbol's deprecated version was erroneously
+  shown as its last used version.
   
-  multi-poll: removed
+  Bug: https://github.com/curl/curl/commit/4e53b94#commitcomment-55239509
+  Reported-by: i-ky@users.noreply.github.com
+
+Daniel Stenberg (21 Aug 2021)
+- mksymbolsmanpage.pl: match symbols case insenitively
   
-  multi-legacy: add to show how we did multi API use before
-  curl_multi_wait/poll.
+  Follow-up to 4e53b9430c750 which made this bug show.
   
-  Closes #7352
+  Reported-by: i-ky
+  Bug: https://github.com/curl/curl/commit/4e53b9430c7504de8984796e2a2091ec16f27136#commitcomment-55239253
+  Closes #7607
 
-- KNOWN_BUGS: flaky Windows CI builds
+- asyn-ares: call ares_freeaddrinfo() to clean up addrinfo results
   
-  Closes #6972
-
-- RELEASE-NOTES: synced
-
-- test1147: hyper doesn't allow "crazy" request headers like built-in
+  As this leaks memory otherwise
   
-  ... so strip that from the test.
+  Follow-up to ba904db0705c931
   
-  Closes #7349
+  Closes #7599
 
-- c-hyper: bail on too long response headers
+- [Ehren Bendler brought this change]
+
+  wolfssl: clean up wolfcrypt error queue
   
-  To match with built-in behaviors. Makes test 1154 work.
+  If wolfSSL is built in certain ways (OPENSSL_EXTRA or Debug), the error
+  queue gets added on to for each session and never freed. Fix it by
+  calling ERR_clear_error() like in vtls/openssl when needed. This func is
+  a no-op in wolfcrypt if the error queue is not enabled.
   
-  Closes #7350
+  Closes #7594
 
-- test1151: added missing CRLF to work with hyper
+- man pages: remove trailing whitespaces
   
-  Closes #7350
-
-- c-hyper: add support for transfer-encoding in the request
+  Extended test 1173 (via the manpage-syntax.pl script) to detect and warn
+  for them.
   
-  Closes #7348
+  Ref: #7602
+  Reported-by: a1346054 on github
+  Closes #7604
 
-- [Andrea Pappacoda brought this change]
+- mailmap: add Gleb Ivanovsky
 
-  cmake: remove libssh2 feature checks
-  
-  libssh2 features are detected based on version since commit
-  9dbbba997608f7c3c5de1c627c77c8cd2aa85b73
+- config.d: escape the backslash properly
   
-  Closes #7343
+  Closes #7603
 
-- test1116: hyper doesn't pass through "surprise-trailers"
-  
-  Closes #7344
+- [Don J Olmstead brought this change]
 
-- socks4: scan for the IPv4 address in resolve results
+  curl_setup.h: sync values for HTTP_ONLY
   
-  Follow-up to 84d2839740 which changed the resolving to always resolve
-  both address families, but since SOCKS4 only supports IPv4 it should
-  scan for and use the first available IPv4 address.
+  The values for HTTP_ONLY differed between CMakeLists.txt and
+  curl_setup.h. Sync them and sort the values in curl_setup.h to make it
+  easier to spot differences.
   
-  Reported-by: shithappens2016 on github
-  Fixes #7345
-  Closes #7346
+  Closes #7601
 
-Jay Satiro (5 Jul 2021)
-- proto.d: fix formatting for paragraphs after margin changes
+Jay Satiro (21 Aug 2021)
+- configure: set classic mingw minimum OS version to XP
   
-  Closes https://github.com/curl/curl/pull/7341
-
-- pinnedpubkey.d: fix formatting for version support lists
+  - If the user has not specified a minimum OS version (via WINVER or
+    _WIN32_WINNT macros) then set it to Windows XP.
   
-  Closes https://github.com/curl/curl/pull/7340
-
-Daniel Stenberg (2 Jul 2021)
-- TODO: "Support in-memory certs/ca certs/keys" done
+  Prior to this change classic MinGW defaulted the minimum OS version
+  to Windows NT 4.0 which is way too old. At least Windows XP is needed
+  for getaddrinfo (which resolves hostnames to IPv6 addresses).
   
-  Has been suppored for a while now with the *BLOB options.
+  Ref: https://github.com/curl/curl/issues/7483#issuecomment-891597034
+  
+  Closes https://github.com/curl/curl/pull/7581
 
-- examples: safer and more proper read callback logic
+- schannel: Work around typo in classic mingw macro
   
-  The same callback code is used in:
+  - Define ALG_CLASS_DHASH (the typo from the include) to ALG_CLASS_HASH.
   
-   imap-append.c
-   smtp-authzid.c
-   smtp-mail.c
-   smtp-multi.c
-   smtp-ssl.c
-   smtp-tls.c
+  Prior to this change there was an incomplete fix to ignore the
+  CALG_TLS1PRF macro on those versions of MinGW where it uses the
+  ALG_CLASS_DHASH typoed macro.
   
-  It should not assume that it can copy full lines into the buffer as it
-  will encourage sloppy coding practices. Instead use byte-wise logic and
-  check/acknowledge the buffer size appropriately.
+  Ref: 48cf45c
+  Ref: https://osdn.net/projects/mingw/ticket/38391
+  Ref: https://github.com/curl/curl/issues/2924
   
-  Reported-by: Harry Sintonen
-  Fixes #7330
-  Closes #7331
+  Closes https://github.com/curl/curl/pull/7580
 
-- test1519: adjusted to work with hyper
-  
-  Closes #7333
+Daniel Stenberg (20 Aug 2021)
+- RELEASE-NOTES: synced
 
-- test1518: adjusted to work with hyper
+- http_proxy: fix user-agent and custom headers for CONNECT with hyper
   
-  ... by making sure the stdout output doesn't look like HTTP headers.
+  Enable test 287
   
-  Closes #7333
+  Closes #7598
 
-- test1514: add a CRLF to the response to make it correct
+- c-hyper: initial support for "dumping" 1xx HTTP responses
   
-  Makes hyper accept it fine instead returning HYPERE_UNEXPECTED_EOF on
-  us.
+  With the use hyper_request_on_informational()
   
-  Closes #7334
+  Enable test 155 and 158
+  
+  Closes #7597
 
-- formdata: avoid "Argument cannot be negative" warning
+Marc Hoersken (18 Aug 2021)
+- tests/*server.pl: flush output before executing subprocess
   
-  ... when converting a curl_off_t to size_t, by using
-  CURL_ZERO_TERMINATED before passing the argument to the function.
+  Also avoid shell processes staying around by using exec.
+  This is necessary to avoid output data being buffering
+  inside the process chain of Perl, Bash/Shell and our
+  test server binaries. On non-Windows systems the exec
+  will also make the subprocess replace the intermediate
+  shell, but on Windows it will at least bind the processes
+  together since there is no real fork or exec available.
   
-  Detected by Coverity CID 1486590.
+  See: https://cygwin.com/cygwin-ug-net/highlights.html
+  and: https://docs.microsoft.com/cpp/c-runtime-library/exec-wexec-functions
+  Ref: https://github.com/curl/curl/pull/7530#issuecomment-900949010
   
-  Closes #7328
-  Assisted-by: Daniel Gustafsson
+  Reviewed-by: Daniel Stenberg
+  Reviewed-by: Jay Satiro
+  Closes #7530
 
-- lib: more %u for port and int for %*s fixes
+- CI: use GitHub Container Registry instead of Docker Hub
   
-  Detected by Coverity
+  Avoid limits on Docker Hub and improve image pull/download speed.
   
-  Closes #7329
-
-- doh: (void)-prefix call to curl_easy_setopt
+  Closes #7587
 
-- lib: fix type of len passed to *printf's %*s
+Daniel Stenberg (18 Aug 2021)
+- openssl: when creating a new context, there cannot be an old one
   
-  ... it needs to be 'int'. Detected by Coverity CID 1486611 (etc)
+  Remove the previous handling that would call SSL_CTX_free(), and instead
+  add an assert that halts a debug build if there ever is a context
+  already set at this point.
   
-  Closes #7326
+  Closes #7585
 
-- lib: use %u instead of %ld for port number printf
-  
-  Follow-up to 764c6bd3bf which changed the type of some port number
-  fields. Detected by Coverity (CID 1486624) etc.
+Jay Satiro (18 Aug 2021)
+- KNOWN_BUGS: Renegotiate from server may cause hang for OpenSSL backend
   
-  Closes #7325
+  Closes https://github.com/curl/curl/issues/6785
 
-- version: turn version number functions into returning void
+Viktor Szakats (17 Aug 2021)
+- docs/BINDINGS: URL update
+
+Marc Hoersken (17 Aug 2021)
+- tests/server/*.c: align handling of portfile argument and file
   
-  ... as we never use the return codes from them.
+  1. Call the internal variable portname (like pidname) everywhere.
+  2. Have a variable wroteportfile (like wrotepidfile) everywhere.
+  3. Make sure the file is cleaned up on exit (like pidfile).
+  4. Add parameter --portfile to usage outputs everywhere.
   
-  Reviewed-by: Daniel Gustafsson
-  Closes #7319
-
-- mqtt: extend the error message for no topic
+  Reviewed-by: Daniel Stenberg
   
-  ... and mention that it needs URL encoding.
+  Replaces #7523
+  Closes #7574
+
+Daniel Gustafsson (17 Aug 2021)
+- KNOWN_BUGS: Fix a number of typos in KNOWN_BUGS
   
-  Reported-by: Peter Körner
-  Fixes #7316
-  Closes #7317
+  Fixes a set of typos found in section 11.3.
 
-- formdata: correct typecast in curl_mime_data call
+Daniel Stenberg (17 Aug 2021)
+- getparameter: fix the --local-port number parser
   
-  Coverity pointed out it the mismatch. CID 1486590
+  It could previously get tricked into parsing the uninitialized stack
+  based buffer.
   
-  Closes #7327
+  Reported-by: Brian Carpenter
+  Closes #7582
 
-- url: (void)-prefix a curl_url_get() call
-  
-  Coverity (CID 1486645) pointed out a use of curl_url_get() in the
-  parse_proxy function where the return code wasn't checked. A
-  (void)-prefix makes the intention obvious.
+- KNOWN_BUGS: Can't use Secure Transport with Crypto Token Kit
   
-  Closes #7320
+  Closes #7048
 
-- glob: pass an 'int' as len when using printf's %*s
+- [Jan Verbeek brought this change]
+
+  curl: add warning for ignored data after quoted form parameter
   
-  Detected by Coverity CID 1486629.
+  In an argument like `-F 'x=@/etc/hostname;filename="foo"abc'` the `abc`
+  is ignored. This adds a warning if the ignored data isn't all
+  whitespace.
   
-  Closes #7324
+  Closes #7394
 
-- vtls: use free() not curl_free()
+Jay Satiro (17 Aug 2021)
+- codeql: fix error "Resource not accessible by integration"
   
-  curl_free() is provided for users of the API to free returned data,
-  there's no need to use it internally.
+  - Enable codeql writing security-events.
   
-  Closes #7318
+  GitHub set the default permissions to read, apparently since earlier
+  this year.
+  
+  Ref: https://github.com/github/codeql-action/issues/464
+  Ref: https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/
+  
+  Fixes https://github.com/curl/curl/issues/7575
+  Closes https://github.com/curl/curl/pull/7576
 
-- zuul: use the new rustls directory name
+- tool_operate: Fix --fail-early with parallel transfers
   
-  Follow-up to 6d972c8b1cbb3 which missed updating this directory name.
+  - Abort via progress callback to fail early during parallel transfers.
   
-  Also no longer call it crustls in the docs and bump to rusttls-ffi 0.7.1
+  When a critical error occurs during a transfer (eg --fail-early
+  constraint) then other running transfers will be aborted via progress
+  callback and finish with error CURLE_ABORTED_BY_CALLBACK (42). In this
+  case, the callback error does not become the most recent error and a
+  custom error message is used for those transfers:
   
-  Closes #7311
-
-Jay Satiro (29 Jun 2021)
-- http: fix crash in rate-limited upload
+  curld --fail --fail-early --parallel
+  https://httpbin.org/status/404 https://httpbin.org/delay/10
   
-  - Don't set the size of the piece of data to send to the rate limit if
-    that limit is larger than the buffer size that will hold the piece.
+  curl: (22) The requested URL returned error: 404
+  curl: (42) Transfer aborted due to critical error in another transfer
   
-  Prior to this change if CURLOPT_MAX_SEND_SPEED_LARGE
-  (curl tool: --limit-rate) was set then it was possible that a temporary
-  buffer used for uploading could be written to out of bounds. A likely
-  scenario for this would be a non-trivial amount of post data combined
-  with a rate limit larger than CURLOPT_UPLOAD_BUFFERSIZE (default 64k).
+  > echo %ERRORLEVEL%
+  22
   
-  The bug was introduced in 24e469f which is in releases since 7.76.0.
+  Fixes https://github.com/curl/curl/issues/6939
+  Closes https://github.com/curl/curl/pull/6984
+
+Daniel Stenberg (17 Aug 2021)
+- [Sergey Markelov brought this change]
+
+  sectransp: support CURLINFO_CERTINFO
   
-  perl -e "print '0' x 200000" > tmp
-  curl --limit-rate 128k -d @tmp httpbin.org/post
+  Fixes #4130
+  Closes #7372
+
+- ngtcp2: remove the acked_crypto_offset struct field init
   
-  Reported-by: Richard Marion
+  ... as it is gone from the API upstream.
   
-  Fixes https://github.com/curl/curl/issues/7308
-  Closes https://github.com/curl/curl/pull/7315
+  Closes #7578
 
-Daniel Stenberg (29 Jun 2021)
-- copyright: add boiler-plate headers to CI config files
+- misc: update incorrect copyright year ranges
   
-  And whitelist .zuul.ignore
+  Closes #7577
+
+- KNOWN_BUGS: HTTP/3 quiche upload large file fails
   
-  Closes #7314
+  Closes #7532
 
-- CI: remove travis details
+- KNOWN_BUGS: CMake build with MIT Kerberos does not work
   
-  Rename still used leftovers to "zuul" as that's now the CI using them.
+  Closes #6904
+
+- TODO: add asynch getaddrinfo support
   
-  Closes #7313
+  Closes #6746
 
 - RELEASE-NOTES: synced
 
-- openssl: avoid static variable for seed flag
-  
-  Avoid the race condition risk by instead storing the "seeded" flag in
-  the multi handle. Modern OpenSSL versions handle the seeding itself so
-  doing the seeding once per multi-handle instead of once per process is
-  less of an issue.
-  
-  Reported-by: Gerrit Renker
-  Fixes #7296
-  Closes #7306
+- [Artur Sinila brought this change]
 
-- configure: inhibit the implicit-fallthrough warning on gcc-12
+  http2: revert call the handle-closed function correctly on closed stream
   
-  ... since it no longer acknowledges the comment markup we use for that
-  purpose.
+  Reverts 252790c5335a221
   
-  Reported-by: Younes El-karama
-  Fixes #7295
-  Closes #7307
+  Assisted-by: Gergely Nagy
+  Fixes #7400
+  Closes #7525
 
-Daniel Gustafsson (28 Jun 2021)
-- [Andrei Rybak brought this change]
+- [Patrick Monnerat brought this change]
 
-  misc: fix typos in comments which repeat a word
+  auth: do not append zero-terminator to authorisation id in kerberos
   
-  Fix typos in code comments which repeat various words.  In trivial
-  cases, just delete the repeated word.  Reword the affected sentence in
-  "lib/url.c" for it to make sense.
+  RFC4752 Section 3.1 states "The authorization identity is not terminated
+  with a zero-valued (%x00) octet". Although a comment in code said it may
+  be needed anyway, nothing confirms it. In addition, servers may consider
+  it as part of the identity, causing a failure.
   
-  Closes #7303
-  Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
+  Closes #7008
 
-Daniel Stenberg (27 Jun 2021)
-- lib677: make it survive torture testing
-  
-  Follow-up to a5ab72d5edd7
+- [Patrick Monnerat brought this change]
+
+  auth: use sasl authzid option in kerberos
   
-  Closes #7300
+  ... instead of deriving it from active ticket.
+  Closes #7008
 
-- [Tommy Chiang brought this change]
+- [Patrick Monnerat brought this change]
 
-  docs/BINDINGS: fix outdated links
-  
-  * luacurl page is now not accessible, fix it with wayback machine page
-  * Scheme one seems not providing https now, change it back to http one
+  auth: we do not support a security layer after kerberos authentication
   
-  Closes #7301
+  Closes #7008
 
-- [Jacob Hoffman-Andrews brought this change]
+- [Patrick Monnerat brought this change]
 
-  curstls: bump crustls version and use new URL
-  
-  crustls moved to https://github.com/rustls/rustls-ffi. This also bumps
-  the expected version to 0.7.0.
+  auth: properly handle byte order in kerberos security message
   
-  Closes #7297
+  Closes #7008
 
-- RELEASE-NOTES: synced
+- [z2_ brought this change]
 
-- examples: length-limit two sscanf() uses of %s
+  x509asn1: fix heap over-read when parsing x509 certificates
   
-  Reported-by: Jishan Shaikh
-  Fixes #7293
-  Closes #7294
+  Assisted-by: Patrick Monnerat
+  Closes #7536
 
-- [Richard Whitehouse brought this change]
+- KNOWN_BUGS: Disconnects don't do verbose
+  
+  Closes #6995
 
-  multi: alter transfer timeout ordering
+- mailmap: fixup Michał Antoniak
+
+- [Michał Antoniak brought this change]
+
+  build: fix compiler warnings
   
-  - Check whether a connection has succeded before checking whether it's
-    timed out.
+  For when CURL_DISABLE_VERBOSE_STRINGS and DEBUGBUILD flags are both
+  active.
   
-    This means if we've connected quickly, but subsequently been
-    descheduled, we allow the connection to succeed. Note, if we timeout,
-    but between checking the timeout, and connecting to the server the
-    connection succeeds, we will allow it to go ahead. This is viewed as
-    an acceptable trade off.
+  - socks.c : warning C4100: 'lineno': unreferenced formal parameter
+    (co-authored by Daniel Stenberg)
   
-  - Add additional failf logging around failed connection attempts to
-    propogate the cause up to the caller.
+  - mbedtls.c: warning C4189: 'port': local variable is initialized but
+    not referenced
   
-  Co-Authored-by: Martin Howarth
-  Closes #7178
+  - schannel.c: warning C4189: 'hostname': local variable is initialized
+    but not referenced
+  
+  Cloes #7528
 
-- test677: IMAP CONNECT_ONLY, custom command and then exit
+- [Gleb Ivanovsky brought this change]
+
+  CODE_STYLE-md: fix bold font style
   
-  Adjusted ftpserver.pl to add support for the IMAP IDLE command
+  Markdown gets confused with abundance of asterisks, so use underscores
+  instead.
   
-  Adjusted test 660 to sync with the fix
+  Reviewed-by: Daniel Gustafsson
+  Closes #7569
 
-- multi: do not switch off connect_only flag when closing
+- [Gleb Ivanovsky brought this change]
+
+  CODE_STYLE-md: add missing comma
   
-  ... as it made protocol specific disconnect commands wrongly get used.
+  Reviewed-by: Daniel Gustafsson
+  Closes #7570
+
+- [Daniel Gustafsson brought this change]
+
+  examples/ephiperfifo.c: simplify signal handler
   
-  Bug: https://curl.se/mail/lib-2021-06/0024.html
-  Reported-by: Aleksander Mazur
-  Closes #7288
+  The signal handler registered for SIGINT is only handling SIGINT
+  so there isn't much need for inspecting the signo.  While there,
+  rename the handler to be more specific.
+  
+  g_should_exit should really be of sig_atomic_t type, but relying
+  on autoconf in the examples seems like a bad idea so keep that
+  for now.
+  
+  Reviewed-by: Daniel Stenberg
+  Closes #7310
 
-- http: make the haproxy support work with unix domain sockets
+- c-hyper: initial step for 100-continue support
   
-  ... it should then pass on "PROXY UNKNOWN" since it doesn't know the
-  involved IP addresses.
+  Enabled test 154
   
-  Reported-by: Valentín Gutiérrez
-  Fixes #7290
-  Closes #7291
+  Closes #7568
 
-- [Xiang Xiao brought this change]
+- [Ikko Ashimine brought this change]
 
-  curl.h: include sys/select.h for NuttX RTOS
+  vtls: fix typo in schannel_verify.c
   
-  Closes #7287
+  occurence -> occurrence
+  
+  Closes #7566
 
-- [Bin Meng brought this change]
+- [Emil Engler brought this change]
 
-  curl.h: remove the execution bit
+  curl_url_get.3: clarify about path and query
   
-  The execution bit of curl.h file was wrongly added:
+  The current man-page lacks some details regarding the obtained path and
+  query.
   
-    commit 2621025d6f96 ("curl.h: <sys/select.h> is supported by VxWorks7")
+  Closes #7563
+
+- c-hyper: fix header value passed to debug callback
   
-  and should be removed.
+  Closes #7567
+
+Viktor Szakats (12 Aug 2021)
+- cleanup: URL updates
   
-  Follow-up to 2621025d6f96 ("curl.h: <sys/select.h> is supported by VxWorks7")
-  Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
-  Closes #7286
+  - replace broken URL with the one it was most probably pointing to
+    when added (lib/tftp.c)
+  - replace broken URL with archive.org link (lib/curl_ntlm_wb.c)
+  - delete unnecessary protocol designator from archive.org URL
+    (docs/BINDINGS.md)
+  
+  Closes #7562
 
-- [Bin Lan brought this change]
+Daniel Stenberg (12 Aug 2021)
+- [April King brought this change]
 
-  curl.h: <sys/select.h> is supported by VxWorks7
+  DEPRECATE.md: linkify curl-library mailing list
   
-  Closes #7285
+  Closes #7561
 
-- [Bachue Zhou brought this change]
+- [Barry Pollard brought this change]
 
-  quiche: use send() instead of sendto() to avoid macOS issue
+  output.d: add method to suppress response bodies
   
-  sendto() always returns "Socket is already connected" error on macos
+  Closes #7560
+
+- TODO: remove 'c-ares deviates on http://1346569778'
   
-  Closes #7260
+  Fixed since 56a037cc0ad1b2 (7.77.0)
 
-- [Li Xinwei brought this change]
+- [Colin O'Dell brought this change]
 
-  cmake: fix support for UnixSockets feature on Win32
+  BINDINGS.md: update links to use https where available
   
-  Move the definition of sockaddr_un struct from config-win32.h to
-  curl_setup.h, so that it could be shared by all build systems.
+  Closes #7558
+
+- asyn-ares.c: move all version number checks to the top
   
-  Add ADDRESS_FAMILY typedef for old mingw, now old mingw can also use
-  unix sockets.
+  ... and use #ifdef [feature] in the code as per our guidelines.
+
+- ares: use ares_getaddrinfo()
   
-  Also fix the build of tests/server/sws.c on Win32 when USE_UNIX_SOCKETS
-  is defined.
+  ares_getaddrinfo() is the getaddrinfo() cloned provided by c-ares, introduced
+  in version 1.16.0.
   
-  Closes #7034
+  With older c-ares versions, curl invokes ares_gethostbyname() twice - once for
+  IPv4 and once for IPv6 to resolve both addresses, and then combines the
+  returned results.
+  
+  Reported-by: jjandesmet
+  Fixes #7364
+  Closes #7552
 
-- [Gregory Muchka brought this change]
+- [Tatsuhiro Tsujikawa brought this change]
 
-  hostip: (macOS) free returned memory of SCDynamicStoreCopyProxies
+  ngtcp2: utilize crypto API functions to simplify
   
-  From Apples documentation on SCDynamicStoreCopyProxies, "Return Value: A
-  dictionary of key-value pairs that represent the current internet proxy
-  settings, or NULL if no proxy settings have been defined or if an error
-  occurred. You must release the returned value."
+  Closes #7551
+
+- [megatronking brought this change]
+
+  ngtcp2: reset the oustanding send buffer again when drained
   
-  Failure to release the returned value of SCDynamicStoreCopyProxies can
-  result in a memory leak.
+  Closes #7538
+
+Michael Kaufmann (10 Aug 2021)
+- progress: fix a compile warning on some systems
   
-  Source: https://developer.apple.com/documentation/systemconfiguration/1517088-scdynamicstorecopyproxies
+  lib/progress.c:380:40: warning: conversion to 'long double' from
+  'curl_off_t {aka long long int}' may alter its value [-Wconversion]
   
-  Closes #7265
+  Closes #7549
 
+Daniel Stenberg (10 Aug 2021)
 - RELEASE-NOTES: synced
 
-Jay Satiro (21 Jun 2021)
-- vtls: fix warning due to function prototype mismatch
+- http: consider cookies over localhost to be secure
   
-  b09c8ee changed the function prototype. Caught by Visual Studio.
+  Updated test31.
+  Added test 392 to verify secure cookies used for http://localhost
+  
+  Reviewed-by: Daniel Gustafsson
+  Fixes #6733
+  Closes #7263
 
-- curl_multibyte: Remove local encoding fallbacks
+- TODO: erase secrets from heap/stack after use
   
-  - If the UTF-8 to UTF-16 conversion fails in Windows Unicode builds then
-    no longer fall back to assuming the string is in a local encoding.
+  Closes #7268
+
+Jay Satiro (10 Aug 2021)
+- hostip: Make Curl_ipv6works function independent of getaddrinfo
   
-  Background:
+  - Do not assume IPv6 is not working when getaddrinfo is not present.
   
-  Some functions in Windows Unicode builds must convert UTF-8 to UTF-16 to
-  pass to the Windows CRT API wide-character functions since in Windows
-  UTF-8 is not a valid locale (or at least 99% of the time right now).
+  The check to see if IPv6 actually works is now independent of whether
+  there is any resolver that can potentially resolve a hostname to IPv6.
   
-  Prior to this change if the Unicode encoding conversion failed then
-  libcurl would assume, for backwards compatibility with applications that
-  may have written their code for non-Unicode builds, attempt to convert
-  the string from local encoding to UTF-16.
+  Prior to this change if getaddrinfo() was not found at compile time then
+  Curl_ipv6works() would be defined as a macro that returns FALSE.
   
-  That type of "best effort" could theoretically cause some type of
-  security or other problem if a string that was locally encoded was also
-  valid UTF-8, and therefore an unexpected UTF-8 to UTF-16 conversion
-  could occur.
+  When getaddrinfo is not found then libcurl is built with CURLRES_IPV4
+  defined instead of CURLRES_IPV6, meaning that it cannot do IPv6 lookups
+  in the traditional way. With this commit if libcurl is built with IPv6
+  support (ENABLE_IPV6) but without getaddrinfo (CURLRES_IPV6), and the
+  IPv6 stack is actually working, then it is possible for libcurl to
+  resolve IPv6 addresses by using DoH.
   
-  Ref: https://github.com/curl/curl/pull/7246
+  Ref: https://github.com/curl/curl/issues/7483#issuecomment-890765378
   
-  Closes https://github.com/curl/curl/pull/7257
+  Closes https://github.com/curl/curl/pull/7529
 
-Daniel Stenberg (20 Jun 2021)
-- curl_endian: remove the unused Curl_write64_le function
+- test1565: fix windows build errors
   
-  The last usage was removed in cca455a36
+  - Use our wait_ms() instead of sleep() since Windows doesn't have the
+    latter.
   
-  Closes #7280
-
-- vtls: only store TIMER_APPCONNECT for non-proxy connect
+  - Use a separate variable to keep track of whether the pthread_t thread
+    id is valid.
   
-  Introducing a 'isproxy' argument to the connect function so that it
-  knows wether to store the time stamp or not.
+  On Windows pthread_t is not an integer type. pthread offers no macro for
+  invalid pthread_t thread id, so validity is kept track of separately.
   
-  Reported-by: Yongkang Huang
-  Fixes #7274
-  Closes #7274
+  Closes https://github.com/curl/curl/pull/7527
 
-- gnutls: set the preferred TLS versions in correct order
+- [Jeremy Falcon brought this change]
+
+  winbuild/README.md: clarify GEN_PDB option
   
-  Regression since 781864bedbc57 (curl 7.77.0)
+  - Document that GEN_PDB option creates an external database.
   
-  Reported-by: civodul on github
-  Assisted-by: Nikos Mavrogiannopoulos
-  Fixes #7277
-  Closes #7278
+  Ref: https://github.com/curl/curl/issues/7502
 
-- [Gergely Nagy brought this change]
+Daniel Stenberg (9 Aug 2021)
+- [Tatsuhiro Tsujikawa brought this change]
 
-  configure/cmake: remove checks for unused gethostbyaddr and gethostbyaddr_r
+  ngtcp2: replace deprecated functions with nghttp3_conn_shutdown_stream_read
   
-  Closes #7276
+  Closes #7546
 
-- [Gergely Nagy brought this change]
+- [Tatsuhiro Tsujikawa brought this change]
 
-  configure/cmake: remove checks for unused inet_ntoa and inet_ntoa_r
+  ngtcp2: rework the return value handling of ngtcp2_conn_writev_stream
   
-  Closes #7276
-
-- [Gergely Nagy brought this change]
-
-  configure/cmake: remove unused define HAVE_PERROR
+  Rework the return value handling of ngtcp2_conn_writev_stream and treat
+  NGTCP2_ERR_STREAM_SHUT_WR separately.
   
-  Closes #7276
-
-- [Gergely Nagy brought this change]
+  Closes #7546
 
-  configure: remove unused check for gai_strerror
+- configure: error out if both ngtcp2 and quiche are specified
   
-  Closes #7276
+  Reported-by: Vincent Grande
+  See #7539
+  Closes #7545
 
-- [Gergely Nagy brought this change]
+- [Jeff Mears brought this change]
 
-  configure/cmake: remove unused define HAVE_FREEIFADDRS
+  easy: use a custom implementation of wcsdup on Windows
   
-  Closes #7276
-
-- [Gergely Nagy brought this change]
-
-  configure/cmake: remove unused define HAVE_FORK
+  ... so that malloc/free overrides from curl_global_init are used for
+  wcsdup correctly.
   
-  Closes #7276
-
-- [Gergely Nagy brought this change]
+  Closes #7540
 
-  configure/cmake: remove unused define HAVE_FDOPEN
+- zuul: add an mbedtls3 CI job
   
-  Closes #7276
+  Closes #7544
 
-- [Gergely Nagy brought this change]
+- [Benau brought this change]
 
-  configure/cmake: remove checks for unused sgtty.h
+  mbedTLS: initial 3.0.0 support
   
-  Closes #7276
+  Closes #7428
 
-- [Gergely Nagy brought this change]
+- RELEASE-NOTES: synced
 
-  configure/cmake: remove remaining checks for rsa.h
+- configure.ac: revert bad nghttp2 library detection improvements
   
-  Closes #7276
-
-- [Gergely Nagy brought this change]
-
-  configure/cmake: remove remaining checks for err.h
+  This reverts commit b4b34db65f9f8, 673753344c5f and 29c7cf79e8b.
   
-  Closes #7276
-
-- [Gergely Nagy brought this change]
+  The logic is now back to assuming that the nghttp2 lib is called nghttp2 and
+  nothing else.
+  
+  Reported-by: Rui Pinheiro
+  Reported-by: Alex Crichton
+  Fixes #7514
+  Closes #7515
 
-  configure/cmake: remove remaining checks for crypto.h
+- happy-eyeballs-timeout-ms.d: polish the wording
   
-  Closes #7276
+  Reported-by: Josh Soref
+  Fixes #7433
+  Closes #7542
 
-- [Gergely Nagy brought this change]
+- [modbw brought this change]
 
-  configure/cmake: remove checks for unused getservbyport_r
+  mbedtls_threadlock: fix unused variable warning
   
-  Closes #7276
+  Closes #7393
 
-- --socks4[a]: clarify where the host name is resolved
+- [Tatsuhiro Tsujikawa brought this change]
+
+  ngtcp2: compile with the latest ngtcp2 and nghttp3
   
-  Closes #7273
+  Closes #7541
 
-- libcurl-security.3: mention file descriptors and forks
+Marc Hoersken (31 Jul 2021)
+- CI/cirrus: reduce compile time with increased parallism
   
-  ... and move the security report section last.
+  Cirrus CI VMs have 2 CPUs, let's use them also for Windows builds.
   
-  Reported-by: Harry Sintonen
-  Closes #7270
+  Reviewed-by: Daniel Stenberg
+  Closes #7505
 
-- [Alex Xu (Hello71) brought this change]
+Daniel Stenberg (30 Jul 2021)
+- [Bin Lan brought this change]
 
-  configure.ac: make non-executable
+  tool/tests: fix potential year 2038 issues
   
-  it needs to be processed by autoconf or autoreconf, and doesn't have a
-  suitable shebang to be directly executed. other projects normally set
-  configure.ac -x.
+  The length of 'long' in a 32-bit system is 32 bits, which cannot be used
+  to save timestamps after 2038. Most operating systems have extended
+  time_t to 64 bits.
   
-  Closes #7272
+  Remove the castings to long.
+  
+  Closes #7466
 
-- configure: do not strip out debug flags
+- compressed.d: it's a request, not an order
   
-  To allow users to set them when invoking configure without using
-  --with-debug.
+  Clarified
   
-  Reported-by: Alex Xu
-  Fixes #7216
-  Closes #7267
+  Reported-by: Dan Jacobson
+  Reviewed-by: Daniel Gustafsson
+  Fixes #7516
+  Closes #7517
 
-- libssh2: limit time a disconnect can take to 1 second
-  
-  Closes #7271
+- [Bernhard M. Wiedemann brought this change]
 
-- TLS: prevent shutdown loops to get stuck
+  tests: make three tests pass until 2037
   
-  ... by making sure the loops are only allowed to read the shutdown
-  traffic a limited number of times.
+  after 2038 something in test1915 fails on 32-bit OSes
   
-  Reported-by: Harry Sintonen
-  Closes #7271
+  Closes #7512
 
-- hyper: propagate errors back up from read callbacks
-  
-  Makes test 513 work with hyper
+Daniel Gustafsson (30 Jul 2021)
+- connect: remove superfluous conditional
   
-  Closes #7266
-
-- KNOWN_BUGS: Negotiate on Windows fails
+  Commit dbd16c3e2 cleaned up the logic for traversing the addrinfos,
+  but the move left a conditional on ai which no longer is needed as
+  the while loop reevaluation will cover it.
   
-  Closes #5881
+  Closes #7511
+  Reviewed-by: Carlo Marcelo Arenas Belón
+  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
 
-- KNOWN_BUGS: renames instead of locking for atomic operations
+Daniel Stenberg (29 Jul 2021)
+- RELEASE-NOTES: synced
   
-  Closes #6882
-  Closes #6884
+  and bump curlver to 7.79.0 for next release
 
-- zuul: add two missing CI jobs
+Marc Hoersken (29 Jul 2021)
+- tests/*server.py: remove pidfile on server termination
   
-  ... that were configured, just not run
+  Avoid pidfile leaking/laying around after server already exited.
   
-  Closes #7261
+  Reviewed-by: Daniel Stenberg
+  Closes #7506
 
-Viktor Szakats (15 Jun 2021)
-- idn: fix libidn2 with windows unicode builds
+Daniel Gustafsson (27 Jul 2021)
+- tool_main: fix typo in comment
   
-  Unicode Windows builds use UTF-8 strings internally in libcurl,
-  so make sure to call the UTF-8 flavour of the libidn2 API. Also
-  document that Windows builds with libidn2 and UNICODE do expect
-  CURLOPT_URL as an UTF-8 string.
+  The referred to library is NSPR, so fix the switched around characters.
+
+Daniel Stenberg (28 Jul 2021)
+- [Aleksandr Krotov brought this change]
+
+  bearssl: support CURLOPT_CAINFO_BLOB
   
-  Reported-by: dEajL3kA on github
-  Assisted-by: Jay Satiro
-  Reviewed-by: Marcel Raad
-  Closes #7246
-  Fixes #7228
+  Closes #7468
 
-Daniel Stenberg (15 Jun 2021)
-- curl_url_set: reject spaces in URLs w/o CURLU_ALLOW_SPACE
+- curl.1: mention "global" flags
   
-  They were never officially allowed and slipped in only due to sloppy
-  parsing. Spaces (ascii 32) should be correctly encoded (to %20) before
-  being part of a URL.
+  Mention options that are "global". A global command line option is one
+  that doesn't get reset at --next uses and therefore don't need to be
+  used again.
   
-  The new flag bit CURLU_ALLOW_SPACE when a full URL is set, makes libcurl
-  allow spaces.
+  Reported-by: Josh Soref
   
-  Updated test 1560 to verify.
+  Fixes #7457
+  Closes #7510
+
+- CURLOPT_DOH_URL.3: CURLOPT_OPENSOCKETFUNCTION is not inherited
   
-  Closes #7073
+  Reported-by: Daniel Woelfel
+  Fixes #7441
+  Closes #7509
 
-- RELEASE-NOTES: synced
+- KNOWN_BUGS: add more HTTP/3 problems
   
-  ... and bump to version 7.78.0 for the next planned release.
+  Closes #7351
+  Closes #7339
+  Closes #7125
 
-Jay Satiro (15 Jun 2021)
-- docs: Remove outdated curl tool limitation
+Marc Hoersken (27 Jul 2021)
+- CI/azure: reduce compile time with increased parallism
   
-  - Document that HTTP/2 multiplexing is supported by the curl tool when
-    parallel transfers are used.
+  Azure Pipelines CI VMs have 2 CPUs, let's use them.
   
-  Supported since 7.66.0 via --parallel, but the doc wasn't updated.
+  Closes #7489
+
+Jay Satiro (27 Jul 2021)
+- [Josh Soref brought this change]
+
+  docs: fix grammar
   
-  Closes https://github.com/curl/curl/pull/7259
+  Fixes https://github.com/curl/curl/issues/7444
+  Fixes https://github.com/curl/curl/issues/7451
+  Fixes https://github.com/curl/curl/issues/7465
+  Closes https://github.com/curl/curl/pull/7495
 
-- http2: Clarify 'Using HTTP2' verbose message
+- mail-rcpt.d: fix grammar
   
-  - Change phrasing from multi-use to multiplexing since the former may
-    not be as well understood.
+  Remove confusing sentence that says to specify an e-mail address for
+  mail transfer, since that's implied.
   
-  Before: * Using HTTP2, server supports multi-use
+  Reported-by: Josh Soref
   
-  After: * Using HTTP2, server supports multiplexing
+  Fixes https://github.com/curl/curl/issues/7452
+  Closes https://github.com/curl/curl/pull/7495
+
+Daniel Stenberg (27 Jul 2021)
+- c-hyper: remove the hyper_executor_poll() loop from Curl_http
   
-  Bug: https://github.com/curl/curl/discussions/7255
-  Reported-by: David Hu
+  1. it's superfluous
+  2. it didn't work identically to the Curl_hyper_stream one which could
+     cause problems like #7486
   
-  Closes https://github.com/curl/curl/pull/7258
+  Pointed-out-by: David Cook
+  Closes #7499
 
-Daniel Stenberg (14 Jun 2021)
-- winbuild/README: VC should be set to 6 'or larger'
+- curl-openssl.m4: check lib64 for the pkg-config file
   
-  Previously it listed all versions up to 15 (missing 16) but this new
-  phrasing is more open ended.
+  OpenSSL recently started putting the libs in $prefix/lib64 on 'make
+  install', so we check that directory for pkg-config data if the 'lib'
+  check fails.
   
-  Reported-by: Hugh Macdonald
-  Fixes #7253
-  Closes #7254
-
-- [Jacob Hoffman-Andrews brought this change]
+  Closes #7503
 
-  rustls: remove native_roots fallback
+- CURLOPT_SSL_CTX_*.3: tidy up the example
   
-  For the commandline tool, we expect to be passed
-  SSL_CONN_CONFIG(CAfile); for library use, the use should pass a set of
-  trusted roots (like in other TLS backends).
+  Use the proper code style. Don't store return codes that aren't read.
+  Copy the same example into CURLOPT_SSL_CTX_FUNCTION.3 as well.
   
-  This also removes a dependency on Security.framework when building on
-  macOS.
+  Closes #7500
+
+- example/cookie_interface: fix scan-build printf warning
   
-  Closes #7250
+  Follow-up to 4b79c4fb565
+  
+  Fixes #7497
+  Closes #7498
 
-- [Albin Vass brought this change]
+- [Josh Soref brought this change]
 
-  travis: remove jobs that have migrated to zuul
+  limit-rate.d: clarify base unit
   
-  Closes #7245
+  Fixes #7439
+  Closes #7494
 
-- [Mohammed Naser brought this change]
+- [Carlo Marcelo Arenas Belón brought this change]
 
-  CI: add jobs using Zuul
-  
-  It also includes a few changes to get the builds going:
-  - Added autoconf to common dependencies
-  - Added automake to common dependencies
-  - Added libtool to common dependencies
-  - Added libssl-dev to common dependencies
+  examples/cookie_interface: avoid printfing time_t directly
   
-  Co-authored-by: Albin Vass
+  time_t representation is undefined and varies on bitsize and signedness,
+  and as of C11 could be even non integer.
   
-  Closes #7245
-
-- netrc: skip 'macdef' definitions
+  instead of casting to unsigned long (which would truncate in systems
+  with a 32bit long after 2106) use difftime to get the elapsed time as a
+  double and print that (without decimals) instead.
   
-  Add test 494 to verify
+  alternatively a cast to curl_off_t and its corresponding print
+  formatting could have been used (at least in POSIX) but portability and
+  curl agnostic code was prioritized.
   
-  Reported-by: Harry Sintonen
-  Fixes #7238
-  Closes #7244
+  Closes #7490
 
-- multi: add scan-build-6 work-around in curl_multi_fdset
-  
-  scan-build-6 otherwise warns, saying: warning: The left operand of '>='
-  is a garbage value otherwise, which is false.
+Marc Hoersken (25 Jul 2021)
+- tests/servers: remove obsolete pid variable
   
-  Later scan-builds don't claim this on the same code.
+  Variable is not used since pidfile handling moved to util.[ch]
   
-  Closes #7248
+  Reviewed-by: Jay Satiro
+  Closes #7482
 
-- asyn-ares: remove check for 'data' in Curl_resolver_cancel
+- tests/servers: use our platform-aware pid for server verification
   
-  It implied it would survive a NULL in there which it won't. Instead do
-  an assert.
+  The pid used for server verification is later stored as pid2 in
+  the hash of running test servers and therefore used for shutdown.
   
-  Pointed out by scan-build.
+  The pid used for shutdown must be the platform-aware (Win32) pid
+  to avoid leaking test servers while running them using Cygwin/msys.
   
-  Closes #7248
+  Reviewed-by: Jay Satiro
+  Closes #7481
 
-- url.c: remove two variable assigns that are never read
-  
-  Pointed out by scan-build
+- tests/runtests.pl: cleanup copy&paste mistakes and unused code
   
-  Closes #7248
-
-- [Gealber Morales brought this change]
+  Reviewed-by: Jay Satiro
+  Part of #7481
 
-  mqtt: add support for username and password
-  
-  Minor-edits-by: Daniel Stenberg
-  Added test 2200 to 2205
+Daniel Stenberg (25 Jul 2021)
+- RELEASE-NOTES: synced
   
-  Closes #7243
+  bumped to 7.78.1 for next release
 
-- travis: remove the arm job
+- http_proxy: clear 'sending' when the outgoing request is sent
   
-  We do it on circle CI instead
-
-- CI: add .circleci/config.yml
+  ... so that Curl_connect_getsock() will know how to wait for the socket
+  to become readable and not writable after the entire CONNECT request has
+  been issued.
   
-  Assisted-by: Gabriel Simmer
+  Regression added in 7.77.0
   
-  Closes #7239
+  Reported-by: zloi-user on github
+  Assisted-by: Jay Satiro
+  Fixes #7155
+  Closes #7484
 
-- RELEASE-NOTES: synced
+Jay Satiro (25 Jul 2021)
+- [Josh Soref brought this change]
 
-- runtests: init $VERSION to avoid warnings when using -l
+  openssl: fix grammar
+  
+  Closes https://github.com/curl/curl/pull/7480
 
-- openssl: don't remove session id entry in disassociate
+- configure.ac: tweak nghttp2 library name fix again
   
-  When a connection is disassociated from a transfer, the Session ID entry
-  should remain.
+  - Change extraction to handle multiple library names returned by
+    pkg-config (eg a possible scenario with pkg-config --static).
   
-  Regression since 7f4a9a9 (shipped in libcurl 7.77.0)
-  Reported-by: Gergely Nagy
-  Reported-by: Paul Groke
+  Ref: https://github.com/curl/curl/pull/7472
   
-  Fixes #7222
-  Closes #7230
+  Closes https://github.com/curl/curl/pull/7485
 
-- single_transfer: ignore blank --output-dir
-  
-  ... as otherwise it creates a rather unexpected target directory with a
-  leading slash.
+Dan Fandrich (23 Jul 2021)
+- Get rid of the unused HAVE_SIG_ATOMIC_T et. al.
   
-  Reported-by: Harry Sintonen
-  Fixes #7218
-  Closes #7233
+  It was added in 2006 but I see no evidence it was ever used.
 
-- tests: update README about servers and port numbers
+Jay Satiro (23 Jul 2021)
+- docs: change max-filesize caveat again
   
-  Closes #7242
-
-- conn_shutdown: if closed during CONNECT cleanup properly
+  - Add protocols field to max-filesize.d.
   
-  Reported-by: Alex Xu
-  Reported-by: Phil E. Taylor
+  - Revert wording on unknown file size caveat and do not discuss specific
+    protocols in that section.
   
-  Fixes #7236
-  Closes #7237
+  Partial revert of ecf0225. All max-filesize options now have the list of
+  protocols and it's clearer just to have that list without discussing
+  specific protocols in the caveat.
+  
+  Reported-by: Josh Soref
+  
+  Ref: https://github.com/curl/curl/issues/7453#issuecomment-884128762
 
+Daniel Stenberg (22 Jul 2021)
 - [Christian Weisgerber brought this change]
 
-  sws: malloc request struct instead of using stack
+  configure: tweak nghttp2 library name fix
   
-  ... 2MB requests is otherwise just too big for some systems.
+  commit 29c7cf79e8b44cf (shipped in 7.78.0) introduced a problem by
+  assuming that LIB_H2 does not have any leading whitespace.  At least
+  OpenBSD's native pkg-config can produce such whitespace, though:
   
-  (The allocations are not freed properly.)
+      $ pkg-config --libs-only-l libnghttp2
+       -lnghttp2
   
-  Bug: https://curl.se/mail/lib-2021-06/0018.html
+  As a result, the configure check for libnghttp2 will erroneously fail.
   
-  Closes #7235
+  Bug: https://curl.se/mail/lib-2021-07/0050.html
+  Closes #7472
 
-- [Mark Swaanenburg brought this change]
+- [Bastian Krause brought this change]
 
-  lib: don't compare fd to FD_SETSIZE when using poll
+  docs/MQTT: update state of username/password support
   
-  FD_SETSIZE is irrelevant when using poll. So ensuring that the file
-  descriptor is smaller than FD_SETSIZE in VALID_SOCK, can cause
-  multi_wait to ignore perfectly valid file descriptors and simply wait
-  for 1s to avoid hammering the CPU in a busy loop.
+  PR #7243 implemented username/password support for MQTT, so let's drop
+  these items from the caveats.
   
-  Fixes #7240
-  Closes #7241
+  Signed-off-by: Bastian Krause <bst@pengutronix.de>
+  
+  Closes #7474
 
-- [zhangxiuhua brought this change]
+- [Oleg Pudeyev brought this change]
 
-  doh: fix wrong DEBUGASSERT for doh private_data
+  CURLMOPT_TIMERFUNCTION.3: remove misplaced "time"
   
-  Closes #7227
+  Closes #7470
 
-- [yb999 brought this change]
+Version 7.78.0 (21 Jul 2021)
 
-  tests: update README.md with a missing single quote
+Daniel Stenberg (21 Jul 2021)
+- RELEASE-NOTES: synced
   
-  Closes #7231
+  curl 7.78.0 release
 
-- GHA: run all tests for hyper too
-  
-  As it lists disabled ones in DISABLED now
-  
-  Closes #7209
+- winbuild/MakefileBuild.vc: bump copyright year
 
-- tests/data/DISABLED: add tests not working with hyper
+Jay Satiro (21 Jul 2021)
+- docs: mention max-filesize options also apply to MQTT transfers
   
-  The goal is to remove them all from here over time.
+  Also make it clearer that the caveat 'if the file size is unknown it
+  the option will have no effect' may apply to protocols other than FTP
+  and HTTP.
   
-  Closes #7209
-
-- runtests: also find the last test in Makefile.inc
+  Reported-by: Josh Soref
   
-  Closes #7209
+  Fixes https://github.com/curl/curl/issues/7453
 
-- test3010: work with hyper mode
-  
-  Closes #7209
+- [Josh Soref brought this change]
 
-- configure: disable RTSP when hyper is selected
-  
-  Makes test 1013 work
-  
-  Closes #7209
+  docs/cmdline: fix grammar and typos
 
-- test1594/1595/1596: fix to work in hyper mode
-  
-  Closes #7209
+- [Josh Soref brought this change]
 
-- test1438/1457: add HTTP keyword to make hyper mode work
+  dump-header.d: Drop suggestion to use for cookie storage
   
-  Closes #7209
-
-- test1340/1341: adjusted for hyper mode
+  Since --cookie-jar is the preferred way to store cookies, no longer
+  suggest using --dump-header to do so.
   
-  Closes #7209
-
-- test1218: adjusted for hyper mode
+  Co-authored-by: Daniel Stenberg
   
-  Closes #7209
+  Closes https://github.com/curl/curl/issues/7414
 
-- test1216: adjusted for hyper mode
-  
-  Closes #7209
+- [Josh Soref brought this change]
 
-- test1230: adjust to work in hyper mode
+  doc/cmdline: fix grammar and typos
   
-  Closes #7209
+  Closes https://github.com/curl/curl/pull/7454
+  Closes https://github.com/curl/curl/pull/7455
+  Closes https://github.com/curl/curl/pull/7456
+  Closes https://github.com/curl/curl/pull/7459
+  Closes https://github.com/curl/curl/pull/7460
+  Closes https://github.com/curl/curl/pull/7461
+  Closes https://github.com/curl/curl/pull/7462
+  Closes https://github.com/curl/curl/pull/7463
 
-- c-hyper: abort CONNECT response reading early on non 2xx responses
+Daniel Stenberg (20 Jul 2021)
+- vtls: fix connection reuse checks for issuer cert and case sensitivity
   
-  Fixes test 493
+  CVE-2021-22924
   
-  Closes #7209
+  Reported-by: Harry Sintonen
+  Bug: https://curl.se/docs/CVE-2021-22924.html
 
-- test434: add HTTP keyword
+- sectransp: check for client certs by name first, then file
   
-  Closes #7209
-
-- test599: adjusted to work in hyper mode
+  CVE-2021-22926
   
-  Closes #7209
+  Bug: https://curl.se/docs/CVE-2021-22926.html
+  
+  Assisted-by: Daniel Gustafsson
+  Reported-by: Harry Sintonen
 
-- c-hyper: fix the uploaded field in progress callbacks
+- telnet: fix option parser to not send uninitialized contents
   
-  Makes test 578 work
+  CVS-2021-22925
   
-  Closes #7209
+  Reported-by: Red Hat Product Security
+  Bug: https://curl.se/docs/CVE-2021-22925.html
 
-- test566: adjust to work with hyper mode
+Jay Satiro (20 Jul 2021)
+- connect: fix wrong format specifier in connect error string
   
-  Closes #7209
-
-- [Fawad Mirza brought this change]
-
-  CURLOPT_WRITEFUNCTION.3: minor update of the example
+  0842175 (not in any release) used the wrong format specifier (long int)
+  for timediff_t. On an OS such as Windows libcurl's timediff_t (usually
+  64-bit) is bigger than long int (32-bit). In 32-bit Windows builds the
+  upper 32-bits of the timediff_t were erroneously then used by the next
+  format specifier. Usually since the timeout isn't larger than 32-bits
+  this would result in null as a pointer to the string with the reason for
+  the connection failing. On other OSes or maybe other compilers it could
+  probably result in garbage values (ie crash on deref).
   
-  Safely avoid chunk.size garbage value if declared non globally.
+  Before:
+  Failed to connect to localhost port 12345 after 1201 ms: (nil)
   
-  Closes #7219
-
-- [Bastian Krause brought this change]
+  After:
+  Failed to connect to localhost port 12345 after 1203 ms: Connection refused
+  
+  Closes https://github.com/curl/curl/pull/7449
 
-  configure: rename get-easy-option configure option to get-easy-options
+- winbuild: support alternate nghttp2 static lib name
   
-  "get-easy-options" is the configure option advertised by the help text
-  anyway, so use that.
+  - Support both nghttp2.lib and nghttp2_static.lib for static nghttp2.
   
-  Fixes #7211
-  Closes #7213
+  nghttp2 briefly changed its static lib name to nghttp2_static, but then
+  made the _static suffix optional.
   
-  Follow-up to ad691b191 ("configure: added --disable-get-easy-options")
-  Suggested-by: Daniel Stenberg <daniel@haxx.se>
-  Signed-off-by: Bastian Krause <bst@pengutronix.de>
-
-- runtests: skip disabled tests unless -f is used
+  Ref: https://github.com/nghttp2/nghttp2/pull/1394
+  Ref: https://github.com/nghttp2/nghttp2/pull/1418
+  Ref: https://github.com/nghttp2/nghttp2/issues/1466
   
-  To make it easier to write ranges like '115 to 229' without that
-  explicitly enabling tests that are listed in DISABLED, this makes
-  runtests always skip disabled tests unless the -f command line option is
-  used.
+  Reported-by: Pierre Yager
   
-  Previously the code attempted to not run such tests, but didn't do it
-  correctly.
+  Fixes https://github.com/curl/curl/issues/7446
+  Closes https://github.com/curl/curl/pull/7447
+
+- [Josh Soref brought this change]
+
+  docs/cmdline: fix grammar and typos
   
-  Closes #7212
+  Closes https://github.com/curl/curl/pull/7432
+  Closes https://github.com/curl/curl/pull/7436
+  Closes https://github.com/curl/curl/pull/7438
+  Closes https://github.com/curl/curl/pull/7440
+  Closes https://github.com/curl/curl/pull/7445
 
-- [Jun-ya Kato brought this change]
+- [Josh Soref brought this change]
 
-  ngtcp2: disable TLSv1.3 compatible mode when using GnuTLS
+  delegation.d: mention what happens when used multiple times
   
-  The latest GnuTLS-3.7.2 implements disable switch for TLSv1.3 compatible
-  mode for middle box but it is enabled by default, which is unnecessary
-  for QUIC.
+  Closes https://github.com/curl/curl/pull/7408
+
+- [Josh Soref brought this change]
+
+  create-file-mode.d: mention what happens when used multiple times
   
-  Fixes #6896
-  Closes #7202
+  Closes https://github.com/curl/curl/pull/7407
 
-- test644: remove as duplicate of test 587
+- [Josh Soref brought this change]
+
+  config.d: split comments and option-per line
   
-  Closes #7208
+  Closes https://github.com/curl/curl/pull/7405
 
-Daniel Gustafsson (8 Jun 2021)
-- RELEASE-NOTES: synced
+Daniel Stenberg (19 Jul 2021)
+- misc: copyright year range updates
 
-- cookies: track expiration in jar to optimize removals
+- mailmap: add Tobias and Timur
+
+Daniel Gustafsson (18 Jul 2021)
+- [Josh Soref brought this change]
+
+  docs: spell out directories instead of dirs in create-dirs
   
-  Removing expired cookies needs to be a fast operation since we want to
-  be able to perform it often and speculatively. By tracking the timestamp
-  of the next known expiration we can exit early in case the timestamp is
-  in the future.
+  Write out directories rather than using the dirs abbrevation. Also
+  use plural form consistently, even if the code in the end might just
+  create a single directory.
+  
+  Closes #7406
+  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+  Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
+
+- [Tobias Nyholm brought this change]
+
+  docs: correct spelling errors and a broken link
   
-  Closes: #7172
+  Update grammar and spelling in docs and source code comments.
+  
+  Closes: #7427
   Reviewed-by: Daniel Stenberg <daniel@haxx.se>
 
-Daniel Stenberg (7 Jun 2021)
-- GHA: add several libcurl tests to the hyper job
+Marc Hoersken (18 Jul 2021)
+- CI/cirrus: install impacket from PyPI instead of FreeBSD packages
   
-  500 to 512
+  Availability of impacket as FreeBSD package is too flaky.
+  
+  Stick to legacy version of cryptography which still
+  supports OpenSSL version 1.0.2 due to FreeBSD 11.
+  
+  Reviewed-by: Daniel Stenberg
+  
+  Closes #7418
 
-- test500: adjust to work with hyper mode
+Daniel Stenberg (18 Jul 2021)
+- [Josh Soref brought this change]
 
-- c-hyper: support CURLINFO_STARTTRANSFER_TIME
+  docs/cmdline: mention what happens when used multiple times
   
-  Closes #7204
+  For --dns-ipv4-addr, --dns-ipv6-addr and --dns-servers
+  
+  Closes #7410
+  Closes #7411
+  Closes #7412
 
-- c-hyper: support CURLOPT_HEADER
+- [Michał Antoniak brought this change]
+
+  lib: fix compiler warnings with CURL_DISABLE_NETRC
   
-  When enabled, the headers are passed to the body write callback as well.
+  warning C4189: 'netrc_user_changed': local variable is initialized but
+  not referenced
   
-  Like in test 500
+  warning C4189: 'netrc_passwd_changed': local variable is initialized but
+  not referenced
   
-  Closes #7204
+  Closes #7423
 
-- GHA: run the newly fixed tests with hyper
+- disable-epsv.d: remove duplicate "(FTP)"
   
-  Closes #7205
+  ... since the tooling adds that to the output based on the "Protocols:"
+  tag.
 
-- test433: adjust for hyper mode
-  
-  Closes #7205
+- [Max Zettlmeißl brought this change]
 
-- test395: hyper cannot work around > 64 bit content-lengths like built-in
+  docs: make the documentation for --etag-save match the program behaviour
   
-  Closes #7205
-
-- test394: hyper returns a different error
+  When using curl with the option `--etag-save` I expected it to save the
+  ETag without its surrounding quotes, as stated by the documentation in
+  the repository and by the generated man pages.
   
-  Closes #7205
-
-- test393: make Content-Length fit within 64 bit for hyper
+  My first endeavour was to fix the program, but while investigating the
+  history of the relevant parts, I discovered that curl once saved the
+  ETag without the quotes.  This was undone by Daniel Stenberg in commit
+  `98c94596f5928840177b6bd3c7b0f0dd03a431af`, therefore I decided that in
+  this case the documentation should be adjusted to match the behaviour of
+  curl.
   
-  Closes #7205
-
-- test347: CRLFify to work in hyper mode
+  The changed save behaviour also made parts of the `--etag-compare`
+  documentation wrong or superfluous, so I adjusted those accordingly.
   
-  Closes #7205
+  Closes #7429
 
-- test339: CRLFify better to work in hyper mode
+- [Josh Soref brought this change]
+
+  write-out.d: add missing periods
   
-  Closes #7205
+  Closes #7404
 
-- travis: remove the hyper build
+- [Josie Huddleston brought this change]
 
-- GHA: add a linux-hyper job
+  easy: during upkeep, attach Curl_easy to connections in the cache
   
-  Closes #7206
-
-- test328: avoid a header-looking body to make hyper mode work
+  During the protocol-specific parts of connection upkeep, some code
+  assumes that the data->conn pointer already is set correctly.  However,
+  there's currently no guarantee of that in the code.
   
-  The test still works the same, just modified two bytes in the content.
+  This fix temporarily attaches each connection to the Curl_easy object
+  before performing the protocol-specific connection check on it, in a
+  similar manner to the connection checking in extract_if_dead().
   
-  Closes #7203
+  Fixes #7386
+  Closes #7387
+  Reported-by: Josie Huddleston
 
-- release-notes.pl: also spot common 'closes' typo
+- [Josh Soref brought this change]
 
-- metalink: remove
-  
-  Warning: this will make existing curl command lines that use metalink to
-  stop working.
-  
-  Reasons for removal:
+  cleanup: spell DoH with a lowercase o
   
-  1. We've found several security problems and issues involving the
-     metalink support in curl. The issues are not detailed here. When
-     working on those, it become apparent to the team that several of the
-     problems are due to the system design, metalink library API and what
-     the metalink RFC says. They are very hard to fix on the curl side
-     only.
+  Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
   
-  2. The metalink usage with curl was only very briefly documented and was
-     not following the "normal" curl usage pattern in several ways, making
-     it surprising and non-intuitive which could lead to further security
-     issues.
+  Closes #7413
+
+- [Josh Soref brought this change]
+
+  TheArtOfHttpScripting: polish
   
-  3. The metalink library was last updated 6 years ago and wasn't so
-     active the years before that either. An unmaintained library means
-     there's a security problem waiting to happen. This is probably reason
-     enough.
+  - add missing backticks and comma
   
-  4. Metalink requires an XML parsing library, which is complex code (even
-     the smaller alternatives) and to this day often gets security
-     updates.
+  - fix proxy description:
   
-  5. Metalink is not a widely used curl feature. In the 2020 curl user
-     survey, only 1.4% of the responders said that they'd are using it. In
-     2021 that number was 1.2%. Searching the web also show very few
-     traces of it being used, even with other tools.
+  * example proxy isn't local
+  * locally doesn't really make sense
   
-  6. The torrent format and associated technology clearly won for
-     downloading large files from multiple sources in parallel.
+  Closes #7416
+
+- [Josh Soref brought this change]
+
+  form.d: add examples of `,`/`;` for file[name]
   
-  Cloes #7176
+  Fixes #7415
+  Closes #7417
 
-- docs/INSTALL: remove mentions of configure --with-darwin-ssl
+- [Michał Antoniak brought this change]
+
+  mbedtls: Remove unnecessary include
   
-  ... as it isn't supported since a while back.
+  - curl_setup.h: all references to mbedtls_md4* functions and structures
+    are in the md4.c. This file already includes the <mbedtls/md4.h> file
+    along with the file existence control (defined (MBEDTLS_MD4_C))
   
-  Make configure fail with a warning if used.
+  - curl_ntlm_core.c: unnecessary include - repeated below
   
-  Reported-by: Vadim Grinshpun
-  Bug: https://curl.se/mail/lib-2021-06/0008.html
-  Closes #7200
+  Closes #7419
 
 - RELEASE-NOTES: synced
 
-- [Gregor Jasny brought this change]
+Jay Satiro (16 Jul 2021)
+- [User Sg brought this change]
 
-  cmake: Avoid leaking absolute paths into exported config
-  
-  The `find_libarary` command resolves the library or framework
-  into an absolute path. In case of system frameworks which are
-  located within an Xcode-provided SDK this results in the Xcode
-  path and SDK version being part of the library path.
-  
-  Because those library paths end up in the exported CMake config
-  importing curl will fail once the Xcode location or SDK version
-  changes:
+  multi: fix crash in curl_multi_wait / curl_multi_poll
   
-  ```cmake
-  set_target_properties(CURL::libcurl PROPERTIES
-    INTERFACE_INCLUDE_DIRECTORIES "${_IMPORT_PREFIX}/include"
-    INTERFACE_LINK_LIBRARIES "lber;ldap;/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.3.sdk/System/Library/Frameworks/SystemConfiguration.framework;OpenSSL::SSL;OpenSSL::Crypto;ZLIB::ZLIB"
-  )
-  ```
+  Appears to have been caused by 51c0ebc (precedes 7.77.0) which added a
+  VALID_SOCK check to one of the loops through the sockets but not the
+  other.
   
-  A work-around is to link against system-level frameworks with
-  `-framework XYZ`. In case of `SystemConfiguration` we might be able
-  to omit the lookup-check because we could assume the framework is
-  always present.
+  Reported-by: sylgal@users.noreply.github.com
+  Authored-by: sylgal@users.noreply.github.com
   
-  Closes #7152
+  Fixes https://github.com/curl/curl/issues/7379
+  Closes https://github.com/curl/curl/pull/7389
 
-- [Shikha Sharma brought this change]
+- [Daniel Gustafsson brought this change]
 
-  http2_connisdead: handle trailing GOAWAY better
+  tool_help: remove unused define
   
-  When checking the connection the input processing returns error
-  immediately, we now consider that a dead connnection.
+  The PRINT_LINES_PAUSE macro is no longer used, and has been mostly
+  cleaned out but one occurrence remained.
   
-  Bug: https://curl.se/mail/lib-2021-06/0001.html
-  Closes #7192
+  Closes https://github.com/curl/curl/pull/7380
 
-- [Dmitry Karpov brought this change]
+- [Sergey Markelov brought this change]
 
-  ares: always store IPv6 addresses first
-  
-  Trying dual-stack on some embedded platform, I noticed that quite
-  frequently (20%) libCurl starts from IPv4 regardless the Happy Eyeballs
-  timeout value.  After debugging this issue, I noticed that this happens
-  if c-ares resolver response for IPv6 family comes before IPv4 (which was
-  randomly happening in my tests).
-  
-  In such cases, because libCurl puts the last resolver response on top of
-  the address list, when IPv4 resolver response comes after IPv6 one - the
-  IPv4 family starts the connection phase instead of IPv6 family.
-  
-  The solution for this issue is to always put IPv6 addresses on top of
-  the address list, regardless the order of resolver responses.
+  build: fix compiler warnings when CURL_DISABLE_VERBOSE_STRINGS
   
-  Bug: https://curl.se/mail/lib-2021-06/0003.html
+  fix compiler warnings about unused variables and parameters when
+  built with --disable-verbose.
   
-  Closes #7188
+  Closes https://github.com/curl/curl/pull/7377
 
-- Revert "Revert "socketpair: fix potential hangs""
-  
-  This reverts commit 3e70c3430a370a31eff2c1d8fea29edaca8f1127.
+- [Andrea Pappacoda brought this change]
+
+  build: fix IoctlSocket FIONBIO check
   
-  Thus brings back the change from #7144 as was originally landed in
-  c769d1eab4de8b
+  Prior to this change HAVE_IOCTLSOCKET_CAMEL_FIONBIO mistakenly checked
+  for (lowercase) ioctlsocket when it should have checked for IoctlSocket.
   
-  Closes #7144 (again)
+  Closes https://github.com/curl/curl/pull/7375
 
-- [Ebe Janchivdorj brought this change]
+- [Timur Artikov brought this change]
 
-  schannel: move code out of SChannel_connect_step1
+  configure: fix nghttp2 library name for static builds
   
-  Reviewed-by: Marc Hoersken
-  Closes #7168
-
-- tests/data/Makefile.inc: error: trailing backslash on last line
+  Don't hardcode the nghttp2 library name,
+  because it can vary, be "nghttp2_static" for example.
   
-  Follow-up to d8dcb399b8009d
-
-- TODO: Support rate-limiting for MQTT
+  Fixes https://github.com/curl/curl/issues/7367
+  Closes https://github.com/curl/curl/pull/7368
 
-- [Dmitry Kostjuchenko brought this change]
+Gisle Vanem (16 Jul 2021)
+- [PellesC] fix _lseeki64() macro
 
-  warnless: simplify type size handling
+- [SChannel] Use '_tcsncmp()' instead
   
-  By using sizeof(T), existing defines and relying on the compiler to
-  define the required signed/unsigned mask.
+  Revert previous change for PellesC.
   
-  Closes #7181
+  Instead replace all use of `_tcsnccmp()` with `_tcsncmp()`.
 
-Gisle Vanem (4 Jun 2021)
-- [Win32] Fix for USE_WATT32
+- [PellesC] missing '_tcsnccmp'
   
-  My Watt-32 tcp/ip stack works on Windows but it does not have `WSAIoctl()`
-
-Daniel Stenberg (4 Jun 2021)
-- [Alexis Vachette brought this change]
+  PellesC compiler does not have this macro in it's `<tchar.h>`
 
-  url: bad CURLOPT_CONNECT_TO syntax now returns error
+Daniel Gustafsson (14 Jul 2021)
+- TODO: add mention of mbedTLS 3 incompatibilities
   
-  Added test 3020 to verify
+  Wyatt OʼDay reported in #7385 that mbedTLS isn't backwards compatible
+  and curl no longer builds with it. Document the need to fix our support
+  until so has been done.
   
-  Closes #7183
+  Closes #7390
+  Fixes #7385
+  Reported-by: Wyatt OʼDay
+  Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
 
-- github: remove the cmake macOS gcc-8 jobs
+- docs: fix inconsistencies in EGDSOCKET documentation
   
-  They're too similar to the gcc-9 ones to be useful (and seems to not
-  work anymore).
+  Only the OpenSSL backend actually use the EGDSOCKET, and also use
+  TLS consistently rather than mixing SSL and TLS. While there, also
+  fix a minor spelling nit.
   
-  Closes #7187
+  Closes: #7391
+  Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
 
-- test269: disable for hyper
+- [Борис Верховский brought this change]
+
+  docs: document missing arguments to commands
   
-  --ignore-content-length / CURLOPT_IGNORE_CONTENT_LENGTH doesn't work
-  with hyper.
+  This is a followup to commit f410b9e538129e77607fef1 fixing a few
+  more commands which takes arguments.
   
-  Closes #7184
+  Closes #7382
+  Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
 
-- runtests: enable 'hyper mode' only for HTTP tests
-  
-  The 'hyper mode' makes line-ending checks work in the test suite for
-  when hyper is used. Now it also requires that HTTP or HTTPS are
-  mentioned as keywords to be enabled so that it doesn't wrongly adjusts
-  tests for other protocols.
+- [Randolf J brought this change]
+
+  docs: fix incorrect argument name reference
   
-  This makes test 271 (TFTP) work again in hyper enabled builds.
+  The documentation for the read callback was erroneously referencing
+  the nitems argument by nmemb.  The error was introduced in commit
+  ce0881edee3c7.
   
-  Closes #7185
+  Closes #7383
+  Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
 
-- [Alexis Vachette brought this change]
+- [Борис Верховский brought this change]
 
-  hostip: bad CURLOPT_RESOLVE syntax now returns error
+  tool_help: Document that --tlspassword takes a password
   
-  Added test 3019
-  Fixes #7170
-  Closes #7174
+  Closes #7378
+  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
 
-Daniel Gustafsson (3 Jun 2021)
-- cookies: fix typo and expand comment
+- scripts: Fix typo in release-notes instructions
   
-  Fix a typo in the sorting comment, and while in there elaborate slightly
-  on why creationtime can be used as a tiebreaker.
+  The command to run had a typo in the pathname which prevented copy
+  pasting it to work, which has annoyed me enough to fix this now.
 
-- cookies: remove unused header
+- RELEASE-NOTES: synced
+
+Jay Satiro (10 Jul 2021)
+- write-out.d: Clarify urlnum is not unique for de-globbed URLs
   
-  Commit 1c1d9f1affbd3367bcb24062e261d0ea5d185e3a removed the last use
-  for the inet_pton.h headerfile, this removes the inclusion of the
-  header.
+  Reported-by: Коваленко Анатолий Викторович
   
-  Closes: #7182
-  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+  Fixes https://github.com/curl/curl/issues/7342
+  Closes https://github.com/curl/curl/pull/7369
 
-Daniel Stenberg (3 Jun 2021)
-- Revert "socketpair: fix potential hangs"
-  
-  This reverts commit c769d1eab4de8b9f1bd84d992c63692fdc43c5be.
+Daniel Gustafsson (3 Jul 2021)
+- [William Desportes brought this change]
+
+  docs: Fix typos
   
-  See #7144 for details
+  Closes: #7370
+  Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
 
-- [Paul Groke brought this change]
+Daniel Stenberg (8 Jul 2021)
+- [Jonathan Wernberg brought this change]
 
-  socketpair: fix potential hangs
+  Revert "ftp: Expression 'ftpc->wait_data_conn' is always false"
   
-  Fixes potential hang in accept by using select + non-blocking accept.
+  The reverted commit introduced a logic error in code that was
+  correct.
   
-  Fixes potential hang in peer check by replacing the send/recv check with
-  a getsockname/getpeername check.
+  The client using libcurl would notice the error since FTP file
+  uploads in active transfer mode would somtimes complete with
+  success despite no transfer having been performed and the
+  "uploaded" file thus not being on the remote server afterwards.
   
-  Adds length check for returned sockaddr data.
+  The FTP server would notice the error because it receives a
+  RST on the data connection it has established with the client
+  before any data was transferred at all.
   
-  Closes #7144
-
-- runtests: parse data/Makefile.inc instead of using make
+  The logic error happens if the STOR response from the server have
+  arrived by the time ftp_multi_statemach() in the affected code path
+  is called, but the incoming data connection have not arrived yet.
+  In that case, the processing of the STOR response will cause
+  'ftpc->wait_data_conn' to be set to TRUE, contradicting the comment
+  in the code. Since 'complete' will also be set, later logic would
+  believe the transfer was done.
   
-  The warning about missing entries in that file then doesn't require that
-  the Makefile has been regenerated which was confusing.
+  In most cases, the STOR response will not have arrived yet when
+  the affected code path is executed, or the incoming connection will
+  also have arrived, and thus the error would not express itself.
+  But if the speed difference of the device using libcurl and the
+  FTP server is exactly right, the error may happen as often as in
+  one out of hundred file transfers.
   
-  The scan for the test num is a little more error prone than before
-  (since now it doesn't actually verify that it is legitimate Makefile
-  syntax), but I think it is good enough.
+  This reverts commit 49f3117a238b6eac0e22a32f50699a9eddcb66ab.
   
-  Closes #7177
-
-- [Harry Sintonen brought this change]
+  Bug: https://curl.se/mail/lib-2021-07/0025.html
+  Closes #7362
 
-  filecheck: quietly remove test-place/*~
+- msnprintf: return number of printed characters excluding null byte
   
-  Closes #7179
-
-- CURLE_SETOPT_OPTION_SYNTAX: new error name for wrong setopt syntax
+  ... even when the output is "capped" by the maximum length argument.
   
-  For options that pass in lists or strings that are subsequently parsed
-  and must be correct. This broadens the scope for the option previously
-  known as CURLE_TELNET_OPTION_SYNTAX but the old name is of course still
-  provided as a #define for existing applications.
+  Clarified in the docs.
   
-  Closes #7175
+  Closes #7361
 
-- tests: fix Accept-Encoding strips to work with Hyper builds
+- infof: remove newline from format strings, always append it
   
-  The previous strip also removed the CR which turned problematic.
+  - the data needs to be "line-based" anyway since it's also passed to the
+    debug callback/application
   
-  valgrind.supp: add zstd suppression using hyper
+  - it makes infof() work like failf() and consistency is good
   
-  Reported-and-analyzed-by: Kevin Burke
-  Fixes #7169
-  Closes #7171
-
-- github: timeout jobs on macOS after 90 minutes
+  - there's an assert that triggers on newlines in the format string
   
-  Assisted-by: Marc Hoersken
-  Closes #7173
-
-- [Harry Sintonen brought this change]
-
-  mqtt: detect illegal and too large file size
+  - Also removes a few instances of "..."
   
-  Add test 3017 and 3018 to verify.
-  Closes #7166
-
-- [theawless brought this change]
-
-  cmake: add CURL_DISABLE_NTLM option
+  - Removes the code that would append "..." to the end of the data *iff*
+    it was truncated in infof()
   
-  Closes #7028
-
-- [theawless brought this change]
+  Closes #7357
 
-  configure: add --disable-ntlm option
+- examples/multi-single: fix scan-build warning
   
-  Closes #7028
-
-- [theawless brought this change]
+  warning: Value stored to 'mc' during its initialization is never read
+  
+  Follow-up to ae8e11ed5fd2ce
+  
+  Closes #7360
 
-  define: re-add CURL_DISABLE_NTLM and corresponding ifdefs
+- wolfssl: failing to set a session id is not reason to error out
   
-  This flag will be further exposed by adding build options.
+  ... as it is *probably* just timed out.
   
-  Reverts #6809
-  Closes #7028
+  Reported-by: Francisco Munoz
+  
+  Closes #7358
 
-- RELEASE-NOTES: synced
+- docs/examples: use curl_multi_poll() in multi examples
+  
+  The API is soon two years old and deserves being shown as the primary
+  way to drive multi code as it makes it much easier to write code.
+  
+  multi-poll: removed
+  
+  multi-legacy: add to show how we did multi API use before
+  curl_multi_wait/poll.
+  
+  Closes #7352
 
-Viktor Szakats (1 Jun 2021)
-- travis: delete --enable-hsts option (it is the default now) [ci skip]
+- KNOWN_BUGS: flaky Windows CI builds
   
-  Reviewed-by: Daniel Stenberg
-  Closes #7167
+  Closes #6972
 
-Daniel Stenberg (1 Jun 2021)
-- hostip: fix 3 coverity complaints
+- RELEASE-NOTES: synced
+
+- test1147: hyper doesn't allow "crazy" request headers like built-in
   
-  Follow-up to 1a0ebf6632f889eed
+  ... so strip that from the test.
   
-  - Check the return code to Curl_inet_pton() in two instances, even
-    though we know the input is valid so the functions won't fail.
+  Closes #7349
+
+- c-hyper: bail on too long response headers
   
-  - Clear the 'struct sockaddr_in' struct before use so that the
-    'sin_zero' field isn't left uninitialized.
+  To match with built-in behaviors. Makes test 1154 work.
   
-  Detected by Coverity.
-  Assisted-by: Harry Sintonen
-  Closes #7163
+  Closes #7350
 
-- c-hyper: fix NTLM on closed connection tested with test159
+- test1151: added missing CRLF to work with hyper
   
-  Closes #7154
+  Closes #7350
 
-- conncache: lowercase the hash key for better match
-  
-  As host names are case insensitive, the use of case sensitive hashing
-  caused unnecesary cache misses and therefore lost performance. This
-  lowercases the hash key.
+- c-hyper: add support for transfer-encoding in the request
   
-  Reported-by: Harry Sintonen
-  Fixes #7159
-  Closes #7161
+  Closes #7348
 
-- mbedtls: make mbedtls_strerror always work
+- [Andrea Pappacoda brought this change]
+
+  cmake: remove libssh2 feature checks
   
-  If the function doesn't exist, provide a macro that just clears the
-  error message. Removes #ifdef uses from the code.
+  libssh2 features are detected based on version since commit
+  9dbbba997608f7c3c5de1c627c77c8cd2aa85b73
   
-  Closes #7162
+  Closes #7343
 
-- vtls: exit addsessionid if no cache is inited
+- test1116: hyper doesn't pass through "surprise-trailers"
   
-  Follow-up to b249592d29ae0
+  Closes #7344
+
+- socks4: scan for the IPv4 address in resolve results
   
-  Avoids NULL pointer derefs.
+  Follow-up to 84d2839740 which changed the resolving to always resolve
+  both address families, but since SOCKS4 only supports IPv4 it should
+  scan for and use the first available IPv4 address.
   
-  Closes #7165
-
-- [Harry Sintonen brought this change]
+  Reported-by: shithappens2016 on github
+  Fixes #7345
+  Closes #7346
 
-  Curl_ntlm_core_mk_nt_hash: fix OOM in error path
+Jay Satiro (5 Jul 2021)
+- proto.d: fix formatting for paragraphs after margin changes
   
-  Closes #7164
+  Closes https://github.com/curl/curl/pull/7341
 
-Michael Kaufmann (1 Jun 2021)
-- ssl: read pending close notify alert before closing the connection
+- pinnedpubkey.d: fix formatting for version support lists
   
-  This avoids a TCP reset (RST) if the server initiates a connection
-  shutdown by sending an SSL close notify alert and then closes the TCP
-  connection.
+  Closes https://github.com/curl/curl/pull/7340
+
+Daniel Stenberg (2 Jul 2021)
+- TODO: "Support in-memory certs/ca certs/keys" done
   
-  For SSL connections, usually the server announces that it will close the
-  connection with an SSL close notify alert. curl should read this alert.
-  If curl does not read this alert and just closes the connection, some
-  operating systems close the TCP connection with an RST flag.
+  Has been suppored for a while now with the *BLOB options.
+
+- examples: safer and more proper read callback logic
   
-  See RFC 1122, section 4.2.2.13
+  The same callback code is used in:
   
-  If curl reads the close notify alert, the TCP connection is closed
-  normally with a FIN flag.
+   imap-append.c
+   smtp-authzid.c
+   smtp-mail.c
+   smtp-multi.c
+   smtp-ssl.c
+   smtp-tls.c
   
-  The new code is similar to existing code in the "SSL shutdown" function:
-  try to read an alert (non-blocking), and ignore any read errors.
+  It should not assume that it can copy full lines into the buffer as it
+  will encourage sloppy coding practices. Instead use byte-wise logic and
+  check/acknowledge the buffer size appropriately.
   
-  Closes #7095
-
-Daniel Stenberg (1 Jun 2021)
-- [Laurent Dufresne brought this change]
+  Reported-by: Harry Sintonen
+  Fixes #7330
+  Closes #7331
 
-  setopt: fix incorrect comments
+- test1519: adjusted to work with hyper
   
-  Closes #7157
-
-- [Laurent Dufresne brought this change]
+  Closes #7333
 
-  mbedtls: add support for cert and key blob options
+- test1518: adjusted to work with hyper
   
-  CURLOPT_SSLCERT_BLOB and CURLOPT_SSLKEY_BLOB weren't usable with
-  mbedtls backend, so the support was added.
+  ... by making sure the stdout output doesn't look like HTTP headers.
   
-  Closes #7157
-
-- [Gregor Jasny brought this change]
+  Closes #7333
 
-  cmake: try well-known send/recv signature for Apple
+- test1514: add a CRLF to the response to make it correct
   
-  The CMake `try_compile` command is especially slow for
-  the Xcode generator. With this patch applied it first tests
-  for the currently used (and Open Group specified) send/recv
-  signature. In case this fails testing falls-back to the
-  permutations.
+  Makes hyper accept it fine instead returning HYPERE_UNEXPECTED_EOF on
+  us.
   
-  speed-up:
+  Closes #7334
+
+- formdata: avoid "Argument cannot be negative" warning
   
-  ```
-  time cmake .. -GNinja -DCMAKE_USE_SECTRANSP=ON -DHTTP_ONLY=ON -DCMAKE_USE_LIBSSH2=OFF
-  before: 11.64s user 11.09s system 55% cpu 40.754 total
-  after:   7.84s user 6.57s  system 51% cpu 28.074 total
-  ```
+  ... when converting a curl_off_t to size_t, by using
+  CURL_ZERO_TERMINATED before passing the argument to the function.
   
-  ```
-  time cmake .. -GXcode -DCMAKE_USE_SECTRANSP=ON -DHTTP_ONLY=ON -DCMAKE_USE_LIBSSH2=OFF
-  before: 217.07s user 104.15s system 60% cpu 8:51.79 total
-  after:  108.76s user  51.80s system 58% cpu 4:32.58 total
-  ```
+  Detected by Coverity CID 1486590.
   
-  Closes #7158
+  Closes #7328
+  Assisted-by: Daniel Gustafsson
 
-- http2: init recvbuf struct for pushed streams
+- lib: more %u for port and int for %*s fixes
   
-  Debug builds would warn that these structs were not initialized properly
-  for pushed streams.
+  Detected by Coverity
   
-  Ref: #7148
-  Closes #7153
+  Closes #7329
 
-- Curl_ssl_getsessionid: fail if no session cache exists
+- doh: (void)-prefix call to curl_easy_setopt
+
+- lib: fix type of len passed to *printf's %*s
   
-  This function might get called for an easy handle for which the session
-  cache hasn't been setup. It now just returns a "miss" in that case.
+  ... it needs to be 'int'. Detected by Coverity CID 1486611 (etc)
   
-  Reported-by: Christoph M. Becker
-  Fixes #7148
-  Closes #7153
+  Closes #7326
 
-- GOVERNANCE: add 'user', 'committer' and 'contributor'
+- lib: use %u instead of %ld for port number printf
   
-  As those are commonly used terms in the project.
+  Follow-up to 764c6bd3bf which changed the type of some port number
+  fields. Detected by Coverity (CID 1486624) etc.
   
-  Closes #7151
-
-- URL-SYNTAX.md: document the new 'localhost' treatment
+  Closes #7325
 
-- hostip: make 'localhost' return fixed values
-  
-  Resolving the case insensitive host name 'localhost' now returns the
-  addresses 127.0.0.1 and (if IPv6 is enabled) ::1 without using any
-  resolver.
+- version: turn version number functions into returning void
   
-  This removes the risk that users accidentally resolves 'localhost' to
-  something else. By making sure 'localhost' is always local, we can
-  assume a "secure context" for such transfers (for cookies etc).
+  ... as we never use the return codes from them.
   
-  Closes #7039
-
-Daniel Gustafsson (31 May 2021)
-- docs: fix typos
+  Reviewed-by: Daniel Gustafsson
+  Closes #7319
 
-Daniel Stenberg (30 May 2021)
-- hsts: ignore numberical IP address hosts
+- mqtt: extend the error message for no topic
   
-  Also, use a single function library-wide for detecting if a given hostname is
-  a numerical IP address.
+  ... and mention that it needs URL encoding.
   
-  Reported-by: Harry Sintonen
-  Fixes #7146
-  Closes #7149
+  Reported-by: Peter Körner
+  Fixes #7316
+  Closes #7317
 
-- test178: adjust for hyper
+- formdata: correct typecast in curl_mime_data call
   
-  Hyper returns the same error for wrong HTTP version as for negative
-  content-length. Test 178 verifies that negative content-length is
-  rejected but the hyper backend will return a different error for it (and
-  without any helpful message telling why the message was bad). It will
-  also not return any headers at all for the response, not even the ones
-  that arrived before the error.
+  Coverity pointed out it the mismatch. CID 1486590
   
-  Closes #7147
-
-- HYPER: remove mentions of deprecated development branch
+  Closes #7327
 
-- c-hyper: handle NULL from hyper_buf_copy()
+- url: (void)-prefix a curl_url_get() call
   
-  Closes #7143
-
-- HSTS: not experimental anymore
-
-- [Douglas R. Reno brought this change]
+  Coverity (CID 1486645) pointed out a use of curl_url_get() in the
+  parse_proxy function where the return code wasn't checked. A
+  (void)-prefix makes the intention obvious.
+  
+  Closes #7320
 
-  INSTALL: use correct extension for CURL-DISABLE.md
+- glob: pass an 'int' as len when using printf's %*s
   
-  In INSTALL.MD, it's currently set to CURL-DISABLE-md instead of
-  CURL-DISABLE.md. This generates a 404 on the cURL website as well as
-  when viewing the docs through Github.
+  Detected by Coverity CID 1486629.
   
-  Closes #7142
-
-- travis: run tests 1 - 153 with hyper
+  Closes #7324
 
-- c-hyper: convert HYPERE_INVALID_PEER_MESSAGE to CURLE_UNSUPPORTED_PROTOCOL
+- vtls: use free() not curl_free()
   
-  Makes test 129 work (HTTP/1.2 response).
+  curl_free() is provided for users of the API to free returned data,
+  there's no need to use it internally.
   
-  Closes #7141
+  Closes #7318
 
-- http_proxy: deal with non-200 CONNECT response with Hyper
+- zuul: use the new rustls directory name
   
-  Makes test 94 and 95 work
+  Follow-up to 6d972c8b1cbb3 which missed updating this directory name.
   
-  Closes #7141
+  Also no longer call it crustls in the docs and bump to rusttls-ffi 0.7.1
+  
+  Closes #7311
 
-- c-hyper: clear NTLM auth buffer when request is issued
+Jay Satiro (29 Jun 2021)
+- http: fix crash in rate-limited upload
   
-  To prevent previous ones to get reused on subsequent requests. Matches
-  how the built-in HTTP code works. Makes test 90 to 93 work.
+  - Don't set the size of the piece of data to send to the rate limit if
+    that limit is larger than the buffer size that will hold the piece.
   
-  Add test 90 to 93 in travis.
+  Prior to this change if CURLOPT_MAX_SEND_SPEED_LARGE
+  (curl tool: --limit-rate) was set then it was possible that a temporary
+  buffer used for uploading could be written to out of bounds. A likely
+  scenario for this would be a non-trivial amount of post data combined
+  with a rate limit larger than CURLOPT_UPLOAD_BUFFERSIZE (default 64k).
   
-  Closes #7139
-
-- [Joel Depooter brought this change]
-
-  schannel: set ALPN length correctly for HTTP/2
+  The bug was introduced in 24e469f which is in releases since 7.76.0.
   
-  In a3268eca792f1 this code was changed to use the ALPN_H2 constant
-  instead of the NGHTTP2_PROTO_ALPN constant. However, these constants are
-  not the same. The nghttp2 constant included the length of the string,
-  like this: "\x2h2". The ALPN_H2 constant is just "h2". Therefore we need
-  to re-add the length of the string to the ALPN buffer.
+  perl -e "print '0' x 200000" > tmp
+  curl --limit-rate 128k -d @tmp httpbin.org/post
   
-  Closes #7138
+  Reported-by: Richard Marion
+  
+  Fixes https://github.com/curl/curl/issues/7308
+  Closes https://github.com/curl/curl/pull/7315
 
-- travis: run tests 1-89 in the hyper build
+Daniel Stenberg (29 Jun 2021)
+- copyright: add boiler-plate headers to CI config files
   
-  Closes #7137
+  And whitelist .zuul.ignore
+  
+  Closes #7314
 
-- Revert "c-hyper: handle body on HYPER_TASK_EMPTY"
+- CI: remove travis details
   
-  This reverts commit c3eefa95c31f55657f0af422e8268d738f689066.
+  Rename still used leftovers to "zuul" as that's now the CI using them.
   
-  Reported-by: Kevin Burke
-  Fixes #7122
-  Closes #7136
+  Closes #7313
 
-- [Jon Rumsey brought this change]
+- RELEASE-NOTES: synced
 
-  ccsidcurl: fix the compile errors
+- openssl: avoid static variable for seed flag
   
-  Looks like the declaration of cpp shoule be const char ** and return
-  null if convert_version_info_string fails.
+  Avoid the race condition risk by instead storing the "seeded" flag in
+  the multi handle. Modern OpenSSL versions handle the seeding itself so
+  doing the seeding once per multi-handle instead of once per process is
+  less of an issue.
   
-  Fixes #7134
-  Closes #7135
-
-- [Viktor Szakats brought this change]
+  Reported-by: Gerrit Renker
+  Fixes #7296
+  Closes #7306
 
-  docs: use --max-redirs instead of --max-redir
+- configure: inhibit the implicit-fallthrough warning on gcc-12
   
-  For consistency.
+  ... since it no longer acknowledges the comment markup we use for that
+  purpose.
   
-  Closes #7130
+  Reported-by: Younes El-karama
+  Fixes #7295
+  Closes #7307
 
-- RELEASE-NOTES: synced
-  
-  ... and bump to 7.77.1
+Daniel Gustafsson (28 Jun 2021)
+- [Andrei Rybak brought this change]
 
-- [Michael Forney brought this change]
+  misc: fix typos in comments which repeat a word
+  
+  Fix typos in code comments which repeat various words.  In trivial
+  cases, just delete the repeated word.  Reword the affected sentence in
+  "lib/url.c" for it to make sense.
+  
+  Closes #7303
+  Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
 
-  travis: add bearssl build
+Daniel Stenberg (27 Jun 2021)
+- lib677: make it survive torture testing
   
-  Closes #7133
+  Follow-up to a5ab72d5edd7
+  
+  Closes #7300
 
-- [Michael Forney brought this change]
+- [Tommy Chiang brought this change]
 
-  bearssl: explicitly initialize all fields of Curl_ssl
+  docs/BINDINGS: fix outdated links
   
-  Also, add comments like the other vtls backends.
+  * luacurl page is now not accessible, fix it with wayback machine page
+  * Scheme one seems not providing https now, change it back to http one
   
-  Closes #7133
+  Closes #7301
 
-- [Michael Forney brought this change]
+- [Jacob Hoffman-Andrews brought this change]
 
-  bearssl: remove incorrect const on variable that is modified
+  curstls: bump crustls version and use new URL
   
-  hostname may be set to NULL later on in this function if it is an
-  IP address.
+  crustls moved to https://github.com/rustls/rustls-ffi. This also bumps
+  the expected version to 0.7.0.
   
-  Closes #7133
-
-Version 7.77.0 (26 May 2021)
+  Closes #7297
 
-Daniel Stenberg (26 May 2021)
 - RELEASE-NOTES: synced
 
-- THANKS: added contributors from 7.77.0 cycle
-
-- copyright: update copyright year ranges to 2021
+- examples: length-limit two sscanf() uses of %s
+  
+  Reported-by: Jishan Shaikh
+  Fixes #7293
+  Closes #7294
 
-- [Radek Zajic brought this change]
+- [Richard Whitehouse brought this change]
 
-  hostip: fix broken macOS/CMake/GCC builds
+  multi: alter transfer timeout ordering
   
-  Follow-up to 31f631a142d855f06
+  - Check whether a connection has succeded before checking whether it's
+    timed out.
   
-  Fixes #7128
-  Closes #7129
+    This means if we've connected quickly, but subsequently been
+    descheduled, we allow the connection to succeed. Note, if we timeout,
+    but between checking the timeout, and connecting to the server the
+    connection succeeds, we will allow it to go ahead. This is viewed as
+    an acceptable trade off.
+  
+  - Add additional failf logging around failed connection attempts to
+    propogate the cause up to the caller.
+  
+  Co-Authored-by: Martin Howarth
+  Closes #7178
 
-- TODO: netrc caching and sharing
+- test677: IMAP CONNECT_ONLY, custom command and then exit
   
-  URL: https://curl.se/mail/archive-2021-05/0018.html
+  Adjusted ftpserver.pl to add support for the IMAP IDLE command
+  
+  Adjusted test 660 to sync with the fix
 
-- [Orgad Shaneh brought this change]
+- multi: do not switch off connect_only flag when closing
+  
+  ... as it made protocol specific disconnect commands wrongly get used.
+  
+  Bug: https://curl.se/mail/lib-2021-06/0024.html
+  Reported-by: Aleksander Mazur
+  Closes #7288
 
-  setopt: streamline ssl option code
+- http: make the haproxy support work with unix domain sockets
   
-  Make it use the same style as the code next to it
+  ... it should then pass on "PROXY UNKNOWN" since it doesn't know the
+  involved IP addresses.
   
-  Closes #7123
+  Reported-by: Valentín Gutiérrez
+  Fixes #7290
+  Closes #7291
 
-- [Radek Zajic brought this change]
+- [Xiang Xiao brought this change]
 
-  lib/hostip6.c: make NAT64 address synthesis on macOS work
+  curl.h: include sys/select.h for NuttX RTOS
   
-  Closes #7121
+  Closes #7287
 
-- [ejanchivdorj brought this change]
+- [Bin Meng brought this change]
 
-  sectransp: fix EXC_BAD_ACCESS caused by uninitialized buffer
+  curl.h: remove the execution bit
   
-  When the SecCertificateCopyCommonName function fails, it leaves
-  common_name in a invalid state so CFStringCompare uses the invalid
-  result, causing EXC_BAD_ACCESS.
+  The execution bit of curl.h file was wrongly added:
   
-  The fix is to check the return value of the function before using the
-  name.
+    commit 2621025d6f96 ("curl.h: <sys/select.h> is supported by VxWorks7")
   
-  Closes #7126
+  and should be removed.
+  
+  Follow-up to 2621025d6f96 ("curl.h: <sys/select.h> is supported by VxWorks7")
+  Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
+  Closes #7286
 
-- [Paweł Wegner brought this change]
+- [Bin Lan brought this change]
 
-  CMake: add CURL_ENABLE_EXPORT_TARGET option
-  
-  install(EXPORT ...) causes trouble when embedding curl dependencies
-  which don't provide install(EXPORT ...) targets (e.g libressl and
-  nghttp2) with cmake's add_subdirectory.
+  curl.h: <sys/select.h> is supported by VxWorks7
   
-  Reviewed-by: Jakub Zakrzewski
-  Closes #7060
+  Closes #7285
 
-- [Alessandro Ghedini brought this change]
+- [Bachue Zhou brought this change]
 
-  quiche: update for network path aware API
+  quiche: use send() instead of sendto() to avoid macOS issue
   
-  Latest version of quiche requires the application to pass the peer
-  address of received packets, and it provides the address for outgoing
-  packets back.
+  sendto() always returns "Socket is already connected" error on macos
   
-  Closes #7120
+  Closes #7260
 
-- [Jacob Hoffman-Andrews brought this change]
+- [Li Xinwei brought this change]
 
-  rustls: switch read_tls and write_tls to callbacks
+  cmake: fix support for UnixSockets feature on Win32
   
-  And update to 0.6.0, including a rename from session to connection for
-  many fields.
+  Move the definition of sockaddr_un struct from config-win32.h to
+  curl_setup.h, so that it could be shared by all build systems.
   
-  Closes #7071
+  Add ADDRESS_FAMILY typedef for old mingw, now old mingw can also use
+  unix sockets.
+  
+  Also fix the build of tests/server/sws.c on Win32 when USE_UNIX_SOCKETS
+  is defined.
+  
+  Closes #7034
 
-- [Koichi Shiraishi brought this change]
+- [Gregory Muchka brought this change]
 
-  sectransp: fix 7f4a9a9b2a49 commit about missing comma
+  hostip: (macOS) free returned memory of SCDynamicStoreCopyProxies
   
-  Follow-up to 7f4a9a9b2a495
+  From Apples documentation on SCDynamicStoreCopyProxies, "Return Value: A
+  dictionary of key-value pairs that represent the current internet proxy
+  settings, or NULL if no proxy settings have been defined or if an error
+  occurred. You must release the returned value."
   
-  Closes #7119
+  Failure to release the returned value of SCDynamicStoreCopyProxies can
+  result in a memory leak.
+  
+  Source: https://developer.apple.com/documentation/systemconfiguration/1517088-scdynamicstorecopyproxies
+  
+  Closes #7265
 
-- [Harry Sintonen brought this change]
+- RELEASE-NOTES: synced
 
-  openssl: associate/detach the transfer from connection
+Jay Satiro (21 Jun 2021)
+- vtls: fix warning due to function prototype mismatch
   
-  CVE-2021-22901
+  b09c8ee changed the function prototype. Caught by Visual Studio.
+
+- curl_multibyte: Remove local encoding fallbacks
   
-  Bug: https://curl.se/docs/CVE-2021-22901.html
+  - If the UTF-8 to UTF-16 conversion fails in Windows Unicode builds then
+    no longer fall back to assuming the string is in a local encoding.
+  
+  Background:
+  
+  Some functions in Windows Unicode builds must convert UTF-8 to UTF-16 to
+  pass to the Windows CRT API wide-character functions since in Windows
+  UTF-8 is not a valid locale (or at least 99% of the time right now).
+  
+  Prior to this change if the Unicode encoding conversion failed then
+  libcurl would assume, for backwards compatibility with applications that
+  may have written their code for non-Unicode builds, attempt to convert
+  the string from local encoding to UTF-16.
+  
+  That type of "best effort" could theoretically cause some type of
+  security or other problem if a string that was locally encoded was also
+  valid UTF-8, and therefore an unexpected UTF-8 to UTF-16 conversion
+  could occur.
+  
+  Ref: https://github.com/curl/curl/pull/7246
+  
+  Closes https://github.com/curl/curl/pull/7257
 
-- [Harry Sintonen brought this change]
+Daniel Stenberg (20 Jun 2021)
+- curl_endian: remove the unused Curl_write64_le function
+  
+  The last usage was removed in cca455a36
+  
+  Closes #7280
 
-  telnet: check sscanf() for correct number of matches
+- vtls: only store TIMER_APPCONNECT for non-proxy connect
   
-  CVE-2021-22898
+  Introducing a 'isproxy' argument to the connect function so that it
+  knows wether to store the time stamp or not.
   
-  Bug: https://curl.se/docs/CVE-2021-22898.html
+  Reported-by: Yongkang Huang
+  Fixes #7274
+  Closes #7274
 
-- schannel: don't use static to store selected ciphers
+- gnutls: set the preferred TLS versions in correct order
   
-  CVE-2021-22897
+  Regression since 781864bedbc57 (curl 7.77.0)
   
-  Bug: https://curl.se/docs/CVE-2021-22897.html
+  Reported-by: civodul on github
+  Assisted-by: Nikos Mavrogiannopoulos
+  Fixes #7277
+  Closes #7278
 
-- docs/tests: remove freenode references
+- [Gergely Nagy brought this change]
 
-- RELEASE-NOTES: synced
+  configure/cmake: remove checks for unused gethostbyaddr and gethostbyaddr_r
+  
+  Closes #7276
 
-- [Sergey Markelov brought this change]
+- [Gergely Nagy brought this change]
 
-  NSS: make colons, commas and spaces valid separators in cipher list
+  configure/cmake: remove checks for unused inet_ntoa and inet_ntoa_r
   
-  Fixes #7110
-  Closes #7115
+  Closes #7276
 
-- curl: include libmetalink version in --version output
+- [Gergely Nagy brought this change]
+
+  configure/cmake: remove unused define HAVE_PERROR
   
-  Closes #7112
+  Closes #7276
 
-Jay Satiro (21 May 2021)
-- [Matias N. Goldberg brought this change]
+- [Gergely Nagy brought this change]
 
-  cmake: Use multithreaded compilation on VS 2008+
-  
-  Multithreaded compilation has been supported since at least VS 2005 and
-  been robustly stable since at least VS 2008
+  configure: remove unused check for gai_strerror
   
-  Closes https://github.com/curl/curl/pull/7109
+  Closes #7276
 
-Daniel Stenberg (21 May 2021)
-- [Matias N. Goldberg brought this change]
+- [Gergely Nagy brought this change]
 
-  cmake: fix two invokes result in different curl_config.h
-  
-  Fixes #7100
-  Closes #7101
+  configure/cmake: remove unused define HAVE_FREEIFADDRS
   
-  Reviewed-by: Jakub Zakrzewski
-  Signed-off-by: Matias N. Goldberg <dark_sylinc@yahoo.com.ar>
+  Closes #7276
 
-- [Peng-Yu Chen brought this change]
+- [Gergely Nagy brought this change]
 
-  cmake: detect CURL_SA_FAMILY_T
+  configure/cmake: remove unused define HAVE_FORK
   
-  Fixes #7049
-  Closes #7065
+  Closes #7276
 
-- [Lucas Clemente Vella brought this change]
+- [Gergely Nagy brought this change]
 
-  CURLOPT_IPRESOLVE: preventing wrong IP version from being used
-  
-  In some situations, it was possible that a transfer was setup to
-  use an specific IP version, but due do DNS caching or connection
-  reuse, it ended up using a different IP version from requested.
-  
-  This commit changes the effect of CURLOPT_IPRESOLVE from simply
-  restricting address resolution to preventing the wrong connection
-  type being used, when choosing a connection from the pool, and
-  to restricting what addresses could be used when establishing
-  a new connection.
-  
-  It is important that all addresses versions are resolved, even if
-  not used in that transfer in particular, because the result is
-  cached, and could be useful for a different transfer with a
-  different CURLOPT_IPRESOLVE setting.
+  configure/cmake: remove unused define HAVE_FDOPEN
   
-  Closes #6853
+  Closes #7276
 
-- [Oliver Urbann brought this change]
+- [Gergely Nagy brought this change]
 
-  AmigaOS: add functions definitions for SHA256
-  
-  AmiSSL replaces many functions with macros. Curl requires pointer
-  to some of these functions. Thus, we have to encapsulate these macros:
-  SHA256_Init, SHA256_Update, SHA256_Final, X509_INFO_free.
-  
-  Bug: https://github.com/jens-maus/amissl/issues/15
-  Co-authored-by: Daniel Stenberg <daniel@haxx.se>
+  configure/cmake: remove checks for unused sgtty.h
   
-  Closes #7099
+  Closes #7276
 
-- test2100: make it run with and require IPv6
-  
-  Closes #7083
+- [Gergely Nagy brought this change]
 
-- tests/getpart: generate output URL encoded for better diffs
+  configure/cmake: remove remaining checks for rsa.h
   
-  Closes #7083
+  Closes #7276
 
-- [Ryan Beck-Buysse brought this change]
+- [Gergely Nagy brought this change]
 
-  docs/TheArtOfHttpScripting: fix markdown links
-  
-  extra parens cause the links to be incorrectly formatted
-  and inconsistent with the rest of the document.
+  configure/cmake: remove remaining checks for err.h
   
-  Signed-off-by: Ryan Beck-Buysse <rbuysse@gmail.com>
-  Closes #7097
-
-- RELEASE-NOTES: synced
+  Closes #7276
 
-- [Emil Engler brought this change]
+- [Gergely Nagy brought this change]
 
-  docs: replace dots with dashes in markdown enums
-  
-  We use dashes instead of dots nearly everywhere except for those few
-  cases. This commit addresses this issues and brings more coherency into
-  it.
+  configure/cmake: remove remaining checks for crypto.h
   
-  Closes #7093
+  Closes #7276
 
-- [Emil Engler brought this change]
+- [Gergely Nagy brought this change]
 
-  docs: improve INTERNALS.md regarding getsock cb
-  
-  This adds the I/O prefix to indicate that those "actions" are kind-of
-  related to those found in select(2) or poll(2) (reading/writing).
-  
-  It also adds a note where the prototypes of those functions can be found
-  in the source code.
+  configure/cmake: remove checks for unused getservbyport_r
   
-  Closes #7092
+  Closes #7276
 
-- [Emil Engler brought this change]
+- --socks4[a]: clarify where the host name is resolved
+  
+  Closes #7273
 
-  docs: document attach in INTERNALS.md
+- libcurl-security.3: mention file descriptors and forks
   
-  The new field in the Curl_handler struct still lacks documentation. This
-  adds it it from the information extracted from lib/urldata.h:797
+  ... and move the security report section last.
   
-  Closes #7091
+  Reported-by: Harry Sintonen
+  Closes #7270
 
-- [Marc Aldorasi brought this change]
+- [Alex Xu (Hello71) brought this change]
 
-  config: remove now-unused macros
+  configure.ac: make non-executable
   
-  Closes #7094
-
-- [Marc Aldorasi brought this change]
-
-  hostip.h: remove declaration of unimplemented function
+  it needs to be processed by autoconf or autoreconf, and doesn't have a
+  suitable shebang to be directly executed. other projects normally set
+  configure.ac -x.
   
-  Closes #7094
+  Closes #7272
 
-- h3: add 'attach' callback to protocol handlers
+- configure: do not strip out debug flags
   
-  Follow-up to 0c55fbab45be
+  To allow users to set them when invoking configure without using
+  --with-debug.
   
-  Reviewed-by: Emil Engler
-  Closes #7090
+  Reported-by: Alex Xu
+  Fixes #7216
+  Closes #7267
 
-- wolfssl: remove SSLv3 support leftovers
+- libssh2: limit time a disconnect can take to 1 second
   
-  Closes #7088
+  Closes #7271
 
-- curl-wolfssl.m4: without custom include path, assume /usr/include
+- TLS: prevent shutdown loops to get stuck
   
-  ... so that we can point out the root of the OpenSSL emulation headers.
-  Previously this used the '$includedir' variable which is wrong since
-  that defaults to the dir where the current configure invoke will install
-  the built libcurl headers: /usr/local by default.
+  ... by making sure the loops are only allowed to read the shutdown
+  traffic a limited number of times.
   
-  Fixes #7085
-  Reported-by: Joel Jakobsson
-  Closes #7087
-
-- [Joel Depooter brought this change]
+  Reported-by: Harry Sintonen
+  Closes #7271
 
-  data_pending: check only SECONDARY socket for FTP(S) transfers
-  
-  Check the FIRST for all other protocols.
+- hyper: propagate errors back up from read callbacks
   
-  This fixes a timeout in an ftps download. The server sends a TLS
-  close_notify message in the same packet as the file data. The
-  close_notify seems to not be handled in the schannel_recv function, so
-  libcurl is not aware that the server has closed the connection. Thus
-  libcurl ends up waiting for action on the socket until a timeout is
-  reached. With the secondary socket check added to the data_pending
-  function, the close_notify is properly handled, and the ftps transfer
-  terminates as expected.
+  Makes test 513 work with hyper
   
-  Fixes #7068
-  Closes #7069
+  Closes #7266
 
-- github: inhibit deprecated declarations for clang on macOS
+- KNOWN_BUGS: Negotiate on Windows fails
   
-  ... as they otherwise cause ldap build errors in the CI.
+  Closes #5881
+
+- KNOWN_BUGS: renames instead of locking for atomic operations
   
-  Fixes #7081
-  Closes #7082
+  Closes #6882
+  Closes #6884
 
-- conn: add 'attach' to protocol handler, make libssh2 use it
+- zuul: add two missing CI jobs
   
-  The libssh2 backend has SSH session associated with the connection but
-  the callback context is the easy handle, so when a connection gets
-  attached to a transfer, the protocol handler now allows for a custom
-  function to get used to set things up correctly.
+  ... that were configured, just not run
   
-  Reported-by: Michael O'Farrell
-  Fixes #6898
-  Closes #7078
+  Closes #7261
 
-- http2: make sure pause is done on HTTP
+Viktor Szakats (15 Jun 2021)
+- idn: fix libidn2 with windows unicode builds
   
-  Since the function is called for any protocol, we can't assume that the
-  HTTP struct is there without first making sure it is HTTP.
+  Unicode Windows builds use UTF-8 strings internally in libcurl,
+  so make sure to call the UTF-8 flavour of the libidn2 API. Also
+  document that Windows builds with libidn2 and UNICODE do expect
+  CURLOPT_URL as an UTF-8 string.
   
-  Reported-by: Denis Goleshchikhin
-  Fixes #7079
-  Closes #7080
+  Reported-by: dEajL3kA on github
+  Assisted-by: Jay Satiro
+  Reviewed-by: Marcel Raad
+  Closes #7246
+  Fixes #7228
 
-- docs: cookies from HTTP headers need domain set
+Daniel Stenberg (15 Jun 2021)
+- curl_url_set: reject spaces in URLs w/o CURLU_ALLOW_SPACE
   
-  ... or the cookies won't get sent. Push users to using the "Netscape"
-  format instead, which curl uses when saving a cookie "jar".
+  They were never officially allowed and slipped in only due to sloppy
+  parsing. Spaces (ascii 32) should be correctly encoded (to %20) before
+  being part of a URL.
+  
+  The new flag bit CURLU_ALLOW_SPACE when a full URL is set, makes libcurl
+  allow spaces.
+  
+  Updated test 1560 to verify.
   
-  Reported-by: Martin Dorey
-  Reviewed-by: Daniel Gustafsson
-  Fixes #6723
-  Closes #7077
+  Closes #7073
 
 - RELEASE-NOTES: synced
-
-- github: add a workflow with libssh2 on macOS using cmake
   
-  Closes #7047
+  ... and bump to version 7.78.0 for the next planned release.
 
-- sws: allow HTTP requests up to 2MB in size
+Jay Satiro (15 Jun 2021)
+- docs: Remove outdated curl tool limitation
   
-  To allow tests with slightly larger payloads. Like #7071 ...
+  - Document that HTTP/2 multiplexing is supported by the curl tool when
+    parallel transfers are used.
   
-  Closes #7075
-
-Marc Hoersken (16 May 2021)
-- CI/azure: increase verbosity and fix outdated task names
+  Supported since 7.66.0 via --parallel, but the doc wasn't updated.
   
-  Closes #7063
+  Closes https://github.com/curl/curl/pull/7259
 
-- CI/cirrus: add shared and static Windows release builds
+- http2: Clarify 'Using HTTP2' verbose message
   
-  Azure Pipelines is currently being used for debug builds,
-  let's also run some non-debug (release) Windows builds and
-  make use of previously underutilized Cirrus CI for that.
+  - Change phrasing from multi-use to multiplexing since the former may
+    not be as well understood.
   
-  Reviewed-by: Marcel Raad
+  Before: * Using HTTP2, server supports multi-use
   
-  Closes #6991
+  After: * Using HTTP2, server supports multiplexing
+  
+  Bug: https://github.com/curl/curl/discussions/7255
+  Reported-by: David Hu
+  
+  Closes https://github.com/curl/curl/pull/7258
 
-Daniel Stenberg (16 May 2021)
-- CURLOPT_CAPATH.3: defaults to a path, not NULL
+Daniel Stenberg (14 Jun 2021)
+- winbuild/README: VC should be set to 6 'or larger'
   
-  Reported-by: Andrew Barnert
+  Previously it listed all versions up to 15 (missing 16) but this new
+  phrasing is more open ended.
   
-  Closes #7062
+  Reported-by: Hugh Macdonald
+  Fixes #7253
+  Closes #7254
 
 - [Jacob Hoffman-Andrews brought this change]
 
-  c-hyper: handle body on HYPER_TASK_EMPTY
-  
-  Some of the time, we get a HYPER_TASK_EMPTY response before the status
-  line, headers, and body have been read. Previously, that would cause us
-  to poll again, leading to a 1 second timeout.
-  
-  The HYPER_TASK_EMPTY docs say:
+  rustls: remove native_roots fallback
   
-     The value of this task is null (does not imply an error).
+  For the commandline tool, we expect to be passed
+  SSL_CONN_CONFIG(CAfile); for library use, the use should pass a set of
+  trusted roots (like in other TLS backends).
   
-  So, if we receive a HYPER_TASK_EMPTY, continue on with processing the
-  response.
+  This also removes a dependency on Security.framework when building on
+  macOS.
   
-  Reported-by: Kevin Burke
-  Fixes #7064
-  Closes #7070
+  Closes #7250
 
-- [Ikko Ashimine brought this change]
+- [Albin Vass brought this change]
 
-  tool_getparam: fix comment typo in tool_getparam.c
-  
-  enfore -> enforce
+  travis: remove jobs that have migrated to zuul
   
-  Closes #7074
+  Closes #7245
 
-- mem-include-scan.pl: require a non-word letter before memory funcs
-  
-  ... so that ldap_memfree() for example doesn't match the scan for free.
-  
-  Closes #7061
+- [Mohammed Naser brought this change]
 
-- version: free the openldap info correctly
+  CI: add jobs using Zuul
   
-  ... to avoid memory leaks.
+  It also includes a few changes to get the builds going:
+  - Added autoconf to common dependencies
+  - Added automake to common dependencies
+  - Added libtool to common dependencies
+  - Added libssl-dev to common dependencies
   
-  Follow-up to: bf0feae7768d9
-  Closes #7061
-
-- dupset: remove totally off comment
+  Co-authored-by: Albin Vass
   
-  Closes #7067
+  Closes #7245
 
-- configure: if asked for, fail if ldap is not found
+- netrc: skip 'macdef' definitions
   
-  Reported-by: Jakub Zakrzewski
-  Fixes #7053
-  Closes #7055
-
-- version: add OpenLDAP version in the output
+  Add test 494 to verify
   
-  Assisted-by: Howard Chu
-  Closes #7054
-
-Jay Satiro (13 May 2021)
-- [Joel Depooter brought this change]
+  Reported-by: Harry Sintonen
+  Fixes #7238
+  Closes #7244
 
-  schannel: Ensure the security context request flags are always set
-  
-  As of commit 54e7475, these flags would only be set when using a new
-  credential handle. When re-using an existing credential handle, the
-  flags would not be set.
+- multi: add scan-build-6 work-around in curl_multi_fdset
   
-  Closes https://github.com/curl/curl/pull/7051
-
-Dan Fandrich (12 May 2021)
-- tests: Fix some tag matching issues in a number of tests
-
-Daniel Stenberg (12 May 2021)
-- sasl: use 'unsigned short' to store mechanism
+  scan-build-6 otherwise warns, saying: warning: The left operand of '>='
+  is a garbage value otherwise, which is false.
   
-  ... saves a few bytes of struct size in memory and it only uses
-  10 bits anyway.
+  Later scan-builds don't claim this on the same code.
   
-  Closes #7045
+  Closes #7248
 
-- hostip: remove the debug code for LocalHost
+- asyn-ares: remove check for 'data' in Curl_resolver_cancel
   
-  The Curl_resolv() had special code (when built in debug mode) for when
-  resolving the host name "LocalHost" (using that exact casing). It would
-  then get the host name from the --interface option instead.
+  It implied it would survive a NULL in there which it won't. Instead do
+  an assert.
   
-  This development-only feature was not used by anything (anymore) and we
-  have the --resolve feature if we want to play similar tricks properly
-  going forward.
+  Pointed out by scan-build.
   
-  Closes #7044
+  Closes #7248
 
-- progress: reset limit_size variables at transfer start
-  
-  Otherwise the old value would linger from a previous use and would mess
-  up the network speed cap logic.
+- url.c: remove two variable assigns that are never read
   
-  Reported-by: Ymir1711 on github
+  Pointed out by scan-build
   
-  Fixes #7042
-  Closes #7043
-
-- RELEASE-NOTES: synced
+  Closes #7248
 
-- [Daniel Gustafsson brought this change]
+- [Gealber Morales brought this change]
 
-  cookies: use CURLcode for cookie_output reporting
-  
-  Writing the cookie file has multiple error conditions, and was using an
-  int with magic numbers to report the different error (which in turn were
-  disregarded anyways). This moves reporting to use a CURLcode value.
+  mqtt: add support for username and password
   
-  Lightly-touched-by: Daniel Stenberg
+  Minor-edits-by: Daniel Stenberg
+  Added test 2200 to 2205
   
-  Closes #7037
-  Closes #6749
-
-- [Daniel Gustafsson brought this change]
+  Closes #7243
 
-  cookies: make use of string duplication function
+- travis: remove the arm job
   
-  strstore() is defined as a strdup which ensures to free the target
-  pointer before duping the source char * into it. Make use of it in
-  two more cases where it can simplify the code.
-
-- [Daniel Gustafsson brought this change]
+  We do it on circle CI instead
 
-  cookies: refactor comments
+- CI: add .circleci/config.yml
   
-  Comments in the cookie code were a bit all over the place in terms of
-  style and wording. This takes a stab at cleaning them up by keeping to
-  a single style and overall shape. Some comments are moved a little and
-  some removed alltogether due to being redundant. No functional changes
-  have been made,
+  Assisted-by: Gabriel Simmer
+  
+  Closes #7239
 
-- [Peng-Yu Chen brought this change]
+- RELEASE-NOTES: synced
 
-  http2: skip immediate parsing of payload following protocol switch
+- runtests: init $VERSION to avoid warnings when using -l
+
+- openssl: don't remove session id entry in disassociate
   
-  This is considered not harmful as a following http2_recv shall be
-  called very soon.
+  When a connection is disassociated from a transfer, the Session ID entry
+  should remain.
   
-  This is considered helpful in the specific situation where some
-  servers (e.g. nghttpx v1.43.0) may fulfill stream 1 immediately
-  following the return of HTTP status 101, other than waiting for
-  the client-side connection preface to arrive.
+  Regression since 7f4a9a9 (shipped in libcurl 7.77.0)
+  Reported-by: Gergely Nagy
+  Reported-by: Paul Groke
   
-  Fixes #7036
-  Closes #7040
-
-- [Peng-Yu Chen brought this change]
+  Fixes #7222
+  Closes #7230
 
-  http2: use nghttp2_session_upgrade2 instead of nghttp2_session_upgrade
-  
-  Following the upstream deprecation of nghttp2_session_upgrade.
+- single_transfer: ignore blank --output-dir
   
-  Also provides further checks for requests with the HEAD method.
+  ... as otherwise it creates a rather unexpected target directory with a
+  leading slash.
   
-  Closes #7041
+  Reported-by: Harry Sintonen
+  Fixes #7218
+  Closes #7233
 
-- progress/trspeed: use a local convenient pointer to beautify code
+- tests: update README about servers and port numbers
   
-  The function becomes easier to read and understand with less repetition.
-
-- trspeed: use long double for transfer speed calculation
+  Closes #7242
 
-- progress: move transfer speed calc into function
+- conn_shutdown: if closed during CONNECT cleanup properly
   
-  This silences two scan-build-11 warnings: "The result of the '/'
-  expression is undefined"
+  Reported-by: Alex Xu
+  Reported-by: Phil E. Taylor
   
-  Bug: https://curl.se/mail/lib-2021-05/0022.html
-  Closes #7035
-
-- [Cameron Cawley brought this change]
+  Fixes #7236
+  Closes #7237
 
-  openssl: remove unneeded cast for CertOpenSystemStore()
-  
-  Closes #7025
+- [Christian Weisgerber brought this change]
 
-- travis: disable the libssh build
+  sws: malloc request struct instead of using stack
   
-  It can't run on focal and causes warnings on bionic. Since the focal
-  failure started rather suddenly a while ago, we can suspect it might be
-  temporary.
+  ... 2MB requests is otherwise just too big for some systems.
   
-  Added "bring back the build" to the TODO document.
+  (The allocations are not freed properly.)
   
-  Fixes #7011
-  Closes #7012
+  Bug: https://curl.se/mail/lib-2021-06/0018.html
+  
+  Closes #7235
 
-- [Peng-Yu Chen brought this change]
+- [Mark Swaanenburg brought this change]
 
-  http: use calculated offsets inst of integer literals for header parsing
-  
-  Assumed to be a minor coding style improvement with no behavior change.
+  lib: don't compare fd to FD_SETSIZE when using poll
   
-  A modern compiler is expected to have the calculation optimized during
-  compilation. It may be deemed okay even if that's not the case, since
-  the added overhead is considered very low.
+  FD_SETSIZE is irrelevant when using poll. So ensuring that the file
+  descriptor is smaller than FD_SETSIZE in VALID_SOCK, can cause
+  multi_wait to ignore perfectly valid file descriptors and simply wait
+  for 1s to avoid hammering the CPU in a busy loop.
   
-  Closes #7032
+  Fixes #7240
+  Closes #7241
 
-- [Peng-Yu Chen brought this change]
+- [zhangxiuhua brought this change]
 
-  GIT-INFO: suggest using autoreconf instead of buildconf
-  
-  Follow-up to 85868537d
+  doh: fix wrong DEBUGASSERT for doh private_data
   
-  Closes #7033
+  Closes #7227
 
-- http: deal with partial CONNECT sends
+- [yb999 brought this change]
+
+  tests: update README.md with a missing single quote
   
-  Also added 'CURL_SMALLSENDS' to make Curl_write() send short packets,
-  which helped verifying this even more.
+  Closes #7231
+
+- GHA: run all tests for hyper too
   
-  Add test 363 to verify.
+  As it lists disabled ones in DISABLED now
   
-  Reported-by: ustcqidi on github
-  Fixes #6950
-  Closes #7024
+  Closes #7209
 
-- HTTP3: make the ngtcp2 build use the quictls fork
+- tests/data/DISABLED: add tests not working with hyper
   
-  ... as ngtcp2 itself documents the build this way.
+  The goal is to remove them all from here over time.
   
-  Closes #7031
+  Closes #7209
 
-- http: limit the initial send amount to used upload buffer size
+- runtests: also find the last test in Makefile.inc
   
-  Previously this logic would cap the send to CURL_MAX_WRITE_SIZE bytes,
-  but for the situations where a larger upload buffer has been set, this
-  function can benefit from sending more bytes. With default size used,
-  this does the same as before.
+  Closes #7209
+
+- test3010: work with hyper mode
   
-  Also changed the storage of the size to an 'unsigned int' as it is not
-  allowed to be set larger than 2M.
+  Closes #7209
+
+- configure: disable RTSP when hyper is selected
   
-  Also added cautions to the man pages about changing buffer sizes in
-  run-time.
+  Makes test 1013 work
   
-  Closes #7022
-
-- RELEASE-NOTES: synced
+  Closes #7209
 
-- ngtcp2: fix the cb_acked_stream_data_offset proto
+- test1594/1595/1596: fix to work in hyper mode
   
-  The 'datalen' value should be 64 bit, not size_t!
+  Closes #7209
+
+- test1438/1457: add HTTP keyword to make hyper mode work
   
-  Reported-by: Dmitry Karpov
-  Bug: https://curl.se/mail/lib-2021-05/0019.html
-  Closes #7027
+  Closes #7209
 
-- progress: when possible, calculate transfer speeds with microseconds
+- test1340/1341: adjusted for hyper mode
   
-  ... this improves precision, especially for transfers in the few or even
-  sub millisecond range.
+  Closes #7209
+
+- test1218: adjusted for hyper mode
   
-  Reported-by: J. Bromley
-  Fixes #7017
-  Closes #7020
+  Closes #7209
 
-- http: reset the header buffer when sending the request
+- test1216: adjusted for hyper mode
   
-  A reused transfer handle could otherwise reuse the previous leftover
-  buffer and havoc would ensue.
+  Closes #7209
+
+- test1230: adjust to work in hyper mode
   
-  Reported-by: sergio-nsk on github
-  Fixes #7018
-  Closes #7021
+  Closes #7209
 
-- curl_mprintf.3: add description
+- c-hyper: abort CONNECT response reading early on non 2xx responses
   
-  These functions have existed in the API since the dawn of time. It is
-  about time we describe how they work, even if we discourage users from
-  using them.
+  Fixes test 493
   
-  Closes #7010
+  Closes #7209
 
-- [Timothy Gu brought this change]
+- test434: add HTTP keyword
+  
+  Closes #7209
 
-  URL-SYNTAX: update IDNA section for WHATWG spec changes
+- test599: adjusted to work in hyper mode
   
-  WHATWG URL has dictated the use of Nontransitional Processing (IDNA
-  2008) for several years now. Chrome (and derivatives) still use
-  Transitional Processing, but Firefox and Safari have both switched.
+  Closes #7209
+
+- c-hyper: fix the uploaded field in progress callbacks
   
-  Also document the fact that winidn functions differently from libidn2
-  here.
+  Makes test 578 work
   
-  Closes #7026
-
-- [Calvin Buckley brought this change]
+  Closes #7209
 
-  INSTALL: add IBM i specific quirks
+- test566: adjust to work with hyper mode
   
-  Fixes #6830
-  Closes #7013
+  Closes #7209
 
-- libcurl.3: mention the URL API
+- [Fawad Mirza brought this change]
+
+  CURLOPT_WRITEFUNCTION.3: minor update of the example
   
-  To make it easier to find. Also a minor polish of libcurl-url.3
+  Safely avoid chunk.size garbage value if declared non globally.
   
-  Closes #7009
+  Closes #7219
 
-- GnuTLS: don't allow TLS 1.3 for versions that don't support it
+- [Bastian Krause brought this change]
+
+  configure: rename get-easy-option configure option to get-easy-options
   
-  Follow-up to 781864bedbc5
+  "get-easy-options" is the configure option advertised by the help text
+  anyway, so use that.
   
-  ... as they don't understand it and will return error at us!
+  Fixes #7211
+  Closes #7213
   
-  Closes #7014
+  Follow-up to ad691b191 ("configure: added --disable-get-easy-options")
+  Suggested-by: Daniel Stenberg <daniel@haxx.se>
+  Signed-off-by: Bastian Krause <bst@pengutronix.de>
 
-Kamil Dudka (6 May 2021)
-- tool_getparam: handle failure of curlx_convert_tchar_to_UTF8()
+- runtests: skip disabled tests unless -f is used
   
-  Reported by GCC analyzer:
+  To make it easier to write ranges like '115 to 229' without that
+  explicitly enabling tests that are listed in DISABLED, this makes
+  runtests always skip disabled tests unless the -f command line option is
+  used.
   
-  Error: GCC_ANALYZER_WARNING (CWE-476):
-  src/tool_getparam.c: scope_hint: In function 'parse_args'
-  src/tool_getparam.c:2318:38: warning[-Wanalyzer-possible-null-dereference]: dereference of possibly-NULL 'orig_opt'
-  lib/curlx.h:56: included_from: Included from here.
-  src/tool_getparam.c:28: included_from: Included from here.
-  lib/curl_multibyte.h:70:51: note: in definition of macro 'curlx_convert_tchar_to_UTF8'
-  src/tool_getparam.c:2316:16: note: in expansion of macro 'curlx_convert_tchar_to_UTF8'
+  Previously the code attempted to not run such tests, but didn't do it
+  correctly.
   
-  Reviewed-by: Marcel Raad
-  Reviewed-by: Daniel Stenberg
-  Closes #7023
+  Closes #7212
 
-Daniel Stenberg (6 May 2021)
-- scripts/delta: also show total number of days
+- [Jun-ya Kato brought this change]
 
-Marc Hoersken (5 May 2021)
-- sockfilt: fix invalid increment of handles index variable nfd
+  ngtcp2: disable TLSv1.3 compatible mode when using GnuTLS
   
-  Only increment the array index if we actually stored a handle.
+  The latest GnuTLS-3.7.2 implements disable switch for TLSv1.3 compatible
+  mode for middle box but it is enabled by default, which is unnecessary
+  for QUIC.
   
-  Follow up to e917492048f4b85a0fd58a033d10072fc7666c3b
-  Closes #6992
+  Fixes #6896
+  Closes #7202
 
-- sockfilt: avoid getting stuck waiting for writable socket
-  
-  Reset FD_WRITE event using the same approach as in multi.c
+- test644: remove as duplicate of test 587
   
-  Follow up to b36442b24305f3cda7c13cc64b46838995a4985b
-  Closes #6992
+  Closes #7208
 
-Jay Satiro (5 May 2021)
-- test678: Fix for Windows multibyte builds
+Daniel Gustafsson (8 Jun 2021)
+- RELEASE-NOTES: synced
+
+- cookies: track expiration in jar to optimize removals
   
-  Follow-up to 77fc385 from yesterday.
+  Removing expired cookies needs to be a fast operation since we want to
+  be able to perform it often and speculatively. By tracking the timestamp
+  of the next known expiration we can exit early in case the timestamp is
+  in the future.
   
-  Bug: https://github.com/curl/curl/pull/6662#issuecomment-832966557
-  Reported-by: Marc Hörsken
-
-- [Dmitry Kostjuchenko brought this change]
+  Closes: #7172
+  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
 
-  build: fix compilation for Windows UWP platform
+Daniel Stenberg (7 Jun 2021)
+- GHA: add several libcurl tests to the hyper job
   
-  - Include afunix.h which is necessary for sockaddr_un when
-    USE_UNIX_SOCKETS is defined on Windows.
+  500 to 512
+
+- test500: adjust to work with hyper mode
+
+- c-hyper: support CURLINFO_STARTTRANSFER_TIME
   
-  Closes https://github.com/curl/curl/pull/7006
+  Closes #7204
 
-Daniel Stenberg (5 May 2021)
-- gnutls: make setting only the MAX TLS allowed version work
+- c-hyper: support CURLOPT_HEADER
   
-  Previously, settting only the max allowed TLS version, leaving the
-  minimum one at default, didn't actually set it and left it to default
-  (TLS 1.3) too!
+  When enabled, the headers are passed to the body write callback as well.
   
-  As a bonus, this change also removes the dead code handling of SSLv3
-  since that version can't be set anymore (since eff614fb0242cb).
+  Like in test 500
   
-  Reported-by: Daniel Carpenter
-  Fixes #6998
-  Closes #7000
+  Closes #7204
 
-- openldap: replace ldap_ prefix on private functions
+- GHA: run the newly fixed tests with hyper
   
-  Since openldap itself uses that prefix and with OpenĹDAP 2.5.4 (at
-  least) there's a symbol collision because of that.
+  Closes #7205
+
+- test433: adjust for hyper mode
   
-  The private functions now use the 'oldap_' prefix where it previously
-  used 'ldap_'.
+  Closes #7205
+
+- test395: hyper cannot work around > 64 bit content-lengths like built-in
   
-  Reported-by: 3eka on github
-  Fixes #7004
-  Closes #7005
+  Closes #7205
 
-Jay Satiro (5 May 2021)
-- http2: fix potentially uninitialized variable
+- test394: hyper returns a different error
   
-  introduced several days ago in 3193170. caught by visual studio linker.
+  Closes #7205
 
-- [Gilles Vollant brought this change]
+- test393: make Content-Length fit within 64 bit for hyper
+  
+  Closes #7205
 
-  SSL: support in-memory CA certs for some backends
+- test347: CRLFify to work in hyper mode
   
-  - New options CURLOPT_CAINFO_BLOB and CURLOPT_PROXY_CAINFO_BLOB to
-    specify in-memory PEM certificates for OpenSSL, Schannel (Windows)
-    and Secure Transport (Apple) SSL backends.
+  Closes #7205
+
+- test339: CRLFify better to work in hyper mode
   
-  Prior to this change PEM certificates could only be imported from a file
-  and not from memory.
+  Closes #7205
+
+- travis: remove the hyper build
+
+- GHA: add a linux-hyper job
   
-  Co-authored-by: moparisthebest@users.noreply.github.com
+  Closes #7206
+
+- test328: avoid a header-looking body to make hyper mode work
   
-  Ref: https://github.com/curl/curl/pull/4679
-  Ref: https://github.com/curl/curl/pull/5677
-  Ref: https://github.com/curl/curl/pull/6109
+  The test still works the same, just modified two bytes in the content.
   
-  Closes https://github.com/curl/curl/pull/6662
+  Closes #7203
 
-Daniel Stenberg (4 May 2021)
-- [David Cook brought this change]
+- release-notes.pl: also spot common 'closes' typo
 
-  tests: ignore case of chunked hex numbers in tests
-  
-  When hyper is used, it emits uppercase hexadecimal numbers for chunked
-  encoding lengths. Without hyper, lowercase hexadecimal numbers are used.
-  This change adds preprocessor statements to tests where this is an
-  issue, and adapts the fixtures to match.
+- metalink: remove
   
-  Closes #6987
-
-- cmake: check for getppid and utimes
+  Warning: this will make existing curl command lines that use metalink to
+  stop working.
   
-  ... as they're checked for in the configure script and are used by
-  source code.
+  Reasons for removal:
   
-  Removed checks for perror, setvbuf and strlcat since those defines are
-  not checked for in source code.
+  1. We've found several security problems and issues involving the
+     metalink support in curl. The issues are not detailed here. When
+     working on those, it become apparent to the team that several of the
+     problems are due to the system design, metalink library API and what
+     the metalink RFC says. They are very hard to fix on the curl side
+     only.
   
-  Bonus: removed HAVE_STRLCPY from a few config-*.h files since that
-  symbol is not used in source code.
+  2. The metalink usage with curl was only very briefly documented and was
+     not following the "normal" curl usage pattern in several ways, making
+     it surprising and non-intuitive which could lead to further security
+     issues.
   
-  Closes #6997
-
-- libtest: remove lib530.c
+  3. The metalink library was last updated 6 years ago and wasn't so
+     active the years before that either. An unmaintained library means
+     there's a security problem waiting to happen. This is probably reason
+     enough.
   
-  Follow up from e50a877df when test 530 was removed. Since then this
-  source file has not been used/needed.
+  4. Metalink requires an XML parsing library, which is complex code (even
+     the smaller alternatives) and to this day often gets security
+     updates.
   
-  Closes #6999
-
-- FILEFORMAT: mention sectransp as a feature
+  5. Metalink is not a widely used curl feature. In the 2020 curl user
+     survey, only 1.4% of the responders said that they'd are using it. In
+     2021 that number was 1.2%. Searching the web also show very few
+     traces of it being used, even with other tools.
   
-  Been supported since at least 40259ca65
+  6. The torrent format and associated technology clearly won for
+     downloading large files from multiple sources in parallel.
   
-  Closes #7001
-
-- RELEASE-NOTES: synced
+  Cloes #7176
 
-- libssh2: ignore timeout during disconnect
+- docs/INSTALL: remove mentions of configure --with-darwin-ssl
   
-  ... to avoid memory leaks!
+  ... as it isn't supported since a while back.
   
-  libssh2 is tricky as we have to deal with the non-blockiness even in
-  close and shutdown cases. In the cases when we shutdown after a timeout
-  already expired, it is crucial that curl doen't let the timeout abort
-  the shutdown process as that then leaks memory!
+  Make configure fail with a warning if used.
   
-  Reported-by: Benjamin Riefenstahl
-  Fixes #6990
+  Reported-by: Vadim Grinshpun
+  Bug: https://curl.se/mail/lib-2021-06/0008.html
+  Closes #7200
 
-- KNOWN_BUGS: add two HTTP/2 bugs
+- RELEASE-NOTES: synced
 
-- KNOWN_BUGS: add three HTTP/3 issues
+- [Gregor Jasny brought this change]
+
+  cmake: Avoid leaking absolute paths into exported config
   
-  ... and moved the HTTP/2 issues to its own section
+  The `find_libarary` command resolves the library or framework
+  into an absolute path. In case of system frameworks which are
+  located within an Xcode-provided SDK this results in the Xcode
+  path and SDK version being part of the library path.
   
-  Closes #6606
-  Closes #6510
-  Closes #6494
-
-- [ejanchivdorj brought this change]
-
-  CURLcode: add CURLE_SSL_CLIENTCERT
+  Because those library paths end up in the exported CMake config
+  importing curl will fail once the Xcode location or SDK version
+  changes:
   
-  When a TLS server requests a client certificate during handshake and
-  none can be provided, libcurl now returns this new error code
-  CURLE_SSL_CLIENTCERT
+  ```cmake
+  set_target_properties(CURL::libcurl PROPERTIES
+    INTERFACE_INCLUDE_DIRECTORIES "${_IMPORT_PREFIX}/include"
+    INTERFACE_LINK_LIBRARIES "lber;ldap;/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.3.sdk/System/Library/Frameworks/SystemConfiguration.framework;OpenSSL::SSL;OpenSSL::Crypto;ZLIB::ZLIB"
+  )
+  ```
   
-  Only supported by Secure Transport and OpenSSL for TLS 1.3 so far.
+  A work-around is to link against system-level frameworks with
+  `-framework XYZ`. In case of `SystemConfiguration` we might be able
+  to omit the lookup-check because we could assume the framework is
+  always present.
   
-  Closes #6721
+  Closes #7152
 
-- [Tobias Gabriel brought this change]
+- [Shikha Sharma brought this change]
 
-  .github/FUNDING: add link to GitHub sponsors
+  http2_connisdead: handle trailing GOAWAY better
   
-  Closes #6985
-
-- [Harry Sintonen brought this change]
-
-  krb5/name_to_level: replace checkprefix with curl_strequal
+  When checking the connection the input processing returns error
+  immediately, we now consider that a dead connnection.
   
-  Closes #6993
+  Bug: https://curl.se/mail/lib-2021-06/0001.html
+  Closes #7192
 
-- [Harry Sintonen brought this change]
+- [Dmitry Karpov brought this change]
 
-  Curl_input_digest: require space after Digest
+  ares: always store IPv6 addresses first
   
-  Closes #6993
-
-- [Harry Sintonen brought this change]
-
-  Curl_http_header: check for colon when matching Persistent-Auth
+  Trying dual-stack on some embedded platform, I noticed that quite
+  frequently (20%) libCurl starts from IPv4 regardless the Happy Eyeballs
+  timeout value.  After debugging this issue, I noticed that this happens
+  if c-ares resolver response for IPv6 family comes before IPv4 (which was
+  randomly happening in my tests).
   
-  Closes #6993
-
-- [Harry Sintonen brought this change]
-
-  Curl_http_input_auth: require valid separator after negotiation type
+  In such cases, because libCurl puts the last resolver response on top of
+  the address list, when IPv4 resolver response comes after IPv6 one - the
+  IPv4 family starts the connection phase instead of IPv6 family.
   
-  Closes #6993
-
-- http: fix the check for 'Authorization' with Bearer
+  The solution for this issue is to always put IPv6 addresses on top of
+  the address list, regardless the order of resolver responses.
   
-  The code would wrongly check for it using an additional colon.
+  Bug: https://curl.se/mail/lib-2021-06/0003.html
   
-  Reported-by: Blake Burkhart
-  Closes #6988
-
-- [Kamil Dudka brought this change]
+  Closes #7188
 
-  http2: fix a resource leak in push_promise()
+- Revert "Revert "socketpair: fix potential hangs""
   
-  ... detected by Coverity:
+  This reverts commit 3e70c3430a370a31eff2c1d8fea29edaca8f1127.
   
-  Error: RESOURCE_LEAK (CWE-772):
-  lib/http2.c:532: alloc_fn: Storage is returned from allocation function "duphandle".
-  lib/http2.c:532: var_assign: Assigning: "newhandle" = storage returned from "duphandle(data)".
-  lib/http2.c:552: noescape: Resource "newhandle" is not freed or pointed-to in "set_transfer_url".
-  lib/http2.c:555: leaked_storage: Variable "newhandle" going out of scope leaks the storage it points to.
+  Thus brings back the change from #7144 as was originally landed in
+  c769d1eab4de8b
   
-  Closes #6986
+  Closes #7144 (again)
 
-- [Kamil Dudka brought this change]
+- [Ebe Janchivdorj brought this change]
 
-  http2: fix resource leaks in set_transfer_url()
-  
-  ... detected by Coverity:
+  schannel: move code out of SChannel_connect_step1
   
-  Error: RESOURCE_LEAK (CWE-772):
-  lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
-  lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
-  lib/http2.c:486: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.]
-  lib/http2.c:488: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
+  Reviewed-by: Marc Hoersken
+  Closes #7168
+
+- tests/data/Makefile.inc: error: trailing backslash on last line
   
-  Error: RESOURCE_LEAK (CWE-772):
-  lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
-  lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
-  lib/http2.c:493: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.]
-  lib/http2.c:495: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
+  Follow-up to d8dcb399b8009d
+
+- TODO: Support rate-limiting for MQTT
+
+- [Dmitry Kostjuchenko brought this change]
+
+  warnless: simplify type size handling
   
-  Error: RESOURCE_LEAK (CWE-772):
-  lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
-  lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
-  lib/http2.c:500: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.]
-  lib/http2.c:502: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
+  By using sizeof(T), existing defines and relying on the compiler to
+  define the required signed/unsigned mask.
   
-  Error: RESOURCE_LEAK (CWE-772):
-  lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
-  lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
-  lib/http2.c:505: noescape: Resource "u" is not freed or pointed-to in "curl_url_get". [Note: The source code implementation of the function has been overridden by a builtin model.]
-  lib/http2.c:507: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
+  Closes #7181
+
+Gisle Vanem (4 Jun 2021)
+- [Win32] Fix for USE_WATT32
   
-  Closes #6986
+  My Watt-32 tcp/ip stack works on Windows but it does not have `WSAIoctl()`
 
-- [Jacob Hoffman-Andrews brought this change]
+Daniel Stenberg (4 Jun 2021)
+- [Alexis Vachette brought this change]
 
-  rustls: use ALPN
+  url: bad CURLOPT_CONNECT_TO syntax now returns error
   
-  Update required rustls to 0.5.0
+  Added test 3020 to verify
   
-  Closes #6960
-
-- [Michał Antoniak brought this change]
+  Closes #7183
 
-  gskit: fix CURL_DISABLE_PROXY build
+- github: remove the cmake macOS gcc-8 jobs
   
-  Removed localfd and remotefd from ssl_backend_data (ued only with proxy
-  connection). Function pipe_ssloverssl return always 0, when proxy is not
-  used.
+  They're too similar to the gcc-9 ones to be useful (and seems to not
+  work anymore).
   
-  Closes #6981
-
-- [Michał Antoniak brought this change]
+  Closes #7187
 
-  gskit: fix undefined reference to 'conn'
+- test269: disable for hyper
   
-  Closes #6980
-
-- [Jacob Hoffman-Andrews brought this change]
+  --ignore-content-length / CURLOPT_IGNORE_CONTENT_LENGTH doesn't work
+  with hyper.
+  
+  Closes #7184
 
-  tls: add USE_HTTP2 define
+- runtests: enable 'hyper mode' only for HTTP tests
   
-  This abstracts across the two HTTP/2 backends: nghttp2 and Hyper.
+  The 'hyper mode' makes line-ending checks work in the test suite for
+  when hyper is used. Now it also requires that HTTP or HTTPS are
+  mentioned as keywords to be enabled so that it doesn't wrongly adjusts
+  tests for other protocols.
   
-  Add our own define for the "h2" ALPN protocol, so TLS backends can use
-  it without depending on a specific HTTP backend.
+  This makes test 271 (TFTP) work again in hyper enabled builds.
   
-  Closes #6959
+  Closes #7185
 
-- [Jacob Hoffman-Andrews brought this change]
+- [Alexis Vachette brought this change]
 
-  lib: fix 0-length Curl_client_write calls
+  hostip: bad CURLOPT_RESOLVE syntax now returns error
   
-  Closes #6954
-
-- [Jacob Hoffman-Andrews brought this change]
+  Added test 3019
+  Fixes #7170
+  Closes #7174
 
-  lib: remove strlen call from Curl_client_write
-  
-  At all call sites with an explicit 0 len, pass an appropriate nonzero
-  len.
+Daniel Gustafsson (3 Jun 2021)
+- cookies: fix typo and expand comment
   
-  Closes #6954
-
-- [Ayushman Singh Chauhan brought this change]
+  Fix a typo in the sorting comment, and while in there elaborate slightly
+  on why creationtime can be used as a tiebreaker.
 
-  docs: camelcase it like GitHub everywhere
+- cookies: remove unused header
   
-  Closes #6979
-
-Jay Satiro (27 Apr 2021)
-- [Lucas Servén Marín brought this change]
+  Commit 1c1d9f1affbd3367bcb24062e261d0ea5d185e3a removed the last use
+  for the inet_pton.h headerfile, this removes the inclusion of the
+  header.
+  
+  Closes: #7182
+  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
 
-  docs: fix typo in fail-with-body doc
+Daniel Stenberg (3 Jun 2021)
+- Revert "socketpair: fix potential hangs"
   
-  This commit fixes a small typo in the documentation for the
-  --fail-with-body flag.
+  This reverts commit c769d1eab4de8b9f1bd84d992c63692fdc43c5be.
   
-  Closes https://github.com/curl/curl/pull/6977
+  See #7144 for details
 
-- lib: fix some misuse of curlx_convert_UTF8_to_tchar
+- [Paul Groke brought this change]
+
+  socketpair: fix potential hangs
   
-  curlx_convert_UTF8_to_tchar must be freed by curlx_unicodefree, but
-  prior to this change some uses mistakenly called free.
+  Fixes potential hang in accept by using select + non-blocking accept.
   
-  I've reviewed all other uses of curlx_convert_UTF8_to_tchar and
-  curlx_convert_tchar_to_UTF8.
+  Fixes potential hang in peer check by replacing the send/recv check with
+  a getsockname/getpeername check.
   
-  Bug: https://github.com/curl/curl/pull/6602#issuecomment-825236763
-  Reported-by: sergio-nsk@users.noreply.github.com
+  Adds length check for returned sockaddr data.
   
-  Closes https://github.com/curl/curl/pull/6938
+  Closes #7144
 
-Daniel Stenberg (27 Apr 2021)
-- ntlm: precaution against super huge type2 offsets
+- runtests: parse data/Makefile.inc instead of using make
   
-  ... which otherwise caused an integer overflow and circumvented the if()
-  conditional size check.
+  The warning about missing entries in that file then doesn't require that
+  the Makefile has been regenerated which was confusing.
   
-  Detected by OSS-Fuzz
-  Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33720
-  Assisted-by: Max Dymond
-  Closes #6975
+  The scan for the test num is a little more error prone than before
+  (since now it doesn't actually verify that it is legitimate Makefile
+  syntax), but I think it is good enough.
+  
+  Closes #7177
 
-- c-hyper: fix unused variable ‘wrote’
+- [Harry Sintonen brought this change]
 
-- libcurl-security.3: be careful of setuid
+  filecheck: quietly remove test-place/*~
   
-  Reported-by: Harry Sintonen
-  Closes #6970
+  Closes #7179
 
-- [Kevin Burke brought this change]
+- CURLE_SETOPT_OPTION_SYNTAX: new error name for wrong setopt syntax
+  
+  For options that pass in lists or strings that are subsequently parsed
+  and must be correct. This broadens the scope for the option previously
+  known as CURLE_TELNET_OPTION_SYNTAX but the old name is of course still
+  provided as a #define for existing applications.
+  
+  Closes #7175
 
-  c-hyper: don't write to set.writeheader if null
+- tests: fix Accept-Encoding strips to work with Hyper builds
   
-  Previously if a caller set CURLOPT_WRITEFUNCTION but did not set a
-  CURLOPT_HEADERDATA buffer, Hyper would still attempt to write headers to
-  the data->set.writeheader header buffer, even though it is null.  This
-  led to NPE segfaults attempting to use libcurl+Hyper with Git, for
-  example.
+  The previous strip also removed the CR which turned problematic.
   
-  Instead, process the client write for the status line using the same
-  logic we use to process the client write for the later HTTP headers,
-  which contains the appropriate guard logic. As a side benefit,
-  data->set.writeheader is now only read in one file instead of two.
+  valgrind.supp: add zstd suppression using hyper
   
-  Fixes #6619
-  Fixes abetterinternet/crustls#49
-  Fixes hyperium/hyper#2438
-  Closes #6971
+  Reported-and-analyzed-by: Kevin Burke
+  Fixes #7169
+  Closes #7171
 
-- wolfssl: handle SSL_write() returns 0 for error
-  
-  Reported-by: Timo Lange
+- github: timeout jobs on macOS after 90 minutes
   
-  Closes #6967
+  Assisted-by: Marc Hoersken
+  Closes #7173
 
-- easy: ignore sigpipe in curl_easy_send
+- [Harry Sintonen brought this change]
+
+  mqtt: detect illegal and too large file size
   
-  Closes #6965
+  Add test 3017 and 3018 to verify.
+  Closes #7166
 
-- sigpipe: ignore SIGPIPE when using wolfSSL as well
+- [Abhinav Singh brought this change]
+
+  cmake: add CURL_DISABLE_NTLM option
   
-  Closes #6966
+  Closes #7028
 
-- libcurl-security.3: don't try to filter IPv4 hosts based on the URL
+- [Abhinav Singh brought this change]
+
+  configure: add --disable-ntlm option
   
-  Closes #6942
+  Closes #7028
 
-- [Harry Sintonen brought this change]
+- [Abhinav Singh brought this change]
 
-  nss_set_blocking: avoid static for sock_opt
+  define: re-add CURL_DISABLE_NTLM and corresponding ifdefs
   
-  Reviewed-by: Kamil Dudka
-  Closes #6945
+  This flag will be further exposed by adding build options.
+  
+  Reverts #6809
+  Closes #7028
 
 - RELEASE-NOTES: synced
 
-- [Yusuke Nakamura brought this change]
+Viktor Szakats (1 Jun 2021)
+- travis: delete --enable-hsts option (it is the default now) [ci skip]
+  
+  Reviewed-by: Daniel Stenberg
+  Closes #7167
 
-  docs/HTTP3.md: fix nghttp2's HTTP/3 server port
+Daniel Stenberg (1 Jun 2021)
+- hostip: fix 3 coverity complaints
   
-  Port 8443 does not work now.
-  Correct origin is in the quicwg's wiki.
-  https://github.com/quicwg/base-drafts/wiki/Implementations#ngtcp2
+  Follow-up to 1a0ebf6632f889eed
   
-  Closes #6964
+  - Check the return code to Curl_inet_pton() in two instances, even
+    though we know the input is valid so the functions won't fail.
+  
+  - Clear the 'struct sockaddr_in' struct before use so that the
+    'sin_zero' field isn't left uninitialized.
+  
+  Detected by Coverity.
+  Assisted-by: Harry Sintonen
+  Closes #7163
 
-- krb5: don't use 'static' to store PBSZ size response
+- c-hyper: fix NTLM on closed connection tested with test159
   
-  ... because it makes the knowledge and usage cross-transfer in funny and
-  unexpected ways.
+  Closes #7154
+
+- conncache: lowercase the hash key for better match
+  
+  As host names are case insensitive, the use of case sensitive hashing
+  caused unnecesary cache misses and therefore lost performance. This
+  lowercases the hash key.
   
   Reported-by: Harry Sintonen
-  Closes #6963
+  Fixes #7159
+  Closes #7161
 
-- [Kevin Burke brought this change]
+- mbedtls: make mbedtls_strerror always work
+  
+  If the function doesn't exist, provide a macro that just clears the
+  error message. Removes #ifdef uses from the code.
+  
+  Closes #7162
 
-  m4: add security frameworks on Mac when compiling rustls
+- vtls: exit addsessionid if no cache is inited
   
-  Previously compiling rustls on Mac would only complete if you also
-  compiled the SecureTransport TLS backend, which curl would prefer to
-  the Rust backend.
+  Follow-up to b249592d29ae0
+  
+  Avoids NULL pointer derefs.
+  
+  Closes #7165
+
+- [Harry Sintonen brought this change]
+
+  Curl_ntlm_core_mk_nt_hash: fix OOM in error path
+  
+  Closes #7164
+
+Michael Kaufmann (1 Jun 2021)
+- ssl: read pending close notify alert before closing the connection
+  
+  This avoids a TCP reset (RST) if the server initiates a connection
+  shutdown by sending an SSL close notify alert and then closes the TCP
+  connection.
+  
+  For SSL connections, usually the server announces that it will close the
+  connection with an SSL close notify alert. curl should read this alert.
+  If curl does not read this alert and just closes the connection, some
+  operating systems close the TCP connection with an RST flag.
+  
+  See RFC 1122, section 4.2.2.13
   
-  Appending these flags to LDFLAGS makes it possible to compile the
-  Rustls backend on Mac without the SecureTransport backend, which means
-  this patch will make it possible for Mac users to use the Rustls
-  backend for TLS.
+  If curl reads the close notify alert, the TCP connection is closed
+  normally with a FIN flag.
   
-  Reviewed-by: Jacob Hoffman-Andrews
+  The new code is similar to existing code in the "SSL shutdown" function:
+  try to read an alert (non-blocking), and ignore any read errors.
   
-  Fixes #6955
-  Cloes #6956
+  Closes #7095
 
-- krb5: remove the unused 'overhead' function
+Daniel Stenberg (1 Jun 2021)
+- [Laurent Dufresne brought this change]
+
+  setopt: fix incorrect comments
   
-  Closes #6947
+  Closes #7157
 
-- [Johann150 brought this change]
+- [Laurent Dufresne brought this change]
 
-  curl_url_set.3: add memory management information
-  
-  wording taken from man page for CURLOPT_URL.3
+  mbedtls: add support for cert and key blob options
   
-  As far as I can see, the URL part is either malloc'ed before due to
-  encoding or it is strdup'ed.
+  CURLOPT_SSLCERT_BLOB and CURLOPT_SSLKEY_BLOB weren't usable with
+  mbedtls backend, so the support was added.
   
-  Closes #6953
+  Closes #7157
 
-- [Jacob Hoffman-Andrews brought this change]
+- [Gregor Jasny brought this change]
 
-  c-hpyer: fix handling of zero-byte chunk from hyper
+  cmake: try well-known send/recv signature for Apple
   
-  Closes #6951
-
-- CURLOPT_POSTFIELDS.3: clarify how it gets the size of the data
+  The CMake `try_compile` command is especially slow for
+  the Xcode generator. With this patch applied it first tests
+  for the currently used (and Open Group specified) send/recv
+  signature. In case this fails testing falls-back to the
+  permutations.
   
-  Ref: https://curl.se/mail/lib-2021-04/0085.html
-  Closes #6943
-
-- [Ralph Langendam brought this change]
-
-  cmake: make libcurl output filename configurable
+  speed-up:
   
-  Reviewed-by: Jakub Zakrzewski
-  Closes #6933
-
-- [Patrick Monnerat brought this change]
+  ```
+  time cmake .. -GNinja -DCMAKE_USE_SECTRANSP=ON -DHTTP_ONLY=ON -DCMAKE_USE_LIBSSH2=OFF
+  before: 11.64s user 11.09s system 55% cpu 40.754 total
+  after:   7.84s user 6.57s  system 51% cpu 28.074 total
+  ```
+  
+  ```
+  time cmake .. -GXcode -DCMAKE_USE_SECTRANSP=ON -DHTTP_ONLY=ON -DCMAKE_USE_LIBSSH2=OFF
+  before: 217.07s user 104.15s system 60% cpu 8:51.79 total
+  after:  108.76s user  51.80s system 58% cpu 4:32.58 total
+  ```
+  
+  Closes #7158
 
-  vtls: reset ssl use flag upon negotiation failure
+- http2: init recvbuf struct for pushed streams
   
-  Fixes the segfault in ldaps disconnect.
+  Debug builds would warn that these structs were not initialized properly
+  for pushed streams.
   
-  Reported-by: Illarion Taev
-  Fixes #6934
-  Closes #6937
+  Ref: #7148
+  Closes #7153
 
-- configure: fix typo in TLS error message
+- Curl_ssl_getsessionid: fail if no session cache exists
   
-  Reported-by: Pontus Lundkvist
+  This function might get called for an easy handle for which the session
+  cache hasn't been setup. It now just returns a "miss" in that case.
+  
+  Reported-by: Christoph M. Becker
+  Fixes #7148
+  Closes #7153
 
-- README: link to the commercial support option
+- GOVERNANCE: add 'user', 'committer' and 'contributor'
+  
+  As those are commonly used terms in the project.
+  
+  Closes #7151
 
-Jay Satiro (22 Apr 2021)
-- [Martin Halle brought this change]
+- URL-SYNTAX.md: document the new 'localhost' treatment
 
-  version: add gsasl_version to curl_version_info_data
+- hostip: make 'localhost' return fixed values
   
-  - Add gsasl_version string and bump to CURLVERSION_TENTH.
+  Resolving the case insensitive host name 'localhost' now returns the
+  addresses 127.0.0.1 and (if IPv6 is enabled) ::1 without using any
+  resolver.
   
-  Ref: https://curl.se/mail/lib-2021-04/0003.html
+  This removes the risk that users accidentally resolves 'localhost' to
+  something else. By making sure 'localhost' is always local, we can
+  assume a "secure context" for such transfers (for cookies etc).
   
-  Closes https://github.com/curl/curl/pull/6843
+  Closes #7039
 
-- [Morten Minde Neergaard brought this change]
+Daniel Gustafsson (31 May 2021)
+- docs: fix typos
 
-  schannel: Support strong crypto option
+Daniel Stenberg (30 May 2021)
+- hsts: ignore numberical IP address hosts
   
-  - Support enabling strong crypto via optional user cipher list when
-    USE_STRONG_CRYPTO or SCH_USE_STRONG_CRYPTO is in the list.
+  Also, use a single function library-wide for detecting if a given hostname is
+  a numerical IP address.
   
-  MSDN says SCH_USE_STRONG_CRYPTO "Instructs Schannel to disable known
-  weak cryptographic algorithms, cipher suites, and SSL/TLS protocol
-  versions that may be otherwise enabled for better interoperability."
+  Reported-by: Harry Sintonen
+  Fixes #7146
+  Closes #7149
+
+- test178: adjust for hyper
   
-  Ref: https://curl.se/mail/lib-2021-02/0066.html
-  Ref: https://curl.se/docs/manpage.html#--ciphers
-  Ref: https://curl.se/libcurl/c/CURLOPT_SSL_CIPHER_LIST.html
-  Ref: https://docs.microsoft.com/en-us/windows/win32/api/schannel/ns-schannel-schannel_cred
+  Hyper returns the same error for wrong HTTP version as for negative
+  content-length. Test 178 verifies that negative content-length is
+  rejected but the hyper backend will return a different error for it (and
+  without any helpful message telling why the message was bad). It will
+  also not return any headers at all for the response, not even the ones
+  that arrived before the error.
   
-  Closes https://github.com/curl/curl/pull/6734
-
-Daniel Stenberg (22 Apr 2021)
-- RELEASE-NOTES: synced
+  Closes #7147
 
-- ci: adapt to configure requiring an explicit TLS choice
+- HYPER: remove mentions of deprecated development branch
 
-- configure: split out each TLS library detector into its own function
+- c-hyper: handle NULL from hyper_buf_copy()
   
-  ... and put those functions in separate m4 files per TLS library.
+  Closes #7143
 
-- configure: make the TLS library choice(s) explicit
+- HSTS: not experimental anymore
+
+- [Douglas R. Reno brought this change]
+
+  INSTALL: use correct extension for CURL-DISABLE.md
   
-  configure no longer tries to find a TLS library by default, but all
-  libraries are now equal: the user needs to explicitly ask what TLS
-  library or libraries to use.
+  In INSTALL.MD, it's currently set to CURL-DISABLE-md instead of
+  CURL-DISABLE.md. This generates a 404 on the cURL website as well as
+  when viewing the docs through Github.
   
-  If no TLS library is selected, configure will error out unless
-  --without-ssl is explicitly used to request a built without TLS (as that
-  is very rare these days).
+  Closes #7142
+
+- travis: run tests 1 - 153 with hyper
+
+- c-hyper: convert HYPERE_INVALID_PEER_MESSAGE to CURLE_UNSUPPORTED_PROTOCOL
   
-  Removes: --with-winssl, --with-darwinssl and all --without-* options for
-  TLS libraries.
+  Makes test 129 work (HTTP/1.2 response).
   
-  Closes #6897
+  Closes #7141
 
-- tests/disable-scan.pl: also scan all m4 files
+- http_proxy: deal with non-200 CONNECT response with Hyper
   
-  Fixes test 1165 when functions are moved from configure.ac to files in
-  m4/
+  Makes test 94 and 95 work
+  
+  Closes #7141
 
-Jay Satiro (22 Apr 2021)
-- schannel: Disable auto credentials; add an option to enable it
+- c-hyper: clear NTLM auth buffer when request is issued
   
-  - Disable auto credentials by default. This is a breaking change
-    for clients that are using it, wittingly or not.
+  To prevent previous ones to get reused on subsequent requests. Matches
+  how the built-in HTTP code works. Makes test 90 to 93 work.
   
-  - New libcurl ssl option value CURLSSLOPT_AUTO_CLIENT_CERT tells libcurl
-    to automatically locate and use a client certificate for
-    authentication, when requested by the server.
+  Add test 90 to 93 in travis.
   
-  - New curl tool options --ssl-auto-client-cert and
-    --proxy-ssl-auto-client-cert map to CURLSSLOPT_AUTO_CLIENT_CERT.
+  Closes #7139
+
+- [Joel Depooter brought this change]
+
+  schannel: set ALPN length correctly for HTTP/2
   
-  This option is only supported for Schannel (the native Windows SSL
-  library). Prior to this change Schannel would, with no notification to
-  the client, attempt to locate a client certificate and send it to the
-  server, when requested by the server. Since the server can request any
-  certificate that supports client authentication in the OS certificate
-  store it could be a privacy violation and unexpected.
+  In a3268eca792f1 this code was changed to use the ALPN_H2 constant
+  instead of the NGHTTP2_PROTO_ALPN constant. However, these constants are
+  not the same. The nghttp2 constant included the length of the string,
+  like this: "\x2h2". The ALPN_H2 constant is just "h2". Therefore we need
+  to re-add the length of the string to the ALPN buffer.
   
-  Fixes https://github.com/curl/curl/issues/2262
-  Reported-by: Jeroen Ooms
-  Assisted-by: Wes Hinsley
-  Assisted-by: Rich FitzJohn
+  Closes #7138
+
+- travis: run tests 1-89 in the hyper build
   
-  Ref: https://curl.se/mail/lib-2021-02/0066.html
-  Reported-by: Morten Minde Neergaard
+  Closes #7137
+
+- Revert "c-hyper: handle body on HYPER_TASK_EMPTY"
   
-  Closes https://github.com/curl/curl/pull/6673
+  This reverts commit c3eefa95c31f55657f0af422e8268d738f689066.
+  
+  Reported-by: Kevin Burke
+  Fixes #7122
+  Closes #7136
 
-Daniel Stenberg (22 Apr 2021)
-- [Michał Antoniak brought this change]
+- [Jon Rumsey brought this change]
 
-  vtls: deduplicate some DISABLE_PROXY ifdefs
+  ccsidcurl: fix the compile errors
   
-  continue from #5735
+  Looks like the declaration of cpp shoule be const char ** and return
+  null if convert_version_info_string fails.
   
-  - using SSL_HOST_NAME, SSL_HOST_DISPNAME, SSL_PINNED_PUB_KEY for other
-    tls backend
+  Fixes #7134
+  Closes #7135
+
+- [Viktor Szakats brought this change]
+
+  docs: use --max-redirs instead of --max-redir
   
-  - create SSL_HOST_PORT
+  For consistency.
   
-  Closes #6660
+  Closes #7130
 
-Jay Satiro (22 Apr 2021)
-- OS400: fix typo
+- RELEASE-NOTES: synced
   
-  CURLVERSION_HEIGHTH -> CURLVERSION_EIGHTH
+  ... and bump to 7.77.1
 
-Daniel Stenberg (22 Apr 2021)
-- checksrc: complain on == NULL or != 0 checks in conditions
-  
-  ... to make them all consistenly use if(!var) and if(var)
-  
-  Also added a few missing warnings to the documentation.
+- [Michael Forney brought this change]
+
+  travis: add bearssl build
   
-  Closes #6912
+  Closes #7133
 
-- tidy-up: make conditional checks more consistent
+- [Michael Forney brought this change]
+
+  bearssl: explicitly initialize all fields of Curl_ssl
   
-  ... remove '== NULL' and '!= 0'
+  Also, add comments like the other vtls backends.
   
-  Closes #6912
+  Closes #7133
 
-- [Patrick Monnerat brought this change]
+- [Michael Forney brought this change]
 
-  vauth: factor base64 conversions out of authentication procedures
+  bearssl: remove incorrect const on variable that is modified
   
-  Input challenges and returned messages are now in binary.
-  Conversions from/to base64 are performed by callers (currently curl_sasl.c
-  and http_ntlm.c).
+  hostname may be set to NULL later on in this function if it is an
+  IP address.
   
-  Closes #6654
+  Closes #7133
 
-- [Patrick Monnerat brought this change]
+Version 7.77.0 (26 May 2021)
 
-  bufref: buffer reference support
+Daniel Stenberg (26 May 2021)
+- RELEASE-NOTES: synced
+
+- THANKS: added contributors from 7.77.0 cycle
+
+- copyright: update copyright year ranges to 2021
+
+- [Radek Zajic brought this change]
+
+  hostip: fix broken macOS/CMake/GCC builds
   
-  A struct bufref holds a buffer pointer, a data size and a destructor.
-  When freed or its contents are changed, the previous buffer is implicitly
-  released by the associated destructor. The data size, although not used
-  internally, allows binary data support.
+  Follow-up to 31f631a142d855f06
   
-  A unit test checks its handling methods: test 1661
+  Fixes #7128
+  Closes #7129
+
+- TODO: netrc caching and sharing
   
-  Closes #6654
+  URL: https://curl.se/mail/archive-2021-05/0018.html
 
-- [Patrick Monnerat brought this change]
+- [Orgad Shaneh brought this change]
 
-  os400: additional support for options metadata
-  
-  New functions curl_easy_option_by_name_ccsid() and
-  curl_easy_option_get_name_ccsid() allows accessing metadata in alternate
-  character encoding.
-  
-  This commit also updates curl_version_info_ccsid() to handle info version 9
-  and adds recent definitions to the ILE/RPG include file.
+  setopt: streamline ssl option code
   
-  Documentation updated accordingly.
+  Make it use the same style as the code next to it
   
-  Reviewed-by: Jon Rumsey
-  Closes #6574
+  Closes #7123
 
-- [Patrick Monnerat brought this change]
+- [Radek Zajic brought this change]
 
-  test server: take care of siginterrupt() deprecation
+  lib/hostip6.c: make NAT64 address synthesis on macOS work
   
-  Closes #6529
+  Closes #7121
 
-Marc Hoersken (21 Apr 2021)
-- lib1564.c: enable last wakeup test part on Windows
-  
-  Suggested-by: Gergely Nagy
-  Reviewed-by: Jay Satiro
-  Reviewed-by: Marcel Raad
-  
-  Closes #6245
+- [ejanchivdorj brought this change]
 
-- multi: fix slow write/upload performance on Windows
-  
-  Reset FD_WRITE by sending zero bytes which is permissible
-  and will be treated by implementations as successful send.
+  sectransp: fix EXC_BAD_ACCESS caused by uninitialized buffer
   
-  Without this we won't be notified in case a socket is still
-  writable if we already received such a notification and did
-  not send any data afterwards on the socket. This would lead
-  to waiting forever on a writable socket being writable again.
+  When the SecCertificateCopyCommonName function fails, it leaves
+  common_name in a invalid state so CFStringCompare uses the invalid
+  result, causing EXC_BAD_ACCESS.
   
-  Assisted-by: Tommy Odom
-  Reviewed-by: Jay Satiro
-  Reviewed-by: Marcel Raad
-  Tested-by: tmkk on github
+  The fix is to check the return value of the function before using the
+  name.
   
-  Bug: #6146
-  Closes #6245
+  Closes #7126
 
-- multi: reduce Win32 API calls to improve performance
+- [Paweł Wegner brought this change]
+
+  CMake: add CURL_ENABLE_EXPORT_TARGET option
   
-  1. Consolidate pre-checks into a single Curl_poll call:
+  install(EXPORT ...) causes trouble when embedding curl dependencies
+  which don't provide install(EXPORT ...) targets (e.g libressl and
+  nghttp2) with cmake's add_subdirectory.
   
-  This is an attempt to restructure the code in Curl_multi_wait
-  in such a way that less syscalls are made by removing individual
-  calls to Curl_socket_check via SOCKET_READABLE/SOCKET_WRITABLE.
+  Reviewed-by: Jakub Zakrzewski
+  Closes #7060
+
+- [Alessandro Ghedini brought this change]
+
+  quiche: update for network path aware API
   
-  2. Avoid resetting the WinSock event multiple times:
+  Latest version of quiche requires the application to pass the peer
+  address of received packets, and it provides the address for outgoing
+  packets back.
   
-  We finally call WSAResetEvent anyway, so specifying it as
-  an optional parameter to WSAEnumNetworkEvents is redundant.
+  Closes #7120
+
+- [Jacob Hoffman-Andrews brought this change]
+
+  rustls: switch read_tls and write_tls to callbacks
   
-  3. Wakeup directly in case no sockets are being monitoring:
+  And update to 0.6.0, including a rename from session to connection for
+  many fields.
   
-  Fix the WinSock based implementation to skip extra waiting by
-  not sleeping in case no sockets are to be waited on and just
-  the WinSock event is being monitored for wakeup functionality.
+  Closes #7071
+
+- [Koichi Shiraishi brought this change]
+
+  sectransp: fix 7f4a9a9b2a49 commit about missing comma
   
-  Assisted-by: Tommy Odom
-  Reviewed-by: Jay Satiro
-  Reviewed-by: Marcel Raad
+  Follow-up to 7f4a9a9b2a495
   
-  Bug: #6146
-  Closes #6245
+  Closes #7119
 
-- Revert "Revert 'multi: implement wait using winsock events'"
-  
-  This reverts commit 2260e0ebe6d45529495231b3e37a0c58fb92a6a2,
-  also restoring previous follow up changes which were reverted.
+- [Harry Sintonen brought this change]
+
+  openssl: associate/detach the transfer from connection
   
-  Authored-by: rcombs on github
-  Authored-by: Marc Hörsken
-  Reviewed-by: Jay Satiro
-  Reviewed-by: Marcel Raad
+  CVE-2021-22901
   
-  Restores #5634
-  Reverts #6281
-  Part of #6245
+  Bug: https://curl.se/docs/CVE-2021-22901.html
 
-Daniel Stenberg (21 Apr 2021)
-- Revert "cmake: make libcurl library output name configurable"
+- [Harry Sintonen brought this change]
+
+  telnet: check sscanf() for correct number of matches
   
-  This reverts commit 1cba36d2166c396f987eea587cf92671b27acb92.
+  CVE-2021-22898
   
-  CMake provides properties that can be set on a target to rename the
-  output artifact without changing the name of a target.
+  Bug: https://curl.se/docs/CVE-2021-22898.html
+
+- schannel: don't use static to store selected ciphers
   
-  Ref: #6899
+  CVE-2021-22897
+  
+  Bug: https://curl.se/docs/CVE-2021-22897.html
 
-- [Michael Kolechkin brought this change]
+- docs/tests: remove freenode references
 
-  sectransp: allow cipher name to be specified
-  
-  Add parser for CURLOPT_SSL_CIPHER_LIST option for Secure Transport (ST)
-  back-end. Similar to NSS and GSKit back-ends, new code parses string
-  value and configures ST library to use those ciphers for communication.
-  Create cipher spec data structure and initialize the array of specs with
-  cipher number, name, alias, and 'weak' flag.
+- RELEASE-NOTES: synced
+
+- [Sergey Markelov brought this change]
+
+  NSS: make colons, commas and spaces valid separators in cipher list
   
-  Mark triple-DES ciphers as 'weak', and exclude them from the default
-  ciphers list.
+  Fixes #7110
+  Closes #7115
+
+- curl: include libmetalink version in --version output
   
-  Closes #6464
+  Closes #7112
 
-- [Michael Kolechkin brought this change]
+Jay Satiro (21 May 2021)
+- [Matias N. Goldberg brought this change]
 
-  NSS: add ciphers to map
+  cmake: Use multithreaded compilation on VS 2008+
   
-  Add cipher names to the `cipherlist` map, based on the list of ciphers
-  implemented by the NSS in the source code file
-  https://github.com/nss-dev/nss/blob/master/lib/ssl/sslenum.c
+  Multithreaded compilation has been supported since at least VS 2005 and
+  been robustly stable since at least VS 2008
   
-  Closes #6670
+  Closes https://github.com/curl/curl/pull/7109
 
-- http2: remove DEBUG_HTTP2
+Daniel Stenberg (21 May 2021)
+- [Matias N. Goldberg brought this change]
+
+  cmake: fix two invokes result in different curl_config.h
   
-  Accidentally committed in 605e84235
+  Fixes #7100
+  Closes #7101
+  
+  Reviewed-by: Jakub Zakrzewski
+  Signed-off-by: Matias N. Goldberg <dark_sylinc@yahoo.com.ar>
 
-- [Ralph Langendam brought this change]
+- [Peng-Yu Chen brought this change]
 
-  cmake: make libcurl library output name configurable
+  cmake: detect CURL_SA_FAMILY_T
   
-  Closes #6899
+  Fixes #7049
+  Closes #7065
 
-- sws: #ifdef S_IFSOCK use
-  
-  SCO OpenServer 5.0.7 does not define S_IFSOCK.
-  
-  Reported-by: Kevin R. Bulgrien
-  Bug: https://curl.se/mail/lib-2021-04/0074.html
-  Closes #6926
+- [Lucas Clemente Vella brought this change]
 
-- curl_setup: provide the shutdown flags wider
+  CURLOPT_IPRESOLVE: preventing wrong IP version from being used
   
-  By using #ifdef on the symbol names to work on anything that don't
-  provide them. SCO OpenServer 5.0.7, sys/socket.h does not define either
-  SHUT_RDWR, SHUT_RD, and SHUT_WR.
+  In some situations, it was possible that a transfer was setup to
+  use an specific IP version, but due do DNS caching or connection
+  reuse, it ended up using a different IP version from requested.
   
-  Reported-by: Kevin R. Bulgrien
-  Bug: https://curl.se/mail/lib-2021-04/0073.html
-  Closes #6925
-
-- connect: use CURL_SA_FAMILY_T for portability
+  This commit changes the effect of CURLOPT_IPRESOLVE from simply
+  restricting address resolution to preventing the wrong connection
+  type being used, when choosing a connection from the pool, and
+  to restricting what addresses could be used when establishing
+  a new connection.
   
-  Reported-by: Kevin R. Bulgrien
-  Bug: https://curl.se/mail/lib-2021-04/0071.html
+  It is important that all addresses versions are resolved, even if
+  not used in that transfer in particular, because the result is
+  cached, and could be useful for a different transfer with a
+  different CURLOPT_IPRESOLVE setting.
   
-  Closes #6918
+  Closes #6853
 
-- urlapi: make sure no +/- signs are accepted in IPv4 numericals
-  
-  Follow-up to 56a037cc0ad1b2. Extends test 1560 to verify.
-  
-  Reported-by: Tuomas Siipola
-  Fixes #6916
-  Closes #6917
+- [Oliver Urbann brought this change]
 
-- ConnectionExists: respect requests for h1 connections better
+  AmigaOS: add functions definitions for SHA256
   
-  ... for situations when multiplexing isn't enabled on the h2 connection
-  and h1 is explicitly requested for the transfer.
+  AmiSSL replaces many functions with macros. Curl requires pointer
+  to some of these functions. Thus, we have to encapsulate these macros:
+  SHA256_Init, SHA256_Update, SHA256_Final, X509_INFO_free.
   
-  Assisted-by: Gergely Nagy
-
-- multi: don't close connection HTTP_1_1_REQUIRED
+  Bug: https://github.com/jens-maus/amissl/issues/15
+  Co-authored-by: Daniel Stenberg <daniel@haxx.se>
   
-  The ConnectionExists() function will note that the new transfer wants
-  less then h2 and that it can't multiplex it and therefor opt to open a
-  new connection instead.
+  Closes #7099
 
-- http2: move the stream error field to the per-transfer storage
-  
-  Storing a stream error in the per-connection struct was an error that lead to
-  race conditions as subsequent stream handling could overwrite the error code
-  before it was used for the stream with the actual problem.
+- test2100: make it run with and require IPv6
   
-  Closes #6910
+  Closes #7083
 
-- http2: call the handle-closed function correctly on closed stream
-  
-  This was this one condition where the stream could be closed due to an
-  error and the function would still wrongly just return 0 for it.
+- tests/getpart: generate output URL encoded for better diffs
   
-  Reported-by: Gergely Nagy
-  Fixes #6862
-  Closes #6910
+  Closes #7083
 
-- test1660: check the created HSTS file as text mode
+- [Ryan Beck-Buysse brought this change]
+
+  docs/TheArtOfHttpScripting: fix markdown links
   
-  Closes #6922
+  extra parens cause the links to be incorrectly formatted
+  and inconsistent with the rest of the document.
+  
+  Signed-off-by: Ryan Beck-Buysse <rbuysse@gmail.com>
+  Closes #7097
 
 - RELEASE-NOTES: synced
 
-- test 493: require https in curl to run
-  
-  Closes #6927
+- [Emil Engler brought this change]
 
-Jay Satiro (20 Apr 2021)
-- tool_operate: don't discard failed parallel transfer result
+  docs: replace dots with dashes in markdown enums
   
-  - Save a parallel transfer's result code only when it fails and the
-    transfer is not being retried.
+  We use dashes instead of dots nearly everywhere except for those few
+  cases. This commit addresses this issues and brings more coherency into
+  it.
   
-  Prior to this change the result code was always set which meant that a
-  failed result could be erroneously discarded if a different transfer
-  later had a successful result (CURLE_OK).
+  Closes #7093
+
+- [Emil Engler brought this change]
+
+  docs: improve INTERNALS.md regarding getsock cb
   
-  Before:
+  This adds the I/O prefix to indicate that those "actions" are kind-of
+  related to those found in select(2) or poll(2) (reading/writing).
   
-  > curl --fail -Z https://httpbin.org/status/404 https://httpbin.org/delay/10
-  > echo %ERRORLEVEL%
-  0
+  It also adds a note where the prototypes of those functions can be found
+  in the source code.
   
-  After:
+  Closes #7092
+
+- [Emil Engler brought this change]
+
+  docs: document attach in INTERNALS.md
   
-  > curl --fail -Z https://httpbin.org/status/404 https://httpbin.org/delay/10
-  > echo %ERRORLEVEL%
-  22
+  The new field in the Curl_handler struct still lacks documentation. This
+  adds it it from the information extracted from lib/urldata.h:797
   
-  Closes #xxxx
+  Closes #7091
 
-- [Georeth Zhou brought this change]
+- [Marc Aldorasi brought this change]
 
-  openssl: fix build error with OpenSSL < 1.0.2
+  config: remove now-unused macros
   
-  Closes https://github.com/curl/curl/pull/6920
+  Closes #7094
 
-Viktor Szakats (19 Apr 2021)
-- README.md: delete Codacy UTM parameters & follow permanent redirect [ci skip]
-  
-  UTM parameters leak referrer and various marketing/tracking information
-  even if these would normally be stripped by website or client policy.
-  This link also works fine without them. Also took the opportunity to
-  update the URL to the one pointed to by the previous one via permanent
-  redirect.
+- [Marc Aldorasi brought this change]
+
+  hostip.h: remove declaration of unimplemented function
   
-  Reviewed-by: Daniel Stenberg
-  Closes #6919
+  Closes #7094
 
-Daniel Stenberg (19 Apr 2021)
-- urlapi: "normalize" numerical IPv4 host names
+- h3: add 'attach' callback to protocol handlers
   
-  When the host name in a URL is given as an IPv4 numerical address, the
-  address can be specified with dotted numericals in four different ways:
-  a32, a.b24, a.b.c16 or a.b.c.d and each part can be specified in
-  decimal, octal (0-prefixed) or hexadecimal (0x-prefixed).
+  Follow-up to 0c55fbab45be
   
-  Instead of passing on the name as-is and leaving the handling to the
-  underlying name functions, which made them not work with c-ares but work
-  with getaddrinfo, this change now makes the curl URL API itself detect
-  and "normalize" host names specified as IPv4 numericals.
+  Reviewed-by: Emil Engler
+  Closes #7090
+
+- wolfssl: remove SSLv3 support leftovers
   
-  The WHATWG URL Spec says this is an okay way to specify a host name in a
-  URL. RFC 3896 does not allow them, but curl didn't prevent them before
-  and it seems other RFC 3896-using tools have not either. Host names used
-  like this are widely supported by other tools as well due to the
-  handling being done by getaddrinfo and friends.
+  Closes #7088
+
+- curl-wolfssl.m4: without custom include path, assume /usr/include
   
-  I decided to add the functionality into the URL API itself so that all
-  users of these functions get the benefits, when for example wanting to
-  compare two URLs. Also, it makes curl built to use c-ares now support
-  them as well and make curl builds more consistent.
+  ... so that we can point out the root of the OpenSSL emulation headers.
+  Previously this used the '$includedir' variable which is wrong since
+  that defaults to the dir where the current configure invoke will install
+  the built libcurl headers: /usr/local by default.
   
-  The normalization makes HTTPS and virtual hosted HTTP work fine even
-  when curl gets the address specified using one of the "obscure" formats.
+  Fixes #7085
+  Reported-by: Joel Jakobsson
+  Closes #7087
+
+- [Joel Depooter brought this change]
+
+  data_pending: check only SECONDARY socket for FTP(S) transfers
   
-  Test 1560 is extended to verify.
+  Check the FIRST for all other protocols.
   
-  Fixes #6863
-  Closes #6871
+  This fixes a timeout in an ftps download. The server sends a TLS
+  close_notify message in the same packet as the file data. The
+  close_notify seems to not be handled in the schannel_recv function, so
+  libcurl is not aware that the server has closed the connection. Thus
+  libcurl ends up waiting for action on the socket until a timeout is
+  reached. With the secondary socket check added to the data_pending
+  function, the close_notify is properly handled, and the ftps transfer
+  terminates as expected.
+  
+  Fixes #7068
+  Closes #7069
 
-- libssh: fix "empty expression statement has no effect" warnings
+- github: inhibit deprecated declarations for clang on macOS
   
-  ... by fixing macros to do-while constructs and moving out the calls to
-  "break" outside of the actual macro. It also fixes the problem where the
-  macro was used witin a loop and the break didn't do right.
+  ... as they otherwise cause ldap build errors in the CI.
   
-  Reported-by: Emil Engler
-  Fixes #6847
-  Closes #6909
+  Fixes #7081
+  Closes #7082
 
-- hsts: enable by default
+- conn: add 'attach' to protocol handler, make libssh2 use it
   
-  No longer considered experimental.
+  The libssh2 backend has SSH session associated with the connection but
+  the callback context is the easy handle, so when a connection gets
+  attached to a transfer, the protocol handler now allows for a custom
+  function to get used to set things up correctly.
   
-  Closes #6700
+  Reported-by: Michael O'Farrell
+  Fixes #6898
+  Closes #7078
 
-- vtls: refuse setting any SSL version
+- http2: make sure pause is done on HTTP
   
-  ... previously they were supported if a TLS library would (unexpectedly)
-  still support them, but from this change they will be refused already in
-  curl_easy_setopt(). SSLv2 and SSLv3 have been known to be insecure for
-  many years now.
+  Since the function is called for any protocol, we can't assume that the
+  HTTP struct is there without first making sure it is HTTP.
   
-  Closes #6773
+  Reported-by: Denis Goleshchikhin
+  Fixes #7079
+  Closes #7080
 
-- curl: ignore options asking for SSLv2 or SSLv3
-  
-  Instead output a warning about it and continue with the defaults.
+- docs: cookies from HTTP headers need domain set
   
-  These SSL versions are typically not supported by the TLS libraries since a
-  long time back already since they are inherently insecure and broken. Asking
-  for them to be used will just cause an error to be returned slightly later.
+  ... or the cookies won't get sent. Push users to using the "Netscape"
+  format instead, which curl uses when saving a cookie "jar".
   
-  In the unlikely event that a user's TLS library actually still supports these
-  protocol versions, this change might make the request a little less insecure.
+  Reported-by: Martin Dorey
+  Reviewed-by: Daniel Gustafsson
+  Fixes #6723
+  Closes #7077
+
+- RELEASE-NOTES: synced
+
+- github: add a workflow with libssh2 on macOS using cmake
   
-  Closes #6772
+  Closes #7047
 
-- test972: verify the json output with jsonlint
+- sws: allow HTTP requests up to 2MB in size
   
-  Make sure one of the azure jobs has jsonlint installed so that the test
-  runs there.
+  To allow tests with slightly larger payloads. Like #7071 ...
   
-  Ref: #6905
+  Closes #7075
 
-- [Jay Satiro brought this change]
+Marc Hoersken (16 May 2021)
+- CI/azure: increase verbosity and fix outdated task names
+  
+  Closes #7063
 
-  tool_writeout: fix the HTTP_CODE json output
+- CI/cirrus: add shared and static Windows release builds
   
-  Update test 970 accordingly.
+  Azure Pipelines is currently being used for debug builds,
+  let's also run some non-debug (release) Windows builds and
+  make use of previously underutilized Cirrus CI for that.
   
-  Reported-by: Michal Rus
-  Fixes #6905
-  Closes #6906
-
-- openldap: protect SSL-specific code with proper #ifdef
+  Reviewed-by: Marcel Raad
   
-  Closes #6901
+  Closes #6991
 
-- libssh2: fix Value stored to 'sshp' is never read
+Daniel Stenberg (16 May 2021)
+- CURLOPT_CAPATH.3: defaults to a path, not NULL
   
-  Pointed out by scan-build
+  Reported-by: Andrew Barnert
   
-  Closes #6900
+  Closes #7062
 
-- [Victor Vieux brought this change]
+- [Jacob Hoffman-Andrews brought this change]
 
-  tool_getparam: replace (in-place) '%20' by '+' according to RFC1866
+  c-hyper: handle body on HYPER_TASK_EMPTY
   
-  Signed-off-by: Victor Vieux <victorvieux@gmail.com>
+  Some of the time, we get a HYPER_TASK_EMPTY response before the status
+  line, headers, and body have been read. Previously, that would cause us
+  to poll again, leading to a 1 second timeout.
   
-  Closes #6895
-
-- configure: provide --with-openssl, deprecate --with-ssl
+  The HYPER_TASK_EMPTY docs say:
   
-  Makes the option more explicit.
+     The value of this task is null (does not imply an error).
   
-  Closes #6887
-
-- RELEASE-NOTES: synced
+  So, if we receive a HYPER_TASK_EMPTY, continue on with processing the
+  response.
   
-  and bumped curlver to 7.77.0
+  Reported-by: Kevin Burke
+  Fixes #7064
+  Closes #7070
 
-- [Javier Blazquez brought this change]
+- [Ikko Ashimine brought this change]
 
-  rustls: only return CURLE_AGAIN when TLS session is fully drained
-  
-  The code in cr_recv was returning prematurely as soon as the socket
-  reported no more data to read. However, this could be leaving some
-  unread plaintext data in the rustls session from a previous call,
-  causing causing the transfer to hang if the socket never receives
-  further data.
+  tool_getparam: fix comment typo in tool_getparam.c
   
-  We need to ensure that the session is fully drained of plaintext data
-  before returning CURLE_AGAIN to the caller.
+  enfore -> enforce
   
-  Reviewed-by: Jacob Hoffman-Andrews
-  Closes #6894
+  Closes #7074
 
-- cookie: CURLOPT_COOKIEFILE set to NULL switches off cookies
+- mem-include-scan.pl: require a non-word letter before memory funcs
   
-  Add test 676 to verify that setting CURLOPT_COOKIEFILE to NULL again clears
-  the cookiejar from memory.
+  ... so that ldap_memfree() for example doesn't match the scan for free.
   
-  Reported-by: Stefan Karpinski
-  Fixes #6889
-  Closes #6891
-
-Version 7.76.1 (14 Apr 2021)
+  Closes #7061
 
-Daniel Stenberg (14 Apr 2021)
-- RELEASE-NOTES: synced
+- version: free the openldap info correctly
   
-  curl 7.76.1 release
-
-- THANKS: add names from 7.76.1
-
-- misc: update copyright year ranges to match latest updates
-
-- [Tatsuhiro Tsujikawa brought this change]
-
-  ngtcp2: Use ALPN h3-29 for now
+  ... to avoid memory leaks.
   
-  Fixes #6864
-  Cloes #6886
+  Follow-up to: bf0feae7768d9
+  Closes #7061
 
-Jay Satiro (11 Apr 2021)
-- TODO: remove 18.22 --fail-with-body
+- dupset: remove totally off comment
   
-  --fail-with-body was added in 8a964cb (precedes curl-7_76_0).
-
-Daniel Stenberg (10 Apr 2021)
-- [Jürgen Gmach brought this change]
+  Closes #7067
 
-  src/tool_vms.c: remove duplicated word in comment
+- configure: if asked for, fail if ldap is not found
   
-  Closes #6881
+  Reported-by: Jakub Zakrzewski
+  Fixes #7053
+  Closes #7055
 
-- configure: fix CURL_DARWIN_CFLAGS use
-  
-  The macro name change was not completely done.
+- version: add OpenLDAP version in the output
   
-  Follow-up to 5d2c384452543c
-  Bug: https://github.com/curl/curl/commit/5d2c384452543c7b6c9fb02eaa0afc84fd5ab941#commitcomment-49315187
-  Reported-by: Marcel Raad
-  Closes #6878
+  Assisted-by: Howard Chu
+  Closes #7054
 
-- [Anthony Shaw brought this change]
+Jay Satiro (13 May 2021)
+- [Joel Depooter brought this change]
 
-  github/workflow: add "security-extended" to codeql-analysis.yml
+  schannel: Ensure the security context request flags are always set
   
-  Extends the CodeQL code scan.
+  As of commit 54e7475, these flags would only be set when using a new
+  credential handle. When re-using an existing credential handle, the
+  flags would not be set.
   
-  Closes #6815
+  Closes https://github.com/curl/curl/pull/7051
 
-- [Jochem Broekhoff brought this change]
+Dan Fandrich (12 May 2021)
+- tests: Fix some tag matching issues in a number of tests
 
-  examples/hiperfifo.c: check event_initialized before delete
+Daniel Stenberg (12 May 2021)
+- sasl: use 'unsigned short' to store mechanism
   
-  If event_del is called with the event struct (still) zeroed out, a
-  segmentation fault may occur.  event_initialized checks whether the
-  event struct is nonzero.
+  ... saves a few bytes of struct size in memory and it only uses
+  10 bits anyway.
   
-  Closes #6876
-
-- [Patrick Monnerat brought this change]
+  Closes #7045
 
-  ntlm: fix negotiated flags usage
-  
-  According to Microsoft document MS-NLMP, current flags usage is not
-  accurate: flag NTLMFLAG_NEGOTIATE_NTLM2_KEY controls the use of
-  extended security in an NTLM authentication message and NTLM version 2
-  cannot be negotiated within the protocol.
+- hostip: remove the debug code for LocalHost
   
-  The solution implemented here is: if the extended security flag is set,
-  prefer using NTLM version 2 (as a server featuring extended security
-  should also support version 2). If version 2 has been disabled at
-  compile time, use extended security.
+  The Curl_resolv() had special code (when built in debug mode) for when
+  resolving the host name "LocalHost" (using that exact casing). It would
+  then get the host name from the --interface option instead.
   
-  Tests involving NTLM are adjusted to this new behavior.
+  This development-only feature was not used by anything (anymore) and we
+  have the --resolve feature if we want to play similar tricks properly
+  going forward.
   
-  Fixes #6813
-  Closes #6849
-
-- [Patrick Monnerat brought this change]
+  Closes #7044
 
-  ntlm: support version 2 on 32-bit platforms
+- progress: reset limit_size variables at transfer start
   
-  Closes #6849
-
-- [Patrick Monnerat brought this change]
-
-  curl_ntlm_core.h: simplify conditionals for USE_NTLM2SESSION
+  Otherwise the old value would linger from a previous use and would mess
+  up the network speed cap logic.
   
-  ... as !defined(CURL_DISABLE_CRYPTO_AUTH) is a prerequisite for the
-  whole NTLM.
+  Reported-by: Ymir1711 on github
   
-  Closes #6849
+  Fixes #7042
+  Closes #7043
 
-- lib: remove unused HAVE_INET_NTOA_R* defines
-  
-  Closes #6867
+- RELEASE-NOTES: synced
 
-- [Michael Forney brought this change]
+- [Daniel Gustafsson brought this change]
 
-  configure: include <time.h> unconditionally
-  
-  In 2682e5f5, several instances of AC_HEADER_TIME were removed since
-  it is a deprecated autoconf macro. However, this was the macro that
-  defined TIME_WITH_SYS_TIME, which was used to indicate that <time.h>
-  can be included alongside <sys/time.h>. TIME_WITH_SYS_TIME is still
-  used in the configure test body and since it is no longer defined,
-  <time.h> is *not* included on systems that have <sys/time.h>.
-  
-  In particular, at least on musl libc and glibc, <sys/time.h> does
-  not implicitly include <time.h> and does not declare clock_gettime,
-  gmtime_r, or localtime_r. This causes configure to fail to detect
-  those functions.
+  cookies: use CURLcode for cookie_output reporting
   
-  The AC_HEADER_TIME macro deprecation text says
+  Writing the cookie file has multiple error conditions, and was using an
+  int with magic numbers to report the different error (which in turn were
+  disregarded anyways). This moves reporting to use a CURLcode value.
   
-  > All current systems provide time.h; it need not be checked for.
-  > Not all systems provide sys/time.h, but those that do, all allow
-  > you to include it and time.h simultaneously.
+  Lightly-touched-by: Daniel Stenberg
   
-  So, to fix this issue, simply include <time.h> unconditionally when
-  testing for time-related functions and in libcurl, and don't bother
-  checking for it.
+  Closes #7037
+  Closes #6749
+
+- [Daniel Gustafsson brought this change]
+
+  cookies: make use of string duplication function
   
-  Closes #6859
+  strstore() is defined as a strdup which ensures to free the target
+  pointer before duping the source char * into it. Make use of it in
+  two more cases where it can simplify the code.
 
-- [Michael Forney brought this change]
+- [Daniel Gustafsson brought this change]
 
-  configure: remove use of RETSIGTYPE
+  cookies: refactor comments
   
-  This was previously defined by the obsolete AC_TYPE_SIGNAL macro,
-  which was removed in 2682e5f5. The deprecation text says
+  Comments in the cookie code were a bit all over the place in terms of
+  style and wording. This takes a stab at cleaning them up by keeping to
+  a single style and overall shape. Some comments are moved a little and
+  some removed alltogether due to being redundant. No functional changes
+  have been made,
+
+- [Peng-Yu Chen brought this change]
+
+  http2: skip immediate parsing of payload following protocol switch
   
-  > Your code may safely assume C89 semantics that RETSIGTYPE is void.
+  This is considered not harmful as a following http2_recv shall be
+  called very soon.
   
-  So, remove it and just use void instead.
+  This is considered helpful in the specific situation where some
+  servers (e.g. nghttpx v1.43.0) may fulfill stream 1 immediately
+  following the return of HTTP status 101, other than waiting for
+  the client-side connection preface to arrive.
   
-  Closes #6861
+  Fixes #7036
+  Closes #7040
 
-- [Muhammed Yavuz Nuzumlalı brought this change]
+- [Peng-Yu Chen brought this change]
 
-  install: add instructions for Apple Darwin platforms
+  http2: use nghttp2_session_upgrade2 instead of nghttp2_session_upgrade
   
-  Closes #6860
-
-- [Muhammed Yavuz Nuzumlalı brought this change]
+  Following the upstream deprecation of nghttp2_session_upgrade.
+  
+  Also provides further checks for requests with the HEAD method.
+  
+  Closes #7041
 
-  configure: disable min version set for Darwin
+- progress/trspeed: use a local convenient pointer to beautify code
   
-  Fixes #6838
-  Closes #6860
+  The function becomes easier to read and understand with less repetition.
 
-- [David Hu brought this change]
+- trspeed: use long double for transfer speed calculation
 
-  docs/HTTP3.md: update the build instruction using gnutls
-  
-  In ngtcp2 the `with-gnutls` option is disabled by default, which will
-  cause `curl` unable to be `make` because of lacking the libraries
-  needed.
+- progress: move transfer speed calc into function
   
-  Closes #6857
+  This silences two scan-build-11 warnings: "The result of the '/'
+  expression is undefined"
+  
+  Bug: https://curl.se/mail/lib-2021-05/0022.html
+  Closes #7035
 
-- RELEASE-NOTES: synced
+- [Cameron Cawley brought this change]
 
-- typecheck-gcc: make the ssl-ctx-cb check use SSL_CTX pointers
-  
-  ... and not values.
+  openssl: remove unneeded cast for CertOpenSystemStore()
   
-  Reported-by: locpyl-tidnyd on github
-  Fixes #6818
-  Closes #6819
+  Closes #7025
 
-- ngtcp2+gnutls: clear credentials when freed
+- travis: disable the libssh build
   
-  ... to avoid double-free.
+  It can't run on focal and causes warnings on bionic. Since the focal
+  failure started rather suddenly a while ago, we can suspect it might be
+  temporary.
   
-  Reported-by: Kenneth Davidson
-  Fixes #6824
-  Closes #6856
+  Added "bring back the build" to the TODO document.
+  
+  Fixes #7011
+  Closes #7012
 
-Jay Satiro (5 Apr 2021)
-- [Cherish98 brought this change]
+- [Peng-Yu Chen brought this change]
 
-  tool_progress: Fix progress meter in parallel mode
-  
-  Make sure the total amount of DL/UL bytes are counted before the
-  transfer finalizes. Otherwise if a transfer finishes too quick, its
-  total numbers are not added, and results in a DL%/UL% that goes above
-  100%.
+  http: use calculated offsets inst of integer literals for header parsing
   
-  Detail:
+  Assumed to be a minor coding style improvement with no behavior change.
   
-  progress_meter() is called periodically, and it may not catch a
-  transfer's total bytes if the value was unknown during the last call,
-  and the transfer is finished and deleted (i.e., lost) during the next
-  call.
+  A modern compiler is expected to have the calculation optimized during
+  compilation. It may be deemed okay even if that's not the case, since
+  the added overhead is considered very low.
   
-  Closes https://github.com/curl/curl/pull/6840
+  Closes #7032
 
-- [Emil Engler brought this change]
+- [Peng-Yu Chen brought this change]
 
-  libssh: get rid of PATH_MAX
+  GIT-INFO: suggest using autoreconf instead of buildconf
   
-  This removes the last occurrence of PATH_MAX inside our libssh
-  implementation by calculating the path length from the string length of
-  the two components.
+  Follow-up to 85868537d
   
-  Closes #6829
+  Closes #7033
 
-Daniel Stenberg (5 Apr 2021)
-- http_proxy: only loop on 407 + close if we have credentials
+- http: deal with partial CONNECT sends
   
-  ... to fix the retry-loop.
+  Also added 'CURL_SMALLSENDS' to make Curl_write() send short packets,
+  which helped verifying this even more.
   
-  Add test 718 to verify.
+  Add test 363 to verify.
   
-  Reported-by: Daniel Kurečka
-  Fixes #6828
-  Closes #6850
+  Reported-by: ustcqidi on github
+  Fixes #6950
+  Closes #7024
 
-- h2: allow 100 streams by default
+- HTTP3: make the ngtcp2 build use the quictls fork
   
-  instead of 13, before the server has told how many streams it
-  accepts. The server can always reject new streams anyway if we go above
-  what it accepts.
+  ... as ngtcp2 itself documents the build this way.
   
-  Ref: #6826
-  Closes #6852
-
-- [Luke Granger-Brown brought this change]
+  Closes #7031
 
-  file: support GETing directories again
+- http: limit the initial send amount to used upload buffer size
   
-  After 957bc1881e686f9714c4e6a01bf33535091f0e21, we no longer compute an
-  expected_size for directories. This has the upshot that when we compare
-  even an empty Range with the available size, we fail.
+  Previously this logic would cap the send to CURL_MAX_WRITE_SIZE bytes,
+  but for the situations where a larger upload buffer has been set, this
+  function can benefit from sending more bytes. With default size used,
+  this does the same as before.
   
-  This brings back the previous behaviour, which was to succeed, but with
-  empty content. This also removes the "Accept-ranges: bytes" header,
-  which is nonsensical on directories.
+  Also changed the storage of the size to an 'unsigned int' as it is not
+  allowed to be set larger than 2M.
   
-  Adds test 3016
-  Fixes #6845
-  Closes #6846
+  Also added cautions to the man pages about changing buffer sizes in
+  run-time.
+  
+  Closes #7022
 
 - RELEASE-NOTES: synced
-  
-  and bumped to 7.76.1
 
-- TLS: fix HTTP/2 selection
+- ngtcp2: fix the cb_acked_stream_data_offset proto
   
-  for GnuTLS, BearSSL, mbedTLS, NSS, SChannnel, Secure Transport and
-  wolfSSL...
+  The 'datalen' value should be 64 bit, not size_t!
   
-  Regression since 88dd1a8a115b1f5ece (shipped in 7.76.0)
-  Reported-by: Kenneth Davidson
-  Reported-by: romamik om github
-  Fixes #6825
-  Closes #6827
+  Reported-by: Dmitry Karpov
+  Bug: https://curl.se/mail/lib-2021-05/0019.html
+  Closes #7027
 
-Jay Satiro (2 Apr 2021)
-- hostip: Fix for builds that disable all asynchronous DNS
+- progress: when possible, calculate transfer speeds with microseconds
   
-  - Define Curl_resolver_error function only when USE_CURL_ASYNC.
+  ... this improves precision, especially for transfers in the few or even
+  sub millisecond range.
   
-  Prior to this change building curl without an asynchronous resolver
-  backend (c-ares or threaded) and without DoH (DNS-over-HTTPS, which is
-  also asynchronous but independent of resolver backend) would cause a
-  build error since Curl_resolver_error is called by and evaluates
-  variables only available in asynchronous builds.
+  Reported-by: J. Bromley
+  Fixes #7017
+  Closes #7020
+
+- http: reset the header buffer when sending the request
   
-  Reported-by: Benbuck Nason
+  A reused transfer handle could otherwise reuse the previous leftover
+  buffer and havoc would ensue.
   
-  Fixes https://github.com/curl/curl/issues/6831
-  Closes https://github.com/curl/curl/pull/6832
-
-Daniel Stenberg (31 Mar 2021)
-- [Gilles Vollant brought this change]
+  Reported-by: sergio-nsk on github
+  Fixes #7018
+  Closes #7021
 
-  openssl: Fix CURLOPT_SSLCERT_BLOB without CURLOPT_SSLCERT_KEY
+- curl_mprintf.3: add description
   
-  Reported-by: Christian Schmitz
-  Fixes #6816
-  Closes #6820
+  These functions have existed in the API since the dawn of time. It is
+  about time we describe how they work, even if we discourage users from
+  using them.
+  
+  Closes #7010
 
-Version 7.76.0 (31 Mar 2021)
+- [Timothy Gu brought this change]
 
-Daniel Stenberg (31 Mar 2021)
-- RELEASE-NOTES: synced
+  URL-SYNTAX: update IDNA section for WHATWG spec changes
   
-  curl 7.76.0 release
+  WHATWG URL has dictated the use of Nontransitional Processing (IDNA
+  2008) for several years now. Chrome (and derivatives) still use
+  Transitional Processing, but Firefox and Safari have both switched.
+  
+  Also document the fact that winidn functions differently from libidn2
+  here.
+  
+  Closes #7026
 
-- THANKS: added names from 7.76.0
+- [Calvin Buckley brought this change]
 
-- CURLOPT_AUTOREFERER.3: clarify that it sets the full URL
+  INSTALL: add IBM i specific quirks
   
-  ... some users may not want that!
+  Fixes #6830
+  Closes #7013
 
-- define: remove CURL_DISABLE_NTLM ifdefs
+- libcurl.3: mention the URL API
   
-  It was never defined anywhere. Fixed disable-scan (test 1165) to also
-  scan headers, which found this issue.
+  To make it easier to find. Also a minor polish of libcurl-url.3
   
-  Closes #6809
+  Closes #7009
 
-- vtls: fix addsessionid for non-proxy builds
+- GnuTLS: don't allow TLS 1.3 for versions that don't support it
   
-  Follow-up to b09c8ee15771c61
-  Fixes #6812
-  Closes #6811
-
-- [Li Xinwei brought this change]
-
-  cmake: support WinIDN
+  Follow-up to 781864bedbc5
   
-  Closes #6807
+  ... as they don't understand it and will return error at us!
+  
+  Closes #7014
 
-- transfer: clear 'referer' in declaration
+Kamil Dudka (6 May 2021)
+- tool_getparam: handle failure of curlx_convert_tchar_to_UTF8()
   
-  To silence (false positive) compiler warnings about it.
+  Reported by GCC analyzer:
   
-  Follow-up to 7214288898f5625
+  Error: GCC_ANALYZER_WARNING (CWE-476):
+  src/tool_getparam.c: scope_hint: In function 'parse_args'
+  src/tool_getparam.c:2318:38: warning[-Wanalyzer-possible-null-dereference]: dereference of possibly-NULL 'orig_opt'
+  lib/curlx.h:56: included_from: Included from here.
+  src/tool_getparam.c:28: included_from: Included from here.
+  lib/curl_multibyte.h:70:51: note: in definition of macro 'curlx_convert_tchar_to_UTF8'
+  src/tool_getparam.c:2316:16: note: in expansion of macro 'curlx_convert_tchar_to_UTF8'
   
   Reviewed-by: Marcel Raad
-  Closes #6810
+  Reviewed-by: Daniel Stenberg
+  Closes #7023
 
-- [Marc Hoersken brought this change]
+Daniel Stenberg (6 May 2021)
+- scripts/delta: also show total number of days
 
-  config: fix SSPI enabling NTLM if crypto auth is disabled
-  
-  Avoid enabling NTLM feature based upon Windows SSPI
-  being enabled in case that crypto auth is disabled.
+Marc Hoersken (5 May 2021)
+- sockfilt: fix invalid increment of handles index variable nfd
   
-  Reported-by: Marcel Raad
+  Only increment the array index if we actually stored a handle.
   
-  Follow-up to #6277
-  Fixes #6803
-  Closes #6808
-
-- HISTORY: add two 2021 events
+  Follow up to e917492048f4b85a0fd58a033d10072fc7666c3b
+  Closes #6992
 
-- vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid()
+- sockfilt: avoid getting stuck waiting for writable socket
   
-  To make sure we set and extract the correct session.
+  Reset FD_WRITE event using the same approach as in multi.c
   
-  Reported-by: Mingtao Yang
-  Bug: https://curl.se/docs/CVE-2021-22890.html
+  Follow up to b36442b24305f3cda7c13cc64b46838995a4985b
+  Closes #6992
+
+Jay Satiro (5 May 2021)
+- test678: Fix for Windows multibyte builds
   
-  CVE-2021-22890
+  Follow-up to 77fc385 from yesterday.
+  
+  Bug: https://github.com/curl/curl/pull/6662#issuecomment-832966557
+  Reported-by: Marc Hörsken
 
-- [Viktor Szakats brought this change]
+- [Dmitry Kostjuchenko brought this change]
+
+  build: fix compilation for Windows UWP platform
+  
+  - Include afunix.h which is necessary for sockaddr_un when
+    USE_UNIX_SOCKETS is defined on Windows.
+  
+  Closes https://github.com/curl/curl/pull/7006
 
-  transfer: strip credentials from the auto-referer header field
+Daniel Stenberg (5 May 2021)
+- gnutls: make setting only the MAX TLS allowed version work
   
-  Added test 2081 to verify.
+  Previously, settting only the max allowed TLS version, leaving the
+  minimum one at default, didn't actually set it and left it to default
+  (TLS 1.3) too!
   
-  CVE-2021-22876
+  As a bonus, this change also removes the dead code handling of SSLv3
+  since that version can't be set anymore (since eff614fb0242cb).
   
-  Bug: https://curl.se/docs/CVE-2021-22876.html
+  Reported-by: Daniel Carpenter
+  Fixes #6998
+  Closes #7000
 
-- curl_sasl: fix compiler error with --disable-crypto-auth
+- openldap: replace ldap_ prefix on private functions
   
-  ... if libgsasl was found.
+  Since openldap itself uses that prefix and with OpenĹDAP 2.5.4 (at
+  least) there's a symbol collision because of that.
   
-  Closes #6806
-
-- [Patrick Monnerat brought this change]
-
-  ldap: only set the callback ptr for TLS context when TLS is used
+  The private functions now use the 'oldap_' prefix where it previously
+  used 'ldap_'.
   
-  Follow-up to a5eee22e594c2460f
-  Fixes #6804
-  Closes #6805
+  Reported-by: 3eka on github
+  Fixes #7004
+  Closes #7005
 
-- copyright: update copyright year ranges to 2021
+Jay Satiro (5 May 2021)
+- http2: fix potentially uninitialized variable
   
-  Reviewed-by: Emil Engler
-  Closes #6802
+  introduced several days ago in 3193170. caught by visual studio linker.
 
-- send_speed: simplify the checks for if a speed limit is set
-  
-  ... as we know the value cannot be set to negative: enforced by
-  setopt()
+- [Gilles Vollant brought this change]
 
-- http: cap body data amount during send speed limiting
+  SSL: support in-memory CA certs for some backends
   
-  By making sure never to send off more than the allowed number of bytes
-  per second the speed limit logic is given more room to actually work.
+  - New options CURLOPT_CAINFO_BLOB and CURLOPT_PROXY_CAINFO_BLOB to
+    specify in-memory PEM certificates for OpenSSL, Schannel (Windows)
+    and Secure Transport (Apple) SSL backends.
   
-  Reported-by: Fabian Keil
-  Bug: https://curl.se/mail/lib-2021-03/0042.html
-  Closes #6797
-
-- urldata: merge "struct DynamicStatic" into "struct UrlState"
+  Prior to this change PEM certificates could only be imported from a file
+  and not from memory.
   
-  Both were used for the same purposes and there was no logical separation
-  between them. Combined, this also saves 16 bytes in less holes in my
-  test build.
+  Co-authored-by: moparisthebest@users.noreply.github.com
   
-  Closes #6798
-
-- tests/README.md: mentioned that en_US.UTF-8 is required
+  Ref: https://github.com/curl/curl/pull/4679
+  Ref: https://github.com/curl/curl/pull/5677
+  Ref: https://github.com/curl/curl/pull/6109
   
-  Reported-by: Oumph on github
-  Fixes #6768
+  Closes https://github.com/curl/curl/pull/6662
 
-- HISTORY: fixed the Mac OS X 10.1 release date
-  
-  Based on what Wikipedia says
+Daniel Stenberg (4 May 2021)
+- [David Cook brought this change]
 
-Jay Satiro (26 Mar 2021)
-- examples: Remove threaded-shared-conn.c due to bug
-  
-  Known bug 11.11 is the shared object's connection cache is not thread
-  safe, so we should not have an example for it.
+  tests: ignore case of chunked hex numbers in tests
   
-  Ref: https://github.com/curl/curl/issues/4915
-  Ref: https://curl.se/docs/knownbugs.html#A_shared_connection_cache_is_not
+  When hyper is used, it emits uppercase hexadecimal numbers for chunked
+  encoding lengths. Without hyper, lowercase hexadecimal numbers are used.
+  This change adds preprocessor statements to tests where this is an
+  issue, and adapts the fixtures to match.
   
-  Closes https://github.com/curl/curl/pull/6795
+  Closes #6987
 
-- KNOWN_BUGS: Update 11.9 - DoH option inheritance
+- cmake: check for getppid and utimes
   
-  - Add description: Explain that some options aren't inherited because
-    they are not relevant for the DoH SSL connections or may result in
-    unexpected behavior.
+  ... as they're checked for in the configure script and are used by
+  source code.
   
-  - Remove the reference to #4578 (SSL verify options not inherited) since
-    that was fixed by #6597 (separate DoH-specific options for verify).
+  Removed checks for perror, setvbuf and strlcat since those defines are
+  not checked for in source code.
   
-  - Explain that DoH-specific options (those created by #6597) are
-    available: CURLOPT_DOH_SSL_VERIFYHOST, CURLOPT_DOH_SSL_VERIFYPEER and
-    CURLOPT_DOH_SSL_VERIFYSTATUS.
+  Bonus: removed HAVE_STRLCPY from a few config-*.h files since that
+  symbol is not used in source code.
   
-  - Add a reference to #6605 and explain that the user's debug function is
-    not inherited because it would be unexpected to pass internal handles
-    (ie DoH handles) to the user's callback.
+  Closes #6997
+
+- libtest: remove lib530.c
   
-  Closes https://github.com/curl/curl/issues/6605
+  Follow up from e50a877df when test 530 was removed. Since then this
+  source file has not been used/needed.
+  
+  Closes #6999
 
-Daniel Stenberg (26 Mar 2021)
-- curl_easy_setopt.3: add curl_easy_option* functions to SEE ALSO
+- FILEFORMAT: mention sectransp as a feature
+  
+  Been supported since at least 40259ca65
+  
+  Closes #7001
 
-- [Jean-Philippe Menil brought this change]
+- RELEASE-NOTES: synced
 
-  openssl: ensure to check SSL_CTX_set_alpn_protos return values
+- libssh2: ignore timeout during disconnect
   
-  SSL_CTX_set_alpn_protos() return 0 on success, and non-0 on failure
+  ... to avoid memory leaks!
   
-  Signed-off-by: Jean-Philippe Menil <jpmenil@gmail.com>
+  libssh2 is tricky as we have to deal with the non-blockiness even in
+  close and shutdown cases. In the cases when we shutdown after a timeout
+  already expired, it is crucial that curl doen't let the timeout abort
+  the shutdown process as that then leaks memory!
   
-  Closes #6794
+  Reported-by: Benjamin Riefenstahl
+  Fixes #6990
 
-- multi: close the connection when h2=>h1 downgrading
+- KNOWN_BUGS: add two HTTP/2 bugs
+
+- KNOWN_BUGS: add three HTTP/3 issues
   
-  Otherwise libcurl is likely to reuse the connection again in the next
-  attempt since the connection reuse logic doesn't take downgrades into
-  account.
+  ... and moved the HTTP/2 issues to its own section
   
-  Reported-by: Anthony Ramine
-  Fixes #6788
-  Closes #6793
+  Closes #6606
+  Closes #6510
+  Closes #6494
 
-- openssl: set the transfer pointer for logging early
+- [ejanchivdorj brought this change]
+
+  CURLcode: add CURLE_SSL_CLIENTCERT
   
-  Otherwise, the transfer will be NULL in the trace function when the
-  early handshake details arrive and then curl won't show them.
+  When a TLS server requests a client certificate during handshake and
+  none can be provided, libcurl now returns this new error code
+  CURLE_SSL_CLIENTCERT
   
-  Regresssion in 7.75.0
+  Only supported by Secure Transport and OpenSSL for TLS 1.3 so far.
   
-  Reported-by: David Hu
-  Fixes #6783
-  Closes #6792
+  Closes #6721
 
-- RELEASE-NOTES: synced
+- [Tobias Gabriel brought this change]
 
-- TODO: Custom progress meter update interval
+  .github/FUNDING: add link to GitHub sponsors
   
-  Ref: https://stackoverflow.com/q/66789977/93747
+  Closes #6985
 
-- docs/ABI: tighten up the language
-  
-  Make the promises more firm
+- [Harry Sintonen brought this change]
+
+  krb5/name_to_level: replace checkprefix with curl_strequal
   
-  Closes #6786
+  Closes #6993
 
-- openldap: disconnect better
+- [Harry Sintonen brought this change]
+
+  Curl_input_digest: require space after Digest
   
-  Instead of clearing the callback argument in disconnect, set it to the
-  (new) transfer to make sure the correct data is passed to the callbacks.
+  Closes #6993
+
+- [Harry Sintonen brought this change]
+
+  Curl_http_header: check for colon when matching Persistent-Auth
   
-  Follow-up to e467ea3bd937f38
-  Assisted-by: Patrick Monnerat
-  Closes #6787
+  Closes #6993
 
-- libssh2: kdb_callback: get the right struct pointer
+- [Harry Sintonen brought this change]
+
+  Curl_http_input_auth: require valid separator after negotiation type
   
-  After the recent conn/data refactor in this source file, this function
-  was mistakenly still getting the old struct pointer which would lead to
-  crash on servers with keyboard-interactive auth enabled.
+  Closes #6993
+
+- http: fix the check for 'Authorization' with Bearer
   
-  Follow-up to a304051620b92e12b (shipped in 7.75.0)
+  The code would wrongly check for it using an additional colon.
   
-  Reported-by: Christian Schmitz
-  Fixes #6691
-  Closes #6782
+  Reported-by: Blake Burkhart
+  Closes #6988
 
-- tftp: remove unused struct fields
+- [Kamil Dudka brought this change]
+
+  http2: fix a resource leak in push_promise()
   
-  Follow-up to d3d90ad9c00530d
+  ... detected by Coverity:
   
-  Closes #6781
-
-- openldap: avoid NULL pointer dereferences
+  Error: RESOURCE_LEAK (CWE-772):
+  lib/http2.c:532: alloc_fn: Storage is returned from allocation function "duphandle".
+  lib/http2.c:532: var_assign: Assigning: "newhandle" = storage returned from "duphandle(data)".
+  lib/http2.c:552: noescape: Resource "newhandle" is not freed or pointed-to in "set_transfer_url".
+  lib/http2.c:555: leaked_storage: Variable "newhandle" going out of scope leaks the storage it points to.
   
-  Follow-up to a59c33ceffb8f78
-  Reported-by: Patrick Monnerat
-  Fixes #6676
-  Closes #6780
+  Closes #6986
 
-- http: strip default port from URL sent to proxy
+- [Kamil Dudka brought this change]
+
+  http2: fix resource leaks in set_transfer_url()
   
-  To make sure the Host: header and the URL provide the same authority
-  portion when sent to the proxy, strip the default port number from the
-  URL if one was provided.
+  ... detected by Coverity:
   
-  Reported-by: Michael Brown
-  Fixes #6769
-  Closes #6778
-
-- azure: disable test 433 on azure-ubuntu
+  Error: RESOURCE_LEAK (CWE-772):
+  lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
+  lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
+  lib/http2.c:486: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.]
+  lib/http2.c:488: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
   
-  Something in that environment sets XDG_CONFIG_HOME for us in a way that
-  breaks the test.
+  Error: RESOURCE_LEAK (CWE-772):
+  lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
+  lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
+  lib/http2.c:493: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.]
+  lib/http2.c:495: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
   
-  Reported-by: Marc Hörsken
-  Fixes #6739
-  Closes #6777
-
-- tftp: remove the 3600 second default timeout
+  Error: RESOURCE_LEAK (CWE-772):
+  lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
+  lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
+  lib/http2.c:500: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.]
+  lib/http2.c:502: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
   
-  ... it was never meant to be there.
+  Error: RESOURCE_LEAK (CWE-772):
+  lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
+  lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
+  lib/http2.c:505: noescape: Resource "u" is not freed or pointed-to in "curl_url_get". [Note: The source code implementation of the function has been overridden by a builtin model.]
+  lib/http2.c:507: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
   
-  Reported-by: Tomas Berger
-  Fixes #6774
-  Closes #6776
+  Closes #6986
 
-- docs: make gen.pl support *italic* and **bold**
+- [Jacob Hoffman-Andrews brought this change]
+
+  rustls: use ALPN
   
-  Remove some nroffisms from the cmdline doc files to simplify editing,
-  and instead support this markdown style.
+  Update required rustls to 0.5.0
   
-  Closes #6771
+  Closes #6960
 
-- ngtcp2: sync with recent API updates
+- [Michał Antoniak brought this change]
+
+  gskit: fix CURL_DISABLE_PROXY build
   
-  Closes #6770
+  Removed localfd and remotefd from ssl_backend_data (ued only with proxy
+  connection). Function pipe_ssloverssl return always 0, when proxy is not
+  used.
+  
+  Closes #6981
 
-- RELEASE-NOTES: synced
+- [Michał Antoniak brought this change]
 
-- libssh2:ssh_connect: clear session pointer after free
-  
-  If libssh2_knownhost_init() returns NULL, like in an OOM situation, the
-  ssh session was freed but the pointer wasn't cleared which made libcurl
-  later call libssh2 to cleanup using the stale pointer.
+  gskit: fix undefined reference to 'conn'
   
-  Fixes #6764
-  Closes #6766
+  Closes #6980
 
 - [Jacob Hoffman-Andrews brought this change]
 
-  docs: document version of crustls dependency
+  tls: add USE_HTTP2 define
   
-  This also pins a specific release in the Travis test so future
-  API-breaking changins in crustls won't break curl builds.
+  This abstracts across the two HTTP/2 backends: nghttp2 and Hyper.
   
-  Add RUSTLS documentation to release tarball.
+  Add our own define for the "h2" ALPN protocol, so TLS backends can use
+  it without depending on a specific HTTP backend.
   
-  Enable running tests for rustls, minus FTP tests (require
-  connect_blocking, which rustls doesn't implement) and 313 (requires CRL
-  handling).
+  Closes #6959
+
+- [Jacob Hoffman-Andrews brought this change]
+
+  lib: fix 0-length Curl_client_write calls
   
-  Closes #6763
+  Closes #6954
 
 - [Jacob Hoffman-Andrews brought this change]
 
-  rustls: Handle close_notify.
+  lib: remove strlen call from Curl_client_write
   
-  If we get a close_notify, treat that as EOF. If we get an EOF from the
-  TCP stream, treat that as an error (because we should have ended the
-  connection earlier, when we got a close_notify).
+  At all call sites with an explicit 0 len, pass an appropriate nonzero
+  len.
   
-  Closes #6763
+  Closes #6954
 
-- docs: clarify timeouts for queued transfers in multi API
+- [Ayushman Singh Chauhan brought this change]
+
+  docs: camelcase it like GitHub everywhere
   
-  Closes #6758
+  Closes #6979
 
-- ftpserver: only load the preprocessed test file
+Jay Satiro (27 Apr 2021)
+- [Lucas Servén Marín brought this change]
+
+  docs: fix typo in fail-with-body doc
   
-  We always preprocess and tests are no longer sensible to load "raw"
+  This commit fixes a small typo in the documentation for the
+  --fail-with-body flag.
   
-  Closes #6738
+  Closes https://github.com/curl/curl/pull/6977
 
-- tests: use %TESTNUMBER instead of fixed number
+- lib: fix some misuse of curlx_convert_UTF8_to_tchar
   
-  This makes the tests easier to copy and relocate to other test numbers
-  without having to update content.
+  curlx_convert_UTF8_to_tchar must be freed by curlx_unicodefree, but
+  prior to this change some uses mistakenly called free.
   
-  Closes #6738
+  I've reviewed all other uses of curlx_convert_UTF8_to_tchar and
+  curlx_convert_tchar_to_UTF8.
+  
+  Bug: https://github.com/curl/curl/pull/6602#issuecomment-825236763
+  Reported-by: sergio-nsk@users.noreply.github.com
+  
+  Closes https://github.com/curl/curl/pull/6938
 
-- KNOWN_BUGS: CURLOPT_OPENSOCKETPAIRFUNCTION is missing
+Daniel Stenberg (27 Apr 2021)
+- ntlm: precaution against super huge type2 offsets
   
-  Closes #5747
+  ... which otherwise caused an integer overflow and circumvented the if()
+  conditional size check.
+  
+  Detected by OSS-Fuzz
+  Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33720
+  Assisted-by: Max Dymond
+  Closes #6975
 
-- TODO: provide timing info for each redirect
+- c-hyper: fix unused variable ‘wrote’
+
+- libcurl-security.3: be careful of setuid
   
-  Closes #6743
+  Reported-by: Harry Sintonen
+  Closes #6970
 
-Jay Satiro (17 Mar 2021)
-- docs: Add SSL backend names to CURL_SSL_BACKEND
+- [Kevin Burke brought this change]
+
+  c-hyper: don't write to set.writeheader if null
   
-  - Document the names that can be used with CURL_SSL_BACKEND:
-    bearssl, gnutls, gskit, mbedtls, mesalink, nss, openssl, rustls,
-    schannel, secure-transport, wolfssl
+  Previously if a caller set CURLOPT_WRITEFUNCTION but did not set a
+  CURLOPT_HEADERDATA buffer, Hyper would still attempt to write headers to
+  the data->set.writeheader header buffer, even though it is null.  This
+  led to NPE segfaults attempting to use libcurl+Hyper with Git, for
+  example.
   
-  Ref: https://github.com/curl/curl/issues/2209#issuecomment-360623286
-  Ref: https://github.com/curl/curl/issues/6717#issuecomment-800745201
+  Instead, process the client write for the status line using the same
+  logic we use to process the client write for the later HTTP headers,
+  which contains the appropriate guard logic. As a side benefit,
+  data->set.writeheader is now only read in one file instead of two.
   
-  Closes https://github.com/curl/curl/pull/6755
+  Fixes #6619
+  Fixes abetterinternet/crustls#49
+  Fixes hyperium/hyper#2438
+  Closes #6971
 
-- docs: Explain DOH transfers inherit some SSL settings
+- wolfssl: handle SSL_write() returns 0 for error
   
-  - Document in DOH that some SSL settings are inherited but DOH hostname
-    and peer verification are not and are controlled separately.
+  Reported-by: Timo Lange
   
-  - Document that CURLOPT_SSL_CTX_FUNCTION is inherited by DOH handles but
-    we're considering changing behavior to no longer inherit it. Request
-    feedback.
+  Closes #6967
+
+- easy: ignore sigpipe in curl_easy_send
   
-  Closes https://github.com/curl/curl/pull/6688
+  Closes #6965
 
-Daniel Stenberg (17 Mar 2021)
-- http: make 416 not fail with resume + CURLOPT_FAILONERRROR
+- sigpipe: ignore SIGPIPE when using wolfSSL as well
   
-  When asked to resume a download, libcurl will convert that to HTTP logic
-  and if then the entire file is already transferred it will result in a
-  416 response from the HTTP server. With CURLOPT_FAILONERRROR set in that
-  scenario, it should *not* lead to an error return.
+  Closes #6966
+
+- libcurl-security.3: don't try to filter IPv4 hosts based on the URL
   
-  Updated test 1156, added test 1273
+  Closes #6942
+
+- [Harry Sintonen brought this change]
+
+  nss_set_blocking: avoid static for sock_opt
   
-  Reported-by: Jonathan Watt
-  Fixes #6740
-  Closes #6753
+  Reviewed-by: Kamil Dudka
+  Closes #6945
 
-- Curl_timeleft: check both timeouts during connect
+- RELEASE-NOTES: synced
+
+- [Yusuke Nakamura brought this change]
+
+  docs/HTTP3.md: fix nghttp2's HTTP/3 server port
   
-  The duration of a connect and the total transfer are calculated from two
-  different time-stamps. It can end up with the total timeout triggering
-  before the connect timeout expires and we should make sure to
-  acknowledge whichever timeout that is reached first.
+  Port 8443 does not work now.
+  Correct origin is in the quicwg's wiki.
+  https://github.com/quicwg/base-drafts/wiki/Implementations#ngtcp2
   
-  This is especially notable when a transfer first sits in PENDING, as
-  that time is counted in the total time but the connect timeout is based
-  on the time since the handle changed to the CONNECT state.
+  Closes #6964
+
+- krb5: don't use 'static' to store PBSZ size response
   
-  The CONNECTTIMEOUT is per connect attempt. The TIMEOUT is for the entire
-  operation.
+  ... because it makes the knowledge and usage cross-transfer in funny and
+  unexpected ways.
   
-  Fixes #6744
-  Closes #6745
-  Reported-by: Andrei Bica
-  Assisted-by: Jay Satiro
+  Reported-by: Harry Sintonen
+  Closes #6963
 
-- configure: remove use of deprecated macros
-  
-  AC_HEADER_TIME, AC_HEADER_STDC and AC_TYPE_SIGNAL
+- [Kevin Burke brought this change]
 
-- configure: make AC_TRY_* into AC_*_IFELSE
+  m4: add security frameworks on Mac when compiling rustls
   
-  ... as the former versions are deprecated.
-
-- configure: s/AC_HELP_STRING/AS_HELP_STRING
+  Previously compiling rustls on Mac would only complete if you also
+  compiled the SecureTransport TLS backend, which curl would prefer to
+  the Rust backend.
   
-  AC_HELP_STRING is deprecated in 2.70+ and I believe AS_HELP_STRING works
-  already since 2.59 so bump the minimum required version to that.
+  Appending these flags to LDFLAGS makes it possible to compile the
+  Rustls backend on Mac without the SecureTransport backend, which means
+  this patch will make it possible for Mac users to use the Rustls
+  backend for TLS.
   
-  Reported-by: Emil Engler
-  Fixes #6647
-  Closes #6748
-
-- RELEASE-NOTES: synced
+  Reviewed-by: Jacob Hoffman-Andrews
+  
+  Fixes #6955
+  Cloes #6956
 
-- travis: use ubuntu nghttp2 package instead of build our own
+- krb5: remove the unused 'overhead' function
   
-  Closes #6751
+  Closes #6947
 
-- travis: bump wolfssl to 4.7.0
+- [Johann150 brought this change]
 
-- travis: only build wolfssl when needed
+  curl_url_set.3: add memory management information
   
-  Closes #6751
+  wording taken from man page for CURLOPT_URL.3
+  
+  As far as I can see, the URL part is either malloc'ed before due to
+  encoding or it is strdup'ed.
+  
+  Closes #6953
 
 - [Jacob Hoffman-Andrews brought this change]
 
-  rustls: allocate a buffer for TLS data.
-  
-  Previously, rustls was using an on-stack array for TLS data. However,
-  crustls has an (unusual) requirement that buffers it deals with are
-  initialized before writing to them. By using calloc, we can ensure the
-  buffer is initialized once and then reuse it across calls.
+  c-hpyer: fix handling of zero-byte chunk from hyper
   
-  Closes #6742
+  Closes #6951
 
-- travis: add a rustls build
-  
-  ... that doesn't run any tests (yet)
+- CURLOPT_POSTFIELDS.3: clarify how it gets the size of the data
   
-  Closes #6750
-
-- HTTP2: remove the outdated remark about multiplexing for the tool
+  Ref: https://curl.se/mail/lib-2021-04/0085.html
+  Closes #6943
 
-- [Robert Ronto brought this change]
+- [Ralph Langendam brought this change]
 
-  http2: don't set KEEP_SEND when there's no more data to be sent
-  
-  this should fix an issue where curl sometimes doesn't send out a request
-  with authorization info after a 401 is received over http2
+  cmake: make libcurl output filename configurable
   
-  Closes #6747
+  Reviewed-by: Jakub Zakrzewski
+  Closes #6933
 
-Marc Hoersken (15 Mar 2021)
-- config: fix building SMB with configure using Win32 Crypto
+- [Patrick Monnerat brought this change]
+
+  vtls: reset ssl use flag upon negotiation failure
   
-  Align conditions for NTLM features between CMake and configure
-  builds by differentiating between USE_NTLM and USE_CURL_NTLM_CORE,
-  just like curl_setup.h does internally to detect support of:
+  Fixes the segfault in ldaps disconnect.
   
-  - USE_NTLM: required for NTLM crypto authentication feature
-  - USE_CURL_NTLM_CORE: required for SMB protocol
+  Reported-by: Illarion Taev
+  Fixes #6934
+  Closes #6937
+
+- configure: fix typo in TLS error message
   
-  Implement USE_WIN32_CRYPTO detection by checking for Crypt functions
-  in wincrypt.h which are not available in the Windows App environment.
+  Reported-by: Pontus Lundkvist
+
+- README: link to the commercial support option
+
+Jay Satiro (22 Apr 2021)
+- [Martin Halle brought this change]
+
+  version: add gsasl_version to curl_version_info_data
   
-  Link advapi32 and crypt32 for Crypto API and Schannel SSL backend.
-  Fix condition of Schannel SSL backend in CMake build accordingly.
+  - Add gsasl_version string and bump to CURLVERSION_TENTH.
   
-  Reviewed-by: Marcel Raad
+  Ref: https://curl.se/mail/lib-2021-04/0003.html
   
-  Closes #6277
+  Closes https://github.com/curl/curl/pull/6843
 
-- config: fix detection of restricted Windows App environment
+- [Morten Minde Neergaard brought this change]
+
+  schannel: Support strong crypto option
   
-  Move the detection of the restricted Windows App environment
-  in curl_setup.h before the definition of USE_WIN32_CRYPTO
-  via included config-win32.h in case no build system is used.
+  - Support enabling strong crypto via optional user cipher list when
+    USE_STRONG_CRYPTO or SCH_USE_STRONG_CRYPTO is in the list.
   
-  Reviewed-by: Marcel Raad
+  MSDN says SCH_USE_STRONG_CRYPTO "Instructs Schannel to disable known
+  weak cryptographic algorithms, cipher suites, and SSL/TLS protocol
+  versions that may be otherwise enabled for better interoperability."
   
-  Part of #6277
+  Ref: https://curl.se/mail/lib-2021-02/0066.html
+  Ref: https://curl.se/docs/manpage.html#--ciphers
+  Ref: https://curl.se/libcurl/c/CURLOPT_SSL_CIPHER_LIST.html
+  Ref: https://docs.microsoft.com/en-us/windows/win32/api/schannel/ns-schannel-schannel_cred
+  
+  Closes https://github.com/curl/curl/pull/6734
 
-Daniel Stenberg (15 Mar 2021)
-- HISTORY: curl 7.7.2 was the first version used in Mac OS X 10.1
+Daniel Stenberg (22 Apr 2021)
+- RELEASE-NOTES: synced
 
-- gen.pl: quote "bare" minuses in the nroff curl.1
-  
-  Reported-by: Alejandro Colomar
-  Fixes #6698
-  Closes #6722
+- ci: adapt to configure requiring an explicit TLS choice
 
-Daniel Gustafsson (14 Mar 2021)
-- hsts: remove unused defines
-  
-  MAX_HSTS_SUBLEN and MAX_HSTS_SUBLENSTR were unused from the initial commit,
-  and mostly likely leftovers from early development.  Remove as they're not
-  used for anything.
+- configure: split out each TLS library detector into its own function
   
-  Closes #6741
-  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+  ... and put those functions in separate m4 files per TLS library.
 
-Daniel Stenberg (12 Mar 2021)
-- github: add torture-ftp for FTP-only torture testing
-  
-  and at 20% to try to keep the run-time reasonable
+- configure: make the TLS library choice(s) explicit
   
-  Closes #6728
-
-- travis: split "torture" into a separate "events" build as well
+  configure no longer tries to find a TLS library by default, but all
+  libraries are now equal: the user needs to explicitly ask what TLS
+  library or libraries to use.
   
-  Run torture without FTP and reducing coverage to 20%
+  If no TLS library is selected, configure will error out unless
+  --without-ssl is explicitly used to request a built without TLS (as that
+  is very rare these days).
   
-  For some reason the torture tests now run a lot slower on travis and run
-  into the 50 minute limit all the time.
+  Removes: --with-winssl, --with-darwinssl and all --without-* options for
+  TLS libraries.
   
-  Closes #6728
+  Closes #6897
 
-- ftp: fix memory leak in ftp_done
-  
-  If after a transfer is complete Curl_GetFTPResponse() returns an error,
-  curl would not free the ftp->pathalloc block.
-  
-  Found by torture-testing test 576
+- tests/disable-scan.pl: also scan all m4 files
   
-  Closes #6737
-
-- [oxalica brought this change]
+  Fixes test 1165 when functions are moved from configure.ac to files in
+  m4/
 
-  http2: fail if connection terminated without END_STREAM
+Jay Satiro (22 Apr 2021)
+- schannel: Disable auto credentials; add an option to enable it
   
-  Closes #6736
-
-- RELEASE-NOTES: synced
-
-- [Jacob Hoffman-Andrews brought this change]
-
-  rustls: support CURLOPT_SSL_VERIFYPEER
+  - Disable auto credentials by default. This is a breaking change
+    for clients that are using it, wittingly or not.
   
-  This requires the latest main branch of crustls, which provides
-  rustls_client_config_builder_dangerous_set_certificate_verifier and
-  rustls_client_config_builder_set_enable_sni.
+  - New libcurl ssl option value CURLSSLOPT_AUTO_CLIENT_CERT tells libcurl
+    to automatically locate and use a client certificate for
+    authentication, when requested by the server.
   
-  This refactors the session setup into its own function, and adds a new
-  function cr_hostname_is_ip. Because crustls doesn't support verification
-  of IP addresses, special handling is needed: We disable SNI and set a
-  placeholder hostname (which never actually gets sent on the wire).
+  - New curl tool options --ssl-auto-client-cert and
+    --proxy-ssl-auto-client-cert map to CURLSSLOPT_AUTO_CLIENT_CERT.
   
-  Closes #6719
-
-Daniel Gustafsson (12 Mar 2021)
-- cookies: Fix potential NULL pointer deref with PSL
+  This option is only supported for Schannel (the native Windows SSL
+  library). Prior to this change Schannel would, with no notification to
+  the client, attempt to locate a client certificate and send it to the
+  server, when requested by the server. Since the server can request any
+  certificate that supports client authentication in the OS certificate
+  store it could be a privacy violation and unexpected.
   
-  Curl_cookie_init can be called with data being NULL, and this can in turn
-  be passed to Curl_cookie_add, meaning that both functions must be careful
-  to only use data where it's checked for being a NULL pointer.  The libpsl
-  support code does however dereference data without checking, so if we are
-  indeed having an unset data pointer we cannot PSL check the cookiedomain.
+  Fixes https://github.com/curl/curl/issues/2262
+  Reported-by: Jeroen Ooms
+  Assisted-by: Wes Hinsley
+  Assisted-by: Rich FitzJohn
   
-  This is currently not a reachable dereference, as the only caller with a
-  NULL data isn't passing a file to initialize cookies from, but since the
-  API has this contract let's ensure we hold it.
+  Ref: https://curl.se/mail/lib-2021-02/0066.html
+  Reported-by: Morten Minde Neergaard
   
-  Closes #6731
-  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+  Closes https://github.com/curl/curl/pull/6673
 
-Daniel Stenberg (12 Mar 2021)
-- [Michael Hordijk brought this change]
+Daniel Stenberg (22 Apr 2021)
+- [Michał Antoniak brought this change]
 
-  configure: only add OpenSSL paths if they are defined
-  
-  Add paths for OpenSSL compiling and linking only if they have been
-  defined.  If they haven't been defined, we'll assume that the paths are
-  already available to the toolchain.
+  vtls: deduplicate some DISABLE_PROXY ifdefs
   
-  Closes #6730
-
-Jay Satiro (12 Mar 2021)
-- retry.d: Clarify transient 5xx HTTP response codes
+  continue from #5735
   
-  - Clarify the only 5xx response codes that are treated as transient are
-    500, 502, 503 and 504.
+  - using SSL_HOST_NAME, SSL_HOST_DISPNAME, SSL_PINNED_PUB_KEY for other
+    tls backend
   
-  Prior to this change it said it treated all 5xx as transient, but the
-  code says otherwise.
+  - create SSL_HOST_PORT
   
-  Ref: https://github.com/curl/curl/blob/curl-7_75_0/src/tool_operate.c#L462-L495
+  Closes #6660
+
+Jay Satiro (22 Apr 2021)
+- OS400: fix typo
   
-  Closes https://github.com/curl/curl/pull/6724
+  CURLVERSION_HEIGHTH -> CURLVERSION_EIGHTH
 
-- retry-all-errors.d: Explain curl errors versus HTTP response errors
+Daniel Stenberg (22 Apr 2021)
+- checksrc: complain on == NULL or != 0 checks in conditions
   
-  - Add a paragraph explaining that curl does not consider HTTP response
-    errors as curl errors, and how that behavior can be modified by using
-    --retry and --fail.
+  ... to make them all consistenly use if(!var) and if(var)
   
-  The --retry-all-errors doc says "Retry on any error" which some users
-  may find misleading without the added explanation.
+  Also added a few missing warnings to the documentation.
   
-  Ref: https://curl.se/docs/faq.html#Why_do_I_get_downloaded_data_eve
-  Ref: https://curl.se/docs/faq.html#curl_doesn_t_return_error_for_HT
+  Closes #6912
+
+- tidy-up: make conditional checks more consistent
   
-  Reported-by: Lawrence Gripper
+  ... remove '== NULL' and '!= 0'
   
-  Fixes https://github.com/curl/curl/issues/6712
-  Closes https://github.com/curl/curl/pull/6720
+  Closes #6912
 
-Daniel Stenberg (11 Mar 2021)
-- travis: switch ngtcp2 build over to quictls
+- [Patrick Monnerat brought this change]
+
+  vauth: factor base64 conversions out of authentication procedures
   
-  The ngtcp2 project switched over to using the quictls OpenSSL fork
-  instead of their own patched OpenSSL. We follow suit.
+  Input challenges and returned messages are now in binary.
+  Conversions from/to base64 are performed by callers (currently curl_sasl.c
+  and http_ntlm.c).
   
-  Closes #6729
+  Closes #6654
 
-- test220/314: adjust to run with Hyper
+- [Patrick Monnerat brought this change]
 
-- c-hyper: support automatic content-encoding
+  bufref: buffer reference support
+  
+  A struct bufref holds a buffer pointer, a data size and a destructor.
+  When freed or its contents are changed, the previous buffer is implicitly
+  released by the associated destructor. The data size, although not used
+  internally, allows binary data support.
   
-  Closes #6727
-
-- http: remove superfluous NULL assign
+  A unit test checks its handling methods: test 1661
   
-  Closes #6727
+  Closes #6654
 
-- tool_operate: bail if set CURLOPT_HTTP09_ALLOWED returns error
-  
-  Closes #6727
+- [Patrick Monnerat brought this change]
 
-- setopt: error on CURLOPT_HTTP09_ALLOWED set true with Hyper
+  os400: additional support for options metadata
   
-  Not supported.
+  New functions curl_easy_option_by_name_ccsid() and
+  curl_easy_option_get_name_ccsid() allows accessing metadata in alternate
+  character encoding.
   
-  Closes #6727
-
-- test306: make it not run with Hyper
+  This commit also updates curl_version_info_ccsid() to handle info version 9
+  and adds recent definitions to the ILE/RPG include file.
   
-  ... as it tests HTTP/0.9 which Hyper doesn't support.
+  Documentation updated accordingly.
+  
+  Reviewed-by: Jon Rumsey
+  Closes #6574
 
-- test304: header CRLF cleanup to work with Hyper
+- [Patrick Monnerat brought this change]
 
-- FTP: allow SIZE to fail when doing (resumed) upload
-  
-  Added test 362 to verify.
+  test server: take care of siginterrupt() deprecation
   
-  Reported-by: Jordan Brown
-  Regression since 7ea2e1d0c5a7f (7.73.0)
-  Fixes #6715
-  Closes #6725
+  Closes #6529
 
-- configure: provide Largefile feature for curl-config
+Marc Hoersken (21 Apr 2021)
+- lib1564.c: enable last wakeup test part on Windows
   
-  ... as cmake now does it correctly, and make test1014 check for it
+  Suggested-by: Gergely Nagy
+  Reviewed-by: Jay Satiro
+  Reviewed-by: Marcel Raad
   
-  Closes #6702
+  Closes #6245
 
-- config: remove CURL_SIZEOF_CURL_OFF_T use only SIZEOF_CURL_OFF_T
+- multi: fix slow write/upload performance on Windows
   
-  Make the code consistently use a single name for the size of the
-  "curl_off_t" type.
+  Reset FD_WRITE by sending zero bytes which is permissible
+  and will be treated by implementations as successful send.
   
-  Closes #6702
-
-Jay Satiro (10 Mar 2021)
-- [Jun-ya Kato brought this change]
-
-  ngtcp2: Fix build error due to change in ngtcp2_addr_init
+  Without this we won't be notified in case a socket is still
+  writable if we already received such a notification and did
+  not send any data afterwards on the socket. This would lead
+  to waiting forever on a writable socket being writable again.
   
-  ngtcp2/ngtcp2@b8d90a9 changed the function prototype.
+  Assisted-by: Tommy Odom
+  Reviewed-by: Jay Satiro
+  Reviewed-by: Marcel Raad
+  Tested-by: tmkk on github
   
-  Closes https://github.com/curl/curl/pull/6716
-
-Daniel Stenberg (10 Mar 2021)
-- [ejanchivdorj brought this change]
+  Bug: #6146
+  Closes #6245
 
-  multi: update pending list when removing handle
+- multi: reduce Win32 API calls to improve performance
   
-  when removing a handle, most of the lists are updated but pending list
-  is not updated. Updating now.
+  1. Consolidate pre-checks into a single Curl_poll call:
   
-  Closes #6713
-
-- [kokke brought this change]
-
-  lib1536: check ptr against NULL before dereferencing it
+  This is an attempt to restructure the code in Curl_multi_wait
+  in such a way that less syscalls are made by removing individual
+  calls to Curl_socket_check via SOCKET_READABLE/SOCKET_WRITABLE.
   
-  Closes #6710
-
-- [kokke brought this change]
-
-  lib1537: check ptr against NULL before dereferencing it
+  2. Avoid resetting the WinSock event multiple times:
   
-  Fixes #6707
-  Closes #6708
-
-- travis: make torture tests skip TLS-SRP tests
+  We finally call WSAResetEvent anyway, so specifying it as
+  an optional parameter to WSAEnumNetworkEvents is redundant.
   
-  ... as it seems to often hang.
+  3. Wakeup directly in case no sockets are being monitoring:
   
-  Also: skip the "normal" tests as they're already run by many other
-  builds.
+  Fix the WinSock based implementation to skip extra waiting by
+  not sleeping in case no sockets are to be waited on and just
+  the WinSock event is being monitored for wakeup functionality.
   
-  Closes #6705
-
-- openssl: adapt to v3's new const for a few API calls
+  Assisted-by: Tommy Odom
+  Reviewed-by: Jay Satiro
+  Reviewed-by: Marcel Raad
   
-  Closes #6703
+  Bug: #6146
+  Closes #6245
 
-- quiche: fix crash when failing to connect
+- Revert "Revert 'multi: implement wait using winsock events'"
   
-  Reported-by: ウさん
-  Fixes #6664
-  Closes #6701
-
-- RELEASE-NOTES: synced
+  This reverts commit 2260e0ebe6d45529495231b3e37a0c58fb92a6a2,
+  also restoring previous follow up changes which were reverted.
   
-  Fixed the release counter and added a missing contributor
-
-- RELEASE-NOTES: synced
+  Authored-by: rcombs on github
+  Authored-by: Marc Hörsken
+  Reviewed-by: Jay Satiro
+  Reviewed-by: Marcel Raad
+  
+  Restores #5634
+  Reverts #6281
+  Part of #6245
 
-- dynbuf: bump the max HTTP request to 1MB
+Daniel Stenberg (21 Apr 2021)
+- Revert "cmake: make libcurl library output name configurable"
   
-  Raised from 128KB to allow longer request headers.
+  This reverts commit 1cba36d2166c396f987eea587cf92671b27acb92.
   
-  Reported-by: Carl Zogheib
-  Fixes #6681
-  Closes #6685
+  CMake provides properties that can be set on a target to rename the
+  output artifact without changing the name of a target.
+  
+  Ref: #6899
 
-Jay Satiro (6 Mar 2021)
-- schannel: Evaluate CURLOPT_SSL_OPTIONS via SSL_SET_OPTION macro
+- [Michael Kolechkin brought this change]
+
+  sectransp: allow cipher name to be specified
   
-  - Change use of those options from CURLOPT_SSL_OPTIONS that are not
-    already evaluated via SSL_SET_OPTION in schannel and secure transport
-    to use that instead of data->set.ssl.optname.
+  Add parser for CURLOPT_SSL_CIPHER_LIST option for Secure Transport (ST)
+  back-end. Similar to NSS and GSKit back-ends, new code parses string
+  value and configures ST library to use those ciphers for communication.
+  Create cipher spec data structure and initialize the array of specs with
+  cipher number, name, alias, and 'weak' flag.
   
-  Example:
+  Mark triple-DES ciphers as 'weak', and exclude them from the default
+  ciphers list.
   
-  Evaluate SSL_SET_OPTION(no_revoke) instead of data->set.ssl.no_revoke.
+  Closes #6464
+
+- [Michael Kolechkin brought this change]
+
+  NSS: add ciphers to map
   
-  This change is because options set via CURLOPT_SSL_OPTIONS
-  (data->set.ssl.optname) are separate from those set for HTTPS proxy via
-  CURLOPT_PROXY_SSL_OPTIONS (data->set.proxy_ssl.optname). The
-  SSL_SET_OPTION macro determines whether the connection is for HTTPS
-  proxy and based on that which option to evaluate.
+  Add cipher names to the `cipherlist` map, based on the list of ciphers
+  implemented by the NSS in the source code file
+  https://github.com/nss-dev/nss/blob/master/lib/ssl/sslenum.c
   
-  Since neither Schannel nor Secure Transport backends currently support
-  HTTPS proxy in libcurl, this change is for posterity and has no other
-  effect.
+  Closes #6670
+
+- http2: remove DEBUG_HTTP2
   
-  Closes https://github.com/curl/curl/pull/6690
+  Accidentally committed in 605e84235
 
-- [kokke brought this change]
+- [Ralph Langendam brought this change]
 
-  c-hyper: Remove superfluous pointer check
+  cmake: make libcurl library output name configurable
   
-  `n` pointer is never NULL once set. Found by static analysis.
+  Closes #6899
+
+- sws: #ifdef S_IFSOCK use
   
-  Ref: https://github.com/curl/curl/issues/6696
+  SCO OpenServer 5.0.7 does not define S_IFSOCK.
   
-  Closes https://github.com/curl/curl/pull/6697
+  Reported-by: Kevin R. Bulgrien
+  Bug: https://curl.se/mail/lib-2021-04/0074.html
+  Closes #6926
 
-- version.d: Add missing features to the features list
+- curl_setup: provide the shutdown flags wider
   
-  - Add missing entries for gsasl, Kerberos, NTLM_WB, TrackMemory,
-    Unicode and zstd.
+  By using #ifdef on the symbol names to work on anything that don't
+  provide them. SCO OpenServer 5.0.7, sys/socket.h does not define either
+  SHUT_RDWR, SHUT_RD, and SHUT_WR.
   
-  - Remove krb4 since it's no longer a feature.
+  Reported-by: Kevin R. Bulgrien
+  Bug: https://curl.se/mail/lib-2021-04/0073.html
+  Closes #6925
+
+- connect: use CURL_SA_FAMILY_T for portability
   
-  Reported-by: Ádler Jonas Gross
+  Reported-by: Kevin R. Bulgrien
+  Bug: https://curl.se/mail/lib-2021-04/0071.html
   
-  Fixes https://github.com/curl/curl/issues/6677
-  Closes https://github.com/curl/curl/pull/6687
-
-- [Vladimir Varlamov brought this change]
+  Closes #6918
 
-  docs: add missing Arg tag to --stderr
+- urlapi: make sure no +/- signs are accepted in IPv4 numericals
   
-  Prior to this change the required argument was not shown.
+  Follow-up to 56a037cc0ad1b2. Extends test 1560 to verify.
   
-  curl.1 before: --stderr
-  curl.1 after: --stderr <file>
+  Reported-by: Tuomas Siipola
+  Fixes #6916
+  Closes #6917
+
+- ConnectionExists: respect requests for h1 connections better
   
-  curl --help before:
-       --stderr        Where to redirect stderr
+  ... for situations when multiplexing isn't enabled on the h2 connection
+  and h1 is explicitly requested for the transfer.
   
-  curl --help after:
-       --stderr <file>  Where to redirect stderr
+  Assisted-by: Gergely Nagy
+
+- multi: don't close connection HTTP_1_1_REQUIRED
   
-  Closes https://github.com/curl/curl/pull/6692
+  The ConnectionExists() function will note that the new transfer wants
+  less then h2 and that it can't multiplex it and therefor opt to open a
+  new connection instead.
 
-- projects: Update VS projects for OpenSSL 1.1.x
+- http2: move the stream error field to the per-transfer storage
   
-  - Update VS project templates to use the OpenSSL lib names and include
-    directories for OpenSSL 1.1.x.
+  Storing a stream error in the per-connection struct was an error that lead to
+  race conditions as subsequent stream handling could overwrite the error code
+  before it was used for the stream with the actual problem.
   
-  This change means the VS project files will now build only with OpenSSL
-  1.1.x when an OpenSSL configuration is chosen. Prior to this change the
-  project files built only with OpenSSL 1.0.x (end-of-life) when an
-  OpenSSL configuration was chosen.
+  Closes #6910
+
+- http2: call the handle-closed function correctly on closed stream
   
-  The template changes in this commit were made by script:
+  This was this one condition where the stream could be closed due to an
+  error and the function would still wrongly just return 0 for it.
   
-  libeay32.lib => libcrypto.lib
-  ssleay32.lib => libssl.lib
-  ..\..\..\..\..\openssl\inc32 => ..\..\..\..\..\openssl\include
+  Reported-by: Gergely Nagy
+  Fixes #6862
+  Closes #6910
+
+- test1660: check the created HSTS file as text mode
   
-  And since the output directory now contains the includes it's prepended:
-  ..\..\..\..\..\openssl\build\Win{32,64}\VC{6..15}\{DLL,LIB}
-  {Debug,Release}\include
+  Closes #6922
+
+- RELEASE-NOTES: synced
+
+- test 493: require https in curl to run
   
-  - Change build-openssl.bat to copy the build's include directory to the
-    output directory (as seen above).
+  Closes #6927
+
+Jay Satiro (20 Apr 2021)
+- tool_operate: don't discard failed parallel transfer result
   
-  Each build has its own opensslconf.h which is different so we can't just
-  include the source include directory any longer.
+  - Save a parallel transfer's result code only when it fails and the
+    transfer is not being retried.
   
-  Note the include directory in the output directory is a full copy from
-  the build so technically we don't need to include the OpenSSL source
-  include directory in the template. However, I left it last in case the
-  user made a custom OpenSSL build using the old method which would put
-  opensslconf in the OpenSSL source include directory.
+  Prior to this change the result code was always set which meant that a
+  failed result could be erroneously discarded if a different transfer
+  later had a successful result (CURLE_OK).
   
-  - Change build-openssl.bat to use a temporary install directory that is
-    different from the temporary build directory.
+  Before:
   
-  For OpenSSL 1.1.x the temporary paths must be separate not a descendant
-  of the other, otherwise pdb files will be lost between builds.
+  > curl --fail -Z https://httpbin.org/status/404 https://httpbin.org/delay/10
+  > echo %ERRORLEVEL%
+  0
   
-  Ref: https://curl.se/mail/lib-2018-10/0049.html
-  Ref: https://gist.github.com/jay/125191c35bbeb894444eff827651f755
-  Ref; https://github.com/openssl/openssl/issues/10005
+  After:
   
-  Fixes https://github.com/curl/curl/issues/984
-  Closes https://github.com/curl/curl/pull/6675
+  > curl --fail -Z https://httpbin.org/status/404 https://httpbin.org/delay/10
+  > echo %ERRORLEVEL%
+  22
+  
+  Closes #xxxx
 
-- doh: Inherit CURLOPT_STDERR from user's easy handle
+- [Georeth Zhou brought this change]
+
+  openssl: fix build error with OpenSSL < 1.0.2
   
-  Prior to this change if the user set their easy handle's error stream
-  to something other than stderr it was not inherited by the doh handles,
-  which meant that they would still write to the default standard error
-  stream (stderr) for verbose output.
+  Closes https://github.com/curl/curl/pull/6920
+
+Viktor Szakats (19 Apr 2021)
+- README.md: delete Codacy UTM parameters & follow permanent redirect [ci skip]
   
-  Bug: https://github.com/curl/curl/issues/6605
-  Reported-by: arvids-kokins-bidstack@users.noreply.github.com
+  UTM parameters leak referrer and various marketing/tracking information
+  even if these would normally be stripped by website or client policy.
+  This link also works fine without them. Also took the opportunity to
+  update the URL to the one pointed to by the previous one via permanent
+  redirect.
   
-  Closes https://github.com/curl/curl/pull/6661
+  Reviewed-by: Daniel Stenberg
+  Closes #6919
 
-Marc Hoersken (1 Mar 2021)
-- CI/azure: replace python-impacket with python3-impacket
+Daniel Stenberg (19 Apr 2021)
+- urlapi: "normalize" numerical IPv4 host names
   
-  As of this month Azure DevOps uses Ubuntu 20.04 LTS which
-  no longer supports Python 2 and instead ships Python 3.
+  When the host name in a URL is given as an IPv4 numerical address, the
+  address can be specified with dotted numericals in four different ways:
+  a32, a.b24, a.b.c16 or a.b.c.d and each part can be specified in
+  decimal, octal (0-prefixed) or hexadecimal (0x-prefixed).
   
-  Closes #6678
-
-- runtests.pl: kill processes locking test log files
+  Instead of passing on the name as-is and leaving the handling to the
+  underlying name functions, which made them not work with c-ares but work
+  with getaddrinfo, this change now makes the curl URL API itself detect
+  and "normalize" host names specified as IPv4 numericals.
   
-  Introduce a new runtests.pl command option: -rm
+  The WHATWG URL Spec says this is an okay way to specify a host name in a
+  URL. RFC 3896 does not allow them, but curl didn't prevent them before
+  and it seems other RFC 3896-using tools have not either. Host names used
+  like this are widely supported by other tools as well due to the
+  handling being done by getaddrinfo and friends.
   
-  For now only required and implemented for Windows.
-  Ignore stunnel logs due to long running processes.
+  I decided to add the functionality into the URL API itself so that all
+  users of these functions get the benefits, when for example wanting to
+  compare two URLs. Also, it makes curl built to use c-ares now support
+  them as well and make curl builds more consistent.
   
-  Requires Sysinternals handle[64].exe to be on PATH.
+  The normalization makes HTTPS and virtual hosted HTTP work fine even
+  when curl gets the address specified using one of the "obscure" formats.
   
-  Reviewed-by: Jay Satiro
+  Test 1560 is extended to verify.
   
-  Ref: #6058
-  Closes #6179
+  Fixes #6863
+  Closes #6871
 
-- pathhelp.pm: fix use of pwd -L in Msys environment
-  
-  While Msys2 has a pwd binary which supports -L,
-  Msys1 only has a shell built-in with that feature.
+- libssh: fix "empty expression statement has no effect" warnings
   
-  Reviewed-by: Jay Satiro
+  ... by fixing macros to do-while constructs and moving out the calls to
+  "break" outside of the actual macro. It also fixes the problem where the
+  macro was used witin a loop and the break didn't do right.
   
-  Part of #6179
+  Reported-by: Emil Engler
+  Fixes #6847
+  Closes #6909
 
-Daniel Gustafsson (1 Mar 2021)
-- ldap: use correct memory free function
+- hsts: enable by default
   
-  unescaped is coming from Curl_urldecode and not a unicode conversion
-  function, so reclaiming its memory should be performed with a normal
-  call to free rather than curlx_unicodefree.  In reality, this is the
-  same thing as curlx_unicodefree is implemented as a call to free but
-  that's not guaranteed to always hold.  Using the curlx macro present
-  issues with memory debugging as well.
+  No longer considered experimental.
   
-  Closes #6671
-  Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
-  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+  Closes #6700
 
-- url: fix typo in comment
+- vtls: refuse setting any SSL version
   
-  Correct a small typo which snuck in with a304051620.
+  ... previously they were supported if a TLS library would (unexpectedly)
+  still support them, but from this change they will be refused already in
+  curl_easy_setopt(). SSLv2 and SSLv3 have been known to be insecure for
+  many years now.
+  
+  Closes #6773
 
-Jay Satiro (28 Feb 2021)
-- tool_help: Increase space between option and description
+- curl: ignore options asking for SSLv2 or SSLv3
   
-  - Increase the minimum number of spaces between the option and the
-    description from 1 to 2.
+  Instead output a warning about it and continue with the defaults.
   
-  Before:
-  ~~~
-   -u, --user <user:password> Server user and password
-   -A, --user-agent <name> Send User-Agent <name> to server
-   -v, --verbose       Make the operation more talkative
-   -V, --version       Show version number and quit
-   -w, --write-out <format> Use output FORMAT after completion
-       --xattr         Store metadata in extended file attributes
-  ~~~
+  These SSL versions are typically not supported by the TLS libraries since a
+  long time back already since they are inherently insecure and broken. Asking
+  for them to be used will just cause an error to be returned slightly later.
   
-  After:
-  ~~~
-   -u, --user <user:password>  Server user and password
-   -A, --user-agent <name>  Send User-Agent <name> to server
-   -v, --verbose       Make the operation more talkative
-   -V, --version       Show version number and quit
-   -w, --write-out <format>  Use output FORMAT after completion
-       --xattr         Store metadata in extended file attributes
-  ~~~
+  In the unlikely event that a user's TLS library actually still supports these
+  protocol versions, this change might make the request a little less insecure.
   
-  Closes https://github.com/curl/curl/pull/6674
+  Closes #6772
 
-Daniel Stenberg (27 Feb 2021)
-- curl: set CURLOPT_NEW_FILE_PERMS if requested
-  
-  The --create-file-mode code logic accepted the value but never actually
-  passed it on to libcurl!
+- test972: verify the json output with jsonlint
   
-  Follow-up to a7696c73436f (shipped in 7.75.0)
-  Reported-by: Johannes Lesr
-  Fixes #6657
-  Closes #6666
-
-- tool_operate: check argc before accessing argv[1]
+  Make sure one of the azure jobs has jsonlint installed so that the test
+  runs there.
   
-  Follow-up to 09363500b
-  Reported-by: Emil Engler
-  Reviewed-by: Daniel Gustafsson
-  Closes #6668
+  Ref: #6905
 
-Daniel Gustafsson (26 Feb 2021)
-- [Jean-Philippe Menil brought this change]
+- [Jay Satiro brought this change]
 
-  openssl: remove get_ssl_version_txt in favor of SSL_get_version
-  
-  openssl: use SSL_get_version to get connection protocol
+  tool_writeout: fix the HTTP_CODE json output
   
-  Replace our bespoke get_ssl_version_txt in favor of SSL_get_version.
-  We can get rid of few lines of code, since SSL_get_version achieve
-  the exact same thing
+  Update test 970 accordingly.
   
-  Closes #6665
-  Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
-  Signed-off-by: Jean-Philippe Menil <jpmenil@gmail.com>
+  Reported-by: Michal Rus
+  Fixes #6905
+  Closes #6906
 
-- gnutls: Fix nettle discovery
-  
-  Commit e06fa7462ac258c removed support for libgcrypt leaving only
-  support for nettle which has been the default crypto library in
-  GnuTLS for a long time. There were however a few conditionals on
-  USE_GNUTLS_NETTLE which cause compilation errors in the metalink
-  code (as it used the gcrypt fallback instead as a result). See the
-  below autobuild for an example of the error:
+- openldap: protect SSL-specific code with proper #ifdef
   
-    https://curl.se/dev/log.cgi?id=20210225123226-30704#prob1
+  Closes #6901
+
+- libssh2: fix Value stored to 'sshp' is never read
   
-  This removes all uses of USE_GNUTLS_NETTLE and also removes the
-  gcrypt support from the metalink code while at it.
+  Pointed out by scan-build
   
-  Closes #6656
-  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+  Closes #6900
 
-- cookies: Support multiple -b parameters
+- [Victor Vieux brought this change]
+
+  tool_getparam: replace (in-place) '%20' by '+' according to RFC1866
   
-  Previously only a single -b cookie parameter was supported with the last
-  one winning.  This adds support for supplying multiple -b params to have
-  them serialized semicolon separated.  Both cookiefiles and cookies can be
-  entered multiple times.
+  Signed-off-by: Victor Vieux <victorvieux@gmail.com>
   
-  Closes #6649
-  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+  Closes #6895
 
-Daniel Stenberg (25 Feb 2021)
-- build: remove all traces of USE_BLOCKING_SOCKETS
+- configure: provide --with-openssl, deprecate --with-ssl
   
-  libcurl doesn't behave properly with the define set
+  Makes the option more explicit.
   
-  Closes #6655
+  Closes #6887
 
 - RELEASE-NOTES: synced
-
-Daniel Gustafsson (25 Feb 2021)
-- docs: Fix typos
   
-  Random typos spotted when skimming docs.
+  and bumped curlver to 7.77.0
+
+- [Javier Blazquez brought this change]
 
-- cookies: Use named parameters in header prototypes
+  rustls: only return CURLE_AGAIN when TLS session is fully drained
   
-  Align header with project style of using named parameters in the
-  function prototypes to aid readability and self-documentation.
+  The code in cr_recv was returning prematurely as soon as the socket
+  reported no more data to read. However, this could be leaving some
+  unread plaintext data in the rustls session from a previous call,
+  causing causing the transfer to hang if the socket never receives
+  further data.
   
-  Closes #6653
-  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+  We need to ensure that the session is fully drained of plaintext data
+  before returning CURLE_AGAIN to the caller.
+  
+  Reviewed-by: Jacob Hoffman-Andrews
+  Closes #6894
 
-Daniel Stenberg (24 Feb 2021)
-- urldata: make 'actions[]' use unsigned char instead of int
+- cookie: CURLOPT_COOKIEFILE set to NULL switches off cookies
   
-  ... as it only needs a few bits per index anyway.
+  Add test 676 to verify that setting CURLOPT_COOKIEFILE to NULL again clears
+  the cookiejar from memory.
   
-  Reviewed-by: Daniel Gustafsson
-  Closes #6648
+  Reported-by: Stefan Karpinski
+  Fixes #6889
+  Closes #6891
 
-- configure: fail if --with-quiche is used and quiche isn't found
+Version 7.76.1 (14 Apr 2021)
+
+Daniel Stenberg (14 Apr 2021)
+- RELEASE-NOTES: synced
   
-  Closes #6652
+  curl 7.76.1 release
 
-- [Gregor Jasny brought this change]
+- THANKS: add names from 7.76.1
 
-  cmake: use CMAKE_INSTALL_INCLUDEDIR indirection
-  
-  Reviewed-by: Sergei Nikulov
-  Closes #6440
+- misc: update copyright year ranges to match latest updates
 
-Viktor Szakats (23 Feb 2021)
-- mingw: enable using strcasecmp()
-  
-  This makes the 'Features:' list sorted case-insensitively,
-  bringing output in-line with *nix builds.
-  
-  Reviewed-by: Jay Satiro
-  Closes #6644
+- [Tatsuhiro Tsujikawa brought this change]
 
-- build: delete unused feature guards
-  
-  - `HAVE_STRNCASECMP`
-  - `HAVE_TCGETATTR`
-  - `HAVE_TCSETATTR`
+  ngtcp2: Use ALPN h3-29 for now
   
-  Reviewed-by: Jay Satiro
-  Reviewed-by: Daniel Stenberg
-  Closes #6645
+  Fixes #6864
+  Cloes #6886
 
-Jay Satiro (23 Feb 2021)
-- docs: add CURLOPT_CURLU to 'See also' in curl_url_ functions
+Jay Satiro (11 Apr 2021)
+- TODO: remove 18.22 --fail-with-body
   
-  Closes https://github.com/curl/curl/pull/6639
+  --fail-with-body was added in 8a964cb (precedes curl-7_76_0).
 
-Daniel Stenberg (23 Feb 2021)
-- [Jacob Hoffman-Andrews brought this change]
+Daniel Stenberg (10 Apr 2021)
+- [Jürgen Gmach brought this change]
 
-  configure: make hyper opt-in, and fail if missing
-  
-  Previously, configure would look for hyper by default, and use it if
-  found; otherwise it would not use hyper, and not error.
-  
-  Now, configure will not look for hyper unless --with-hyper is passed. If
-  configure looks for hyper and fails, it will error.
-  
-  Also, add -ld -lpthread -lm to Hyper's libs. I think they are required.
+  src/tool_vms.c: remove duplicated word in comment
   
-  Closes #6598
+  Closes #6881
 
-- multi: do once-per-transfer inits in before_perform in DID state
-  
-  ... since the state machine might go to RATELIMITING and then back to
-  PERFORMING doing once-per-transfer inits in that function is wrong and
-  it caused problems with receiving chunked HTTP and it set the
-  PRETRANSFER time much too often...
+- configure: fix CURL_DARWIN_CFLAGS use
   
-  Regression from b68dc34af341805aeb7b3715 (shipped in 7.75.0)
+  The macro name change was not completely done.
   
-  Reported-by: Amaury Denoyelle
-  Fixes #6640
-  Closes #6641
+  Follow-up to 5d2c384452543c
+  Bug: https://github.com/curl/curl/commit/5d2c384452543c7b6c9fb02eaa0afc84fd5ab941#commitcomment-49315187
+  Reported-by: Marcel Raad
+  Closes #6878
 
-- RELEASE-NOTES: synced
+- [Anthony Shaw brought this change]
 
-- CODE_STYLE.md: fix broken link to INTERNALS
+  github/workflow: add "security-extended" to codeql-analysis.yml
   
-  ... the link would only work if browsed on GitHub, while this link now
-  takes the user to the website instead and thus should work on either.
+  Extends the CodeQL code scan.
   
-  Reported-by: David Demelier
+  Closes #6815
 
-- curl_url_set.3: mention CURLU_PATH_AS_IS
-  
-  ... it has been supported since the URL API was added.
-  
-  Bug: https://curl.se/mail/lib-2021-02/0046.html
-  
-  Closes #6638
+- [Jochem Broekhoff brought this change]
 
-Viktor Szakats (21 Feb 2021)
-- time: enable 64-bit time_t in supported mingw environments
-  
-  (Unless 32-bit `time_t` is selected manually via the `_USE_32BIT_TIME_T`
-  mingw macro.)
+  examples/hiperfifo.c: check event_initialized before delete
   
-  Previously, 64-bit `time_t` was enabled on VS2005 and newer only, and
-  32-bit `time_t` was used on all other Windows builds.
+  If event_del is called with the event struct (still) zeroed out, a
+  segmentation fault may occur.  event_initialized checks whether the
+  event struct is nonzero.
   
-  Assisted-by: Jay Satiro
-  Closes #6636
+  Closes #6876
 
-Jay Satiro (20 Feb 2021)
-- test1188: Check for --fail HTTP status
-  
-  - Change the test to check for curl error on HTTP 404 Not Found.
-  
-  test1188 tests "--write-out with %{onerror} and %{urlnum} to stderr".
-  Prior to this change it did that by specifying a non-existent host which
-  would cause an error. ISPs may hijack DNS and resolve non-existent hosts
-  so the test would not work if that was the case.
-  
-  Ref: https://en.wikipedia.org/wiki/DNS_hijacking#Manipulation_by_ISPs
-  Ref: https://github.com/curl/curl/issues/6621
-  Ref: https://github.com/curl/curl/pull/6623
-  
-  Closes https://github.com/curl/curl/pull/6637
+- [Patrick Monnerat brought this change]
 
-- memdebug: close debug logfile explicitly on exit
-  
-  - Use atexit to register a dbg cleanup function that closes the logfile.
-  
-  LeakSantizier (LSAN) calls _exit() instead of exit() when a leak is
-  detected on exit so the logfile must be closed explicitly or data could
-  be lost. Though _exit() does not call atexit handlers such as this,
-  LSAN's call to _exit() comes after the atexit handlers are called.
+  ntlm: fix negotiated flags usage
   
-  Prior to this change the logfile was not explicitly closed so it was
-  possible that if LSAN detected a leak and called _exit (which does
-  not flush or close files like exit) then the logfile could be missing
-  data. That could then cause curl's memanalyze to report false leaks
-  (eg a malloc was recorded to the logfile but the corresponding free was
-  discarded from the buffer instead of written to the logfile, then
-  memanalyze reports that as a leak).
+  According to Microsoft document MS-NLMP, current flags usage is not
+  accurate: flag NTLMFLAG_NEGOTIATE_NTLM2_KEY controls the use of
+  extended security in an NTLM authentication message and NTLM version 2
+  cannot be negotiated within the protocol.
   
-  Ref: https://github.com/google/sanitizers/issues/1374
+  The solution implemented here is: if the extended security flag is set,
+  prefer using NTLM version 2 (as a server featuring extended security
+  should also support version 2). If version 2 has been disabled at
+  compile time, use extended security.
   
-  Bug: https://github.com/curl/curl/pull/6591#issuecomment-780396541
+  Tests involving NTLM are adjusted to this new behavior.
   
-  Closes https://github.com/curl/curl/pull/6620
+  Fixes #6813
+  Closes #6849
 
-- curl_multibyte: always return a heap-allocated copy of string
-  
-  - Change the Windows char <-> UTF-8 conversion functions to return an
-    allocated copy of the passed in string instead of the original.
-  
-  Prior to this change the curlx_convert_ functions would, as what I
-  assume was an optimization, not make a copy of the passed in string if
-  no conversion was required. No conversion is required in non-UNICODE
-  Windows builds since our tchar strings are type char and remain in
-  whatever the passed in encoding is, which is assumed to be UTF-8 but may
-  be other encoding.
-  
-  In contrast the UNICODE Windows builds require conversion
-  (wchar <-> char) and do return a copy. That inconsistency could lead to
-  programming errors where the developer expects a copy, and does not
-  realize that won't happen in all cases.
-  
-  Closes https://github.com/curl/curl/pull/6602
+- [Patrick Monnerat brought this change]
 
-Viktor Szakats (19 Feb 2021)
-- http: add new files missed from referrer commit
+  ntlm: support version 2 on 32-bit platforms
   
-  Ref: 44872aefc2d54f297caf2b0cc887df321bc9d791
-  Ref: #6591
+  Closes #6849
 
-- http: add support to read and store the referrer header
-  
-  - add CURLINFO_REFERER libcurl option
-  - add --write-out '%{referer}' command-line option
-  - extend --xattr command-line option to fill user.xdg.referrer.url extended
-    attribute with the referrer (if there was any)
-  
-  Closes #6591
+- [Patrick Monnerat brought this change]
 
-Daniel Stenberg (19 Feb 2021)
-- urldata: remove the _ORIG suffix from string names
+  curl_ntlm_core.h: simplify conditionals for USE_NTLM2SESSION
   
-  It doesn't provide any useful info but only makes the names longer.
+  ... as !defined(CURL_DISABLE_CRYPTO_AUTH) is a prerequisite for the
+  whole NTLM.
   
-  Closes #6624
+  Closes #6849
 
-- url: fix memory leak if OOM in the HSTS handling
-  
-  Reported-by: Viktor Szakats
-  Bug: https://github.com/curl/curl/pull/6627#issuecomment-781626205
+- lib: remove unused HAVE_INET_NTOA_R* defines
   
-  Closes #6628
+  Closes #6867
+
+- [Michael Forney brought this change]
 
-- gnutls: assume nettle crypto support
+  configure: include <time.h> unconditionally
   
-  nettle has been the default crypto library with GnuTLS since 2010. By
-  dropping support for the previous libcrypto, we simplify code.
+  In 2682e5f5, several instances of AC_HEADER_TIME were removed since
+  it is a deprecated autoconf macro. However, this was the macro that
+  defined TIME_WITH_SYS_TIME, which was used to indicate that <time.h>
+  can be included alongside <sys/time.h>. TIME_WITH_SYS_TIME is still
+  used in the configure test body and since it is no longer defined,
+  <time.h> is *not* included on systems that have <sys/time.h>.
   
-  Closes #6625
-
-- asyn-ares: use consistent resolve error message
+  In particular, at least on musl libc and glibc, <sys/time.h> does
+  not implicitly include <time.h> and does not declare clock_gettime,
+  gmtime_r, or localtime_r. This causes configure to fail to detect
+  those functions.
   
-  ... with the help of Curl_resolver_error() which now is moved from
-  asyn-thead.c and is provided globally for this purpose.
+  The AC_HEADER_TIME macro deprecation text says
   
-  Follow-up to 35ca04ce1b77636
+  > All current systems provide time.h; it need not be checked for.
+  > Not all systems provide sys/time.h, but those that do, all allow
+  > you to include it and time.h simultaneously.
   
-  Makes test 1188 work for c-ares builds
+  So, to fix this issue, simply include <time.h> unconditionally when
+  testing for time-related functions and in libcurl, and don't bother
+  checking for it.
   
-  Closes #6626
+  Closes #6859
 
-Viktor Szakats (18 Feb 2021)
-- ci: stop building on freebsd-12-1
+- [Michael Forney brought this change]
+
+  configure: remove use of RETSIGTYPE
   
-  An updated freebsd-12-2 image was added a few months ago, and this
-  older one is consistently failing to go past `pkginstall`:
-  ```
-  Newer FreeBSD version for package py37-mlt:
-  To ignore this error set IGNORE_OSVERSION=yes
-  - package: 1202000
-  - running kernel: 1201000
-  Ignore the mismatch and continue? [Y/n]: pkg: repository FreeBSD contains packages for wrong OS version: FreeBSD:12:amd64
-  ```
+  This was previously defined by the obsolete AC_TYPE_SIGNAL macro,
+  which was removed in 2682e5f5. The deprecation text says
   
-  FreeBSD thread suggests that 12.1 is EOL, and best to avoid.
+  > Your code may safely assume C89 semantics that RETSIGTYPE is void.
   
-  Ref: https://forums.freebsd.org/threads/78856/
+  So, remove it and just use void instead.
   
-  Reviewed-by: Daniel Stenberg
-  Closes #6622
+  Closes #6861
 
-Daniel Stenberg (18 Feb 2021)
-- test1188: change error from connect to resolve error
-  
-  Using the %NOLISTENPORT to trigger a connection failure is somewhat
-  "risky" (since it isn't guaranteed to not be listened to) and caused
-  occasional CI problems. This fix changes the infused error to be a more
-  reliable one but still verifies the --write-out functionality properly -
-  which is the purpose of this test.
-  
-  Reported-by: Jay Satiro
-  Fixes #6621
-  Closes #6623
+- [Muhammed Yavuz Nuzumlalı brought this change]
 
-- url.c: use consistent error message for failed resolve
+  install: add instructions for Apple Darwin platforms
+  
+  Closes #6860
 
-- BUGS: language polish
+- [Muhammed Yavuz Nuzumlalı brought this change]
 
-- wolfssl: don't store a NULL sessionid
-  
-  This caused a memory leak as the session id cache entry was still
-  erroneously stored with a NULL sessionid and that would later be treated
-  as not needed to get freed.
+  configure: disable min version set for Darwin
   
-  Reported-by: Gisle Vanem
-  Fixes #6616
-  Closes #6617
+  Fixes #6838
+  Closes #6860
 
-- parse_proxy: fix a memory leak in the OOM path
-  
-  Reported-by: Jay Satiro
-  Reviewed-by: Jay Satiro
-  Reviewed-by: Emil Engler
-  
-  Closes #6614
-  Bug: https://github.com/curl/curl/pull/6591#issuecomment-780396541
+- [David Hu brought this change]
 
-Jay Satiro (17 Feb 2021)
-- url: fix possible use-after-free in default protocol
-  
-  Prior to this change if the user specified a default protocol and a
-  separately allocated non-absolute URL was used then it was freed
-  prematurely, before it was then used to make the replacement URL.
+  docs/HTTP3.md: update the build instruction using gnutls
   
-  Bug: https://github.com/curl/curl/issues/6604#issuecomment-780138219
-  Reported-by: arvids-kokins-bidstack@users.noreply.github.com
+  In ngtcp2 the `with-gnutls` option is disabled by default, which will
+  cause `curl` unable to be `make` because of lacking the libraries
+  needed.
   
-  Closes https://github.com/curl/curl/pull/6613
+  Closes #6857
 
-Daniel Stenberg (16 Feb 2021)
-- multi: rename the multi transfer states
-  
-  While working on documenting the states it dawned on me that step one is
-  to use more descriptive names on the states. This also changes prefix on
-  the states to make them shorter in the source.
-  
-  State names NOT ending with *ing are transitional ones.
-  
-  Closes #6612
+- RELEASE-NOTES: synced
 
-Viktor Szakats (16 Feb 2021)
-- http: do not add a referrer header with empty value
+- typecheck-gcc: make the ssl-ctx-cb check use SSL_CTX pointers
   
-  Previously an empty 'Referer:' header was added to the HTTP request when
-  passing `--referer ';auto'` or `--referer ''` on the command-line. This
-  patch makes `--referer` work like `--header 'Referer:'` and will only add
-  the header if it has a non-zero length value.
+  ... and not values.
   
-  Reviewed-by: Jay Satiro
-  Closes #6610
+  Reported-by: locpyl-tidnyd on github
+  Fixes #6818
+  Closes #6819
 
-Daniel Stenberg (16 Feb 2021)
-- lib: remove 'conn->data' completely
+- ngtcp2+gnutls: clear credentials when freed
   
-  The Curl_easy pointer struct entry in connectdata is now gone. Just
-  before commit 215db086e0 landed on January 8, 2021 there were 919
-  references to conn->data.
+  ... to avoid double-free.
   
-  Closes #6608
+  Reported-by: Kenneth Davidson
+  Fixes #6824
+  Closes #6856
 
-- openldap: pass 'data' to the callbacks instead of 'conn'
+Jay Satiro (5 Apr 2021)
+- [Cherish98 brought this change]
 
-Jay Satiro (15 Feb 2021)
-- doh: Fix sharing user's resolve list with DOH handles
-  
-  - Share the shared object from the user's easy handle with the DOH
-    handles.
+  tool_progress: Fix progress meter in parallel mode
   
-  Prior to this change if the user had set a shared object with shared
-  cached DNS (CURL_LOCK_DATA_DNS) for their easy handle then that wasn't
-  used by any associated DOH handles, since they used the multi's default
-  hostcache.
+  Make sure the total amount of DL/UL bytes are counted before the
+  transfer finalizes. Otherwise if a transfer finishes too quick, its
+  total numbers are not added, and results in a DL%/UL% that goes above
+  100%.
   
-  This change means all the handles now use the same hostcache, which is
-  either the shared hostcache from the user created shared object if it
-  exists or if not then the multi's default hostcache.
+  Detail:
   
-  Reported-by: Manuj Bhatia
+  progress_meter() is called periodically, and it may not catch a
+  transfer's total bytes if the value was unknown during the last call,
+  and the transfer is finished and deleted (i.e., lost) during the next
+  call.
   
-  Fixes https://github.com/curl/curl/issues/6589
-  Closes https://github.com/curl/curl/pull/6607
+  Closes https://github.com/curl/curl/pull/6840
 
-Daniel Stenberg (15 Feb 2021)
-- http2: remove conn->data use
-  
-  ... but instead use a private alternative that points to the "driving
-  transfer" from the connection. We set the "user data" associated with
-  the connection to be the connectdata struct, but when we drive transfers
-  the code still needs to know the pointer to the transfer. We can change
-  the user data to become the Curl_easy handle, but with older nghttp2
-  version we cannot dynamically update that pointer properly when
-  different transfers are used over the same connection.
-  
-  Closes #6520
+- [Emil Engler brought this change]
 
-- openssl: remove conn->data use
-  
-  We still make the trace callback function get the connectdata struct
-  passed to it, since the callback is anchored on the connection.
-  
-  Repeatedly updating the callback pointer to set 'data' with
-  SSL_CTX_set_msg_callback_arg() doesn't seem to work, probably because
-  there might already be messages in the queue with the old pointer.
+  libssh: get rid of PATH_MAX
   
-  This code therefore makes sure to set the "logger" handle before using
-  OpenSSL calls so that the right easy handle gets used for tracing.
+  This removes the last occurrence of PATH_MAX inside our libssh
+  implementation by calculating the path length from the string length of
+  the two components.
   
-  Closes #6522
-
-- RELEASE-NOTES: synced
+  Closes #6829
 
-Jay Satiro (14 Feb 2021)
-- doh: add options to disable ssl verification
+Daniel Stenberg (5 Apr 2021)
+- http_proxy: only loop on 407 + close if we have credentials
   
-  - New libcurl options CURLOPT_DOH_SSL_VERIFYHOST,
-    CURLOPT_DOH_SSL_VERIFYPEER and CURLOPT_DOH_SSL_VERIFYSTATUS do the
-    same as their respective counterparts.
+  ... to fix the retry-loop.
   
-  - New curl tool options --doh-insecure and --doh-cert-status do the same
-    as their respective counterparts.
+  Add test 718 to verify.
   
-  Prior to this change DOH SSL certificate verification settings for
-  verifyhost and verifypeer were supposed to be inherited respectively
-  from CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER, but due to a bug
-  were not. As a result DOH verification remained at the default, ie
-  enabled, and it was not possible to disable. This commit changes
-  behavior so that the DOH verification settings are independent and not
-  inherited.
+  Reported-by: Daniel Kurečka
+  Fixes #6828
+  Closes #6850
+
+- h2: allow 100 streams by default
   
-  Ref: https://github.com/curl/curl/pull/4579#issuecomment-554723676
+  instead of 13, before the server has told how many streams it
+  accepts. The server can always reject new streams anyway if we go above
+  what it accepts.
   
-  Fixes https://github.com/curl/curl/issues/4578
-  Closes https://github.com/curl/curl/pull/6597
+  Ref: #6826
+  Closes #6852
 
-- hostip: fix crash in sync resolver builds that use DOH
+- [Luke Granger-Brown brought this change]
+
+  file: support GETing directories again
   
-  - Guard some Curl_async accesses with USE_CURL_ASYNC instead of
-    !CURLRES_SYNCH.
+  After 957bc1881e686f9714c4e6a01bf33535091f0e21, we no longer compute an
+  expected_size for directories. This has the upshot that when we compare
+  even an empty Range with the available size, we fail.
   
-  This is another follow-up to 8335c64 which moved the async struct from
-  the connectdata struct into the Curl_easy struct. A previous follow-up
-  6cd167a fixed building for sync resolver by guarding some async struct
-  accesses with !CURLRES_SYNCH. The problem is since DOH (DNS-over-HTTPS)
-  is available as an asynchronous secondary resolver the async struct may
-  be used even when libcurl is built for the sync resolver. That means
-  that CURLRES_SYNCH and USE_CURL_ASYNC may be defined at the same time.
+  This brings back the previous behaviour, which was to succeed, but with
+  empty content. This also removes the "Accept-ranges: bytes" header,
+  which is nonsensical on directories.
   
-  Closes https://github.com/curl/curl/pull/6603
+  Adds test 3016
+  Fixes #6845
+  Closes #6846
 
-Daniel Stenberg (13 Feb 2021)
-- KNOWN_BUGS: cannot enable LDAPS on Windows with cmake
+- RELEASE-NOTES: synced
   
-  Reported-by: Jack Boos Yu
-  Closes #6284
+  and bumped to 7.76.1
 
-- KNOWN_BUGS: Excessive HTTP/2 packets with TCP_NODELAY
+- TLS: fix HTTP/2 selection
   
-  Reported-by: Alex Xu
-  Closes #6363
+  for GnuTLS, BearSSL, mbedTLS, NSS, SChannnel, Secure Transport and
+  wolfSSL...
+  
+  Regression since 88dd1a8a115b1f5ece (shipped in 7.76.0)
+  Reported-by: Kenneth Davidson
+  Reported-by: romamik om github
+  Fixes #6825
+  Closes #6827
 
-- http: use credentials from transfer, not connection
+Jay Satiro (2 Apr 2021)
+- hostip: Fix for builds that disable all asynchronous DNS
   
-  HTTP auth "accidentally" worked before this cleanup since the code would
-  always overwrite the connection credentials with the credentials from
-  the most recent transfer and since HTTP auth is typically done first
-  thing, this has not been an issue. It was still wrong and subject to
-  possible race conditions or future breakage if the sequence of functions
-  would change.
+  - Define Curl_resolver_error function only when USE_CURL_ASYNC.
   
-  The data.set.str[] strings MUST remain unmodified exactly as set by the
-  user, and the credentials to use internally are instead set/updated in
-  state.aptr.*
+  Prior to this change building curl without an asynchronous resolver
+  backend (c-ares or threaded) and without DoH (DNS-over-HTTPS, which is
+  also asynchronous but independent of resolver backend) would cause a
+  build error since Curl_resolver_error is called by and evaluates
+  variables only available in asynchronous builds.
   
-  Added test 675 to verify different credentials used in two requests done
-  over a reused HTTP connection, which previously behaved wrongly.
+  Reported-by: Benbuck Nason
   
-  Fixes #6542
-  Closes #6545
+  Fixes https://github.com/curl/curl/issues/6831
+  Closes https://github.com/curl/curl/pull/6832
 
-- test433: clear some home dir env variables
-  
-  Follow-up to bd6b54ba1f55b5
-  
-  ... so that XDG_CONFIG_HOME is the only home dir variable set and thus
-  used correctly in the test!
+Daniel Stenberg (31 Mar 2021)
+- [Gilles Vollant brought this change]
+
+  openssl: Fix CURLOPT_SSLCERT_BLOB without CURLOPT_SSLCERT_KEY
   
-  Fixes #6599
-  Closes #6600
+  Reported-by: Christian Schmitz
+  Fixes #6816
+  Closes #6820
 
+Version 7.76.0 (31 Mar 2021)
+
+Daniel Stenberg (31 Mar 2021)
 - RELEASE-NOTES: synced
   
-  bumped the version to 7.76.0
+  curl 7.76.0 release
 
-- travis: install libgsasl-dev to add that to the builds
-  
-  Closes #6588
+- THANKS: added names from 7.76.0
 
-- urldata: don't touch data->set.httpversion at run-time
-  
-  Rename it to 'httpwant' and make a cloned field in the state struct as
-  well for run-time updates.
-  
-  Also: refuse non-supported HTTP versions. Verified with test 129.
+- CURLOPT_AUTOREFERER.3: clarify that it sets the full URL
   
-  Closes #6585
+  ... some users may not want that!
 
-Viktor Szakats (11 Feb 2021)
-- tests: disable .curlrc in more environments
+- define: remove CURL_DISABLE_NTLM ifdefs
   
-  by also setting CURL_HOME and XDG_CONFIG_HOME envvars to the local
-  directory.
+  It was never defined anywhere. Fixed disable-scan (test 1165) to also
+  scan headers, which found this issue.
   
-  Reviewed-by: Daniel Stenberg
-  Fixes #6595
-  Closes #6596
+  Closes #6809
 
-- docs/Makefile.inc: format to be update-friendly
-  
-  - one source file per line
-  - convert tabs to spaces
-  - do not align line-continuation backslashes
-  - sort source files alphabetically
+- vtls: fix addsessionid for non-proxy builds
   
-  Reviewed-by: Daniel Stenberg
-  Closes #6593
+  Follow-up to b09c8ee15771c61
+  Fixes #6812
+  Closes #6811
 
-Daniel Stenberg (11 Feb 2021)
-- curl: provide libgsasl version and feature info in -V output
-  
-  Closes #6592
+- [Li Xinwei brought this change]
 
-- gsasl: provide CURL_VERSION_GSASL if built-in
-  
-  To let applications know the feature is available.
+  cmake: support WinIDN
   
-  Closes #6592
+  Closes #6807
 
-- curl: add --fail-with-body
+- transfer: clear 'referer' in declaration
   
-  Prevent both --fail and --fail-with-body on the same command line.
+  To silence (false positive) compiler warnings about it.
   
-  Verify with test 349, 360 and 361.
+  Follow-up to 7214288898f5625
   
-  Closes #6449
+  Reviewed-by: Marcel Raad
+  Closes #6810
 
-- TODO: remove HSTS
-  
-  Provided now since commit 7385610d0c74
+- [Marc Hoersken brought this change]
 
-Jay Satiro (10 Feb 2021)
-- tests: Fix tests failing due to change in curl --help
-  
-  Follow-up to parent 3183217 which added add missing <mode> argument to
-  --create-file-mode <mode>.
+  config: fix SSPI enabling NTLM if crypto auth is disabled
   
-  Ref: https://github.com/curl/curl/issues/6590
-
-- tool_help: add missing argument for --create-file-mode
+  Avoid enabling NTLM feature based upon Windows SSPI
+  being enabled in case that crypto auth is disabled.
   
-  Prior to this change the required argument was not shown in curl --help.
+  Reported-by: Marcel Raad
   
-  before:
-       --create-file-mode File mode for created files
+  Follow-up to #6277
+  Fixes #6803
+  Closes #6808
+
+- HISTORY: add two 2021 events
+
+- vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid()
   
-  after:
-       --create-file-mode <mode> File mode (octal) for created files
+  To make sure we set and extract the correct session.
   
-  Reported-by: ZimCodes@users.noreply.github.com
+  Reported-by: Mingtao Yang
+  Bug: https://curl.se/docs/CVE-2021-22890.html
   
-  Fixes https://github.com/curl/curl/issues/6590
+  CVE-2021-22890
 
-- create-file-mode.d: add missing Arg tag
-  
-  Prior to this change the required argument was not shown.
+- [Viktor Szakats brought this change]
+
+  transfer: strip credentials from the auto-referer header field
   
-  curl.1 before: --create-file-mode
-  curl.1 after: --create-file-mode <mode>
+  Added test 2081 to verify.
   
-  Reported-by: ZimCodes@users.noreply.github.com
+  CVE-2021-22876
   
-  Fixes https://github.com/curl/curl/issues/6590
+  Bug: https://curl.se/docs/CVE-2021-22876.html
 
-Viktor Szakats (10 Feb 2021)
-- gsasl: fix errors/warnings building against libgsasl
-  
-  - also fix an indentation
-  - make Curl_auth_gsasl_token() use CURLcode (by Daniel Stenberg)
+- curl_sasl: fix compiler error with --disable-crypto-auth
   
-  Ref: https://github.com/curl/curl/pull/6372#issuecomment-776118711
-  Ref: https://github.com/curl/curl/pull/6588
+  ... if libgsasl was found.
   
-  Reviewed-by: Jay Satiro
-  Assisted-by: Daniel Stenberg
-  Reviewed-by: Simon Josefsson
-  Closes #6587
+  Closes #6806
+
+- [Patrick Monnerat brought this change]
 
-- Makefile.m32: add support for libgsasl dependency
+  ldap: only set the callback ptr for TLS context when TLS is used
   
-  Reviewed-by: Marcel Raad
-  Closes #6586
+  Follow-up to a5eee22e594c2460f
+  Fixes #6804
+  Closes #6805
 
-Marcel Raad (10 Feb 2021)
-- ngtcp2: clarify calculation precedence
+- copyright: update copyright year ranges to 2021
   
-  As suggested by Codacy/cppcheck.
+  Reviewed-by: Emil Engler
+  Closes #6802
+
+- send_speed: simplify the checks for if a speed limit is set
   
-  Closes https://github.com/curl/curl/pull/6576
+  ... as we know the value cannot be set to negative: enforced by
+  setopt()
 
-- server: remove redundant condition
+- http: cap body data amount during send speed limiting
   
-  `end` is always non-null here.
+  By making sure never to send off more than the allowed number of bytes
+  per second the speed limit logic is given more room to actually work.
   
-  Closes https://github.com/curl/curl/pull/6576
+  Reported-by: Fabian Keil
+  Bug: https://curl.se/mail/lib-2021-03/0042.html
+  Closes #6797
 
-- lib: remove redundant code
+- urldata: merge "struct DynamicStatic" into "struct UrlState"
   
-  Closes https://github.com/curl/curl/pull/6576
-
-- mqttd: remove unused variable
+  Both were used for the same purposes and there was no logical separation
+  between them. Combined, this also saves 16 bytes in less holes in my
+  test build.
   
-  Closes https://github.com/curl/curl/pull/6576
+  Closes #6798
 
-- tool_paramhlp: reduce variable scope
+- tests/README.md: mentioned that en_US.UTF-8 is required
   
-  Closes https://github.com/curl/curl/pull/6576
+  Reported-by: Oumph on github
+  Fixes #6768
 
-- tests: reduce variable scopes
+- HISTORY: fixed the Mac OS X 10.1 release date
   
-  Closes https://github.com/curl/curl/pull/6576
+  Based on what Wikipedia says
 
-- lib: reduce variable scopes
+Jay Satiro (26 Mar 2021)
+- examples: Remove threaded-shared-conn.c due to bug
   
-  Closes https://github.com/curl/curl/pull/6576
-
-- ftp: fix Codacy/cppcheck warning about null pointer arithmetic
+  Known bug 11.11 is the shared object's connection cache is not thread
+  safe, so we should not have an example for it.
   
-  Increment `bytes` only if it is non-null.
+  Ref: https://github.com/curl/curl/issues/4915
+  Ref: https://curl.se/docs/knownbugs.html#A_shared_connection_cache_is_not
   
-  Closes https://github.com/curl/curl/pull/6576
-
-Daniel Stenberg (9 Feb 2021)
-- ngtcp2: adapt to the new recv_datagram callback
+  Closes https://github.com/curl/curl/pull/6795
 
-- quiche: fix build error: use 'int' for port number
+- KNOWN_BUGS: Update 11.9 - DoH option inheritance
   
-  Follow-up to cb2dc1ba8
-
-- ftp: add 'list_only' to the transfer state struct
+  - Add description: Explain that some options aren't inherited because
+    they are not relevant for the DoH SSL connections or may result in
+    unexpected behavior.
   
-  and rename it from 'ftp_list_only' since it is also used for SSH and
-  POP3. The state is updated internally for 'type=D' FTP URLs.
+  - Remove the reference to #4578 (SSL verify options not inherited) since
+    that was fixed by #6597 (separate DoH-specific options for verify).
+  
+  - Explain that DoH-specific options (those created by #6597) are
+    available: CURLOPT_DOH_SSL_VERIFYHOST, CURLOPT_DOH_SSL_VERIFYPEER and
+    CURLOPT_DOH_SSL_VERIFYSTATUS.
   
-  Added test case 1570 to verify.
+  - Add a reference to #6605 and explain that the user's debug function is
+    not inherited because it would be unexpected to pass internal handles
+    (ie DoH handles) to the user's callback.
   
-  Closes #6578
+  Closes https://github.com/curl/curl/issues/6605
+
+Daniel Stenberg (26 Mar 2021)
+- curl_easy_setopt.3: add curl_easy_option* functions to SEE ALSO
+
+- [Jean-Philippe Menil brought this change]
 
-- ftp: add 'prefer_ascii' to the transfer state struct
+  openssl: ensure to check SSL_CTX_set_alpn_protos return values
   
-  ... and make sure the code never updates 'set.prefer_ascii' as it breaks
-  handle reuse which should use the setting as the user specified it.
+  SSL_CTX_set_alpn_protos() return 0 on success, and non-0 on failure
   
-  Added test 1569 to verify: it first makes an FTP transfer with ';type=A'
-  and then another without type on the same handle and the second should
-  then use binary. Previously, curl failed this.
+  Signed-off-by: Jean-Philippe Menil <jpmenil@gmail.com>
   
-  Closes #6578
-
-- RELEASE-NOTES: synced
-
-- [Jacob Hoffman-Andrews brought this change]
+  Closes #6794
 
-  vtls: initial implementation of rustls backend
+- multi: close the connection when h2=>h1 downgrading
   
-  This adds a new TLS backend, rustls. It uses the C-to-rustls bindings
-  from https://github.com/abetterinternet/crustls.
+  Otherwise libcurl is likely to reuse the connection again in the next
+  attempt since the connection reuse logic doesn't take downgrades into
+  account.
   
-  Rustls is at https://github.com/ctz/rustls/.
+  Reported-by: Anthony Ramine
+  Fixes #6788
+  Closes #6793
+
+- openssl: set the transfer pointer for logging early
   
-  There is still a fair bit to be done, like sending CloseNotify on
-  connection shutdown, respecting CAPATH, and properly indicating features
-  like "supports TLS 1.3 ciphersuites." But it works well enough to make
-  requests and receive responses.
+  Otherwise, the transfer will be NULL in the trace function when the
+  early handshake details arrive and then curl won't show them.
   
-  Blog post for context:
-  https://www.abetterinternet.org/post/memory-safe-curl/
+  Regresssion in 7.75.0
   
-  Closes #6350
+  Reported-by: David Hu
+  Fixes #6783
+  Closes #6792
 
-- [Simon Josefsson brought this change]
+- RELEASE-NOTES: synced
 
-  sasl: support SCRAM-SHA-1 and SCRAM-SHA-256 via libgsasl
+- TODO: Custom progress meter update interval
   
-  Closes #6372
+  Ref: https://stackoverflow.com/q/66789977/93747
 
-Jay Satiro (9 Feb 2021)
-- lib: use int type for more port variables
+- docs/ABI: tighten up the language
   
-  This is a follow-up to 764c6bd. Prior to that change port variables
-  were usually type long.
+  Make the promises more firm
   
-  Closes https://github.com/curl/curl/pull/6553
+  Closes #6786
 
-- tool_writeout: refactor write-out and write-out json
-  
-  - Deduplicate the logic used by write-out and write-out json.
-  
-  Rather than have separate writeLong, writeString, etc, logic for
-  each of write-out and write-out json instead have respective shared
-  functions that can output either format and a 'use_json' parameter to
-  indicate whether it is json that is output.
+- openldap: disconnect better
   
-  This will make it easier to maintain. Rather than have to go through
-  two sets of logic now we only have to go through one.
+  Instead of clearing the callback argument in disconnect, set it to the
+  (new) transfer to make sure the correct data is passed to the callbacks.
   
-  - Support write-out %{errormsg} and %{exitcode} in json.
+  Follow-up to e467ea3bd937f38
+  Assisted-by: Patrick Monnerat
+  Closes #6787
+
+- libssh2: kdb_callback: get the right struct pointer
   
-  - Clarify in the doc that %{exitcode} is the exit code of the transfer.
+  After the recent conn/data refactor in this source file, this function
+  was mistakenly still getting the old struct pointer which would lead to
+  crash on servers with keyboard-interactive auth enabled.
   
-  Prior to this change it just said "The numerical exitcode" which
-  implies it's the exit code of the tool, and it's not necessarily that.
+  Follow-up to a304051620b92e12b (shipped in 7.75.0)
   
-  Closes https://github.com/curl/curl/pull/6544
+  Reported-by: Christian Schmitz
+  Fixes #6691
+  Closes #6782
 
-- lib: drop USE_SOCKETPAIR in favor of CURL_DISABLE_SOCKETPAIR
+- tftp: remove unused struct fields
   
-  .. since the former is undocumented and they both do the same thing.
+  Follow-up to d3d90ad9c00530d
   
-  Closes https://github.com/curl/curl/pull/6517
+  Closes #6781
 
-- curl_multibyte: fall back to local code page stat/access on Windows
-  
-  If libcurl is built with Unicode support for Windows then it is assumed
-  the filename string is Unicode in UTF-8 encoding and it is converted to
-  UTF-16 to be passed to the wide character version of the respective
-  function (eg wstat). However the filename string may actually be in the
-  local encoding so, even if it successfully converted to UTF-16, if it
-  could not be stat/accessed then try again using the local code page
-  version of the function (eg wstat fails try stat).
-  
-  We already do this with fopen (ie wfopen fails try fopen), so I think it
-  makes sense to extend it to stat and access functions.
+- openldap: avoid NULL pointer dereferences
   
-  Closes https://github.com/curl/curl/pull/6514
-
-- [Stephan Szabo brought this change]
+  Follow-up to a59c33ceffb8f78
+  Reported-by: Patrick Monnerat
+  Fixes #6676
+  Closes #6780
 
-  file: Support unicode urls on windows
+- http: strip default port from URL sent to proxy
   
-  Closes https://github.com/curl/curl/pull/6501
-
-- [Vincent Torri brought this change]
-
-  cmake: fix import library name for non-MS compiler on Windows
+  To make sure the Host: header and the URL provide the same authority
+  portion when sent to the proxy, strip the default port number from the
+  URL if one was provided.
   
-  - Use _imp.lib suffix only for Microsoft's compiler (MSVC).
+  Reported-by: Michael Brown
+  Fixes #6769
+  Closes #6778
+
+- azure: disable test 433 on azure-ubuntu
   
-  Prior to this change library suffix _imp.lib was used for the import
-  library on Windows regardless of compiler.
+  Something in that environment sets XDG_CONFIG_HOME for us in a way that
+  breaks the test.
   
-  With this change the other compilers should now use their default
-  suffix which should be .dll.a.
+  Reported-by: Marc Hörsken
+  Fixes #6739
+  Closes #6777
+
+- tftp: remove the 3600 second default timeout
   
-  This change is motivated by the usage of pkg-config on MSYS2.
-  Indeed, when 'pkg-config --libs libcurl' is used, -lcurl is
-  passed to ld. The documentation of ld on Windows :
+  ... it was never meant to be there.
   
-  https://sourceware.org/binutils/docs/ld/WIN32.html
+  Reported-by: Tomas Berger
+  Fixes #6774
+  Closes #6776
+
+- docs: make gen.pl support *italic* and **bold**
   
-  lists, in the 'direct linking to a dll' section, the pattern
-  of the searched import library, and libcurl_imp.lib is not there.
+  Remove some nroffisms from the cmdline doc files to simplify editing,
+  and instead support this markdown style.
   
-  Closes https://github.com/curl/curl/pull/6225
+  Closes #6771
 
-Daniel Stenberg (9 Feb 2021)
-- urldata: move 'followlocation' to UrlState
-  
-  As this is a state variable it does not belong in UserDefined which is
-  used to store values set by the user.
+- ngtcp2: sync with recent API updates
   
-  Closes #6582
+  Closes #6770
 
-- [Ikko Ashimine brought this change]
+- RELEASE-NOTES: synced
 
-  http_proxy: fix typo in http_proxy.c
+- libssh2:ssh_connect: clear session pointer after free
   
-  settting -> setting
+  If libssh2_knownhost_init() returns NULL, like in an OOM situation, the
+  ssh session was freed but the pointer wasn't cleared which made libcurl
+  later call libssh2 to cleanup using the stale pointer.
   
-  Closes #6583
+  Fixes #6764
+  Closes #6766
 
-- [Fabian Keil brought this change]
+- [Jacob Hoffman-Andrews brought this change]
 
-  tests/server: Bump MAX_TAG_LEN to 200
+  docs: document version of crustls dependency
   
-  This is useful for tests containing HTML inside of <data> sections.
-  For <img> tags it's not uncommon to be longer than the previous
-  limit of 79 bytes.
+  This also pins a specific release in the Travis test so future
+  API-breaking changins in crustls won't break curl builds.
   
-  An example of a previously problem-causing tag is:
-  <img src="http://config.privoxy.org/send-banner?type=auto" border="0" title="Killed-http://www.privoxy.org/images/privoxy.png-by-size" width="88" height="31">
-  which is needed for a Privoxy test for the banners-by-size filter.
+  Add RUSTLS documentation to release tarball.
   
-  Previously it caused server failures like:
-  12:29:05.786961 ====> Client connect
-  12:29:05.787116 accept_connection 3 returned 4
-  12:29:05.787194 accept_connection 3 returned 0
-  12:29:05.787285 Read 119 bytes
-  12:29:05.787345 Process 119 bytes request
-  12:29:05.787407 Got request: GET /banners-by-size/9 HTTP/1.1
-  12:29:05.787464 Requested test number 9 part 0
-  12:29:05.787686 getpart() failed with error: -2
-  12:29:05.787744 - request found to be complete (9)
-  12:29:05.787912 getpart() failed with error: -2
-  12:29:05.788048 Wrote request (119 bytes) input to log/server.input
-  12:29:05.788157 Send response test9 section <data>
-  12:29:05.788443 getpart() failed with error: -2
-  12:29:05.788498 instructed to close connection after server-reply
-  12:29:05.788550 ====> Client disconnect 0
-  12:29:05.871448 exit_signal_handler: 15
-  12:29:05.871714 signalled to die
-  12:29:05.872040 ========> IPv4 sws (port 21108 pid: 51758) exits with signal (15)
-
-- [Fabian Keil brought this change]
-
-  tests/badsymbols.pl: when opening '$incdir' fails include it in the error message
-
-- [Fabian Keil brought this change]
-
-  runtests.1: document -o, -P, -L, and -E
-
-- [Fabian Keil brought this change]
-
-  runtests.pl: add %TESTNUMBER variable to make copying tests more convenient
+  Enable running tests for rustls, minus FTP tests (require
+  connect_blocking, which rustls doesn't implement) and 313 (requires CRL
+  handling).
+  
+  Closes #6763
 
-- [Fabian Keil brought this change]
+- [Jacob Hoffman-Andrews brought this change]
 
-  runtests.pl: add an -o option to change internal variables
+  rustls: Handle close_notify.
   
-  runtests.pl has lots of internal variables one might want to
-  change in certain situations, but adding a dedicated option
-  for every single one of them isn't practical.
+  If we get a close_notify, treat that as EOF. If we get an EOF from the
+  TCP stream, treat that as an error (because we should have ended the
+  connection earlier, when we got a close_notify).
   
-  Usage:
-  ./runtests.pl -o TESTDIR=$privoxy_curl_test_dir -o HOSTIP=10.0.0.1 ...
-
-- [Fabian Keil brought this change]
+  Closes #6763
 
-  runtests.pl: cleanups
+- docs: clarify timeouts for queued transfers in multi API
   
-  - show the summarized test result in the last line of the report
-  - do not use $_ after mapping it to a named variable
-    Doing that makes the code harder to follow.
-  - log the restraints sorted by the number of their occurrences
-  - fix language when logging restraints that only occured once
-  - let runhttpserver() use $TESTDIR instead of $srcdir
-    ... so it works if a non-default $TESTDIR is being used.
-
-- [Fabian Keil brought this change]
+  Closes #6758
 
-  runtests.pl: add an -E option to specify an exclude file
-  
-  It can contain additional restraints for test numbers,
-  keywords and tools.
+- ftpserver: only load the preprocessed test file
   
-  The idea is to let third parties like the Privoxy project
-  distribute an exclude file with their tarballs that specifies
-  which curl tests are not expected to work when using Privoxy
-  as a proxy, without having to fork the whole curl test suite.
+  We always preprocess and tests are no longer sensible to load "raw"
   
-  The syntax could be changed to be extendable and maybe
-  more closely reflect the "curl test" syntax. Currently
-  it's a bunch of lines like these:
+  Closes #6738
+
+- tests: use %TESTNUMBER instead of fixed number
   
-  test:$TESTNUMBER:Reason why this test with number $TESTNUMBER should be skipped
-  keyword:$KEYWORD:Reason why tests whose keywords contain the $KEYWORD should be skipped
-  tool:$TOOL:Reason why tests with tools that contain $TOOL should be skipped
+  This makes the tests easier to copy and relocate to other test numbers
+  without having to update content.
   
-  To specify multiple $TESTNUMBERs, $KEYWORDs and $TOOLs
-  on a single line, split them with commas.
-
-- [Fabian Keil brought this change]
+  Closes #6738
 
-  runtests.pl: add -L parameter to require additional perl libraries
-  
-  This is useful to change the behaviour of the script without
-  having to modify the file itself, for example to use a custom
-  compareparts() function that ignores header differences that
-  are expected to occur when an external proxy is being used.
+- KNOWN_BUGS: CURLOPT_OPENSOCKETPAIRFUNCTION is missing
   
-  Such differences are proxy-specific and thus the modifications
-  should be maintained together with the proxy.
+  Closes #5747
 
-- [Fabian Keil brought this change]
+- TODO: provide timing info for each redirect
+  
+  Closes #6743
 
-  runtests.pl: add a -P option to specify an external proxy
-  
-  ... that should be used when executing the tests.
+Jay Satiro (17 Mar 2021)
+- docs: Add SSL backend names to CURL_SSL_BACKEND
   
-  The assumption is that the proxy is an HTTP proxy.
+  - Document the names that can be used with CURL_SSL_BACKEND:
+    bearssl, gnutls, gskit, mbedtls, mesalink, nss, openssl, rustls,
+    schannel, secure-transport, wolfssl
   
-  This option should be used together with -L to provide
-  a customized compareparts() version that knows which
-  proxy-specific header differences should be ignored.
+  Ref: https://github.com/curl/curl/issues/2209#issuecomment-360623286
+  Ref: https://github.com/curl/curl/issues/6717#issuecomment-800745201
   
-  This option doesn't work for all test types yet.
-
-- [Fabian Keil brought this change]
+  Closes https://github.com/curl/curl/pull/6755
 
-  tests: fixup several tests
+- docs: Explain DOH transfers inherit some SSL settings
   
-  missing CRs and modified %hostip
+  - Document in DOH that some SSL settings are inherited but DOH hostname
+    and peer verification are not and are controlled separately.
   
-  lib556/test556: use a real HTTP version to make test reuse more convenient
+  - Document that CURLOPT_SSL_CTX_FUNCTION is inherited by DOH handles but
+    we're considering changing behavior to no longer inherit it. Request
+    feedback.
   
-  make sure the weekday in Date headers matches the date
+  Closes https://github.com/curl/curl/pull/6688
+
+Daniel Stenberg (17 Mar 2021)
+- http: make 416 not fail with resume + CURLOPT_FAILONERRROR
   
-  test61: replace stray "^M" (5e 4d) at the end of a cookie with a '^M' (0d)
+  When asked to resume a download, libcurl will convert that to HTTP logic
+  and if then the entire file is already transferred it will result in a
+  416 response from the HTTP server. With CURLOPT_FAILONERRROR set in that
+  scenario, it should *not* lead to an error return.
   
-  Gets the test working with external proxies like Privoxy again.
+  Updated test 1156, added test 1273
   
-  Closes #6463
+  Reported-by: Jonathan Watt
+  Fixes #6740
+  Closes #6753
 
-- ftp: never set data->set.ftp_append outside setopt
+- Curl_timeleft: check both timeouts during connect
+  
+  The duration of a connect and the total transfer are calculated from two
+  different time-stamps. It can end up with the total timeout triggering
+  before the connect timeout expires and we should make sure to
+  acknowledge whichever timeout that is reached first.
   
-  Since the set value then risks getting used like that when the easy
-  handle is reused by the application.
+  This is especially notable when a transfer first sits in PENDING, as
+  that time is counted in the total time but the connect timeout is based
+  on the time since the handle changed to the CONNECT state.
   
-  Also: renamed the struct field from 'ftp_append' to 'remote_append'
-  since it is also used for SSH protocols.
+  The CONNECTTIMEOUT is per connect attempt. The TIMEOUT is for the entire
+  operation.
   
-  Closes #6579
+  Fixes #6744
+  Closes #6745
+  Reported-by: Andrei Bica
+  Assisted-by: Jay Satiro
 
-- urldata: remove the 'rtspversion' field
+- configure: remove use of deprecated macros
   
-  from struct connectdata and the corresponding code in http.c that set
-  it. It was never used for anything!
+  AC_HEADER_TIME, AC_HEADER_STDC and AC_TYPE_SIGNAL
+
+- configure: make AC_TRY_* into AC_*_IFELSE
   
-  Closes #6581
+  ... as the former versions are deprecated.
 
-- CURLOPT_QUOTE.3: clarify that libcurl doesn't parse what's sent
+- configure: s/AC_HELP_STRING/AS_HELP_STRING
   
-  ... so passed in commands may confuse libcurl's knowledge of state.
+  AC_HELP_STRING is deprecated in 2.70+ and I believe AS_HELP_STRING works
+  already since 2.59 so bump the minimum required version to that.
   
-  Reported-by: Bodo Bergmann
-  Fixes #6577
-  Closes #6580
+  Reported-by: Emil Engler
+  Fixes #6647
+  Closes #6748
 
-- [Jacob Hoffman-Andrews brought this change]
+- RELEASE-NOTES: synced
 
-  vtls: factor out Curl_ssl_getsock to field of Curl_ssl
+- travis: use ubuntu nghttp2 package instead of build our own
   
-  Closes #6558
+  Closes #6751
 
-- RELEASE-PROCEDURE: remove old release dates, add new
+- travis: bump wolfssl to 4.7.0
 
-- docs/SSL-PROBLEMS: enhanced
-  
-  Elaborate on the intermediate cert issue, and mention that anything
-  below TLS 1.2 is generally considered insecure these days.
+- travis: only build wolfssl when needed
   
-  Closes #6572
-
-- THANKS: remove a Jon Rumsey dupe
+  Closes #6751
 
-Daniel Gustafsson (5 Feb 2021)
-- [nimaje brought this change]
+- [Jacob Hoffman-Andrews brought this change]
 
-  docs: fix FILE example url in --metalink documentation
+  rustls: allocate a buffer for TLS data.
   
-  In a url after <scheme>:// follows the possibly empty authority part
-  till the next /, so that url missed a /.
+  Previously, rustls was using an on-stack array for TLS data. However,
+  crustls has an (unusual) requirement that buffers it deals with are
+  initialized before writing to them. By using calloc, we can ensure the
+  buffer is initialized once and then reuse it across calls.
   
-  Closes #6573
-  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
-  Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
+  Closes #6742
 
-Daniel Stenberg (5 Feb 2021)
-- hostip: fix build with sync resolver
+- travis: add a rustls build
+  
+  ... that doesn't run any tests (yet)
   
-  Reported-by: David Goerger
-  Follow-up from 8335c6417
-  Fixes #6566
-  Closes #6568
+  Closes #6750
 
-- mailmap: Jon Rumsey
+- HTTP2: remove the outdated remark about multiplexing for the tool
 
-- [Jon Rumsey brought this change]
+- [Robert Ronto brought this change]
 
-  gskit: correct the gskit_send() prototype
-  
-  gskit_send() first paramater is a pointer to Curl_easy not connectdata
-  struct.
+  http2: don't set KEEP_SEND when there's no more data to be sent
   
-  Closes #6570
-  Fixes #6569
-
-- urldata: fix build without HTTP and MQTT
+  this should fix an issue where curl sometimes doesn't send out a request
+  with authorization info after a 401 is received over http2
   
-  Reported-by: Joseph Chen
-  Fixes #6562
-  Closes #6563
+  Closes #6747
 
-- ftp: avoid SIZE when asking for a TYPE A file
-  
-  ... as we ignore it anyway because servers don't report the correct size
-  and proftpd even blatantly returns a 550.
-  
-  Updates a set of tests accordingly.
+Marc Hoersken (15 Mar 2021)
+- config: fix building SMB with configure using Win32 Crypto
   
-  Reported-by: awesomenode on github
-  Fixes #6564
-  Closes #6565
-
-- pingpong: rename the curl_pp_transfer enum to use PP prefix
+  Align conditions for NTLM features between CMake and configure
+  builds by differentiating between USE_NTLM and USE_CURL_NTLM_CORE,
+  just like curl_setup.h does internally to detect support of:
   
-  Using an FTP prefix for PP provided functionality was misleading.
-
-- RELEASE-NOTES: synced
+  - USE_NTLM: required for NTLM crypto authentication feature
+  - USE_CURL_NTLM_CORE: required for SMB protocol
   
-  ... and bump pending version to 7.75.1 (for now)
-
-Jay Satiro (4 Feb 2021)
-- build: fix --disable-http-auth
+  Implement USE_WIN32_CRYPTO detection by checking for Crypt functions
+  in wincrypt.h which are not available in the Windows App environment.
   
-  Broken since 215db08 (precedes 7.75.0).
+  Link advapi32 and crypt32 for Crypto API and Schannel SSL backend.
+  Fix condition of Schannel SSL backend in CMake build accordingly.
   
-  Reported-by: Benbuck Nason
+  Reviewed-by: Marcel Raad
   
-  Fixes https://github.com/curl/curl/issues/6567
+  Closes #6277
 
-- build: fix --disable-dateparse
-  
-  Broken since 215db08 (precedes 7.75.0).
+- config: fix detection of restricted Windows App environment
   
-  Bug: https://curl.se/mail/lib-2021-02/0008.html
-  Reported-by: Firefox OS
-
-Daniel Stenberg (4 Feb 2021)
-- [Jon Rumsey brought this change]
-
-  OS400: update for CURLOPT_AWS_SIGV4
+  Move the detection of the restricted Windows App environment
+  in curl_setup.h before the definition of USE_WIN32_CRYPTO
+  via included config-win32.h in case no build system is used.
   
-  chkstrings fails because a new string option that could require codepage
-  conversion has been added.
+  Reviewed-by: Marcel Raad
   
-  Closes #6561
-  Fixes #6560
-
-- BUG-BOUNTY: removed the cooperation mention
-
-Version 7.75.0 (3 Feb 2021)
-
-Daniel Stenberg (3 Feb 2021)
-- RELEASE-NOTES: synced
-
-- THANKS: added contributors from 7.75.0
+  Part of #6277
 
-- copyright: fix year ranges in need of updates
+Daniel Stenberg (15 Mar 2021)
+- HISTORY: curl 7.7.2 was the first version used in Mac OS X 10.1
 
-- TODO: remove items for next SONAME bump etc
+- gen.pl: quote "bare" minuses in the nroff curl.1
   
-  We want to avoid that completely, so we don't plan for things after such
-  an event.
-
-- [Jay Satiro brought this change]
+  Reported-by: Alejandro Colomar
+  Fixes #6698
+  Closes #6722
 
-  ngtcp2: Fix build error due to change in ngtcp2_settings
-  
-  - Separate ngtcp2_transport_params.
-  
-  ngtcp2/ngtcp2@05d7adc made ngtcp2_transport_params separate from
-  ngtcp2_settings.
+Daniel Gustafsson (14 Mar 2021)
+- hsts: remove unused defines
   
-  ngtcp2 master is required to build curl with http3 support.
+  MAX_HSTS_SUBLEN and MAX_HSTS_SUBLENSTR were unused from the initial commit,
+  and mostly likely leftovers from early development.  Remove as they're not
+  used for anything.
   
-  Closes #6554
+  Closes #6741
+  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
 
-- vtls: remove md5sum
-  
-  As it is not used anymore.
-  
-  Reported-by: Jacob Hoffman-Andrews
-  Bug: https://curl.se/mail/lib-2021-02/0000.html
+Daniel Stenberg (12 Mar 2021)
+- github: add torture-ftp for FTP-only torture testing
   
-  Closes #6557
-
-- [Alessandro Ghedini brought this change]
-
-  quiche: don't use primary_ip / primary_port
+  and at 20% to try to keep the run-time reasonable
   
-  Closes #6555
-
-Alessandro Ghedini (1 Feb 2021)
-- travis: enable quiche's FFI feature
-
-Daniel Stenberg (30 Jan 2021)
-- [Dmitry Wagin brought this change]
+  Closes #6728
 
-  http: improve AWS HTTP v4 Signature auth
+- travis: split "torture" into a separate "events" build as well
   
-  - Add support services without region and service prefixes in
-  the URL endpoint (ex. Min.IO, GCP, Yandex Cloud, Mail.Ru Cloud Solutions, etc)
-  by providing region and service parameters via aws-sigv4 option.
-  - Add [:region[:service]] suffix to aws-sigv4 option;
-  - Fix memory allocation errors.
-  - Refactor memory management.
-  - Use Curl_http_method instead() STRING_CUSTOMREQUEST.
-  - Refactor canonical headers generating.
-  - Remove repeated sha256_to_hex() usage.
-  - Add some docs fixes.
-  - Add some codestyle fixes.
-  - Add overloaded strndup() for debug - curl_dbg_strndup().
-  - Update tests.
+  Run torture without FTP and reducing coverage to 20%
   
-  Closes #6524
-
-- hyper: fix CONNECT to set 'data' as userdata
+  For some reason the torture tests now run a lot slower on travis and run
+  into the 50 minute limit all the time.
   
-  Follow-up to 14e075d1a7fd
-
-- [Layla brought this change]
+  Closes #6728
 
-  connect: fix compile errors in `Curl_conninfo_local`
+- ftp: fix memory leak in ftp_done
   
-  .. for the `#else` (`!HAVE_GETSOCKNAME`) case
+  If after a transfer is complete Curl_GetFTPResponse() returns an error,
+  curl would not free the ftp->pathalloc block.
   
-  Fixes https://github.com/curl/curl/issues/6548
-  Closes #6549
+  Found by torture-testing test 576
   
-  Signed-off-by: Layla <layla@insightfulvr.com>
+  Closes #6737
 
-- [Michał Antoniak brought this change]
+- [oxalica brought this change]
 
-  transfer: fix GCC 10 warning with flag '-Wint-in-bool-context'
-  
-  ... and return the error code from the Curl_mime_rewind call.
+  http2: fail if connection terminated without END_STREAM
   
-  Closes #6537
-
-- [Michał Antoniak brought this change]
-
-  avoid warning: enum constant in boolean context
-
-- copyright: fix missing year (range) updates
+  Closes #6736
 
 - RELEASE-NOTES: synced
 
-- openssl: lowercase the hostname before using it for SNI
-  
-  ... because it turns out several servers out there don't actually behave
-  correctly otherwise in spite of the fact that the SNI field is
-  specifically said to be case insensitive in RFC 6066 section 3.
-  
-  Reported-by: David Earl
-  Fixes #6540
-  Closes #6543
+- [Jacob Hoffman-Andrews brought this change]
 
-- KNOWN_BUGS: cmake: ExternalProject_Add does not set CURL_CA_PATH
+  rustls: support CURLOPT_SSL_VERIFYPEER
   
-  Closes #6313
-
-- KNOWN_BUGS: Multi perform hangs waiting for threaded resolver
+  This requires the latest main branch of crustls, which provides
+  rustls_client_config_builder_dangerous_set_certificate_verifier and
+  rustls_client_config_builder_set_enable_sni.
+  
+  This refactors the session setup into its own function, and adds a new
+  function cr_hostname_is_ip. Because crustls doesn't support verification
+  of IP addresses, special handling is needed: We disable SNI and set a
+  placeholder hostname (which never actually gets sent on the wire).
   
-  Closes #4852
+  Closes #6719
 
-- KNOWN_BUGS: "pulseUI VPN client" is known to be buggy
+Daniel Gustafsson (12 Mar 2021)
+- cookies: Fix potential NULL pointer deref with PSL
   
-  First entry in the new section "applications" for known problems in
-  libcurl using applications.
+  Curl_cookie_init can be called with data being NULL, and this can in turn
+  be passed to Curl_cookie_add, meaning that both functions must be careful
+  to only use data where it's checked for being a NULL pointer.  The libpsl
+  support code does however dereference data without checking, so if we are
+  indeed having an unset data pointer we cannot PSL check the cookiedomain.
   
-  Closes #6306
-
-- tool_writeout: make %{errormsg} blank for no errors
+  This is currently not a reachable dereference, as the only caller with a
+  NULL data isn't passing a file to initialize cookies from, but since the
+  API has this contract let's ensure we hold it.
   
-  Closes #6539
+  Closes #6731
+  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
 
-Jay Satiro (27 Jan 2021)
-- [Gisle Vanem brought this change]
+Daniel Stenberg (12 Mar 2021)
+- [Michael Hordijk brought this change]
 
-  build: fix djgpp builds
-  
-  - Update build instructions in packages/DOS/README
+  configure: only add OpenSSL paths if they are defined
   
-  - Extend 'VPATH' with 'vquic' and 'vssh'.
+  Add paths for OpenSSL compiling and linking only if they have been
+  defined.  If they haven't been defined, we'll assume that the paths are
+  already available to the toolchain.
   
-  - Allow 'Makefile.dist' to build both 'lib' and 'src'.
+  Closes #6730
+
+Jay Satiro (12 Mar 2021)
+- retry.d: Clarify transient 5xx HTTP response codes
   
-  - Allow using the Windows hosted djgpp cross compiler to build for MSDOS
-    under Windows.
+  - Clarify the only 5xx response codes that are treated as transient are
+    500, 502, 503 and 504.
   
-  - 'USE_SSL' -> 'USE_OPENSSL'
+  Prior to this change it said it treated all 5xx as transient, but the
+  code says otherwise.
   
-  - Added a 'link_EXE' macro. Etc, etc.
+  Ref: https://github.com/curl/curl/blob/curl-7_75_0/src/tool_operate.c#L462-L495
   
-  - Linking 'curl.exe' needs '$(CURLX_CFILES)' too.
+  Closes https://github.com/curl/curl/pull/6724
+
+- retry-all-errors.d: Explain curl errors versus HTTP response errors
   
-  - Do not pick-up '../lib/djgpp/*.o' files. Recompile locally.
+  - Add a paragraph explaining that curl does not consider HTTP response
+    errors as curl errors, and how that behavior can be modified by using
+    --retry and --fail.
   
-  - Generate a gzipped 'tool_hugehelp.c' if 'USE_ZLIB=1'.
+  The --retry-all-errors doc says "Retry on any error" which some users
+  may find misleading without the added explanation.
   
-  - Remove 'djgpp-clean'
+  Ref: https://curl.se/docs/faq.html#Why_do_I_get_downloaded_data_eve
+  Ref: https://curl.se/docs/faq.html#curl_doesn_t_return_error_for_HT
   
-  - Adapt to new C-ares directory structure
+  Reported-by: Lawrence Gripper
   
-  - Use conditional variable assignments
+  Fixes https://github.com/curl/curl/issues/6712
+  Closes https://github.com/curl/curl/pull/6720
+
+Daniel Stenberg (11 Mar 2021)
+- travis: switch ngtcp2 build over to quictls
   
-  Clarify the 'conditional variable assignment' in 'common.dj'.
+  The ngtcp2 project switched over to using the quictls OpenSSL fork
+  instead of their own patched OpenSSL. We follow suit.
   
-  Closes https://github.com/curl/curl/pull/6382
+  Closes #6729
 
-Daniel Stenberg (27 Jan 2021)
-- [Ikko Ashimine brought this change]
+- test220/314: adjust to run with Hyper
 
-  hyper: fix typo in c-hyper.c
-  
-  settting -> setting
+- c-hyper: support automatic content-encoding
   
-  Closes #6538
+  Closes #6727
 
-- libssh2: fix CURL_LIBSSH2_DEBUG-enabled build
-  
-  Follow-up to 2dcc940959772a
+- http: remove superfluous NULL assign
   
-  Reported-by: Gisle Vanem
-  Bug: https://github.com/curl/curl/commit/2dcc940959772a652f6813fb6bd3092095a4877b#commitcomment-46420088
+  Closes #6727
 
-Jay Satiro (27 Jan 2021)
-- asyn-thread: fix build for when getaddrinfo missing
-  
-  This is a follow-up to 8315343 which several days ago moved the resolver
-  pointer into the async struct but did not update the code that uses it
-  when getaddrinfo is not present.
+- tool_operate: bail if set CURLOPT_HTTP09_ALLOWED returns error
   
-  Closes https://github.com/curl/curl/pull/6536
+  Closes #6727
 
-Daniel Stenberg (27 Jan 2021)
-- urldata: move 'ints' to the end of 'connectdata'
+- setopt: error on CURLOPT_HTTP09_ALLOWED set true with Hyper
   
-  To optimize storage slightly.
+  Not supported.
   
-  Closes #6534
+  Closes #6727
 
-- urldata: store ip version in a single byte
+- test306: make it not run with Hyper
   
-  Closes #6534
+  ... as it tests HTTP/0.9 which Hyper doesn't support.
 
-- urldata: remove duplicate 'upkeep_interval_ms' from connectdata
-  
-  ... and rely only on the value already set in Curl_easy.
-  
-  Closes #6534
+- test304: header CRLF cleanup to work with Hyper
 
-- urldata: remove 'local_ip' from the connectdata struct
+- FTP: allow SIZE to fail when doing (resumed) upload
   
-  As the info is already stored in the transfer handle anyway, there's no
-  need to carry around a duplicate buffer for the life-time of the handle.
+  Added test 362 to verify.
   
-  Closes #6534
+  Reported-by: Jordan Brown
+  Regression since 7ea2e1d0c5a7f (7.73.0)
+  Fixes #6715
+  Closes #6725
 
-- urldata: remove duplicate port number storage
+- configure: provide Largefile feature for curl-config
   
-  ... and use 'int' for ports. We don't use 'unsigned short' since -1 is
-  still often used internally to signify "unknown value" and 0 - 65535 are
-  all valid port numbers.
+  ... as cmake now does it correctly, and make test1014 check for it
   
-  Closes #6534
+  Closes #6702
 
-- urldata: remove the duplicate 'ip_addr_str' field
+- config: remove CURL_SIZEOF_CURL_OFF_T use only SIZEOF_CURL_OFF_T
   
-  ... as the numerical IP address is already stored and kept in 'primary_ip'.
+  Make the code consistently use a single name for the size of the
+  "curl_off_t" type.
   
-  Closes #6534
+  Closes #6702
 
-- select: convert Curl_select() to private static function
-  
-  The old function should not be used anywhere anymore (the only remaining
-  gskit use has to be fixed to instead use Curl_poll or none at all).
-  
-  The static function version is now called our_select() and is only built
-  if necessary.
-  
-  Closes #6531
+Jay Satiro (10 Mar 2021)
+- [Jun-ya Kato brought this change]
 
-- Curl_chunker: shrink the struct
+  ngtcp2: Fix build error due to change in ngtcp2_addr_init
   
-  ... by removing a field, converting the hex index into a byte and
-  rearranging the order. Cuts it down from 48 bytes to 32 on x86_64.
+  ngtcp2/ngtcp2@b8d90a9 changed the function prototype.
   
-  Closes #6527
-
-- curl: include the file name in --xattr/--remote-time error msgs
+  Closes https://github.com/curl/curl/pull/6716
 
-- curl: s/config->global/global/ in single_transfer()
+Daniel Stenberg (10 Mar 2021)
+- [ejanchivdorj brought this change]
 
-- curl: move fprintf outputs to warnf
+  multi: update pending list when removing handle
   
-  For setting and getting time of the download. To make the outputs
-  respect --silent etc.
+  when removing a handle, most of the lists are updated but pending list
+  is not updated. Updating now.
   
-  Reported-by: Viktor Szakats
-  Fixes #6533
-  Closes #6535
+  Closes #6713
 
-- [Tatsuhiro Tsujikawa brought this change]
+- [kokke brought this change]
 
-  ngtcp2: Fix http3 upload stall
+  lib1536: check ptr against NULL before dereferencing it
   
-  Closes #6521
+  Closes #6710
 
-- [Tatsuhiro Tsujikawa brought this change]
+- [kokke brought this change]
 
-  ngtcp2: Fix stack buffer overflow
+  lib1537: check ptr against NULL before dereferencing it
   
-  Closes #6521
+  Fixes #6707
+  Closes #6708
 
-- warnless.h: remove the prototype for curlx_ultosi
+- travis: make torture tests skip TLS-SRP tests
   
-  Follow-up to 217552503ff3
-
-- warnless: remove curlx_ultosi
+  ... as it seems to often hang.
   
-  ... not used anywhere
+  Also: skip the "normal" tests as they're already run by many other
+  builds.
   
-  Closes #6530
-
-- [Patrick Monnerat brought this change]
+  Closes #6705
 
-  lib: remove conn->data uses
+- openssl: adapt to v3's new const for a few API calls
   
-  Closes #6515
+  Closes #6703
 
-- pingpong: remove the 'conn' struct member
-  
-  ... as it's superfluous now when Curl_easy is passed in and we can
-  derive the connection from that instead and avoid the duplicate copy.
+- quiche: fix crash when failing to connect
   
-  Closes #6525
+  Reported-by: ウさん
+  Fixes #6664
+  Closes #6701
 
-- hostip/proxy: remove conn->data use
+- RELEASE-NOTES: synced
   
-  Closes #6513
+  Fixed the release counter and added a missing contributor
+
+- RELEASE-NOTES: synced
 
-- url: reduce conn->data references
+- dynbuf: bump the max HTTP request to 1MB
   
-  ... there are a few left but let's keep them to last
+  Raised from 128KB to allow longer request headers.
   
-  Closes #6512
-
-- scripts/singleuse: add curl_easy_option*
+  Reported-by: Carl Zogheib
+  Fixes #6681
+  Closes #6685
 
-Jay Satiro (25 Jan 2021)
-- test410: fix for windows
+Jay Satiro (6 Mar 2021)
+- schannel: Evaluate CURLOPT_SSL_OPTIONS via SSL_SET_OPTION macro
+  
+  - Change use of those options from CURLOPT_SSL_OPTIONS that are not
+    already evaluated via SSL_SET_OPTION in schannel and secure transport
+    to use that instead of data->set.ssl.optname.
   
-  - Pass the very long request header via file instead of command line.
+  Example:
   
-  Prior to this change the 49k very long request header string was passed
-  via command line and on Windows that is too long so it was truncated and
-  the test would fail (specifically msys CI).
+  Evaluate SSL_SET_OPTION(no_revoke) instead of data->set.ssl.no_revoke.
   
-  Closes https://github.com/curl/curl/pull/6516
-
-Daniel Stenberg (25 Jan 2021)
-- libssh2: move data from connection object to transfer object
+  This change is because options set via CURLOPT_SSL_OPTIONS
+  (data->set.ssl.optname) are separate from those set for HTTPS proxy via
+  CURLOPT_PROXY_SSL_OPTIONS (data->set.proxy_ssl.optname). The
+  SSL_SET_OPTION macro determines whether the connection is for HTTPS
+  proxy and based on that which option to evaluate.
   
-  Readdir data, filenames and attributes are strictly related to the
-  transfer and not the connection. This also reduces the total size of the
-  fixed connectdata struct.
+  Since neither Schannel nor Secure Transport backends currently support
+  HTTPS proxy in libcurl, this change is for posterity and has no other
+  effect.
   
-  Closes #6519
-
-- RELEASE-NOTES: synced
+  Closes https://github.com/curl/curl/pull/6690
 
-- [Patrick Monnerat brought this change]
+- [kokke brought this change]
 
-  lib: remove conn->data uses
+  c-hyper: Remove superfluous pointer check
   
-  Closes #6499
-
-- hyper: remove the conn->data references
+  `n` pointer is never NULL once set. Found by static analysis.
   
-  Closes #6508
+  Ref: https://github.com/curl/curl/issues/6696
+  
+  Closes https://github.com/curl/curl/pull/6697
 
-- travis: build ngtcp2 --with-gnutls
+- version.d: Add missing features to the features list
   
-  ... since they disable it by default since a few days back.
+  - Add missing entries for gsasl, Kerberos, NTLM_WB, TrackMemory,
+    Unicode and zstd.
   
-  Closes #6506
-  Fixes #6493
-
-- hostip: remove conn->data from resolver functions
+  - Remove krb4 since it's no longer a feature.
   
-  This also moves the 'async' struct from the connectdata struct into the
-  Curl_easy struct, which seems like a better home for it.
+  Reported-by: Ádler Jonas Gross
   
-  Closes #6497
+  Fixes https://github.com/curl/curl/issues/6677
+  Closes https://github.com/curl/curl/pull/6687
+
+- [Vladimir Varlamov brought this change]
 
-Jay Satiro (22 Jan 2021)
-- strerror: skip errnum >= 0 assertion on windows
+  docs: add missing Arg tag to --stderr
   
-  On Windows an error number may be greater than INT_MAX and negative once
-  cast to int.
+  Prior to this change the required argument was not shown.
   
-  The assertion is checked only in debug builds.
+  curl.1 before: --stderr
+  curl.1 after: --stderr <file>
   
-  Closes https://github.com/curl/curl/pull/6504
-
-Daniel Stenberg (21 Jan 2021)
-- doh: make Curl_doh_is_resolved survive a NULL pointer
+  curl --help before:
+       --stderr        Where to redirect stderr
   
-  ... if Curl_doh() returned a NULL, this function gets called anyway as
-  in a asynch procedure. Then the doh struct pointer is NULL and signifies
-  an OOM situation.
+  curl --help after:
+       --stderr <file>  Where to redirect stderr
   
-  Follow-up to 6246a1d8c6776
+  Closes https://github.com/curl/curl/pull/6692
 
-- wolfssh: remove conn->data references
-  
-  ... and repair recent build breakage
+- projects: Update VS projects for OpenSSL 1.1.x
   
-  Closes #6507
-
-- http: empty reply connection are not left intact
+  - Update VS project templates to use the OpenSSL lib names and include
+    directories for OpenSSL 1.1.x.
   
-  ... so mark the connection as closed in this condition to prevent that
-  verbose message to wrongly appear.
+  This change means the VS project files will now build only with OpenSSL
+  1.1.x when an OpenSSL configuration is chosen. Prior to this change the
+  project files built only with OpenSSL 1.0.x (end-of-life) when an
+  OpenSSL configuration was chosen.
   
-  Reported-by: Matt Holt
-  Bug: https://twitter.com/mholt6/status/1352130240265375744
-  Closes #6503
-
-- chunk/encoding: remove conn->data references
+  The template changes in this commit were made by script:
   
-  ... by anchoring more functions on Curl_easy instead of connectdata
+  libeay32.lib => libcrypto.lib
+  ssleay32.lib => libssl.lib
+  ..\..\..\..\..\openssl\inc32 => ..\..\..\..\..\openssl\include
   
-  Closes #6498
-
-Jay Satiro (20 Jan 2021)
-- [Erik Olsson brought this change]
-
-  lib: save a bit of space with some structure packing
+  And since the output directory now contains the includes it's prepended:
+  ..\..\..\..\..\openssl\build\Win{32,64}\VC{6..15}\{DLL,LIB}
+  {Debug,Release}\include
   
-  - Reorder some internal struct members so that less padding is used.
+  - Change build-openssl.bat to copy the build's include directory to the
+    output directory (as seen above).
   
-  This is an attempt at saving a bit of space by packing some structs
-  (using pahole to find the holes) where it might make sense to do
-  so without losing readability.
+  Each build has its own opensslconf.h which is different so we can't just
+  include the source include directory any longer.
   
-  I.e., I tried to avoid separating fields that seem grouped
-  together (like the cwd... fields in struct ftp_conn for instance).
-  Also abstained from touching fields behind conditional macros as
-  that quickly can get complicated.
+  Note the include directory in the output directory is a full copy from
+  the build so technically we don't need to include the OpenSSL source
+  include directory in the template. However, I left it last in case the
+  user made a custom OpenSSL build using the old method which would put
+  opensslconf in the OpenSSL source include directory.
   
-  Closes https://github.com/curl/curl/pull/6483
-
-Daniel Stenberg (20 Jan 2021)
-- INSTALL.md: fix typo
+  - Change build-openssl.bat to use a temporary install directory that is
+    different from the temporary build directory.
   
-  Found-by: Marcel Raad
-
-- [Fabian Keil brought this change]
-
-  http: get CURLOPT_REQUEST_TARGET working with a HTTP proxy
+  For OpenSSL 1.1.x the temporary paths must be separate not a descendant
+  of the other, otherwise pdb files will be lost between builds.
   
-  Added test 1613 to verify.
+  Ref: https://curl.se/mail/lib-2018-10/0049.html
+  Ref: https://gist.github.com/jay/125191c35bbeb894444eff827651f755
+  Ref; https://github.com/openssl/openssl/issues/10005
   
-  Closes #6490
-
-- Merge branch 'bagder/curl_range-data-conn'
-
-- ftp: remove conn->data leftover
+  Fixes https://github.com/curl/curl/issues/984
+  Closes https://github.com/curl/curl/pull/6675
 
-- curl_range: remove conn->data
+- doh: Inherit CURLOPT_STDERR from user's easy handle
   
-  Closes #6496
-
-- INSTALL: now at 85 operating systems
-
-- quiche: fix unused parameter ‘conn’
+  Prior to this change if the user set their easy handle's error stream
+  to something other than stderr it was not inherited by the doh handles,
+  which meant that they would still write to the default standard error
+  stream (stderr) for verbose output.
   
-  Follow-up to 2bdec0b3
-
-- transfer: fix ‘conn’ undeclared mistake for iconv build
+  Bug: https://github.com/curl/curl/issues/6605
+  Reported-by: arvids-kokins-bidstack@users.noreply.github.com
   
-  Follow-up to 219d9f8620d
+  Closes https://github.com/curl/curl/pull/6661
 
-- doh: allocate state struct on demand
+Marc Hoersken (1 Mar 2021)
+- CI/azure: replace python-impacket with python3-impacket
   
-  ... instead of having it static within the Curl_easy struct. This takes
-  away 1176 bytes (18%) from the Curl_easy struct that aren't used very
-  often and instead makes the code allocate it when needed.
+  As of this month Azure DevOps uses Ubuntu 20.04 LTS which
+  no longer supports Python 2 and instead ships Python 3.
   
-  Closes #6492
+  Closes #6678
 
-- socks: use the download buffer instead
-  
-  The SOCKS code now uses the generic download buffer for temporary
-  storage during the connection procedure, instead of having its own
-  private 600 byte buffer that adds to the connectdata struct size. This
-  works fine because this point the buffer is allocated but is not use for
-  download yet since the connection hasn't completed.
-  
-  This reduces the connection struct size by 22% on a 64bit arch!
+- runtests.pl: kill processes locking test log files
   
-  The SOCKS buffer needs to be at least 600 bytes, and the download buffer
-  is guaranteed to never be smaller than 1000 bytes.
+  Introduce a new runtests.pl command option: -rm
   
-  Closes #6491
-
-- urldata: make magic be the first struct field
+  For now only required and implemented for Windows.
+  Ignore stunnel logs due to long running processes.
   
-  By making the `magic` identifier the same size and at the same place
-  within the structs (easy, multi, share), libcurl will be able to more
-  reliably detect and safely error out if an application passes in the
-  wrong handle to APIs. Easier to detect and less likely to cause crashes
-  if done.
+  Requires Sysinternals handle[64].exe to be on PATH.
   
-  Such mixups can't be detected at compile-time due to them being
-  typedefed void pointers - unless `CURL_STRICTER` is defined.
+  Reviewed-by: Jay Satiro
   
-  Closes #6484
+  Ref: #6058
+  Closes #6179
 
-- http_chunks: correct and clarify a comment on hexnumber length
+- pathhelp.pm: fix use of pwd -L in Msys environment
   
-  ... and also rename the define for max length.
+  While Msys2 has a pwd binary which supports -L,
+  Msys1 only has a shell built-in with that feature.
   
-  Closes #6489
-
-- curl_path: remove conn->data use
+  Reviewed-by: Jay Satiro
   
-  Closes #6487
+  Part of #6179
 
-- transfer: remove conn->data use
+Daniel Gustafsson (1 Mar 2021)
+- ldap: use correct memory free function
   
-  Closes #6486
-
-- quic: remove conn->data use
+  unescaped is coming from Curl_urldecode and not a unicode conversion
+  function, so reclaiming its memory should be performed with a normal
+  call to free rather than curlx_unicodefree.  In reality, this is the
+  same thing as curlx_unicodefree is implemented as a call to free but
+  that's not guaranteed to always hold.  Using the curlx macro present
+  issues with memory debugging as well.
   
-  Closes #6485
-
-- [Fabian Keil brought this change]
-
-  Add test1181: Proxy request with --proxy-header "Connection: Keep-Alive"
-
-- [Fabian Keil brought this change]
+  Closes #6671
+  Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
+  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
 
-  Add test1180: Proxy request with -H "Proxy-Connection: Keep-Alive"
+- url: fix typo in comment
   
-  At the moment the test fails as curl sends two Proxy-Connection
-  headers.
-
-- c-hyper: avoid duplicated Proxy-Connection headers
+  Correct a small typo which snuck in with a304051620.
 
-- http: make providing Proxy-Connection header not cause duplicated headers
-  
-  Fixes test 1180
+Jay Satiro (28 Feb 2021)
+- tool_help: Increase space between option and description
   
-  Bug: https://curl.se/mail/lib-2021-01/0095.html
-  Reported-by: Fabian Keil
-  Closes #6472
-
-- runtests: preprocess DISABLED to allow conditionals
+  - Increase the minimum number of spaces between the option and the
+    description from 1 to 2.
   
-  ... with this function provided, we can disable tests for specific
-  environments and setups directly within this file.
+  Before:
+  ~~~
+   -u, --user <user:password> Server user and password
+   -A, --user-agent <name> Send User-Agent <name> to server
+   -v, --verbose       Make the operation more talkative
+   -V, --version       Show version number and quit
+   -w, --write-out <format> Use output FORMAT after completion
+       --xattr         Store metadata in extended file attributes
+  ~~~
   
-  Closes #6477
-
-- runtests: turn preprocessing into a separate function
+  After:
+  ~~~
+   -u, --user <user:password>  Server user and password
+   -A, --user-agent <name>  Send User-Agent <name> to server
+   -v, --verbose       Make the operation more talkative
+   -V, --version       Show version number and quit
+   -w, --write-out <format>  Use output FORMAT after completion
+       --xattr         Store metadata in extended file attributes
+  ~~~
   
-  ... and remove all other variable substitutions as they're now done once
-  and for all in the preprocessor.
+  Closes https://github.com/curl/curl/pull/6674
 
-- lib/Makefile.inc: convert to listing each file on its own line
-  
-  ... to make it diff friendlier and easier to read.
+Daniel Stenberg (27 Feb 2021)
+- curl: set CURLOPT_NEW_FILE_PERMS if requested
   
-  Closes #6448
-
-- ftplistparser: remove use of conn->data
+  The --create-file-mode code logic accepted the value but never actually
+  passed it on to libcurl!
   
-  Closes #6482
+  Follow-up to a7696c73436f (shipped in 7.75.0)
+  Reported-by: Johannes Lesr
+  Fixes #6657
+  Closes #6666
 
-- lib: more conn->data cleanups
+- tool_operate: check argc before accessing argv[1]
   
-  Closes #6479
+  Follow-up to 09363500b
+  Reported-by: Emil Engler
+  Reviewed-by: Daniel Gustafsson
+  Closes #6668
 
-- [Patrick Monnerat brought this change]
+Daniel Gustafsson (26 Feb 2021)
+- [Jean-Philippe Menil brought this change]
 
-  vtls: reduce conn->data use
+  openssl: remove get_ssl_version_txt in favor of SSL_get_version
   
-  Closes #6474
-
-- hyper: deliver data to application with Curl_client_write
+  openssl: use SSL_get_version to get connection protocol
   
-  ... just as the native code path does. Avoids sending too large data
-  chunks in the callback and more.
+  Replace our bespoke get_ssl_version_txt in favor of SSL_get_version.
+  We can get rid of few lines of code, since SSL_get_version achieve
+  the exact same thing
   
-  Reported-by: Gisle Vanem
-  Fixes #6462
-  Closes #6473
-
-- gopher: remove accidental conn->data leftover
+  Closes #6665
+  Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
+  Signed-off-by: Jean-Philippe Menil <jpmenil@gmail.com>

contrib/libs/curl/README

@@ -40,7 +40,7 @@ GIT
 
     git clone https://github.com/curl/curl.git
 
-  (you'll get a directory named curl created, filled with the source code)
+  (you will get a directory named curl created, filled with the source code)
 
 SECURITY PROBLEMS
 

contrib/libs/curl/RELEASE-NOTES

@@ -1,23 +1,139 @@
-curl and libcurl 7.79.1
+curl and libcurl 7.80.0
 
- Public curl releases:         203
- Command line options:         242
- curl_easy_setopt() options:   290
- Public functions in libcurl:  85
- Contributors:                 2489
+ Public curl releases:         204
+ Command line options:         243
+ curl_easy_setopt() options:   294
+ Public functions in libcurl:  86
+ Contributors:                 2533
+
+This release includes the following changes:
+
+ o CURLOPT_MAXLIFETIME_CONN: maximum allowed lifetime for conn reuse [25]
+ o CURLOPT_PREREQFUNCTION: add new callback [17]
+ o libssh2: add SHA256 fingerprint support [4]
+ o urlapi: add curl_url_strerror() [21]
+ o urlapi: support UNC paths in file: URLs on Windows [20]
+ o wolfssl: allow setting of groups/curves [22]
 
 This release includes the following bugfixes:
 
- o Curl_http2_setup: don't change connection data on repeat invokes [10]
- o curl_multi_fdset: make FD_SET() not operate on sockets out of range [4]
- o dist: provide lib/.checksrc in the tarball [6]
- o FAQ: add GOPHERS + curl works on data, not files
- o hsts: CURLSTS_FAIL from hsts read callback should fail transfer [8]
- o hsts: handle unlimited expiry [3]
- o http: fix the broken >3 digit response code detection [1]
- o strerror: use sys_errlist instead of strerror on Windows [5]
- o test1184: disable [9]
- o tests/sshserver.pl: make it work with openssh-8.7p1 [2]
+ o .github: retry macos "brew install" command on failure [125]
+ o aws-sigv4: make signature work when post data is binary [68]
+ o BINDINGS: URL updates [30]
+ o build: remove checks for WinSock 1 [36]
+ o c-hyper: don't abort CONNECT responses early when auth-in-progress [71]
+ o c-hyper: make Curl_http propagate errors better [50]
+ o c-hyper: make CURLOPT_SUPPRESS_CONNECT_HEADERS work [97]
+ o c-hyper: make test 217 run [74]
+ o c-hyper: use hyper_request_set_uri_parts to make h2 better [39]
+ o checksrc: ignore preprocessor lines [64]
+ o CI/makefiles: introduce dedicated test target [34]
+ o ci: update Lift config to match requirements of curl build [1]
+ o cirrus: remove FreeBSD 11.4 from the matrix [62]
+ o cirrus: switch to openldap24-client [63]
+ o cleanup: constify unmodified static structs [2]
+ o cmake: add CURL_ENABLE_SSL option [46]
+ o cmake: fix error getting LOCATION property on non-imported target [59]
+ o CMake: restore support for SecureTransport on iOS [103]
+ o cmake: with OpenSSL, define OPENSSL_SUPPRESS_DEPRECATED [14]
+ o cmdline-opts: made the 'Added:' field mandatory [37]
+ o configure.ac: replace krb5-config with pkg-config [80]
+ o configure: when hyper is selected, deselect nghttp2 [94]
+ o connect: use sysaddr_un from sys/un.h or custom-defined for windows [23]
+ o curl-confopts.m4:  remove --enable/disable-hidden-symbols [70]
+ o curl-openssl.m4: modify library order for openssl linking [40]
+ o curl-openssl: pass argument to sed single-quoted [15]
+ o curl.1: remove mentions of really old version changes [38]
+ o curl: actually append "-" to --range without number only [57]
+ o curl: correct grammar in generated libcurl code [53]
+ o curl: print help descriptions in an aligned right column [16]
+ o curl_gssapi: fix link error on macOS Monterey [55]
+ o curl_multi_socket_action.3: add a "RETURN VALUE" section [106]
+ o curl_ntlm_core: use OpenSSL only if DES is available [42]
+ o Curl_updateconninfo: store addresses for QUIC connections too [90]
+ o CURLOPT_ALTSVC_CTRL.3: mention conn reuse is preferred [126]
+ o CURLOPT_HSTSWRITEFUNCTION.3: using CURLOPT_HSTS_CTRL is required [114]
+ o CURLOPT_HTTPHEADER.3: add descripion for specific headers [35]
+ o docs/HTTP3: improve build instructions [102]
+ o docs/Makefile.am: repair 'make html' [52]
+ o docs: fix typo in CURLOPT_TRAILERFUNCTION example [93]
+ o docs: provide "RETURN VALUE" section for more func manpages [105]
+ o docs: reduce use of "very" [107]
+ o doh: remove experimental code for DoH with GET [61]
+ o examples/htmltidy: correct wrong printf() use [66]
+ o examples/imap-append: fix end-of-data check [7]
+ o ftp: make the MKD retry to retry once per directory [113]
+ o gen.pl: insert the current date and version in generated man page [11]
+ o gen.pl: replace leading single quotes with \(aq [110]
+ o http2: make getsock not wait for write if there's no remote window [56]
+ o HTTP3: fix the HTTP/3 Explained book link [27]
+ o http: fix Basic auth with empty name field in URL [24]
+ o http: reject HTTP response codes < 100 [92]
+ o http: remove assert that breaks hyper [47]
+ o http: set content length earlier [67]
+ o http_proxy: make hyper CONNECT() return the correct error code [51]
+ o http_proxy: multiple CONNECT with hyper done better [78]
+ o hyper: disable test 1294 since hyper doesn't allow such crazy headers [96]
+ o hyper: does not support disabling CURLOPT_HTTP_TRANSFER_DECODING [72]
+ o hyper: pass the CONNECT line to the debug callback [79]
+ o imap: display quota information [115]
+ o INSTALL: update symbol hiding option [77]
+ o lib/mk-ca-bundle.pl: skip certs passed Not Valid After date [18]
+ o lib: avoid fallthrough cases in switch statements [33]
+ o libcurl.rc: switch out the copyright symbol for plain ASCII [5]
+ o libssh2: Get the version at runtime if possible [12]
+ o limit-rate.d: this is average over several seconds [119]
+ o llist: remove redundant code, branch will not be executed [10]
+ o Makefile.m32: fix to not require OpenSSL with -libssh2 or -rtmp options [100]
+ o maketgz: redirect updatemanpages.pl output to /dev/null
+ o man pages: require all to use the same section header order [101]
+ o manpage: adjust the asterisk in some SYNOPSIS sections [82]
+ o md5: fix compilation with OpenSSL 3.0 API [43]
+ o misc: fix a few issues on MidnightBSD [28]
+ o misc: fix typos in docs and comments [3]
+ o ngtcp2: advertise h3 as well as h3-29 [109]
+ o ngtcp2: compile with the latest nghttp3 [117]
+ o ngtcp2: specify the missing required callback functions [108]
+ o ngtcp2: use latest QUIC TLS RFC9001 [122]
+ o NTLM: use DES_set_key_unchecked with OpenSSL [13]
+ o openssl: if verifypeer is not requested, skip the CA loading [69]
+ o openssl: with OpenSSL 1.1.0+ a failed RAND_status means goaway [44]
+ o Revert "src/tool_filetime: disable -Wformat on mingw for this file" [88]
+ o sasl: binary messages [31]
+ o schannel: fix memory leak due to failed SSL connection [89]
+ o scripts/delta: count command line options in the new file
+ o sendf: accept zero-length data in Curl_client_write() [95]
+ o sha256: use high-level EVP interface for OpenSSL [41]
+ o smooth-gtk-thread.c: enhance the mutex lock use [112]
+ o sws: fix memory leak on exit [49]
+ o test1160: edited to work with hyper [83]
+ o test1173: make manpage-syntax.pl spot \n errors in examples
+ o test1185: verify checksrc [58]
+ o test1266/1267: disabled on hyper: no HTTP/0.9 support [99]
+ o test1287: make work on hyper [98]
+ o test207: accept a different error code for hyper [76]
+ o test262: don't attempt with hyper [73]
+ o test552: updated to work with hyper [87]
+ o test559: add 'HTTP' in keywords [86]
+ o tests/smbserver.py: fix compatibility with impacket 0.9.23+ [104]
+ o tests: add Schannel-specific tests and disable unsupported ones [91]
+ o tests: disable test 2043 [54]
+ o tests: kill some test servers afterwards to avoid locked logfiles [111]
+ o tests: use python3 in test 1451 [48]
+ o tls: remove newline from three infof() calls [85]
+ o tool_cb_prg: make resumed upload progress bar show better [9]
+ o tool_listhelp: easier generated with gen.pl [19]
+ o tool_main: fix typo in comment [29]
+ o tool_operate: a failed etag save now only fails that transfer [124]
+ o URL-SYNTAX: add IMAP UID SEARCH example [81]
+ o url: check the return value of curl_url() [75]
+ o url: set "k->size" -1 at start of request [60]
+ o urlapi: skip a strlen(), pass in zero [65]
+ o urlapi: URL decode percent-encoded host names [26]
+ o version_win32: use actual version instead of manifested version [45]
+ o vtls: Fix a memory leak if an SSL session cannot be added to the cache [8]
+ o wolfssl: use for SHA256, MD4, MD5, and setting DES odd parity [32]
+ o zuul: pin the quiche build to use an older cmake-rs [84]
 
 This release includes the following known bugs:
 
@@ -26,19 +142,146 @@ This release includes the following known bugs:
 This release would not have looked like this without help, code, reports and
 advice from friends like these:
 
-  0xee on github, Daniel Stenberg, Evangelos Foutras, Glenn de boer,
-  Jonathan Cardoso Machado, Kamil Dudka, Marcel Raad, Ray Satiro,
-  RiderALT on github, tawmoto on github, Viktor Szakats,
-  (11 contributors)
+  8U61ife on github, a1346054 on github, Abhinav Singh, Alexander Chuykov,
+  Alexander Kanavin, Amaury Denoyelle, Anthony Hu, Axel Morawietz,
+  beslick5 on github, billionai on github, Bo Anderson, Boris Rasin,
+  Dan Fandrich, Daniel Gustafsson, Daniel Stenberg, David Cook, David Hu,
+  Earnestly on github, Eddie Lumpkin, Érico Nogueira, Erik Stenlund,
+  Gisle Vanem, Gleb Ivanovsky, Godwin Stewart, h1zzz on github, Harry Sintonen,
+  Hayden Roche, Jakub Zakrzewski, Jan Mazur, Jeffrey Tolar, Jerome Mao,
+  Joel Depooter, Jonathan Cardoso Machado, Josip Medved, Jun-ya Kato,
+  Kerem Kat, Kevin Burke, Kirill Efimov, Lucas Holt, Malik Idrees Hasan Khan,
+  Marcel Raad, Marc Hörsken, Mats Lindestam, Max Dymond, Michael Afanasiev,
+  Michael Baentsch, Michael Kaufmann, Momoka Yamamoto, Noam Moshe,
+  orycho on github, Patrick Monnerat, Rafał Mikrut, Randall S. Becker,
+  Raul Onitza-Klugman, Ray Satiro, Ricardo Martins, Rick Lane,
+  Rikard Falkeborn, Roger Young, Roy Li, ryancaicse on github, Ryan Mast,
+  Samuel Henrique, Sean Molenaar, Sergey Markelov, Sergio Durigan Junior,
+  sergio-nsk on github, Sharon Brizinov, Stathis Kapnidis,
+  Steini2000 on github, Tatsuhiro Tsujikawa, Thomas M. DuBuisson,
+  tlahn on github, Viktor Szakats, Vitaly Varyvdin, Wyatt O'Day,
+  x2018 on github, Борис Верховский,
+  (78 contributors)
 
 References to bug reports and discussions on issues:
 
- [1] = https://curl.se/bug/?i=7738
- [2] = https://curl.se/bug/?i=7724
- [3] = https://curl.se/bug/?i=7720
- [4] = https://curl.se/bug/?i=7718
- [5] = https://curl.se/bug/?i=7735
- [6] = https://curl.se/bug/?i=7733
- [8] = https://curl.se/bug/?i=7726
- [9] = https://curl.se/bug/?i=7725
- [10] = https://curl.se/bug/?i=7730
+ [1] = https://curl.se/bug/?i=7761
+ [2] = https://curl.se/bug/?i=7759
+ [3] = https://curl.se/bug/?i=7747
+ [4] = https://curl.se/bug/?i=7646
+ [5] = https://curl.se/bug/?i=7765
+ [7] = https://curl.se/bug/?i=7774
+ [8] = https://curl.se/bug/?i=7683
+ [9] = https://curl.se/bug/?i=7760
+ [10] = https://curl.se/bug/?i=7770
+ [11] = https://curl.se/bug/?i=7782
+ [12] = https://curl.se/bug/?i=7768
+ [13] = https://curl.se/bug/?i=7779
+ [14] = https://curl.se/bug/?i=7767
+ [15] = https://curl.se/bug/?i=7758
+ [16] = https://curl.se/bug/?i=7792
+ [17] = https://curl.se/bug/?i=7477
+ [18] = https://curl.se/bug/?i=7801
+ [19] = https://curl.se/bug/?i=7787
+ [20] = https://curl.se/bug/?i=7366
+ [21] = https://curl.se/bug/?i=7605
+ [22] = https://curl.se/bug/?i=7728
+ [23] = https://curl.se/bug/?i=7737
+ [24] = https://curl.se/bug/?i=7819
+ [25] = https://curl.se/mail/lib-2021-09/0058.html
+ [26] = https://curl.se/bug/?i=7830
+ [27] = https://curl.se/bug/?i=7813
+ [28] = https://curl.se/bug/?i=7812
+ [29] = https://curl.se/bug/?i=7811
+ [30] = https://curl.se/bug/?i=7809
+ [31] = https://curl.se/bug/?i=6930
+ [32] = https://curl.se/bug/?i=7806
+ [33] = https://curl.se/bug/?i=7322
+ [34] = https://curl.se/bug/?i=7785
+ [35] = https://curl.se/bug/?i=7829
+ [36] = https://curl.se/bug/?i=7778
+ [37] = https://curl.se/bug/?i=7786
+ [38] = https://curl.se/bug/?i=7786
+ [39] = https://curl.se/bug/?i=7679
+ [40] = https://curl.se/bug/?i=7826
+ [41] = https://curl.se/bug/?i=7808
+ [42] = https://curl.se/bug/?i=7808
+ [43] = https://curl.se/bug/?i=7808
+ [44] = https://curl.se/bug/?i=7840
+ [45] = https://curl.se/bug/?i=7742
+ [46] = https://curl.se/bug/?i=7822
+ [47] = https://curl.se/bug/?i=7852
+ [48] = https://curl.se/bug/?i=7899
+ [49] = https://curl.se/bug/?i=7849
+ [50] = https://curl.se/bug/?i=7851
+ [51] = https://curl.se/bug/?i=7825
+ [52] = https://curl.se/bug/?i=7853
+ [53] = https://curl.se/bug/?i=7802
+ [54] = https://curl.se/bug/?i=7845
+ [55] = https://curl.se/bug/?i=7657
+ [56] = https://curl.se/bug/?i=7821
+ [57] = https://curl.se/bug/?i=7837
+ [58] = https://curl.se/bug/?i=7866
+ [59] = https://curl.se/bug/?i=7885
+ [60] = https://curl.se/bug/?i=7871
+ [61] = https://curl.se/bug/?i=7870
+ [62] = https://curl.se/bug/?i=7869
+ [63] = https://curl.se/bug/?i=7868
+ [64] = https://curl.se/bug/?i=7863
+ [65] = https://curl.se/bug/?i=7862
+ [66] = https://curl.se/bug/?i=7860
+ [67] = https://github.com/curl/curl/commit/8a16e54#r57374914
+ [68] = https://curl.se/bug/?i=7844
+ [69] = https://curl.se/bug/?i=7892
+ [70] = https://curl.se/bug/?i=7891
+ [71] = https://curl.se/bug/?i=7889
+ [72] = https://curl.se/bug/?i=7889
+ [73] = https://curl.se/bug/?i=7889
+ [74] = https://curl.se/bug/?i=7889
+ [75] = https://curl.se/bug/?i=7917
+ [76] = https://curl.se/bug/?i=7889
+ [77] = https://curl.se/bug/?i=7890
+ [78] = https://curl.se/bug/?i=7888
+ [79] = https://curl.se/bug/?i=7887
+ [80] = https://curl.se/bug/?i=7916
+ [81] = https://github.com/curl/curl/issues/7626
+ [82] = https://curl.se/bug/?i=7884
+ [83] = https://curl.se/bug/?i=7912
+ [84] = https://curl.se/bug/?i=7927
+ [85] = https://curl.se/bug/?i=7879
+ [86] = https://curl.se/bug/?i=7911
+ [87] = https://curl.se/bug/?i=7911
+ [88] = https://curl.se/bug/?i=7941
+ [89] = https://curl.se/bug/?i=7877
+ [90] = https://curl.se/bug/?i=7939
+ [91] = https://curl.se/bug/?i=7968
+ [92] = https://curl.se/bug/?i=7909
+ [93] = https://curl.se/bug/?i=7910
+ [94] = https://curl.se/bug/?i=7908
+ [95] = https://curl.se/bug/?i=7898
+ [96] = https://curl.se/bug/?i=7905
+ [97] = https://curl.se/bug/?i=7905
+ [98] = https://curl.se/bug/?i=7905
+ [99] = https://curl.se/bug/?i=7905
+ [100] = https://curl.se/bug/?i=7895
+ [101] = https://curl.se/bug/?i=7904
+ [102] = https://curl.se/bug/?i=7842
+ [103] = https://curl.se/bug/?i=7501
+ [104] = https://curl.se/bug/?i=7924
+ [105] = https://curl.se/bug/?i=7902
+ [106] = https://curl.se/bug/?i=7901
+ [107] = https://curl.se/bug/?i=7936
+ [108] = https://curl.se/bug/?i=7929
+ [109] = https://curl.se/bug/?i=7979
+ [110] = https://curl.se/bug/?i=7933
+ [111] = https://curl.se/bug/?i=7925
+ [112] = https://curl.se/bug/?i=7926
+ [113] = https://curl.se/bug/?i=7967
+ [114] = https://curl.se/bug/?i=7923
+ [115] = https://curl.se/bug/?i=6973
+ [117] = https://curl.se/bug/?i=7978
+ [119] = https://curl.se/bug/?i=7970
+ [122] = https://curl.se/bug/?i=7960
+ [124] = https://curl.se/bug/?i=7945
+ [125] = https://curl.se/bug/?i=7955
+ [126] = https://curl.se/bug/?i=7957

contrib/libs/curl/include/curl/curl.h

@@ -46,8 +46,8 @@
 #include <stdio.h>
 #include <limits.h>
 
-#if defined(__FreeBSD__) && (__FreeBSD__ >= 2)
-/* Needed for __FreeBSD_version symbol definition */
+#if (defined(__FreeBSD__) && (__FreeBSD__ >= 2)) || defined(__MidnightBSD__)
+/* Needed for __FreeBSD_version or __MidnightBSD_version symbol definition */
 #include <osreldate.h>
 #endif
 
@@ -73,6 +73,7 @@
     defined(ANDROID) || defined(__ANDROID__) || defined(__OpenBSD__) || \
     defined(__CYGWIN__) || defined(AMIGA) || defined(__NuttX__) || \
    (defined(__FreeBSD_version) && (__FreeBSD_version < 800000)) || \
+   (defined(__MidnightBSD_version) && (__MidnightBSD_version < 100000)) || \
     defined(__VXWORKS__)
 #include <sys/select.h>
 #endif
@@ -470,6 +471,20 @@ typedef int (*curl_debug_callback)
         size_t size,       /* size of the data pointed to */
         void *userptr);    /* whatever the user please */
 
+/* This is the CURLOPT_PREREQFUNCTION callback prototype. */
+typedef int (*curl_prereq_callback)(void *clientp,
+                                    char *conn_primary_ip,
+                                    char *conn_local_ip,
+                                    int conn_primary_port,
+                                    int conn_local_port);
+
+/* Return code for when the pre-request callback has terminated without
+   any errors */
+#define CURL_PREREQFUNC_OK 0
+/* Return code for when the pre-request callback wants to abort the
+   request */
+#define CURL_PREREQFUNC_ABORT 1
+
 /* All possible error codes from all sorts of curl functions. Future versions
    may return other values, stay prepared.
 
@@ -2043,7 +2058,8 @@ typedef enum {
   /* alt-svc cache file name to possibly read from/write to */
   CURLOPT(CURLOPT_ALTSVC, CURLOPTTYPE_STRINGPOINT, 287),
 
-  /* maximum age of a connection to consider it for reuse (in seconds) */
+  /* maximum age (idle time) of a connection to consider it for reuse
+   * (in seconds) */
   CURLOPT(CURLOPT_MAXAGE_CONN, CURLOPTTYPE_LONG, 288),
 
   /* SASL authorisation identity */
@@ -2102,6 +2118,20 @@ typedef enum {
      this option is used only if PROXY_SSL_VERIFYPEER is true */
   CURLOPT(CURLOPT_PROXY_CAINFO_BLOB, CURLOPTTYPE_BLOB, 310),
 
+  /* used by scp/sftp to verify the host's public key */
+  CURLOPT(CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256, CURLOPTTYPE_STRINGPOINT, 311),
+
+  /* Function that will be called immediately before the initial request
+     is made on a connection (after any protocol negotiation step).  */
+  CURLOPT(CURLOPT_PREREQFUNCTION, CURLOPTTYPE_FUNCTIONPOINT, 312),
+
+  /* Data passed to the CURLOPT_PREREQFUNCTION callback */
+  CURLOPT(CURLOPT_PREREQDATA, CURLOPTTYPE_CBPOINT, 313),
+
+  /* maximum age (since creation) of a connection to consider it for reuse
+   * (in seconds) */
+  CURLOPT(CURLOPT_MAXLIFETIME_CONN, CURLOPTTYPE_LONG, 314),
+
   CURLOPT_LASTENTRY /* the last unused */
 } CURLoption;
 

contrib/libs/curl/include/curl/curlver.h

@@ -30,13 +30,13 @@
 
 /* This is the version number of the libcurl package from which this header
    file origins: */
-#define LIBCURL_VERSION "7.79.1"
+#define LIBCURL_VERSION "7.80.0"
 
 /* The numeric version number is also available "in parts" by using these
    defines: */
 #define LIBCURL_VERSION_MAJOR 7
-#define LIBCURL_VERSION_MINOR 79
-#define LIBCURL_VERSION_PATCH 1
+#define LIBCURL_VERSION_MINOR 80
+#define LIBCURL_VERSION_PATCH 0
 
 /* This is the numeric version of the libcurl version number, meant for easier
    parsing and comparisons by programs. The LIBCURL_VERSION_NUM define will
@@ -57,7 +57,7 @@
    CURL_VERSION_BITS() macro since curl's own configure script greps for it
    and needs it to contain the full number.
 */
-#define LIBCURL_VERSION_NUM 0x074f01
+#define LIBCURL_VERSION_NUM 0x075000
 
 /*
  * This is the date and time when the full source package was created. The
@@ -68,7 +68,7 @@
  *
  * "2007-11-23"
  */
-#define LIBCURL_TIMESTAMP "2021-09-22"
+#define LIBCURL_TIMESTAMP "2021-11-10"
 
 #define CURL_VERSION_BITS(x,y,z) ((x)<<16|(y)<<8|(z))
 #define CURL_AT_LEAST_VERSION(x,y,z) \

contrib/libs/curl/include/curl/typecheck-gcc.h

@@ -317,6 +317,7 @@ CURLWARNING(_curl_easy_getinfo_err_curl_off_t,
    (option) == CURLOPT_SERVICE_NAME ||                                        \
    (option) == CURLOPT_SOCKS5_GSSAPI_SERVICE ||                               \
    (option) == CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 ||                             \
+   (option) == CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 ||                          \
    (option) == CURLOPT_SSH_KNOWNHOSTS ||                                      \
    (option) == CURLOPT_SSH_PRIVATE_KEYFILE ||                                 \
    (option) == CURLOPT_SSH_PUBLIC_KEYFILE ||                                  \
@@ -363,6 +364,7 @@ CURLWARNING(_curl_easy_getinfo_err_curl_off_t,
    (option) == CURLOPT_INTERLEAVEDATA ||                                      \
    (option) == CURLOPT_IOCTLDATA ||                                           \
    (option) == CURLOPT_OPENSOCKETDATA ||                                      \
+   (option) == CURLOPT_PREREQDATA ||                                          \
    (option) == CURLOPT_PROGRESSDATA ||                                        \
    (option) == CURLOPT_READDATA ||                                            \
    (option) == CURLOPT_SEEKDATA ||                                            \

contrib/libs/curl/include/curl/urlapi.h

@@ -47,7 +47,8 @@ typedef enum {
   CURLUE_NO_HOST,             /* 14 */
   CURLUE_NO_PORT,             /* 15 */
   CURLUE_NO_QUERY,            /* 16 */
-  CURLUE_NO_FRAGMENT          /* 17 */
+  CURLUE_NO_FRAGMENT,         /* 17 */
+  CURLUE_LAST
 } CURLUcode;
 
 typedef enum {
@@ -118,6 +119,12 @@ CURL_EXTERN CURLUcode curl_url_get(CURLU *handle, CURLUPart what,
 CURL_EXTERN CURLUcode curl_url_set(CURLU *handle, CURLUPart what,
                                    const char *part, unsigned int flags);
 
+/*
+ * curl_url_strerror() turns a CURLUcode value into the equivalent human
+ * readable error string.  This is useful for printing meaningful error
+ * messages.
+ */
+CURL_EXTERN const char *curl_url_strerror(CURLUcode);
 
 #ifdef __cplusplus
 } /* end of extern "C" */