CONTRIB-2513 Update contrib/libs/curl to 7.79.1

ref:cfccba5015904b0f0cadfc018200e2a1b4d50ae6

contrib/libs/curl/.yandex_meta/devtools.copyrights.report

@@ -42,6 +42,18 @@ BELONGS ya.make
         lib/curl_sha256.h [10:11]
         lib/sha256.c [8:9]
 
+KEEP     COPYRIGHT_SERVICE_LABEL 07b936b4d91754a9e3594aa53e39e425
+BELONGS ya.make
+    License text:
+         * Copyright (C) 2013 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
+         * Copyright (C) 2010, 2011, Hoi-Ho Chan, <hoiho.chan@gmail.com>
+    Scancode info:
+        Original SPDX id: COPYRIGHT_SERVICE_LABEL
+        Score           : 100.00
+        Match type      : COPYRIGHT
+    Files with this license:
+        lib/vtls/mbedtls_threadlock.c [8:9]
+
 KEEP     COPYRIGHT_SERVICE_LABEL 0adcfdb2f3aabeff35065b0b55f45563
 BELONGS ya.make
     License text:
@@ -59,7 +71,7 @@ BELONGS ya.make
 KEEP     COPYRIGHT_SERVICE_LABEL 0bd7e5cd48a574907e3f8e5d5cfa308f
 BELONGS ya.make
     License text:
-         * Copyright (C) 2013 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
+         * Copyright (C) 2013 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
          * Copyright (C) 2010, 2011, Hoi-Ho Chan, <hoiho.chan@gmail.com>
     Scancode info:
         Original SPDX id: COPYRIGHT_SERVICE_LABEL
@@ -149,6 +161,7 @@ BELONGS ya.make
         lib/hostip.h [10:10]
         lib/hostip4.c [8:8]
         lib/hostip6.c [8:8]
+        lib/hostsyn.c [8:8]
         lib/http.c [8:8]
         lib/http.h [10:10]
         lib/http2.c [8:8]
@@ -199,6 +212,8 @@ BELONGS ya.make
         lib/smtp.c [8:8]
         lib/socks.c [8:8]
         lib/socks.h [10:10]
+        lib/strdup.c [8:8]
+        lib/strdup.h [10:10]
         lib/telnet.c [8:8]
         lib/tftp.c [8:8]
         lib/timeval.c [8:8]
@@ -232,6 +247,7 @@ BELONGS ya.make
         lib/warnless.c [8:8]
         lib/warnless.h [10:10]
         lib/x509asn1.c [8:8]
+        lib/x509asn1.h [11:11]
 
 KEEP     COPYRIGHT_SERVICE_LABEL 1b9e8d9d7c9588e9a9cbcbd17572b2e4
 BELONGS ya.make
@@ -541,18 +557,6 @@ BELONGS ya.make
     Files with this license:
         lib/socks_gssapi.c [8:9]
 
-KEEP     COPYRIGHT_SERVICE_LABEL 7e4a48765cad1793cccd7bb998bec514
-BELONGS ya.make
-    License text:
-         * Copyright (C) 2013 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
-         * Copyright (C) 2010, 2011, Hoi-Ho Chan, <hoiho.chan@gmail.com>
-    Scancode info:
-        Original SPDX id: COPYRIGHT_SERVICE_LABEL
-        Score           : 100.00
-        Match type      : COPYRIGHT
-    Files with this license:
-        lib/vtls/mbedtls_threadlock.c [8:9]
-
 KEEP     COPYRIGHT_SERVICE_LABEL 83b79d1f310aaae5890091cddeacd1f9
 BELONGS ya.make
     License text:
@@ -629,7 +633,6 @@ BELONGS ya.make
         lib/hash.h [10:10]
         lib/hmac.c [8:8]
         lib/hostcheck.h [10:10]
-        lib/hostsyn.c [8:8]
         lib/idn_win32.c [8:8]
         lib/if2ip.c [8:8]
         lib/if2ip.h [10:10]
@@ -654,8 +657,6 @@ BELONGS ya.make
         lib/speedcheck.h [10:10]
         lib/strcase.c [8:8]
         lib/strcase.h [10:10]
-        lib/strdup.c [8:8]
-        lib/strdup.h [10:10]
         lib/strerror.h [10:10]
         lib/strtok.c [8:8]
         lib/strtok.h [10:10]
@@ -996,8 +997,8 @@ BELONGS ya.make
         Score           : 100.00
         Match type      : COPYRIGHT
     Files with this license:
-        lib/md4.c [213:218]
-        lib/md5.c [204:209]
+        lib/md4.c [217:222]
+        lib/md5.c [205:210]
 
 KEEP     COPYRIGHT_SERVICE_LABEL f5681c9f9526985592061799304792ee
 BELONGS ya.make

contrib/libs/curl/.yandex_meta/licenses.list.txt

@@ -144,7 +144,7 @@
 
 
 ====================COPYRIGHT====================
- * Copyright (C) 2013 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 2013 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
  * Copyright (C) 2010, 2011, Hoi-Ho Chan, <hoiho.chan@gmail.com>
 
 

contrib/libs/curl/CHANGES

@@ -6,8086 +6,8271 @@
 
                                   Changelog
 
-Version 7.78.0 (21 Jul 2021)
+Version 7.79.1 (22 Sep 2021)
 
-Daniel Stenberg (21 Jul 2021)
+Daniel Stenberg (22 Sep 2021)
 - RELEASE-NOTES: synced
   
-  curl 7.78.0 release
+  curl 7.79.1 release
 
-- winbuild/MakefileBuild.vc: bump copyright year
+- THANKS: added names from the 7.79.1 release
 
-Jay Satiro (21 Jul 2021)
-- docs: mention max-filesize options also apply to MQTT transfers
+- test897: verify delivery of IMAP post-body header content
   
-  Also make it clearer that the caveat 'if the file size is unknown it
-  the option will have no effect' may apply to protocols other than FTP
-  and HTTP.
+  The "content" is delivered as "body" by curl, but the envelope continues
+  after the body and the rest of it should be delivered as header.
   
-  Reported-by: Josh Soref
+  The IMAP server can now get 'POSTFETCH' set to include more data to
+  include after the body and test 897 is done to verify that such "extra"
+  header data is in fact delivered by curl as header.
   
-  Fixes https://github.com/curl/curl/issues/7453
-
-- [Josh Soref brought this change]
+  Ref: #7284 but fails to reproduce the issue
+  
+  Closes #7748
 
-  docs/cmdline: fix grammar and typos
+- KNOWN_BUGS: connection migration doesn't work
+  
+  Closes #7695
 
-- [Josh Soref brought this change]
+- RELEASE-NOTES: synced
 
-  dump-header.d: Drop suggestion to use for cookie storage
+- http: fix the broken >3 digit response code detection
   
-  Since --cookie-jar is the preferred way to store cookies, no longer
-  suggest using --dump-header to do so.
+  When the "reason phrase" in the HTTP status line starts with a digit,
+  that was treated as the forth response code digit and curl would claim
+  the response to be non-compliant.
   
-  Co-authored-by: Daniel Stenberg
+  Added test 1466 to verify this case.
   
-  Closes https://github.com/curl/curl/issues/7414
-
-- [Josh Soref brought this change]
+  Regression brought by 5dc594e44f73b17
+  Reported-by: Glenn de boer
+  Fixes #7738
+  Closes #7739
 
-  doc/cmdline: fix grammar and typos
+Jay Satiro (17 Sep 2021)
+- strerror: use sys_errlist instead of strerror on Windows
   
-  Closes https://github.com/curl/curl/pull/7454
-  Closes https://github.com/curl/curl/pull/7455
-  Closes https://github.com/curl/curl/pull/7456
-  Closes https://github.com/curl/curl/pull/7459
-  Closes https://github.com/curl/curl/pull/7460
-  Closes https://github.com/curl/curl/pull/7461
-  Closes https://github.com/curl/curl/pull/7462
-  Closes https://github.com/curl/curl/pull/7463
-
-Daniel Stenberg (20 Jul 2021)
-- vtls: fix connection reuse checks for issuer cert and case sensitivity
+  - Change Curl_strerror to use sys_errlist[errnum] instead of strerror to
+    retrieve the error message on Windows.
   
-  CVE-2021-22924
+  Windows' strerror writes to a static buffer and is not thread-safe.
   
-  Reported-by: Harry Sintonen
-  Bug: https://curl.se/docs/CVE-2021-22924.html
+  Follow-up to 2f0bb86 which removed most instances of strerror in favor
+  of calling Curl_strerror (which calls strerror_r for other platforms).
+  
+  Ref: https://github.com/curl/curl/pull/7685
+  Ref: https://github.com/curl/curl/commit/2f0bb86
+  
+  Closes https://github.com/curl/curl/pull/7735
 
-- sectransp: check for client certs by name first, then file
+Daniel Stenberg (16 Sep 2021)
+- dist: provide lib/.checksrc in the tarball
   
-  CVE-2021-22926
+  So that debug builds work (checksrc really)
   
-  Bug: https://curl.se/docs/CVE-2021-22926.html
+  Reported-by: Marcel Raad
+  Reported-by: tawmoto on github
+  Fixes #7733
+  Closes #7734
+
+- TODO: Improve documentation about fork safety
   
-  Assisted-by: Daniel Gustafsson
-  Reported-by: Harry Sintonen
+  Closes #6968
 
-- telnet: fix option parser to not send uninitialized contents
+- hsts: CURLSTS_FAIL from hsts read callback should fail transfer
   
-  CVS-2021-22925
+  ... and have CURLE_ABORTED_BY_CALLBACK returned.
   
-  Reported-by: Red Hat Product Security
-  Bug: https://curl.se/docs/CVE-2021-22925.html
+  Extended test 1915 to verify.
+  
+  Reported-by: Jonathan Cardoso
+  Fixes #7726
+  Closes #7729
 
-Jay Satiro (20 Jul 2021)
-- connect: fix wrong format specifier in connect error string
+- test1184: disable
   
-  0842175 (not in any release) used the wrong format specifier (long int)
-  for timediff_t. On an OS such as Windows libcurl's timediff_t (usually
-  64-bit) is bigger than long int (32-bit). In 32-bit Windows builds the
-  upper 32-bits of the timediff_t were erroneously then used by the next
-  format specifier. Usually since the timeout isn't larger than 32-bits
-  this would result in null as a pointer to the string with the reason for
-  the connection failing. On other OSes or maybe other compilers it could
-  probably result in garbage values (ie crash on deref).
+  The test should be fine and it works for me repeated when run manually,
+  but clearly it causes CI failures and it needs more research.
   
-  Before:
-  Failed to connect to localhost port 12345 after 1201 ms: (nil)
+  Reported-by: RiderALT on github
+  Fixes #7725
+  Closes #7732
+
+- Curl_http2_setup: don't change connection data on repeat invokes
   
-  After:
-  Failed to connect to localhost port 12345 after 1203 ms: Connection refused
+  Regression from 3cb8a748670ab88c (releasde in 7.79.0). That change moved
+  transfer oriented inits to before the check but also erroneously moved a
+  few connection oriented ones, which causes problems.
   
-  Closes https://github.com/curl/curl/pull/7449
+  Reported-by: Evangelos Foutras
+  Fixes #7730
+  Closes #7731
 
-- winbuild: support alternate nghttp2 static lib name
+- RELEASE-NOTES: synced
   
-  - Support both nghttp2.lib and nghttp2_static.lib for static nghttp2.
+  and bump to 7.79.1
+
+Kamil Dudka (16 Sep 2021)
+- tests/sshserver.pl: make it work with openssh-8.7p1
   
-  nghttp2 briefly changed its static lib name to nghttp2_static, but then
-  made the _static suffix optional.
+  ... by not using options with no argument where an argument is required:
   
-  Ref: https://github.com/nghttp2/nghttp2/pull/1394
-  Ref: https://github.com/nghttp2/nghttp2/pull/1418
-  Ref: https://github.com/nghttp2/nghttp2/issues/1466
+  === Start of file tests/log/ssh_server.log
+  curl_sshd_config line 6: no argument after keyword "DenyGroups"
+  curl_sshd_config line 7: no argument after keyword "AllowGroups"
+  curl_sshd_config line 10: Deprecated option AuthorizedKeysFile2
+  curl_sshd_config line 29: Deprecated option KeyRegenerationInterval
+  curl_sshd_config line 39: Deprecated option RhostsRSAAuthentication
+  curl_sshd_config line 40: Deprecated option RSAAuthentication
+  curl_sshd_config line 41: Deprecated option ServerKeyBits
+  curl_sshd_config line 45: Deprecated option UseLogin
+  curl_sshd_config line 56: no argument after keyword "AcceptEnv"
+  curl_sshd_config: terminating, 3 bad configuration options
+  === End of file tests/log/ssh_server.log
   
-  Reported-by: Pierre Yager
+  === Start of file log/sftp_server.log
+  curl_sftp_config line 33: Unsupported option "rhostsrsaauthentication"
+  curl_sftp_config line 34: Unsupported option "rsaauthentication"
+  curl_sftp_config line 52: no argument after keyword "sendenv"
+  curl_sftp_config: terminating, 1 bad configuration options
+  Connection closed.
+  Connection closed
+  === End of file log/sftp_server.log
   
-  Fixes https://github.com/curl/curl/issues/7446
-  Closes https://github.com/curl/curl/pull/7447
-
-- [Josh Soref brought this change]
+  Closes #7724
 
-  docs/cmdline: fix grammar and typos
+Daniel Stenberg (15 Sep 2021)
+- hsts: handle unlimited expiry
   
-  Closes https://github.com/curl/curl/pull/7432
-  Closes https://github.com/curl/curl/pull/7436
-  Closes https://github.com/curl/curl/pull/7438
-  Closes https://github.com/curl/curl/pull/7440
-  Closes https://github.com/curl/curl/pull/7445
-
-- [Josh Soref brought this change]
-
-  delegation.d: mention what happens when used multiple times
+  When setting a blank expire string, meaning unlimited, curl would pass
+  TIME_T_MAX to getime_r() when creating the output, while on 64 bit
+  systems such a large value cannot be convetered to a tm struct making
+  curl to exit the loop with an error instead. It can't be converted
+  because the year it would represent doesn't fit in the 'int tm_year'
+  field!
   
-  Closes https://github.com/curl/curl/pull/7408
-
-- [Josh Soref brought this change]
+  Starting now, unlimited expiry is instead handled differently by using a
+  human readable expiry date spelled out as "unlimited" instead of trying
+  to use a distant actual date.
+  
+  Test 1660 and 1915 have been updated to help verify this change.
+  
+  Reported-by: Jonathan Cardoso
+  Fixes #7720
+  Closes #7721
 
-  create-file-mode.d: mention what happens when used multiple times
+- curl_multi_fdset: make FD_SET() not operate on sockets out of range
   
-  Closes https://github.com/curl/curl/pull/7407
+  The VALID_SOCK() macro was made to only check for FD_SETSIZE if curl was
+  built to use select(), even though the curl_multi_fdset() function
+  always and unconditionally uses FD_SET and needs the check.
+  
+  Reported-by: 0xee on github
+  Fixes #7718
+  Closes #7719
 
-- [Josh Soref brought this change]
+- FAQ: add GOPHERS + curl works on data, not files
 
-  config.d: split comments and option-per line
-  
-  Closes https://github.com/curl/curl/pull/7405
+Version 7.79.0 (14 Sep 2021)
 
-Daniel Stenberg (19 Jul 2021)
-- misc: copyright year range updates
+Daniel Stenberg (14 Sep 2021)
+- RELEASE-NOTES: synced
+  
+  For the 7.79.0 release
 
-- mailmap: add Tobias and Timur
+- THANKS: add contributors from 7.79.0 release cycle
 
-Daniel Gustafsson (18 Jul 2021)
-- [Josh Soref brought this change]
+- FAQ: add two dev related questions
+  
+    8.1 Why does curl use C89?
+    8.2 Will curl be rewritten?
+  
+  Spell-checked-by: Paul Johnson
+  Closes #7715
 
-  docs: spell out directories instead of dirs in create-dirs
+- zuul.d/jobs: disable three tests for *-openssl-disable-proxy
   
-  Write out directories rather than using the dirs abbrevation. Also
-  use plural form consistently, even if the code in the end might just
-  create a single directory.
+  ... as they mysteriously seem to permfail without being related to
+  proxy.
   
-  Closes #7406
-  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
-  Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
+  Closes #7714
 
-- [Tobias Nyholm brought this change]
+- [Patrick Monnerat brought this change]
 
-  docs: correct spelling errors and a broken link
+  ftp,imap,pop3,smtp: reject STARTTLS server response pipelining
   
-  Update grammar and spelling in docs and source code comments.
+  If a server pipelines future responses within the STARTTLS response, the
+  former are preserved in the pingpong cache across TLS negotiation and
+  used as responses to the encrypted commands.
   
-  Closes: #7427
-  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+  This fix detects pipelined STARTTLS responses and rejects them with an
+  error.
+  
+  CVE-2021-22947
+  
+  Bug: https://curl.se/docs/CVE-2021-22947.html
 
-Marc Hoersken (18 Jul 2021)
-- CI/cirrus: install impacket from PyPI instead of FreeBSD packages
+- [Patrick Monnerat brought this change]
+
+  ftp,imap,pop3: do not ignore --ssl-reqd
   
-  Availability of impacket as FreeBSD package is too flaky.
+  In imap and pop3, check if TLS is required even when capabilities
+  request has failed.
   
-  Stick to legacy version of cryptography which still
-  supports OpenSSL version 1.0.2 due to FreeBSD 11.
+  In ftp, ignore preauthentication (230 status of server greeting) if TLS
+  is required.
   
-  Reviewed-by: Daniel Stenberg
+  Bug: https://curl.se/docs/CVE-2021-22946.html
   
-  Closes #7418
+  CVE-2021-22946
 
-Daniel Stenberg (18 Jul 2021)
-- [Josh Soref brought this change]
+- [z2_ on hackerone brought this change]
 
-  docs/cmdline: mention what happens when used multiple times
+  mqtt: clear the leftovers pointer when sending succeeds
   
-  For --dns-ipv4-addr, --dns-ipv6-addr and --dns-servers
+  CVE-2021-22945
   
-  Closes #7410
-  Closes #7411
-  Closes #7412
+  Bug: https://curl.se/docs/CVE-2021-22945.html
+
+- zuul: bump the rustls job to use v0.7.2
+  
+  ... and add -lm when using a rust library.
+  
+  Closes #7701
 
-- [MAntoniak brought this change]
+- RELEASE-PROCEDURE: add release dates from now to 8.0.0 in 2023
 
-  lib: fix compiler warnings with CURL_DISABLE_NETRC
+- SECURITY-PROCESS: tweak a little to match current practices
   
-  warning C4189: 'netrc_user_changed': local variable is initialized but
-  not referenced
+  Closes #7713
+
+- http_proxy: fix the User-Agent inclusion in CONNECT
   
-  warning C4189: 'netrc_passwd_changed': local variable is initialized but
-  not referenced
+  It should not refer to the uagent string that is allocated and created
+  for the end server http request, as that pointer may be cleared on
+  subsequent CONNECT requests.
   
-  Closes #7423
+  Added test case 1184 to verify.
+  
+  Reported-by: T200proX7 on github
+  Fixes #7705
+  Closes #7707
 
-- disable-epsv.d: remove duplicate "(FTP)"
+- Curl_hsts_loadcb: don't attempt to load if hsts wasn't inited
   
-  ... since the tooling adds that to the output based on the "Protocols:"
-  tag.
+  Reported-by: Jonathan Cardoso
+  Fixes #7710
+  Closes #7711
 
-- [Max Zettlmeißl brought this change]
+- [Tatsuhiro Tsujikawa brought this change]
 
-  docs: make the documentation for --etag-save match the program behaviour
+  ngtcp2: fix build with ngtcp2 and nghttp3
   
-  When using curl with the option `--etag-save` I expected it to save the
-  ETag without its surrounding quotes, as stated by the documentation in
-  the repository and by the generated man pages.
+  ngtcp2_conn_client_new and nghttp3_conn_client_new are now macros.
+  Check the wrapped functions instead.
   
-  My first endeavour was to fix the program, but while investigating the
-  history of the relevant parts, I discovered that curl once saved the
-  ETag without the quotes.  This was undone by Daniel Stenberg in commit
-  `98c94596f5928840177b6bd3c7b0f0dd03a431af`, therefore I decided that in
-  this case the documentation should be adjusted to match the behaviour of
-  curl.
+  ngtcp2_stream_close callback now takes flags parameter.
   
-  The changed save behaviour also made parts of the `--etag-compare`
-  documentation wrong or superfluous, so I adjusted those accordingly.
+  Closes #7709
+
+- write-out.d: clarify size_download/upload
   
-  Closes #7429
+  They show the number of "body" bytes transfered.
+  Fixes #7702
+  Closes #7706
 
-- [Josh Soref brought this change]
+- http2: Curl_http2_setup needs to init stream data in all invokes
+  
+  Thus function was written to avoid doing multiple connection data
+  initializations, which is fine, but since it also initiates stream
+  related data it is crucial that it doesn't skip those even if called
+  again for the same connection. Solved by moving the stream
+  initializations before the "doing-it-again" check.
+  
+  Reported-by: Inho Oh
+  Fixes #7630
+  Closes #7692
 
-  write-out.d: add missing periods
+- url: fix compiler warning in no-verbose builds
   
-  Closes #7404
+  Follow-up from 2f0bb864c12
+  
+  Closes #7700
 
-- [Josie Huddleston brought this change]
+- non-ascii: fix build errors from strerror fix
+  
+  Follow-up to 2f0bb864c12
+  
+  Closes #7697
 
-  easy: during upkeep, attach Curl_easy to connections in the cache
+- parse_args: redo the warnings for --remote-header-name combos
   
-  During the protocol-specific parts of connection upkeep, some code
-  assumes that the data->conn pointer already is set correctly.  However,
-  there's currently no guarantee of that in the code.
+  ... to avoid the memory leak risk pointed out by scan-build.
   
-  This fix temporarily attaches each connection to the Curl_easy object
-  before performing the protocol-specific connection check on it, in a
-  similar manner to the connection checking in extract_if_dead().
+  Follow-up from 7a3e981781d6c18a
   
-  Fixes #7386
-  Closes #7387
-  Reported-by: Josie Huddleston
+  Closes #7698
 
-- [Josh Soref brought this change]
+- ngtcp2: adapt to new size defintions upstream
+  
+  Reviewed-by: Tatsuhiro Tsujikawa
+  Closes #7699
 
-  cleanup: spell DoH with a lowercase o
+- rustls: add strerror.h include
   
-  Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
+  Follow-up to 2f0bb864c12
+
+- docs: the security list is reached at security at curl.se now
   
-  Closes #7413
+  Also update the FAQ section a bit to encourage users to rather submit
+  security issues on hackerone than sending email.
+  
+  Closes #7689
 
-- [Josh Soref brought this change]
+Marc Hoersken (9 Sep 2021)
+- runtests: add option -u to error on server unexpectedly alive
+  
+  Let's try to actually handle the server unexpectedly alive
+  case by first making them visible on CI builds as failures.
+  
+  This is needed to detect issues with killing of the test
+  servers completely including nested process chains with
+  multiple PIDs per test server (including bash and perl).
+  
+  On Windows/cygwin platforms this is especially helpful with
+  debugging PID mixups due to cygwin using its own PID space.
+  
+  Reviewed-by: Daniel Stenberg
+  Closes #7180
 
-  TheArtOfHttpScripting: polish
+Daniel Stenberg (9 Sep 2021)
+- opts docs: unify phrasing in NAME header
   
-  - add missing backticks and comma
+  - avoid writing "set ..." or "enable/disable ..." or "specify ..."
+    *All* options for curl_easy_setopt() are about setting or enabling
+    things and most of the existing options didn't use that way of
+    description.
   
-  - fix proxy description:
+  - start with lowercase letter, unless abbreviation. For consistency.
   
-  * example proxy isn't local
-  * locally doesn't really make sense
+  - Some additional touch-ups
   
-  Closes #7416
+  Closes #7688
 
-- [Josh Soref brought this change]
+- strerror.h: remove the #include from files not using it
 
-  form.d: add examples of `,`/`;` for file[name]
+- lib: don't use strerror()
   
-  Fixes #7415
-  Closes #7417
-
-- [MAntoniak brought this change]
+  We have and provide Curl_strerror() internally for a reason: strerror()
+  is not necessarily thread-safe so we should always try to avoid it.
+  
+  Extended checksrc to warn for this, but feature the check disabled by
+  default and only enable it in lib/
+  
+  Closes #7685
 
-  mbedtls: Remove unnecessary include
+Daniel Gustafsson (8 Sep 2021)
+- cirrus: Add FreeBSD 13.0 job and disable sanitizer build
   
-  - curl_setup.h: all references to mbedtls_md4* functions and structures
-    are in the md4.c. This file already includes the <mbedtls/md4.h> file
-    along with the file existence control (defined (MBEDTLS_MD4_C))
+  As alluded to the in the now removed comment, a 13.0 image became
+  available and is now ready to be used.
   
-  - curl_ntlm_core.c: unnecessary include - repeated below
+  The sanitizer builds were running on the 12.1 image which since has
+  been removed from the config, leaving the builds not running at all.
+  When enabled it turns out that they don't actually work due to very
+  long timeouts in executing the tests, so keep the disabled for now
+  but a bit more controlled.
   
-  Closes #7419
+  Closes #7592
+
+Daniel Stenberg (8 Sep 2021)
+- copyrights: update copyright year ranges
 
 - RELEASE-NOTES: synced
 
-Jay Satiro (16 Jul 2021)
-- [User Sg brought this change]
+- INTERNALS: c-ares has a new home: c-ares.org
 
-  multi: fix crash in curl_multi_wait / curl_multi_poll
+- docs: remove experimental mentions from HSTS and MQTT
   
-  Appears to have been caused by 51c0ebc (precedes 7.77.0) which added a
-  VALID_SOCK check to one of the loops through the sockets but not the
-  other.
+  Reported-by: Jonathan Cardoso
+  Bug: https://github.com/curl/curl/pull/6700#issuecomment-913792863
+  Closes #7681
+
+- [Cao ZhenXiang brought this change]
+
+  curl: add warning for incompatible parameters usage
   
-  Reported-by: sylgal@users.noreply.github.com
-  Authored-by: sylgal@users.noreply.github.com
+  --continue-at - and --remote-header-name are known incompatible parameters
   
-  Fixes https://github.com/curl/curl/issues/7379
-  Closes https://github.com/curl/curl/pull/7389
+  Closes #7674
 
-- [Daniel Gustafsson brought this change]
+- [git-bruh brought this change]
 
-  tool_help: remove unused define
-  
-  The PRINT_LINES_PAUSE macro is no longer used, and has been mostly
-  cleaned out but one occurrence remained.
+  examples/*hiperfifo.c: fix calloc arguments to match function proto
   
-  Closes https://github.com/curl/curl/pull/7380
+  Closes #7678
 
-- [Sergey Markelov brought this change]
+- INTERNALS: bump c-ares requirement to 1.16.0
+  
+  Since ba904db0705c93 we use ares_getaddrinfo, added in c-ares 1.16.0
 
-  build: fix compiler warnings when CURL_DISABLE_VERBOSE_STRINGS
+- curl: stop retry if Retry-After: is longer than allowed
   
-  fix compiler warnings about unused variables and parameters when
-  built with --disable-verbose.
+  If Retry-After: specifies a period that is longer than what fits within
+  --retry-max-time, then stop retrying immediately.
   
-  Closes https://github.com/curl/curl/pull/7377
+  Added test 366 to verify.
+  
+  Reported-by: Kari Pahula
+  Fixes #7675
+  Closes #7676
 
-- [Andrea Pappacoda brought this change]
+- [Michał Antoniak brought this change]
 
-  build: fix IoctlSocket FIONBIO check
+  mbedtls: avoid using a large buffer on the stack
   
-  Prior to this change HAVE_IOCTLSOCKET_CAMEL_FIONBIO mistakenly checked
-  for (lowercase) ioctlsocket when it should have checked for IoctlSocket.
+  Use dynamic memory allocation for the buffer used in checking "pinned
+  public key". The PUB_DER_MAX_BYTES parameter with default settings is
+  set to a value greater than 2kB.
   
-  Closes https://github.com/curl/curl/pull/7375
+  Co-authored-by: Daniel Stenberg
+  Closes #7586
 
-- [Timur Artikov brought this change]
+- configure: make --disable-hsts work
+  
+  The AC_ARG_ENABLE() macro itself uses a variable called
+  'enable_[option]', so when our script also used a variable with that
+  name for the purpose of storing what the user wants, it also
+  accidentally made it impossible to switch off the feature with
+  --disable-hsts. Fix this by renaming our variable.
+  
+  Reported-by: Michał Antoniak
+  Fixes #7669
+  Closes #7672
 
-  configure: fix nghttp2 library name for static builds
+Jay Satiro (5 Sep 2021)
+- config.d: note that curlrc is used even when --config
   
-  Don't hardcode the nghttp2 library name,
-  because it can vary, be "nghttp2_static" for example.
+  Bug: https://github.com/curl/curl/pull/7666#issuecomment-912214751
+  Reported-by: Viktor Szakats
   
-  Fixes https://github.com/curl/curl/issues/7367
-  Closes https://github.com/curl/curl/pull/7368
+  Closes https://github.com/curl/curl/pull/7667
 
-Gisle Vanem (16 Jul 2021)
-- [PellesC] fix _lseeki64() macro
+Daniel Stenberg (4 Sep 2021)
+- RELEASE-NOTES: synced
 
-- [SChannel] Use '_tcsncmp()' instead
+- test1173: check references to libcurl options
   
-  Revert previous change for PellesC.
+  ... that they refer to actual existing libcurl options.
   
-  Instead replace all use of `_tcsnccmp()` with `_tcsncmp()`.
+  Reviewed-by: Daniel Gustafsson
+  Closes #7656
 
-- [PellesC] missing '_tcsnccmp'
+- CURLOPT_UNIX_SOCKET_PATH.3: remove nginx reference, add see also
   
-  PellesC compiler does not have this macro in it's `<tchar.h>`
+  Closes #7656
 
-Daniel Gustafsson (14 Jul 2021)
-- TODO: add mention of mbedTLS 3 incompatibilities
+- opt-docs: verify man page sections + order
   
-  Wyatt OʼDay reported in #7385 that mbedTLS isn't backwards compatible
-  and curl no longer builds with it. Document the need to fix our support
-  until so has been done.
+  In every libcurl option man page there are now 8 mandatory sections that
+  must use the right name in the correct order and test 1173 verifies
+  this. Only 14 man pages needed adjustments.
   
-  Closes #7390
-  Fixes #7385
-  Reported-by: Wyatt OʼDay
-  Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
-
-- docs: fix inconsistencies in EGDSOCKET documentation
+  The sections and the order is as follows:
   
-  Only the OpenSSL backend actually use the EGDSOCKET, and also use
-  TLS consistently rather than mixing SSL and TLS. While there, also
-  fix a minor spelling nit.
+   - NAME
+   - SYNOPSIS
+   - DESCRIPTION
+   - PROTOCOLS
+   - EXAMPLE
+   - AVAILABILITY
+   - RETURN VALUE
+   - SEE ALSO
   
-  Closes: #7391
-  Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
-
-- [Борис Верховский brought this change]
+  Reviewed-by: Daniel Gustafsson
+  Closes #7656
 
-  docs: document missing arguments to commands
+- opt-docs: make sure all man pages have examples
   
-  This is a followup to commit f410b9e538129e77607fef1 fixing a few
-  more commands which takes arguments.
+  Extended manpage-syntax.pl (run by test 1173) to check that every man
+  page for a libcurl option has an EXAMPLE section that is more than two
+  lines. Then fixed all errors it found and added examples.
   
-  Closes #7382
-  Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
-
-- [Randolf J brought this change]
+  Reviewed-by: Daniel Gustafsson
+  Closes #7656
 
-  docs: fix incorrect argument name reference
-  
-  The documentation for the read callback was erroneously referencing
-  the nitems argument by nmemb.  The error was introduced in commit
-  ce0881edee3c7.
+- get.d: provide more useful examples
   
-  Closes #7383
-  Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
-
-- [Борис Верховский brought this change]
+  Closes #7668
 
-  tool_help: Document that --tlspassword takes a password
+- page-header: add GOPHERS, simplify wording in the 1st para
   
-  Closes #7378
-  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+  Closes #7665
 
-- scripts: Fix typo in release-notes instructions
+- connect: get local port + ip also when reusing connections
   
-  The command to run had a typo in the pathname which prevented copy
-  pasting it to work, which has annoyed me enough to fix this now.
-
-- RELEASE-NOTES: synced
-
-Jay Satiro (10 Jul 2021)
-- write-out.d: Clarify urlnum is not unique for de-globbed URLs
+  Regression. In d6a37c23a3c (7.75.0) we removed the duplicated storage
+  (connection + easy handle), so this info needs be extracted again even
+  for re-used connections.
   
-  Reported-by: Коваленко Анатолий Викторович
+  Add test 435 to verify
   
-  Fixes https://github.com/curl/curl/issues/7342
-  Closes https://github.com/curl/curl/pull/7369
+  Reported-by: Max Dymond
+  Fixes #7660
+  Closes #7662
 
-Daniel Gustafsson (3 Jul 2021)
-- [William Desportes brought this change]
+Marcel Raad (2 Sep 2021)
+- multi: fix compiler warning with `CURL_DISABLE_WAKEUP`
+  
+  `use_wakeup` is unused in this case.
+  
+  Closes https://github.com/curl/curl/pull/7661
 
-  docs: Fix typos
+Daniel Stenberg (1 Sep 2021)
+- tests: adjust the tftpd output to work with hyper mode
   
-  Closes: #7370
-  Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
+  By making them look less like http headers, the hyper mode "tweak"
+  doesn't interfere.
+  
+  Enable test 2002 and 2003 in hyper builds (and 1280 which is unrelated
+  but should be enabled).
+  
+  Closes #7658
 
-Daniel Stenberg (8 Jul 2021)
-- [Jonathan Wernberg brought this change]
+Daniel Gustafsson (1 Sep 2021)
+- [Gisle Vanem brought this change]
 
-  Revert "ftp: Expression 'ftpc->wait_data_conn' is always false"
+  openssl: annotate SSL3_MT_SUPPLEMENTAL_DATA
   
-  The reverted commit introduced a logic error in code that was
-  correct.
+  This adds support for the previously unhandled supplemental data which
+  in -v output was printed like:
   
-  The client using libcurl would notice the error since FTP file
-  uploads in active transfer mode would somtimes complete with
-  success despite no transfer having been performed and the
-  "uploaded" file thus not being on the remote server afterwards.
+      TLSv1.2 (IN), TLS header, Unknown (23):
   
-  The FTP server would notice the error because it receives a
-  RST on the data connection it has established with the client
-  before any data was transferred at all.
+  These will now be printed with proper annotation:
   
-  The logic error happens if the STOR response from the server have
-  arrived by the time ftp_multi_statemach() in the affected code path
-  is called, but the incoming data connection have not arrived yet.
-  In that case, the processing of the STOR response will cause
-  'ftpc->wait_data_conn' to be set to TRUE, contradicting the comment
-  in the code. Since 'complete' will also be set, later logic would
-  believe the transfer was done.
+      TLSv1.2 (OUT), TLS header, Supplemental data (23):
   
-  In most cases, the STOR response will not have arrived yet when
-  the affected code path is executed, or the incoming connection will
-  also have arrived, and thus the error would not express itself.
-  But if the speed difference of the device using libcurl and the
-  FTP server is exactly right, the error may happen as often as in
-  one out of hundred file transfers.
+  Closes #7652
+  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+Daniel Stenberg (1 Sep 2021)
+- curl.1: provide examples for each option
   
-  This reverts commit 49f3117a238b6eac0e22a32f50699a9eddcb66ab.
+  The file format for each option now features a "Example:" header that
+  can provide one or more examples that get rendered appropriately in the
+  output. All options MUST have at least one example or gen.pl complains
+  at build-time.
   
-  Bug: https://curl.se/mail/lib-2021-07/0025.html
-  Closes #7362
+  This fix also does a few other minor format and consistency cleanups.
+  
+  Closes #7654
 
-- msnprintf: return number of printed characters excluding null byte
+- progress: make trspeed avoid floats
   
-  ... even when the output is "capped" by the maximum length argument.
+  and compiler warnings for data conversions.
   
-  Clarified in the docs.
+  Reported-by: Michał Antoniak
+  Fixes #7645
+  Closes #7653
+
+- test365: verify response with chunked AND Content-Length headers
+
+- http: ignore content-length if any transfer-encoding is used
   
-  Closes #7361
+  Fixes #7643
+  Closes #7649
 
-- infof: remove newline from format strings, always append it
+- RELEASE-NOTES: synced
+
+- Revert "http2: skip immediate parsing of payload following protocol switch"
   
-  - the data needs to be "line-based" anyway since it's also passed to the
-    debug callback/application
+  This reverts commit 455a63c66f188598275e87d32de2c4e8e26b80cb.
   
-  - it makes infof() work like failf() and consistency is good
+  Reported-by: Tk Xiong
+  Fixes #7633
+  Closes #7648
+
+- KNOWN_BUGS: HTTP/3 doesn't support client certs
   
-  - there's an assert that triggers on newlines in the format string
+  Closes #7625
+
+- mailing lists: move from cool.haxx.se to lists.haxx.se
+
+- http_proxy: only wait for writable socket while sending request
   
-  - Also removes a few instances of "..."
+  Otherwise it would wait socket writability even after the entire CONNECT
+  request has sent and make curl basically busy-loop while waiting for a
+  response to come back.
   
-  - Removes the code that would append "..." to the end of the data *iff*
-    it was truncated in infof()
+  The previous fix attempt in #7484 (c27a70a591a4) was inadequate.
   
-  Closes #7357
+  Reported-by: zloi-user on github
+  Reported-by: Oleguer Llopart
+  Fixes #7589
+  Closes #7647
 
-- examples/multi-single: fix scan-build warning
+- http: disallow >3-digit response codes
   
-  warning: Value stored to 'mc' during its initialization is never read
+  Make the built-in HTTP parser behave similar to hyper and reject any
+  HTTP response using more than 3 digits for the response code.
   
-  Follow-up to ae8e11ed5fd2ce
+  Updated test 1432 accordingly.
+  Enabled test 1432 in the hyper builds.
   
-  Closes #7360
+  Closes #7641
 
-- wolfssl: failing to set a session id is not reason to error out
-  
-  ... as it is *probably* just timed out.
+- [Tatsuhiro Tsujikawa brought this change]
+
+  ngtcp2: stop buffering crypto data
   
-  Reported-by: Francisco Munoz
+  Stop buffering crypto data because libngtcp2 now buffers submitted
+  crypto data.
   
-  Closes #7358
+  Closes #7637
 
-- docs/examples: use curl_multi_poll() in multi examples
+- test1280: CRLFify the response to please hyper
   
-  The API is soon two years old and deserves being shown as the primary
-  way to drive multi code as it makes it much easier to write code.
+  Closes #7639
+
+- tests: enable test 1129 for hyper builds
   
-  multi-poll: removed
+  Closes #7638
+
+- curl: better error message when -O fails to get a good name
   
-  multi-legacy: add to show how we did multi API use before
-  curl_multi_wait/poll.
+  Due to how this currently works internally, it needs a working initial
+  file name to store contents in, so it may still fail even with -J is
+  used (and thus accepting a name from content-disposition:) if the file
+  name part of the URL isn't "good enough".
   
-  Closes #7352
+  Fixes #7628
+  Closes #7635
 
-- KNOWN_BUGS: flaky Windows CI builds
+- curl_easy_setopt: tweak the string copy wording
   
-  Closes #6972
+  Reported-by: Yaobin Wen
+  Fixes #7632
+  Closes #7634
 
 - RELEASE-NOTES: synced
 
-- test1147: hyper doesn't allow "crazy" request headers like built-in
+- [Don J Olmstead brought this change]
+
+  cmake: sync CURL_DISABLE options
   
-  ... so strip that from the test.
+  Adds the full listing of CURL_DISABLE options to the CMake build. Moves
+  all option code, except for CURL_DISABLE_OPENSSL_AUTO_LOA_CONFIG which
+  resides near OpenSSL configuration, to the same block of code. Also
+  sorts the options here and in the cmake config header.
   
-  Closes #7349
+  Additionally sorted the CURL-DISABLE listing and fixed the
+  CURL_DISABLE_POP3 option.
+  
+  Closes #7624
 
-- c-hyper: bail on too long response headers
+Jay Satiro (25 Aug 2021)
+- KNOWN_BUGS: FTPS upload data loss with TLS 1.3
   
-  To match with built-in behaviors. Makes test 1154 work.
+  Bug: https://github.com/curl/curl/issues/6149
+  Reported-by: Bylon2@users.noreply.github.com
   
-  Closes #7350
+  Closes https://github.com/curl/curl/pull/7623
 
-- test1151: added missing CRLF to work with hyper
+Daniel Stenberg (24 Aug 2021)
+- cmake: avoid poll() on macOS
   
-  Closes #7350
-
-- c-hyper: add support for transfer-encoding in the request
+  ... like we do in configure builds. Since poll() on macOS is not
+  reliable enough.
   
-  Closes #7348
-
-- [Andrea Pappacoda brought this change]
+  Reported-by: marc-groundctl
+  Fixes #7595
+  Closes #7619
 
-  cmake: remove libssh2 feature checks
+- c-hyper: handle HTTP/1.1 => HTTP/1.0 downgrade on reused connection
   
-  libssh2 features are detected based on version since commit
-  9dbbba997608f7c3c5de1c627c77c8cd2aa85b73
+  Enable test 1074
   
-  Closes #7343
+  Closes #7617
 
-- test1116: hyper doesn't pass through "surprise-trailers"
+- c-hyper: deal with Expect: 100-continue combined with POSTFIELDS
   
-  Closes #7344
+  Enable test 1130 and 1131
+  
+  Closes #7616
 
-- socks4: scan for the IPv4 address in resolve results
+- [a1346054 brought this change]
+
+  tests: be explicit about using 'python3' instead of 'python'
   
-  Follow-up to 84d2839740 which changed the resolving to always resolve
-  both address families, but since SOCKS4 only supports IPv4 it should
-  scan for and use the first available IPv4 address.
+  This fixes running tests in virtualenvs (or on distros) that no longer
+  have a symlink from python to python2 or python3.
   
-  Reported-by: shithappens2016 on github
-  Fixes #7345
-  Closes #7346
+  Closes #7602
 
-Jay Satiro (5 Jul 2021)
-- proto.d: fix formatting for paragraphs after margin changes
-  
-  Closes https://github.com/curl/curl/pull/7341
+- [a1346054 brought this change]
 
-- pinnedpubkey.d: fix formatting for version support lists
+  scripts: invoke interpreters through /usr/bin/env
   
-  Closes https://github.com/curl/curl/pull/7340
+  Closes #7602
 
-Daniel Stenberg (2 Jul 2021)
-- TODO: "Support in-memory certs/ca certs/keys" done
+- DISABLED: enable 11 more tests for hyper builds
   
-  Has been suppored for a while now with the *BLOB options.
+  Closes #7612
 
-- examples: safer and more proper read callback logic
+- setopt: enable CURLOPT_IGNORE_CONTENT_LENGTH for hyper
   
-  The same callback code is used in:
-  
-   imap-append.c
-   smtp-authzid.c
-   smtp-mail.c
-   smtp-multi.c
-   smtp-ssl.c
-   smtp-tls.c
+  Since this option is also used for FTP, it needs to work to set for
+  applications even if hyper doesn't support it for HTTP. Verified by test
+  1137.
   
-  It should not assume that it can copy full lines into the buffer as it
-  will encourage sloppy coding practices. Instead use byte-wise logic and
-  check/acknowledge the buffer size appropriately.
+  Updated docs to specify that the option doesn't work for HTTP when using
+  the hyper backend.
   
-  Reported-by: Harry Sintonen
-  Fixes #7330
-  Closes #7331
+  Closes #7614
 
-- test1519: adjusted to work with hyper
+- test1138: remove trailing space to make work with hyper
   
-  Closes #7333
+  Closes #7613
 
-- test1518: adjusted to work with hyper
+- libcurl-errors.3: clarify two CURLUcode errors
   
-  ... by making sure the stdout output doesn't look like HTTP headers.
+  CURLUE_BAD_HANDLE and CURLUE_BAD_PARTPOINTER should be for "bad" or
+  wrong pointers in a generic sense, not just for NULL pointers.
   
-  Closes #7333
+  Reviewed-by: Jay Satiro
+  
+  Ref: #7605
+  Closes #7611
 
-- test1514: add a CRLF to the response to make it correct
+Jay Satiro (23 Aug 2021)
+- symbols-in-versions: fix CURLSSLBACKEND_QSOSSL last used version
   
-  Makes hyper accept it fine instead returning HYPERE_UNEXPECTED_EOF on
-  us.
+  ... and also change the 'Removed' column name to 'Last' since that
+  column is for the last version to contain the symbol.
   
-  Closes #7334
+  Closes https://github.com/curl/curl/pull/7609
 
-- formdata: avoid "Argument cannot be negative" warning
-  
-  ... when converting a curl_off_t to size_t, by using
-  CURL_ZERO_TERMINATED before passing the argument to the function.
+Daniel Stenberg (23 Aug 2021)
+- urlapi.c:seturl: assert URL instead of using if-check
   
-  Detected by Coverity CID 1486590.
+  There's no code flow possible where this can happen. The assert makes
+  sure it also won't be introduced undetected in the future.
   
-  Closes #7328
-  Assisted-by: Daniel Gustafsson
+  Closes #7610
 
-- lib: more %u for port and int for %*s fixes
+- curl-openssl.m4: show correct output for OpenSSL v3
   
-  Detected by Coverity
+  Using 3.0.0 versions configure should now show this:
   
-  Closes #7329
-
-- doh: (void)-prefix call to curl_easy_setopt
-
-- lib: fix type of len passed to *printf's %*s
+  checking for OpenSSL headers version... 3.0.0 - 0x300
+  checking for OpenSSL library version... 3.0.0
+  checking for OpenSSL headers and library versions matching... yes
   
-  ... it needs to be 'int'. Detected by Coverity CID 1486611 (etc)
+  This output doesn't actually change what configure generates but is only
+  "cosmetic".
   
-  Closes #7326
+  Reported-by: Randall S. Becker
+  Fixes #7606
+  Closes #7608
 
-- lib: use %u instead of %ld for port number printf
+Jay Satiro (22 Aug 2021)
+- mksymbolsmanpage.pl: Fix showing symbol's last used version
   
-  Follow-up to 764c6bd3bf which changed the type of some port number
-  fields. Detected by Coverity (CID 1486624) etc.
+  Prior to this change the symbol's deprecated version was erroneously
+  shown as its last used version.
   
-  Closes #7325
+  Bug: https://github.com/curl/curl/commit/4e53b94#commitcomment-55239509
+  Reported-by: i-ky@users.noreply.github.com
 
-- version: turn version number functions into returning void
+Daniel Stenberg (21 Aug 2021)
+- mksymbolsmanpage.pl: match symbols case insenitively
   
-  ... as we never use the return codes from them.
+  Follow-up to 4e53b9430c750 which made this bug show.
   
-  Reviewed-by: Daniel Gustafsson
-  Closes #7319
+  Reported-by: i-ky
+  Bug: https://github.com/curl/curl/commit/4e53b9430c7504de8984796e2a2091ec16f27136#commitcomment-55239253
+  Closes #7607
 
-- mqtt: extend the error message for no topic
+- asyn-ares: call ares_freeaddrinfo() to clean up addrinfo results
   
-  ... and mention that it needs URL encoding.
+  As this leaks memory otherwise
   
-  Reported-by: Peter Körner
-  Fixes #7316
-  Closes #7317
+  Follow-up to ba904db0705c931
+  
+  Closes #7599
 
-- formdata: correct typecast in curl_mime_data call
+- [Ehren Bendler brought this change]
+
+  wolfssl: clean up wolfcrypt error queue
   
-  Coverity pointed out it the mismatch. CID 1486590
+  If wolfSSL is built in certain ways (OPENSSL_EXTRA or Debug), the error
+  queue gets added on to for each session and never freed. Fix it by
+  calling ERR_clear_error() like in vtls/openssl when needed. This func is
+  a no-op in wolfcrypt if the error queue is not enabled.
   
-  Closes #7327
+  Closes #7594
 
-- url: (void)-prefix a curl_url_get() call
+- man pages: remove trailing whitespaces
   
-  Coverity (CID 1486645) pointed out a use of curl_url_get() in the
-  parse_proxy function where the return code wasn't checked. A
-  (void)-prefix makes the intention obvious.
+  Extended test 1173 (via the manpage-syntax.pl script) to detect and warn
+  for them.
   
-  Closes #7320
+  Ref: #7602
+  Reported-by: a1346054 on github
+  Closes #7604
 
-- glob: pass an 'int' as len when using printf's %*s
-  
-  Detected by Coverity CID 1486629.
-  
-  Closes #7324
+- mailmap: add Gleb Ivanovsky
 
-- vtls: use free() not curl_free()
-  
-  curl_free() is provided for users of the API to free returned data,
-  there's no need to use it internally.
+- config.d: escape the backslash properly
   
-  Closes #7318
+  Closes #7603
 
-- zuul: use the new rustls directory name
-  
-  Follow-up to 6d972c8b1cbb3 which missed updating this directory name.
-  
-  Also no longer call it crustls in the docs and bump to rusttls-ffi 0.7.1
-  
-  Closes #7311
+- [Don J Olmstead brought this change]
 
-Jay Satiro (29 Jun 2021)
-- http: fix crash in rate-limited upload
+  curl_setup.h: sync values for HTTP_ONLY
   
-  - Don't set the size of the piece of data to send to the rate limit if
-    that limit is larger than the buffer size that will hold the piece.
+  The values for HTTP_ONLY differed between CMakeLists.txt and
+  curl_setup.h. Sync them and sort the values in curl_setup.h to make it
+  easier to spot differences.
   
-  Prior to this change if CURLOPT_MAX_SEND_SPEED_LARGE
-  (curl tool: --limit-rate) was set then it was possible that a temporary
-  buffer used for uploading could be written to out of bounds. A likely
-  scenario for this would be a non-trivial amount of post data combined
-  with a rate limit larger than CURLOPT_UPLOAD_BUFFERSIZE (default 64k).
+  Closes #7601
+
+Jay Satiro (21 Aug 2021)
+- configure: set classic mingw minimum OS version to XP
   
-  The bug was introduced in 24e469f which is in releases since 7.76.0.
+  - If the user has not specified a minimum OS version (via WINVER or
+    _WIN32_WINNT macros) then set it to Windows XP.
   
-  perl -e "print '0' x 200000" > tmp
-  curl --limit-rate 128k -d @tmp httpbin.org/post
+  Prior to this change classic MinGW defaulted the minimum OS version
+  to Windows NT 4.0 which is way too old. At least Windows XP is needed
+  for getaddrinfo (which resolves hostnames to IPv6 addresses).
   
-  Reported-by: Richard Marion
+  Ref: https://github.com/curl/curl/issues/7483#issuecomment-891597034
   
-  Fixes https://github.com/curl/curl/issues/7308
-  Closes https://github.com/curl/curl/pull/7315
+  Closes https://github.com/curl/curl/pull/7581
 
-Daniel Stenberg (29 Jun 2021)
-- copyright: add boiler-plate headers to CI config files
+- schannel: Work around typo in classic mingw macro
   
-  And whitelist .zuul.ignore
+  - Define ALG_CLASS_DHASH (the typo from the include) to ALG_CLASS_HASH.
   
-  Closes #7314
-
-- CI: remove travis details
+  Prior to this change there was an incomplete fix to ignore the
+  CALG_TLS1PRF macro on those versions of MinGW where it uses the
+  ALG_CLASS_DHASH typoed macro.
   
-  Rename still used leftovers to "zuul" as that's now the CI using them.
+  Ref: 48cf45c
+  Ref: https://osdn.net/projects/mingw/ticket/38391
+  Ref: https://github.com/curl/curl/issues/2924
   
-  Closes #7313
+  Closes https://github.com/curl/curl/pull/7580
 
+Daniel Stenberg (20 Aug 2021)
 - RELEASE-NOTES: synced
 
-- openssl: avoid static variable for seed flag
+- http_proxy: fix user-agent and custom headers for CONNECT with hyper
   
-  Avoid the race condition risk by instead storing the "seeded" flag in
-  the multi handle. Modern OpenSSL versions handle the seeding itself so
-  doing the seeding once per multi-handle instead of once per process is
-  less of an issue.
+  Enable test 287
   
-  Reported-by: Gerrit Renker
-  Fixes #7296
-  Closes #7306
+  Closes #7598
 
-- configure: inhibit the implicit-fallthrough warning on gcc-12
+- c-hyper: initial support for "dumping" 1xx HTTP responses
   
-  ... since it no longer acknowledges the comment markup we use for that
-  purpose.
+  With the use hyper_request_on_informational()
   
-  Reported-by: Younes El-karama
-  Fixes #7295
-  Closes #7307
+  Enable test 155 and 158
+  
+  Closes #7597
 
-Daniel Gustafsson (28 Jun 2021)
-- [Andrei Rybak brought this change]
+Marc Hoersken (18 Aug 2021)
+- tests/*server.pl: flush output before executing subprocess
+  
+  Also avoid shell processes staying around by using exec.
+  This is necessary to avoid output data being buffering
+  inside the process chain of Perl, Bash/Shell and our
+  test server binaries. On non-Windows systems the exec
+  will also make the subprocess replace the intermediate
+  shell, but on Windows it will at least bind the processes
+  together since there is no real fork or exec available.
+  
+  See: https://cygwin.com/cygwin-ug-net/highlights.html
+  and: https://docs.microsoft.com/cpp/c-runtime-library/exec-wexec-functions
+  Ref: https://github.com/curl/curl/pull/7530#issuecomment-900949010
+  
+  Reviewed-by: Daniel Stenberg
+  Reviewed-by: Jay Satiro
+  Closes #7530
 
-  misc: fix typos in comments which repeat a word
+- CI: use GitHub Container Registry instead of Docker Hub
   
-  Fix typos in code comments which repeat various words.  In trivial
-  cases, just delete the repeated word.  Reword the affected sentence in
-  "lib/url.c" for it to make sense.
+  Avoid limits on Docker Hub and improve image pull/download speed.
   
-  Closes #7303
-  Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
+  Closes #7587
 
-Daniel Stenberg (27 Jun 2021)
-- lib677: make it survive torture testing
+Daniel Stenberg (18 Aug 2021)
+- openssl: when creating a new context, there cannot be an old one
   
-  Follow-up to a5ab72d5edd7
+  Remove the previous handling that would call SSL_CTX_free(), and instead
+  add an assert that halts a debug build if there ever is a context
+  already set at this point.
   
-  Closes #7300
+  Closes #7585
 
-- [Tommy Chiang brought this change]
+Jay Satiro (18 Aug 2021)
+- KNOWN_BUGS: Renegotiate from server may cause hang for OpenSSL backend
+  
+  Closes https://github.com/curl/curl/issues/6785
 
-  docs/BINDINGS: fix outdated links
+Viktor Szakats (17 Aug 2021)
+- docs/BINDINGS: URL update
+
+Marc Hoersken (17 Aug 2021)
+- tests/server/*.c: align handling of portfile argument and file
   
-  * luacurl page is now not accessible, fix it with wayback machine page
-  * Scheme one seems not providing https now, change it back to http one
+  1. Call the internal variable portname (like pidname) everywhere.
+  2. Have a variable wroteportfile (like wrotepidfile) everywhere.
+  3. Make sure the file is cleaned up on exit (like pidfile).
+  4. Add parameter --portfile to usage outputs everywhere.
   
-  Closes #7301
+  Reviewed-by: Daniel Stenberg
+  
+  Replaces #7523
+  Closes #7574
 
-- [Jacob Hoffman-Andrews brought this change]
+Daniel Gustafsson (17 Aug 2021)
+- KNOWN_BUGS: Fix a number of typos in KNOWN_BUGS
+  
+  Fixes a set of typos found in section 11.3.
 
-  curstls: bump crustls version and use new URL
+Daniel Stenberg (17 Aug 2021)
+- getparameter: fix the --local-port number parser
   
-  crustls moved to https://github.com/rustls/rustls-ffi. This also bumps
-  the expected version to 0.7.0.
+  It could previously get tricked into parsing the uninitialized stack
+  based buffer.
   
-  Closes #7297
+  Reported-by: Brian Carpenter
+  Closes #7582
 
-- RELEASE-NOTES: synced
+- KNOWN_BUGS: Can't use Secure Transport with Crypto Token Kit
+  
+  Closes #7048
 
-- examples: length-limit two sscanf() uses of %s
+- [Jan Verbeek brought this change]
+
+  curl: add warning for ignored data after quoted form parameter
   
-  Reported-by: Jishan Shaikh
-  Fixes #7293
-  Closes #7294
+  In an argument like `-F 'x=@/etc/hostname;filename="foo"abc'` the `abc`
+  is ignored. This adds a warning if the ignored data isn't all
+  whitespace.
+  
+  Closes #7394
 
-- [Richard Whitehouse brought this change]
+Jay Satiro (17 Aug 2021)
+- codeql: fix error "Resource not accessible by integration"
+  
+  - Enable codeql writing security-events.
+  
+  GitHub set the default permissions to read, apparently since earlier
+  this year.
+  
+  Ref: https://github.com/github/codeql-action/issues/464
+  Ref: https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/
+  
+  Fixes https://github.com/curl/curl/issues/7575
+  Closes https://github.com/curl/curl/pull/7576
 
-  multi: alter transfer timeout ordering
+- tool_operate: Fix --fail-early with parallel transfers
   
-  - Check whether a connection has succeded before checking whether it's
-    timed out.
+  - Abort via progress callback to fail early during parallel transfers.
   
-    This means if we've connected quickly, but subsequently been
-    descheduled, we allow the connection to succeed. Note, if we timeout,
-    but between checking the timeout, and connecting to the server the
-    connection succeeds, we will allow it to go ahead. This is viewed as
-    an acceptable trade off.
+  When a critical error occurs during a transfer (eg --fail-early
+  constraint) then other running transfers will be aborted via progress
+  callback and finish with error CURLE_ABORTED_BY_CALLBACK (42). In this
+  case, the callback error does not become the most recent error and a
+  custom error message is used for those transfers:
   
-  - Add additional failf logging around failed connection attempts to
-    propogate the cause up to the caller.
+  curld --fail --fail-early --parallel
+  https://httpbin.org/status/404 https://httpbin.org/delay/10
   
-  Co-Authored-by: Martin Howarth
-  Closes #7178
+  curl: (22) The requested URL returned error: 404
+  curl: (42) Transfer aborted due to critical error in another transfer
+  
+  > echo %ERRORLEVEL%
+  22
+  
+  Fixes https://github.com/curl/curl/issues/6939
+  Closes https://github.com/curl/curl/pull/6984
 
-- test677: IMAP CONNECT_ONLY, custom command and then exit
+Daniel Stenberg (17 Aug 2021)
+- [Sergey Markelov brought this change]
+
+  sectransp: support CURLINFO_CERTINFO
   
-  Adjusted ftpserver.pl to add support for the IMAP IDLE command
+  Fixes #4130
+  Closes #7372
+
+- ngtcp2: remove the acked_crypto_offset struct field init
   
-  Adjusted test 660 to sync with the fix
+  ... as it is gone from the API upstream.
+  
+  Closes #7578
 
-- multi: do not switch off connect_only flag when closing
+- misc: update incorrect copyright year ranges
   
-  ... as it made protocol specific disconnect commands wrongly get used.
+  Closes #7577
+
+- KNOWN_BUGS: HTTP/3 quiche upload large file fails
   
-  Bug: https://curl.se/mail/lib-2021-06/0024.html
-  Reported-by: Aleksander Mazur
-  Closes #7288
+  Closes #7532
 
-- http: make the haproxy support work with unix domain sockets
+- KNOWN_BUGS: CMake build with MIT Kerberos does not work
   
-  ... it should then pass on "PROXY UNKNOWN" since it doesn't know the
-  involved IP addresses.
+  Closes #6904
+
+- TODO: add asynch getaddrinfo support
   
-  Reported-by: Valentín Gutiérrez
-  Fixes #7290
-  Closes #7291
+  Closes #6746
 
-- [Xiang Xiao brought this change]
+- RELEASE-NOTES: synced
 
-  curl.h: include sys/select.h for NuttX RTOS
+- [Artur Sinila brought this change]
+
+  http2: revert call the handle-closed function correctly on closed stream
   
-  Closes #7287
+  Reverts 252790c5335a221
+  
+  Assisted-by: Gergely Nagy
+  Fixes #7400
+  Closes #7525
 
-- [Bin Meng brought this change]
+- [Patrick Monnerat brought this change]
 
-  curl.h: remove the execution bit
+  auth: do not append zero-terminator to authorisation id in kerberos
   
-  The execution bit of curl.h file was wrongly added:
+  RFC4752 Section 3.1 states "The authorization identity is not terminated
+  with a zero-valued (%x00) octet". Although a comment in code said it may
+  be needed anyway, nothing confirms it. In addition, servers may consider
+  it as part of the identity, causing a failure.
   
-    commit 2621025d6f96 ("curl.h: <sys/select.h> is supported by VxWorks7")
+  Closes #7008
+
+- [Patrick Monnerat brought this change]
+
+  auth: use sasl authzid option in kerberos
   
-  and should be removed.
+  ... instead of deriving it from active ticket.
+  Closes #7008
+
+- [Patrick Monnerat brought this change]
+
+  auth: we do not support a security layer after kerberos authentication
   
-  Follow-up to 2621025d6f96 ("curl.h: <sys/select.h> is supported by VxWorks7")
-  Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
-  Closes #7286
+  Closes #7008
 
-- [Bin Lan brought this change]
+- [Patrick Monnerat brought this change]
 
-  curl.h: <sys/select.h> is supported by VxWorks7
+  auth: properly handle byte order in kerberos security message
   
-  Closes #7285
+  Closes #7008
 
-- [Bachue Zhou brought this change]
+- [z2_ brought this change]
 
-  quiche: use send() instead of sendto() to avoid macOS issue
+  x509asn1: fix heap over-read when parsing x509 certificates
   
-  sendto() always returns "Socket is already connected" error on macos
+  Assisted-by: Patrick Monnerat
+  Closes #7536
+
+- KNOWN_BUGS: Disconnects don't do verbose
   
-  Closes #7260
+  Closes #6995
 
-- [Li Xinwei brought this change]
+- mailmap: fixup Michał Antoniak
 
-  cmake: fix support for UnixSockets feature on Win32
+- [Michał Antoniak brought this change]
+
+  build: fix compiler warnings
   
-  Move the definition of sockaddr_un struct from config-win32.h to
-  curl_setup.h, so that it could be shared by all build systems.
+  For when CURL_DISABLE_VERBOSE_STRINGS and DEBUGBUILD flags are both
+  active.
   
-  Add ADDRESS_FAMILY typedef for old mingw, now old mingw can also use
-  unix sockets.
+  - socks.c : warning C4100: 'lineno': unreferenced formal parameter
+    (co-authored by Daniel Stenberg)
   
-  Also fix the build of tests/server/sws.c on Win32 when USE_UNIX_SOCKETS
-  is defined.
+  - mbedtls.c: warning C4189: 'port': local variable is initialized but
+    not referenced
   
-  Closes #7034
+  - schannel.c: warning C4189: 'hostname': local variable is initialized
+    but not referenced
+  
+  Cloes #7528
 
-- [Gregory Muchka brought this change]
+- [Gleb Ivanovsky brought this change]
 
-  hostip: (macOS) free returned memory of SCDynamicStoreCopyProxies
-  
-  From Apples documentation on SCDynamicStoreCopyProxies, "Return Value: A
-  dictionary of key-value pairs that represent the current internet proxy
-  settings, or NULL if no proxy settings have been defined or if an error
-  occurred. You must release the returned value."
+  CODE_STYLE-md: fix bold font style
   
-  Failure to release the returned value of SCDynamicStoreCopyProxies can
-  result in a memory leak.
-  
-  Source: https://developer.apple.com/documentation/systemconfiguration/1517088-scdynamicstorecopyproxies
+  Markdown gets confused with abundance of asterisks, so use underscores
+  instead.
   
-  Closes #7265
+  Reviewed-by: Daniel Gustafsson
+  Closes #7569
 
-- RELEASE-NOTES: synced
+- [Gleb Ivanovsky brought this change]
 
-Jay Satiro (21 Jun 2021)
-- vtls: fix warning due to function prototype mismatch
+  CODE_STYLE-md: add missing comma
   
-  b09c8ee changed the function prototype. Caught by Visual Studio.
+  Reviewed-by: Daniel Gustafsson
+  Closes #7570
 
-- curl_multibyte: Remove local encoding fallbacks
+- [Daniel Gustafsson brought this change]
+
+  examples/ephiperfifo.c: simplify signal handler
   
-  - If the UTF-8 to UTF-16 conversion fails in Windows Unicode builds then
-    no longer fall back to assuming the string is in a local encoding.
+  The signal handler registered for SIGINT is only handling SIGINT
+  so there isn't much need for inspecting the signo.  While there,
+  rename the handler to be more specific.
   
-  Background:
+  g_should_exit should really be of sig_atomic_t type, but relying
+  on autoconf in the examples seems like a bad idea so keep that
+  for now.
   
-  Some functions in Windows Unicode builds must convert UTF-8 to UTF-16 to
-  pass to the Windows CRT API wide-character functions since in Windows
-  UTF-8 is not a valid locale (or at least 99% of the time right now).
+  Reviewed-by: Daniel Stenberg
+  Closes #7310
+
+- c-hyper: initial step for 100-continue support
   
-  Prior to this change if the Unicode encoding conversion failed then
-  libcurl would assume, for backwards compatibility with applications that
-  may have written their code for non-Unicode builds, attempt to convert
-  the string from local encoding to UTF-16.
+  Enabled test 154
   
-  That type of "best effort" could theoretically cause some type of
-  security or other problem if a string that was locally encoded was also
-  valid UTF-8, and therefore an unexpected UTF-8 to UTF-16 conversion
-  could occur.
+  Closes #7568
+
+- [Ikko Ashimine brought this change]
+
+  vtls: fix typo in schannel_verify.c
   
-  Ref: https://github.com/curl/curl/pull/7246
+  occurence -> occurrence
   
-  Closes https://github.com/curl/curl/pull/7257
+  Closes #7566
 
-Daniel Stenberg (20 Jun 2021)
-- curl_endian: remove the unused Curl_write64_le function
+- [Emil Engler brought this change]
+
+  curl_url_get.3: clarify about path and query
   
-  The last usage was removed in cca455a36
+  The current man-page lacks some details regarding the obtained path and
+  query.
   
-  Closes #7280
+  Closes #7563
 
-- vtls: only store TIMER_APPCONNECT for non-proxy connect
-  
-  Introducing a 'isproxy' argument to the connect function so that it
-  knows wether to store the time stamp or not.
+- c-hyper: fix header value passed to debug callback
   
-  Reported-by: Yongkang Huang
-  Fixes #7274
-  Closes #7274
+  Closes #7567
 
-- gnutls: set the preferred TLS versions in correct order
+Viktor Szakats (12 Aug 2021)
+- cleanup: URL updates
   
-  Regression since 781864bedbc57 (curl 7.77.0)
+  - replace broken URL with the one it was most probably pointing to
+    when added (lib/tftp.c)
+  - replace broken URL with archive.org link (lib/curl_ntlm_wb.c)
+  - delete unnecessary protocol designator from archive.org URL
+    (docs/BINDINGS.md)
   
-  Reported-by: civodul on github
-  Assisted-by: Nikos Mavrogiannopoulos
-  Fixes #7277
-  Closes #7278
+  Closes #7562
 
-- [Gergely Nagy brought this change]
+Daniel Stenberg (12 Aug 2021)
+- [April King brought this change]
 
-  configure/cmake: remove checks for unused gethostbyaddr and gethostbyaddr_r
+  DEPRECATE.md: linkify curl-library mailing list
   
-  Closes #7276
+  Closes #7561
 
-- [Gergely Nagy brought this change]
+- [Barry Pollard brought this change]
 
-  configure/cmake: remove checks for unused inet_ntoa and inet_ntoa_r
+  output.d: add method to suppress response bodies
   
-  Closes #7276
+  Closes #7560
 
-- [Gergely Nagy brought this change]
-
-  configure/cmake: remove unused define HAVE_PERROR
+- TODO: remove 'c-ares deviates on http://1346569778'
   
-  Closes #7276
+  Fixed since 56a037cc0ad1b2 (7.77.0)
 
-- [Gergely Nagy brought this change]
+- [Colin O'Dell brought this change]
 
-  configure: remove unused check for gai_strerror
+  BINDINGS.md: update links to use https where available
   
-  Closes #7276
-
-- [Gergely Nagy brought this change]
+  Closes #7558
 
-  configure/cmake: remove unused define HAVE_FREEIFADDRS
+- asyn-ares.c: move all version number checks to the top
   
-  Closes #7276
-
-- [Gergely Nagy brought this change]
+  ... and use #ifdef [feature] in the code as per our guidelines.
 
-  configure/cmake: remove unused define HAVE_FORK
+- ares: use ares_getaddrinfo()
   
-  Closes #7276
-
-- [Gergely Nagy brought this change]
-
-  configure/cmake: remove unused define HAVE_FDOPEN
+  ares_getaddrinfo() is the getaddrinfo() cloned provided by c-ares, introduced
+  in version 1.16.0.
   
-  Closes #7276
-
-- [Gergely Nagy brought this change]
-
-  configure/cmake: remove checks for unused sgtty.h
+  With older c-ares versions, curl invokes ares_gethostbyname() twice - once for
+  IPv4 and once for IPv6 to resolve both addresses, and then combines the
+  returned results.
   
-  Closes #7276
+  Reported-by: jjandesmet
+  Fixes #7364
+  Closes #7552
 
-- [Gergely Nagy brought this change]
+- [Tatsuhiro Tsujikawa brought this change]
 
-  configure/cmake: remove remaining checks for rsa.h
+  ngtcp2: utilize crypto API functions to simplify
   
-  Closes #7276
+  Closes #7551
 
-- [Gergely Nagy brought this change]
+- [megatronking brought this change]
 
-  configure/cmake: remove remaining checks for err.h
+  ngtcp2: reset the oustanding send buffer again when drained
   
-  Closes #7276
+  Closes #7538
 
-- [Gergely Nagy brought this change]
-
-  configure/cmake: remove remaining checks for crypto.h
+Michael Kaufmann (10 Aug 2021)
+- progress: fix a compile warning on some systems
   
-  Closes #7276
+  lib/progress.c:380:40: warning: conversion to 'long double' from
+  'curl_off_t {aka long long int}' may alter its value [-Wconversion]
+  
+  Closes #7549
 
-- [Gergely Nagy brought this change]
+Daniel Stenberg (10 Aug 2021)
+- RELEASE-NOTES: synced
 
-  configure/cmake: remove checks for unused getservbyport_r
+- http: consider cookies over localhost to be secure
   
-  Closes #7276
+  Updated test31.
+  Added test 392 to verify secure cookies used for http://localhost
+  
+  Reviewed-by: Daniel Gustafsson
+  Fixes #6733
+  Closes #7263
 
-- --socks4[a]: clarify where the host name is resolved
+- TODO: erase secrets from heap/stack after use
   
-  Closes #7273
+  Closes #7268
 
-- libcurl-security.3: mention file descriptors and forks
+Jay Satiro (10 Aug 2021)
+- hostip: Make Curl_ipv6works function independent of getaddrinfo
   
-  ... and move the security report section last.
+  - Do not assume IPv6 is not working when getaddrinfo is not present.
   
-  Reported-by: Harry Sintonen
-  Closes #7270
-
-- [Alex Xu (Hello71) brought this change]
-
-  configure.ac: make non-executable
+  The check to see if IPv6 actually works is now independent of whether
+  there is any resolver that can potentially resolve a hostname to IPv6.
   
-  it needs to be processed by autoconf or autoreconf, and doesn't have a
-  suitable shebang to be directly executed. other projects normally set
-  configure.ac -x.
+  Prior to this change if getaddrinfo() was not found at compile time then
+  Curl_ipv6works() would be defined as a macro that returns FALSE.
   
-  Closes #7272
-
-- configure: do not strip out debug flags
+  When getaddrinfo is not found then libcurl is built with CURLRES_IPV4
+  defined instead of CURLRES_IPV6, meaning that it cannot do IPv6 lookups
+  in the traditional way. With this commit if libcurl is built with IPv6
+  support (ENABLE_IPV6) but without getaddrinfo (CURLRES_IPV6), and the
+  IPv6 stack is actually working, then it is possible for libcurl to
+  resolve IPv6 addresses by using DoH.
   
-  To allow users to set them when invoking configure without using
-  --with-debug.
+  Ref: https://github.com/curl/curl/issues/7483#issuecomment-890765378
   
-  Reported-by: Alex Xu
-  Fixes #7216
-  Closes #7267
+  Closes https://github.com/curl/curl/pull/7529
 
-- libssh2: limit time a disconnect can take to 1 second
+- test1565: fix windows build errors
   
-  Closes #7271
-
-- TLS: prevent shutdown loops to get stuck
+  - Use our wait_ms() instead of sleep() since Windows doesn't have the
+    latter.
   
-  ... by making sure the loops are only allowed to read the shutdown
-  traffic a limited number of times.
+  - Use a separate variable to keep track of whether the pthread_t thread
+    id is valid.
   
-  Reported-by: Harry Sintonen
-  Closes #7271
+  On Windows pthread_t is not an integer type. pthread offers no macro for
+  invalid pthread_t thread id, so validity is kept track of separately.
+  
+  Closes https://github.com/curl/curl/pull/7527
 
-- hyper: propagate errors back up from read callbacks
+- [Jeremy Falcon brought this change]
+
+  winbuild/README.md: clarify GEN_PDB option
   
-  Makes test 513 work with hyper
+  - Document that GEN_PDB option creates an external database.
   
-  Closes #7266
+  Ref: https://github.com/curl/curl/issues/7502
 
-- KNOWN_BUGS: Negotiate on Windows fails
-  
-  Closes #5881
+Daniel Stenberg (9 Aug 2021)
+- [Tatsuhiro Tsujikawa brought this change]
 
-- KNOWN_BUGS: renames instead of locking for atomic operations
+  ngtcp2: replace deprecated functions with nghttp3_conn_shutdown_stream_read
   
-  Closes #6882
-  Closes #6884
+  Closes #7546
 
-- zuul: add two missing CI jobs
+- [Tatsuhiro Tsujikawa brought this change]
+
+  ngtcp2: rework the return value handling of ngtcp2_conn_writev_stream
   
-  ... that were configured, just not run
+  Rework the return value handling of ngtcp2_conn_writev_stream and treat
+  NGTCP2_ERR_STREAM_SHUT_WR separately.
   
-  Closes #7261
+  Closes #7546
 
-Viktor Szakats (15 Jun 2021)
-- idn: fix libidn2 with windows unicode builds
-  
-  Unicode Windows builds use UTF-8 strings internally in libcurl,
-  so make sure to call the UTF-8 flavour of the libidn2 API. Also
-  document that Windows builds with libidn2 and UNICODE do expect
-  CURLOPT_URL as an UTF-8 string.
+- configure: error out if both ngtcp2 and quiche are specified
   
-  Reported-by: dEajL3kA on github
-  Assisted-by: Jay Satiro
-  Reviewed-by: Marcel Raad
-  Closes #7246
-  Fixes #7228
+  Reported-by: Vincent Grande
+  See #7539
+  Closes #7545
 
-Daniel Stenberg (15 Jun 2021)
-- curl_url_set: reject spaces in URLs w/o CURLU_ALLOW_SPACE
+- [Jeff Mears brought this change]
+
+  easy: use a custom implementation of wcsdup on Windows
   
-  They were never officially allowed and slipped in only due to sloppy
-  parsing. Spaces (ascii 32) should be correctly encoded (to %20) before
-  being part of a URL.
+  ... so that malloc/free overrides from curl_global_init are used for
+  wcsdup correctly.
   
-  The new flag bit CURLU_ALLOW_SPACE when a full URL is set, makes libcurl
-  allow spaces.
+  Closes #7540
+
+- zuul: add an mbedtls3 CI job
   
-  Updated test 1560 to verify.
+  Closes #7544
+
+- [Benau brought this change]
+
+  mbedTLS: initial 3.0.0 support
   
-  Closes #7073
+  Closes #7428
 
 - RELEASE-NOTES: synced
+
+- configure.ac: revert bad nghttp2 library detection improvements
   
-  ... and bump to version 7.78.0 for the next planned release.
+  This reverts commit b4b34db65f9f8, 673753344c5f and 29c7cf79e8b.
+  
+  The logic is now back to assuming that the nghttp2 lib is called nghttp2 and
+  nothing else.
+  
+  Reported-by: Rui Pinheiro
+  Reported-by: Alex Crichton
+  Fixes #7514
+  Closes #7515
 
-Jay Satiro (15 Jun 2021)
-- docs: Remove outdated curl tool limitation
+- happy-eyeballs-timeout-ms.d: polish the wording
   
-  - Document that HTTP/2 multiplexing is supported by the curl tool when
-    parallel transfers are used.
+  Reported-by: Josh Soref
+  Fixes #7433
+  Closes #7542
+
+- [modbw brought this change]
+
+  mbedtls_threadlock: fix unused variable warning
   
-  Supported since 7.66.0 via --parallel, but the doc wasn't updated.
+  Closes #7393
+
+- [Tatsuhiro Tsujikawa brought this change]
+
+  ngtcp2: compile with the latest ngtcp2 and nghttp3
   
-  Closes https://github.com/curl/curl/pull/7259
+  Closes #7541
 
-- http2: Clarify 'Using HTTP2' verbose message
+Marc Hoersken (31 Jul 2021)
+- CI/cirrus: reduce compile time with increased parallism
   
-  - Change phrasing from multi-use to multiplexing since the former may
-    not be as well understood.
+  Cirrus CI VMs have 2 CPUs, let's use them also for Windows builds.
   
-  Before: * Using HTTP2, server supports multi-use
+  Reviewed-by: Daniel Stenberg
+  Closes #7505
+
+Daniel Stenberg (30 Jul 2021)
+- [Bin Lan brought this change]
+
+  tool/tests: fix potential year 2038 issues
   
-  After: * Using HTTP2, server supports multiplexing
+  The length of 'long' in a 32-bit system is 32 bits, which cannot be used
+  to save timestamps after 2038. Most operating systems have extended
+  time_t to 64 bits.
   
-  Bug: https://github.com/curl/curl/discussions/7255
-  Reported-by: David Hu
+  Remove the castings to long.
   
-  Closes https://github.com/curl/curl/pull/7258
+  Closes #7466
 
-Daniel Stenberg (14 Jun 2021)
-- winbuild/README: VC should be set to 6 'or larger'
+- compressed.d: it's a request, not an order
   
-  Previously it listed all versions up to 15 (missing 16) but this new
-  phrasing is more open ended.
+  Clarified
   
-  Reported-by: Hugh Macdonald
-  Fixes #7253
-  Closes #7254
+  Reported-by: Dan Jacobson
+  Reviewed-by: Daniel Gustafsson
+  Fixes #7516
+  Closes #7517
 
-- [Jacob Hoffman-Andrews brought this change]
+- [Bernhard M. Wiedemann brought this change]
 
-  rustls: remove native_roots fallback
+  tests: make three tests pass until 2037
   
-  For the commandline tool, we expect to be passed
-  SSL_CONN_CONFIG(CAfile); for library use, the use should pass a set of
-  trusted roots (like in other TLS backends).
+  after 2038 something in test1915 fails on 32-bit OSes
   
-  This also removes a dependency on Security.framework when building on
-  macOS.
+  Closes #7512
+
+Daniel Gustafsson (30 Jul 2021)
+- connect: remove superfluous conditional
   
-  Closes #7250
+  Commit dbd16c3e2 cleaned up the logic for traversing the addrinfos,
+  but the move left a conditional on ai which no longer is needed as
+  the while loop reevaluation will cover it.
+  
+  Closes #7511
+  Reviewed-by: Carlo Marcelo Arenas Belón
+  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
 
-- [Albin Vass brought this change]
+Daniel Stenberg (29 Jul 2021)
+- RELEASE-NOTES: synced
+  
+  and bump curlver to 7.79.0 for next release
 
-  travis: remove jobs that have migrated to zuul
+Marc Hoersken (29 Jul 2021)
+- tests/*server.py: remove pidfile on server termination
   
-  Closes #7245
+  Avoid pidfile leaking/laying around after server already exited.
+  
+  Reviewed-by: Daniel Stenberg
+  Closes #7506
 
-- [Mohammed Naser brought this change]
+Daniel Gustafsson (27 Jul 2021)
+- tool_main: fix typo in comment
+  
+  The referred to library is NSPR, so fix the switched around characters.
 
-  CI: add jobs using Zuul
+Daniel Stenberg (28 Jul 2021)
+- [Aleksandr Krotov brought this change]
+
+  bearssl: support CURLOPT_CAINFO_BLOB
   
-  It also includes a few changes to get the builds going:
-  - Added autoconf to common dependencies
-  - Added automake to common dependencies
-  - Added libtool to common dependencies
-  - Added libssl-dev to common dependencies
+  Closes #7468
+
+- curl.1: mention "global" flags
   
-  Co-authored-by: Albin Vass
+  Mention options that are "global". A global command line option is one
+  that doesn't get reset at --next uses and therefore don't need to be
+  used again.
   
-  Closes #7245
+  Reported-by: Josh Soref
+  
+  Fixes #7457
+  Closes #7510
 
-- netrc: skip 'macdef' definitions
+- CURLOPT_DOH_URL.3: CURLOPT_OPENSOCKETFUNCTION is not inherited
   
-  Add test 494 to verify
+  Reported-by: Daniel Woelfel
+  Fixes #7441
+  Closes #7509
+
+- KNOWN_BUGS: add more HTTP/3 problems
   
-  Reported-by: Harry Sintonen
-  Fixes #7238
-  Closes #7244
+  Closes #7351
+  Closes #7339
+  Closes #7125
 
-- multi: add scan-build-6 work-around in curl_multi_fdset
+Marc Hoersken (27 Jul 2021)
+- CI/azure: reduce compile time with increased parallism
   
-  scan-build-6 otherwise warns, saying: warning: The left operand of '>='
-  is a garbage value otherwise, which is false.
+  Azure Pipelines CI VMs have 2 CPUs, let's use them.
   
-  Later scan-builds don't claim this on the same code.
+  Closes #7489
+
+Jay Satiro (27 Jul 2021)
+- [Josh Soref brought this change]
+
+  docs: fix grammar
   
-  Closes #7248
+  Fixes https://github.com/curl/curl/issues/7444
+  Fixes https://github.com/curl/curl/issues/7451
+  Fixes https://github.com/curl/curl/issues/7465
+  Closes https://github.com/curl/curl/pull/7495
 
-- asyn-ares: remove check for 'data' in Curl_resolver_cancel
+- mail-rcpt.d: fix grammar
   
-  It implied it would survive a NULL in there which it won't. Instead do
-  an assert.
+  Remove confusing sentence that says to specify an e-mail address for
+  mail transfer, since that's implied.
   
-  Pointed out by scan-build.
+  Reported-by: Josh Soref
   
-  Closes #7248
+  Fixes https://github.com/curl/curl/issues/7452
+  Closes https://github.com/curl/curl/pull/7495
 
-- url.c: remove two variable assigns that are never read
+Daniel Stenberg (27 Jul 2021)
+- c-hyper: remove the hyper_executor_poll() loop from Curl_http
   
-  Pointed out by scan-build
+  1. it's superfluous
+  2. it didn't work identically to the Curl_hyper_stream one which could
+     cause problems like #7486
   
-  Closes #7248
-
-- [Gealber Morales brought this change]
+  Pointed-out-by: David Cook
+  Closes #7499
 
-  mqtt: add support for username and password
+- curl-openssl.m4: check lib64 for the pkg-config file
   
-  Minor-edits-by: Daniel Stenberg
-  Added test 2200 to 2205
+  OpenSSL recently started putting the libs in $prefix/lib64 on 'make
+  install', so we check that directory for pkg-config data if the 'lib'
+  check fails.
   
-  Closes #7243
+  Closes #7503
 
-- travis: remove the arm job
+- CURLOPT_SSL_CTX_*.3: tidy up the example
   
-  We do it on circle CI instead
+  Use the proper code style. Don't store return codes that aren't read.
+  Copy the same example into CURLOPT_SSL_CTX_FUNCTION.3 as well.
+  
+  Closes #7500
 
-- CI: add .circleci/config.yml
+- example/cookie_interface: fix scan-build printf warning
   
-  Assisted-by: Gabriel Simmer
+  Follow-up to 4b79c4fb565
   
-  Closes #7239
+  Fixes #7497
+  Closes #7498
 
-- RELEASE-NOTES: synced
+- [Josh Soref brought this change]
 
-- runtests: init $VERSION to avoid warnings when using -l
+  limit-rate.d: clarify base unit
+  
+  Fixes #7439
+  Closes #7494
 
-- openssl: don't remove session id entry in disassociate
+- [Carlo Marcelo Arenas Belón brought this change]
+
+  examples/cookie_interface: avoid printfing time_t directly
   
-  When a connection is disassociated from a transfer, the Session ID entry
-  should remain.
+  time_t representation is undefined and varies on bitsize and signedness,
+  and as of C11 could be even non integer.
   
-  Regression since 7f4a9a9 (shipped in libcurl 7.77.0)
-  Reported-by: Gergely Nagy
-  Reported-by: Paul Groke
+  instead of casting to unsigned long (which would truncate in systems
+  with a 32bit long after 2106) use difftime to get the elapsed time as a
+  double and print that (without decimals) instead.
   
-  Fixes #7222
-  Closes #7230
+  alternatively a cast to curl_off_t and its corresponding print
+  formatting could have been used (at least in POSIX) but portability and
+  curl agnostic code was prioritized.
+  
+  Closes #7490
 
-- single_transfer: ignore blank --output-dir
+Marc Hoersken (25 Jul 2021)
+- tests/servers: remove obsolete pid variable
   
-  ... as otherwise it creates a rather unexpected target directory with a
-  leading slash.
+  Variable is not used since pidfile handling moved to util.[ch]
   
-  Reported-by: Harry Sintonen
-  Fixes #7218
-  Closes #7233
+  Reviewed-by: Jay Satiro
+  Closes #7482
 
-- tests: update README about servers and port numbers
+- tests/servers: use our platform-aware pid for server verification
   
-  Closes #7242
-
-- conn_shutdown: if closed during CONNECT cleanup properly
+  The pid used for server verification is later stored as pid2 in
+  the hash of running test servers and therefore used for shutdown.
   
-  Reported-by: Alex Xu
-  Reported-by: Phil E. Taylor
+  The pid used for shutdown must be the platform-aware (Win32) pid
+  to avoid leaking test servers while running them using Cygwin/msys.
   
-  Fixes #7236
-  Closes #7237
+  Reviewed-by: Jay Satiro
+  Closes #7481
 
-- [Christian Weisgerber brought this change]
+- tests/runtests.pl: cleanup copy&paste mistakes and unused code
+  
+  Reviewed-by: Jay Satiro
+  Part of #7481
 
-  sws: malloc request struct instead of using stack
+Daniel Stenberg (25 Jul 2021)
+- RELEASE-NOTES: synced
   
-  ... 2MB requests is otherwise just too big for some systems.
+  bumped to 7.78.1 for next release
+
+- http_proxy: clear 'sending' when the outgoing request is sent
   
-  (The allocations are not freed properly.)
+  ... so that Curl_connect_getsock() will know how to wait for the socket
+  to become readable and not writable after the entire CONNECT request has
+  been issued.
   
-  Bug: https://curl.se/mail/lib-2021-06/0018.html
+  Regression added in 7.77.0
   
-  Closes #7235
+  Reported-by: zloi-user on github
+  Assisted-by: Jay Satiro
+  Fixes #7155
+  Closes #7484
 
-- [Mark Swaanenburg brought this change]
+Jay Satiro (25 Jul 2021)
+- [Josh Soref brought this change]
 
-  lib: don't compare fd to FD_SETSIZE when using poll
-  
-  FD_SETSIZE is irrelevant when using poll. So ensuring that the file
-  descriptor is smaller than FD_SETSIZE in VALID_SOCK, can cause
-  multi_wait to ignore perfectly valid file descriptors and simply wait
-  for 1s to avoid hammering the CPU in a busy loop.
+  openssl: fix grammar
   
-  Fixes #7240
-  Closes #7241
+  Closes https://github.com/curl/curl/pull/7480
 
-- [zhangxiuhua brought this change]
-
-  doh: fix wrong DEBUGASSERT for doh private_data
+- configure.ac: tweak nghttp2 library name fix again
   
-  Closes #7227
-
-- [yb999 brought this change]
+  - Change extraction to handle multiple library names returned by
+    pkg-config (eg a possible scenario with pkg-config --static).
+  
+  Ref: https://github.com/curl/curl/pull/7472
+  
+  Closes https://github.com/curl/curl/pull/7485
 
-  tests: update README.md with a missing single quote
+Dan Fandrich (23 Jul 2021)
+- Get rid of the unused HAVE_SIG_ATOMIC_T et. al.
   
-  Closes #7231
+  It was added in 2006 but I see no evidence it was ever used.
 
-- GHA: run all tests for hyper too
+Jay Satiro (23 Jul 2021)
+- docs: change max-filesize caveat again
   
-  As it lists disabled ones in DISABLED now
+  - Add protocols field to max-filesize.d.
   
-  Closes #7209
-
-- tests/data/DISABLED: add tests not working with hyper
+  - Revert wording on unknown file size caveat and do not discuss specific
+    protocols in that section.
   
-  The goal is to remove them all from here over time.
+  Partial revert of ecf0225. All max-filesize options now have the list of
+  protocols and it's clearer just to have that list without discussing
+  specific protocols in the caveat.
   
-  Closes #7209
-
-- runtests: also find the last test in Makefile.inc
+  Reported-by: Josh Soref
   
-  Closes #7209
+  Ref: https://github.com/curl/curl/issues/7453#issuecomment-884128762
 
-- test3010: work with hyper mode
-  
-  Closes #7209
+Daniel Stenberg (22 Jul 2021)
+- [Christian Weisgerber brought this change]
 
-- configure: disable RTSP when hyper is selected
+  configure: tweak nghttp2 library name fix
   
-  Makes test 1013 work
+  commit 29c7cf79e8b44cf (shipped in 7.78.0) introduced a problem by
+  assuming that LIB_H2 does not have any leading whitespace.  At least
+  OpenBSD's native pkg-config can produce such whitespace, though:
   
-  Closes #7209
-
-- test1594/1595/1596: fix to work in hyper mode
+      $ pkg-config --libs-only-l libnghttp2
+       -lnghttp2
   
-  Closes #7209
-
-- test1438/1457: add HTTP keyword to make hyper mode work
+  As a result, the configure check for libnghttp2 will erroneously fail.
   
-  Closes #7209
+  Bug: https://curl.se/mail/lib-2021-07/0050.html
+  Closes #7472
 
-- test1340/1341: adjusted for hyper mode
-  
-  Closes #7209
+- [Bastian Krause brought this change]
 
-- test1218: adjusted for hyper mode
+  docs/MQTT: update state of username/password support
   
-  Closes #7209
-
-- test1216: adjusted for hyper mode
+  PR #7243 implemented username/password support for MQTT, so let's drop
+  these items from the caveats.
   
-  Closes #7209
-
-- test1230: adjust to work in hyper mode
+  Signed-off-by: Bastian Krause <bst@pengutronix.de>
   
-  Closes #7209
+  Closes #7474
 
-- c-hyper: abort CONNECT response reading early on non 2xx responses
-  
-  Fixes test 493
-  
-  Closes #7209
+- [Oleg Pudeyev brought this change]
 
-- test434: add HTTP keyword
+  CURLMOPT_TIMERFUNCTION.3: remove misplaced "time"
   
-  Closes #7209
+  Closes #7470
 
-- test599: adjusted to work in hyper mode
+Version 7.78.0 (21 Jul 2021)
+
+Daniel Stenberg (21 Jul 2021)
+- RELEASE-NOTES: synced
   
-  Closes #7209
+  curl 7.78.0 release
 
-- c-hyper: fix the uploaded field in progress callbacks
+- winbuild/MakefileBuild.vc: bump copyright year
+
+Jay Satiro (21 Jul 2021)
+- docs: mention max-filesize options also apply to MQTT transfers
   
-  Makes test 578 work
+  Also make it clearer that the caveat 'if the file size is unknown it
+  the option will have no effect' may apply to protocols other than FTP
+  and HTTP.
   
-  Closes #7209
-
-- test566: adjust to work with hyper mode
+  Reported-by: Josh Soref
   
-  Closes #7209
+  Fixes https://github.com/curl/curl/issues/7453
 
-- [Fawad Mirza brought this change]
+- [Josh Soref brought this change]
 
-  CURLOPT_WRITEFUNCTION.3: minor update of the example
+  docs/cmdline: fix grammar and typos
+
+- [Josh Soref brought this change]
+
+  dump-header.d: Drop suggestion to use for cookie storage
   
-  Safely avoid chunk.size garbage value if declared non globally.
+  Since --cookie-jar is the preferred way to store cookies, no longer
+  suggest using --dump-header to do so.
   
-  Closes #7219
+  Co-authored-by: Daniel Stenberg
+  
+  Closes https://github.com/curl/curl/issues/7414
 
-- [Bastian Krause brought this change]
+- [Josh Soref brought this change]
 
-  configure: rename get-easy-option configure option to get-easy-options
+  doc/cmdline: fix grammar and typos
   
-  "get-easy-options" is the configure option advertised by the help text
-  anyway, so use that.
+  Closes https://github.com/curl/curl/pull/7454
+  Closes https://github.com/curl/curl/pull/7455
+  Closes https://github.com/curl/curl/pull/7456
+  Closes https://github.com/curl/curl/pull/7459
+  Closes https://github.com/curl/curl/pull/7460
+  Closes https://github.com/curl/curl/pull/7461
+  Closes https://github.com/curl/curl/pull/7462
+  Closes https://github.com/curl/curl/pull/7463
+
+Daniel Stenberg (20 Jul 2021)
+- vtls: fix connection reuse checks for issuer cert and case sensitivity
   
-  Fixes #7211
-  Closes #7213
+  CVE-2021-22924
   
-  Follow-up to ad691b191 ("configure: added --disable-get-easy-options")
-  Suggested-by: Daniel Stenberg <daniel@haxx.se>
-  Signed-off-by: Bastian Krause <bst@pengutronix.de>
+  Reported-by: Harry Sintonen
+  Bug: https://curl.se/docs/CVE-2021-22924.html
 
-- runtests: skip disabled tests unless -f is used
+- sectransp: check for client certs by name first, then file
   
-  To make it easier to write ranges like '115 to 229' without that
-  explicitly enabling tests that are listed in DISABLED, this makes
-  runtests always skip disabled tests unless the -f command line option is
-  used.
+  CVE-2021-22926
   
-  Previously the code attempted to not run such tests, but didn't do it
-  correctly.
+  Bug: https://curl.se/docs/CVE-2021-22926.html
   
-  Closes #7212
-
-- [Jun-ya Kato brought this change]
+  Assisted-by: Daniel Gustafsson
+  Reported-by: Harry Sintonen
 
-  ngtcp2: disable TLSv1.3 compatible mode when using GnuTLS
+- telnet: fix option parser to not send uninitialized contents
   
-  The latest GnuTLS-3.7.2 implements disable switch for TLSv1.3 compatible
-  mode for middle box but it is enabled by default, which is unnecessary
-  for QUIC.
+  CVS-2021-22925
   
-  Fixes #6896
-  Closes #7202
+  Reported-by: Red Hat Product Security
+  Bug: https://curl.se/docs/CVE-2021-22925.html
 
-- test644: remove as duplicate of test 587
+Jay Satiro (20 Jul 2021)
+- connect: fix wrong format specifier in connect error string
   
-  Closes #7208
-
-Daniel Gustafsson (8 Jun 2021)
-- RELEASE-NOTES: synced
-
-- cookies: track expiration in jar to optimize removals
+  0842175 (not in any release) used the wrong format specifier (long int)
+  for timediff_t. On an OS such as Windows libcurl's timediff_t (usually
+  64-bit) is bigger than long int (32-bit). In 32-bit Windows builds the
+  upper 32-bits of the timediff_t were erroneously then used by the next
+  format specifier. Usually since the timeout isn't larger than 32-bits
+  this would result in null as a pointer to the string with the reason for
+  the connection failing. On other OSes or maybe other compilers it could
+  probably result in garbage values (ie crash on deref).
   
-  Removing expired cookies needs to be a fast operation since we want to
-  be able to perform it often and speculatively. By tracking the timestamp
-  of the next known expiration we can exit early in case the timestamp is
-  in the future.
+  Before:
+  Failed to connect to localhost port 12345 after 1201 ms: (nil)
   
-  Closes: #7172
-  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
-
-Daniel Stenberg (7 Jun 2021)
-- GHA: add several libcurl tests to the hyper job
+  After:
+  Failed to connect to localhost port 12345 after 1203 ms: Connection refused
   
-  500 to 512
-
-- test500: adjust to work with hyper mode
+  Closes https://github.com/curl/curl/pull/7449
 
-- c-hyper: support CURLINFO_STARTTRANSFER_TIME
+- winbuild: support alternate nghttp2 static lib name
   
-  Closes #7204
-
-- c-hyper: support CURLOPT_HEADER
+  - Support both nghttp2.lib and nghttp2_static.lib for static nghttp2.
   
-  When enabled, the headers are passed to the body write callback as well.
+  nghttp2 briefly changed its static lib name to nghttp2_static, but then
+  made the _static suffix optional.
   
-  Like in test 500
+  Ref: https://github.com/nghttp2/nghttp2/pull/1394
+  Ref: https://github.com/nghttp2/nghttp2/pull/1418
+  Ref: https://github.com/nghttp2/nghttp2/issues/1466
   
-  Closes #7204
-
-- GHA: run the newly fixed tests with hyper
+  Reported-by: Pierre Yager
   
-  Closes #7205
+  Fixes https://github.com/curl/curl/issues/7446
+  Closes https://github.com/curl/curl/pull/7447
 
-- test433: adjust for hyper mode
-  
-  Closes #7205
+- [Josh Soref brought this change]
 
-- test395: hyper cannot work around > 64 bit content-lengths like built-in
+  docs/cmdline: fix grammar and typos
   
-  Closes #7205
+  Closes https://github.com/curl/curl/pull/7432
+  Closes https://github.com/curl/curl/pull/7436
+  Closes https://github.com/curl/curl/pull/7438
+  Closes https://github.com/curl/curl/pull/7440
+  Closes https://github.com/curl/curl/pull/7445
 
-- test394: hyper returns a different error
-  
-  Closes #7205
+- [Josh Soref brought this change]
 
-- test393: make Content-Length fit within 64 bit for hyper
+  delegation.d: mention what happens when used multiple times
   
-  Closes #7205
+  Closes https://github.com/curl/curl/pull/7408
 
-- test347: CRLFify to work in hyper mode
-  
-  Closes #7205
+- [Josh Soref brought this change]
 
-- test339: CRLFify better to work in hyper mode
+  create-file-mode.d: mention what happens when used multiple times
   
-  Closes #7205
+  Closes https://github.com/curl/curl/pull/7407
 
-- travis: remove the hyper build
+- [Josh Soref brought this change]
 
-- GHA: add a linux-hyper job
+  config.d: split comments and option-per line
   
-  Closes #7206
+  Closes https://github.com/curl/curl/pull/7405
 
-- test328: avoid a header-looking body to make hyper mode work
-  
-  The test still works the same, just modified two bytes in the content.
-  
-  Closes #7203
+Daniel Stenberg (19 Jul 2021)
+- misc: copyright year range updates
 
-- release-notes.pl: also spot common 'closes' typo
+- mailmap: add Tobias and Timur
 
-- metalink: remove
+Daniel Gustafsson (18 Jul 2021)
+- [Josh Soref brought this change]
+
+  docs: spell out directories instead of dirs in create-dirs
   
-  Warning: this will make existing curl command lines that use metalink to
-  stop working.
+  Write out directories rather than using the dirs abbrevation. Also
+  use plural form consistently, even if the code in the end might just
+  create a single directory.
   
-  Reasons for removal:
+  Closes #7406
+  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+  Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
+
+- [Tobias Nyholm brought this change]
+
+  docs: correct spelling errors and a broken link
   
-  1. We've found several security problems and issues involving the
-     metalink support in curl. The issues are not detailed here. When
-     working on those, it become apparent to the team that several of the
-     problems are due to the system design, metalink library API and what
-     the metalink RFC says. They are very hard to fix on the curl side
-     only.
+  Update grammar and spelling in docs and source code comments.
   
-  2. The metalink usage with curl was only very briefly documented and was
-     not following the "normal" curl usage pattern in several ways, making
-     it surprising and non-intuitive which could lead to further security
-     issues.
+  Closes: #7427
+  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+Marc Hoersken (18 Jul 2021)
+- CI/cirrus: install impacket from PyPI instead of FreeBSD packages
   
-  3. The metalink library was last updated 6 years ago and wasn't so
-     active the years before that either. An unmaintained library means
-     there's a security problem waiting to happen. This is probably reason
-     enough.
+  Availability of impacket as FreeBSD package is too flaky.
   
-  4. Metalink requires an XML parsing library, which is complex code (even
-     the smaller alternatives) and to this day often gets security
-     updates.
+  Stick to legacy version of cryptography which still
+  supports OpenSSL version 1.0.2 due to FreeBSD 11.
   
-  5. Metalink is not a widely used curl feature. In the 2020 curl user
-     survey, only 1.4% of the responders said that they'd are using it. In
-     2021 that number was 1.2%. Searching the web also show very few
-     traces of it being used, even with other tools.
+  Reviewed-by: Daniel Stenberg
   
-  6. The torrent format and associated technology clearly won for
-     downloading large files from multiple sources in parallel.
+  Closes #7418
+
+Daniel Stenberg (18 Jul 2021)
+- [Josh Soref brought this change]
+
+  docs/cmdline: mention what happens when used multiple times
   
-  Cloes #7176
+  For --dns-ipv4-addr, --dns-ipv6-addr and --dns-servers
+  
+  Closes #7410
+  Closes #7411
+  Closes #7412
 
-- docs/INSTALL: remove mentions of configure --with-darwin-ssl
+- [Michał Antoniak brought this change]
+
+  lib: fix compiler warnings with CURL_DISABLE_NETRC
   
-  ... as it isn't supported since a while back.
+  warning C4189: 'netrc_user_changed': local variable is initialized but
+  not referenced
   
-  Make configure fail with a warning if used.
+  warning C4189: 'netrc_passwd_changed': local variable is initialized but
+  not referenced
   
-  Reported-by: Vadim Grinshpun
-  Bug: https://curl.se/mail/lib-2021-06/0008.html
-  Closes #7200
+  Closes #7423
 
-- RELEASE-NOTES: synced
+- disable-epsv.d: remove duplicate "(FTP)"
+  
+  ... since the tooling adds that to the output based on the "Protocols:"
+  tag.
 
-- [Gregor Jasny brought this change]
+- [Max Zettlmeißl brought this change]
 
-  cmake: Avoid leaking absolute paths into exported config
-  
-  The `find_libarary` command resolves the library or framework
-  into an absolute path. In case of system frameworks which are
-  located within an Xcode-provided SDK this results in the Xcode
-  path and SDK version being part of the library path.
+  docs: make the documentation for --etag-save match the program behaviour
   
-  Because those library paths end up in the exported CMake config
-  importing curl will fail once the Xcode location or SDK version
-  changes:
+  When using curl with the option `--etag-save` I expected it to save the
+  ETag without its surrounding quotes, as stated by the documentation in
+  the repository and by the generated man pages.
   
-  ```cmake
-  set_target_properties(CURL::libcurl PROPERTIES
-    INTERFACE_INCLUDE_DIRECTORIES "${_IMPORT_PREFIX}/include"
-    INTERFACE_LINK_LIBRARIES "lber;ldap;/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.3.sdk/System/Library/Frameworks/SystemConfiguration.framework;OpenSSL::SSL;OpenSSL::Crypto;ZLIB::ZLIB"
-  )
-  ```
+  My first endeavour was to fix the program, but while investigating the
+  history of the relevant parts, I discovered that curl once saved the
+  ETag without the quotes.  This was undone by Daniel Stenberg in commit
+  `98c94596f5928840177b6bd3c7b0f0dd03a431af`, therefore I decided that in
+  this case the documentation should be adjusted to match the behaviour of
+  curl.
   
-  A work-around is to link against system-level frameworks with
-  `-framework XYZ`. In case of `SystemConfiguration` we might be able
-  to omit the lookup-check because we could assume the framework is
-  always present.
+  The changed save behaviour also made parts of the `--etag-compare`
+  documentation wrong or superfluous, so I adjusted those accordingly.
   
-  Closes #7152
+  Closes #7429
 
-- [Shikha Sharma brought this change]
+- [Josh Soref brought this change]
 
-  http2_connisdead: handle trailing GOAWAY better
-  
-  When checking the connection the input processing returns error
-  immediately, we now consider that a dead connnection.
+  write-out.d: add missing periods
   
-  Bug: https://curl.se/mail/lib-2021-06/0001.html
-  Closes #7192
+  Closes #7404
 
-- [Dmitry Karpov brought this change]
+- [Josie Huddleston brought this change]
 
-  ares: always store IPv6 addresses first
+  easy: during upkeep, attach Curl_easy to connections in the cache
   
-  Trying dual-stack on some embedded platform, I noticed that quite
-  frequently (20%) libCurl starts from IPv4 regardless the Happy Eyeballs
-  timeout value.  After debugging this issue, I noticed that this happens
-  if c-ares resolver response for IPv6 family comes before IPv4 (which was
-  randomly happening in my tests).
+  During the protocol-specific parts of connection upkeep, some code
+  assumes that the data->conn pointer already is set correctly.  However,
+  there's currently no guarantee of that in the code.
   
-  In such cases, because libCurl puts the last resolver response on top of
-  the address list, when IPv4 resolver response comes after IPv6 one - the
-  IPv4 family starts the connection phase instead of IPv6 family.
+  This fix temporarily attaches each connection to the Curl_easy object
+  before performing the protocol-specific connection check on it, in a
+  similar manner to the connection checking in extract_if_dead().
   
-  The solution for this issue is to always put IPv6 addresses on top of
-  the address list, regardless the order of resolver responses.
+  Fixes #7386
+  Closes #7387
+  Reported-by: Josie Huddleston
+
+- [Josh Soref brought this change]
+
+  cleanup: spell DoH with a lowercase o
   
-  Bug: https://curl.se/mail/lib-2021-06/0003.html
+  Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
   
-  Closes #7188
+  Closes #7413
 
-- Revert "Revert "socketpair: fix potential hangs""
+- [Josh Soref brought this change]
+
+  TheArtOfHttpScripting: polish
   
-  This reverts commit 3e70c3430a370a31eff2c1d8fea29edaca8f1127.
+  - add missing backticks and comma
   
-  Thus brings back the change from #7144 as was originally landed in
-  c769d1eab4de8b
+  - fix proxy description:
   
-  Closes #7144 (again)
+  * example proxy isn't local
+  * locally doesn't really make sense
+  
+  Closes #7416
 
-- [Ebe Janchivdorj brought this change]
+- [Josh Soref brought this change]
 
-  schannel: move code out of SChannel_connect_step1
+  form.d: add examples of `,`/`;` for file[name]
   
-  Reviewed-by: Marc Hoersken
-  Closes #7168
+  Fixes #7415
+  Closes #7417
 
-- tests/data/Makefile.inc: error: trailing backslash on last line
+- [Michał Antoniak brought this change]
+
+  mbedtls: Remove unnecessary include
   
-  Follow-up to d8dcb399b8009d
+  - curl_setup.h: all references to mbedtls_md4* functions and structures
+    are in the md4.c. This file already includes the <mbedtls/md4.h> file
+    along with the file existence control (defined (MBEDTLS_MD4_C))
+  
+  - curl_ntlm_core.c: unnecessary include - repeated below
+  
+  Closes #7419
 
-- TODO: Support rate-limiting for MQTT
+- RELEASE-NOTES: synced
 
-- [Dmitry Kostjuchenko brought this change]
+Jay Satiro (16 Jul 2021)
+- [User Sg brought this change]
 
-  warnless: simplify type size handling
+  multi: fix crash in curl_multi_wait / curl_multi_poll
   
-  By using sizeof(T), existing defines and relying on the compiler to
-  define the required signed/unsigned mask.
+  Appears to have been caused by 51c0ebc (precedes 7.77.0) which added a
+  VALID_SOCK check to one of the loops through the sockets but not the
+  other.
   
-  Closes #7181
-
-Gisle Vanem (4 Jun 2021)
-- [Win32] Fix for USE_WATT32
+  Reported-by: sylgal@users.noreply.github.com
+  Authored-by: sylgal@users.noreply.github.com
   
-  My Watt-32 tcp/ip stack works on Windows but it does not have `WSAIoctl()`
+  Fixes https://github.com/curl/curl/issues/7379
+  Closes https://github.com/curl/curl/pull/7389
 
-Daniel Stenberg (4 Jun 2021)
-- [Alexis Vachette brought this change]
+- [Daniel Gustafsson brought this change]
 
-  url: bad CURLOPT_CONNECT_TO syntax now returns error
+  tool_help: remove unused define
   
-  Added test 3020 to verify
+  The PRINT_LINES_PAUSE macro is no longer used, and has been mostly
+  cleaned out but one occurrence remained.
   
-  Closes #7183
+  Closes https://github.com/curl/curl/pull/7380
 
-- github: remove the cmake macOS gcc-8 jobs
+- [Sergey Markelov brought this change]
+
+  build: fix compiler warnings when CURL_DISABLE_VERBOSE_STRINGS
   
-  They're too similar to the gcc-9 ones to be useful (and seems to not
-  work anymore).
+  fix compiler warnings about unused variables and parameters when
+  built with --disable-verbose.
   
-  Closes #7187
+  Closes https://github.com/curl/curl/pull/7377
 
-- test269: disable for hyper
+- [Andrea Pappacoda brought this change]
+
+  build: fix IoctlSocket FIONBIO check
   
-  --ignore-content-length / CURLOPT_IGNORE_CONTENT_LENGTH doesn't work
-  with hyper.
+  Prior to this change HAVE_IOCTLSOCKET_CAMEL_FIONBIO mistakenly checked
+  for (lowercase) ioctlsocket when it should have checked for IoctlSocket.
   
-  Closes #7184
+  Closes https://github.com/curl/curl/pull/7375
 
-- runtests: enable 'hyper mode' only for HTTP tests
-  
-  The 'hyper mode' makes line-ending checks work in the test suite for
-  when hyper is used. Now it also requires that HTTP or HTTPS are
-  mentioned as keywords to be enabled so that it doesn't wrongly adjusts
-  tests for other protocols.
+- [Timur Artikov brought this change]
+
+  configure: fix nghttp2 library name for static builds
   
-  This makes test 271 (TFTP) work again in hyper enabled builds.
+  Don't hardcode the nghttp2 library name,
+  because it can vary, be "nghttp2_static" for example.
   
-  Closes #7185
+  Fixes https://github.com/curl/curl/issues/7367
+  Closes https://github.com/curl/curl/pull/7368
 
-- [Alexis Vachette brought this change]
+Gisle Vanem (16 Jul 2021)
+- [PellesC] fix _lseeki64() macro
 
-  hostip: bad CURLOPT_RESOLVE syntax now returns error
+- [SChannel] Use '_tcsncmp()' instead
   
-  Added test 3019
-  Fixes #7170
-  Closes #7174
-
-Daniel Gustafsson (3 Jun 2021)
-- cookies: fix typo and expand comment
+  Revert previous change for PellesC.
   
-  Fix a typo in the sorting comment, and while in there elaborate slightly
-  on why creationtime can be used as a tiebreaker.
+  Instead replace all use of `_tcsnccmp()` with `_tcsncmp()`.
 
-- cookies: remove unused header
-  
-  Commit 1c1d9f1affbd3367bcb24062e261d0ea5d185e3a removed the last use
-  for the inet_pton.h headerfile, this removes the inclusion of the
-  header.
+- [PellesC] missing '_tcsnccmp'
   
-  Closes: #7182
-  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+  PellesC compiler does not have this macro in it's `<tchar.h>`
 
-Daniel Stenberg (3 Jun 2021)
-- Revert "socketpair: fix potential hangs"
+Daniel Gustafsson (14 Jul 2021)
+- TODO: add mention of mbedTLS 3 incompatibilities
   
-  This reverts commit c769d1eab4de8b9f1bd84d992c63692fdc43c5be.
+  Wyatt OʼDay reported in #7385 that mbedTLS isn't backwards compatible
+  and curl no longer builds with it. Document the need to fix our support
+  until so has been done.
   
-  See #7144 for details
-
-- [Paul Groke brought this change]
+  Closes #7390
+  Fixes #7385
+  Reported-by: Wyatt OʼDay
+  Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
 
-  socketpair: fix potential hangs
-  
-  Fixes potential hang in accept by using select + non-blocking accept.
-  
-  Fixes potential hang in peer check by replacing the send/recv check with
-  a getsockname/getpeername check.
+- docs: fix inconsistencies in EGDSOCKET documentation
   
-  Adds length check for returned sockaddr data.
+  Only the OpenSSL backend actually use the EGDSOCKET, and also use
+  TLS consistently rather than mixing SSL and TLS. While there, also
+  fix a minor spelling nit.
   
-  Closes #7144
+  Closes: #7391
+  Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
 
-- runtests: parse data/Makefile.inc instead of using make
-  
-  The warning about missing entries in that file then doesn't require that
-  the Makefile has been regenerated which was confusing.
+- [Борис Верховский brought this change]
+
+  docs: document missing arguments to commands
   
-  The scan for the test num is a little more error prone than before
-  (since now it doesn't actually verify that it is legitimate Makefile
-  syntax), but I think it is good enough.
+  This is a followup to commit f410b9e538129e77607fef1 fixing a few
+  more commands which takes arguments.
   
-  Closes #7177
-
-- [Harry Sintonen brought this change]
+  Closes #7382
+  Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
 
-  filecheck: quietly remove test-place/*~
-  
-  Closes #7179
+- [Randolf J brought this change]
 
-- CURLE_SETOPT_OPTION_SYNTAX: new error name for wrong setopt syntax
+  docs: fix incorrect argument name reference
   
-  For options that pass in lists or strings that are subsequently parsed
-  and must be correct. This broadens the scope for the option previously
-  known as CURLE_TELNET_OPTION_SYNTAX but the old name is of course still
-  provided as a #define for existing applications.
+  The documentation for the read callback was erroneously referencing
+  the nitems argument by nmemb.  The error was introduced in commit
+  ce0881edee3c7.
   
-  Closes #7175
+  Closes #7383
+  Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
 
-- tests: fix Accept-Encoding strips to work with Hyper builds
-  
-  The previous strip also removed the CR which turned problematic.
-  
-  valgrind.supp: add zstd suppression using hyper
-  
-  Reported-and-analyzed-by: Kevin Burke
-  Fixes #7169
-  Closes #7171
+- [Борис Верховский brought this change]
 
-- github: timeout jobs on macOS after 90 minutes
+  tool_help: Document that --tlspassword takes a password
   
-  Assisted-by: Marc Hoersken
-  Closes #7173
-
-- [Harry Sintonen brought this change]
+  Closes #7378
+  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
 
-  mqtt: detect illegal and too large file size
+- scripts: Fix typo in release-notes instructions
   
-  Add test 3017 and 3018 to verify.
-  Closes #7166
+  The command to run had a typo in the pathname which prevented copy
+  pasting it to work, which has annoyed me enough to fix this now.
 
-- [theawless brought this change]
+- RELEASE-NOTES: synced
 
-  cmake: add CURL_DISABLE_NTLM option
+Jay Satiro (10 Jul 2021)
+- write-out.d: Clarify urlnum is not unique for de-globbed URLs
   
-  Closes #7028
+  Reported-by: Коваленко Анатолий Викторович
+  
+  Fixes https://github.com/curl/curl/issues/7342
+  Closes https://github.com/curl/curl/pull/7369
 
-- [theawless brought this change]
+Daniel Gustafsson (3 Jul 2021)
+- [William Desportes brought this change]
 
-  configure: add --disable-ntlm option
+  docs: Fix typos
   
-  Closes #7028
+  Closes: #7370
+  Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
 
-- [theawless brought this change]
+Daniel Stenberg (8 Jul 2021)
+- [Jonathan Wernberg brought this change]
 
-  define: re-add CURL_DISABLE_NTLM and corresponding ifdefs
+  Revert "ftp: Expression 'ftpc->wait_data_conn' is always false"
   
-  This flag will be further exposed by adding build options.
+  The reverted commit introduced a logic error in code that was
+  correct.
   
-  Reverts #6809
-  Closes #7028
-
-- RELEASE-NOTES: synced
-
-Viktor Szakats (1 Jun 2021)
-- travis: delete --enable-hsts option (it is the default now) [ci skip]
+  The client using libcurl would notice the error since FTP file
+  uploads in active transfer mode would somtimes complete with
+  success despite no transfer having been performed and the
+  "uploaded" file thus not being on the remote server afterwards.
   
-  Reviewed-by: Daniel Stenberg
-  Closes #7167
-
-Daniel Stenberg (1 Jun 2021)
-- hostip: fix 3 coverity complaints
+  The FTP server would notice the error because it receives a
+  RST on the data connection it has established with the client
+  before any data was transferred at all.
   
-  Follow-up to 1a0ebf6632f889eed
+  The logic error happens if the STOR response from the server have
+  arrived by the time ftp_multi_statemach() in the affected code path
+  is called, but the incoming data connection have not arrived yet.
+  In that case, the processing of the STOR response will cause
+  'ftpc->wait_data_conn' to be set to TRUE, contradicting the comment
+  in the code. Since 'complete' will also be set, later logic would
+  believe the transfer was done.
   
-  - Check the return code to Curl_inet_pton() in two instances, even
-    though we know the input is valid so the functions won't fail.
+  In most cases, the STOR response will not have arrived yet when
+  the affected code path is executed, or the incoming connection will
+  also have arrived, and thus the error would not express itself.
+  But if the speed difference of the device using libcurl and the
+  FTP server is exactly right, the error may happen as often as in
+  one out of hundred file transfers.
   
-  - Clear the 'struct sockaddr_in' struct before use so that the
-    'sin_zero' field isn't left uninitialized.
+  This reverts commit 49f3117a238b6eac0e22a32f50699a9eddcb66ab.
   
-  Detected by Coverity.
-  Assisted-by: Harry Sintonen
-  Closes #7163
+  Bug: https://curl.se/mail/lib-2021-07/0025.html
+  Closes #7362
 
-- c-hyper: fix NTLM on closed connection tested with test159
+- msnprintf: return number of printed characters excluding null byte
   
-  Closes #7154
-
-- conncache: lowercase the hash key for better match
+  ... even when the output is "capped" by the maximum length argument.
   
-  As host names are case insensitive, the use of case sensitive hashing
-  caused unnecesary cache misses and therefore lost performance. This
-  lowercases the hash key.
+  Clarified in the docs.
   
-  Reported-by: Harry Sintonen
-  Fixes #7159
-  Closes #7161
+  Closes #7361
 
-- mbedtls: make mbedtls_strerror always work
+- infof: remove newline from format strings, always append it
   
-  If the function doesn't exist, provide a macro that just clears the
-  error message. Removes #ifdef uses from the code.
+  - the data needs to be "line-based" anyway since it's also passed to the
+    debug callback/application
   
-  Closes #7162
-
-- vtls: exit addsessionid if no cache is inited
+  - it makes infof() work like failf() and consistency is good
   
-  Follow-up to b249592d29ae0
+  - there's an assert that triggers on newlines in the format string
   
-  Avoids NULL pointer derefs.
+  - Also removes a few instances of "..."
   
-  Closes #7165
-
-- [Harry Sintonen brought this change]
-
-  Curl_ntlm_core_mk_nt_hash: fix OOM in error path
+  - Removes the code that would append "..." to the end of the data *iff*
+    it was truncated in infof()
   
-  Closes #7164
+  Closes #7357
 
-Michael Kaufmann (1 Jun 2021)
-- ssl: read pending close notify alert before closing the connection
+- examples/multi-single: fix scan-build warning
   
-  This avoids a TCP reset (RST) if the server initiates a connection
-  shutdown by sending an SSL close notify alert and then closes the TCP
-  connection.
+  warning: Value stored to 'mc' during its initialization is never read
   
-  For SSL connections, usually the server announces that it will close the
-  connection with an SSL close notify alert. curl should read this alert.
-  If curl does not read this alert and just closes the connection, some
-  operating systems close the TCP connection with an RST flag.
+  Follow-up to ae8e11ed5fd2ce
   
-  See RFC 1122, section 4.2.2.13
+  Closes #7360
+
+- wolfssl: failing to set a session id is not reason to error out
   
-  If curl reads the close notify alert, the TCP connection is closed
-  normally with a FIN flag.
+  ... as it is *probably* just timed out.
   
-  The new code is similar to existing code in the "SSL shutdown" function:
-  try to read an alert (non-blocking), and ignore any read errors.
+  Reported-by: Francisco Munoz
   
-  Closes #7095
+  Closes #7358
 
-Daniel Stenberg (1 Jun 2021)
-- [Laurent Dufresne brought this change]
+- docs/examples: use curl_multi_poll() in multi examples
+  
+  The API is soon two years old and deserves being shown as the primary
+  way to drive multi code as it makes it much easier to write code.
+  
+  multi-poll: removed
+  
+  multi-legacy: add to show how we did multi API use before
+  curl_multi_wait/poll.
+  
+  Closes #7352
 
-  setopt: fix incorrect comments
+- KNOWN_BUGS: flaky Windows CI builds
   
-  Closes #7157
+  Closes #6972
 
-- [Laurent Dufresne brought this change]
+- RELEASE-NOTES: synced
 
-  mbedtls: add support for cert and key blob options
+- test1147: hyper doesn't allow "crazy" request headers like built-in
   
-  CURLOPT_SSLCERT_BLOB and CURLOPT_SSLKEY_BLOB weren't usable with
-  mbedtls backend, so the support was added.
+  ... so strip that from the test.
   
-  Closes #7157
-
-- [Gregor Jasny brought this change]
+  Closes #7349
 
-  cmake: try well-known send/recv signature for Apple
-  
-  The CMake `try_compile` command is especially slow for
-  the Xcode generator. With this patch applied it first tests
-  for the currently used (and Open Group specified) send/recv
-  signature. In case this fails testing falls-back to the
-  permutations.
+- c-hyper: bail on too long response headers
   
-  speed-up:
+  To match with built-in behaviors. Makes test 1154 work.
   
-  ```
-  time cmake .. -GNinja -DCMAKE_USE_SECTRANSP=ON -DHTTP_ONLY=ON -DCMAKE_USE_LIBSSH2=OFF
-  before: 11.64s user 11.09s system 55% cpu 40.754 total
-  after:   7.84s user 6.57s  system 51% cpu 28.074 total
-  ```
+  Closes #7350
+
+- test1151: added missing CRLF to work with hyper
   
-  ```
-  time cmake .. -GXcode -DCMAKE_USE_SECTRANSP=ON -DHTTP_ONLY=ON -DCMAKE_USE_LIBSSH2=OFF
-  before: 217.07s user 104.15s system 60% cpu 8:51.79 total
-  after:  108.76s user  51.80s system 58% cpu 4:32.58 total
-  ```
+  Closes #7350
+
+- c-hyper: add support for transfer-encoding in the request
   
-  Closes #7158
+  Closes #7348
 
-- http2: init recvbuf struct for pushed streams
+- [Andrea Pappacoda brought this change]
+
+  cmake: remove libssh2 feature checks
   
-  Debug builds would warn that these structs were not initialized properly
-  for pushed streams.
+  libssh2 features are detected based on version since commit
+  9dbbba997608f7c3c5de1c627c77c8cd2aa85b73
   
-  Ref: #7148
-  Closes #7153
+  Closes #7343
 
-- Curl_ssl_getsessionid: fail if no session cache exists
-  
-  This function might get called for an easy handle for which the session
-  cache hasn't been setup. It now just returns a "miss" in that case.
+- test1116: hyper doesn't pass through "surprise-trailers"
   
-  Reported-by: Christoph M. Becker
-  Fixes #7148
-  Closes #7153
+  Closes #7344
 
-- GOVERNANCE: add 'user', 'committer' and 'contributor'
+- socks4: scan for the IPv4 address in resolve results
   
-  As those are commonly used terms in the project.
+  Follow-up to 84d2839740 which changed the resolving to always resolve
+  both address families, but since SOCKS4 only supports IPv4 it should
+  scan for and use the first available IPv4 address.
   
-  Closes #7151
-
-- URL-SYNTAX.md: document the new 'localhost' treatment
+  Reported-by: shithappens2016 on github
+  Fixes #7345
+  Closes #7346
 
-- hostip: make 'localhost' return fixed values
-  
-  Resolving the case insensitive host name 'localhost' now returns the
-  addresses 127.0.0.1 and (if IPv6 is enabled) ::1 without using any
-  resolver.
+Jay Satiro (5 Jul 2021)
+- proto.d: fix formatting for paragraphs after margin changes
   
-  This removes the risk that users accidentally resolves 'localhost' to
-  something else. By making sure 'localhost' is always local, we can
-  assume a "secure context" for such transfers (for cookies etc).
+  Closes https://github.com/curl/curl/pull/7341
+
+- pinnedpubkey.d: fix formatting for version support lists
   
-  Closes #7039
+  Closes https://github.com/curl/curl/pull/7340
 
-Daniel Gustafsson (31 May 2021)
-- docs: fix typos
+Daniel Stenberg (2 Jul 2021)
+- TODO: "Support in-memory certs/ca certs/keys" done
+  
+  Has been suppored for a while now with the *BLOB options.
 
-Daniel Stenberg (30 May 2021)
-- hsts: ignore numberical IP address hosts
+- examples: safer and more proper read callback logic
   
-  Also, use a single function library-wide for detecting if a given hostname is
-  a numerical IP address.
+  The same callback code is used in:
   
-  Reported-by: Harry Sintonen
-  Fixes #7146
-  Closes #7149
-
-- test178: adjust for hyper
+   imap-append.c
+   smtp-authzid.c
+   smtp-mail.c
+   smtp-multi.c
+   smtp-ssl.c
+   smtp-tls.c
   
-  Hyper returns the same error for wrong HTTP version as for negative
-  content-length. Test 178 verifies that negative content-length is
-  rejected but the hyper backend will return a different error for it (and
-  without any helpful message telling why the message was bad). It will
-  also not return any headers at all for the response, not even the ones
-  that arrived before the error.
+  It should not assume that it can copy full lines into the buffer as it
+  will encourage sloppy coding practices. Instead use byte-wise logic and
+  check/acknowledge the buffer size appropriately.
   
-  Closes #7147
-
-- HYPER: remove mentions of deprecated development branch
+  Reported-by: Harry Sintonen
+  Fixes #7330
+  Closes #7331
 
-- c-hyper: handle NULL from hyper_buf_copy()
+- test1519: adjusted to work with hyper
   
-  Closes #7143
-
-- HSTS: not experimental anymore
-
-- [Douglas R. Reno brought this change]
+  Closes #7333
 
-  INSTALL: use correct extension for CURL-DISABLE.md
+- test1518: adjusted to work with hyper
   
-  In INSTALL.MD, it's currently set to CURL-DISABLE-md instead of
-  CURL-DISABLE.md. This generates a 404 on the cURL website as well as
-  when viewing the docs through Github.
+  ... by making sure the stdout output doesn't look like HTTP headers.
   
-  Closes #7142
-
-- travis: run tests 1 - 153 with hyper
+  Closes #7333
 
-- c-hyper: convert HYPERE_INVALID_PEER_MESSAGE to CURLE_UNSUPPORTED_PROTOCOL
+- test1514: add a CRLF to the response to make it correct
   
-  Makes test 129 work (HTTP/1.2 response).
+  Makes hyper accept it fine instead returning HYPERE_UNEXPECTED_EOF on
+  us.
   
-  Closes #7141
+  Closes #7334
 
-- http_proxy: deal with non-200 CONNECT response with Hyper
+- formdata: avoid "Argument cannot be negative" warning
   
-  Makes test 94 and 95 work
+  ... when converting a curl_off_t to size_t, by using
+  CURL_ZERO_TERMINATED before passing the argument to the function.
   
-  Closes #7141
-
-- c-hyper: clear NTLM auth buffer when request is issued
+  Detected by Coverity CID 1486590.
   
-  To prevent previous ones to get reused on subsequent requests. Matches
-  how the built-in HTTP code works. Makes test 90 to 93 work.
+  Closes #7328
+  Assisted-by: Daniel Gustafsson
+
+- lib: more %u for port and int for %*s fixes
   
-  Add test 90 to 93 in travis.
+  Detected by Coverity
   
-  Closes #7139
+  Closes #7329
 
-- [Joel Depooter brought this change]
+- doh: (void)-prefix call to curl_easy_setopt
 
-  schannel: set ALPN length correctly for HTTP/2
+- lib: fix type of len passed to *printf's %*s
   
-  In a3268eca792f1 this code was changed to use the ALPN_H2 constant
-  instead of the NGHTTP2_PROTO_ALPN constant. However, these constants are
-  not the same. The nghttp2 constant included the length of the string,
-  like this: "\x2h2". The ALPN_H2 constant is just "h2". Therefore we need
-  to re-add the length of the string to the ALPN buffer.
+  ... it needs to be 'int'. Detected by Coverity CID 1486611 (etc)
   
-  Closes #7138
+  Closes #7326
 
-- travis: run tests 1-89 in the hyper build
+- lib: use %u instead of %ld for port number printf
   
-  Closes #7137
+  Follow-up to 764c6bd3bf which changed the type of some port number
+  fields. Detected by Coverity (CID 1486624) etc.
+  
+  Closes #7325
 
-- Revert "c-hyper: handle body on HYPER_TASK_EMPTY"
+- version: turn version number functions into returning void
   
-  This reverts commit c3eefa95c31f55657f0af422e8268d738f689066.
+  ... as we never use the return codes from them.
   
-  Reported-by: Kevin Burke
-  Fixes #7122
-  Closes #7136
-
-- [Jon Rumsey brought this change]
+  Reviewed-by: Daniel Gustafsson
+  Closes #7319
 
-  ccsidcurl: fix the compile errors
+- mqtt: extend the error message for no topic
   
-  Looks like the declaration of cpp shoule be const char ** and return
-  null if convert_version_info_string fails.
+  ... and mention that it needs URL encoding.
   
-  Fixes #7134
-  Closes #7135
-
-- [Viktor Szakats brought this change]
+  Reported-by: Peter Körner
+  Fixes #7316
+  Closes #7317
 
-  docs: use --max-redirs instead of --max-redir
+- formdata: correct typecast in curl_mime_data call
   
-  For consistency.
+  Coverity pointed out it the mismatch. CID 1486590
   
-  Closes #7130
+  Closes #7327
 
-- RELEASE-NOTES: synced
+- url: (void)-prefix a curl_url_get() call
   
-  ... and bump to 7.77.1
-
-- [Michael Forney brought this change]
-
-  travis: add bearssl build
+  Coverity (CID 1486645) pointed out a use of curl_url_get() in the
+  parse_proxy function where the return code wasn't checked. A
+  (void)-prefix makes the intention obvious.
   
-  Closes #7133
-
-- [Michael Forney brought this change]
+  Closes #7320
 
-  bearssl: explicitly initialize all fields of Curl_ssl
+- glob: pass an 'int' as len when using printf's %*s
   
-  Also, add comments like the other vtls backends.
+  Detected by Coverity CID 1486629.
   
-  Closes #7133
-
-- [Michael Forney brought this change]
+  Closes #7324
 
-  bearssl: remove incorrect const on variable that is modified
+- vtls: use free() not curl_free()
   
-  hostname may be set to NULL later on in this function if it is an
-  IP address.
+  curl_free() is provided for users of the API to free returned data,
+  there's no need to use it internally.
   
-  Closes #7133
-
-Version 7.77.0 (26 May 2021)
-
-Daniel Stenberg (26 May 2021)
-- RELEASE-NOTES: synced
-
-- THANKS: added contributors from 7.77.0 cycle
-
-- copyright: update copyright year ranges to 2021
-
-- [Radek Zajic brought this change]
+  Closes #7318
 
-  hostip: fix broken macOS/CMake/GCC builds
+- zuul: use the new rustls directory name
   
-  Follow-up to 31f631a142d855f06
+  Follow-up to 6d972c8b1cbb3 which missed updating this directory name.
   
-  Fixes #7128
-  Closes #7129
-
-- TODO: netrc caching and sharing
+  Also no longer call it crustls in the docs and bump to rusttls-ffi 0.7.1
   
-  URL: https://curl.se/mail/archive-2021-05/0018.html
-
-- [Orgad Shaneh brought this change]
+  Closes #7311
 
-  setopt: streamline ssl option code
+Jay Satiro (29 Jun 2021)
+- http: fix crash in rate-limited upload
   
-  Make it use the same style as the code next to it
+  - Don't set the size of the piece of data to send to the rate limit if
+    that limit is larger than the buffer size that will hold the piece.
   
-  Closes #7123
-
-- [Radek Zajic brought this change]
-
-  lib/hostip6.c: make NAT64 address synthesis on macOS work
+  Prior to this change if CURLOPT_MAX_SEND_SPEED_LARGE
+  (curl tool: --limit-rate) was set then it was possible that a temporary
+  buffer used for uploading could be written to out of bounds. A likely
+  scenario for this would be a non-trivial amount of post data combined
+  with a rate limit larger than CURLOPT_UPLOAD_BUFFERSIZE (default 64k).
   
-  Closes #7121
-
-- [ejanchivdorj brought this change]
-
-  sectransp: fix EXC_BAD_ACCESS caused by uninitialized buffer
+  The bug was introduced in 24e469f which is in releases since 7.76.0.
   
-  When the SecCertificateCopyCommonName function fails, it leaves
-  common_name in a invalid state so CFStringCompare uses the invalid
-  result, causing EXC_BAD_ACCESS.
+  perl -e "print '0' x 200000" > tmp
+  curl --limit-rate 128k -d @tmp httpbin.org/post
   
-  The fix is to check the return value of the function before using the
-  name.
+  Reported-by: Richard Marion
   
-  Closes #7126
+  Fixes https://github.com/curl/curl/issues/7308
+  Closes https://github.com/curl/curl/pull/7315
 
-- [Paweł Wegner brought this change]
+Daniel Stenberg (29 Jun 2021)
+- copyright: add boiler-plate headers to CI config files
+  
+  And whitelist .zuul.ignore
+  
+  Closes #7314
 
-  CMake: add CURL_ENABLE_EXPORT_TARGET option
+- CI: remove travis details
   
-  install(EXPORT ...) causes trouble when embedding curl dependencies
-  which don't provide install(EXPORT ...) targets (e.g libressl and
-  nghttp2) with cmake's add_subdirectory.
+  Rename still used leftovers to "zuul" as that's now the CI using them.
   
-  Reviewed-by: Jakub Zakrzewski
-  Closes #7060
+  Closes #7313
 
-- [Alessandro Ghedini brought this change]
+- RELEASE-NOTES: synced
 
-  quiche: update for network path aware API
+- openssl: avoid static variable for seed flag
   
-  Latest version of quiche requires the application to pass the peer
-  address of received packets, and it provides the address for outgoing
-  packets back.
+  Avoid the race condition risk by instead storing the "seeded" flag in
+  the multi handle. Modern OpenSSL versions handle the seeding itself so
+  doing the seeding once per multi-handle instead of once per process is
+  less of an issue.
   
-  Closes #7120
-
-- [Jacob Hoffman-Andrews brought this change]
+  Reported-by: Gerrit Renker
+  Fixes #7296
+  Closes #7306
 
-  rustls: switch read_tls and write_tls to callbacks
+- configure: inhibit the implicit-fallthrough warning on gcc-12
   
-  And update to 0.6.0, including a rename from session to connection for
-  many fields.
+  ... since it no longer acknowledges the comment markup we use for that
+  purpose.
   
-  Closes #7071
+  Reported-by: Younes El-karama
+  Fixes #7295
+  Closes #7307
 
-- [Koichi Shiraishi brought this change]
+Daniel Gustafsson (28 Jun 2021)
+- [Andrei Rybak brought this change]
 
-  sectransp: fix 7f4a9a9b2a49 commit about missing comma
+  misc: fix typos in comments which repeat a word
   
-  Follow-up to 7f4a9a9b2a495
+  Fix typos in code comments which repeat various words.  In trivial
+  cases, just delete the repeated word.  Reword the affected sentence in
+  "lib/url.c" for it to make sense.
   
-  Closes #7119
-
-- [Harry Sintonen brought this change]
+  Closes #7303
+  Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
 
-  openssl: associate/detach the transfer from connection
+Daniel Stenberg (27 Jun 2021)
+- lib677: make it survive torture testing
   
-  CVE-2021-22901
+  Follow-up to a5ab72d5edd7
   
-  Bug: https://curl.se/docs/CVE-2021-22901.html
+  Closes #7300
 
-- [Harry Sintonen brought this change]
+- [Tommy Chiang brought this change]
 
-  telnet: check sscanf() for correct number of matches
+  docs/BINDINGS: fix outdated links
   
-  CVE-2021-22898
+  * luacurl page is now not accessible, fix it with wayback machine page
+  * Scheme one seems not providing https now, change it back to http one
   
-  Bug: https://curl.se/docs/CVE-2021-22898.html
+  Closes #7301
 
-- schannel: don't use static to store selected ciphers
+- [Jacob Hoffman-Andrews brought this change]
+
+  curstls: bump crustls version and use new URL
   
-  CVE-2021-22897
+  crustls moved to https://github.com/rustls/rustls-ffi. This also bumps
+  the expected version to 0.7.0.
   
-  Bug: https://curl.se/docs/CVE-2021-22897.html
-
-- docs/tests: remove freenode references
+  Closes #7297
 
 - RELEASE-NOTES: synced
 
-- [Sergey Markelov brought this change]
-
-  NSS: make colons, commas and spaces valid separators in cipher list
-  
-  Fixes #7110
-  Closes #7115
-
-- curl: include libmetalink version in --version output
+- examples: length-limit two sscanf() uses of %s
   
-  Closes #7112
+  Reported-by: Jishan Shaikh
+  Fixes #7293
+  Closes #7294
 
-Jay Satiro (21 May 2021)
-- [Matias N. Goldberg brought this change]
+- [Richard Whitehouse brought this change]
 
-  cmake: Use multithreaded compilation on VS 2008+
+  multi: alter transfer timeout ordering
   
-  Multithreaded compilation has been supported since at least VS 2005 and
-  been robustly stable since at least VS 2008
+  - Check whether a connection has succeded before checking whether it's
+    timed out.
   
-  Closes https://github.com/curl/curl/pull/7109
-
-Daniel Stenberg (21 May 2021)
-- [Matias N. Goldberg brought this change]
-
-  cmake: fix two invokes result in different curl_config.h
+    This means if we've connected quickly, but subsequently been
+    descheduled, we allow the connection to succeed. Note, if we timeout,
+    but between checking the timeout, and connecting to the server the
+    connection succeeds, we will allow it to go ahead. This is viewed as
+    an acceptable trade off.
   
-  Fixes #7100
-  Closes #7101
+  - Add additional failf logging around failed connection attempts to
+    propogate the cause up to the caller.
   
-  Reviewed-by: Jakub Zakrzewski
-  Signed-off-by: Matias N. Goldberg <dark_sylinc@yahoo.com.ar>
-
-- [Peng-Yu Chen brought this change]
+  Co-Authored-by: Martin Howarth
+  Closes #7178
 
-  cmake: detect CURL_SA_FAMILY_T
+- test677: IMAP CONNECT_ONLY, custom command and then exit
   
-  Fixes #7049
-  Closes #7065
-
-- [Lucas Clemente Vella brought this change]
+  Adjusted ftpserver.pl to add support for the IMAP IDLE command
+  
+  Adjusted test 660 to sync with the fix
 
-  CURLOPT_IPRESOLVE: preventing wrong IP version from being used
+- multi: do not switch off connect_only flag when closing
   
-  In some situations, it was possible that a transfer was setup to
-  use an specific IP version, but due do DNS caching or connection
-  reuse, it ended up using a different IP version from requested.
+  ... as it made protocol specific disconnect commands wrongly get used.
   
-  This commit changes the effect of CURLOPT_IPRESOLVE from simply
-  restricting address resolution to preventing the wrong connection
-  type being used, when choosing a connection from the pool, and
-  to restricting what addresses could be used when establishing
-  a new connection.
+  Bug: https://curl.se/mail/lib-2021-06/0024.html
+  Reported-by: Aleksander Mazur
+  Closes #7288
+
+- http: make the haproxy support work with unix domain sockets
   
-  It is important that all addresses versions are resolved, even if
-  not used in that transfer in particular, because the result is
-  cached, and could be useful for a different transfer with a
-  different CURLOPT_IPRESOLVE setting.
+  ... it should then pass on "PROXY UNKNOWN" since it doesn't know the
+  involved IP addresses.
   
-  Closes #6853
+  Reported-by: Valentín Gutiérrez
+  Fixes #7290
+  Closes #7291
 
-- [Oliver Urbann brought this change]
+- [Xiang Xiao brought this change]
 
-  AmigaOS: add functions definitions for SHA256
+  curl.h: include sys/select.h for NuttX RTOS
   
-  AmiSSL replaces many functions with macros. Curl requires pointer
-  to some of these functions. Thus, we have to encapsulate these macros:
-  SHA256_Init, SHA256_Update, SHA256_Final, X509_INFO_free.
+  Closes #7287
+
+- [Bin Meng brought this change]
+
+  curl.h: remove the execution bit
   
-  Bug: https://github.com/jens-maus/amissl/issues/15
-  Co-authored-by: Daniel Stenberg <daniel@haxx.se>
+  The execution bit of curl.h file was wrongly added:
   
-  Closes #7099
-
-- test2100: make it run with and require IPv6
+    commit 2621025d6f96 ("curl.h: <sys/select.h> is supported by VxWorks7")
   
-  Closes #7083
-
-- tests/getpart: generate output URL encoded for better diffs
+  and should be removed.
   
-  Closes #7083
+  Follow-up to 2621025d6f96 ("curl.h: <sys/select.h> is supported by VxWorks7")
+  Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
+  Closes #7286
 
-- [Ryan Beck-Buysse brought this change]
+- [Bin Lan brought this change]
 
-  docs/TheArtOfHttpScripting: fix markdown links
-  
-  extra parens cause the links to be incorrectly formatted
-  and inconsistent with the rest of the document.
+  curl.h: <sys/select.h> is supported by VxWorks7
   
-  Signed-off-by: Ryan Beck-Buysse <rbuysse@gmail.com>
-  Closes #7097
-
-- RELEASE-NOTES: synced
+  Closes #7285
 
-- [Emil Engler brought this change]
+- [Bachue Zhou brought this change]
 
-  docs: replace dots with dashes in markdown enums
+  quiche: use send() instead of sendto() to avoid macOS issue
   
-  We use dashes instead of dots nearly everywhere except for those few
-  cases. This commit addresses this issues and brings more coherency into
-  it.
+  sendto() always returns "Socket is already connected" error on macos
   
-  Closes #7093
+  Closes #7260
 
-- [Emil Engler brought this change]
+- [Li Xinwei brought this change]
 
-  docs: improve INTERNALS.md regarding getsock cb
+  cmake: fix support for UnixSockets feature on Win32
   
-  This adds the I/O prefix to indicate that those "actions" are kind-of
-  related to those found in select(2) or poll(2) (reading/writing).
+  Move the definition of sockaddr_un struct from config-win32.h to
+  curl_setup.h, so that it could be shared by all build systems.
   
-  It also adds a note where the prototypes of those functions can be found
-  in the source code.
+  Add ADDRESS_FAMILY typedef for old mingw, now old mingw can also use
+  unix sockets.
   
-  Closes #7092
+  Also fix the build of tests/server/sws.c on Win32 when USE_UNIX_SOCKETS
+  is defined.
+  
+  Closes #7034
 
-- [Emil Engler brought this change]
+- [Gregory Muchka brought this change]
 
-  docs: document attach in INTERNALS.md
+  hostip: (macOS) free returned memory of SCDynamicStoreCopyProxies
   
-  The new field in the Curl_handler struct still lacks documentation. This
-  adds it it from the information extracted from lib/urldata.h:797
+  From Apples documentation on SCDynamicStoreCopyProxies, "Return Value: A
+  dictionary of key-value pairs that represent the current internet proxy
+  settings, or NULL if no proxy settings have been defined or if an error
+  occurred. You must release the returned value."
   
-  Closes #7091
-
-- [Marc Aldorasi brought this change]
-
-  config: remove now-unused macros
+  Failure to release the returned value of SCDynamicStoreCopyProxies can
+  result in a memory leak.
   
-  Closes #7094
+  Source: https://developer.apple.com/documentation/systemconfiguration/1517088-scdynamicstorecopyproxies
+  
+  Closes #7265
 
-- [Marc Aldorasi brought this change]
+- RELEASE-NOTES: synced
 
-  hostip.h: remove declaration of unimplemented function
+Jay Satiro (21 Jun 2021)
+- vtls: fix warning due to function prototype mismatch
   
-  Closes #7094
+  b09c8ee changed the function prototype. Caught by Visual Studio.
 
-- h3: add 'attach' callback to protocol handlers
-  
-  Follow-up to 0c55fbab45be
+- curl_multibyte: Remove local encoding fallbacks
   
-  Reviewed-by: Emil Engler
-  Closes #7090
-
-- wolfssl: remove SSLv3 support leftovers
+  - If the UTF-8 to UTF-16 conversion fails in Windows Unicode builds then
+    no longer fall back to assuming the string is in a local encoding.
   
-  Closes #7088
-
-- curl-wolfssl.m4: without custom include path, assume /usr/include
+  Background:
   
-  ... so that we can point out the root of the OpenSSL emulation headers.
-  Previously this used the '$includedir' variable which is wrong since
-  that defaults to the dir where the current configure invoke will install
-  the built libcurl headers: /usr/local by default.
+  Some functions in Windows Unicode builds must convert UTF-8 to UTF-16 to
+  pass to the Windows CRT API wide-character functions since in Windows
+  UTF-8 is not a valid locale (or at least 99% of the time right now).
   
-  Fixes #7085
-  Reported-by: Joel Jakobsson
-  Closes #7087
-
-- [Joel Depooter brought this change]
-
-  data_pending: check only SECONDARY socket for FTP(S) transfers
+  Prior to this change if the Unicode encoding conversion failed then
+  libcurl would assume, for backwards compatibility with applications that
+  may have written their code for non-Unicode builds, attempt to convert
+  the string from local encoding to UTF-16.
   
-  Check the FIRST for all other protocols.
+  That type of "best effort" could theoretically cause some type of
+  security or other problem if a string that was locally encoded was also
+  valid UTF-8, and therefore an unexpected UTF-8 to UTF-16 conversion
+  could occur.
   
-  This fixes a timeout in an ftps download. The server sends a TLS
-  close_notify message in the same packet as the file data. The
-  close_notify seems to not be handled in the schannel_recv function, so
-  libcurl is not aware that the server has closed the connection. Thus
-  libcurl ends up waiting for action on the socket until a timeout is
-  reached. With the secondary socket check added to the data_pending
-  function, the close_notify is properly handled, and the ftps transfer
-  terminates as expected.
+  Ref: https://github.com/curl/curl/pull/7246
   
-  Fixes #7068
-  Closes #7069
+  Closes https://github.com/curl/curl/pull/7257
 
-- github: inhibit deprecated declarations for clang on macOS
+Daniel Stenberg (20 Jun 2021)
+- curl_endian: remove the unused Curl_write64_le function
   
-  ... as they otherwise cause ldap build errors in the CI.
+  The last usage was removed in cca455a36
   
-  Fixes #7081
-  Closes #7082
+  Closes #7280
 
-- conn: add 'attach' to protocol handler, make libssh2 use it
+- vtls: only store TIMER_APPCONNECT for non-proxy connect
   
-  The libssh2 backend has SSH session associated with the connection but
-  the callback context is the easy handle, so when a connection gets
-  attached to a transfer, the protocol handler now allows for a custom
-  function to get used to set things up correctly.
+  Introducing a 'isproxy' argument to the connect function so that it
+  knows wether to store the time stamp or not.
   
-  Reported-by: Michael O'Farrell
-  Fixes #6898
-  Closes #7078
+  Reported-by: Yongkang Huang
+  Fixes #7274
+  Closes #7274
 
-- http2: make sure pause is done on HTTP
+- gnutls: set the preferred TLS versions in correct order
   
-  Since the function is called for any protocol, we can't assume that the
-  HTTP struct is there without first making sure it is HTTP.
+  Regression since 781864bedbc57 (curl 7.77.0)
   
-  Reported-by: Denis Goleshchikhin
-  Fixes #7079
-  Closes #7080
+  Reported-by: civodul on github
+  Assisted-by: Nikos Mavrogiannopoulos
+  Fixes #7277
+  Closes #7278
 
-- docs: cookies from HTTP headers need domain set
-  
-  ... or the cookies won't get sent. Push users to using the "Netscape"
-  format instead, which curl uses when saving a cookie "jar".
+- [Gergely Nagy brought this change]
+
+  configure/cmake: remove checks for unused gethostbyaddr and gethostbyaddr_r
   
-  Reported-by: Martin Dorey
-  Reviewed-by: Daniel Gustafsson
-  Fixes #6723
-  Closes #7077
+  Closes #7276
 
-- RELEASE-NOTES: synced
+- [Gergely Nagy brought this change]
 
-- github: add a workflow with libssh2 on macOS using cmake
+  configure/cmake: remove checks for unused inet_ntoa and inet_ntoa_r
   
-  Closes #7047
+  Closes #7276
 
-- sws: allow HTTP requests up to 2MB in size
+- [Gergely Nagy brought this change]
+
+  configure/cmake: remove unused define HAVE_PERROR
   
-  To allow tests with slightly larger payloads. Like #7071 ...
+  Closes #7276
+
+- [Gergely Nagy brought this change]
+
+  configure: remove unused check for gai_strerror
   
-  Closes #7075
+  Closes #7276
 
-Marc Hoersken (16 May 2021)
-- CI/azure: increase verbosity and fix outdated task names
+- [Gergely Nagy brought this change]
+
+  configure/cmake: remove unused define HAVE_FREEIFADDRS
   
-  Closes #7063
+  Closes #7276
 
-- CI/cirrus: add shared and static Windows release builds
+- [Gergely Nagy brought this change]
+
+  configure/cmake: remove unused define HAVE_FORK
   
-  Azure Pipelines is currently being used for debug builds,
-  let's also run some non-debug (release) Windows builds and
-  make use of previously underutilized Cirrus CI for that.
+  Closes #7276
+
+- [Gergely Nagy brought this change]
+
+  configure/cmake: remove unused define HAVE_FDOPEN
   
-  Reviewed-by: Marcel Raad
+  Closes #7276
+
+- [Gergely Nagy brought this change]
+
+  configure/cmake: remove checks for unused sgtty.h
   
-  Closes #6991
+  Closes #7276
 
-Daniel Stenberg (16 May 2021)
-- CURLOPT_CAPATH.3: defaults to a path, not NULL
+- [Gergely Nagy brought this change]
+
+  configure/cmake: remove remaining checks for rsa.h
   
-  Reported-by: Andrew Barnert
+  Closes #7276
+
+- [Gergely Nagy brought this change]
+
+  configure/cmake: remove remaining checks for err.h
   
-  Closes #7062
+  Closes #7276
 
-- [Jacob Hoffman-Andrews brought this change]
+- [Gergely Nagy brought this change]
 
-  c-hyper: handle body on HYPER_TASK_EMPTY
+  configure/cmake: remove remaining checks for crypto.h
   
-  Some of the time, we get a HYPER_TASK_EMPTY response before the status
-  line, headers, and body have been read. Previously, that would cause us
-  to poll again, leading to a 1 second timeout.
+  Closes #7276
+
+- [Gergely Nagy brought this change]
+
+  configure/cmake: remove checks for unused getservbyport_r
   
-  The HYPER_TASK_EMPTY docs say:
+  Closes #7276
+
+- --socks4[a]: clarify where the host name is resolved
   
-     The value of this task is null (does not imply an error).
+  Closes #7273
+
+- libcurl-security.3: mention file descriptors and forks
   
-  So, if we receive a HYPER_TASK_EMPTY, continue on with processing the
-  response.
+  ... and move the security report section last.
   
-  Reported-by: Kevin Burke
-  Fixes #7064
-  Closes #7070
+  Reported-by: Harry Sintonen
+  Closes #7270
 
-- [Ikko Ashimine brought this change]
+- [Alex Xu (Hello71) brought this change]
 
-  tool_getparam: fix comment typo in tool_getparam.c
+  configure.ac: make non-executable
   
-  enfore -> enforce
+  it needs to be processed by autoconf or autoreconf, and doesn't have a
+  suitable shebang to be directly executed. other projects normally set
+  configure.ac -x.
   
-  Closes #7074
+  Closes #7272
 
-- mem-include-scan.pl: require a non-word letter before memory funcs
+- configure: do not strip out debug flags
   
-  ... so that ldap_memfree() for example doesn't match the scan for free.
+  To allow users to set them when invoking configure without using
+  --with-debug.
   
-  Closes #7061
+  Reported-by: Alex Xu
+  Fixes #7216
+  Closes #7267
 
-- version: free the openldap info correctly
-  
-  ... to avoid memory leaks.
+- libssh2: limit time a disconnect can take to 1 second
   
-  Follow-up to: bf0feae7768d9
-  Closes #7061
+  Closes #7271
 
-- dupset: remove totally off comment
+- TLS: prevent shutdown loops to get stuck
   
-  Closes #7067
-
-- configure: if asked for, fail if ldap is not found
+  ... by making sure the loops are only allowed to read the shutdown
+  traffic a limited number of times.
   
-  Reported-by: Jakub Zakrzewski
-  Fixes #7053
-  Closes #7055
+  Reported-by: Harry Sintonen
+  Closes #7271
 
-- version: add OpenLDAP version in the output
+- hyper: propagate errors back up from read callbacks
   
-  Assisted-by: Howard Chu
-  Closes #7054
-
-Jay Satiro (13 May 2021)
-- [Joel Depooter brought this change]
-
-  schannel: Ensure the security context request flags are always set
+  Makes test 513 work with hyper
   
-  As of commit 54e7475, these flags would only be set when using a new
-  credential handle. When re-using an existing credential handle, the
-  flags would not be set.
+  Closes #7266
+
+- KNOWN_BUGS: Negotiate on Windows fails
   
-  Closes https://github.com/curl/curl/pull/7051
+  Closes #5881
 
-Dan Fandrich (12 May 2021)
-- tests: Fix some tag matching issues in a number of tests
+- KNOWN_BUGS: renames instead of locking for atomic operations
+  
+  Closes #6882
+  Closes #6884
 
-Daniel Stenberg (12 May 2021)
-- sasl: use 'unsigned short' to store mechanism
+- zuul: add two missing CI jobs
   
-  ... saves a few bytes of struct size in memory and it only uses
-  10 bits anyway.
+  ... that were configured, just not run
   
-  Closes #7045
+  Closes #7261
 
-- hostip: remove the debug code for LocalHost
-  
-  The Curl_resolv() had special code (when built in debug mode) for when
-  resolving the host name "LocalHost" (using that exact casing). It would
-  then get the host name from the --interface option instead.
+Viktor Szakats (15 Jun 2021)
+- idn: fix libidn2 with windows unicode builds
   
-  This development-only feature was not used by anything (anymore) and we
-  have the --resolve feature if we want to play similar tricks properly
-  going forward.
+  Unicode Windows builds use UTF-8 strings internally in libcurl,
+  so make sure to call the UTF-8 flavour of the libidn2 API. Also
+  document that Windows builds with libidn2 and UNICODE do expect
+  CURLOPT_URL as an UTF-8 string.
   
-  Closes #7044
+  Reported-by: dEajL3kA on github
+  Assisted-by: Jay Satiro
+  Reviewed-by: Marcel Raad
+  Closes #7246
+  Fixes #7228
 
-- progress: reset limit_size variables at transfer start
+Daniel Stenberg (15 Jun 2021)
+- curl_url_set: reject spaces in URLs w/o CURLU_ALLOW_SPACE
   
-  Otherwise the old value would linger from a previous use and would mess
-  up the network speed cap logic.
+  They were never officially allowed and slipped in only due to sloppy
+  parsing. Spaces (ascii 32) should be correctly encoded (to %20) before
+  being part of a URL.
   
-  Reported-by: Ymir1711 on github
+  The new flag bit CURLU_ALLOW_SPACE when a full URL is set, makes libcurl
+  allow spaces.
   
-  Fixes #7042
-  Closes #7043
+  Updated test 1560 to verify.
+  
+  Closes #7073
 
 - RELEASE-NOTES: synced
+  
+  ... and bump to version 7.78.0 for the next planned release.
 
-- [Daniel Gustafsson brought this change]
-
-  cookies: use CURLcode for cookie_output reporting
+Jay Satiro (15 Jun 2021)
+- docs: Remove outdated curl tool limitation
   
-  Writing the cookie file has multiple error conditions, and was using an
-  int with magic numbers to report the different error (which in turn were
-  disregarded anyways). This moves reporting to use a CURLcode value.
+  - Document that HTTP/2 multiplexing is supported by the curl tool when
+    parallel transfers are used.
   
-  Lightly-touched-by: Daniel Stenberg
+  Supported since 7.66.0 via --parallel, but the doc wasn't updated.
   
-  Closes #7037
-  Closes #6749
-
-- [Daniel Gustafsson brought this change]
+  Closes https://github.com/curl/curl/pull/7259
 
-  cookies: make use of string duplication function
+- http2: Clarify 'Using HTTP2' verbose message
   
-  strstore() is defined as a strdup which ensures to free the target
-  pointer before duping the source char * into it. Make use of it in
-  two more cases where it can simplify the code.
-
-- [Daniel Gustafsson brought this change]
-
-  cookies: refactor comments
+  - Change phrasing from multi-use to multiplexing since the former may
+    not be as well understood.
   
-  Comments in the cookie code were a bit all over the place in terms of
-  style and wording. This takes a stab at cleaning them up by keeping to
-  a single style and overall shape. Some comments are moved a little and
-  some removed alltogether due to being redundant. No functional changes
-  have been made,
-
-- [Peng-Yu Chen brought this change]
-
-  http2: skip immediate parsing of payload following protocol switch
+  Before: * Using HTTP2, server supports multi-use
   
-  This is considered not harmful as a following http2_recv shall be
-  called very soon.
+  After: * Using HTTP2, server supports multiplexing
   
-  This is considered helpful in the specific situation where some
-  servers (e.g. nghttpx v1.43.0) may fulfill stream 1 immediately
-  following the return of HTTP status 101, other than waiting for
-  the client-side connection preface to arrive.
+  Bug: https://github.com/curl/curl/discussions/7255
+  Reported-by: David Hu
   
-  Fixes #7036
-  Closes #7040
-
-- [Peng-Yu Chen brought this change]
+  Closes https://github.com/curl/curl/pull/7258
 
-  http2: use nghttp2_session_upgrade2 instead of nghttp2_session_upgrade
-  
-  Following the upstream deprecation of nghttp2_session_upgrade.
-  
-  Also provides further checks for requests with the HEAD method.
+Daniel Stenberg (14 Jun 2021)
+- winbuild/README: VC should be set to 6 'or larger'
   
-  Closes #7041
-
-- progress/trspeed: use a local convenient pointer to beautify code
+  Previously it listed all versions up to 15 (missing 16) but this new
+  phrasing is more open ended.
   
-  The function becomes easier to read and understand with less repetition.
+  Reported-by: Hugh Macdonald
+  Fixes #7253
+  Closes #7254
 
-- trspeed: use long double for transfer speed calculation
+- [Jacob Hoffman-Andrews brought this change]
 
-- progress: move transfer speed calc into function
+  rustls: remove native_roots fallback
   
-  This silences two scan-build-11 warnings: "The result of the '/'
-  expression is undefined"
+  For the commandline tool, we expect to be passed
+  SSL_CONN_CONFIG(CAfile); for library use, the use should pass a set of
+  trusted roots (like in other TLS backends).
   
-  Bug: https://curl.se/mail/lib-2021-05/0022.html
-  Closes #7035
+  This also removes a dependency on Security.framework when building on
+  macOS.
+  
+  Closes #7250
 
-- [Cameron Cawley brought this change]
+- [Albin Vass brought this change]
 
-  openssl: remove unneeded cast for CertOpenSystemStore()
+  travis: remove jobs that have migrated to zuul
   
-  Closes #7025
+  Closes #7245
 
-- travis: disable the libssh build
+- [Mohammed Naser brought this change]
+
+  CI: add jobs using Zuul
   
-  It can't run on focal and causes warnings on bionic. Since the focal
-  failure started rather suddenly a while ago, we can suspect it might be
-  temporary.
+  It also includes a few changes to get the builds going:
+  - Added autoconf to common dependencies
+  - Added automake to common dependencies
+  - Added libtool to common dependencies
+  - Added libssl-dev to common dependencies
   
-  Added "bring back the build" to the TODO document.
+  Co-authored-by: Albin Vass
   
-  Fixes #7011
-  Closes #7012
-
-- [Peng-Yu Chen brought this change]
+  Closes #7245
 
-  http: use calculated offsets inst of integer literals for header parsing
-  
-  Assumed to be a minor coding style improvement with no behavior change.
+- netrc: skip 'macdef' definitions
   
-  A modern compiler is expected to have the calculation optimized during
-  compilation. It may be deemed okay even if that's not the case, since
-  the added overhead is considered very low.
+  Add test 494 to verify
   
-  Closes #7032
-
-- [Peng-Yu Chen brought this change]
+  Reported-by: Harry Sintonen
+  Fixes #7238
+  Closes #7244
 
-  GIT-INFO: suggest using autoreconf instead of buildconf
+- multi: add scan-build-6 work-around in curl_multi_fdset
   
-  Follow-up to 85868537d
+  scan-build-6 otherwise warns, saying: warning: The left operand of '>='
+  is a garbage value otherwise, which is false.
   
-  Closes #7033
+  Later scan-builds don't claim this on the same code.
+  
+  Closes #7248
 
-- http: deal with partial CONNECT sends
+- asyn-ares: remove check for 'data' in Curl_resolver_cancel
   
-  Also added 'CURL_SMALLSENDS' to make Curl_write() send short packets,
-  which helped verifying this even more.
+  It implied it would survive a NULL in there which it won't. Instead do
+  an assert.
   
-  Add test 363 to verify.
+  Pointed out by scan-build.
   
-  Reported-by: ustcqidi on github
-  Fixes #6950
-  Closes #7024
+  Closes #7248
 
-- HTTP3: make the ngtcp2 build use the quictls fork
+- url.c: remove two variable assigns that are never read
   
-  ... as ngtcp2 itself documents the build this way.
+  Pointed out by scan-build
   
-  Closes #7031
+  Closes #7248
 
-- http: limit the initial send amount to used upload buffer size
+- [Gealber Morales brought this change]
+
+  mqtt: add support for username and password
   
-  Previously this logic would cap the send to CURL_MAX_WRITE_SIZE bytes,
-  but for the situations where a larger upload buffer has been set, this
-  function can benefit from sending more bytes. With default size used,
-  this does the same as before.
+  Minor-edits-by: Daniel Stenberg
+  Added test 2200 to 2205
   
-  Also changed the storage of the size to an 'unsigned int' as it is not
-  allowed to be set larger than 2M.
+  Closes #7243
+
+- travis: remove the arm job
   
-  Also added cautions to the man pages about changing buffer sizes in
-  run-time.
+  We do it on circle CI instead
+
+- CI: add .circleci/config.yml
   
-  Closes #7022
+  Assisted-by: Gabriel Simmer
+  
+  Closes #7239
 
 - RELEASE-NOTES: synced
 
-- ngtcp2: fix the cb_acked_stream_data_offset proto
-  
-  The 'datalen' value should be 64 bit, not size_t!
-  
-  Reported-by: Dmitry Karpov
-  Bug: https://curl.se/mail/lib-2021-05/0019.html
-  Closes #7027
+- runtests: init $VERSION to avoid warnings when using -l
 
-- progress: when possible, calculate transfer speeds with microseconds
+- openssl: don't remove session id entry in disassociate
   
-  ... this improves precision, especially for transfers in the few or even
-  sub millisecond range.
+  When a connection is disassociated from a transfer, the Session ID entry
+  should remain.
   
-  Reported-by: J. Bromley
-  Fixes #7017
-  Closes #7020
+  Regression since 7f4a9a9 (shipped in libcurl 7.77.0)
+  Reported-by: Gergely Nagy
+  Reported-by: Paul Groke
+  
+  Fixes #7222
+  Closes #7230
 
-- http: reset the header buffer when sending the request
+- single_transfer: ignore blank --output-dir
   
-  A reused transfer handle could otherwise reuse the previous leftover
-  buffer and havoc would ensue.
+  ... as otherwise it creates a rather unexpected target directory with a
+  leading slash.
   
-  Reported-by: sergio-nsk on github
-  Fixes #7018
-  Closes #7021
+  Reported-by: Harry Sintonen
+  Fixes #7218
+  Closes #7233
 
-- curl_mprintf.3: add description
+- tests: update README about servers and port numbers
   
-  These functions have existed in the API since the dawn of time. It is
-  about time we describe how they work, even if we discourage users from
-  using them.
+  Closes #7242
+
+- conn_shutdown: if closed during CONNECT cleanup properly
   
-  Closes #7010
+  Reported-by: Alex Xu
+  Reported-by: Phil E. Taylor
+  
+  Fixes #7236
+  Closes #7237
 
-- [Timothy Gu brought this change]
+- [Christian Weisgerber brought this change]
 
-  URL-SYNTAX: update IDNA section for WHATWG spec changes
+  sws: malloc request struct instead of using stack
   
-  WHATWG URL has dictated the use of Nontransitional Processing (IDNA
-  2008) for several years now. Chrome (and derivatives) still use
-  Transitional Processing, but Firefox and Safari have both switched.
+  ... 2MB requests is otherwise just too big for some systems.
   
-  Also document the fact that winidn functions differently from libidn2
-  here.
+  (The allocations are not freed properly.)
   
-  Closes #7026
+  Bug: https://curl.se/mail/lib-2021-06/0018.html
+  
+  Closes #7235
 
-- [Calvin Buckley brought this change]
+- [Mark Swaanenburg brought this change]
 
-  INSTALL: add IBM i specific quirks
+  lib: don't compare fd to FD_SETSIZE when using poll
   
-  Fixes #6830
-  Closes #7013
-
-- libcurl.3: mention the URL API
+  FD_SETSIZE is irrelevant when using poll. So ensuring that the file
+  descriptor is smaller than FD_SETSIZE in VALID_SOCK, can cause
+  multi_wait to ignore perfectly valid file descriptors and simply wait
+  for 1s to avoid hammering the CPU in a busy loop.
   
-  To make it easier to find. Also a minor polish of libcurl-url.3
+  Fixes #7240
+  Closes #7241
+
+- [zhangxiuhua brought this change]
+
+  doh: fix wrong DEBUGASSERT for doh private_data
   
-  Closes #7009
+  Closes #7227
 
-- GnuTLS: don't allow TLS 1.3 for versions that don't support it
+- [yb999 brought this change]
+
+  tests: update README.md with a missing single quote
   
-  Follow-up to 781864bedbc5
+  Closes #7231
+
+- GHA: run all tests for hyper too
   
-  ... as they don't understand it and will return error at us!
+  As it lists disabled ones in DISABLED now
   
-  Closes #7014
+  Closes #7209
 
-Kamil Dudka (6 May 2021)
-- tool_getparam: handle failure of curlx_convert_tchar_to_UTF8()
+- tests/data/DISABLED: add tests not working with hyper
   
-  Reported by GCC analyzer:
+  The goal is to remove them all from here over time.
   
-  Error: GCC_ANALYZER_WARNING (CWE-476):
-  src/tool_getparam.c: scope_hint: In function 'parse_args'
-  src/tool_getparam.c:2318:38: warning[-Wanalyzer-possible-null-dereference]: dereference of possibly-NULL 'orig_opt'
-  lib/curlx.h:56: included_from: Included from here.
-  src/tool_getparam.c:28: included_from: Included from here.
-  lib/curl_multibyte.h:70:51: note: in definition of macro 'curlx_convert_tchar_to_UTF8'
-  src/tool_getparam.c:2316:16: note: in expansion of macro 'curlx_convert_tchar_to_UTF8'
+  Closes #7209
+
+- runtests: also find the last test in Makefile.inc
   
-  Reviewed-by: Marcel Raad
-  Reviewed-by: Daniel Stenberg
-  Closes #7023
+  Closes #7209
 
-Daniel Stenberg (6 May 2021)
-- scripts/delta: also show total number of days
+- test3010: work with hyper mode
+  
+  Closes #7209
 
-Marc Hoersken (5 May 2021)
-- sockfilt: fix invalid increment of handles index variable nfd
+- configure: disable RTSP when hyper is selected
   
-  Only increment the array index if we actually stored a handle.
+  Makes test 1013 work
   
-  Follow up to e917492048f4b85a0fd58a033d10072fc7666c3b
-  Closes #6992
+  Closes #7209
 
-- sockfilt: avoid getting stuck waiting for writable socket
-  
-  Reset FD_WRITE event using the same approach as in multi.c
+- test1594/1595/1596: fix to work in hyper mode
   
-  Follow up to b36442b24305f3cda7c13cc64b46838995a4985b
-  Closes #6992
+  Closes #7209
 
-Jay Satiro (5 May 2021)
-- test678: Fix for Windows multibyte builds
+- test1438/1457: add HTTP keyword to make hyper mode work
   
-  Follow-up to 77fc385 from yesterday.
+  Closes #7209
+
+- test1340/1341: adjusted for hyper mode
   
-  Bug: https://github.com/curl/curl/pull/6662#issuecomment-832966557
-  Reported-by: Marc Hörsken
+  Closes #7209
 
-- [Dmitry Kostjuchenko brought this change]
+- test1218: adjusted for hyper mode
+  
+  Closes #7209
 
-  build: fix compilation for Windows UWP platform
+- test1216: adjusted for hyper mode
   
-  - Include afunix.h which is necessary for sockaddr_un when
-    USE_UNIX_SOCKETS is defined on Windows.
+  Closes #7209
+
+- test1230: adjust to work in hyper mode
   
-  Closes https://github.com/curl/curl/pull/7006
+  Closes #7209
 
-Daniel Stenberg (5 May 2021)
-- gnutls: make setting only the MAX TLS allowed version work
+- c-hyper: abort CONNECT response reading early on non 2xx responses
   
-  Previously, settting only the max allowed TLS version, leaving the
-  minimum one at default, didn't actually set it and left it to default
-  (TLS 1.3) too!
+  Fixes test 493
   
-  As a bonus, this change also removes the dead code handling of SSLv3
-  since that version can't be set anymore (since eff614fb0242cb).
+  Closes #7209
+
+- test434: add HTTP keyword
   
-  Reported-by: Daniel Carpenter
-  Fixes #6998
-  Closes #7000
+  Closes #7209
 
-- openldap: replace ldap_ prefix on private functions
+- test599: adjusted to work in hyper mode
   
-  Since openldap itself uses that prefix and with OpenĹDAP 2.5.4 (at
-  least) there's a symbol collision because of that.
+  Closes #7209
+
+- c-hyper: fix the uploaded field in progress callbacks
   
-  The private functions now use the 'oldap_' prefix where it previously
-  used 'ldap_'.
+  Makes test 578 work
   
-  Reported-by: 3eka on github
-  Fixes #7004
-  Closes #7005
+  Closes #7209
 
-Jay Satiro (5 May 2021)
-- http2: fix potentially uninitialized variable
+- test566: adjust to work with hyper mode
   
-  introduced several days ago in 3193170. caught by visual studio linker.
+  Closes #7209
 
-- [Gilles Vollant brought this change]
+- [Fawad Mirza brought this change]
 
-  SSL: support in-memory CA certs for some backends
-  
-  - New options CURLOPT_CAINFO_BLOB and CURLOPT_PROXY_CAINFO_BLOB to
-    specify in-memory PEM certificates for OpenSSL, Schannel (Windows)
-    and Secure Transport (Apple) SSL backends.
-  
-  Prior to this change PEM certificates could only be imported from a file
-  and not from memory.
-  
-  Co-authored-by: moparisthebest@users.noreply.github.com
+  CURLOPT_WRITEFUNCTION.3: minor update of the example
   
-  Ref: https://github.com/curl/curl/pull/4679
-  Ref: https://github.com/curl/curl/pull/5677
-  Ref: https://github.com/curl/curl/pull/6109
+  Safely avoid chunk.size garbage value if declared non globally.
   
-  Closes https://github.com/curl/curl/pull/6662
+  Closes #7219
 
-Daniel Stenberg (4 May 2021)
-- [David Cook brought this change]
+- [Bastian Krause brought this change]
 
-  tests: ignore case of chunked hex numbers in tests
+  configure: rename get-easy-option configure option to get-easy-options
   
-  When hyper is used, it emits uppercase hexadecimal numbers for chunked
-  encoding lengths. Without hyper, lowercase hexadecimal numbers are used.
-  This change adds preprocessor statements to tests where this is an
-  issue, and adapts the fixtures to match.
+  "get-easy-options" is the configure option advertised by the help text
+  anyway, so use that.
   
-  Closes #6987
-
-- cmake: check for getppid and utimes
+  Fixes #7211
+  Closes #7213
   
-  ... as they're checked for in the configure script and are used by
-  source code.
+  Follow-up to ad691b191 ("configure: added --disable-get-easy-options")
+  Suggested-by: Daniel Stenberg <daniel@haxx.se>
+  Signed-off-by: Bastian Krause <bst@pengutronix.de>
+
+- runtests: skip disabled tests unless -f is used
   
-  Removed checks for perror, setvbuf and strlcat since those defines are
-  not checked for in source code.
+  To make it easier to write ranges like '115 to 229' without that
+  explicitly enabling tests that are listed in DISABLED, this makes
+  runtests always skip disabled tests unless the -f command line option is
+  used.
   
-  Bonus: removed HAVE_STRLCPY from a few config-*.h files since that
-  symbol is not used in source code.
+  Previously the code attempted to not run such tests, but didn't do it
+  correctly.
   
-  Closes #6997
+  Closes #7212
 
-- libtest: remove lib530.c
+- [Jun-ya Kato brought this change]
+
+  ngtcp2: disable TLSv1.3 compatible mode when using GnuTLS
   
-  Follow up from e50a877df when test 530 was removed. Since then this
-  source file has not been used/needed.
+  The latest GnuTLS-3.7.2 implements disable switch for TLSv1.3 compatible
+  mode for middle box but it is enabled by default, which is unnecessary
+  for QUIC.
   
-  Closes #6999
+  Fixes #6896
+  Closes #7202
 
-- FILEFORMAT: mention sectransp as a feature
-  
-  Been supported since at least 40259ca65
+- test644: remove as duplicate of test 587
   
-  Closes #7001
+  Closes #7208
 
+Daniel Gustafsson (8 Jun 2021)
 - RELEASE-NOTES: synced
 
-- libssh2: ignore timeout during disconnect
+- cookies: track expiration in jar to optimize removals
   
-  ... to avoid memory leaks!
+  Removing expired cookies needs to be a fast operation since we want to
+  be able to perform it often and speculatively. By tracking the timestamp
+  of the next known expiration we can exit early in case the timestamp is
+  in the future.
   
-  libssh2 is tricky as we have to deal with the non-blockiness even in
-  close and shutdown cases. In the cases when we shutdown after a timeout
-  already expired, it is crucial that curl doen't let the timeout abort
-  the shutdown process as that then leaks memory!
+  Closes: #7172
+  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+Daniel Stenberg (7 Jun 2021)
+- GHA: add several libcurl tests to the hyper job
   
-  Reported-by: Benjamin Riefenstahl
-  Fixes #6990
+  500 to 512
 
-- KNOWN_BUGS: add two HTTP/2 bugs
+- test500: adjust to work with hyper mode
 
-- KNOWN_BUGS: add three HTTP/3 issues
-  
-  ... and moved the HTTP/2 issues to its own section
+- c-hyper: support CURLINFO_STARTTRANSFER_TIME
   
-  Closes #6606
-  Closes #6510
-  Closes #6494
-
-- [ejanchivdorj brought this change]
+  Closes #7204
 
-  CURLcode: add CURLE_SSL_CLIENTCERT
+- c-hyper: support CURLOPT_HEADER
   
-  When a TLS server requests a client certificate during handshake and
-  none can be provided, libcurl now returns this new error code
-  CURLE_SSL_CLIENTCERT
+  When enabled, the headers are passed to the body write callback as well.
   
-  Only supported by Secure Transport and OpenSSL for TLS 1.3 so far.
+  Like in test 500
   
-  Closes #6721
-
-- [Tobias Gabriel brought this change]
+  Closes #7204
 
-  .github/FUNDING: add link to GitHub sponsors
+- GHA: run the newly fixed tests with hyper
   
-  Closes #6985
+  Closes #7205
 
-- [Harry Sintonen brought this change]
+- test433: adjust for hyper mode
+  
+  Closes #7205
 
-  krb5/name_to_level: replace checkprefix with curl_strequal
+- test395: hyper cannot work around > 64 bit content-lengths like built-in
   
-  Closes #6993
+  Closes #7205
 
-- [Harry Sintonen brought this change]
+- test394: hyper returns a different error
+  
+  Closes #7205
 
-  Curl_input_digest: require space after Digest
+- test393: make Content-Length fit within 64 bit for hyper
   
-  Closes #6993
+  Closes #7205
 
-- [Harry Sintonen brought this change]
+- test347: CRLFify to work in hyper mode
+  
+  Closes #7205
 
-  Curl_http_header: check for colon when matching Persistent-Auth
+- test339: CRLFify better to work in hyper mode
   
-  Closes #6993
+  Closes #7205
 
-- [Harry Sintonen brought this change]
+- travis: remove the hyper build
 
-  Curl_http_input_auth: require valid separator after negotiation type
+- GHA: add a linux-hyper job
   
-  Closes #6993
+  Closes #7206
 
-- http: fix the check for 'Authorization' with Bearer
+- test328: avoid a header-looking body to make hyper mode work
   
-  The code would wrongly check for it using an additional colon.
+  The test still works the same, just modified two bytes in the content.
   
-  Reported-by: Blake Burkhart
-  Closes #6988
+  Closes #7203
 
-- [Kamil Dudka brought this change]
+- release-notes.pl: also spot common 'closes' typo
 
-  http2: fix a resource leak in push_promise()
+- metalink: remove
   
-  ... detected by Coverity:
+  Warning: this will make existing curl command lines that use metalink to
+  stop working.
   
-  Error: RESOURCE_LEAK (CWE-772):
-  lib/http2.c:532: alloc_fn: Storage is returned from allocation function "duphandle".
-  lib/http2.c:532: var_assign: Assigning: "newhandle" = storage returned from "duphandle(data)".
-  lib/http2.c:552: noescape: Resource "newhandle" is not freed or pointed-to in "set_transfer_url".
-  lib/http2.c:555: leaked_storage: Variable "newhandle" going out of scope leaks the storage it points to.
+  Reasons for removal:
   
-  Closes #6986
-
-- [Kamil Dudka brought this change]
-
-  http2: fix resource leaks in set_transfer_url()
+  1. We've found several security problems and issues involving the
+     metalink support in curl. The issues are not detailed here. When
+     working on those, it become apparent to the team that several of the
+     problems are due to the system design, metalink library API and what
+     the metalink RFC says. They are very hard to fix on the curl side
+     only.
   
-  ... detected by Coverity:
+  2. The metalink usage with curl was only very briefly documented and was
+     not following the "normal" curl usage pattern in several ways, making
+     it surprising and non-intuitive which could lead to further security
+     issues.
   
-  Error: RESOURCE_LEAK (CWE-772):
-  lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
-  lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
-  lib/http2.c:486: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.]
-  lib/http2.c:488: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
+  3. The metalink library was last updated 6 years ago and wasn't so
+     active the years before that either. An unmaintained library means
+     there's a security problem waiting to happen. This is probably reason
+     enough.
   
-  Error: RESOURCE_LEAK (CWE-772):
-  lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
-  lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
-  lib/http2.c:493: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.]
-  lib/http2.c:495: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
+  4. Metalink requires an XML parsing library, which is complex code (even
+     the smaller alternatives) and to this day often gets security
+     updates.
   
-  Error: RESOURCE_LEAK (CWE-772):
-  lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
-  lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
-  lib/http2.c:500: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.]
-  lib/http2.c:502: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
+  5. Metalink is not a widely used curl feature. In the 2020 curl user
+     survey, only 1.4% of the responders said that they'd are using it. In
+     2021 that number was 1.2%. Searching the web also show very few
+     traces of it being used, even with other tools.
   
-  Error: RESOURCE_LEAK (CWE-772):
-  lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
-  lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
-  lib/http2.c:505: noescape: Resource "u" is not freed or pointed-to in "curl_url_get". [Note: The source code implementation of the function has been overridden by a builtin model.]
-  lib/http2.c:507: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
+  6. The torrent format and associated technology clearly won for
+     downloading large files from multiple sources in parallel.
   
-  Closes #6986
-
-- [Jacob Hoffman-Andrews brought this change]
+  Cloes #7176
 
-  rustls: use ALPN
+- docs/INSTALL: remove mentions of configure --with-darwin-ssl
   
-  Update required rustls to 0.5.0
+  ... as it isn't supported since a while back.
   
-  Closes #6960
+  Make configure fail with a warning if used.
+  
+  Reported-by: Vadim Grinshpun
+  Bug: https://curl.se/mail/lib-2021-06/0008.html
+  Closes #7200
 
-- [MAntoniak brought this change]
+- RELEASE-NOTES: synced
 
-  gskit: fix CURL_DISABLE_PROXY build
+- [Gregor Jasny brought this change]
+
+  cmake: Avoid leaking absolute paths into exported config
   
-  Removed localfd and remotefd from ssl_backend_data (ued only with proxy
-  connection). Function pipe_ssloverssl return always 0, when proxy is not
-  used.
+  The `find_libarary` command resolves the library or framework
+  into an absolute path. In case of system frameworks which are
+  located within an Xcode-provided SDK this results in the Xcode
+  path and SDK version being part of the library path.
   
-  Closes #6981
+  Because those library paths end up in the exported CMake config
+  importing curl will fail once the Xcode location or SDK version
+  changes:
+  
+  ```cmake
+  set_target_properties(CURL::libcurl PROPERTIES
+    INTERFACE_INCLUDE_DIRECTORIES "${_IMPORT_PREFIX}/include"
+    INTERFACE_LINK_LIBRARIES "lber;ldap;/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.3.sdk/System/Library/Frameworks/SystemConfiguration.framework;OpenSSL::SSL;OpenSSL::Crypto;ZLIB::ZLIB"
+  )
+  ```
+  
+  A work-around is to link against system-level frameworks with
+  `-framework XYZ`. In case of `SystemConfiguration` we might be able
+  to omit the lookup-check because we could assume the framework is
+  always present.
+  
+  Closes #7152
 
-- [MAntoniak brought this change]
+- [Shikha Sharma brought this change]
 
-  gskit: fix undefined reference to 'conn'
+  http2_connisdead: handle trailing GOAWAY better
   
-  Closes #6980
+  When checking the connection the input processing returns error
+  immediately, we now consider that a dead connnection.
+  
+  Bug: https://curl.se/mail/lib-2021-06/0001.html
+  Closes #7192
 
-- [Jacob Hoffman-Andrews brought this change]
+- [Dmitry Karpov brought this change]
 
-  tls: add USE_HTTP2 define
+  ares: always store IPv6 addresses first
   
-  This abstracts across the two HTTP/2 backends: nghttp2 and Hyper.
+  Trying dual-stack on some embedded platform, I noticed that quite
+  frequently (20%) libCurl starts from IPv4 regardless the Happy Eyeballs
+  timeout value.  After debugging this issue, I noticed that this happens
+  if c-ares resolver response for IPv6 family comes before IPv4 (which was
+  randomly happening in my tests).
   
-  Add our own define for the "h2" ALPN protocol, so TLS backends can use
-  it without depending on a specific HTTP backend.
+  In such cases, because libCurl puts the last resolver response on top of
+  the address list, when IPv4 resolver response comes after IPv6 one - the
+  IPv4 family starts the connection phase instead of IPv6 family.
   
-  Closes #6959
-
-- [Jacob Hoffman-Andrews brought this change]
-
-  lib: fix 0-length Curl_client_write calls
+  The solution for this issue is to always put IPv6 addresses on top of
+  the address list, regardless the order of resolver responses.
   
-  Closes #6954
-
-- [Jacob Hoffman-Andrews brought this change]
+  Bug: https://curl.se/mail/lib-2021-06/0003.html
+  
+  Closes #7188
 
-  lib: remove strlen call from Curl_client_write
+- Revert "Revert "socketpair: fix potential hangs""
   
-  At all call sites with an explicit 0 len, pass an appropriate nonzero
-  len.
+  This reverts commit 3e70c3430a370a31eff2c1d8fea29edaca8f1127.
   
-  Closes #6954
-
-- [Ayushman Singh Chauhan brought this change]
-
-  docs: camelcase it like GitHub everywhere
+  Thus brings back the change from #7144 as was originally landed in
+  c769d1eab4de8b
   
-  Closes #6979
+  Closes #7144 (again)
 
-Jay Satiro (27 Apr 2021)
-- [Lucas Servén Marín brought this change]
+- [Ebe Janchivdorj brought this change]
 
-  docs: fix typo in fail-with-body doc
-  
-  This commit fixes a small typo in the documentation for the
-  --fail-with-body flag.
+  schannel: move code out of SChannel_connect_step1
   
-  Closes https://github.com/curl/curl/pull/6977
+  Reviewed-by: Marc Hoersken
+  Closes #7168
 
-- lib: fix some misuse of curlx_convert_UTF8_to_tchar
+- tests/data/Makefile.inc: error: trailing backslash on last line
   
-  curlx_convert_UTF8_to_tchar must be freed by curlx_unicodefree, but
-  prior to this change some uses mistakenly called free.
-  
-  I've reviewed all other uses of curlx_convert_UTF8_to_tchar and
-  curlx_convert_tchar_to_UTF8.
-  
-  Bug: https://github.com/curl/curl/pull/6602#issuecomment-825236763
-  Reported-by: sergio-nsk@users.noreply.github.com
-  
-  Closes https://github.com/curl/curl/pull/6938
+  Follow-up to d8dcb399b8009d
 
-Daniel Stenberg (27 Apr 2021)
-- ntlm: precaution against super huge type2 offsets
+- TODO: Support rate-limiting for MQTT
+
+- [Dmitry Kostjuchenko brought this change]
+
+  warnless: simplify type size handling
   
-  ... which otherwise caused an integer overflow and circumvented the if()
-  conditional size check.
+  By using sizeof(T), existing defines and relying on the compiler to
+  define the required signed/unsigned mask.
   
-  Detected by OSS-Fuzz
-  Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33720
-  Assisted-by: Max Dymond
-  Closes #6975
-
-- c-hyper: fix unused variable ‘wrote’
+  Closes #7181
 
-- libcurl-security.3: be careful of setuid
+Gisle Vanem (4 Jun 2021)
+- [Win32] Fix for USE_WATT32
   
-  Reported-by: Harry Sintonen
-  Closes #6970
+  My Watt-32 tcp/ip stack works on Windows but it does not have `WSAIoctl()`
 
-- [Kevin Burke brought this change]
+Daniel Stenberg (4 Jun 2021)
+- [Alexis Vachette brought this change]
 
-  c-hyper: don't write to set.writeheader if null
-  
-  Previously if a caller set CURLOPT_WRITEFUNCTION but did not set a
-  CURLOPT_HEADERDATA buffer, Hyper would still attempt to write headers to
-  the data->set.writeheader header buffer, even though it is null.  This
-  led to NPE segfaults attempting to use libcurl+Hyper with Git, for
-  example.
+  url: bad CURLOPT_CONNECT_TO syntax now returns error
   
-  Instead, process the client write for the status line using the same
-  logic we use to process the client write for the later HTTP headers,
-  which contains the appropriate guard logic. As a side benefit,
-  data->set.writeheader is now only read in one file instead of two.
+  Added test 3020 to verify
   
-  Fixes #6619
-  Fixes abetterinternet/crustls#49
-  Fixes hyperium/hyper#2438
-  Closes #6971
+  Closes #7183
 
-- wolfssl: handle SSL_write() returns 0 for error
+- github: remove the cmake macOS gcc-8 jobs
   
-  Reported-by: Timo Lange
+  They're too similar to the gcc-9 ones to be useful (and seems to not
+  work anymore).
   
-  Closes #6967
+  Closes #7187
 
-- easy: ignore sigpipe in curl_easy_send
+- test269: disable for hyper
   
-  Closes #6965
-
-- sigpipe: ignore SIGPIPE when using wolfSSL as well
+  --ignore-content-length / CURLOPT_IGNORE_CONTENT_LENGTH doesn't work
+  with hyper.
   
-  Closes #6966
+  Closes #7184
 
-- libcurl-security.3: don't try to filter IPv4 hosts based on the URL
+- runtests: enable 'hyper mode' only for HTTP tests
   
-  Closes #6942
+  The 'hyper mode' makes line-ending checks work in the test suite for
+  when hyper is used. Now it also requires that HTTP or HTTPS are
+  mentioned as keywords to be enabled so that it doesn't wrongly adjusts
+  tests for other protocols.
+  
+  This makes test 271 (TFTP) work again in hyper enabled builds.
+  
+  Closes #7185
 
-- [Harry Sintonen brought this change]
+- [Alexis Vachette brought this change]
 
-  nss_set_blocking: avoid static for sock_opt
+  hostip: bad CURLOPT_RESOLVE syntax now returns error
   
-  Reviewed-by: Kamil Dudka
-  Closes #6945
-
-- RELEASE-NOTES: synced
+  Added test 3019
+  Fixes #7170
+  Closes #7174
 
-- [Yusuke Nakamura brought this change]
+Daniel Gustafsson (3 Jun 2021)
+- cookies: fix typo and expand comment
+  
+  Fix a typo in the sorting comment, and while in there elaborate slightly
+  on why creationtime can be used as a tiebreaker.
 
-  docs/HTTP3.md: fix nghttp2's HTTP/3 server port
+- cookies: remove unused header
   
-  Port 8443 does not work now.
-  Correct origin is in the quicwg's wiki.
-  https://github.com/quicwg/base-drafts/wiki/Implementations#ngtcp2
+  Commit 1c1d9f1affbd3367bcb24062e261d0ea5d185e3a removed the last use
+  for the inet_pton.h headerfile, this removes the inclusion of the
+  header.
   
-  Closes #6964
+  Closes: #7182
+  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
 
-- krb5: don't use 'static' to store PBSZ size response
+Daniel Stenberg (3 Jun 2021)
+- Revert "socketpair: fix potential hangs"
   
-  ... because it makes the knowledge and usage cross-transfer in funny and
-  unexpected ways.
+  This reverts commit c769d1eab4de8b9f1bd84d992c63692fdc43c5be.
   
-  Reported-by: Harry Sintonen
-  Closes #6963
+  See #7144 for details
 
-- [Kevin Burke brought this change]
+- [Paul Groke brought this change]
 
-  m4: add security frameworks on Mac when compiling rustls
-  
-  Previously compiling rustls on Mac would only complete if you also
-  compiled the SecureTransport TLS backend, which curl would prefer to
-  the Rust backend.
+  socketpair: fix potential hangs
   
-  Appending these flags to LDFLAGS makes it possible to compile the
-  Rustls backend on Mac without the SecureTransport backend, which means
-  this patch will make it possible for Mac users to use the Rustls
-  backend for TLS.
+  Fixes potential hang in accept by using select + non-blocking accept.
   
-  Reviewed-by: Jacob Hoffman-Andrews
+  Fixes potential hang in peer check by replacing the send/recv check with
+  a getsockname/getpeername check.
   
-  Fixes #6955
-  Cloes #6956
-
-- krb5: remove the unused 'overhead' function
+  Adds length check for returned sockaddr data.
   
-  Closes #6947
-
-- [Johann150 brought this change]
+  Closes #7144
 
-  curl_url_set.3: add memory management information
+- runtests: parse data/Makefile.inc instead of using make
   
-  wording taken from man page for CURLOPT_URL.3
+  The warning about missing entries in that file then doesn't require that
+  the Makefile has been regenerated which was confusing.
   
-  As far as I can see, the URL part is either malloc'ed before due to
-  encoding or it is strdup'ed.
+  The scan for the test num is a little more error prone than before
+  (since now it doesn't actually verify that it is legitimate Makefile
+  syntax), but I think it is good enough.
   
-  Closes #6953
+  Closes #7177
 
-- [Jacob Hoffman-Andrews brought this change]
+- [Harry Sintonen brought this change]
 
-  c-hpyer: fix handling of zero-byte chunk from hyper
+  filecheck: quietly remove test-place/*~
   
-  Closes #6951
+  Closes #7179
 
-- CURLOPT_POSTFIELDS.3: clarify how it gets the size of the data
+- CURLE_SETOPT_OPTION_SYNTAX: new error name for wrong setopt syntax
   
-  Ref: https://curl.se/mail/lib-2021-04/0085.html
-  Closes #6943
-
-- [Ralph Langendam brought this change]
-
-  cmake: make libcurl output filename configurable
+  For options that pass in lists or strings that are subsequently parsed
+  and must be correct. This broadens the scope for the option previously
+  known as CURLE_TELNET_OPTION_SYNTAX but the old name is of course still
+  provided as a #define for existing applications.
   
-  Reviewed-by: Jakub Zakrzewski
-  Closes #6933
-
-- [Patrick Monnerat brought this change]
+  Closes #7175
 
-  vtls: reset ssl use flag upon negotiation failure
+- tests: fix Accept-Encoding strips to work with Hyper builds
   
-  Fixes the segfault in ldaps disconnect.
+  The previous strip also removed the CR which turned problematic.
   
-  Reported-by: Illarion Taev
-  Fixes #6934
-  Closes #6937
-
-- configure: fix typo in TLS error message
+  valgrind.supp: add zstd suppression using hyper
   
-  Reported-by: Pontus Lundkvist
+  Reported-and-analyzed-by: Kevin Burke
+  Fixes #7169
+  Closes #7171
 
-- README: link to the commercial support option
+- github: timeout jobs on macOS after 90 minutes
+  
+  Assisted-by: Marc Hoersken
+  Closes #7173
 
-Jay Satiro (22 Apr 2021)
-- [Martin Halle brought this change]
+- [Harry Sintonen brought this change]
 
-  version: add gsasl_version to curl_version_info_data
-  
-  - Add gsasl_version string and bump to CURLVERSION_TENTH.
-  
-  Ref: https://curl.se/mail/lib-2021-04/0003.html
+  mqtt: detect illegal and too large file size
   
-  Closes https://github.com/curl/curl/pull/6843
+  Add test 3017 and 3018 to verify.
+  Closes #7166
 
-- [Morten Minde Neergaard brought this change]
+- [theawless brought this change]
 
-  schannel: Support strong crypto option
+  cmake: add CURL_DISABLE_NTLM option
   
-  - Support enabling strong crypto via optional user cipher list when
-    USE_STRONG_CRYPTO or SCH_USE_STRONG_CRYPTO is in the list.
+  Closes #7028
+
+- [theawless brought this change]
+
+  configure: add --disable-ntlm option
   
-  MSDN says SCH_USE_STRONG_CRYPTO "Instructs Schannel to disable known
-  weak cryptographic algorithms, cipher suites, and SSL/TLS protocol
-  versions that may be otherwise enabled for better interoperability."
+  Closes #7028
+
+- [theawless brought this change]
+
+  define: re-add CURL_DISABLE_NTLM and corresponding ifdefs
   
-  Ref: https://curl.se/mail/lib-2021-02/0066.html
-  Ref: https://curl.se/docs/manpage.html#--ciphers
-  Ref: https://curl.se/libcurl/c/CURLOPT_SSL_CIPHER_LIST.html
-  Ref: https://docs.microsoft.com/en-us/windows/win32/api/schannel/ns-schannel-schannel_cred
+  This flag will be further exposed by adding build options.
   
-  Closes https://github.com/curl/curl/pull/6734
+  Reverts #6809
+  Closes #7028
 
-Daniel Stenberg (22 Apr 2021)
 - RELEASE-NOTES: synced
 
-- ci: adapt to configure requiring an explicit TLS choice
-
-- configure: split out each TLS library detector into its own function
+Viktor Szakats (1 Jun 2021)
+- travis: delete --enable-hsts option (it is the default now) [ci skip]
   
-  ... and put those functions in separate m4 files per TLS library.
+  Reviewed-by: Daniel Stenberg
+  Closes #7167
 
-- configure: make the TLS library choice(s) explicit
+Daniel Stenberg (1 Jun 2021)
+- hostip: fix 3 coverity complaints
   
-  configure no longer tries to find a TLS library by default, but all
-  libraries are now equal: the user needs to explicitly ask what TLS
-  library or libraries to use.
+  Follow-up to 1a0ebf6632f889eed
   
-  If no TLS library is selected, configure will error out unless
-  --without-ssl is explicitly used to request a built without TLS (as that
-  is very rare these days).
+  - Check the return code to Curl_inet_pton() in two instances, even
+    though we know the input is valid so the functions won't fail.
   
-  Removes: --with-winssl, --with-darwinssl and all --without-* options for
-  TLS libraries.
+  - Clear the 'struct sockaddr_in' struct before use so that the
+    'sin_zero' field isn't left uninitialized.
   
-  Closes #6897
+  Detected by Coverity.
+  Assisted-by: Harry Sintonen
+  Closes #7163
 
-- tests/disable-scan.pl: also scan all m4 files
+- c-hyper: fix NTLM on closed connection tested with test159
   
-  Fixes test 1165 when functions are moved from configure.ac to files in
-  m4/
+  Closes #7154
 
-Jay Satiro (22 Apr 2021)
-- schannel: Disable auto credentials; add an option to enable it
+- conncache: lowercase the hash key for better match
   
-  - Disable auto credentials by default. This is a breaking change
-    for clients that are using it, wittingly or not.
+  As host names are case insensitive, the use of case sensitive hashing
+  caused unnecesary cache misses and therefore lost performance. This
+  lowercases the hash key.
   
-  - New libcurl ssl option value CURLSSLOPT_AUTO_CLIENT_CERT tells libcurl
-    to automatically locate and use a client certificate for
-    authentication, when requested by the server.
+  Reported-by: Harry Sintonen
+  Fixes #7159
+  Closes #7161
+
+- mbedtls: make mbedtls_strerror always work
   
-  - New curl tool options --ssl-auto-client-cert and
-    --proxy-ssl-auto-client-cert map to CURLSSLOPT_AUTO_CLIENT_CERT.
+  If the function doesn't exist, provide a macro that just clears the
+  error message. Removes #ifdef uses from the code.
   
-  This option is only supported for Schannel (the native Windows SSL
-  library). Prior to this change Schannel would, with no notification to
-  the client, attempt to locate a client certificate and send it to the
-  server, when requested by the server. Since the server can request any
-  certificate that supports client authentication in the OS certificate
-  store it could be a privacy violation and unexpected.
+  Closes #7162
+
+- vtls: exit addsessionid if no cache is inited
   
-  Fixes https://github.com/curl/curl/issues/2262
-  Reported-by: Jeroen Ooms
-  Assisted-by: Wes Hinsley
-  Assisted-by: Rich FitzJohn
+  Follow-up to b249592d29ae0
   
-  Ref: https://curl.se/mail/lib-2021-02/0066.html
-  Reported-by: Morten Minde Neergaard
+  Avoids NULL pointer derefs.
   
-  Closes https://github.com/curl/curl/pull/6673
+  Closes #7165
 
-Daniel Stenberg (22 Apr 2021)
-- [Michał Antoniak brought this change]
+- [Harry Sintonen brought this change]
 
-  vtls: deduplicate some DISABLE_PROXY ifdefs
+  Curl_ntlm_core_mk_nt_hash: fix OOM in error path
   
-  continue from #5735
+  Closes #7164
+
+Michael Kaufmann (1 Jun 2021)
+- ssl: read pending close notify alert before closing the connection
   
-  - using SSL_HOST_NAME, SSL_HOST_DISPNAME, SSL_PINNED_PUB_KEY for other
-    tls backend
+  This avoids a TCP reset (RST) if the server initiates a connection
+  shutdown by sending an SSL close notify alert and then closes the TCP
+  connection.
   
-  - create SSL_HOST_PORT
+  For SSL connections, usually the server announces that it will close the
+  connection with an SSL close notify alert. curl should read this alert.
+  If curl does not read this alert and just closes the connection, some
+  operating systems close the TCP connection with an RST flag.
   
-  Closes #6660
+  See RFC 1122, section 4.2.2.13
+  
+  If curl reads the close notify alert, the TCP connection is closed
+  normally with a FIN flag.
+  
+  The new code is similar to existing code in the "SSL shutdown" function:
+  try to read an alert (non-blocking), and ignore any read errors.
+  
+  Closes #7095
 
-Jay Satiro (22 Apr 2021)
-- OS400: fix typo
+Daniel Stenberg (1 Jun 2021)
+- [Laurent Dufresne brought this change]
+
+  setopt: fix incorrect comments
   
-  CURLVERSION_HEIGHTH -> CURLVERSION_EIGHTH
+  Closes #7157
 
-Daniel Stenberg (22 Apr 2021)
-- checksrc: complain on == NULL or != 0 checks in conditions
+- [Laurent Dufresne brought this change]
+
+  mbedtls: add support for cert and key blob options
   
-  ... to make them all consistenly use if(!var) and if(var)
+  CURLOPT_SSLCERT_BLOB and CURLOPT_SSLKEY_BLOB weren't usable with
+  mbedtls backend, so the support was added.
   
-  Also added a few missing warnings to the documentation.
+  Closes #7157
+
+- [Gregor Jasny brought this change]
+
+  cmake: try well-known send/recv signature for Apple
   
-  Closes #6912
+  The CMake `try_compile` command is especially slow for
+  the Xcode generator. With this patch applied it first tests
+  for the currently used (and Open Group specified) send/recv
+  signature. In case this fails testing falls-back to the
+  permutations.
+  
+  speed-up:
+  
+  ```
+  time cmake .. -GNinja -DCMAKE_USE_SECTRANSP=ON -DHTTP_ONLY=ON -DCMAKE_USE_LIBSSH2=OFF
+  before: 11.64s user 11.09s system 55% cpu 40.754 total
+  after:   7.84s user 6.57s  system 51% cpu 28.074 total
+  ```
+  
+  ```
+  time cmake .. -GXcode -DCMAKE_USE_SECTRANSP=ON -DHTTP_ONLY=ON -DCMAKE_USE_LIBSSH2=OFF
+  before: 217.07s user 104.15s system 60% cpu 8:51.79 total
+  after:  108.76s user  51.80s system 58% cpu 4:32.58 total
+  ```
+  
+  Closes #7158
 
-- tidy-up: make conditional checks more consistent
+- http2: init recvbuf struct for pushed streams
   
-  ... remove '== NULL' and '!= 0'
+  Debug builds would warn that these structs were not initialized properly
+  for pushed streams.
   
-  Closes #6912
+  Ref: #7148
+  Closes #7153
 
-- [Patrick Monnerat brought this change]
+- Curl_ssl_getsessionid: fail if no session cache exists
+  
+  This function might get called for an easy handle for which the session
+  cache hasn't been setup. It now just returns a "miss" in that case.
+  
+  Reported-by: Christoph M. Becker
+  Fixes #7148
+  Closes #7153
 
-  vauth: factor base64 conversions out of authentication procedures
+- GOVERNANCE: add 'user', 'committer' and 'contributor'
   
-  Input challenges and returned messages are now in binary.
-  Conversions from/to base64 are performed by callers (currently curl_sasl.c
-  and http_ntlm.c).
+  As those are commonly used terms in the project.
   
-  Closes #6654
+  Closes #7151
 
-- [Patrick Monnerat brought this change]
+- URL-SYNTAX.md: document the new 'localhost' treatment
 
-  bufref: buffer reference support
+- hostip: make 'localhost' return fixed values
   
-  A struct bufref holds a buffer pointer, a data size and a destructor.
-  When freed or its contents are changed, the previous buffer is implicitly
-  released by the associated destructor. The data size, although not used
-  internally, allows binary data support.
+  Resolving the case insensitive host name 'localhost' now returns the
+  addresses 127.0.0.1 and (if IPv6 is enabled) ::1 without using any
+  resolver.
   
-  A unit test checks its handling methods: test 1661
+  This removes the risk that users accidentally resolves 'localhost' to
+  something else. By making sure 'localhost' is always local, we can
+  assume a "secure context" for such transfers (for cookies etc).
   
-  Closes #6654
+  Closes #7039
 
-- [Patrick Monnerat brought this change]
+Daniel Gustafsson (31 May 2021)
+- docs: fix typos
 
-  os400: additional support for options metadata
+Daniel Stenberg (30 May 2021)
+- hsts: ignore numberical IP address hosts
   
-  New functions curl_easy_option_by_name_ccsid() and
-  curl_easy_option_get_name_ccsid() allows accessing metadata in alternate
-  character encoding.
+  Also, use a single function library-wide for detecting if a given hostname is
+  a numerical IP address.
   
-  This commit also updates curl_version_info_ccsid() to handle info version 9
-  and adds recent definitions to the ILE/RPG include file.
+  Reported-by: Harry Sintonen
+  Fixes #7146
+  Closes #7149
+
+- test178: adjust for hyper
   
-  Documentation updated accordingly.
+  Hyper returns the same error for wrong HTTP version as for negative
+  content-length. Test 178 verifies that negative content-length is
+  rejected but the hyper backend will return a different error for it (and
+  without any helpful message telling why the message was bad). It will
+  also not return any headers at all for the response, not even the ones
+  that arrived before the error.
   
-  Reviewed-by: Jon Rumsey
-  Closes #6574
+  Closes #7147
 
-- [Patrick Monnerat brought this change]
+- HYPER: remove mentions of deprecated development branch
 
-  test server: take care of siginterrupt() deprecation
+- c-hyper: handle NULL from hyper_buf_copy()
   
-  Closes #6529
+  Closes #7143
 
-Marc Hoersken (21 Apr 2021)
-- lib1564.c: enable last wakeup test part on Windows
+- HSTS: not experimental anymore
+
+- [Douglas R. Reno brought this change]
+
+  INSTALL: use correct extension for CURL-DISABLE.md
   
-  Suggested-by: Gergely Nagy
-  Reviewed-by: Jay Satiro
-  Reviewed-by: Marcel Raad
+  In INSTALL.MD, it's currently set to CURL-DISABLE-md instead of
+  CURL-DISABLE.md. This generates a 404 on the cURL website as well as
+  when viewing the docs through Github.
   
-  Closes #6245
+  Closes #7142
 
-- multi: fix slow write/upload performance on Windows
+- travis: run tests 1 - 153 with hyper
+
+- c-hyper: convert HYPERE_INVALID_PEER_MESSAGE to CURLE_UNSUPPORTED_PROTOCOL
   
-  Reset FD_WRITE by sending zero bytes which is permissible
-  and will be treated by implementations as successful send.
+  Makes test 129 work (HTTP/1.2 response).
   
-  Without this we won't be notified in case a socket is still
-  writable if we already received such a notification and did
-  not send any data afterwards on the socket. This would lead
-  to waiting forever on a writable socket being writable again.
+  Closes #7141
+
+- http_proxy: deal with non-200 CONNECT response with Hyper
   
-  Assisted-by: Tommy Odom
-  Reviewed-by: Jay Satiro
-  Reviewed-by: Marcel Raad
-  Tested-by: tmkk on github
+  Makes test 94 and 95 work
   
-  Bug: #6146
-  Closes #6245
+  Closes #7141
 
-- multi: reduce Win32 API calls to improve performance
+- c-hyper: clear NTLM auth buffer when request is issued
   
-  1. Consolidate pre-checks into a single Curl_poll call:
+  To prevent previous ones to get reused on subsequent requests. Matches
+  how the built-in HTTP code works. Makes test 90 to 93 work.
   
-  This is an attempt to restructure the code in Curl_multi_wait
-  in such a way that less syscalls are made by removing individual
-  calls to Curl_socket_check via SOCKET_READABLE/SOCKET_WRITABLE.
+  Add test 90 to 93 in travis.
   
-  2. Avoid resetting the WinSock event multiple times:
+  Closes #7139
+
+- [Joel Depooter brought this change]
+
+  schannel: set ALPN length correctly for HTTP/2
   
-  We finally call WSAResetEvent anyway, so specifying it as
-  an optional parameter to WSAEnumNetworkEvents is redundant.
+  In a3268eca792f1 this code was changed to use the ALPN_H2 constant
+  instead of the NGHTTP2_PROTO_ALPN constant. However, these constants are
+  not the same. The nghttp2 constant included the length of the string,
+  like this: "\x2h2". The ALPN_H2 constant is just "h2". Therefore we need
+  to re-add the length of the string to the ALPN buffer.
   
-  3. Wakeup directly in case no sockets are being monitoring:
+  Closes #7138
+
+- travis: run tests 1-89 in the hyper build
   
-  Fix the WinSock based implementation to skip extra waiting by
-  not sleeping in case no sockets are to be waited on and just
-  the WinSock event is being monitored for wakeup functionality.
+  Closes #7137
+
+- Revert "c-hyper: handle body on HYPER_TASK_EMPTY"
   
-  Assisted-by: Tommy Odom
-  Reviewed-by: Jay Satiro
-  Reviewed-by: Marcel Raad
+  This reverts commit c3eefa95c31f55657f0af422e8268d738f689066.
   
-  Bug: #6146
-  Closes #6245
+  Reported-by: Kevin Burke
+  Fixes #7122
+  Closes #7136
 
-- Revert "Revert 'multi: implement wait using winsock events'"
-  
-  This reverts commit 2260e0ebe6d45529495231b3e37a0c58fb92a6a2,
-  also restoring previous follow up changes which were reverted.
+- [Jon Rumsey brought this change]
+
+  ccsidcurl: fix the compile errors
   
-  Authored-by: rcombs on github
-  Authored-by: Marc Hörsken
-  Reviewed-by: Jay Satiro
-  Reviewed-by: Marcel Raad
+  Looks like the declaration of cpp shoule be const char ** and return
+  null if convert_version_info_string fails.
   
-  Restores #5634
-  Reverts #6281
-  Part of #6245
+  Fixes #7134
+  Closes #7135
 
-Daniel Stenberg (21 Apr 2021)
-- Revert "cmake: make libcurl library output name configurable"
+- [Viktor Szakats brought this change]
+
+  docs: use --max-redirs instead of --max-redir
   
-  This reverts commit 1cba36d2166c396f987eea587cf92671b27acb92.
+  For consistency.
   
-  CMake provides properties that can be set on a target to rename the
-  output artifact without changing the name of a target.
+  Closes #7130
+
+- RELEASE-NOTES: synced
   
-  Ref: #6899
+  ... and bump to 7.77.1
 
-- [Michael Kolechkin brought this change]
+- [Michael Forney brought this change]
 
-  sectransp: allow cipher name to be specified
+  travis: add bearssl build
   
-  Add parser for CURLOPT_SSL_CIPHER_LIST option for Secure Transport (ST)
-  back-end. Similar to NSS and GSKit back-ends, new code parses string
-  value and configures ST library to use those ciphers for communication.
-  Create cipher spec data structure and initialize the array of specs with
-  cipher number, name, alias, and 'weak' flag.
+  Closes #7133
+
+- [Michael Forney brought this change]
+
+  bearssl: explicitly initialize all fields of Curl_ssl
   
-  Mark triple-DES ciphers as 'weak', and exclude them from the default
-  ciphers list.
+  Also, add comments like the other vtls backends.
   
-  Closes #6464
+  Closes #7133
 
-- [Michael Kolechkin brought this change]
+- [Michael Forney brought this change]
 
-  NSS: add ciphers to map
+  bearssl: remove incorrect const on variable that is modified
   
-  Add cipher names to the `cipherlist` map, based on the list of ciphers
-  implemented by the NSS in the source code file
-  https://github.com/nss-dev/nss/blob/master/lib/ssl/sslenum.c
+  hostname may be set to NULL later on in this function if it is an
+  IP address.
   
-  Closes #6670
+  Closes #7133
 
-- http2: remove DEBUG_HTTP2
-  
-  Accidentally committed in 605e84235
+Version 7.77.0 (26 May 2021)
 
-- [Ralph Langendam brought this change]
+Daniel Stenberg (26 May 2021)
+- RELEASE-NOTES: synced
 
-  cmake: make libcurl library output name configurable
-  
-  Closes #6899
+- THANKS: added contributors from 7.77.0 cycle
 
-- sws: #ifdef S_IFSOCK use
+- copyright: update copyright year ranges to 2021
+
+- [Radek Zajic brought this change]
+
+  hostip: fix broken macOS/CMake/GCC builds
   
-  SCO OpenServer 5.0.7 does not define S_IFSOCK.
+  Follow-up to 31f631a142d855f06
   
-  Reported-by: Kevin R. Bulgrien
-  Bug: https://curl.se/mail/lib-2021-04/0074.html
-  Closes #6926
+  Fixes #7128
+  Closes #7129
 
-- curl_setup: provide the shutdown flags wider
-  
-  By using #ifdef on the symbol names to work on anything that don't
-  provide them. SCO OpenServer 5.0.7, sys/socket.h does not define either
-  SHUT_RDWR, SHUT_RD, and SHUT_WR.
+- TODO: netrc caching and sharing
   
-  Reported-by: Kevin R. Bulgrien
-  Bug: https://curl.se/mail/lib-2021-04/0073.html
-  Closes #6925
+  URL: https://curl.se/mail/archive-2021-05/0018.html
 
-- connect: use CURL_SA_FAMILY_T for portability
+- [Orgad Shaneh brought this change]
+
+  setopt: streamline ssl option code
   
-  Reported-by: Kevin R. Bulgrien
-  Bug: https://curl.se/mail/lib-2021-04/0071.html
+  Make it use the same style as the code next to it
   
-  Closes #6918
+  Closes #7123
 
-- urlapi: make sure no +/- signs are accepted in IPv4 numericals
-  
-  Follow-up to 56a037cc0ad1b2. Extends test 1560 to verify.
+- [Radek Zajic brought this change]
+
+  lib/hostip6.c: make NAT64 address synthesis on macOS work
   
-  Reported-by: Tuomas Siipola
-  Fixes #6916
-  Closes #6917
+  Closes #7121
 
-- ConnectionExists: respect requests for h1 connections better
+- [ejanchivdorj brought this change]
+
+  sectransp: fix EXC_BAD_ACCESS caused by uninitialized buffer
   
-  ... for situations when multiplexing isn't enabled on the h2 connection
-  and h1 is explicitly requested for the transfer.
+  When the SecCertificateCopyCommonName function fails, it leaves
+  common_name in a invalid state so CFStringCompare uses the invalid
+  result, causing EXC_BAD_ACCESS.
   
-  Assisted-by: Gergely Nagy
-
-- multi: don't close connection HTTP_1_1_REQUIRED
+  The fix is to check the return value of the function before using the
+  name.
   
-  The ConnectionExists() function will note that the new transfer wants
-  less then h2 and that it can't multiplex it and therefor opt to open a
-  new connection instead.
+  Closes #7126
 
-- http2: move the stream error field to the per-transfer storage
+- [Paweł Wegner brought this change]
+
+  CMake: add CURL_ENABLE_EXPORT_TARGET option
   
-  Storing a stream error in the per-connection struct was an error that lead to
-  race conditions as subsequent stream handling could overwrite the error code
-  before it was used for the stream with the actual problem.
+  install(EXPORT ...) causes trouble when embedding curl dependencies
+  which don't provide install(EXPORT ...) targets (e.g libressl and
+  nghttp2) with cmake's add_subdirectory.
   
-  Closes #6910
+  Reviewed-by: Jakub Zakrzewski
+  Closes #7060
 
-- http2: call the handle-closed function correctly on closed stream
+- [Alessandro Ghedini brought this change]
+
+  quiche: update for network path aware API
   
-  This was this one condition where the stream could be closed due to an
-  error and the function would still wrongly just return 0 for it.
+  Latest version of quiche requires the application to pass the peer
+  address of received packets, and it provides the address for outgoing
+  packets back.
   
-  Reported-by: Gergely Nagy
-  Fixes #6862
-  Closes #6910
+  Closes #7120
 
-- test1660: check the created HSTS file as text mode
+- [Jacob Hoffman-Andrews brought this change]
+
+  rustls: switch read_tls and write_tls to callbacks
   
-  Closes #6922
+  And update to 0.6.0, including a rename from session to connection for
+  many fields.
+  
+  Closes #7071
 
-- RELEASE-NOTES: synced
+- [Koichi Shiraishi brought this change]
 
-- test 493: require https in curl to run
+  sectransp: fix 7f4a9a9b2a49 commit about missing comma
   
-  Closes #6927
-
-Jay Satiro (20 Apr 2021)
-- tool_operate: don't discard failed parallel transfer result
+  Follow-up to 7f4a9a9b2a495
   
-  - Save a parallel transfer's result code only when it fails and the
-    transfer is not being retried.
+  Closes #7119
+
+- [Harry Sintonen brought this change]
+
+  openssl: associate/detach the transfer from connection
   
-  Prior to this change the result code was always set which meant that a
-  failed result could be erroneously discarded if a different transfer
-  later had a successful result (CURLE_OK).
+  CVE-2021-22901
   
-  Before:
+  Bug: https://curl.se/docs/CVE-2021-22901.html
+
+- [Harry Sintonen brought this change]
+
+  telnet: check sscanf() for correct number of matches
   
-  > curl --fail -Z https://httpbin.org/status/404 https://httpbin.org/delay/10
-  > echo %ERRORLEVEL%
-  0
+  CVE-2021-22898
   
-  After:
+  Bug: https://curl.se/docs/CVE-2021-22898.html
+
+- schannel: don't use static to store selected ciphers
   
-  > curl --fail -Z https://httpbin.org/status/404 https://httpbin.org/delay/10
-  > echo %ERRORLEVEL%
-  22
+  CVE-2021-22897
   
-  Closes #xxxx
+  Bug: https://curl.se/docs/CVE-2021-22897.html
 
-- [Georeth Zhou brought this change]
+- docs/tests: remove freenode references
 
-  openssl: fix build error with OpenSSL < 1.0.2
-  
-  Closes https://github.com/curl/curl/pull/6920
+- RELEASE-NOTES: synced
 
-Viktor Szakats (19 Apr 2021)
-- README.md: delete Codacy UTM parameters & follow permanent redirect [ci skip]
-  
-  UTM parameters leak referrer and various marketing/tracking information
-  even if these would normally be stripped by website or client policy.
-  This link also works fine without them. Also took the opportunity to
-  update the URL to the one pointed to by the previous one via permanent
-  redirect.
-  
-  Reviewed-by: Daniel Stenberg
-  Closes #6919
+- [Sergey Markelov brought this change]
 
-Daniel Stenberg (19 Apr 2021)
-- urlapi: "normalize" numerical IPv4 host names
+  NSS: make colons, commas and spaces valid separators in cipher list
   
-  When the host name in a URL is given as an IPv4 numerical address, the
-  address can be specified with dotted numericals in four different ways:
-  a32, a.b24, a.b.c16 or a.b.c.d and each part can be specified in
-  decimal, octal (0-prefixed) or hexadecimal (0x-prefixed).
-  
-  Instead of passing on the name as-is and leaving the handling to the
-  underlying name functions, which made them not work with c-ares but work
-  with getaddrinfo, this change now makes the curl URL API itself detect
-  and "normalize" host names specified as IPv4 numericals.
-  
-  The WHATWG URL Spec says this is an okay way to specify a host name in a
-  URL. RFC 3896 does not allow them, but curl didn't prevent them before
-  and it seems other RFC 3896-using tools have not either. Host names used
-  like this are widely supported by other tools as well due to the
-  handling being done by getaddrinfo and friends.
-  
-  I decided to add the functionality into the URL API itself so that all
-  users of these functions get the benefits, when for example wanting to
-  compare two URLs. Also, it makes curl built to use c-ares now support
-  them as well and make curl builds more consistent.
-  
-  The normalization makes HTTPS and virtual hosted HTTP work fine even
-  when curl gets the address specified using one of the "obscure" formats.
-  
-  Test 1560 is extended to verify.
-  
-  Fixes #6863
-  Closes #6871
+  Fixes #7110
+  Closes #7115
 
-- libssh: fix "empty expression statement has no effect" warnings
-  
-  ... by fixing macros to do-while constructs and moving out the calls to
-  "break" outside of the actual macro. It also fixes the problem where the
-  macro was used witin a loop and the break didn't do right.
+- curl: include libmetalink version in --version output
   
-  Reported-by: Emil Engler
-  Fixes #6847
-  Closes #6909
+  Closes #7112
 
-- hsts: enable by default
+Jay Satiro (21 May 2021)
+- [Matias N. Goldberg brought this change]
+
+  cmake: Use multithreaded compilation on VS 2008+
   
-  No longer considered experimental.
+  Multithreaded compilation has been supported since at least VS 2005 and
+  been robustly stable since at least VS 2008
   
-  Closes #6700
+  Closes https://github.com/curl/curl/pull/7109
 
-- vtls: refuse setting any SSL version
+Daniel Stenberg (21 May 2021)
+- [Matias N. Goldberg brought this change]
+
+  cmake: fix two invokes result in different curl_config.h
   
-  ... previously they were supported if a TLS library would (unexpectedly)
-  still support them, but from this change they will be refused already in
-  curl_easy_setopt(). SSLv2 and SSLv3 have been known to be insecure for
-  many years now.
+  Fixes #7100
+  Closes #7101
   
-  Closes #6773
+  Reviewed-by: Jakub Zakrzewski
+  Signed-off-by: Matias N. Goldberg <dark_sylinc@yahoo.com.ar>
 
-- curl: ignore options asking for SSLv2 or SSLv3
-  
-  Instead output a warning about it and continue with the defaults.
+- [Peng-Yu Chen brought this change]
+
+  cmake: detect CURL_SA_FAMILY_T
   
-  These SSL versions are typically not supported by the TLS libraries since a
-  long time back already since they are inherently insecure and broken. Asking
-  for them to be used will just cause an error to be returned slightly later.
+  Fixes #7049
+  Closes #7065
+
+- [Lucas Clemente Vella brought this change]
+
+  CURLOPT_IPRESOLVE: preventing wrong IP version from being used
   
-  In the unlikely event that a user's TLS library actually still supports these
-  protocol versions, this change might make the request a little less insecure.
+  In some situations, it was possible that a transfer was setup to
+  use an specific IP version, but due do DNS caching or connection
+  reuse, it ended up using a different IP version from requested.
   
-  Closes #6772
-
-- test972: verify the json output with jsonlint
+  This commit changes the effect of CURLOPT_IPRESOLVE from simply
+  restricting address resolution to preventing the wrong connection
+  type being used, when choosing a connection from the pool, and
+  to restricting what addresses could be used when establishing
+  a new connection.
   
-  Make sure one of the azure jobs has jsonlint installed so that the test
-  runs there.
+  It is important that all addresses versions are resolved, even if
+  not used in that transfer in particular, because the result is
+  cached, and could be useful for a different transfer with a
+  different CURLOPT_IPRESOLVE setting.
   
-  Ref: #6905
+  Closes #6853
 
-- [Jay Satiro brought this change]
+- [Oliver Urbann brought this change]
 
-  tool_writeout: fix the HTTP_CODE json output
+  AmigaOS: add functions definitions for SHA256
   
-  Update test 970 accordingly.
+  AmiSSL replaces many functions with macros. Curl requires pointer
+  to some of these functions. Thus, we have to encapsulate these macros:
+  SHA256_Init, SHA256_Update, SHA256_Final, X509_INFO_free.
   
-  Reported-by: Michal Rus
-  Fixes #6905
-  Closes #6906
-
-- openldap: protect SSL-specific code with proper #ifdef
+  Bug: https://github.com/jens-maus/amissl/issues/15
+  Co-authored-by: Daniel Stenberg <daniel@haxx.se>
   
-  Closes #6901
+  Closes #7099
 
-- libssh2: fix Value stored to 'sshp' is never read
-  
-  Pointed out by scan-build
+- test2100: make it run with and require IPv6
   
-  Closes #6900
-
-- [Victor Vieux brought this change]
+  Closes #7083
 
-  tool_getparam: replace (in-place) '%20' by '+' according to RFC1866
-  
-  Signed-off-by: Victor Vieux <victorvieux@gmail.com>
+- tests/getpart: generate output URL encoded for better diffs
   
-  Closes #6895
+  Closes #7083
 
-- configure: provide --with-openssl, deprecate --with-ssl
+- [Ryan Beck-Buysse brought this change]
+
+  docs/TheArtOfHttpScripting: fix markdown links
   
-  Makes the option more explicit.
+  extra parens cause the links to be incorrectly formatted
+  and inconsistent with the rest of the document.
   
-  Closes #6887
+  Signed-off-by: Ryan Beck-Buysse <rbuysse@gmail.com>
+  Closes #7097
 
 - RELEASE-NOTES: synced
-  
-  and bumped curlver to 7.77.0
 
-- [Javier Blazquez brought this change]
+- [Emil Engler brought this change]
 
-  rustls: only return CURLE_AGAIN when TLS session is fully drained
-  
-  The code in cr_recv was returning prematurely as soon as the socket
-  reported no more data to read. However, this could be leaving some
-  unread plaintext data in the rustls session from a previous call,
-  causing causing the transfer to hang if the socket never receives
-  further data.
+  docs: replace dots with dashes in markdown enums
   
-  We need to ensure that the session is fully drained of plaintext data
-  before returning CURLE_AGAIN to the caller.
+  We use dashes instead of dots nearly everywhere except for those few
+  cases. This commit addresses this issues and brings more coherency into
+  it.
   
-  Reviewed-by: Jacob Hoffman-Andrews
-  Closes #6894
+  Closes #7093
 
-- cookie: CURLOPT_COOKIEFILE set to NULL switches off cookies
+- [Emil Engler brought this change]
+
+  docs: improve INTERNALS.md regarding getsock cb
   
-  Add test 676 to verify that setting CURLOPT_COOKIEFILE to NULL again clears
-  the cookiejar from memory.
+  This adds the I/O prefix to indicate that those "actions" are kind-of
+  related to those found in select(2) or poll(2) (reading/writing).
   
-  Reported-by: Stefan Karpinski
-  Fixes #6889
-  Closes #6891
+  It also adds a note where the prototypes of those functions can be found
+  in the source code.
+  
+  Closes #7092
 
-Version 7.76.1 (14 Apr 2021)
+- [Emil Engler brought this change]
 
-Daniel Stenberg (14 Apr 2021)
-- RELEASE-NOTES: synced
+  docs: document attach in INTERNALS.md
   
-  curl 7.76.1 release
+  The new field in the Curl_handler struct still lacks documentation. This
+  adds it it from the information extracted from lib/urldata.h:797
+  
+  Closes #7091
 
-- THANKS: add names from 7.76.1
+- [Marc Aldorasi brought this change]
 
-- misc: update copyright year ranges to match latest updates
+  config: remove now-unused macros
+  
+  Closes #7094
 
-- [Tatsuhiro Tsujikawa brought this change]
+- [Marc Aldorasi brought this change]
 
-  ngtcp2: Use ALPN h3-29 for now
+  hostip.h: remove declaration of unimplemented function
   
-  Fixes #6864
-  Cloes #6886
+  Closes #7094
 
-Jay Satiro (11 Apr 2021)
-- TODO: remove 18.22 --fail-with-body
+- h3: add 'attach' callback to protocol handlers
   
-  --fail-with-body was added in 8a964cb (precedes curl-7_76_0).
-
-Daniel Stenberg (10 Apr 2021)
-- [Jürgen Gmach brought this change]
+  Follow-up to 0c55fbab45be
+  
+  Reviewed-by: Emil Engler
+  Closes #7090
 
-  src/tool_vms.c: remove duplicated word in comment
+- wolfssl: remove SSLv3 support leftovers
   
-  Closes #6881
+  Closes #7088
 
-- configure: fix CURL_DARWIN_CFLAGS use
+- curl-wolfssl.m4: without custom include path, assume /usr/include
   
-  The macro name change was not completely done.
+  ... so that we can point out the root of the OpenSSL emulation headers.
+  Previously this used the '$includedir' variable which is wrong since
+  that defaults to the dir where the current configure invoke will install
+  the built libcurl headers: /usr/local by default.
   
-  Follow-up to 5d2c384452543c
-  Bug: https://github.com/curl/curl/commit/5d2c384452543c7b6c9fb02eaa0afc84fd5ab941#commitcomment-49315187
-  Reported-by: Marcel Raad
-  Closes #6878
+  Fixes #7085
+  Reported-by: Joel Jakobsson
+  Closes #7087
 
-- [Anthony Shaw brought this change]
+- [Joel Depooter brought this change]
 
-  github/workflow: add "security-extended" to codeql-analysis.yml
+  data_pending: check only SECONDARY socket for FTP(S) transfers
   
-  Extends the CodeQL code scan.
+  Check the FIRST for all other protocols.
   
-  Closes #6815
-
-- [Jochem Broekhoff brought this change]
+  This fixes a timeout in an ftps download. The server sends a TLS
+  close_notify message in the same packet as the file data. The
+  close_notify seems to not be handled in the schannel_recv function, so
+  libcurl is not aware that the server has closed the connection. Thus
+  libcurl ends up waiting for action on the socket until a timeout is
+  reached. With the secondary socket check added to the data_pending
+  function, the close_notify is properly handled, and the ftps transfer
+  terminates as expected.
+  
+  Fixes #7068
+  Closes #7069
 
-  examples/hiperfifo.c: check event_initialized before delete
+- github: inhibit deprecated declarations for clang on macOS
   
-  If event_del is called with the event struct (still) zeroed out, a
-  segmentation fault may occur.  event_initialized checks whether the
-  event struct is nonzero.
+  ... as they otherwise cause ldap build errors in the CI.
   
-  Closes #6876
+  Fixes #7081
+  Closes #7082
 
-- [Patrick Monnerat brought this change]
+- conn: add 'attach' to protocol handler, make libssh2 use it
+  
+  The libssh2 backend has SSH session associated with the connection but
+  the callback context is the easy handle, so when a connection gets
+  attached to a transfer, the protocol handler now allows for a custom
+  function to get used to set things up correctly.
+  
+  Reported-by: Michael O'Farrell
+  Fixes #6898
+  Closes #7078
 
-  ntlm: fix negotiated flags usage
+- http2: make sure pause is done on HTTP
   
-  According to Microsoft document MS-NLMP, current flags usage is not
-  accurate: flag NTLMFLAG_NEGOTIATE_NTLM2_KEY controls the use of
-  extended security in an NTLM authentication message and NTLM version 2
-  cannot be negotiated within the protocol.
+  Since the function is called for any protocol, we can't assume that the
+  HTTP struct is there without first making sure it is HTTP.
   
-  The solution implemented here is: if the extended security flag is set,
-  prefer using NTLM version 2 (as a server featuring extended security
-  should also support version 2). If version 2 has been disabled at
-  compile time, use extended security.
+  Reported-by: Denis Goleshchikhin
+  Fixes #7079
+  Closes #7080
+
+- docs: cookies from HTTP headers need domain set
   
-  Tests involving NTLM are adjusted to this new behavior.
+  ... or the cookies won't get sent. Push users to using the "Netscape"
+  format instead, which curl uses when saving a cookie "jar".
   
-  Fixes #6813
-  Closes #6849
+  Reported-by: Martin Dorey
+  Reviewed-by: Daniel Gustafsson
+  Fixes #6723
+  Closes #7077
 
-- [Patrick Monnerat brought this change]
+- RELEASE-NOTES: synced
 
-  ntlm: support version 2 on 32-bit platforms
+- github: add a workflow with libssh2 on macOS using cmake
   
-  Closes #6849
-
-- [Patrick Monnerat brought this change]
+  Closes #7047
 
-  curl_ntlm_core.h: simplify conditionals for USE_NTLM2SESSION
+- sws: allow HTTP requests up to 2MB in size
   
-  ... as !defined(CURL_DISABLE_CRYPTO_AUTH) is a prerequisite for the
-  whole NTLM.
+  To allow tests with slightly larger payloads. Like #7071 ...
   
-  Closes #6849
+  Closes #7075
 
-- lib: remove unused HAVE_INET_NTOA_R* defines
+Marc Hoersken (16 May 2021)
+- CI/azure: increase verbosity and fix outdated task names
   
-  Closes #6867
-
-- [Michael Forney brought this change]
+  Closes #7063
 
-  configure: include <time.h> unconditionally
-  
-  In 2682e5f5, several instances of AC_HEADER_TIME were removed since
-  it is a deprecated autoconf macro. However, this was the macro that
-  defined TIME_WITH_SYS_TIME, which was used to indicate that <time.h>
-  can be included alongside <sys/time.h>. TIME_WITH_SYS_TIME is still
-  used in the configure test body and since it is no longer defined,
-  <time.h> is *not* included on systems that have <sys/time.h>.
+- CI/cirrus: add shared and static Windows release builds
   
-  In particular, at least on musl libc and glibc, <sys/time.h> does
-  not implicitly include <time.h> and does not declare clock_gettime,
-  gmtime_r, or localtime_r. This causes configure to fail to detect
-  those functions.
+  Azure Pipelines is currently being used for debug builds,
+  let's also run some non-debug (release) Windows builds and
+  make use of previously underutilized Cirrus CI for that.
   
-  The AC_HEADER_TIME macro deprecation text says
+  Reviewed-by: Marcel Raad
   
-  > All current systems provide time.h; it need not be checked for.
-  > Not all systems provide sys/time.h, but those that do, all allow
-  > you to include it and time.h simultaneously.
+  Closes #6991
+
+Daniel Stenberg (16 May 2021)
+- CURLOPT_CAPATH.3: defaults to a path, not NULL
   
-  So, to fix this issue, simply include <time.h> unconditionally when
-  testing for time-related functions and in libcurl, and don't bother
-  checking for it.
+  Reported-by: Andrew Barnert
   
-  Closes #6859
+  Closes #7062
 
-- [Michael Forney brought this change]
+- [Jacob Hoffman-Andrews brought this change]
 
-  configure: remove use of RETSIGTYPE
-  
-  This was previously defined by the obsolete AC_TYPE_SIGNAL macro,
-  which was removed in 2682e5f5. The deprecation text says
+  c-hyper: handle body on HYPER_TASK_EMPTY
   
-  > Your code may safely assume C89 semantics that RETSIGTYPE is void.
+  Some of the time, we get a HYPER_TASK_EMPTY response before the status
+  line, headers, and body have been read. Previously, that would cause us
+  to poll again, leading to a 1 second timeout.
   
-  So, remove it and just use void instead.
+  The HYPER_TASK_EMPTY docs say:
   
-  Closes #6861
-
-- [Muhammed Yavuz Nuzumlalı brought this change]
-
-  install: add instructions for Apple Darwin platforms
+     The value of this task is null (does not imply an error).
   
-  Closes #6860
-
-- [Muhammed Yavuz Nuzumlalı brought this change]
-
-  configure: disable min version set for Darwin
+  So, if we receive a HYPER_TASK_EMPTY, continue on with processing the
+  response.
   
-  Fixes #6838
-  Closes #6860
+  Reported-by: Kevin Burke
+  Fixes #7064
+  Closes #7070
 
-- [David Hu brought this change]
+- [Ikko Ashimine brought this change]
 
-  docs/HTTP3.md: update the build instruction using gnutls
+  tool_getparam: fix comment typo in tool_getparam.c
   
-  In ngtcp2 the `with-gnutls` option is disabled by default, which will
-  cause `curl` unable to be `make` because of lacking the libraries
-  needed.
+  enfore -> enforce
   
-  Closes #6857
-
-- RELEASE-NOTES: synced
+  Closes #7074
 
-- typecheck-gcc: make the ssl-ctx-cb check use SSL_CTX pointers
+- mem-include-scan.pl: require a non-word letter before memory funcs
   
-  ... and not values.
+  ... so that ldap_memfree() for example doesn't match the scan for free.
   
-  Reported-by: locpyl-tidnyd on github
-  Fixes #6818
-  Closes #6819
+  Closes #7061
 
-- ngtcp2+gnutls: clear credentials when freed
+- version: free the openldap info correctly
   
-  ... to avoid double-free.
+  ... to avoid memory leaks.
   
-  Reported-by: Kenneth Davidson
-  Fixes #6824
-  Closes #6856
+  Follow-up to: bf0feae7768d9
+  Closes #7061
 
-Jay Satiro (5 Apr 2021)
-- [Cherish98 brought this change]
+- dupset: remove totally off comment
+  
+  Closes #7067
 
-  tool_progress: Fix progress meter in parallel mode
+- configure: if asked for, fail if ldap is not found
   
-  Make sure the total amount of DL/UL bytes are counted before the
-  transfer finalizes. Otherwise if a transfer finishes too quick, its
-  total numbers are not added, and results in a DL%/UL% that goes above
-  100%.
+  Reported-by: Jakub Zakrzewski
+  Fixes #7053
+  Closes #7055
+
+- version: add OpenLDAP version in the output
   
-  Detail:
+  Assisted-by: Howard Chu
+  Closes #7054
+
+Jay Satiro (13 May 2021)
+- [Joel Depooter brought this change]
+
+  schannel: Ensure the security context request flags are always set
   
-  progress_meter() is called periodically, and it may not catch a
-  transfer's total bytes if the value was unknown during the last call,
-  and the transfer is finished and deleted (i.e., lost) during the next
-  call.
+  As of commit 54e7475, these flags would only be set when using a new
+  credential handle. When re-using an existing credential handle, the
+  flags would not be set.
   
-  Closes https://github.com/curl/curl/pull/6840
+  Closes https://github.com/curl/curl/pull/7051
 
-- [Emil Engler brought this change]
+Dan Fandrich (12 May 2021)
+- tests: Fix some tag matching issues in a number of tests
 
-  libssh: get rid of PATH_MAX
+Daniel Stenberg (12 May 2021)
+- sasl: use 'unsigned short' to store mechanism
   
-  This removes the last occurrence of PATH_MAX inside our libssh
-  implementation by calculating the path length from the string length of
-  the two components.
+  ... saves a few bytes of struct size in memory and it only uses
+  10 bits anyway.
   
-  Closes #6829
+  Closes #7045
 
-Daniel Stenberg (5 Apr 2021)
-- http_proxy: only loop on 407 + close if we have credentials
+- hostip: remove the debug code for LocalHost
   
-  ... to fix the retry-loop.
+  The Curl_resolv() had special code (when built in debug mode) for when
+  resolving the host name "LocalHost" (using that exact casing). It would
+  then get the host name from the --interface option instead.
   
-  Add test 718 to verify.
+  This development-only feature was not used by anything (anymore) and we
+  have the --resolve feature if we want to play similar tricks properly
+  going forward.
   
-  Reported-by: Daniel Kurečka
-  Fixes #6828
-  Closes #6850
+  Closes #7044
 
-- h2: allow 100 streams by default
+- progress: reset limit_size variables at transfer start
   
-  instead of 13, before the server has told how many streams it
-  accepts. The server can always reject new streams anyway if we go above
-  what it accepts.
+  Otherwise the old value would linger from a previous use and would mess
+  up the network speed cap logic.
   
-  Ref: #6826
-  Closes #6852
+  Reported-by: Ymir1711 on github
+  
+  Fixes #7042
+  Closes #7043
 
-- [Luke Granger-Brown brought this change]
+- RELEASE-NOTES: synced
 
-  file: support GETing directories again
+- [Daniel Gustafsson brought this change]
+
+  cookies: use CURLcode for cookie_output reporting
   
-  After 957bc1881e686f9714c4e6a01bf33535091f0e21, we no longer compute an
-  expected_size for directories. This has the upshot that when we compare
-  even an empty Range with the available size, we fail.
+  Writing the cookie file has multiple error conditions, and was using an
+  int with magic numbers to report the different error (which in turn were
+  disregarded anyways). This moves reporting to use a CURLcode value.
   
-  This brings back the previous behaviour, which was to succeed, but with
-  empty content. This also removes the "Accept-ranges: bytes" header,
-  which is nonsensical on directories.
+  Lightly-touched-by: Daniel Stenberg
   
-  Adds test 3016
-  Fixes #6845
-  Closes #6846
+  Closes #7037
+  Closes #6749
 
-- RELEASE-NOTES: synced
-  
-  and bumped to 7.76.1
+- [Daniel Gustafsson brought this change]
 
-- TLS: fix HTTP/2 selection
-  
-  for GnuTLS, BearSSL, mbedTLS, NSS, SChannnel, Secure Transport and
-  wolfSSL...
+  cookies: make use of string duplication function
   
-  Regression since 88dd1a8a115b1f5ece (shipped in 7.76.0)
-  Reported-by: Kenneth Davidson
-  Reported-by: romamik om github
-  Fixes #6825
-  Closes #6827
+  strstore() is defined as a strdup which ensures to free the target
+  pointer before duping the source char * into it. Make use of it in
+  two more cases where it can simplify the code.
 
-Jay Satiro (2 Apr 2021)
-- hostip: Fix for builds that disable all asynchronous DNS
+- [Daniel Gustafsson brought this change]
+
+  cookies: refactor comments
   
-  - Define Curl_resolver_error function only when USE_CURL_ASYNC.
+  Comments in the cookie code were a bit all over the place in terms of
+  style and wording. This takes a stab at cleaning them up by keeping to
+  a single style and overall shape. Some comments are moved a little and
+  some removed alltogether due to being redundant. No functional changes
+  have been made,
+
+- [Peng-Yu Chen brought this change]
+
+  http2: skip immediate parsing of payload following protocol switch
   
-  Prior to this change building curl without an asynchronous resolver
-  backend (c-ares or threaded) and without DoH (DNS-over-HTTPS, which is
-  also asynchronous but independent of resolver backend) would cause a
-  build error since Curl_resolver_error is called by and evaluates
-  variables only available in asynchronous builds.
+  This is considered not harmful as a following http2_recv shall be
+  called very soon.
   
-  Reported-by: Benbuck Nason
+  This is considered helpful in the specific situation where some
+  servers (e.g. nghttpx v1.43.0) may fulfill stream 1 immediately
+  following the return of HTTP status 101, other than waiting for
+  the client-side connection preface to arrive.
   
-  Fixes https://github.com/curl/curl/issues/6831
-  Closes https://github.com/curl/curl/pull/6832
+  Fixes #7036
+  Closes #7040
 
-Daniel Stenberg (31 Mar 2021)
-- [Gilles Vollant brought this change]
+- [Peng-Yu Chen brought this change]
 
-  openssl: Fix CURLOPT_SSLCERT_BLOB without CURLOPT_SSLCERT_KEY
+  http2: use nghttp2_session_upgrade2 instead of nghttp2_session_upgrade
   
-  Reported-by: Christian Schmitz
-  Fixes #6816
-  Closes #6820
-
-Version 7.76.0 (31 Mar 2021)
-
-Daniel Stenberg (31 Mar 2021)
-- RELEASE-NOTES: synced
+  Following the upstream deprecation of nghttp2_session_upgrade.
   
-  curl 7.76.0 release
-
-- THANKS: added names from 7.76.0
-
-- CURLOPT_AUTOREFERER.3: clarify that it sets the full URL
+  Also provides further checks for requests with the HEAD method.
   
-  ... some users may not want that!
+  Closes #7041
 
-- define: remove CURL_DISABLE_NTLM ifdefs
-  
-  It was never defined anywhere. Fixed disable-scan (test 1165) to also
-  scan headers, which found this issue.
+- progress/trspeed: use a local convenient pointer to beautify code
   
-  Closes #6809
+  The function becomes easier to read and understand with less repetition.
 
-- vtls: fix addsessionid for non-proxy builds
+- trspeed: use long double for transfer speed calculation
+
+- progress: move transfer speed calc into function
   
-  Follow-up to b09c8ee15771c61
-  Fixes #6812
-  Closes #6811
+  This silences two scan-build-11 warnings: "The result of the '/'
+  expression is undefined"
+  
+  Bug: https://curl.se/mail/lib-2021-05/0022.html
+  Closes #7035
 
-- [Li Xinwei brought this change]
+- [Cameron Cawley brought this change]
 
-  cmake: support WinIDN
+  openssl: remove unneeded cast for CertOpenSystemStore()
   
-  Closes #6807
+  Closes #7025
 
-- transfer: clear 'referer' in declaration
+- travis: disable the libssh build
   
-  To silence (false positive) compiler warnings about it.
+  It can't run on focal and causes warnings on bionic. Since the focal
+  failure started rather suddenly a while ago, we can suspect it might be
+  temporary.
   
-  Follow-up to 7214288898f5625
+  Added "bring back the build" to the TODO document.
   
-  Reviewed-by: Marcel Raad
-  Closes #6810
+  Fixes #7011
+  Closes #7012
 
-- [Marc Hoersken brought this change]
+- [Peng-Yu Chen brought this change]
 
-  config: fix SSPI enabling NTLM if crypto auth is disabled
+  http: use calculated offsets inst of integer literals for header parsing
   
-  Avoid enabling NTLM feature based upon Windows SSPI
-  being enabled in case that crypto auth is disabled.
+  Assumed to be a minor coding style improvement with no behavior change.
   
-  Reported-by: Marcel Raad
+  A modern compiler is expected to have the calculation optimized during
+  compilation. It may be deemed okay even if that's not the case, since
+  the added overhead is considered very low.
   
-  Follow-up to #6277
-  Fixes #6803
-  Closes #6808
+  Closes #7032
 
-- HISTORY: add two 2021 events
+- [Peng-Yu Chen brought this change]
 
-- vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid()
-  
-  To make sure we set and extract the correct session.
+  GIT-INFO: suggest using autoreconf instead of buildconf
   
-  Reported-by: Mingtao Yang
-  Bug: https://curl.se/docs/CVE-2021-22890.html
+  Follow-up to 85868537d
   
-  CVE-2021-22890
-
-- [Viktor Szakats brought this change]
+  Closes #7033
 
-  transfer: strip credentials from the auto-referer header field
+- http: deal with partial CONNECT sends
   
-  Added test 2081 to verify.
+  Also added 'CURL_SMALLSENDS' to make Curl_write() send short packets,
+  which helped verifying this even more.
   
-  CVE-2021-22876
+  Add test 363 to verify.
   
-  Bug: https://curl.se/docs/CVE-2021-22876.html
+  Reported-by: ustcqidi on github
+  Fixes #6950
+  Closes #7024
 
-- curl_sasl: fix compiler error with --disable-crypto-auth
-  
-  ... if libgsasl was found.
+- HTTP3: make the ngtcp2 build use the quictls fork
   
-  Closes #6806
-
-- [Patrick Monnerat brought this change]
-
-  ldap: only set the callback ptr for TLS context when TLS is used
+  ... as ngtcp2 itself documents the build this way.
   
-  Follow-up to a5eee22e594c2460f
-  Fixes #6804
-  Closes #6805
+  Closes #7031
 
-- copyright: update copyright year ranges to 2021
+- http: limit the initial send amount to used upload buffer size
   
-  Reviewed-by: Emil Engler
-  Closes #6802
-
-- send_speed: simplify the checks for if a speed limit is set
+  Previously this logic would cap the send to CURL_MAX_WRITE_SIZE bytes,
+  but for the situations where a larger upload buffer has been set, this
+  function can benefit from sending more bytes. With default size used,
+  this does the same as before.
   
-  ... as we know the value cannot be set to negative: enforced by
-  setopt()
-
-- http: cap body data amount during send speed limiting
+  Also changed the storage of the size to an 'unsigned int' as it is not
+  allowed to be set larger than 2M.
   
-  By making sure never to send off more than the allowed number of bytes
-  per second the speed limit logic is given more room to actually work.
+  Also added cautions to the man pages about changing buffer sizes in
+  run-time.
   
-  Reported-by: Fabian Keil
-  Bug: https://curl.se/mail/lib-2021-03/0042.html
-  Closes #6797
+  Closes #7022
 
-- urldata: merge "struct DynamicStatic" into "struct UrlState"
+- RELEASE-NOTES: synced
+
+- ngtcp2: fix the cb_acked_stream_data_offset proto
   
-  Both were used for the same purposes and there was no logical separation
-  between them. Combined, this also saves 16 bytes in less holes in my
-  test build.
+  The 'datalen' value should be 64 bit, not size_t!
   
-  Closes #6798
+  Reported-by: Dmitry Karpov
+  Bug: https://curl.se/mail/lib-2021-05/0019.html
+  Closes #7027
 
-- tests/README.md: mentioned that en_US.UTF-8 is required
+- progress: when possible, calculate transfer speeds with microseconds
   
-  Reported-by: Oumph on github
-  Fixes #6768
-
-- HISTORY: fixed the Mac OS X 10.1 release date
+  ... this improves precision, especially for transfers in the few or even
+  sub millisecond range.
   
-  Based on what Wikipedia says
+  Reported-by: J. Bromley
+  Fixes #7017
+  Closes #7020
 
-Jay Satiro (26 Mar 2021)
-- examples: Remove threaded-shared-conn.c due to bug
-  
-  Known bug 11.11 is the shared object's connection cache is not thread
-  safe, so we should not have an example for it.
+- http: reset the header buffer when sending the request
   
-  Ref: https://github.com/curl/curl/issues/4915
-  Ref: https://curl.se/docs/knownbugs.html#A_shared_connection_cache_is_not
+  A reused transfer handle could otherwise reuse the previous leftover
+  buffer and havoc would ensue.
   
-  Closes https://github.com/curl/curl/pull/6795
+  Reported-by: sergio-nsk on github
+  Fixes #7018
+  Closes #7021
 
-- KNOWN_BUGS: Update 11.9 - DoH option inheritance
+- curl_mprintf.3: add description
   
-  - Add description: Explain that some options aren't inherited because
-    they are not relevant for the DoH SSL connections or may result in
-    unexpected behavior.
+  These functions have existed in the API since the dawn of time. It is
+  about time we describe how they work, even if we discourage users from
+  using them.
   
-  - Remove the reference to #4578 (SSL verify options not inherited) since
-    that was fixed by #6597 (separate DoH-specific options for verify).
+  Closes #7010
+
+- [Timothy Gu brought this change]
+
+  URL-SYNTAX: update IDNA section for WHATWG spec changes
   
-  - Explain that DoH-specific options (those created by #6597) are
-    available: CURLOPT_DOH_SSL_VERIFYHOST, CURLOPT_DOH_SSL_VERIFYPEER and
-    CURLOPT_DOH_SSL_VERIFYSTATUS.
+  WHATWG URL has dictated the use of Nontransitional Processing (IDNA
+  2008) for several years now. Chrome (and derivatives) still use
+  Transitional Processing, but Firefox and Safari have both switched.
   
-  - Add a reference to #6605 and explain that the user's debug function is
-    not inherited because it would be unexpected to pass internal handles
-    (ie DoH handles) to the user's callback.
+  Also document the fact that winidn functions differently from libidn2
+  here.
   
-  Closes https://github.com/curl/curl/issues/6605
-
-Daniel Stenberg (26 Mar 2021)
-- curl_easy_setopt.3: add curl_easy_option* functions to SEE ALSO
+  Closes #7026
 
-- [Jean-Philippe Menil brought this change]
+- [Calvin Buckley brought this change]
 
-  openssl: ensure to check SSL_CTX_set_alpn_protos return values
+  INSTALL: add IBM i specific quirks
   
-  SSL_CTX_set_alpn_protos() return 0 on success, and non-0 on failure
+  Fixes #6830
+  Closes #7013
+
+- libcurl.3: mention the URL API
   
-  Signed-off-by: Jean-Philippe Menil <jpmenil@gmail.com>
+  To make it easier to find. Also a minor polish of libcurl-url.3
   
-  Closes #6794
+  Closes #7009
 
-- multi: close the connection when h2=>h1 downgrading
+- GnuTLS: don't allow TLS 1.3 for versions that don't support it
   
-  Otherwise libcurl is likely to reuse the connection again in the next
-  attempt since the connection reuse logic doesn't take downgrades into
-  account.
+  Follow-up to 781864bedbc5
   
-  Reported-by: Anthony Ramine
-  Fixes #6788
-  Closes #6793
+  ... as they don't understand it and will return error at us!
+  
+  Closes #7014
 
-- openssl: set the transfer pointer for logging early
+Kamil Dudka (6 May 2021)
+- tool_getparam: handle failure of curlx_convert_tchar_to_UTF8()
   
-  Otherwise, the transfer will be NULL in the trace function when the
-  early handshake details arrive and then curl won't show them.
+  Reported by GCC analyzer:
   
-  Regresssion in 7.75.0
+  Error: GCC_ANALYZER_WARNING (CWE-476):
+  src/tool_getparam.c: scope_hint: In function 'parse_args'
+  src/tool_getparam.c:2318:38: warning[-Wanalyzer-possible-null-dereference]: dereference of possibly-NULL 'orig_opt'
+  lib/curlx.h:56: included_from: Included from here.
+  src/tool_getparam.c:28: included_from: Included from here.
+  lib/curl_multibyte.h:70:51: note: in definition of macro 'curlx_convert_tchar_to_UTF8'
+  src/tool_getparam.c:2316:16: note: in expansion of macro 'curlx_convert_tchar_to_UTF8'
   
-  Reported-by: David Hu
-  Fixes #6783
-  Closes #6792
+  Reviewed-by: Marcel Raad
+  Reviewed-by: Daniel Stenberg
+  Closes #7023
 
-- RELEASE-NOTES: synced
+Daniel Stenberg (6 May 2021)
+- scripts/delta: also show total number of days
 
-- TODO: Custom progress meter update interval
+Marc Hoersken (5 May 2021)
+- sockfilt: fix invalid increment of handles index variable nfd
   
-  Ref: https://stackoverflow.com/q/66789977/93747
+  Only increment the array index if we actually stored a handle.
+  
+  Follow up to e917492048f4b85a0fd58a033d10072fc7666c3b
+  Closes #6992
 
-- docs/ABI: tighten up the language
+- sockfilt: avoid getting stuck waiting for writable socket
   
-  Make the promises more firm
+  Reset FD_WRITE event using the same approach as in multi.c
   
-  Closes #6786
+  Follow up to b36442b24305f3cda7c13cc64b46838995a4985b
+  Closes #6992
 
-- openldap: disconnect better
+Jay Satiro (5 May 2021)
+- test678: Fix for Windows multibyte builds
   
-  Instead of clearing the callback argument in disconnect, set it to the
-  (new) transfer to make sure the correct data is passed to the callbacks.
+  Follow-up to 77fc385 from yesterday.
   
-  Follow-up to e467ea3bd937f38
-  Assisted-by: Patrick Monnerat
-  Closes #6787
+  Bug: https://github.com/curl/curl/pull/6662#issuecomment-832966557
+  Reported-by: Marc Hörsken
 
-- libssh2: kdb_callback: get the right struct pointer
-  
-  After the recent conn/data refactor in this source file, this function
-  was mistakenly still getting the old struct pointer which would lead to
-  crash on servers with keyboard-interactive auth enabled.
+- [Dmitry Kostjuchenko brought this change]
+
+  build: fix compilation for Windows UWP platform
   
-  Follow-up to a304051620b92e12b (shipped in 7.75.0)
+  - Include afunix.h which is necessary for sockaddr_un when
+    USE_UNIX_SOCKETS is defined on Windows.
   
-  Reported-by: Christian Schmitz
-  Fixes #6691
-  Closes #6782
+  Closes https://github.com/curl/curl/pull/7006
 
-- tftp: remove unused struct fields
+Daniel Stenberg (5 May 2021)
+- gnutls: make setting only the MAX TLS allowed version work
   
-  Follow-up to d3d90ad9c00530d
+  Previously, settting only the max allowed TLS version, leaving the
+  minimum one at default, didn't actually set it and left it to default
+  (TLS 1.3) too!
   
-  Closes #6781
-
-- openldap: avoid NULL pointer dereferences
+  As a bonus, this change also removes the dead code handling of SSLv3
+  since that version can't be set anymore (since eff614fb0242cb).
   
-  Follow-up to a59c33ceffb8f78
-  Reported-by: Patrick Monnerat
-  Fixes #6676
-  Closes #6780
+  Reported-by: Daniel Carpenter
+  Fixes #6998
+  Closes #7000
 
-- http: strip default port from URL sent to proxy
+- openldap: replace ldap_ prefix on private functions
   
-  To make sure the Host: header and the URL provide the same authority
-  portion when sent to the proxy, strip the default port number from the
-  URL if one was provided.
+  Since openldap itself uses that prefix and with OpenĹDAP 2.5.4 (at
+  least) there's a symbol collision because of that.
   
-  Reported-by: Michael Brown
-  Fixes #6769
-  Closes #6778
-
-- azure: disable test 433 on azure-ubuntu
+  The private functions now use the 'oldap_' prefix where it previously
+  used 'ldap_'.
   
-  Something in that environment sets XDG_CONFIG_HOME for us in a way that
-  breaks the test.
+  Reported-by: 3eka on github
+  Fixes #7004
+  Closes #7005
+
+Jay Satiro (5 May 2021)
+- http2: fix potentially uninitialized variable
   
-  Reported-by: Marc Hörsken
-  Fixes #6739
-  Closes #6777
+  introduced several days ago in 3193170. caught by visual studio linker.
 
-- tftp: remove the 3600 second default timeout
+- [Gilles Vollant brought this change]
+
+  SSL: support in-memory CA certs for some backends
   
-  ... it was never meant to be there.
+  - New options CURLOPT_CAINFO_BLOB and CURLOPT_PROXY_CAINFO_BLOB to
+    specify in-memory PEM certificates for OpenSSL, Schannel (Windows)
+    and Secure Transport (Apple) SSL backends.
   
-  Reported-by: Tomas Berger
-  Fixes #6774
-  Closes #6776
-
-- docs: make gen.pl support *italic* and **bold**
+  Prior to this change PEM certificates could only be imported from a file
+  and not from memory.
   
-  Remove some nroffisms from the cmdline doc files to simplify editing,
-  and instead support this markdown style.
+  Co-authored-by: moparisthebest@users.noreply.github.com
   
-  Closes #6771
-
-- ngtcp2: sync with recent API updates
+  Ref: https://github.com/curl/curl/pull/4679
+  Ref: https://github.com/curl/curl/pull/5677
+  Ref: https://github.com/curl/curl/pull/6109
   
-  Closes #6770
+  Closes https://github.com/curl/curl/pull/6662
 
-- RELEASE-NOTES: synced
+Daniel Stenberg (4 May 2021)
+- [David Cook brought this change]
 
-- libssh2:ssh_connect: clear session pointer after free
+  tests: ignore case of chunked hex numbers in tests
   
-  If libssh2_knownhost_init() returns NULL, like in an OOM situation, the
-  ssh session was freed but the pointer wasn't cleared which made libcurl
-  later call libssh2 to cleanup using the stale pointer.
+  When hyper is used, it emits uppercase hexadecimal numbers for chunked
+  encoding lengths. Without hyper, lowercase hexadecimal numbers are used.
+  This change adds preprocessor statements to tests where this is an
+  issue, and adapts the fixtures to match.
   
-  Fixes #6764
-  Closes #6766
-
-- [Jacob Hoffman-Andrews brought this change]
+  Closes #6987
 
-  docs: document version of crustls dependency
+- cmake: check for getppid and utimes
   
-  This also pins a specific release in the Travis test so future
-  API-breaking changins in crustls won't break curl builds.
+  ... as they're checked for in the configure script and are used by
+  source code.
   
-  Add RUSTLS documentation to release tarball.
+  Removed checks for perror, setvbuf and strlcat since those defines are
+  not checked for in source code.
   
-  Enable running tests for rustls, minus FTP tests (require
-  connect_blocking, which rustls doesn't implement) and 313 (requires CRL
-  handling).
+  Bonus: removed HAVE_STRLCPY from a few config-*.h files since that
+  symbol is not used in source code.
   
-  Closes #6763
-
-- [Jacob Hoffman-Andrews brought this change]
+  Closes #6997
 
-  rustls: Handle close_notify.
-  
-  If we get a close_notify, treat that as EOF. If we get an EOF from the
-  TCP stream, treat that as an error (because we should have ended the
-  connection earlier, when we got a close_notify).
+- libtest: remove lib530.c
   
-  Closes #6763
-
-- docs: clarify timeouts for queued transfers in multi API
+  Follow up from e50a877df when test 530 was removed. Since then this
+  source file has not been used/needed.
   
-  Closes #6758
+  Closes #6999
 
-- ftpserver: only load the preprocessed test file
+- FILEFORMAT: mention sectransp as a feature
   
-  We always preprocess and tests are no longer sensible to load "raw"
+  Been supported since at least 40259ca65
   
-  Closes #6738
+  Closes #7001
 
-- tests: use %TESTNUMBER instead of fixed number
+- RELEASE-NOTES: synced
+
+- libssh2: ignore timeout during disconnect
   
-  This makes the tests easier to copy and relocate to other test numbers
-  without having to update content.
+  ... to avoid memory leaks!
   
-  Closes #6738
-
-- KNOWN_BUGS: CURLOPT_OPENSOCKETPAIRFUNCTION is missing
+  libssh2 is tricky as we have to deal with the non-blockiness even in
+  close and shutdown cases. In the cases when we shutdown after a timeout
+  already expired, it is crucial that curl doen't let the timeout abort
+  the shutdown process as that then leaks memory!
   
-  Closes #5747
+  Reported-by: Benjamin Riefenstahl
+  Fixes #6990
 
-- TODO: provide timing info for each redirect
-  
-  Closes #6743
+- KNOWN_BUGS: add two HTTP/2 bugs
 
-Jay Satiro (17 Mar 2021)
-- docs: Add SSL backend names to CURL_SSL_BACKEND
-  
-  - Document the names that can be used with CURL_SSL_BACKEND:
-    bearssl, gnutls, gskit, mbedtls, mesalink, nss, openssl, rustls,
-    schannel, secure-transport, wolfssl
+- KNOWN_BUGS: add three HTTP/3 issues
   
-  Ref: https://github.com/curl/curl/issues/2209#issuecomment-360623286
-  Ref: https://github.com/curl/curl/issues/6717#issuecomment-800745201
+  ... and moved the HTTP/2 issues to its own section
   
-  Closes https://github.com/curl/curl/pull/6755
+  Closes #6606
+  Closes #6510
+  Closes #6494
 
-- docs: Explain DOH transfers inherit some SSL settings
+- [ejanchivdorj brought this change]
+
+  CURLcode: add CURLE_SSL_CLIENTCERT
   
-  - Document in DOH that some SSL settings are inherited but DOH hostname
-    and peer verification are not and are controlled separately.
+  When a TLS server requests a client certificate during handshake and
+  none can be provided, libcurl now returns this new error code
+  CURLE_SSL_CLIENTCERT
   
-  - Document that CURLOPT_SSL_CTX_FUNCTION is inherited by DOH handles but
-    we're considering changing behavior to no longer inherit it. Request
-    feedback.
+  Only supported by Secure Transport and OpenSSL for TLS 1.3 so far.
   
-  Closes https://github.com/curl/curl/pull/6688
+  Closes #6721
 
-Daniel Stenberg (17 Mar 2021)
-- http: make 416 not fail with resume + CURLOPT_FAILONERRROR
+- [Tobias Gabriel brought this change]
+
+  .github/FUNDING: add link to GitHub sponsors
   
-  When asked to resume a download, libcurl will convert that to HTTP logic
-  and if then the entire file is already transferred it will result in a
-  416 response from the HTTP server. With CURLOPT_FAILONERRROR set in that
-  scenario, it should *not* lead to an error return.
-  
-  Updated test 1156, added test 1273
-  
-  Reported-by: Jonathan Watt
-  Fixes #6740
-  Closes #6753
-
-- Curl_timeleft: check both timeouts during connect
-  
-  The duration of a connect and the total transfer are calculated from two
-  different time-stamps. It can end up with the total timeout triggering
-  before the connect timeout expires and we should make sure to
-  acknowledge whichever timeout that is reached first.
-  
-  This is especially notable when a transfer first sits in PENDING, as
-  that time is counted in the total time but the connect timeout is based
-  on the time since the handle changed to the CONNECT state.
-  
-  The CONNECTTIMEOUT is per connect attempt. The TIMEOUT is for the entire
-  operation.
-  
-  Fixes #6744
-  Closes #6745
-  Reported-by: Andrei Bica
-  Assisted-by: Jay Satiro
-
-- configure: remove use of deprecated macros
-  
-  AC_HEADER_TIME, AC_HEADER_STDC and AC_TYPE_SIGNAL
+  Closes #6985
 
-- configure: make AC_TRY_* into AC_*_IFELSE
-  
-  ... as the former versions are deprecated.
+- [Harry Sintonen brought this change]
 
-- configure: s/AC_HELP_STRING/AS_HELP_STRING
-  
-  AC_HELP_STRING is deprecated in 2.70+ and I believe AS_HELP_STRING works
-  already since 2.59 so bump the minimum required version to that.
+  krb5/name_to_level: replace checkprefix with curl_strequal
   
-  Reported-by: Emil Engler
-  Fixes #6647
-  Closes #6748
+  Closes #6993
 
-- RELEASE-NOTES: synced
+- [Harry Sintonen brought this change]
 
-- travis: use ubuntu nghttp2 package instead of build our own
+  Curl_input_digest: require space after Digest
   
-  Closes #6751
+  Closes #6993
 
-- travis: bump wolfssl to 4.7.0
+- [Harry Sintonen brought this change]
 
-- travis: only build wolfssl when needed
+  Curl_http_header: check for colon when matching Persistent-Auth
   
-  Closes #6751
+  Closes #6993
 
-- [Jacob Hoffman-Andrews brought this change]
+- [Harry Sintonen brought this change]
 
-  rustls: allocate a buffer for TLS data.
-  
-  Previously, rustls was using an on-stack array for TLS data. However,
-  crustls has an (unusual) requirement that buffers it deals with are
-  initialized before writing to them. By using calloc, we can ensure the
-  buffer is initialized once and then reuse it across calls.
+  Curl_http_input_auth: require valid separator after negotiation type
   
-  Closes #6742
+  Closes #6993
 
-- travis: add a rustls build
+- http: fix the check for 'Authorization' with Bearer
   
-  ... that doesn't run any tests (yet)
+  The code would wrongly check for it using an additional colon.
   
-  Closes #6750
-
-- HTTP2: remove the outdated remark about multiplexing for the tool
+  Reported-by: Blake Burkhart
+  Closes #6988
 
-- [Robert Ronto brought this change]
+- [Kamil Dudka brought this change]
 
-  http2: don't set KEEP_SEND when there's no more data to be sent
+  http2: fix a resource leak in push_promise()
   
-  this should fix an issue where curl sometimes doesn't send out a request
-  with authorization info after a 401 is received over http2
+  ... detected by Coverity:
   
-  Closes #6747
+  Error: RESOURCE_LEAK (CWE-772):
+  lib/http2.c:532: alloc_fn: Storage is returned from allocation function "duphandle".
+  lib/http2.c:532: var_assign: Assigning: "newhandle" = storage returned from "duphandle(data)".
+  lib/http2.c:552: noescape: Resource "newhandle" is not freed or pointed-to in "set_transfer_url".
+  lib/http2.c:555: leaked_storage: Variable "newhandle" going out of scope leaks the storage it points to.
+  
+  Closes #6986
 
-Marc Hoersken (15 Mar 2021)
-- config: fix building SMB with configure using Win32 Crypto
+- [Kamil Dudka brought this change]
+
+  http2: fix resource leaks in set_transfer_url()
   
-  Align conditions for NTLM features between CMake and configure
-  builds by differentiating between USE_NTLM and USE_CURL_NTLM_CORE,
-  just like curl_setup.h does internally to detect support of:
+  ... detected by Coverity:
   
-  - USE_NTLM: required for NTLM crypto authentication feature
-  - USE_CURL_NTLM_CORE: required for SMB protocol
+  Error: RESOURCE_LEAK (CWE-772):
+  lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
+  lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
+  lib/http2.c:486: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.]
+  lib/http2.c:488: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
   
-  Implement USE_WIN32_CRYPTO detection by checking for Crypt functions
-  in wincrypt.h which are not available in the Windows App environment.
+  Error: RESOURCE_LEAK (CWE-772):
+  lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
+  lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
+  lib/http2.c:493: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.]
+  lib/http2.c:495: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
   
-  Link advapi32 and crypt32 for Crypto API and Schannel SSL backend.
-  Fix condition of Schannel SSL backend in CMake build accordingly.
+  Error: RESOURCE_LEAK (CWE-772):
+  lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
+  lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
+  lib/http2.c:500: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.]
+  lib/http2.c:502: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
   
-  Reviewed-by: Marcel Raad
+  Error: RESOURCE_LEAK (CWE-772):
+  lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
+  lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
+  lib/http2.c:505: noescape: Resource "u" is not freed or pointed-to in "curl_url_get". [Note: The source code implementation of the function has been overridden by a builtin model.]
+  lib/http2.c:507: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
   
-  Closes #6277
+  Closes #6986
 
-- config: fix detection of restricted Windows App environment
-  
-  Move the detection of the restricted Windows App environment
-  in curl_setup.h before the definition of USE_WIN32_CRYPTO
-  via included config-win32.h in case no build system is used.
+- [Jacob Hoffman-Andrews brought this change]
+
+  rustls: use ALPN
   
-  Reviewed-by: Marcel Raad
+  Update required rustls to 0.5.0
   
-  Part of #6277
-
-Daniel Stenberg (15 Mar 2021)
-- HISTORY: curl 7.7.2 was the first version used in Mac OS X 10.1
+  Closes #6960
 
-- gen.pl: quote "bare" minuses in the nroff curl.1
-  
-  Reported-by: Alejandro Colomar
-  Fixes #6698
-  Closes #6722
+- [Michał Antoniak brought this change]
 
-Daniel Gustafsson (14 Mar 2021)
-- hsts: remove unused defines
+  gskit: fix CURL_DISABLE_PROXY build
   
-  MAX_HSTS_SUBLEN and MAX_HSTS_SUBLENSTR were unused from the initial commit,
-  and mostly likely leftovers from early development.  Remove as they're not
-  used for anything.
+  Removed localfd and remotefd from ssl_backend_data (ued only with proxy
+  connection). Function pipe_ssloverssl return always 0, when proxy is not
+  used.
   
-  Closes #6741
-  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+  Closes #6981
 
-Daniel Stenberg (12 Mar 2021)
-- github: add torture-ftp for FTP-only torture testing
-  
-  and at 20% to try to keep the run-time reasonable
-  
-  Closes #6728
+- [Michał Antoniak brought this change]
 
-- travis: split "torture" into a separate "events" build as well
-  
-  Run torture without FTP and reducing coverage to 20%
-  
-  For some reason the torture tests now run a lot slower on travis and run
-  into the 50 minute limit all the time.
+  gskit: fix undefined reference to 'conn'
   
-  Closes #6728
+  Closes #6980
 
-- ftp: fix memory leak in ftp_done
+- [Jacob Hoffman-Andrews brought this change]
+
+  tls: add USE_HTTP2 define
   
-  If after a transfer is complete Curl_GetFTPResponse() returns an error,
-  curl would not free the ftp->pathalloc block.
+  This abstracts across the two HTTP/2 backends: nghttp2 and Hyper.
   
-  Found by torture-testing test 576
+  Add our own define for the "h2" ALPN protocol, so TLS backends can use
+  it without depending on a specific HTTP backend.
   
-  Closes #6737
+  Closes #6959
 
-- [oxalica brought this change]
+- [Jacob Hoffman-Andrews brought this change]
 
-  http2: fail if connection terminated without END_STREAM
+  lib: fix 0-length Curl_client_write calls
   
-  Closes #6736
-
-- RELEASE-NOTES: synced
+  Closes #6954
 
 - [Jacob Hoffman-Andrews brought this change]
 
-  rustls: support CURLOPT_SSL_VERIFYPEER
-  
-  This requires the latest main branch of crustls, which provides
-  rustls_client_config_builder_dangerous_set_certificate_verifier and
-  rustls_client_config_builder_set_enable_sni.
+  lib: remove strlen call from Curl_client_write
   
-  This refactors the session setup into its own function, and adds a new
-  function cr_hostname_is_ip. Because crustls doesn't support verification
-  of IP addresses, special handling is needed: We disable SNI and set a
-  placeholder hostname (which never actually gets sent on the wire).
+  At all call sites with an explicit 0 len, pass an appropriate nonzero
+  len.
   
-  Closes #6719
+  Closes #6954
 
-Daniel Gustafsson (12 Mar 2021)
-- cookies: Fix potential NULL pointer deref with PSL
-  
-  Curl_cookie_init can be called with data being NULL, and this can in turn
-  be passed to Curl_cookie_add, meaning that both functions must be careful
-  to only use data where it's checked for being a NULL pointer.  The libpsl
-  support code does however dereference data without checking, so if we are
-  indeed having an unset data pointer we cannot PSL check the cookiedomain.
-  
-  This is currently not a reachable dereference, as the only caller with a
-  NULL data isn't passing a file to initialize cookies from, but since the
-  API has this contract let's ensure we hold it.
+- [Ayushman Singh Chauhan brought this change]
+
+  docs: camelcase it like GitHub everywhere
   
-  Closes #6731
-  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+  Closes #6979
 
-Daniel Stenberg (12 Mar 2021)
-- [Michael Hordijk brought this change]
+Jay Satiro (27 Apr 2021)
+- [Lucas Servén Marín brought this change]
 
-  configure: only add OpenSSL paths if they are defined
+  docs: fix typo in fail-with-body doc
   
-  Add paths for OpenSSL compiling and linking only if they have been
-  defined.  If they haven't been defined, we'll assume that the paths are
-  already available to the toolchain.
+  This commit fixes a small typo in the documentation for the
+  --fail-with-body flag.
   
-  Closes #6730
+  Closes https://github.com/curl/curl/pull/6977
 
-Jay Satiro (12 Mar 2021)
-- retry.d: Clarify transient 5xx HTTP response codes
+- lib: fix some misuse of curlx_convert_UTF8_to_tchar
   
-  - Clarify the only 5xx response codes that are treated as transient are
-    500, 502, 503 and 504.
+  curlx_convert_UTF8_to_tchar must be freed by curlx_unicodefree, but
+  prior to this change some uses mistakenly called free.
   
-  Prior to this change it said it treated all 5xx as transient, but the
-  code says otherwise.
+  I've reviewed all other uses of curlx_convert_UTF8_to_tchar and
+  curlx_convert_tchar_to_UTF8.
   
-  Ref: https://github.com/curl/curl/blob/curl-7_75_0/src/tool_operate.c#L462-L495
+  Bug: https://github.com/curl/curl/pull/6602#issuecomment-825236763
+  Reported-by: sergio-nsk@users.noreply.github.com
   
-  Closes https://github.com/curl/curl/pull/6724
+  Closes https://github.com/curl/curl/pull/6938
 
-- retry-all-errors.d: Explain curl errors versus HTTP response errors
+Daniel Stenberg (27 Apr 2021)
+- ntlm: precaution against super huge type2 offsets
   
-  - Add a paragraph explaining that curl does not consider HTTP response
-    errors as curl errors, and how that behavior can be modified by using
-    --retry and --fail.
+  ... which otherwise caused an integer overflow and circumvented the if()
+  conditional size check.
   
-  The --retry-all-errors doc says "Retry on any error" which some users
-  may find misleading without the added explanation.
+  Detected by OSS-Fuzz
+  Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33720
+  Assisted-by: Max Dymond
+  Closes #6975
+
+- c-hyper: fix unused variable ‘wrote’
+
+- libcurl-security.3: be careful of setuid
   
-  Ref: https://curl.se/docs/faq.html#Why_do_I_get_downloaded_data_eve
-  Ref: https://curl.se/docs/faq.html#curl_doesn_t_return_error_for_HT
+  Reported-by: Harry Sintonen
+  Closes #6970
+
+- [Kevin Burke brought this change]
+
+  c-hyper: don't write to set.writeheader if null
   
-  Reported-by: Lawrence Gripper
+  Previously if a caller set CURLOPT_WRITEFUNCTION but did not set a
+  CURLOPT_HEADERDATA buffer, Hyper would still attempt to write headers to
+  the data->set.writeheader header buffer, even though it is null.  This
+  led to NPE segfaults attempting to use libcurl+Hyper with Git, for
+  example.
   
-  Fixes https://github.com/curl/curl/issues/6712
-  Closes https://github.com/curl/curl/pull/6720
+  Instead, process the client write for the status line using the same
+  logic we use to process the client write for the later HTTP headers,
+  which contains the appropriate guard logic. As a side benefit,
+  data->set.writeheader is now only read in one file instead of two.
+  
+  Fixes #6619
+  Fixes abetterinternet/crustls#49
+  Fixes hyperium/hyper#2438
+  Closes #6971
 
-Daniel Stenberg (11 Mar 2021)
-- travis: switch ngtcp2 build over to quictls
+- wolfssl: handle SSL_write() returns 0 for error
   
-  The ngtcp2 project switched over to using the quictls OpenSSL fork
-  instead of their own patched OpenSSL. We follow suit.
+  Reported-by: Timo Lange
   
-  Closes #6729
-
-- test220/314: adjust to run with Hyper
+  Closes #6967
 
-- c-hyper: support automatic content-encoding
+- easy: ignore sigpipe in curl_easy_send
   
-  Closes #6727
+  Closes #6965
 
-- http: remove superfluous NULL assign
+- sigpipe: ignore SIGPIPE when using wolfSSL as well
   
-  Closes #6727
+  Closes #6966
 
-- tool_operate: bail if set CURLOPT_HTTP09_ALLOWED returns error
+- libcurl-security.3: don't try to filter IPv4 hosts based on the URL
   
-  Closes #6727
+  Closes #6942
 
-- setopt: error on CURLOPT_HTTP09_ALLOWED set true with Hyper
-  
-  Not supported.
-  
-  Closes #6727
+- [Harry Sintonen brought this change]
 
-- test306: make it not run with Hyper
+  nss_set_blocking: avoid static for sock_opt
   
-  ... as it tests HTTP/0.9 which Hyper doesn't support.
+  Reviewed-by: Kamil Dudka
+  Closes #6945
 
-- test304: header CRLF cleanup to work with Hyper
+- RELEASE-NOTES: synced
 
-- FTP: allow SIZE to fail when doing (resumed) upload
-  
-  Added test 362 to verify.
-  
-  Reported-by: Jordan Brown
-  Regression since 7ea2e1d0c5a7f (7.73.0)
-  Fixes #6715
-  Closes #6725
+- [Yusuke Nakamura brought this change]
 
-- configure: provide Largefile feature for curl-config
+  docs/HTTP3.md: fix nghttp2's HTTP/3 server port
   
-  ... as cmake now does it correctly, and make test1014 check for it
+  Port 8443 does not work now.
+  Correct origin is in the quicwg's wiki.
+  https://github.com/quicwg/base-drafts/wiki/Implementations#ngtcp2
   
-  Closes #6702
+  Closes #6964
 
-- config: remove CURL_SIZEOF_CURL_OFF_T use only SIZEOF_CURL_OFF_T
+- krb5: don't use 'static' to store PBSZ size response
   
-  Make the code consistently use a single name for the size of the
-  "curl_off_t" type.
+  ... because it makes the knowledge and usage cross-transfer in funny and
+  unexpected ways.
   
-  Closes #6702
+  Reported-by: Harry Sintonen
+  Closes #6963
 
-Jay Satiro (10 Mar 2021)
-- [Jun-ya Kato brought this change]
+- [Kevin Burke brought this change]
 
-  ngtcp2: Fix build error due to change in ngtcp2_addr_init
+  m4: add security frameworks on Mac when compiling rustls
   
-  ngtcp2/ngtcp2@b8d90a9 changed the function prototype.
+  Previously compiling rustls on Mac would only complete if you also
+  compiled the SecureTransport TLS backend, which curl would prefer to
+  the Rust backend.
   
-  Closes https://github.com/curl/curl/pull/6716
-
-Daniel Stenberg (10 Mar 2021)
-- [ejanchivdorj brought this change]
-
-  multi: update pending list when removing handle
+  Appending these flags to LDFLAGS makes it possible to compile the
+  Rustls backend on Mac without the SecureTransport backend, which means
+  this patch will make it possible for Mac users to use the Rustls
+  backend for TLS.
   
-  when removing a handle, most of the lists are updated but pending list
-  is not updated. Updating now.
+  Reviewed-by: Jacob Hoffman-Andrews
   
-  Closes #6713
-
-- [kokke brought this change]
+  Fixes #6955
+  Cloes #6956
 
-  lib1536: check ptr against NULL before dereferencing it
+- krb5: remove the unused 'overhead' function
   
-  Closes #6710
-
-- [kokke brought this change]
+  Closes #6947
 
-  lib1537: check ptr against NULL before dereferencing it
-  
-  Fixes #6707
-  Closes #6708
+- [Johann150 brought this change]
 
-- travis: make torture tests skip TLS-SRP tests
+  curl_url_set.3: add memory management information
   
-  ... as it seems to often hang.
+  wording taken from man page for CURLOPT_URL.3
   
-  Also: skip the "normal" tests as they're already run by many other
-  builds.
+  As far as I can see, the URL part is either malloc'ed before due to
+  encoding or it is strdup'ed.
   
-  Closes #6705
+  Closes #6953
 
-- openssl: adapt to v3's new const for a few API calls
-  
-  Closes #6703
+- [Jacob Hoffman-Andrews brought this change]
 
-- quiche: fix crash when failing to connect
+  c-hpyer: fix handling of zero-byte chunk from hyper
   
-  Reported-by: ウさん
-  Fixes #6664
-  Closes #6701
+  Closes #6951
 
-- RELEASE-NOTES: synced
+- CURLOPT_POSTFIELDS.3: clarify how it gets the size of the data
   
-  Fixed the release counter and added a missing contributor
+  Ref: https://curl.se/mail/lib-2021-04/0085.html
+  Closes #6943
 
-- RELEASE-NOTES: synced
+- [Ralph Langendam brought this change]
 
-- dynbuf: bump the max HTTP request to 1MB
-  
-  Raised from 128KB to allow longer request headers.
+  cmake: make libcurl output filename configurable
   
-  Reported-by: Carl Zogheib
-  Fixes #6681
-  Closes #6685
+  Reviewed-by: Jakub Zakrzewski
+  Closes #6933
 
-Jay Satiro (6 Mar 2021)
-- schannel: Evaluate CURLOPT_SSL_OPTIONS via SSL_SET_OPTION macro
-  
-  - Change use of those options from CURLOPT_SSL_OPTIONS that are not
-    already evaluated via SSL_SET_OPTION in schannel and secure transport
-    to use that instead of data->set.ssl.optname.
-  
-  Example:
-  
-  Evaluate SSL_SET_OPTION(no_revoke) instead of data->set.ssl.no_revoke.
+- [Patrick Monnerat brought this change]
+
+  vtls: reset ssl use flag upon negotiation failure
   
-  This change is because options set via CURLOPT_SSL_OPTIONS
-  (data->set.ssl.optname) are separate from those set for HTTPS proxy via
-  CURLOPT_PROXY_SSL_OPTIONS (data->set.proxy_ssl.optname). The
-  SSL_SET_OPTION macro determines whether the connection is for HTTPS
-  proxy and based on that which option to evaluate.
+  Fixes the segfault in ldaps disconnect.
   
-  Since neither Schannel nor Secure Transport backends currently support
-  HTTPS proxy in libcurl, this change is for posterity and has no other
-  effect.
+  Reported-by: Illarion Taev
+  Fixes #6934
+  Closes #6937
+
+- configure: fix typo in TLS error message
   
-  Closes https://github.com/curl/curl/pull/6690
+  Reported-by: Pontus Lundkvist
 
-- [kokke brought this change]
+- README: link to the commercial support option
 
-  c-hyper: Remove superfluous pointer check
+Jay Satiro (22 Apr 2021)
+- [Martin Halle brought this change]
+
+  version: add gsasl_version to curl_version_info_data
   
-  `n` pointer is never NULL once set. Found by static analysis.
+  - Add gsasl_version string and bump to CURLVERSION_TENTH.
   
-  Ref: https://github.com/curl/curl/issues/6696
+  Ref: https://curl.se/mail/lib-2021-04/0003.html
   
-  Closes https://github.com/curl/curl/pull/6697
+  Closes https://github.com/curl/curl/pull/6843
 
-- version.d: Add missing features to the features list
+- [Morten Minde Neergaard brought this change]
+
+  schannel: Support strong crypto option
   
-  - Add missing entries for gsasl, Kerberos, NTLM_WB, TrackMemory,
-    Unicode and zstd.
+  - Support enabling strong crypto via optional user cipher list when
+    USE_STRONG_CRYPTO or SCH_USE_STRONG_CRYPTO is in the list.
   
-  - Remove krb4 since it's no longer a feature.
+  MSDN says SCH_USE_STRONG_CRYPTO "Instructs Schannel to disable known
+  weak cryptographic algorithms, cipher suites, and SSL/TLS protocol
+  versions that may be otherwise enabled for better interoperability."
   
-  Reported-by: Ádler Jonas Gross
+  Ref: https://curl.se/mail/lib-2021-02/0066.html
+  Ref: https://curl.se/docs/manpage.html#--ciphers
+  Ref: https://curl.se/libcurl/c/CURLOPT_SSL_CIPHER_LIST.html
+  Ref: https://docs.microsoft.com/en-us/windows/win32/api/schannel/ns-schannel-schannel_cred
   
-  Fixes https://github.com/curl/curl/issues/6677
-  Closes https://github.com/curl/curl/pull/6687
+  Closes https://github.com/curl/curl/pull/6734
 
-- [Vladimir Varlamov brought this change]
+Daniel Stenberg (22 Apr 2021)
+- RELEASE-NOTES: synced
 
-  docs: add missing Arg tag to --stderr
+- ci: adapt to configure requiring an explicit TLS choice
+
+- configure: split out each TLS library detector into its own function
   
-  Prior to this change the required argument was not shown.
+  ... and put those functions in separate m4 files per TLS library.
+
+- configure: make the TLS library choice(s) explicit
   
-  curl.1 before: --stderr
-  curl.1 after: --stderr <file>
+  configure no longer tries to find a TLS library by default, but all
+  libraries are now equal: the user needs to explicitly ask what TLS
+  library or libraries to use.
   
-  curl --help before:
-       --stderr        Where to redirect stderr
+  If no TLS library is selected, configure will error out unless
+  --without-ssl is explicitly used to request a built without TLS (as that
+  is very rare these days).
   
-  curl --help after:
-       --stderr <file>  Where to redirect stderr
+  Removes: --with-winssl, --with-darwinssl and all --without-* options for
+  TLS libraries.
   
-  Closes https://github.com/curl/curl/pull/6692
+  Closes #6897
 
-- projects: Update VS projects for OpenSSL 1.1.x
+- tests/disable-scan.pl: also scan all m4 files
   
-  - Update VS project templates to use the OpenSSL lib names and include
-    directories for OpenSSL 1.1.x.
+  Fixes test 1165 when functions are moved from configure.ac to files in
+  m4/
+
+Jay Satiro (22 Apr 2021)
+- schannel: Disable auto credentials; add an option to enable it
   
-  This change means the VS project files will now build only with OpenSSL
-  1.1.x when an OpenSSL configuration is chosen. Prior to this change the
-  project files built only with OpenSSL 1.0.x (end-of-life) when an
-  OpenSSL configuration was chosen.
+  - Disable auto credentials by default. This is a breaking change
+    for clients that are using it, wittingly or not.
   
-  The template changes in this commit were made by script:
+  - New libcurl ssl option value CURLSSLOPT_AUTO_CLIENT_CERT tells libcurl
+    to automatically locate and use a client certificate for
+    authentication, when requested by the server.
   
-  libeay32.lib => libcrypto.lib
-  ssleay32.lib => libssl.lib
-  ..\..\..\..\..\openssl\inc32 => ..\..\..\..\..\openssl\include
+  - New curl tool options --ssl-auto-client-cert and
+    --proxy-ssl-auto-client-cert map to CURLSSLOPT_AUTO_CLIENT_CERT.
   
-  And since the output directory now contains the includes it's prepended:
-  ..\..\..\..\..\openssl\build\Win{32,64}\VC{6..15}\{DLL,LIB}
-  {Debug,Release}\include
+  This option is only supported for Schannel (the native Windows SSL
+  library). Prior to this change Schannel would, with no notification to
+  the client, attempt to locate a client certificate and send it to the
+  server, when requested by the server. Since the server can request any
+  certificate that supports client authentication in the OS certificate
+  store it could be a privacy violation and unexpected.
   
-  - Change build-openssl.bat to copy the build's include directory to the
-    output directory (as seen above).
+  Fixes https://github.com/curl/curl/issues/2262
+  Reported-by: Jeroen Ooms
+  Assisted-by: Wes Hinsley
+  Assisted-by: Rich FitzJohn
   
-  Each build has its own opensslconf.h which is different so we can't just
-  include the source include directory any longer.
+  Ref: https://curl.se/mail/lib-2021-02/0066.html
+  Reported-by: Morten Minde Neergaard
   
-  Note the include directory in the output directory is a full copy from
-  the build so technically we don't need to include the OpenSSL source
-  include directory in the template. However, I left it last in case the
-  user made a custom OpenSSL build using the old method which would put
-  opensslconf in the OpenSSL source include directory.
+  Closes https://github.com/curl/curl/pull/6673
+
+Daniel Stenberg (22 Apr 2021)
+- [Michał Antoniak brought this change]
+
+  vtls: deduplicate some DISABLE_PROXY ifdefs
   
-  - Change build-openssl.bat to use a temporary install directory that is
-    different from the temporary build directory.
+  continue from #5735
   
-  For OpenSSL 1.1.x the temporary paths must be separate not a descendant
-  of the other, otherwise pdb files will be lost between builds.
+  - using SSL_HOST_NAME, SSL_HOST_DISPNAME, SSL_PINNED_PUB_KEY for other
+    tls backend
   
-  Ref: https://curl.se/mail/lib-2018-10/0049.html
-  Ref: https://gist.github.com/jay/125191c35bbeb894444eff827651f755
-  Ref; https://github.com/openssl/openssl/issues/10005
+  - create SSL_HOST_PORT
   
-  Fixes https://github.com/curl/curl/issues/984
-  Closes https://github.com/curl/curl/pull/6675
+  Closes #6660
 
-- doh: Inherit CURLOPT_STDERR from user's easy handle
+Jay Satiro (22 Apr 2021)
+- OS400: fix typo
   
-  Prior to this change if the user set their easy handle's error stream
-  to something other than stderr it was not inherited by the doh handles,
-  which meant that they would still write to the default standard error
-  stream (stderr) for verbose output.
+  CURLVERSION_HEIGHTH -> CURLVERSION_EIGHTH
+
+Daniel Stenberg (22 Apr 2021)
+- checksrc: complain on == NULL or != 0 checks in conditions
   
-  Bug: https://github.com/curl/curl/issues/6605
-  Reported-by: arvids-kokins-bidstack@users.noreply.github.com
+  ... to make them all consistenly use if(!var) and if(var)
   
-  Closes https://github.com/curl/curl/pull/6661
+  Also added a few missing warnings to the documentation.
+  
+  Closes #6912
 
-Marc Hoersken (1 Mar 2021)
-- CI/azure: replace python-impacket with python3-impacket
+- tidy-up: make conditional checks more consistent
   
-  As of this month Azure DevOps uses Ubuntu 20.04 LTS which
-  no longer supports Python 2 and instead ships Python 3.
+  ... remove '== NULL' and '!= 0'
   
-  Closes #6678
+  Closes #6912
 
-- runtests.pl: kill processes locking test log files
+- [Patrick Monnerat brought this change]
+
+  vauth: factor base64 conversions out of authentication procedures
+  
+  Input challenges and returned messages are now in binary.
+  Conversions from/to base64 are performed by callers (currently curl_sasl.c
+  and http_ntlm.c).
+  
+  Closes #6654
+
+- [Patrick Monnerat brought this change]
+
+  bufref: buffer reference support
+  
+  A struct bufref holds a buffer pointer, a data size and a destructor.
+  When freed or its contents are changed, the previous buffer is implicitly
+  released by the associated destructor. The data size, although not used
+  internally, allows binary data support.
+  
+  A unit test checks its handling methods: test 1661
+  
+  Closes #6654
+
+- [Patrick Monnerat brought this change]
+
+  os400: additional support for options metadata
+  
+  New functions curl_easy_option_by_name_ccsid() and
+  curl_easy_option_get_name_ccsid() allows accessing metadata in alternate
+  character encoding.
+  
+  This commit also updates curl_version_info_ccsid() to handle info version 9
+  and adds recent definitions to the ILE/RPG include file.
+  
+  Documentation updated accordingly.
+  
+  Reviewed-by: Jon Rumsey
+  Closes #6574
+
+- [Patrick Monnerat brought this change]
+
+  test server: take care of siginterrupt() deprecation
+  
+  Closes #6529
+
+Marc Hoersken (21 Apr 2021)
+- lib1564.c: enable last wakeup test part on Windows
+  
+  Suggested-by: Gergely Nagy
+  Reviewed-by: Jay Satiro
+  Reviewed-by: Marcel Raad
+  
+  Closes #6245
+
+- multi: fix slow write/upload performance on Windows
+  
+  Reset FD_WRITE by sending zero bytes which is permissible
+  and will be treated by implementations as successful send.
+  
+  Without this we won't be notified in case a socket is still
+  writable if we already received such a notification and did
+  not send any data afterwards on the socket. This would lead
+  to waiting forever on a writable socket being writable again.
+  
+  Assisted-by: Tommy Odom
+  Reviewed-by: Jay Satiro
+  Reviewed-by: Marcel Raad
+  Tested-by: tmkk on github
+  
+  Bug: #6146
+  Closes #6245
+
+- multi: reduce Win32 API calls to improve performance
+  
+  1. Consolidate pre-checks into a single Curl_poll call:
+  
+  This is an attempt to restructure the code in Curl_multi_wait
+  in such a way that less syscalls are made by removing individual
+  calls to Curl_socket_check via SOCKET_READABLE/SOCKET_WRITABLE.
+  
+  2. Avoid resetting the WinSock event multiple times:
+  
+  We finally call WSAResetEvent anyway, so specifying it as
+  an optional parameter to WSAEnumNetworkEvents is redundant.
+  
+  3. Wakeup directly in case no sockets are being monitoring:
+  
+  Fix the WinSock based implementation to skip extra waiting by
+  not sleeping in case no sockets are to be waited on and just
+  the WinSock event is being monitored for wakeup functionality.
+  
+  Assisted-by: Tommy Odom
+  Reviewed-by: Jay Satiro
+  Reviewed-by: Marcel Raad
+  
+  Bug: #6146
+  Closes #6245
+
+- Revert "Revert 'multi: implement wait using winsock events'"
+  
+  This reverts commit 2260e0ebe6d45529495231b3e37a0c58fb92a6a2,
+  also restoring previous follow up changes which were reverted.
+  
+  Authored-by: rcombs on github
+  Authored-by: Marc Hörsken
+  Reviewed-by: Jay Satiro
+  Reviewed-by: Marcel Raad
+  
+  Restores #5634
+  Reverts #6281
+  Part of #6245
+
+Daniel Stenberg (21 Apr 2021)
+- Revert "cmake: make libcurl library output name configurable"
+  
+  This reverts commit 1cba36d2166c396f987eea587cf92671b27acb92.
+  
+  CMake provides properties that can be set on a target to rename the
+  output artifact without changing the name of a target.
+  
+  Ref: #6899
+
+- [Michael Kolechkin brought this change]
+
+  sectransp: allow cipher name to be specified
+  
+  Add parser for CURLOPT_SSL_CIPHER_LIST option for Secure Transport (ST)
+  back-end. Similar to NSS and GSKit back-ends, new code parses string
+  value and configures ST library to use those ciphers for communication.
+  Create cipher spec data structure and initialize the array of specs with
+  cipher number, name, alias, and 'weak' flag.
+  
+  Mark triple-DES ciphers as 'weak', and exclude them from the default
+  ciphers list.
+  
+  Closes #6464
+
+- [Michael Kolechkin brought this change]
+
+  NSS: add ciphers to map
+  
+  Add cipher names to the `cipherlist` map, based on the list of ciphers
+  implemented by the NSS in the source code file
+  https://github.com/nss-dev/nss/blob/master/lib/ssl/sslenum.c
+  
+  Closes #6670
+
+- http2: remove DEBUG_HTTP2
+  
+  Accidentally committed in 605e84235
+
+- [Ralph Langendam brought this change]
+
+  cmake: make libcurl library output name configurable
+  
+  Closes #6899
+
+- sws: #ifdef S_IFSOCK use
+  
+  SCO OpenServer 5.0.7 does not define S_IFSOCK.
+  
+  Reported-by: Kevin R. Bulgrien
+  Bug: https://curl.se/mail/lib-2021-04/0074.html
+  Closes #6926
+
+- curl_setup: provide the shutdown flags wider
+  
+  By using #ifdef on the symbol names to work on anything that don't
+  provide them. SCO OpenServer 5.0.7, sys/socket.h does not define either
+  SHUT_RDWR, SHUT_RD, and SHUT_WR.
+  
+  Reported-by: Kevin R. Bulgrien
+  Bug: https://curl.se/mail/lib-2021-04/0073.html
+  Closes #6925
+
+- connect: use CURL_SA_FAMILY_T for portability
+  
+  Reported-by: Kevin R. Bulgrien
+  Bug: https://curl.se/mail/lib-2021-04/0071.html
+  
+  Closes #6918
+
+- urlapi: make sure no +/- signs are accepted in IPv4 numericals
+  
+  Follow-up to 56a037cc0ad1b2. Extends test 1560 to verify.
+  
+  Reported-by: Tuomas Siipola
+  Fixes #6916
+  Closes #6917
+
+- ConnectionExists: respect requests for h1 connections better
+  
+  ... for situations when multiplexing isn't enabled on the h2 connection
+  and h1 is explicitly requested for the transfer.
+  
+  Assisted-by: Gergely Nagy
+
+- multi: don't close connection HTTP_1_1_REQUIRED
+  
+  The ConnectionExists() function will note that the new transfer wants
+  less then h2 and that it can't multiplex it and therefor opt to open a
+  new connection instead.
+
+- http2: move the stream error field to the per-transfer storage
+  
+  Storing a stream error in the per-connection struct was an error that lead to
+  race conditions as subsequent stream handling could overwrite the error code
+  before it was used for the stream with the actual problem.
+  
+  Closes #6910
+
+- http2: call the handle-closed function correctly on closed stream
+  
+  This was this one condition where the stream could be closed due to an
+  error and the function would still wrongly just return 0 for it.
+  
+  Reported-by: Gergely Nagy
+  Fixes #6862
+  Closes #6910
+
+- test1660: check the created HSTS file as text mode
+  
+  Closes #6922
+
+- RELEASE-NOTES: synced
+
+- test 493: require https in curl to run
+  
+  Closes #6927
+
+Jay Satiro (20 Apr 2021)
+- tool_operate: don't discard failed parallel transfer result
+  
+  - Save a parallel transfer's result code only when it fails and the
+    transfer is not being retried.
+  
+  Prior to this change the result code was always set which meant that a
+  failed result could be erroneously discarded if a different transfer
+  later had a successful result (CURLE_OK).
+  
+  Before:
+  
+  > curl --fail -Z https://httpbin.org/status/404 https://httpbin.org/delay/10
+  > echo %ERRORLEVEL%
+  0
+  
+  After:
+  
+  > curl --fail -Z https://httpbin.org/status/404 https://httpbin.org/delay/10
+  > echo %ERRORLEVEL%
+  22
+  
+  Closes #xxxx
+
+- [Georeth Zhou brought this change]
+
+  openssl: fix build error with OpenSSL < 1.0.2
+  
+  Closes https://github.com/curl/curl/pull/6920
+
+Viktor Szakats (19 Apr 2021)
+- README.md: delete Codacy UTM parameters & follow permanent redirect [ci skip]
+  
+  UTM parameters leak referrer and various marketing/tracking information
+  even if these would normally be stripped by website or client policy.
+  This link also works fine without them. Also took the opportunity to
+  update the URL to the one pointed to by the previous one via permanent
+  redirect.
+  
+  Reviewed-by: Daniel Stenberg
+  Closes #6919
+
+Daniel Stenberg (19 Apr 2021)
+- urlapi: "normalize" numerical IPv4 host names
+  
+  When the host name in a URL is given as an IPv4 numerical address, the
+  address can be specified with dotted numericals in four different ways:
+  a32, a.b24, a.b.c16 or a.b.c.d and each part can be specified in
+  decimal, octal (0-prefixed) or hexadecimal (0x-prefixed).
+  
+  Instead of passing on the name as-is and leaving the handling to the
+  underlying name functions, which made them not work with c-ares but work
+  with getaddrinfo, this change now makes the curl URL API itself detect
+  and "normalize" host names specified as IPv4 numericals.
+  
+  The WHATWG URL Spec says this is an okay way to specify a host name in a
+  URL. RFC 3896 does not allow them, but curl didn't prevent them before
+  and it seems other RFC 3896-using tools have not either. Host names used
+  like this are widely supported by other tools as well due to the
+  handling being done by getaddrinfo and friends.
+  
+  I decided to add the functionality into the URL API itself so that all
+  users of these functions get the benefits, when for example wanting to
+  compare two URLs. Also, it makes curl built to use c-ares now support
+  them as well and make curl builds more consistent.
+  
+  The normalization makes HTTPS and virtual hosted HTTP work fine even
+  when curl gets the address specified using one of the "obscure" formats.
+  
+  Test 1560 is extended to verify.
+  
+  Fixes #6863
+  Closes #6871
+
+- libssh: fix "empty expression statement has no effect" warnings
+  
+  ... by fixing macros to do-while constructs and moving out the calls to
+  "break" outside of the actual macro. It also fixes the problem where the
+  macro was used witin a loop and the break didn't do right.
+  
+  Reported-by: Emil Engler
+  Fixes #6847
+  Closes #6909
+
+- hsts: enable by default
+  
+  No longer considered experimental.
+  
+  Closes #6700
+
+- vtls: refuse setting any SSL version
+  
+  ... previously they were supported if a TLS library would (unexpectedly)
+  still support them, but from this change they will be refused already in
+  curl_easy_setopt(). SSLv2 and SSLv3 have been known to be insecure for
+  many years now.
+  
+  Closes #6773
+
+- curl: ignore options asking for SSLv2 or SSLv3
+  
+  Instead output a warning about it and continue with the defaults.
+  
+  These SSL versions are typically not supported by the TLS libraries since a
+  long time back already since they are inherently insecure and broken. Asking
+  for them to be used will just cause an error to be returned slightly later.
+  
+  In the unlikely event that a user's TLS library actually still supports these
+  protocol versions, this change might make the request a little less insecure.
   
-  Introduce a new runtests.pl command option: -rm
+  Closes #6772
+
+- test972: verify the json output with jsonlint
   
-  For now only required and implemented for Windows.
-  Ignore stunnel logs due to long running processes.
+  Make sure one of the azure jobs has jsonlint installed so that the test
+  runs there.
   
-  Requires Sysinternals handle[64].exe to be on PATH.
+  Ref: #6905
+
+- [Jay Satiro brought this change]
+
+  tool_writeout: fix the HTTP_CODE json output
   
-  Reviewed-by: Jay Satiro
+  Update test 970 accordingly.
   
-  Ref: #6058
-  Closes #6179
+  Reported-by: Michal Rus
+  Fixes #6905
+  Closes #6906
 
-- pathhelp.pm: fix use of pwd -L in Msys environment
+- openldap: protect SSL-specific code with proper #ifdef
   
-  While Msys2 has a pwd binary which supports -L,
-  Msys1 only has a shell built-in with that feature.
+  Closes #6901
+
+- libssh2: fix Value stored to 'sshp' is never read
   
-  Reviewed-by: Jay Satiro
+  Pointed out by scan-build
   
-  Part of #6179
+  Closes #6900
 
-Daniel Gustafsson (1 Mar 2021)
-- ldap: use correct memory free function
+- [Victor Vieux brought this change]
+
+  tool_getparam: replace (in-place) '%20' by '+' according to RFC1866
   
-  unescaped is coming from Curl_urldecode and not a unicode conversion
-  function, so reclaiming its memory should be performed with a normal
-  call to free rather than curlx_unicodefree.  In reality, this is the
-  same thing as curlx_unicodefree is implemented as a call to free but
-  that's not guaranteed to always hold.  Using the curlx macro present
-  issues with memory debugging as well.
+  Signed-off-by: Victor Vieux <victorvieux@gmail.com>
   
-  Closes #6671
-  Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
-  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+  Closes #6895
 
-- url: fix typo in comment
+- configure: provide --with-openssl, deprecate --with-ssl
   
-  Correct a small typo which snuck in with a304051620.
+  Makes the option more explicit.
+  
+  Closes #6887
 
-Jay Satiro (28 Feb 2021)
-- tool_help: Increase space between option and description
+- RELEASE-NOTES: synced
   
-  - Increase the minimum number of spaces between the option and the
-    description from 1 to 2.
+  and bumped curlver to 7.77.0
+
+- [Javier Blazquez brought this change]
+
+  rustls: only return CURLE_AGAIN when TLS session is fully drained
   
-  Before:
-  ~~~
-   -u, --user <user:password> Server user and password
-   -A, --user-agent <name> Send User-Agent <name> to server
-   -v, --verbose       Make the operation more talkative
-   -V, --version       Show version number and quit
-   -w, --write-out <format> Use output FORMAT after completion
-       --xattr         Store metadata in extended file attributes
-  ~~~
+  The code in cr_recv was returning prematurely as soon as the socket
+  reported no more data to read. However, this could be leaving some
+  unread plaintext data in the rustls session from a previous call,
+  causing causing the transfer to hang if the socket never receives
+  further data.
   
-  After:
-  ~~~
-   -u, --user <user:password>  Server user and password
-   -A, --user-agent <name>  Send User-Agent <name> to server
-   -v, --verbose       Make the operation more talkative
-   -V, --version       Show version number and quit
-   -w, --write-out <format>  Use output FORMAT after completion
-       --xattr         Store metadata in extended file attributes
-  ~~~
+  We need to ensure that the session is fully drained of plaintext data
+  before returning CURLE_AGAIN to the caller.
   
-  Closes https://github.com/curl/curl/pull/6674
+  Reviewed-by: Jacob Hoffman-Andrews
+  Closes #6894
 
-Daniel Stenberg (27 Feb 2021)
-- curl: set CURLOPT_NEW_FILE_PERMS if requested
+- cookie: CURLOPT_COOKIEFILE set to NULL switches off cookies
   
-  The --create-file-mode code logic accepted the value but never actually
-  passed it on to libcurl!
+  Add test 676 to verify that setting CURLOPT_COOKIEFILE to NULL again clears
+  the cookiejar from memory.
   
-  Follow-up to a7696c73436f (shipped in 7.75.0)
-  Reported-by: Johannes Lesr
-  Fixes #6657
-  Closes #6666
+  Reported-by: Stefan Karpinski
+  Fixes #6889
+  Closes #6891
 
-- tool_operate: check argc before accessing argv[1]
+Version 7.76.1 (14 Apr 2021)
+
+Daniel Stenberg (14 Apr 2021)
+- RELEASE-NOTES: synced
   
-  Follow-up to 09363500b
-  Reported-by: Emil Engler
-  Reviewed-by: Daniel Gustafsson
-  Closes #6668
+  curl 7.76.1 release
 
-Daniel Gustafsson (26 Feb 2021)
-- [Jean-Philippe Menil brought this change]
+- THANKS: add names from 7.76.1
 
-  openssl: remove get_ssl_version_txt in favor of SSL_get_version
+- misc: update copyright year ranges to match latest updates
+
+- [Tatsuhiro Tsujikawa brought this change]
+
+  ngtcp2: Use ALPN h3-29 for now
   
-  openssl: use SSL_get_version to get connection protocol
+  Fixes #6864
+  Cloes #6886
+
+Jay Satiro (11 Apr 2021)
+- TODO: remove 18.22 --fail-with-body
   
-  Replace our bespoke get_ssl_version_txt in favor of SSL_get_version.
-  We can get rid of few lines of code, since SSL_get_version achieve
-  the exact same thing
+  --fail-with-body was added in 8a964cb (precedes curl-7_76_0).
+
+Daniel Stenberg (10 Apr 2021)
+- [Jürgen Gmach brought this change]
+
+  src/tool_vms.c: remove duplicated word in comment
   
-  Closes #6665
-  Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
-  Signed-off-by: Jean-Philippe Menil <jpmenil@gmail.com>
+  Closes #6881
 
-- gnutls: Fix nettle discovery
+- configure: fix CURL_DARWIN_CFLAGS use
   
-  Commit e06fa7462ac258c removed support for libgcrypt leaving only
-  support for nettle which has been the default crypto library in
-  GnuTLS for a long time. There were however a few conditionals on
-  USE_GNUTLS_NETTLE which cause compilation errors in the metalink
-  code (as it used the gcrypt fallback instead as a result). See the
-  below autobuild for an example of the error:
+  The macro name change was not completely done.
   
-    https://curl.se/dev/log.cgi?id=20210225123226-30704#prob1
+  Follow-up to 5d2c384452543c
+  Bug: https://github.com/curl/curl/commit/5d2c384452543c7b6c9fb02eaa0afc84fd5ab941#commitcomment-49315187
+  Reported-by: Marcel Raad
+  Closes #6878
+
+- [Anthony Shaw brought this change]
+
+  github/workflow: add "security-extended" to codeql-analysis.yml
   
-  This removes all uses of USE_GNUTLS_NETTLE and also removes the
-  gcrypt support from the metalink code while at it.
+  Extends the CodeQL code scan.
   
-  Closes #6656
-  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+  Closes #6815
 
-- cookies: Support multiple -b parameters
+- [Jochem Broekhoff brought this change]
+
+  examples/hiperfifo.c: check event_initialized before delete
   
-  Previously only a single -b cookie parameter was supported with the last
-  one winning.  This adds support for supplying multiple -b params to have
-  them serialized semicolon separated.  Both cookiefiles and cookies can be
-  entered multiple times.
+  If event_del is called with the event struct (still) zeroed out, a
+  segmentation fault may occur.  event_initialized checks whether the
+  event struct is nonzero.
   
-  Closes #6649
-  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+  Closes #6876
 
-Daniel Stenberg (25 Feb 2021)
-- build: remove all traces of USE_BLOCKING_SOCKETS
+- [Patrick Monnerat brought this change]
+
+  ntlm: fix negotiated flags usage
   
-  libcurl doesn't behave properly with the define set
+  According to Microsoft document MS-NLMP, current flags usage is not
+  accurate: flag NTLMFLAG_NEGOTIATE_NTLM2_KEY controls the use of
+  extended security in an NTLM authentication message and NTLM version 2
+  cannot be negotiated within the protocol.
   
-  Closes #6655
+  The solution implemented here is: if the extended security flag is set,
+  prefer using NTLM version 2 (as a server featuring extended security
+  should also support version 2). If version 2 has been disabled at
+  compile time, use extended security.
+  
+  Tests involving NTLM are adjusted to this new behavior.
+  
+  Fixes #6813
+  Closes #6849
 
-- RELEASE-NOTES: synced
+- [Patrick Monnerat brought this change]
 
-Daniel Gustafsson (25 Feb 2021)
-- docs: Fix typos
+  ntlm: support version 2 on 32-bit platforms
   
-  Random typos spotted when skimming docs.
+  Closes #6849
 
-- cookies: Use named parameters in header prototypes
-  
-  Align header with project style of using named parameters in the
-  function prototypes to aid readability and self-documentation.
-  
-  Closes #6653
-  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+- [Patrick Monnerat brought this change]
 
-Daniel Stenberg (24 Feb 2021)
-- urldata: make 'actions[]' use unsigned char instead of int
+  curl_ntlm_core.h: simplify conditionals for USE_NTLM2SESSION
   
-  ... as it only needs a few bits per index anyway.
+  ... as !defined(CURL_DISABLE_CRYPTO_AUTH) is a prerequisite for the
+  whole NTLM.
   
-  Reviewed-by: Daniel Gustafsson
-  Closes #6648
+  Closes #6849
 
-- configure: fail if --with-quiche is used and quiche isn't found
+- lib: remove unused HAVE_INET_NTOA_R* defines
   
-  Closes #6652
+  Closes #6867
 
-- [Gregor Jasny brought this change]
+- [Michael Forney brought this change]
 
-  cmake: use CMAKE_INSTALL_INCLUDEDIR indirection
+  configure: include <time.h> unconditionally
+  
+  In 2682e5f5, several instances of AC_HEADER_TIME were removed since
+  it is a deprecated autoconf macro. However, this was the macro that
+  defined TIME_WITH_SYS_TIME, which was used to indicate that <time.h>
+  can be included alongside <sys/time.h>. TIME_WITH_SYS_TIME is still
+  used in the configure test body and since it is no longer defined,
+  <time.h> is *not* included on systems that have <sys/time.h>.
+  
+  In particular, at least on musl libc and glibc, <sys/time.h> does
+  not implicitly include <time.h> and does not declare clock_gettime,
+  gmtime_r, or localtime_r. This causes configure to fail to detect
+  those functions.
+  
+  The AC_HEADER_TIME macro deprecation text says
+  
+  > All current systems provide time.h; it need not be checked for.
+  > Not all systems provide sys/time.h, but those that do, all allow
+  > you to include it and time.h simultaneously.
+  
+  So, to fix this issue, simply include <time.h> unconditionally when
+  testing for time-related functions and in libcurl, and don't bother
+  checking for it.
   
-  Reviewed-by: Sergei Nikulov
-  Closes #6440
+  Closes #6859
 
-Viktor Szakats (23 Feb 2021)
-- mingw: enable using strcasecmp()
+- [Michael Forney brought this change]
+
+  configure: remove use of RETSIGTYPE
   
-  This makes the 'Features:' list sorted case-insensitively,
-  bringing output in-line with *nix builds.
+  This was previously defined by the obsolete AC_TYPE_SIGNAL macro,
+  which was removed in 2682e5f5. The deprecation text says
   
-  Reviewed-by: Jay Satiro
-  Closes #6644
-
-- build: delete unused feature guards
+  > Your code may safely assume C89 semantics that RETSIGTYPE is void.
   
-  - `HAVE_STRNCASECMP`
-  - `HAVE_TCGETATTR`
-  - `HAVE_TCSETATTR`
+  So, remove it and just use void instead.
   
-  Reviewed-by: Jay Satiro
-  Reviewed-by: Daniel Stenberg
-  Closes #6645
+  Closes #6861
 
-Jay Satiro (23 Feb 2021)
-- docs: add CURLOPT_CURLU to 'See also' in curl_url_ functions
+- [Muhammed Yavuz Nuzumlalı brought this change]
+
+  install: add instructions for Apple Darwin platforms
   
-  Closes https://github.com/curl/curl/pull/6639
+  Closes #6860
 
-Daniel Stenberg (23 Feb 2021)
-- [Jacob Hoffman-Andrews brought this change]
+- [Muhammed Yavuz Nuzumlalı brought this change]
 
-  configure: make hyper opt-in, and fail if missing
-  
-  Previously, configure would look for hyper by default, and use it if
-  found; otherwise it would not use hyper, and not error.
-  
-  Now, configure will not look for hyper unless --with-hyper is passed. If
-  configure looks for hyper and fails, it will error.
-  
-  Also, add -ld -lpthread -lm to Hyper's libs. I think they are required.
+  configure: disable min version set for Darwin
   
-  Closes #6598
+  Fixes #6838
+  Closes #6860
 
-- multi: do once-per-transfer inits in before_perform in DID state
-  
-  ... since the state machine might go to RATELIMITING and then back to
-  PERFORMING doing once-per-transfer inits in that function is wrong and
-  it caused problems with receiving chunked HTTP and it set the
-  PRETRANSFER time much too often...
+- [David Hu brought this change]
+
+  docs/HTTP3.md: update the build instruction using gnutls
   
-  Regression from b68dc34af341805aeb7b3715 (shipped in 7.75.0)
+  In ngtcp2 the `with-gnutls` option is disabled by default, which will
+  cause `curl` unable to be `make` because of lacking the libraries
+  needed.
   
-  Reported-by: Amaury Denoyelle
-  Fixes #6640
-  Closes #6641
+  Closes #6857
 
 - RELEASE-NOTES: synced
 
-- CODE_STYLE.md: fix broken link to INTERNALS
+- typecheck-gcc: make the ssl-ctx-cb check use SSL_CTX pointers
   
-  ... the link would only work if browsed on GitHub, while this link now
-  takes the user to the website instead and thus should work on either.
+  ... and not values.
   
-  Reported-by: David Demelier
+  Reported-by: locpyl-tidnyd on github
+  Fixes #6818
+  Closes #6819
 
-- curl_url_set.3: mention CURLU_PATH_AS_IS
-  
-  ... it has been supported since the URL API was added.
+- ngtcp2+gnutls: clear credentials when freed
   
-  Bug: https://curl.se/mail/lib-2021-02/0046.html
+  ... to avoid double-free.
   
-  Closes #6638
+  Reported-by: Kenneth Davidson
+  Fixes #6824
+  Closes #6856
 
-Viktor Szakats (21 Feb 2021)
-- time: enable 64-bit time_t in supported mingw environments
-  
-  (Unless 32-bit `time_t` is selected manually via the `_USE_32BIT_TIME_T`
-  mingw macro.)
-  
-  Previously, 64-bit `time_t` was enabled on VS2005 and newer only, and
-  32-bit `time_t` was used on all other Windows builds.
-  
-  Assisted-by: Jay Satiro
-  Closes #6636
+Jay Satiro (5 Apr 2021)
+- [Cherish98 brought this change]
 
-Jay Satiro (20 Feb 2021)
-- test1188: Check for --fail HTTP status
+  tool_progress: Fix progress meter in parallel mode
   
-  - Change the test to check for curl error on HTTP 404 Not Found.
+  Make sure the total amount of DL/UL bytes are counted before the
+  transfer finalizes. Otherwise if a transfer finishes too quick, its
+  total numbers are not added, and results in a DL%/UL% that goes above
+  100%.
   
-  test1188 tests "--write-out with %{onerror} and %{urlnum} to stderr".
-  Prior to this change it did that by specifying a non-existent host which
-  would cause an error. ISPs may hijack DNS and resolve non-existent hosts
-  so the test would not work if that was the case.
+  Detail:
   
-  Ref: https://en.wikipedia.org/wiki/DNS_hijacking#Manipulation_by_ISPs
-  Ref: https://github.com/curl/curl/issues/6621
-  Ref: https://github.com/curl/curl/pull/6623
+  progress_meter() is called periodically, and it may not catch a
+  transfer's total bytes if the value was unknown during the last call,
+  and the transfer is finished and deleted (i.e., lost) during the next
+  call.
   
-  Closes https://github.com/curl/curl/pull/6637
+  Closes https://github.com/curl/curl/pull/6840
 
-- memdebug: close debug logfile explicitly on exit
-  
-  - Use atexit to register a dbg cleanup function that closes the logfile.
+- [Emil Engler brought this change]
+
+  libssh: get rid of PATH_MAX
   
-  LeakSantizier (LSAN) calls _exit() instead of exit() when a leak is
-  detected on exit so the logfile must be closed explicitly or data could
-  be lost. Though _exit() does not call atexit handlers such as this,
-  LSAN's call to _exit() comes after the atexit handlers are called.
+  This removes the last occurrence of PATH_MAX inside our libssh
+  implementation by calculating the path length from the string length of
+  the two components.
   
-  Prior to this change the logfile was not explicitly closed so it was
-  possible that if LSAN detected a leak and called _exit (which does
-  not flush or close files like exit) then the logfile could be missing
-  data. That could then cause curl's memanalyze to report false leaks
-  (eg a malloc was recorded to the logfile but the corresponding free was
-  discarded from the buffer instead of written to the logfile, then
-  memanalyze reports that as a leak).
+  Closes #6829
+
+Daniel Stenberg (5 Apr 2021)
+- http_proxy: only loop on 407 + close if we have credentials
   
-  Ref: https://github.com/google/sanitizers/issues/1374
+  ... to fix the retry-loop.
   
-  Bug: https://github.com/curl/curl/pull/6591#issuecomment-780396541
+  Add test 718 to verify.
   
-  Closes https://github.com/curl/curl/pull/6620
+  Reported-by: Daniel Kurečka
+  Fixes #6828
+  Closes #6850
 
-- curl_multibyte: always return a heap-allocated copy of string
-  
-  - Change the Windows char <-> UTF-8 conversion functions to return an
-    allocated copy of the passed in string instead of the original.
-  
-  Prior to this change the curlx_convert_ functions would, as what I
-  assume was an optimization, not make a copy of the passed in string if
-  no conversion was required. No conversion is required in non-UNICODE
-  Windows builds since our tchar strings are type char and remain in
-  whatever the passed in encoding is, which is assumed to be UTF-8 but may
-  be other encoding.
+- h2: allow 100 streams by default
   
-  In contrast the UNICODE Windows builds require conversion
-  (wchar <-> char) and do return a copy. That inconsistency could lead to
-  programming errors where the developer expects a copy, and does not
-  realize that won't happen in all cases.
+  instead of 13, before the server has told how many streams it
+  accepts. The server can always reject new streams anyway if we go above
+  what it accepts.
   
-  Closes https://github.com/curl/curl/pull/6602
+  Ref: #6826
+  Closes #6852
 
-Viktor Szakats (19 Feb 2021)
-- http: add new files missed from referrer commit
-  
-  Ref: 44872aefc2d54f297caf2b0cc887df321bc9d791
-  Ref: #6591
+- [Luke Granger-Brown brought this change]
 
-- http: add support to read and store the referrer header
-  
-  - add CURLINFO_REFERER libcurl option
-  - add --write-out '%{referer}' command-line option
-  - extend --xattr command-line option to fill user.xdg.referrer.url extended
-    attribute with the referrer (if there was any)
+  file: support GETing directories again
   
-  Closes #6591
-
-Daniel Stenberg (19 Feb 2021)
-- urldata: remove the _ORIG suffix from string names
+  After 957bc1881e686f9714c4e6a01bf33535091f0e21, we no longer compute an
+  expected_size for directories. This has the upshot that when we compare
+  even an empty Range with the available size, we fail.
   
-  It doesn't provide any useful info but only makes the names longer.
+  This brings back the previous behaviour, which was to succeed, but with
+  empty content. This also removes the "Accept-ranges: bytes" header,
+  which is nonsensical on directories.
   
-  Closes #6624
+  Adds test 3016
+  Fixes #6845
+  Closes #6846
 
-- url: fix memory leak if OOM in the HSTS handling
-  
-  Reported-by: Viktor Szakats
-  Bug: https://github.com/curl/curl/pull/6627#issuecomment-781626205
+- RELEASE-NOTES: synced
   
-  Closes #6628
+  and bumped to 7.76.1
 
-- gnutls: assume nettle crypto support
+- TLS: fix HTTP/2 selection
   
-  nettle has been the default crypto library with GnuTLS since 2010. By
-  dropping support for the previous libcrypto, we simplify code.
+  for GnuTLS, BearSSL, mbedTLS, NSS, SChannnel, Secure Transport and
+  wolfSSL...
   
-  Closes #6625
+  Regression since 88dd1a8a115b1f5ece (shipped in 7.76.0)
+  Reported-by: Kenneth Davidson
+  Reported-by: romamik om github
+  Fixes #6825
+  Closes #6827
 
-- asyn-ares: use consistent resolve error message
+Jay Satiro (2 Apr 2021)
+- hostip: Fix for builds that disable all asynchronous DNS
   
-  ... with the help of Curl_resolver_error() which now is moved from
-  asyn-thead.c and is provided globally for this purpose.
+  - Define Curl_resolver_error function only when USE_CURL_ASYNC.
   
-  Follow-up to 35ca04ce1b77636
+  Prior to this change building curl without an asynchronous resolver
+  backend (c-ares or threaded) and without DoH (DNS-over-HTTPS, which is
+  also asynchronous but independent of resolver backend) would cause a
+  build error since Curl_resolver_error is called by and evaluates
+  variables only available in asynchronous builds.
   
-  Makes test 1188 work for c-ares builds
+  Reported-by: Benbuck Nason
   
-  Closes #6626
+  Fixes https://github.com/curl/curl/issues/6831
+  Closes https://github.com/curl/curl/pull/6832
 
-Viktor Szakats (18 Feb 2021)
-- ci: stop building on freebsd-12-1
-  
-  An updated freebsd-12-2 image was added a few months ago, and this
-  older one is consistently failing to go past `pkginstall`:
-  ```
-  Newer FreeBSD version for package py37-mlt:
-  To ignore this error set IGNORE_OSVERSION=yes
-  - package: 1202000
-  - running kernel: 1201000
-  Ignore the mismatch and continue? [Y/n]: pkg: repository FreeBSD contains packages for wrong OS version: FreeBSD:12:amd64
-  ```
+Daniel Stenberg (31 Mar 2021)
+- [Gilles Vollant brought this change]
+
+  openssl: Fix CURLOPT_SSLCERT_BLOB without CURLOPT_SSLCERT_KEY
   
-  FreeBSD thread suggests that 12.1 is EOL, and best to avoid.
+  Reported-by: Christian Schmitz
+  Fixes #6816
+  Closes #6820
+
+Version 7.76.0 (31 Mar 2021)
+
+Daniel Stenberg (31 Mar 2021)
+- RELEASE-NOTES: synced
   
-  Ref: https://forums.freebsd.org/threads/78856/
+  curl 7.76.0 release
+
+- THANKS: added names from 7.76.0
+
+- CURLOPT_AUTOREFERER.3: clarify that it sets the full URL
   
-  Reviewed-by: Daniel Stenberg
-  Closes #6622
+  ... some users may not want that!
 
-Daniel Stenberg (18 Feb 2021)
-- test1188: change error from connect to resolve error
+- define: remove CURL_DISABLE_NTLM ifdefs
   
-  Using the %NOLISTENPORT to trigger a connection failure is somewhat
-  "risky" (since it isn't guaranteed to not be listened to) and caused
-  occasional CI problems. This fix changes the infused error to be a more
-  reliable one but still verifies the --write-out functionality properly -
-  which is the purpose of this test.
+  It was never defined anywhere. Fixed disable-scan (test 1165) to also
+  scan headers, which found this issue.
   
-  Reported-by: Jay Satiro
-  Fixes #6621
-  Closes #6623
+  Closes #6809
 
-- url.c: use consistent error message for failed resolve
+- vtls: fix addsessionid for non-proxy builds
+  
+  Follow-up to b09c8ee15771c61
+  Fixes #6812
+  Closes #6811
 
-- BUGS: language polish
+- [Li Xinwei brought this change]
 
-- wolfssl: don't store a NULL sessionid
-  
-  This caused a memory leak as the session id cache entry was still
-  erroneously stored with a NULL sessionid and that would later be treated
-  as not needed to get freed.
+  cmake: support WinIDN
   
-  Reported-by: Gisle Vanem
-  Fixes #6616
-  Closes #6617
+  Closes #6807
 
-- parse_proxy: fix a memory leak in the OOM path
+- transfer: clear 'referer' in declaration
   
-  Reported-by: Jay Satiro
-  Reviewed-by: Jay Satiro
-  Reviewed-by: Emil Engler
+  To silence (false positive) compiler warnings about it.
   
-  Closes #6614
-  Bug: https://github.com/curl/curl/pull/6591#issuecomment-780396541
+  Follow-up to 7214288898f5625
+  
+  Reviewed-by: Marcel Raad
+  Closes #6810
 
-Jay Satiro (17 Feb 2021)
-- url: fix possible use-after-free in default protocol
+- [Marc Hoersken brought this change]
+
+  config: fix SSPI enabling NTLM if crypto auth is disabled
   
-  Prior to this change if the user specified a default protocol and a
-  separately allocated non-absolute URL was used then it was freed
-  prematurely, before it was then used to make the replacement URL.
+  Avoid enabling NTLM feature based upon Windows SSPI
+  being enabled in case that crypto auth is disabled.
   
-  Bug: https://github.com/curl/curl/issues/6604#issuecomment-780138219
-  Reported-by: arvids-kokins-bidstack@users.noreply.github.com
+  Reported-by: Marcel Raad
   
-  Closes https://github.com/curl/curl/pull/6613
+  Follow-up to #6277
+  Fixes #6803
+  Closes #6808
 
-Daniel Stenberg (16 Feb 2021)
-- multi: rename the multi transfer states
+- HISTORY: add two 2021 events
+
+- vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid()
   
-  While working on documenting the states it dawned on me that step one is
-  to use more descriptive names on the states. This also changes prefix on
-  the states to make them shorter in the source.
+  To make sure we set and extract the correct session.
   
-  State names NOT ending with *ing are transitional ones.
+  Reported-by: Mingtao Yang
+  Bug: https://curl.se/docs/CVE-2021-22890.html
   
-  Closes #6612
+  CVE-2021-22890
 
-Viktor Szakats (16 Feb 2021)
-- http: do not add a referrer header with empty value
+- [Viktor Szakats brought this change]
+
+  transfer: strip credentials from the auto-referer header field
   
-  Previously an empty 'Referer:' header was added to the HTTP request when
-  passing `--referer ';auto'` or `--referer ''` on the command-line. This
-  patch makes `--referer` work like `--header 'Referer:'` and will only add
-  the header if it has a non-zero length value.
+  Added test 2081 to verify.
   
-  Reviewed-by: Jay Satiro
-  Closes #6610
+  CVE-2021-22876
+  
+  Bug: https://curl.se/docs/CVE-2021-22876.html
 
-Daniel Stenberg (16 Feb 2021)
-- lib: remove 'conn->data' completely
+- curl_sasl: fix compiler error with --disable-crypto-auth
   
-  The Curl_easy pointer struct entry in connectdata is now gone. Just
-  before commit 215db086e0 landed on January 8, 2021 there were 919
-  references to conn->data.
+  ... if libgsasl was found.
   
-  Closes #6608
+  Closes #6806
 
-- openldap: pass 'data' to the callbacks instead of 'conn'
+- [Patrick Monnerat brought this change]
 
-Jay Satiro (15 Feb 2021)
-- doh: Fix sharing user's resolve list with DOH handles
+  ldap: only set the callback ptr for TLS context when TLS is used
   
-  - Share the shared object from the user's easy handle with the DOH
-    handles.
+  Follow-up to a5eee22e594c2460f
+  Fixes #6804
+  Closes #6805
+
+- copyright: update copyright year ranges to 2021
   
-  Prior to this change if the user had set a shared object with shared
-  cached DNS (CURL_LOCK_DATA_DNS) for their easy handle then that wasn't
-  used by any associated DOH handles, since they used the multi's default
-  hostcache.
+  Reviewed-by: Emil Engler
+  Closes #6802
+
+- send_speed: simplify the checks for if a speed limit is set
   
-  This change means all the handles now use the same hostcache, which is
-  either the shared hostcache from the user created shared object if it
-  exists or if not then the multi's default hostcache.
+  ... as we know the value cannot be set to negative: enforced by
+  setopt()
+
+- http: cap body data amount during send speed limiting
   
-  Reported-by: Manuj Bhatia
+  By making sure never to send off more than the allowed number of bytes
+  per second the speed limit logic is given more room to actually work.
   
-  Fixes https://github.com/curl/curl/issues/6589
-  Closes https://github.com/curl/curl/pull/6607
+  Reported-by: Fabian Keil
+  Bug: https://curl.se/mail/lib-2021-03/0042.html
+  Closes #6797
 
-Daniel Stenberg (15 Feb 2021)
-- http2: remove conn->data use
+- urldata: merge "struct DynamicStatic" into "struct UrlState"
   
-  ... but instead use a private alternative that points to the "driving
-  transfer" from the connection. We set the "user data" associated with
-  the connection to be the connectdata struct, but when we drive transfers
-  the code still needs to know the pointer to the transfer. We can change
-  the user data to become the Curl_easy handle, but with older nghttp2
-  version we cannot dynamically update that pointer properly when
-  different transfers are used over the same connection.
+  Both were used for the same purposes and there was no logical separation
+  between them. Combined, this also saves 16 bytes in less holes in my
+  test build.
   
-  Closes #6520
+  Closes #6798
 
-- openssl: remove conn->data use
+- tests/README.md: mentioned that en_US.UTF-8 is required
   
-  We still make the trace callback function get the connectdata struct
-  passed to it, since the callback is anchored on the connection.
+  Reported-by: Oumph on github
+  Fixes #6768
+
+- HISTORY: fixed the Mac OS X 10.1 release date
   
-  Repeatedly updating the callback pointer to set 'data' with
-  SSL_CTX_set_msg_callback_arg() doesn't seem to work, probably because
-  there might already be messages in the queue with the old pointer.
+  Based on what Wikipedia says
+
+Jay Satiro (26 Mar 2021)
+- examples: Remove threaded-shared-conn.c due to bug
   
-  This code therefore makes sure to set the "logger" handle before using
-  OpenSSL calls so that the right easy handle gets used for tracing.
+  Known bug 11.11 is the shared object's connection cache is not thread
+  safe, so we should not have an example for it.
   
-  Closes #6522
-
-- RELEASE-NOTES: synced
+  Ref: https://github.com/curl/curl/issues/4915
+  Ref: https://curl.se/docs/knownbugs.html#A_shared_connection_cache_is_not
+  
+  Closes https://github.com/curl/curl/pull/6795
 
-Jay Satiro (14 Feb 2021)
-- doh: add options to disable ssl verification
+- KNOWN_BUGS: Update 11.9 - DoH option inheritance
   
-  - New libcurl options CURLOPT_DOH_SSL_VERIFYHOST,
-    CURLOPT_DOH_SSL_VERIFYPEER and CURLOPT_DOH_SSL_VERIFYSTATUS do the
-    same as their respective counterparts.
+  - Add description: Explain that some options aren't inherited because
+    they are not relevant for the DoH SSL connections or may result in
+    unexpected behavior.
   
-  - New curl tool options --doh-insecure and --doh-cert-status do the same
-    as their respective counterparts.
+  - Remove the reference to #4578 (SSL verify options not inherited) since
+    that was fixed by #6597 (separate DoH-specific options for verify).
   
-  Prior to this change DOH SSL certificate verification settings for
-  verifyhost and verifypeer were supposed to be inherited respectively
-  from CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER, but due to a bug
-  were not. As a result DOH verification remained at the default, ie
-  enabled, and it was not possible to disable. This commit changes
-  behavior so that the DOH verification settings are independent and not
-  inherited.
+  - Explain that DoH-specific options (those created by #6597) are
+    available: CURLOPT_DOH_SSL_VERIFYHOST, CURLOPT_DOH_SSL_VERIFYPEER and
+    CURLOPT_DOH_SSL_VERIFYSTATUS.
   
-  Ref: https://github.com/curl/curl/pull/4579#issuecomment-554723676
+  - Add a reference to #6605 and explain that the user's debug function is
+    not inherited because it would be unexpected to pass internal handles
+    (ie DoH handles) to the user's callback.
   
-  Fixes https://github.com/curl/curl/issues/4578
-  Closes https://github.com/curl/curl/pull/6597
+  Closes https://github.com/curl/curl/issues/6605
 
-- hostip: fix crash in sync resolver builds that use DOH
+Daniel Stenberg (26 Mar 2021)
+- curl_easy_setopt.3: add curl_easy_option* functions to SEE ALSO
+
+- [Jean-Philippe Menil brought this change]
+
+  openssl: ensure to check SSL_CTX_set_alpn_protos return values
   
-  - Guard some Curl_async accesses with USE_CURL_ASYNC instead of
-    !CURLRES_SYNCH.
+  SSL_CTX_set_alpn_protos() return 0 on success, and non-0 on failure
   
-  This is another follow-up to 8335c64 which moved the async struct from
-  the connectdata struct into the Curl_easy struct. A previous follow-up
-  6cd167a fixed building for sync resolver by guarding some async struct
-  accesses with !CURLRES_SYNCH. The problem is since DOH (DNS-over-HTTPS)
-  is available as an asynchronous secondary resolver the async struct may
-  be used even when libcurl is built for the sync resolver. That means
-  that CURLRES_SYNCH and USE_CURL_ASYNC may be defined at the same time.
+  Signed-off-by: Jean-Philippe Menil <jpmenil@gmail.com>
   
-  Closes https://github.com/curl/curl/pull/6603
+  Closes #6794
 
-Daniel Stenberg (13 Feb 2021)
-- KNOWN_BUGS: cannot enable LDAPS on Windows with cmake
+- multi: close the connection when h2=>h1 downgrading
+  
+  Otherwise libcurl is likely to reuse the connection again in the next
+  attempt since the connection reuse logic doesn't take downgrades into
+  account.
+  
+  Reported-by: Anthony Ramine
+  Fixes #6788
+  Closes #6793
+
+- openssl: set the transfer pointer for logging early
+  
+  Otherwise, the transfer will be NULL in the trace function when the
+  early handshake details arrive and then curl won't show them.
   
-  Reported-by: Jack Boos Yu
-  Closes #6284
+  Regresssion in 7.75.0
+  
+  Reported-by: David Hu
+  Fixes #6783
+  Closes #6792
 
-- KNOWN_BUGS: Excessive HTTP/2 packets with TCP_NODELAY
+- RELEASE-NOTES: synced
+
+- TODO: Custom progress meter update interval
   
-  Reported-by: Alex Xu
-  Closes #6363
+  Ref: https://stackoverflow.com/q/66789977/93747
 
-- http: use credentials from transfer, not connection
+- docs/ABI: tighten up the language
   
-  HTTP auth "accidentally" worked before this cleanup since the code would
-  always overwrite the connection credentials with the credentials from
-  the most recent transfer and since HTTP auth is typically done first
-  thing, this has not been an issue. It was still wrong and subject to
-  possible race conditions or future breakage if the sequence of functions
-  would change.
+  Make the promises more firm
   
-  The data.set.str[] strings MUST remain unmodified exactly as set by the
-  user, and the credentials to use internally are instead set/updated in
-  state.aptr.*
+  Closes #6786
+
+- openldap: disconnect better
   
-  Added test 675 to verify different credentials used in two requests done
-  over a reused HTTP connection, which previously behaved wrongly.
+  Instead of clearing the callback argument in disconnect, set it to the
+  (new) transfer to make sure the correct data is passed to the callbacks.
   
-  Fixes #6542
-  Closes #6545
+  Follow-up to e467ea3bd937f38
+  Assisted-by: Patrick Monnerat
+  Closes #6787
 
-- test433: clear some home dir env variables
+- libssh2: kdb_callback: get the right struct pointer
   
-  Follow-up to bd6b54ba1f55b5
+  After the recent conn/data refactor in this source file, this function
+  was mistakenly still getting the old struct pointer which would lead to
+  crash on servers with keyboard-interactive auth enabled.
   
-  ... so that XDG_CONFIG_HOME is the only home dir variable set and thus
-  used correctly in the test!
+  Follow-up to a304051620b92e12b (shipped in 7.75.0)
   
-  Fixes #6599
-  Closes #6600
+  Reported-by: Christian Schmitz
+  Fixes #6691
+  Closes #6782
 
-- RELEASE-NOTES: synced
+- tftp: remove unused struct fields
   
-  bumped the version to 7.76.0
+  Follow-up to d3d90ad9c00530d
+  
+  Closes #6781
 
-- travis: install libgsasl-dev to add that to the builds
+- openldap: avoid NULL pointer dereferences
   
-  Closes #6588
+  Follow-up to a59c33ceffb8f78
+  Reported-by: Patrick Monnerat
+  Fixes #6676
+  Closes #6780
 
-- urldata: don't touch data->set.httpversion at run-time
+- http: strip default port from URL sent to proxy
   
-  Rename it to 'httpwant' and make a cloned field in the state struct as
-  well for run-time updates.
+  To make sure the Host: header and the URL provide the same authority
+  portion when sent to the proxy, strip the default port number from the
+  URL if one was provided.
   
-  Also: refuse non-supported HTTP versions. Verified with test 129.
+  Reported-by: Michael Brown
+  Fixes #6769
+  Closes #6778
+
+- azure: disable test 433 on azure-ubuntu
   
-  Closes #6585
+  Something in that environment sets XDG_CONFIG_HOME for us in a way that
+  breaks the test.
+  
+  Reported-by: Marc Hörsken
+  Fixes #6739
+  Closes #6777
 
-Viktor Szakats (11 Feb 2021)
-- tests: disable .curlrc in more environments
+- tftp: remove the 3600 second default timeout
   
-  by also setting CURL_HOME and XDG_CONFIG_HOME envvars to the local
-  directory.
+  ... it was never meant to be there.
   
-  Reviewed-by: Daniel Stenberg
-  Fixes #6595
-  Closes #6596
+  Reported-by: Tomas Berger
+  Fixes #6774
+  Closes #6776
 
-- docs/Makefile.inc: format to be update-friendly
+- docs: make gen.pl support *italic* and **bold**
   
-  - one source file per line
-  - convert tabs to spaces
-  - do not align line-continuation backslashes
-  - sort source files alphabetically
+  Remove some nroffisms from the cmdline doc files to simplify editing,
+  and instead support this markdown style.
   
-  Reviewed-by: Daniel Stenberg
-  Closes #6593
+  Closes #6771
 
-Daniel Stenberg (11 Feb 2021)
-- curl: provide libgsasl version and feature info in -V output
+- ngtcp2: sync with recent API updates
   
-  Closes #6592
+  Closes #6770
 
-- gsasl: provide CURL_VERSION_GSASL if built-in
+- RELEASE-NOTES: synced
+
+- libssh2:ssh_connect: clear session pointer after free
   
-  To let applications know the feature is available.
+  If libssh2_knownhost_init() returns NULL, like in an OOM situation, the
+  ssh session was freed but the pointer wasn't cleared which made libcurl
+  later call libssh2 to cleanup using the stale pointer.
   
-  Closes #6592
+  Fixes #6764
+  Closes #6766
 
-- curl: add --fail-with-body
+- [Jacob Hoffman-Andrews brought this change]
+
+  docs: document version of crustls dependency
   
-  Prevent both --fail and --fail-with-body on the same command line.
+  This also pins a specific release in the Travis test so future
+  API-breaking changins in crustls won't break curl builds.
   
-  Verify with test 349, 360 and 361.
+  Add RUSTLS documentation to release tarball.
   
-  Closes #6449
-
-- TODO: remove HSTS
+  Enable running tests for rustls, minus FTP tests (require
+  connect_blocking, which rustls doesn't implement) and 313 (requires CRL
+  handling).
   
-  Provided now since commit 7385610d0c74
+  Closes #6763
 
-Jay Satiro (10 Feb 2021)
-- tests: Fix tests failing due to change in curl --help
-  
-  Follow-up to parent 3183217 which added add missing <mode> argument to
-  --create-file-mode <mode>.
-  
-  Ref: https://github.com/curl/curl/issues/6590
+- [Jacob Hoffman-Andrews brought this change]
 
-- tool_help: add missing argument for --create-file-mode
+  rustls: Handle close_notify.
   
-  Prior to this change the required argument was not shown in curl --help.
+  If we get a close_notify, treat that as EOF. If we get an EOF from the
+  TCP stream, treat that as an error (because we should have ended the
+  connection earlier, when we got a close_notify).
   
-  before:
-       --create-file-mode File mode for created files
+  Closes #6763
+
+- docs: clarify timeouts for queued transfers in multi API
   
-  after:
-       --create-file-mode <mode> File mode (octal) for created files
+  Closes #6758
+
+- ftpserver: only load the preprocessed test file
   
-  Reported-by: ZimCodes@users.noreply.github.com
+  We always preprocess and tests are no longer sensible to load "raw"
   
-  Fixes https://github.com/curl/curl/issues/6590
+  Closes #6738
 
-- create-file-mode.d: add missing Arg tag
+- tests: use %TESTNUMBER instead of fixed number
   
-  Prior to this change the required argument was not shown.
+  This makes the tests easier to copy and relocate to other test numbers
+  without having to update content.
   
-  curl.1 before: --create-file-mode
-  curl.1 after: --create-file-mode <mode>
+  Closes #6738
+
+- KNOWN_BUGS: CURLOPT_OPENSOCKETPAIRFUNCTION is missing
   
-  Reported-by: ZimCodes@users.noreply.github.com
+  Closes #5747
+
+- TODO: provide timing info for each redirect
   
-  Fixes https://github.com/curl/curl/issues/6590
+  Closes #6743
 
-Viktor Szakats (10 Feb 2021)
-- gsasl: fix errors/warnings building against libgsasl
+Jay Satiro (17 Mar 2021)
+- docs: Add SSL backend names to CURL_SSL_BACKEND
   
-  - also fix an indentation
-  - make Curl_auth_gsasl_token() use CURLcode (by Daniel Stenberg)
+  - Document the names that can be used with CURL_SSL_BACKEND:
+    bearssl, gnutls, gskit, mbedtls, mesalink, nss, openssl, rustls,
+    schannel, secure-transport, wolfssl
   
-  Ref: https://github.com/curl/curl/pull/6372#issuecomment-776118711
-  Ref: https://github.com/curl/curl/pull/6588
+  Ref: https://github.com/curl/curl/issues/2209#issuecomment-360623286
+  Ref: https://github.com/curl/curl/issues/6717#issuecomment-800745201
   
-  Reviewed-by: Jay Satiro
-  Assisted-by: Daniel Stenberg
-  Reviewed-by: Simon Josefsson
-  Closes #6587
+  Closes https://github.com/curl/curl/pull/6755
 
-- Makefile.m32: add support for libgsasl dependency
+- docs: Explain DOH transfers inherit some SSL settings
   
-  Reviewed-by: Marcel Raad
-  Closes #6586
-
-Marcel Raad (10 Feb 2021)
-- ngtcp2: clarify calculation precedence
+  - Document in DOH that some SSL settings are inherited but DOH hostname
+    and peer verification are not and are controlled separately.
   
-  As suggested by Codacy/cppcheck.
+  - Document that CURLOPT_SSL_CTX_FUNCTION is inherited by DOH handles but
+    we're considering changing behavior to no longer inherit it. Request
+    feedback.
   
-  Closes https://github.com/curl/curl/pull/6576
+  Closes https://github.com/curl/curl/pull/6688
 
-- server: remove redundant condition
+Daniel Stenberg (17 Mar 2021)
+- http: make 416 not fail with resume + CURLOPT_FAILONERRROR
   
-  `end` is always non-null here.
+  When asked to resume a download, libcurl will convert that to HTTP logic
+  and if then the entire file is already transferred it will result in a
+  416 response from the HTTP server. With CURLOPT_FAILONERRROR set in that
+  scenario, it should *not* lead to an error return.
   
-  Closes https://github.com/curl/curl/pull/6576
-
-- lib: remove redundant code
+  Updated test 1156, added test 1273
   
-  Closes https://github.com/curl/curl/pull/6576
+  Reported-by: Jonathan Watt
+  Fixes #6740
+  Closes #6753
 
-- mqttd: remove unused variable
+- Curl_timeleft: check both timeouts during connect
   
-  Closes https://github.com/curl/curl/pull/6576
-
-- tool_paramhlp: reduce variable scope
+  The duration of a connect and the total transfer are calculated from two
+  different time-stamps. It can end up with the total timeout triggering
+  before the connect timeout expires and we should make sure to
+  acknowledge whichever timeout that is reached first.
   
-  Closes https://github.com/curl/curl/pull/6576
+  This is especially notable when a transfer first sits in PENDING, as
+  that time is counted in the total time but the connect timeout is based
+  on the time since the handle changed to the CONNECT state.
+  
+  The CONNECTTIMEOUT is per connect attempt. The TIMEOUT is for the entire
+  operation.
+  
+  Fixes #6744
+  Closes #6745
+  Reported-by: Andrei Bica
+  Assisted-by: Jay Satiro
 
-- tests: reduce variable scopes
+- configure: remove use of deprecated macros
   
-  Closes https://github.com/curl/curl/pull/6576
+  AC_HEADER_TIME, AC_HEADER_STDC and AC_TYPE_SIGNAL
 
-- lib: reduce variable scopes
+- configure: make AC_TRY_* into AC_*_IFELSE
   
-  Closes https://github.com/curl/curl/pull/6576
+  ... as the former versions are deprecated.
 
-- ftp: fix Codacy/cppcheck warning about null pointer arithmetic
+- configure: s/AC_HELP_STRING/AS_HELP_STRING
   
-  Increment `bytes` only if it is non-null.
+  AC_HELP_STRING is deprecated in 2.70+ and I believe AS_HELP_STRING works
+  already since 2.59 so bump the minimum required version to that.
   
-  Closes https://github.com/curl/curl/pull/6576
+  Reported-by: Emil Engler
+  Fixes #6647
+  Closes #6748
 
-Daniel Stenberg (9 Feb 2021)
-- ngtcp2: adapt to the new recv_datagram callback
+- RELEASE-NOTES: synced
 
-- quiche: fix build error: use 'int' for port number
+- travis: use ubuntu nghttp2 package instead of build our own
   
-  Follow-up to cb2dc1ba8
+  Closes #6751
 
-- ftp: add 'list_only' to the transfer state struct
-  
-  and rename it from 'ftp_list_only' since it is also used for SSH and
-  POP3. The state is updated internally for 'type=D' FTP URLs.
-  
-  Added test case 1570 to verify.
-  
-  Closes #6578
+- travis: bump wolfssl to 4.7.0
 
-- ftp: add 'prefer_ascii' to the transfer state struct
-  
-  ... and make sure the code never updates 'set.prefer_ascii' as it breaks
-  handle reuse which should use the setting as the user specified it.
-  
-  Added test 1569 to verify: it first makes an FTP transfer with ';type=A'
-  and then another without type on the same handle and the second should
-  then use binary. Previously, curl failed this.
+- travis: only build wolfssl when needed
   
-  Closes #6578
-
-- RELEASE-NOTES: synced
+  Closes #6751
 
 - [Jacob Hoffman-Andrews brought this change]
 
-  vtls: initial implementation of rustls backend
-  
-  This adds a new TLS backend, rustls. It uses the C-to-rustls bindings
-  from https://github.com/abetterinternet/crustls.
+  rustls: allocate a buffer for TLS data.
   
-  Rustls is at https://github.com/ctz/rustls/.
+  Previously, rustls was using an on-stack array for TLS data. However,
+  crustls has an (unusual) requirement that buffers it deals with are
+  initialized before writing to them. By using calloc, we can ensure the
+  buffer is initialized once and then reuse it across calls.
   
-  There is still a fair bit to be done, like sending CloseNotify on
-  connection shutdown, respecting CAPATH, and properly indicating features
-  like "supports TLS 1.3 ciphersuites." But it works well enough to make
-  requests and receive responses.
+  Closes #6742
+
+- travis: add a rustls build
   
-  Blog post for context:
-  https://www.abetterinternet.org/post/memory-safe-curl/
+  ... that doesn't run any tests (yet)
   
-  Closes #6350
+  Closes #6750
 
-- [Simon Josefsson brought this change]
+- HTTP2: remove the outdated remark about multiplexing for the tool
 
-  sasl: support SCRAM-SHA-1 and SCRAM-SHA-256 via libgsasl
-  
-  Closes #6372
+- [Robert Ronto brought this change]
 
-Jay Satiro (9 Feb 2021)
-- lib: use int type for more port variables
+  http2: don't set KEEP_SEND when there's no more data to be sent
   
-  This is a follow-up to 764c6bd. Prior to that change port variables
-  were usually type long.
+  this should fix an issue where curl sometimes doesn't send out a request
+  with authorization info after a 401 is received over http2
   
-  Closes https://github.com/curl/curl/pull/6553
+  Closes #6747
 
-- tool_writeout: refactor write-out and write-out json
-  
-  - Deduplicate the logic used by write-out and write-out json.
-  
-  Rather than have separate writeLong, writeString, etc, logic for
-  each of write-out and write-out json instead have respective shared
-  functions that can output either format and a 'use_json' parameter to
-  indicate whether it is json that is output.
-  
-  This will make it easier to maintain. Rather than have to go through
-  two sets of logic now we only have to go through one.
+Marc Hoersken (15 Mar 2021)
+- config: fix building SMB with configure using Win32 Crypto
   
-  - Support write-out %{errormsg} and %{exitcode} in json.
+  Align conditions for NTLM features between CMake and configure
+  builds by differentiating between USE_NTLM and USE_CURL_NTLM_CORE,
+  just like curl_setup.h does internally to detect support of:
   
-  - Clarify in the doc that %{exitcode} is the exit code of the transfer.
+  - USE_NTLM: required for NTLM crypto authentication feature
+  - USE_CURL_NTLM_CORE: required for SMB protocol
   
-  Prior to this change it just said "The numerical exitcode" which
-  implies it's the exit code of the tool, and it's not necessarily that.
+  Implement USE_WIN32_CRYPTO detection by checking for Crypt functions
+  in wincrypt.h which are not available in the Windows App environment.
   
-  Closes https://github.com/curl/curl/pull/6544
-
-- lib: drop USE_SOCKETPAIR in favor of CURL_DISABLE_SOCKETPAIR
+  Link advapi32 and crypt32 for Crypto API and Schannel SSL backend.
+  Fix condition of Schannel SSL backend in CMake build accordingly.
   
-  .. since the former is undocumented and they both do the same thing.
+  Reviewed-by: Marcel Raad
   
-  Closes https://github.com/curl/curl/pull/6517
+  Closes #6277
 
-- curl_multibyte: fall back to local code page stat/access on Windows
+- config: fix detection of restricted Windows App environment
   
-  If libcurl is built with Unicode support for Windows then it is assumed
-  the filename string is Unicode in UTF-8 encoding and it is converted to
-  UTF-16 to be passed to the wide character version of the respective
-  function (eg wstat). However the filename string may actually be in the
-  local encoding so, even if it successfully converted to UTF-16, if it
-  could not be stat/accessed then try again using the local code page
-  version of the function (eg wstat fails try stat).
+  Move the detection of the restricted Windows App environment
+  in curl_setup.h before the definition of USE_WIN32_CRYPTO
+  via included config-win32.h in case no build system is used.
   
-  We already do this with fopen (ie wfopen fails try fopen), so I think it
-  makes sense to extend it to stat and access functions.
+  Reviewed-by: Marcel Raad
   
-  Closes https://github.com/curl/curl/pull/6514
+  Part of #6277
 
-- [Stephan Szabo brought this change]
+Daniel Stenberg (15 Mar 2021)
+- HISTORY: curl 7.7.2 was the first version used in Mac OS X 10.1
 
-  file: Support unicode urls on windows
+- gen.pl: quote "bare" minuses in the nroff curl.1
   
-  Closes https://github.com/curl/curl/pull/6501
-
-- [Vincent Torri brought this change]
+  Reported-by: Alejandro Colomar
+  Fixes #6698
+  Closes #6722
 
-  cmake: fix import library name for non-MS compiler on Windows
+Daniel Gustafsson (14 Mar 2021)
+- hsts: remove unused defines
   
-  - Use _imp.lib suffix only for Microsoft's compiler (MSVC).
+  MAX_HSTS_SUBLEN and MAX_HSTS_SUBLENSTR were unused from the initial commit,
+  and mostly likely leftovers from early development.  Remove as they're not
+  used for anything.
   
-  Prior to this change library suffix _imp.lib was used for the import
-  library on Windows regardless of compiler.
+  Closes #6741
+  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+Daniel Stenberg (12 Mar 2021)
+- github: add torture-ftp for FTP-only torture testing
   
-  With this change the other compilers should now use their default
-  suffix which should be .dll.a.
+  and at 20% to try to keep the run-time reasonable
   
-  This change is motivated by the usage of pkg-config on MSYS2.
-  Indeed, when 'pkg-config --libs libcurl' is used, -lcurl is
-  passed to ld. The documentation of ld on Windows :
+  Closes #6728
+
+- travis: split "torture" into a separate "events" build as well
   
-  https://sourceware.org/binutils/docs/ld/WIN32.html
+  Run torture without FTP and reducing coverage to 20%
   
-  lists, in the 'direct linking to a dll' section, the pattern
-  of the searched import library, and libcurl_imp.lib is not there.
+  For some reason the torture tests now run a lot slower on travis and run
+  into the 50 minute limit all the time.
   
-  Closes https://github.com/curl/curl/pull/6225
+  Closes #6728
 
-Daniel Stenberg (9 Feb 2021)
-- urldata: move 'followlocation' to UrlState
+- ftp: fix memory leak in ftp_done
   
-  As this is a state variable it does not belong in UserDefined which is
-  used to store values set by the user.
+  If after a transfer is complete Curl_GetFTPResponse() returns an error,
+  curl would not free the ftp->pathalloc block.
   
-  Closes #6582
+  Found by torture-testing test 576
+  
+  Closes #6737
 
-- [Ikko Ashimine brought this change]
+- [oxalica brought this change]
 
-  http_proxy: fix typo in http_proxy.c
-  
-  settting -> setting
+  http2: fail if connection terminated without END_STREAM
   
-  Closes #6583
+  Closes #6736
 
-- [Fabian Keil brought this change]
+- RELEASE-NOTES: synced
 
-  tests/server: Bump MAX_TAG_LEN to 200
+- [Jacob Hoffman-Andrews brought this change]
+
+  rustls: support CURLOPT_SSL_VERIFYPEER
   
-  This is useful for tests containing HTML inside of <data> sections.
-  For <img> tags it's not uncommon to be longer than the previous
-  limit of 79 bytes.
+  This requires the latest main branch of crustls, which provides
+  rustls_client_config_builder_dangerous_set_certificate_verifier and
+  rustls_client_config_builder_set_enable_sni.
   
-  An example of a previously problem-causing tag is:
-  <img src="http://config.privoxy.org/send-banner?type=auto" border="0" title="Killed-http://www.privoxy.org/images/privoxy.png-by-size" width="88" height="31">
-  which is needed for a Privoxy test for the banners-by-size filter.
+  This refactors the session setup into its own function, and adds a new
+  function cr_hostname_is_ip. Because crustls doesn't support verification
+  of IP addresses, special handling is needed: We disable SNI and set a
+  placeholder hostname (which never actually gets sent on the wire).
   
-  Previously it caused server failures like:
-  12:29:05.786961 ====> Client connect
-  12:29:05.787116 accept_connection 3 returned 4
-  12:29:05.787194 accept_connection 3 returned 0
-  12:29:05.787285 Read 119 bytes
-  12:29:05.787345 Process 119 bytes request
-  12:29:05.787407 Got request: GET /banners-by-size/9 HTTP/1.1
-  12:29:05.787464 Requested test number 9 part 0
-  12:29:05.787686 getpart() failed with error: -2
-  12:29:05.787744 - request found to be complete (9)
-  12:29:05.787912 getpart() failed with error: -2
-  12:29:05.788048 Wrote request (119 bytes) input to log/server.input
-  12:29:05.788157 Send response test9 section <data>
-  12:29:05.788443 getpart() failed with error: -2
-  12:29:05.788498 instructed to close connection after server-reply
-  12:29:05.788550 ====> Client disconnect 0
-  12:29:05.871448 exit_signal_handler: 15
-  12:29:05.871714 signalled to die
-  12:29:05.872040 ========> IPv4 sws (port 21108 pid: 51758) exits with signal (15)
-
-- [Fabian Keil brought this change]
-
-  tests/badsymbols.pl: when opening '$incdir' fails include it in the error message
-
-- [Fabian Keil brought this change]
-
-  runtests.1: document -o, -P, -L, and -E
-
-- [Fabian Keil brought this change]
+  Closes #6719
 
-  runtests.pl: add %TESTNUMBER variable to make copying tests more convenient
+Daniel Gustafsson (12 Mar 2021)
+- cookies: Fix potential NULL pointer deref with PSL
+  
+  Curl_cookie_init can be called with data being NULL, and this can in turn
+  be passed to Curl_cookie_add, meaning that both functions must be careful
+  to only use data where it's checked for being a NULL pointer.  The libpsl
+  support code does however dereference data without checking, so if we are
+  indeed having an unset data pointer we cannot PSL check the cookiedomain.
+  
+  This is currently not a reachable dereference, as the only caller with a
+  NULL data isn't passing a file to initialize cookies from, but since the
+  API has this contract let's ensure we hold it.
+  
+  Closes #6731
+  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
 
-- [Fabian Keil brought this change]
+Daniel Stenberg (12 Mar 2021)
+- [Michael Hordijk brought this change]
 
-  runtests.pl: add an -o option to change internal variables
+  configure: only add OpenSSL paths if they are defined
   
-  runtests.pl has lots of internal variables one might want to
-  change in certain situations, but adding a dedicated option
-  for every single one of them isn't practical.
+  Add paths for OpenSSL compiling and linking only if they have been
+  defined.  If they haven't been defined, we'll assume that the paths are
+  already available to the toolchain.
   
-  Usage:
-  ./runtests.pl -o TESTDIR=$privoxy_curl_test_dir -o HOSTIP=10.0.0.1 ...
-
-- [Fabian Keil brought this change]
+  Closes #6730
 
-  runtests.pl: cleanups
+Jay Satiro (12 Mar 2021)
+- retry.d: Clarify transient 5xx HTTP response codes
   
-  - show the summarized test result in the last line of the report
-  - do not use $_ after mapping it to a named variable
-    Doing that makes the code harder to follow.
-  - log the restraints sorted by the number of their occurrences
-  - fix language when logging restraints that only occured once
-  - let runhttpserver() use $TESTDIR instead of $srcdir
-    ... so it works if a non-default $TESTDIR is being used.
-
-- [Fabian Keil brought this change]
+  - Clarify the only 5xx response codes that are treated as transient are
+    500, 502, 503 and 504.
+  
+  Prior to this change it said it treated all 5xx as transient, but the
+  code says otherwise.
+  
+  Ref: https://github.com/curl/curl/blob/curl-7_75_0/src/tool_operate.c#L462-L495
+  
+  Closes https://github.com/curl/curl/pull/6724
 
-  runtests.pl: add an -E option to specify an exclude file
+- retry-all-errors.d: Explain curl errors versus HTTP response errors
   
-  It can contain additional restraints for test numbers,
-  keywords and tools.
+  - Add a paragraph explaining that curl does not consider HTTP response
+    errors as curl errors, and how that behavior can be modified by using
+    --retry and --fail.
   
-  The idea is to let third parties like the Privoxy project
-  distribute an exclude file with their tarballs that specifies
-  which curl tests are not expected to work when using Privoxy
-  as a proxy, without having to fork the whole curl test suite.
+  The --retry-all-errors doc says "Retry on any error" which some users
+  may find misleading without the added explanation.
   
-  The syntax could be changed to be extendable and maybe
-  more closely reflect the "curl test" syntax. Currently
-  it's a bunch of lines like these:
+  Ref: https://curl.se/docs/faq.html#Why_do_I_get_downloaded_data_eve
+  Ref: https://curl.se/docs/faq.html#curl_doesn_t_return_error_for_HT
   
-  test:$TESTNUMBER:Reason why this test with number $TESTNUMBER should be skipped
-  keyword:$KEYWORD:Reason why tests whose keywords contain the $KEYWORD should be skipped
-  tool:$TOOL:Reason why tests with tools that contain $TOOL should be skipped
+  Reported-by: Lawrence Gripper
   
-  To specify multiple $TESTNUMBERs, $KEYWORDs and $TOOLs
-  on a single line, split them with commas.
-
-- [Fabian Keil brought this change]
+  Fixes https://github.com/curl/curl/issues/6712
+  Closes https://github.com/curl/curl/pull/6720
 
-  runtests.pl: add -L parameter to require additional perl libraries
+Daniel Stenberg (11 Mar 2021)
+- travis: switch ngtcp2 build over to quictls
   
-  This is useful to change the behaviour of the script without
-  having to modify the file itself, for example to use a custom
-  compareparts() function that ignores header differences that
-  are expected to occur when an external proxy is being used.
+  The ngtcp2 project switched over to using the quictls OpenSSL fork
+  instead of their own patched OpenSSL. We follow suit.
   
-  Such differences are proxy-specific and thus the modifications
-  should be maintained together with the proxy.
+  Closes #6729
 
-- [Fabian Keil brought this change]
+- test220/314: adjust to run with Hyper
 
-  runtests.pl: add a -P option to specify an external proxy
-  
-  ... that should be used when executing the tests.
-  
-  The assumption is that the proxy is an HTTP proxy.
-  
-  This option should be used together with -L to provide
-  a customized compareparts() version that knows which
-  proxy-specific header differences should be ignored.
+- c-hyper: support automatic content-encoding
   
-  This option doesn't work for all test types yet.
+  Closes #6727
 
-- [Fabian Keil brought this change]
+- http: remove superfluous NULL assign
+  
+  Closes #6727
 
-  tests: fixup several tests
+- tool_operate: bail if set CURLOPT_HTTP09_ALLOWED returns error
   
-  missing CRs and modified %hostip
+  Closes #6727
+
+- setopt: error on CURLOPT_HTTP09_ALLOWED set true with Hyper
   
-  lib556/test556: use a real HTTP version to make test reuse more convenient
+  Not supported.
   
-  make sure the weekday in Date headers matches the date
+  Closes #6727
+
+- test306: make it not run with Hyper
   
-  test61: replace stray "^M" (5e 4d) at the end of a cookie with a '^M' (0d)
+  ... as it tests HTTP/0.9 which Hyper doesn't support.
+
+- test304: header CRLF cleanup to work with Hyper
+
+- FTP: allow SIZE to fail when doing (resumed) upload
   
-  Gets the test working with external proxies like Privoxy again.
+  Added test 362 to verify.
   
-  Closes #6463
+  Reported-by: Jordan Brown
+  Regression since 7ea2e1d0c5a7f (7.73.0)
+  Fixes #6715
+  Closes #6725
 
-- ftp: never set data->set.ftp_append outside setopt
-  
-  Since the set value then risks getting used like that when the easy
-  handle is reused by the application.
+- configure: provide Largefile feature for curl-config
   
-  Also: renamed the struct field from 'ftp_append' to 'remote_append'
-  since it is also used for SSH protocols.
+  ... as cmake now does it correctly, and make test1014 check for it
   
-  Closes #6579
+  Closes #6702
 
-- urldata: remove the 'rtspversion' field
+- config: remove CURL_SIZEOF_CURL_OFF_T use only SIZEOF_CURL_OFF_T
   
-  from struct connectdata and the corresponding code in http.c that set
-  it. It was never used for anything!
+  Make the code consistently use a single name for the size of the
+  "curl_off_t" type.
   
-  Closes #6581
+  Closes #6702
 
-- CURLOPT_QUOTE.3: clarify that libcurl doesn't parse what's sent
+Jay Satiro (10 Mar 2021)
+- [Jun-ya Kato brought this change]
+
+  ngtcp2: Fix build error due to change in ngtcp2_addr_init
   
-  ... so passed in commands may confuse libcurl's knowledge of state.
+  ngtcp2/ngtcp2@b8d90a9 changed the function prototype.
   
-  Reported-by: Bodo Bergmann
-  Fixes #6577
-  Closes #6580
+  Closes https://github.com/curl/curl/pull/6716
 
-- [Jacob Hoffman-Andrews brought this change]
+Daniel Stenberg (10 Mar 2021)
+- [ejanchivdorj brought this change]
 
-  vtls: factor out Curl_ssl_getsock to field of Curl_ssl
+  multi: update pending list when removing handle
   
-  Closes #6558
+  when removing a handle, most of the lists are updated but pending list
+  is not updated. Updating now.
+  
+  Closes #6713
 
-- RELEASE-PROCEDURE: remove old release dates, add new
+- [kokke brought this change]
 
-- docs/SSL-PROBLEMS: enhanced
-  
-  Elaborate on the intermediate cert issue, and mention that anything
-  below TLS 1.2 is generally considered insecure these days.
+  lib1536: check ptr against NULL before dereferencing it
   
-  Closes #6572
+  Closes #6710
 
-- THANKS: remove a Jon Rumsey dupe
+- [kokke brought this change]
 
-Daniel Gustafsson (5 Feb 2021)
-- [nimaje brought this change]
+  lib1537: check ptr against NULL before dereferencing it
+  
+  Fixes #6707
+  Closes #6708
 
-  docs: fix FILE example url in --metalink documentation
+- travis: make torture tests skip TLS-SRP tests
   
-  In a url after <scheme>:// follows the possibly empty authority part
-  till the next /, so that url missed a /.
+  ... as it seems to often hang.
   
-  Closes #6573
-  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
-  Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
+  Also: skip the "normal" tests as they're already run by many other
+  builds.
+  
+  Closes #6705
 
-Daniel Stenberg (5 Feb 2021)
-- hostip: fix build with sync resolver
+- openssl: adapt to v3's new const for a few API calls
   
-  Reported-by: David Goerger
-  Follow-up from 8335c6417
-  Fixes #6566
-  Closes #6568
+  Closes #6703
 
-- mailmap: Jon Rumsey
+- quiche: fix crash when failing to connect
+  
+  Reported-by: ウさん
+  Fixes #6664
+  Closes #6701
 
-- [Jon Rumsey brought this change]
+- RELEASE-NOTES: synced
+  
+  Fixed the release counter and added a missing contributor
 
-  gskit: correct the gskit_send() prototype
+- RELEASE-NOTES: synced
+
+- dynbuf: bump the max HTTP request to 1MB
   
-  gskit_send() first paramater is a pointer to Curl_easy not connectdata
-  struct.
+  Raised from 128KB to allow longer request headers.
   
-  Closes #6570
-  Fixes #6569
+  Reported-by: Carl Zogheib
+  Fixes #6681
+  Closes #6685
 
-- urldata: fix build without HTTP and MQTT
+Jay Satiro (6 Mar 2021)
+- schannel: Evaluate CURLOPT_SSL_OPTIONS via SSL_SET_OPTION macro
   
-  Reported-by: Joseph Chen
-  Fixes #6562
-  Closes #6563
-
-- ftp: avoid SIZE when asking for a TYPE A file
+  - Change use of those options from CURLOPT_SSL_OPTIONS that are not
+    already evaluated via SSL_SET_OPTION in schannel and secure transport
+    to use that instead of data->set.ssl.optname.
   
-  ... as we ignore it anyway because servers don't report the correct size
-  and proftpd even blatantly returns a 550.
+  Example:
   
-  Updates a set of tests accordingly.
+  Evaluate SSL_SET_OPTION(no_revoke) instead of data->set.ssl.no_revoke.
   
-  Reported-by: awesomenode on github
-  Fixes #6564
-  Closes #6565
-
-- pingpong: rename the curl_pp_transfer enum to use PP prefix
+  This change is because options set via CURLOPT_SSL_OPTIONS
+  (data->set.ssl.optname) are separate from those set for HTTPS proxy via
+  CURLOPT_PROXY_SSL_OPTIONS (data->set.proxy_ssl.optname). The
+  SSL_SET_OPTION macro determines whether the connection is for HTTPS
+  proxy and based on that which option to evaluate.
   
-  Using an FTP prefix for PP provided functionality was misleading.
-
-- RELEASE-NOTES: synced
+  Since neither Schannel nor Secure Transport backends currently support
+  HTTPS proxy in libcurl, this change is for posterity and has no other
+  effect.
   
-  ... and bump pending version to 7.75.1 (for now)
+  Closes https://github.com/curl/curl/pull/6690
+
+- [kokke brought this change]
 
-Jay Satiro (4 Feb 2021)
-- build: fix --disable-http-auth
+  c-hyper: Remove superfluous pointer check
   
-  Broken since 215db08 (precedes 7.75.0).
+  `n` pointer is never NULL once set. Found by static analysis.
   
-  Reported-by: Benbuck Nason
+  Ref: https://github.com/curl/curl/issues/6696
   
-  Fixes https://github.com/curl/curl/issues/6567
+  Closes https://github.com/curl/curl/pull/6697
 
-- build: fix --disable-dateparse
+- version.d: Add missing features to the features list
   
-  Broken since 215db08 (precedes 7.75.0).
+  - Add missing entries for gsasl, Kerberos, NTLM_WB, TrackMemory,
+    Unicode and zstd.
   
-  Bug: https://curl.se/mail/lib-2021-02/0008.html
-  Reported-by: Firefox OS
-
-Daniel Stenberg (4 Feb 2021)
-- [Jon Rumsey brought this change]
-
-  OS400: update for CURLOPT_AWS_SIGV4
+  - Remove krb4 since it's no longer a feature.
   
-  chkstrings fails because a new string option that could require codepage
-  conversion has been added.
+  Reported-by: Ádler Jonas Gross
   
-  Closes #6561
-  Fixes #6560
-
-- BUG-BOUNTY: removed the cooperation mention
-
-Version 7.75.0 (3 Feb 2021)
-
-Daniel Stenberg (3 Feb 2021)
-- RELEASE-NOTES: synced
-
-- THANKS: added contributors from 7.75.0
+  Fixes https://github.com/curl/curl/issues/6677
+  Closes https://github.com/curl/curl/pull/6687
 
-- copyright: fix year ranges in need of updates
+- [Vladimir Varlamov brought this change]
 
-- TODO: remove items for next SONAME bump etc
+  docs: add missing Arg tag to --stderr
   
-  We want to avoid that completely, so we don't plan for things after such
-  an event.
-
-- [Jay Satiro brought this change]
-
-  ngtcp2: Fix build error due to change in ngtcp2_settings
+  Prior to this change the required argument was not shown.
   
-  - Separate ngtcp2_transport_params.
+  curl.1 before: --stderr
+  curl.1 after: --stderr <file>
   
-  ngtcp2/ngtcp2@05d7adc made ngtcp2_transport_params separate from
-  ngtcp2_settings.
+  curl --help before:
+       --stderr        Where to redirect stderr
   
-  ngtcp2 master is required to build curl with http3 support.
+  curl --help after:
+       --stderr <file>  Where to redirect stderr
   
-  Closes #6554
+  Closes https://github.com/curl/curl/pull/6692
 
-- vtls: remove md5sum
+- projects: Update VS projects for OpenSSL 1.1.x
   
-  As it is not used anymore.
+  - Update VS project templates to use the OpenSSL lib names and include
+    directories for OpenSSL 1.1.x.
   
-  Reported-by: Jacob Hoffman-Andrews
-  Bug: https://curl.se/mail/lib-2021-02/0000.html
+  This change means the VS project files will now build only with OpenSSL
+  1.1.x when an OpenSSL configuration is chosen. Prior to this change the
+  project files built only with OpenSSL 1.0.x (end-of-life) when an
+  OpenSSL configuration was chosen.
   
-  Closes #6557
-
-- [Alessandro Ghedini brought this change]
-
-  quiche: don't use primary_ip / primary_port
+  The template changes in this commit were made by script:
   
-  Closes #6555
-
-Alessandro Ghedini (1 Feb 2021)
-- travis: enable quiche's FFI feature
-
-Daniel Stenberg (30 Jan 2021)
-- [Dmitry Wagin brought this change]
-
-  http: improve AWS HTTP v4 Signature auth
+  libeay32.lib => libcrypto.lib
+  ssleay32.lib => libssl.lib
+  ..\..\..\..\..\openssl\inc32 => ..\..\..\..\..\openssl\include
   
-  - Add support services without region and service prefixes in
-  the URL endpoint (ex. Min.IO, GCP, Yandex Cloud, Mail.Ru Cloud Solutions, etc)
-  by providing region and service parameters via aws-sigv4 option.
-  - Add [:region[:service]] suffix to aws-sigv4 option;
-  - Fix memory allocation errors.
-  - Refactor memory management.
-  - Use Curl_http_method instead() STRING_CUSTOMREQUEST.
-  - Refactor canonical headers generating.
-  - Remove repeated sha256_to_hex() usage.
-  - Add some docs fixes.
-  - Add some codestyle fixes.
-  - Add overloaded strndup() for debug - curl_dbg_strndup().
-  - Update tests.
+  And since the output directory now contains the includes it's prepended:
+  ..\..\..\..\..\openssl\build\Win{32,64}\VC{6..15}\{DLL,LIB}
+  {Debug,Release}\include
   
-  Closes #6524
-
-- hyper: fix CONNECT to set 'data' as userdata
+  - Change build-openssl.bat to copy the build's include directory to the
+    output directory (as seen above).
   
-  Follow-up to 14e075d1a7fd
-
-- [Layla brought this change]
-
-  connect: fix compile errors in `Curl_conninfo_local`
+  Each build has its own opensslconf.h which is different so we can't just
+  include the source include directory any longer.
   
-  .. for the `#else` (`!HAVE_GETSOCKNAME`) case
+  Note the include directory in the output directory is a full copy from
+  the build so technically we don't need to include the OpenSSL source
+  include directory in the template. However, I left it last in case the
+  user made a custom OpenSSL build using the old method which would put
+  opensslconf in the OpenSSL source include directory.
   
-  Fixes https://github.com/curl/curl/issues/6548
-  Closes #6549
+  - Change build-openssl.bat to use a temporary install directory that is
+    different from the temporary build directory.
   
-  Signed-off-by: Layla <layla@insightfulvr.com>
-
-- [Michał Antoniak brought this change]
-
-  transfer: fix GCC 10 warning with flag '-Wint-in-bool-context'
+  For OpenSSL 1.1.x the temporary paths must be separate not a descendant
+  of the other, otherwise pdb files will be lost between builds.
   
-  ... and return the error code from the Curl_mime_rewind call.
+  Ref: https://curl.se/mail/lib-2018-10/0049.html
+  Ref: https://gist.github.com/jay/125191c35bbeb894444eff827651f755
+  Ref; https://github.com/openssl/openssl/issues/10005
   
-  Closes #6537
-
-- [Michał Antoniak brought this change]
-
-  avoid warning: enum constant in boolean context
-
-- copyright: fix missing year (range) updates
-
-- RELEASE-NOTES: synced
+  Fixes https://github.com/curl/curl/issues/984
+  Closes https://github.com/curl/curl/pull/6675
 
-- openssl: lowercase the hostname before using it for SNI
+- doh: Inherit CURLOPT_STDERR from user's easy handle
   
-  ... because it turns out several servers out there don't actually behave
-  correctly otherwise in spite of the fact that the SNI field is
-  specifically said to be case insensitive in RFC 6066 section 3.
+  Prior to this change if the user set their easy handle's error stream
+  to something other than stderr it was not inherited by the doh handles,
+  which meant that they would still write to the default standard error
+  stream (stderr) for verbose output.
   
-  Reported-by: David Earl
-  Fixes #6540
-  Closes #6543
-
-- KNOWN_BUGS: cmake: ExternalProject_Add does not set CURL_CA_PATH
+  Bug: https://github.com/curl/curl/issues/6605
+  Reported-by: arvids-kokins-bidstack@users.noreply.github.com
   
-  Closes #6313
+  Closes https://github.com/curl/curl/pull/6661
 
-- KNOWN_BUGS: Multi perform hangs waiting for threaded resolver
+Marc Hoersken (1 Mar 2021)
+- CI/azure: replace python-impacket with python3-impacket
   
-  Closes #4852
+  As of this month Azure DevOps uses Ubuntu 20.04 LTS which
+  no longer supports Python 2 and instead ships Python 3.
+  
+  Closes #6678
 
-- KNOWN_BUGS: "pulseUI VPN client" is known to be buggy
+- runtests.pl: kill processes locking test log files
   
-  First entry in the new section "applications" for known problems in
-  libcurl using applications.
+  Introduce a new runtests.pl command option: -rm
   
-  Closes #6306
-
-- tool_writeout: make %{errormsg} blank for no errors
+  For now only required and implemented for Windows.
+  Ignore stunnel logs due to long running processes.
   
-  Closes #6539
-
-Jay Satiro (27 Jan 2021)
-- [Gisle Vanem brought this change]
-
-  build: fix djgpp builds
+  Requires Sysinternals handle[64].exe to be on PATH.
   
-  - Update build instructions in packages/DOS/README
+  Reviewed-by: Jay Satiro
   
-  - Extend 'VPATH' with 'vquic' and 'vssh'.
+  Ref: #6058
+  Closes #6179
+
+- pathhelp.pm: fix use of pwd -L in Msys environment
   
-  - Allow 'Makefile.dist' to build both 'lib' and 'src'.
+  While Msys2 has a pwd binary which supports -L,
+  Msys1 only has a shell built-in with that feature.
   
-  - Allow using the Windows hosted djgpp cross compiler to build for MSDOS
-    under Windows.
+  Reviewed-by: Jay Satiro
   
-  - 'USE_SSL' -> 'USE_OPENSSL'
+  Part of #6179
+
+Daniel Gustafsson (1 Mar 2021)
+- ldap: use correct memory free function
   
-  - Added a 'link_EXE' macro. Etc, etc.
+  unescaped is coming from Curl_urldecode and not a unicode conversion
+  function, so reclaiming its memory should be performed with a normal
+  call to free rather than curlx_unicodefree.  In reality, this is the
+  same thing as curlx_unicodefree is implemented as a call to free but
+  that's not guaranteed to always hold.  Using the curlx macro present
+  issues with memory debugging as well.
   
-  - Linking 'curl.exe' needs '$(CURLX_CFILES)' too.
+  Closes #6671
+  Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
+  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+- url: fix typo in comment
   
-  - Do not pick-up '../lib/djgpp/*.o' files. Recompile locally.
+  Correct a small typo which snuck in with a304051620.
+
+Jay Satiro (28 Feb 2021)
+- tool_help: Increase space between option and description
   
-  - Generate a gzipped 'tool_hugehelp.c' if 'USE_ZLIB=1'.
+  - Increase the minimum number of spaces between the option and the
+    description from 1 to 2.
   
-  - Remove 'djgpp-clean'
+  Before:
+  ~~~
+   -u, --user <user:password> Server user and password
+   -A, --user-agent <name> Send User-Agent <name> to server
+   -v, --verbose       Make the operation more talkative
+   -V, --version       Show version number and quit
+   -w, --write-out <format> Use output FORMAT after completion
+       --xattr         Store metadata in extended file attributes
+  ~~~
   
-  - Adapt to new C-ares directory structure
+  After:
+  ~~~
+   -u, --user <user:password>  Server user and password
+   -A, --user-agent <name>  Send User-Agent <name> to server
+   -v, --verbose       Make the operation more talkative
+   -V, --version       Show version number and quit
+   -w, --write-out <format>  Use output FORMAT after completion
+       --xattr         Store metadata in extended file attributes
+  ~~~
+  
+  Closes https://github.com/curl/curl/pull/6674
+
+Daniel Stenberg (27 Feb 2021)
+- curl: set CURLOPT_NEW_FILE_PERMS if requested
   
-  - Use conditional variable assignments
+  The --create-file-mode code logic accepted the value but never actually
+  passed it on to libcurl!
   
-  Clarify the 'conditional variable assignment' in 'common.dj'.
+  Follow-up to a7696c73436f (shipped in 7.75.0)
+  Reported-by: Johannes Lesr
+  Fixes #6657
+  Closes #6666
+
+- tool_operate: check argc before accessing argv[1]
   
-  Closes https://github.com/curl/curl/pull/6382
+  Follow-up to 09363500b
+  Reported-by: Emil Engler
+  Reviewed-by: Daniel Gustafsson
+  Closes #6668
 
-Daniel Stenberg (27 Jan 2021)
-- [Ikko Ashimine brought this change]
+Daniel Gustafsson (26 Feb 2021)
+- [Jean-Philippe Menil brought this change]
 
-  hyper: fix typo in c-hyper.c
+  openssl: remove get_ssl_version_txt in favor of SSL_get_version
   
-  settting -> setting
+  openssl: use SSL_get_version to get connection protocol
   
-  Closes #6538
+  Replace our bespoke get_ssl_version_txt in favor of SSL_get_version.
+  We can get rid of few lines of code, since SSL_get_version achieve
+  the exact same thing
+  
+  Closes #6665
+  Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
+  Signed-off-by: Jean-Philippe Menil <jpmenil@gmail.com>
 
-- libssh2: fix CURL_LIBSSH2_DEBUG-enabled build
+- gnutls: Fix nettle discovery
   
-  Follow-up to 2dcc940959772a
+  Commit e06fa7462ac258c removed support for libgcrypt leaving only
+  support for nettle which has been the default crypto library in
+  GnuTLS for a long time. There were however a few conditionals on
+  USE_GNUTLS_NETTLE which cause compilation errors in the metalink
+  code (as it used the gcrypt fallback instead as a result). See the
+  below autobuild for an example of the error:
   
-  Reported-by: Gisle Vanem
-  Bug: https://github.com/curl/curl/commit/2dcc940959772a652f6813fb6bd3092095a4877b#commitcomment-46420088
-
-Jay Satiro (27 Jan 2021)
-- asyn-thread: fix build for when getaddrinfo missing
+    https://curl.se/dev/log.cgi?id=20210225123226-30704#prob1
   
-  This is a follow-up to 8315343 which several days ago moved the resolver
-  pointer into the async struct but did not update the code that uses it
-  when getaddrinfo is not present.
+  This removes all uses of USE_GNUTLS_NETTLE and also removes the
+  gcrypt support from the metalink code while at it.
   
-  Closes https://github.com/curl/curl/pull/6536
+  Closes #6656
+  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
 
-Daniel Stenberg (27 Jan 2021)
-- urldata: move 'ints' to the end of 'connectdata'
+- cookies: Support multiple -b parameters
   
-  To optimize storage slightly.
+  Previously only a single -b cookie parameter was supported with the last
+  one winning.  This adds support for supplying multiple -b params to have
+  them serialized semicolon separated.  Both cookiefiles and cookies can be
+  entered multiple times.
   
-  Closes #6534
+  Closes #6649
+  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
 
-- urldata: store ip version in a single byte
+Daniel Stenberg (25 Feb 2021)
+- build: remove all traces of USE_BLOCKING_SOCKETS
   
-  Closes #6534
-
-- urldata: remove duplicate 'upkeep_interval_ms' from connectdata
+  libcurl doesn't behave properly with the define set
   
-  ... and rely only on the value already set in Curl_easy.
+  Closes #6655
+
+- RELEASE-NOTES: synced
+
+Daniel Gustafsson (25 Feb 2021)
+- docs: Fix typos
   
-  Closes #6534
+  Random typos spotted when skimming docs.
 
-- urldata: remove 'local_ip' from the connectdata struct
+- cookies: Use named parameters in header prototypes
   
-  As the info is already stored in the transfer handle anyway, there's no
-  need to carry around a duplicate buffer for the life-time of the handle.
+  Align header with project style of using named parameters in the
+  function prototypes to aid readability and self-documentation.
   
-  Closes #6534
+  Closes #6653
+  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
 
-- urldata: remove duplicate port number storage
+Daniel Stenberg (24 Feb 2021)
+- urldata: make 'actions[]' use unsigned char instead of int
   
-  ... and use 'int' for ports. We don't use 'unsigned short' since -1 is
-  still often used internally to signify "unknown value" and 0 - 65535 are
-  all valid port numbers.
+  ... as it only needs a few bits per index anyway.
   
-  Closes #6534
+  Reviewed-by: Daniel Gustafsson
+  Closes #6648
 
-- urldata: remove the duplicate 'ip_addr_str' field
-  
-  ... as the numerical IP address is already stored and kept in 'primary_ip'.
+- configure: fail if --with-quiche is used and quiche isn't found
   
-  Closes #6534
+  Closes #6652
 
-- select: convert Curl_select() to private static function
+- [Gregor Jasny brought this change]
+
+  cmake: use CMAKE_INSTALL_INCLUDEDIR indirection
   
-  The old function should not be used anywhere anymore (the only remaining
-  gskit use has to be fixed to instead use Curl_poll or none at all).
+  Reviewed-by: Sergei Nikulov
+  Closes #6440
+
+Viktor Szakats (23 Feb 2021)
+- mingw: enable using strcasecmp()
   
-  The static function version is now called our_select() and is only built
-  if necessary.
+  This makes the 'Features:' list sorted case-insensitively,
+  bringing output in-line with *nix builds.
   
-  Closes #6531
+  Reviewed-by: Jay Satiro
+  Closes #6644
 
-- Curl_chunker: shrink the struct
+- build: delete unused feature guards
   
-  ... by removing a field, converting the hex index into a byte and
-  rearranging the order. Cuts it down from 48 bytes to 32 on x86_64.
+  - `HAVE_STRNCASECMP`
+  - `HAVE_TCGETATTR`
+  - `HAVE_TCSETATTR`
   
-  Closes #6527
+  Reviewed-by: Jay Satiro
+  Reviewed-by: Daniel Stenberg
+  Closes #6645
 
-- curl: include the file name in --xattr/--remote-time error msgs
+Jay Satiro (23 Feb 2021)
+- docs: add CURLOPT_CURLU to 'See also' in curl_url_ functions
+  
+  Closes https://github.com/curl/curl/pull/6639
 
-- curl: s/config->global/global/ in single_transfer()
+Daniel Stenberg (23 Feb 2021)
+- [Jacob Hoffman-Andrews brought this change]
 
-- curl: move fprintf outputs to warnf
+  configure: make hyper opt-in, and fail if missing
   
-  For setting and getting time of the download. To make the outputs
-  respect --silent etc.
+  Previously, configure would look for hyper by default, and use it if
+  found; otherwise it would not use hyper, and not error.
   
-  Reported-by: Viktor Szakats
-  Fixes #6533
-  Closes #6535
-
-- [Tatsuhiro Tsujikawa brought this change]
-
-  ngtcp2: Fix http3 upload stall
+  Now, configure will not look for hyper unless --with-hyper is passed. If
+  configure looks for hyper and fails, it will error.
   
-  Closes #6521
-
-- [Tatsuhiro Tsujikawa brought this change]
-
-  ngtcp2: Fix stack buffer overflow
+  Also, add -ld -lpthread -lm to Hyper's libs. I think they are required.
   
-  Closes #6521
+  Closes #6598
 
-- warnless.h: remove the prototype for curlx_ultosi
+- multi: do once-per-transfer inits in before_perform in DID state
   
-  Follow-up to 217552503ff3
-
-- warnless: remove curlx_ultosi
+  ... since the state machine might go to RATELIMITING and then back to
+  PERFORMING doing once-per-transfer inits in that function is wrong and
+  it caused problems with receiving chunked HTTP and it set the
+  PRETRANSFER time much too often...
   
-  ... not used anywhere
+  Regression from b68dc34af341805aeb7b3715 (shipped in 7.75.0)
   
-  Closes #6530
-
-- [Patrick Monnerat brought this change]
+  Reported-by: Amaury Denoyelle
+  Fixes #6640
+  Closes #6641
 
-  lib: remove conn->data uses
-  
-  Closes #6515
+- RELEASE-NOTES: synced
 
-- pingpong: remove the 'conn' struct member
+- CODE_STYLE.md: fix broken link to INTERNALS
   
-  ... as it's superfluous now when Curl_easy is passed in and we can
-  derive the connection from that instead and avoid the duplicate copy.
+  ... the link would only work if browsed on GitHub, while this link now
+  takes the user to the website instead and thus should work on either.
   
-  Closes #6525
+  Reported-by: David Demelier
 
-- hostip/proxy: remove conn->data use
+- curl_url_set.3: mention CURLU_PATH_AS_IS
   
-  Closes #6513
-
-- url: reduce conn->data references
+  ... it has been supported since the URL API was added.
   
-  ... there are a few left but let's keep them to last
+  Bug: https://curl.se/mail/lib-2021-02/0046.html
   
-  Closes #6512
-
-- scripts/singleuse: add curl_easy_option*
+  Closes #6638
 
-Jay Satiro (25 Jan 2021)
-- test410: fix for windows
+Viktor Szakats (21 Feb 2021)
+- time: enable 64-bit time_t in supported mingw environments
   
-  - Pass the very long request header via file instead of command line.
+  (Unless 32-bit `time_t` is selected manually via the `_USE_32BIT_TIME_T`
+  mingw macro.)
   
-  Prior to this change the 49k very long request header string was passed
-  via command line and on Windows that is too long so it was truncated and
-  the test would fail (specifically msys CI).
+  Previously, 64-bit `time_t` was enabled on VS2005 and newer only, and
+  32-bit `time_t` was used on all other Windows builds.
   
-  Closes https://github.com/curl/curl/pull/6516
+  Assisted-by: Jay Satiro
+  Closes #6636
 
-Daniel Stenberg (25 Jan 2021)
-- libssh2: move data from connection object to transfer object
+Jay Satiro (20 Feb 2021)
+- test1188: Check for --fail HTTP status
   
-  Readdir data, filenames and attributes are strictly related to the
-  transfer and not the connection. This also reduces the total size of the
-  fixed connectdata struct.
+  - Change the test to check for curl error on HTTP 404 Not Found.
   
-  Closes #6519
-
-- RELEASE-NOTES: synced
-
-- [Patrick Monnerat brought this change]
-
-  lib: remove conn->data uses
+  test1188 tests "--write-out with %{onerror} and %{urlnum} to stderr".
+  Prior to this change it did that by specifying a non-existent host which
+  would cause an error. ISPs may hijack DNS and resolve non-existent hosts
+  so the test would not work if that was the case.
   
-  Closes #6499
+  Ref: https://en.wikipedia.org/wiki/DNS_hijacking#Manipulation_by_ISPs
+  Ref: https://github.com/curl/curl/issues/6621
+  Ref: https://github.com/curl/curl/pull/6623
+  
+  Closes https://github.com/curl/curl/pull/6637
 
-- hyper: remove the conn->data references
+- memdebug: close debug logfile explicitly on exit
+  
+  - Use atexit to register a dbg cleanup function that closes the logfile.
+  
+  LeakSantizier (LSAN) calls _exit() instead of exit() when a leak is
+  detected on exit so the logfile must be closed explicitly or data could
+  be lost. Though _exit() does not call atexit handlers such as this,
+  LSAN's call to _exit() comes after the atexit handlers are called.
   
-  Closes #6508
-
-- travis: build ngtcp2 --with-gnutls
+  Prior to this change the logfile was not explicitly closed so it was
+  possible that if LSAN detected a leak and called _exit (which does
+  not flush or close files like exit) then the logfile could be missing
+  data. That could then cause curl's memanalyze to report false leaks
+  (eg a malloc was recorded to the logfile but the corresponding free was
+  discarded from the buffer instead of written to the logfile, then
+  memanalyze reports that as a leak).
   
-  ... since they disable it by default since a few days back.
+  Ref: https://github.com/google/sanitizers/issues/1374
   
-  Closes #6506
-  Fixes #6493
+  Bug: https://github.com/curl/curl/pull/6591#issuecomment-780396541
+  
+  Closes https://github.com/curl/curl/pull/6620
 
-- hostip: remove conn->data from resolver functions
+- curl_multibyte: always return a heap-allocated copy of string
   
-  This also moves the 'async' struct from the connectdata struct into the
-  Curl_easy struct, which seems like a better home for it.
+  - Change the Windows char <-> UTF-8 conversion functions to return an
+    allocated copy of the passed in string instead of the original.
   
-  Closes #6497
-
-Jay Satiro (22 Jan 2021)
-- strerror: skip errnum >= 0 assertion on windows
+  Prior to this change the curlx_convert_ functions would, as what I
+  assume was an optimization, not make a copy of the passed in string if
+  no conversion was required. No conversion is required in non-UNICODE
+  Windows builds since our tchar strings are type char and remain in
+  whatever the passed in encoding is, which is assumed to be UTF-8 but may
+  be other encoding.
   
-  On Windows an error number may be greater than INT_MAX and negative once
-  cast to int.
+  In contrast the UNICODE Windows builds require conversion
+  (wchar <-> char) and do return a copy. That inconsistency could lead to
+  programming errors where the developer expects a copy, and does not
+  realize that won't happen in all cases.
   
-  The assertion is checked only in debug builds.
+  Closes https://github.com/curl/curl/pull/6602
+
+Viktor Szakats (19 Feb 2021)
+- http: add new files missed from referrer commit
   
-  Closes https://github.com/curl/curl/pull/6504
+  Ref: 44872aefc2d54f297caf2b0cc887df321bc9d791
+  Ref: #6591
 
-Daniel Stenberg (21 Jan 2021)
-- doh: make Curl_doh_is_resolved survive a NULL pointer
+- http: add support to read and store the referrer header
   
-  ... if Curl_doh() returned a NULL, this function gets called anyway as
-  in a asynch procedure. Then the doh struct pointer is NULL and signifies
-  an OOM situation.
+  - add CURLINFO_REFERER libcurl option
+  - add --write-out '%{referer}' command-line option
+  - extend --xattr command-line option to fill user.xdg.referrer.url extended
+    attribute with the referrer (if there was any)
   
-  Follow-up to 6246a1d8c6776
+  Closes #6591
 
-- wolfssh: remove conn->data references
+Daniel Stenberg (19 Feb 2021)
+- urldata: remove the _ORIG suffix from string names
   
-  ... and repair recent build breakage
+  It doesn't provide any useful info but only makes the names longer.
   
-  Closes #6507
+  Closes #6624
 
-- http: empty reply connection are not left intact
+- url: fix memory leak if OOM in the HSTS handling
   
-  ... so mark the connection as closed in this condition to prevent that
-  verbose message to wrongly appear.
+  Reported-by: Viktor Szakats
+  Bug: https://github.com/curl/curl/pull/6627#issuecomment-781626205
   
-  Reported-by: Matt Holt
-  Bug: https://twitter.com/mholt6/status/1352130240265375744
-  Closes #6503
+  Closes #6628
 
-- chunk/encoding: remove conn->data references
+- gnutls: assume nettle crypto support
   
-  ... by anchoring more functions on Curl_easy instead of connectdata
+  nettle has been the default crypto library with GnuTLS since 2010. By
+  dropping support for the previous libcrypto, we simplify code.
   
-  Closes #6498
-
-Jay Satiro (20 Jan 2021)
-- [Erik Olsson brought this change]
+  Closes #6625
 
-  lib: save a bit of space with some structure packing
+- asyn-ares: use consistent resolve error message
   
-  - Reorder some internal struct members so that less padding is used.
+  ... with the help of Curl_resolver_error() which now is moved from
+  asyn-thead.c and is provided globally for this purpose.
   
-  This is an attempt at saving a bit of space by packing some structs
-  (using pahole to find the holes) where it might make sense to do
-  so without losing readability.
+  Follow-up to 35ca04ce1b77636
   
-  I.e., I tried to avoid separating fields that seem grouped
-  together (like the cwd... fields in struct ftp_conn for instance).
-  Also abstained from touching fields behind conditional macros as
-  that quickly can get complicated.
+  Makes test 1188 work for c-ares builds
   
-  Closes https://github.com/curl/curl/pull/6483
+  Closes #6626
 
-Daniel Stenberg (20 Jan 2021)
-- INSTALL.md: fix typo
+Viktor Szakats (18 Feb 2021)
+- ci: stop building on freebsd-12-1
   
-  Found-by: Marcel Raad
-
-- [Fabian Keil brought this change]
-
-  http: get CURLOPT_REQUEST_TARGET working with a HTTP proxy
+  An updated freebsd-12-2 image was added a few months ago, and this
+  older one is consistently failing to go past `pkginstall`:
+  ```
+  Newer FreeBSD version for package py37-mlt:
+  To ignore this error set IGNORE_OSVERSION=yes
+  - package: 1202000
+  - running kernel: 1201000
+  Ignore the mismatch and continue? [Y/n]: pkg: repository FreeBSD contains packages for wrong OS version: FreeBSD:12:amd64
+  ```
   
-  Added test 1613 to verify.
+  FreeBSD thread suggests that 12.1 is EOL, and best to avoid.
   
-  Closes #6490
-
-- Merge branch 'bagder/curl_range-data-conn'
-
-- ftp: remove conn->data leftover
-
-- curl_range: remove conn->data
+  Ref: https://forums.freebsd.org/threads/78856/
   
-  Closes #6496
-
-- INSTALL: now at 85 operating systems
+  Reviewed-by: Daniel Stenberg
+  Closes #6622
 
-- quiche: fix unused parameter ‘conn’
+Daniel Stenberg (18 Feb 2021)
+- test1188: change error from connect to resolve error
   
-  Follow-up to 2bdec0b3
-
-- transfer: fix ‘conn’ undeclared mistake for iconv build
+  Using the %NOLISTENPORT to trigger a connection failure is somewhat
+  "risky" (since it isn't guaranteed to not be listened to) and caused
+  occasional CI problems. This fix changes the infused error to be a more
+  reliable one but still verifies the --write-out functionality properly -
+  which is the purpose of this test.
   
-  Follow-up to 219d9f8620d
+  Reported-by: Jay Satiro
+  Fixes #6621
+  Closes #6623
 
-- doh: allocate state struct on demand
-  
-  ... instead of having it static within the Curl_easy struct. This takes
-  away 1176 bytes (18%) from the Curl_easy struct that aren't used very
-  often and instead makes the code allocate it when needed.
-  
-  Closes #6492
+- url.c: use consistent error message for failed resolve
 
-- socks: use the download buffer instead
+- BUGS: language polish
+
+- wolfssl: don't store a NULL sessionid
   
-  The SOCKS code now uses the generic download buffer for temporary
-  storage during the connection procedure, instead of having its own
-  private 600 byte buffer that adds to the connectdata struct size. This
-  works fine because this point the buffer is allocated but is not use for
-  download yet since the connection hasn't completed.
+  This caused a memory leak as the session id cache entry was still
+  erroneously stored with a NULL sessionid and that would later be treated
+  as not needed to get freed.
   
-  This reduces the connection struct size by 22% on a 64bit arch!
+  Reported-by: Gisle Vanem
+  Fixes #6616
+  Closes #6617
+
+- parse_proxy: fix a memory leak in the OOM path
   
-  The SOCKS buffer needs to be at least 600 bytes, and the download buffer
-  is guaranteed to never be smaller than 1000 bytes.
+  Reported-by: Jay Satiro
+  Reviewed-by: Jay Satiro
+  Reviewed-by: Emil Engler
   
-  Closes #6491
+  Closes #6614
+  Bug: https://github.com/curl/curl/pull/6591#issuecomment-780396541
 
-- urldata: make magic be the first struct field
+Jay Satiro (17 Feb 2021)
+- url: fix possible use-after-free in default protocol
   
-  By making the `magic` identifier the same size and at the same place
-  within the structs (easy, multi, share), libcurl will be able to more
-  reliably detect and safely error out if an application passes in the
-  wrong handle to APIs. Easier to detect and less likely to cause crashes
-  if done.
+  Prior to this change if the user specified a default protocol and a
+  separately allocated non-absolute URL was used then it was freed
+  prematurely, before it was then used to make the replacement URL.
   
-  Such mixups can't be detected at compile-time due to them being
-  typedefed void pointers - unless `CURL_STRICTER` is defined.
+  Bug: https://github.com/curl/curl/issues/6604#issuecomment-780138219
+  Reported-by: arvids-kokins-bidstack@users.noreply.github.com
   
-  Closes #6484
+  Closes https://github.com/curl/curl/pull/6613
 
-- http_chunks: correct and clarify a comment on hexnumber length
-  
-  ... and also rename the define for max length.
+Daniel Stenberg (16 Feb 2021)
+- multi: rename the multi transfer states
   
-  Closes #6489
-
-- curl_path: remove conn->data use
+  While working on documenting the states it dawned on me that step one is
+  to use more descriptive names on the states. This also changes prefix on
+  the states to make them shorter in the source.
   
-  Closes #6487
-
-- transfer: remove conn->data use
+  State names NOT ending with *ing are transitional ones.
   
-  Closes #6486
+  Closes #6612
 
-- quic: remove conn->data use
+Viktor Szakats (16 Feb 2021)
+- http: do not add a referrer header with empty value
   
-  Closes #6485
-
-- [Fabian Keil brought this change]
-
-  Add test1181: Proxy request with --proxy-header "Connection: Keep-Alive"
-
-- [Fabian Keil brought this change]
-
-  Add test1180: Proxy request with -H "Proxy-Connection: Keep-Alive"
+  Previously an empty 'Referer:' header was added to the HTTP request when
+  passing `--referer ';auto'` or `--referer ''` on the command-line. This
+  patch makes `--referer` work like `--header 'Referer:'` and will only add
+  the header if it has a non-zero length value.
   
-  At the moment the test fails as curl sends two Proxy-Connection
-  headers.
-
-- c-hyper: avoid duplicated Proxy-Connection headers
+  Reviewed-by: Jay Satiro
+  Closes #6610
 
-- http: make providing Proxy-Connection header not cause duplicated headers
+Daniel Stenberg (16 Feb 2021)
+- lib: remove 'conn->data' completely
   
-  Fixes test 1180
+  The Curl_easy pointer struct entry in connectdata is now gone. Just
+  before commit 215db086e0 landed on January 8, 2021 there were 919
+  references to conn->data.
   
-  Bug: https://curl.se/mail/lib-2021-01/0095.html
-  Reported-by: Fabian Keil
-  Closes #6472
+  Closes #6608
 
-- runtests: preprocess DISABLED to allow conditionals
+- openldap: pass 'data' to the callbacks instead of 'conn'
+
+Jay Satiro (15 Feb 2021)
+- doh: Fix sharing user's resolve list with DOH handles
   
-  ... with this function provided, we can disable tests for specific
-  environments and setups directly within this file.
+  - Share the shared object from the user's easy handle with the DOH
+    handles.
   
-  Closes #6477
-
-- runtests: turn preprocessing into a separate function
+  Prior to this change if the user had set a shared object with shared
+  cached DNS (CURL_LOCK_DATA_DNS) for their easy handle then that wasn't
+  used by any associated DOH handles, since they used the multi's default
+  hostcache.
   
-  ... and remove all other variable substitutions as they're now done once
-  and for all in the preprocessor.
-
-- lib/Makefile.inc: convert to listing each file on its own line
+  This change means all the handles now use the same hostcache, which is
+  either the shared hostcache from the user created shared object if it
+  exists or if not then the multi's default hostcache.
   
-  ... to make it diff friendlier and easier to read.
+  Reported-by: Manuj Bhatia
   
-  Closes #6448
+  Fixes https://github.com/curl/curl/issues/6589
+  Closes https://github.com/curl/curl/pull/6607
 
-- ftplistparser: remove use of conn->data
+Daniel Stenberg (15 Feb 2021)
+- http2: remove conn->data use
   
-  Closes #6482
-
-- lib: more conn->data cleanups
+  ... but instead use a private alternative that points to the "driving
+  transfer" from the connection. We set the "user data" associated with
+  the connection to be the connectdata struct, but when we drive transfers
+  the code still needs to know the pointer to the transfer. We can change
+  the user data to become the Curl_easy handle, but with older nghttp2
+  version we cannot dynamically update that pointer properly when
+  different transfers are used over the same connection.
   
-  Closes #6479
-
-- [Patrick Monnerat brought this change]
+  Closes #6520
 
-  vtls: reduce conn->data use
+- openssl: remove conn->data use
   
-  Closes #6474
-
-- hyper: deliver data to application with Curl_client_write
+  We still make the trace callback function get the connectdata struct
+  passed to it, since the callback is anchored on the connection.
   
-  ... just as the native code path does. Avoids sending too large data
-  chunks in the callback and more.
+  Repeatedly updating the callback pointer to set 'data' with
+  SSL_CTX_set_msg_callback_arg() doesn't seem to work, probably because
+  there might already be messages in the queue with the old pointer.
   
-  Reported-by: Gisle Vanem
-  Fixes #6462
-  Closes #6473
+  This code therefore makes sure to set the "logger" handle before using
+  OpenSSL calls so that the right easy handle gets used for tracing.
+  
+  Closes #6522
 
-- gopher: remove accidental conn->data leftover
+- RELEASE-NOTES: synced
 
-- libssh: avoid plain free() of libssh-memory
+Jay Satiro (14 Feb 2021)
+- doh: add options to disable ssl verification
   
-  Since curl's own memory debugging system redefines free() calls to track
-  and fiddle with memory, it cannot be used on memory allocated by 3rd
-  party libraries.
+  - New libcurl options CURLOPT_DOH_SSL_VERIFYHOST,
+    CURLOPT_DOH_SSL_VERIFYPEER and CURLOPT_DOH_SSL_VERIFYSTATUS do the
+    same as their respective counterparts.
+  
+  - New curl tool options --doh-insecure and --doh-cert-status do the same
+    as their respective counterparts.
   
-  Third party libraries SHOULD NOT require free() to release allocated
-  resources for this reason - and libs can use separate healp allocators
-  on some systems (like Windows) so free() doesn't necessarily work
-  anyway.
+  Prior to this change DOH SSL certificate verification settings for
+  verifyhost and verifypeer were supposed to be inherited respectively
+  from CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER, but due to a bug
+  were not. As a result DOH verification remained at the default, ie
+  enabled, and it was not possible to disable. This commit changes
+  behavior so that the DOH verification settings are independent and not
+  inherited.
   
-  Filed as an issue with libssh: https://bugs.libssh.org/T268
+  Ref: https://github.com/curl/curl/pull/4579#issuecomment-554723676
   
-  Closes #6481
+  Fixes https://github.com/curl/curl/issues/4578
+  Closes https://github.com/curl/curl/pull/6597
 
-- send: assert that Curl_write_plain() has a ->conn when called
+- hostip: fix crash in sync resolver builds that use DOH
   
-  To help catch bad invokes.
+  - Guard some Curl_async accesses with USE_CURL_ASYNC instead of
+    !CURLRES_SYNCH.
   
-  Closes #6476
-
-- test410: verify HTTPS GET with a 49K request header
+  This is another follow-up to 8335c64 which moved the async struct from
+  the connectdata struct into the Curl_easy struct. A previous follow-up
+  6cd167a fixed building for sync resolver by guarding some async struct
+  accesses with !CURLRES_SYNCH. The problem is since DOH (DNS-over-HTTPS)
+  is available as an asynchronous secondary resolver the async struct may
+  be used even when libcurl is built for the sync resolver. That means
+  that CURLRES_SYNCH and USE_CURL_ASYNC may be defined at the same time.
   
-  skip test 410 for mesalink in the CI as it otherwise hangs "forever"
+  Closes https://github.com/curl/curl/pull/6603
 
-- lib: pass in 'struct Curl_easy *' to most functions
+Daniel Stenberg (13 Feb 2021)
+- KNOWN_BUGS: cannot enable LDAPS on Windows with cmake
   
-  ... in most cases instead of 'struct connectdata *' but in some cases in
-  addition to.
+  Reported-by: Jack Boos Yu
+  Closes #6284
+
+- KNOWN_BUGS: Excessive HTTP/2 packets with TCP_NODELAY
   
-  - We mostly operate on transfers and not connections.
+  Reported-by: Alex Xu
+  Closes #6363
+
+- http: use credentials from transfer, not connection
   
-  - We need the transfer handle to log, store data and more. Everything in
-    libcurl is driven by a transfer (the CURL * in the public API).
+  HTTP auth "accidentally" worked before this cleanup since the code would
+  always overwrite the connection credentials with the credentials from
+  the most recent transfer and since HTTP auth is typically done first
+  thing, this has not been an issue. It was still wrong and subject to
+  possible race conditions or future breakage if the sequence of functions
+  would change.
   
-  - This work clarifies and separates the transfers from the connections
-    better.
+  The data.set.str[] strings MUST remain unmodified exactly as set by the
+  user, and the credentials to use internally are instead set/updated in
+  state.aptr.*
   
-  - We should avoid "conn->data". Since individual connections can be used
-    by many transfers when multiplexing, making sure that conn->data
-    points to the current and correct transfer at all times is difficult
-    and has been notoriously error-prone over the years. The goal is to
-    ultimately remove the conn->data pointer for this reason.
+  Added test 675 to verify different credentials used in two requests done
+  over a reused HTTP connection, which previously behaved wrongly.
   
-  Closes #6425
+  Fixes #6542
+  Closes #6545
 
-Emil Engler (17 Jan 2021)
-- docs: fix typos in NEW-PROTOCOL.md
+- test433: clear some home dir env variables
   
-  This fixes a misspelled "it" and a grammatically wrong "-ing" suffix.
+  Follow-up to bd6b54ba1f55b5
+  
+  ... so that XDG_CONFIG_HOME is the only home dir variable set and thus
+  used correctly in the test!
   
-  Closes #6471
+  Fixes #6599
+  Closes #6600
 
-Daniel Stenberg (16 Jan 2021)
 - RELEASE-NOTES: synced
+  
+  bumped the version to 7.76.0
 
-Jay Satiro (16 Jan 2021)
-- [Razvan Cojocaru brought this change]
+- travis: install libgsasl-dev to add that to the builds
+  
+  Closes #6588
 
-  cmake: expose CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG
+- urldata: don't touch data->set.httpversion at run-time
   
-  This does for cmake builds what --disable-openssl-auto-load-config
-  does for autoconf builds.
+  Rename it to 'httpwant' and make a cloned field in the state struct as
+  well for run-time updates.
   
-  Closes https://github.com/curl/curl/pull/6435
-
-Daniel Stenberg (15 Jan 2021)
-- test1918: verify curl_easy_option_by_name() and curl_easy_option_by_id()
+  Also: refuse non-supported HTTP versions. Verified with test 129.
   
-  ... and as a practical side-effect, make sure that the
-  Curl_easyopts_check() function is asserted in debug builds, which we
-  want to detect mismatches between the options list in easyoptions.c and
-  the options in curl.h
+  Closes #6585
+
+Viktor Szakats (11 Feb 2021)
+- tests: disable .curlrc in more environments
   
-  Found-by: Gisle Vanem
-  Bug: https://github.com/curl/curl/commit/08e8455dddc5e48e58a12ade3815c01ae3da3b64#commitcomment-45991815
+  by also setting CURL_HOME and XDG_CONFIG_HOME envvars to the local
+  directory.
   
-  Closes #6461
+  Reviewed-by: Daniel Stenberg
+  Fixes #6595
+  Closes #6596
 
-- [Gisle Vanem brought this change]
+- docs/Makefile.inc: format to be update-friendly
+  
+  - one source file per line
+  - convert tabs to spaces
+  - do not align line-continuation backslashes
+  - sort source files alphabetically
+  
+  Reviewed-by: Daniel Stenberg
+  Closes #6593
 
-  easyoptions: add the missing AWS_SIGV4
+Daniel Stenberg (11 Feb 2021)
+- curl: provide libgsasl version and feature info in -V output
   
-  Follow-up from AWS_SIGV4
+  Closes #6592
 
-- schannel_verify: fix safefree call typo
+- gsasl: provide CURL_VERSION_GSASL if built-in
   
-  Follow-up from e87ad71d1ba00519
+  To let applications know the feature is available.
   
-  Closes #6459
+  Closes #6592
 
-- mime: make sure setting MIMEPOST to NULL resets properly
-  
-  ... so that a function can first use MIMEPOST and then set it to NULL to
-  reset it back to a blank POST.
+- curl: add --fail-with-body
   
-  Added test 584 to verify the fix.
+  Prevent both --fail and --fail-with-body on the same command line.
   
-  Reported-by: Christoph M. Becker
+  Verify with test 349, 360 and 361.
   
-  Fixes #6455
-  Closes #6456
+  Closes #6449
 
-- multi: set the PRETRANSFER time-stamp when we switch to PERFORM
+- TODO: remove HSTS
   
-  ... instead of at end of the DO state. This makes the timer more
-  accurate for the protocols that use the DOING state (such as FTP), and
-  simplifies how the function (now called init_perform) is called.
+  Provided now since commit 7385610d0c74
+
+Jay Satiro (10 Feb 2021)
+- tests: Fix tests failing due to change in curl --help
   
-  The timer will then include the entire procedure up to PERFORM -
-  including all instructions for getting the transfer started.
+  Follow-up to parent 3183217 which added add missing <mode> argument to
+  --create-file-mode <mode>.
   
-  Closes #6454
+  Ref: https://github.com/curl/curl/issues/6590
 
-- CURLINFO_PRETRANSFER_TIME.3: clarify
+- tool_help: add missing argument for --create-file-mode
   
-  ... the timer *does* include the instructions for getting the remote
-  file.
+  Prior to this change the required argument was not shown in curl --help.
   
-  Ref: #6452
-  Closes #6453
-
-- [Gisle Vanem brought this change]
-
-  schannel: plug a memory-leak
+  before:
+       --create-file-mode File mode for created files
+  
+  after:
+       --create-file-mode <mode> File mode (octal) for created files
   
-  ... when built without -DUNICODE.
+  Reported-by: ZimCodes@users.noreply.github.com
   
-  Closes #6457
+  Fixes https://github.com/curl/curl/issues/6590
 
-Jay Satiro (14 Jan 2021)
-- gitattributes: Set batch files to CRLF line endings on checkout
+- create-file-mode.d: add missing Arg tag
   
-  If a batch file is run without CRLF line endings (ie LF-only) then
-  arbitrary behavior may occur. I consider that a bug in Windows, however
-  the effects can be serious enough (eg unintended code executed) that
-  we're fixing it in the repo by requiring CRLF line endings for batch
-  files on checkout.
+  Prior to this change the required argument was not shown.
+  
+  curl.1 before: --create-file-mode
+  curl.1 after: --create-file-mode <mode>
   
-  Prior to this change the checked-out line endings of batch files were
-  dependent on a user's git preferences. On Windows it is common for git
-  users to have automatic CRLF conversion enabled (core.autocrlf true),
-  but those users that don't would run into this behavior.
+  Reported-by: ZimCodes@users.noreply.github.com
   
-  For example a user has reported running the Visual Studio project
-  generator batch file (projects/generate.bat) and it looped forever.
-  Output showed that the Windows OS interpreter was occasionally jumping
-  to arbitrary points in the batch file and executing commands. This
-  resulted in unintended files being removed (a removal sequence called)
-  and looping forever.
+  Fixes https://github.com/curl/curl/issues/6590
+
+Viktor Szakats (10 Feb 2021)
+- gsasl: fix errors/warnings building against libgsasl
   
-  Ref: https://serverfault.com/q/429594
-  Ref: https://stackoverflow.com/q/232651
-  Ref: https://www.dostips.com/forum/viewtopic.php?t=8988
-  Ref: https://git-scm.com/docs/gitattributes#_checking_out_and_checking_in
-  Ref: https://git-scm.com/book/en/v2/Customizing-Git-Git-Configuration#_core_autocrlf
+  - also fix an indentation
+  - make Curl_auth_gsasl_token() use CURLcode (by Daniel Stenberg)
   
-  Bug: https://github.com/curl/curl/discussions/6427
-  Reported-by: Ganesh Kamath
+  Ref: https://github.com/curl/curl/pull/6372#issuecomment-776118711
+  Ref: https://github.com/curl/curl/pull/6588
   
-  Closes https://github.com/curl/curl/pull/6442
-
-Daniel Stenberg (14 Jan 2021)
-- tool_operate: spellfix a comment
+  Reviewed-by: Jay Satiro
+  Assisted-by: Daniel Stenberg
+  Reviewed-by: Simon Josefsson
+  Closes #6587
 
-- ROADMAP: refreshed
+- Makefile.m32: add support for libgsasl dependency
   
-  o removed HSTS - already implemented
-  o added HTTPS RR records
-  o mention HTTP/3 completion
-
-- http_chunks: remove Curl_ prefix from static functions
-
-- transfer: remove Curl_ prefix from static functions
-
-- tftp: remove Curl_ prefix from static functions
-
-- multi: remove Curl_ prefix from static functions
-
-- ldap: remove Curl_ prefix from static functions
-
-- doh: remove Curl_ prefix from static functions
-
-- asyn-ares: remove Curl_ prefix from static functions
-
-- vtls: remove Curl_ prefix from static functions
-
-- bearssl: remove Curl_ prefix from static functions
-
-- mbedtls: remove Curl_ prefix from static functions
-
-- wolfssl: remove Curl_ prefix from static functions
-
-- nss: remove Curl_ prefix from static functions
+  Reviewed-by: Marcel Raad
+  Closes #6586
 
-- gnutls: remove Curl_ prefix from static functions
+Marcel Raad (10 Feb 2021)
+- ngtcp2: clarify calculation precedence
+  
+  As suggested by Codacy/cppcheck.
+  
+  Closes https://github.com/curl/curl/pull/6576
 
-- openssl: remove Curl_ prefix from static functions
+- server: remove redundant condition
   
-  ... as we reserve this prefix to library-wide functions.
+  `end` is always non-null here.
   
-  Closes #6443
+  Closes https://github.com/curl/curl/pull/6576
 
-- nss: get the run-time version instead of build-time
+- lib: remove redundant code
   
-  Closes #6445
+  Closes https://github.com/curl/curl/pull/6576
 
-Jay Satiro (12 Jan 2021)
-- tool_doswin: Restore original console settings on CTRL signal
+- mqttd: remove unused variable
   
-  - Move Windows terminal init code from tool_main to tool_doswin.
+  Closes https://github.com/curl/curl/pull/6576
+
+- tool_paramhlp: reduce variable scope
   
-  - Restore the original console settings on CTRL+C and CTRL+BREAK.
+  Closes https://github.com/curl/curl/pull/6576
+
+- tests: reduce variable scopes
   
-  Background: On Windows the curl tool changes the console settings to
-  enable virtual terminal processing (eg color output) if supported
-  (ie Win 10). The original settings are restored on exit but prior to
-  this change were not restored in the case of the CTRL signals.
+  Closes https://github.com/curl/curl/pull/6576
+
+- lib: reduce variable scopes
   
-  Windows VT behavior varies depending on console/powershell/terminal;
-  refer to the discussion in #6226.
+  Closes https://github.com/curl/curl/pull/6576
+
+- ftp: fix Codacy/cppcheck warning about null pointer arithmetic
   
-  Assisted-by: Rich Turner
+  Increment `bytes` only if it is non-null.
   
-  Closes https://github.com/curl/curl/pull/6226
+  Closes https://github.com/curl/curl/pull/6576
 
-Daniel Stenberg (12 Jan 2021)
-- gen.pl: fix perl syntax
-  
-  Follow-up to 324cf1d2e
+Daniel Stenberg (9 Feb 2021)
+- ngtcp2: adapt to the new recv_datagram callback
 
-- [Emil Engler brought this change]
+- quiche: fix build error: use 'int' for port number
+  
+  Follow-up to cb2dc1ba8
 
-  help: update to current codebase
+- ftp: add 'list_only' to the transfer state struct
   
-  This commit bumps the help to the current state of the project.
+  and rename it from 'ftp_list_only' since it is also used for SSH and
+  POP3. The state is updated internally for 'type=D' FTP URLs.
   
-  Closes #6437
-
-- [Emil Engler brought this change]
+  Added test case 1570 to verify.
+  
+  Closes #6578
 
-  docs: fix line length bug in gen.pl
+- ftp: add 'prefer_ascii' to the transfer state struct
+  
+  ... and make sure the code never updates 'set.prefer_ascii' as it breaks
+  handle reuse which should use the setting as the user specified it.
   
-  The script warns if the length of $opt and $desc is > 78. However, these
-  two variables are on totally separate lines so the check makes no sense.
-  Also the $bitmask field is totally forgotten. Currently this leads to
-  two warnings within `--resolve` and `--aws-sigv4`.
+  Added test 1569 to verify: it first makes an FTP transfer with ';type=A'
+  and then another without type on the same handle and the second should
+  then use binary. Previously, curl failed this.
   
-  Closes #6438
+  Closes #6578
 
-- [Emil Engler brought this change]
+- RELEASE-NOTES: synced
 
-  docs: fix wrong documentation in help.d
-  
-  curl does not list all categories when you invoke "--help" without any
-  parameters.
-  
-  Closes #6436
+- [Jacob Hoffman-Andrews brought this change]
 
-- aws-sigv4.d: polish the wording
+  vtls: initial implementation of rustls backend
   
-  Make it shorter and imperative form
+  This adds a new TLS backend, rustls. It uses the C-to-rustls bindings
+  from https://github.com/abetterinternet/crustls.
   
-  Closes #6439
-
-- [Fabian Keil brought this change]
-
-  misc: fix typos
+  Rustls is at https://github.com/ctz/rustls/.
   
-  Bug: https://curl.se/mail/lib-2021-01/0063.html
-  Closes #6434
-
-- multi_runsingle: bail out early on data->conn == NULL
+  There is still a fair bit to be done, like sending CloseNotify on
+  connection shutdown, respecting CAPATH, and properly indicating features
+  like "supports TLS 1.3 ciphersuites." But it works well enough to make
+  requests and receive responses.
   
-  As that's a significant error condition and scan-build warns for NULL
-  pointer dereferences if we don't.
+  Blog post for context:
+  https://www.abetterinternet.org/post/memory-safe-curl/
   
-  Closes #6433
+  Closes #6350
 
-- multi: skip DONE state if there's no connection left for ftp wildcard
-  
-  ... to avoid running in that state with data->conn being NULL.
+- [Simon Josefsson brought this change]
 
-- libssh2: fix "Value stored to 'readdir_len' is never read"
+  sasl: support SCRAM-SHA-1 and SCRAM-SHA-256 via libgsasl
   
-  Detected by scan-build
+  Closes #6372
 
-- connect: mark intentional ignores of setsockopt return values
+Jay Satiro (9 Feb 2021)
+- lib: use int type for more port variables
   
-  Pointed out by Coverity
+  This is a follow-up to 764c6bd. Prior to that change port variables
+  were usually type long.
   
-  Closes #6431
+  Closes https://github.com/curl/curl/pull/6553
 
-Jay Satiro (11 Jan 2021)
-- http_proxy: Fix CONNECT chunked encoding race condition
+- tool_writeout: refactor write-out and write-out json
   
-  - During the end-of-headers response phase do not mark the tunnel
-    complete unless the response body was completely parsed/ignored.
+  - Deduplicate the logic used by write-out and write-out json.
   
-  Prior to this change if the entirety of a CONNECT response with chunked
-  encoding was not received by the time the final header was parsed then
-  the connection would be marked done prematurely, before all the chunked
-  data could be read in and ignored (since this is what we do with any
-  CONNECT response body) and the connection could not be used.
+  Rather than have separate writeLong, writeString, etc, logic for
+  each of write-out and write-out json instead have respective shared
+  functions that can output either format and a 'use_json' parameter to
+  indicate whether it is json that is output.
   
-  Bug: https://curl.se/mail/lib-2021-01/0033.html
-  Reported-by: Fabian Keil
+  This will make it easier to maintain. Rather than have to go through
+  two sets of logic now we only have to go through one.
   
-  Closes https://github.com/curl/curl/pull/6432
-
-Daniel Stenberg (11 Jan 2021)
-- RELEASE-NOTES: synced
-
-- url: if IDNA conversion fails, fallback to Transitional
+  - Support write-out %{errormsg} and %{exitcode} in json.
   
-  This improves IDNA2003 compatiblity.
+  - Clarify in the doc that %{exitcode} is the exit code of the transfer.
   
-  Reported-by: Bubu on github
-  Fixes #6423
-  Closes #6428
-
-- travis: make the Hyper build from its master branch
+  Prior to this change it just said "The numerical exitcode" which
+  implies it's the exit code of the tool, and it's not necessarily that.
   
-  Closes #6430
+  Closes https://github.com/curl/curl/pull/6544
 
-- http: make 'authneg' also work for Hyper
+- lib: drop USE_SOCKETPAIR in favor of CURL_DISABLE_SOCKETPAIR
   
-  When doing a request with a request body expecting a 401/407 back, that
-  initial request is sent with a zero content-length. Test 177 and more.
+  .. since the former is undocumented and they both do the same thing.
   
-  Closes #6424
+  Closes https://github.com/curl/curl/pull/6517
 
-Jay Satiro (8 Jan 2021)
-- cmake: Add an option to disable libidn2
-  
-  New option USE_LIBIDN2 defaults to ON for libidn2 detection. Prior to
-  this change libidn2 detection could not be turned off in cmake builds.
+- curl_multibyte: fall back to local code page stat/access on Windows
   
-  Reported-by: William A Rowe Jr
+  If libcurl is built with Unicode support for Windows then it is assumed
+  the filename string is Unicode in UTF-8 encoding and it is converted to
+  UTF-16 to be passed to the wide character version of the respective
+  function (eg wstat). However the filename string may actually be in the
+  local encoding so, even if it successfully converted to UTF-16, if it
+  could not be stat/accessed then try again using the local code page
+  version of the function (eg wstat fails try stat).
   
-  Fixes https://github.com/curl/curl/issues/6361
-  Closes https://github.com/curl/curl/pull/6362
-
-Daniel Stenberg (8 Jan 2021)
-- HYPER: no longer needs the special branch
-
-- test179: use consistent header line endings
+  We already do this with fopen (ie wfopen fails try fopen), so I think it
+  makes sense to extend it to stat and access functions.
   
-  ... to make "Hyper mode" work better.
+  Closes https://github.com/curl/curl/pull/6514
 
-- file: don't provide content-length for directories
-  
-  ... as it is misleading.
-  
-  Ref #6379
-  Closes #6421
+- [Stephan Szabo brought this change]
 
-- TODO: Directory listing for FILE:
+  file: Support unicode urls on windows
   
-  Ref #6379
+  Closes https://github.com/curl/curl/pull/6501
 
-- curl.h: add CURLPROTO_GOPHERS as own protocol identifier
-  
-  Follow-up to a1f06f32b860, to make sure it can be handled separately
-  from plain gopher.
-  
-  Closes #6418
+- [Vincent Torri brought this change]
 
-- http: have CURLOPT_FAILONERROR fail after all headers
+  cmake: fix import library name for non-MS compiler on Windows
   
-  ... so that Retry-After and other meta-content can still be used.
+  - Use _imp.lib suffix only for Microsoft's compiler (MSVC).
   
-  Added 1634 to verify. Adjusted test 194 and 281 since --fail now also
-  includes the header-terminating CRLF in the output before it exits.
+  Prior to this change library suffix _imp.lib was used for the import
+  library on Windows regardless of compiler.
   
-  Fixes #6408
-  Closes #6409
-
-- global_init: debug builds allocates a byte in init
+  With this change the other compilers should now use their default
+  suffix which should be .dll.a.
   
-  ... to make build tools/valgrind warn if no curl_global_cleanup is
-  called.
+  This change is motivated by the usage of pkg-config on MSYS2.
+  Indeed, when 'pkg-config --libs libcurl' is used, -lcurl is
+  passed to ld. The documentation of ld on Windows :
   
-  This is conditionally only done for debug builds with the env variable
-  CURL_GLOBAL_INIT set.
+  https://sourceware.org/binutils/docs/ld/WIN32.html
   
-  Closes #6410
-
-- lib/unit tests: add missing curl_global_cleanup() calls
-
-- travis: adapt to Hyper build change
+  lists, in the 'direct linking to a dll' section, the pattern
+  of the searched import library, and libcurl_imp.lib is not there.
   
-  Closes #6419
+  Closes https://github.com/curl/curl/pull/6225
 
-- pretransfer: setup the User-Agent header here
+Daniel Stenberg (9 Feb 2021)
+- urldata: move 'followlocation' to UrlState
   
-  ... and not in the connection setup, as for multiplexed transfers the
-  connection setup might be skipped and then the transfer would end up
-  without the set user-agent!
+  As this is a state variable it does not belong in UserDefined which is
+  used to store values set by the user.
   
-  Reported-by: Flameborn on github
-  Assisted-by: Andrey Gursky
-  Assisted-by: Jay Satiro
-  Assisted-by: Mike Gelfand
-  Fixes #6312
-  Closes #6417
+  Closes #6582
 
-- test66: disable with Hyper
-  
-  ...as Hyper doesn't support HTTP/0.9
+- [Ikko Ashimine brought this change]
 
-- c-hyper: poll the tasks until end correctly
+  http_proxy: fix typo in http_proxy.c
   
-  ... makes test 36 work.
+  settting -> setting
   
-  Closes #6412
+  Closes #6583
 
-- [Gergely Nagy brought this change]
+- [Fabian Keil brought this change]
 
-  mk-ca-bundle.pl: deterministic output when using -t
+  tests/server: Bump MAX_TAG_LEN to 200
   
-  Printing trust purposes are now sorted, making the output deterministic
-  when running on the same input certdata.txt.
+  This is useful for tests containing HTML inside of <data> sections.
+  For <img> tags it's not uncommon to be longer than the previous
+  limit of 79 bytes.
   
-  Closes #6413
-
-- KNOWN_BUGS: fixed "wolfSSL lacks support for renegotiation"
+  An example of a previously problem-causing tag is:
+  <img src="http://config.privoxy.org/send-banner?type=auto" border="0" title="Killed-http://www.privoxy.org/images/privoxy.png-by-size" width="88" height="31">
+  which is needed for a Privoxy test for the banners-by-size filter.
   
-  Fixed by #6411
+  Previously it caused server failures like:
+  12:29:05.786961 ====> Client connect
+  12:29:05.787116 accept_connection 3 returned 4
+  12:29:05.787194 accept_connection 3 returned 0
+  12:29:05.787285 Read 119 bytes
+  12:29:05.787345 Process 119 bytes request
+  12:29:05.787407 Got request: GET /banners-by-size/9 HTTP/1.1
+  12:29:05.787464 Requested test number 9 part 0
+  12:29:05.787686 getpart() failed with error: -2
+  12:29:05.787744 - request found to be complete (9)
+  12:29:05.787912 getpart() failed with error: -2
+  12:29:05.788048 Wrote request (119 bytes) input to log/server.input
+  12:29:05.788157 Send response test9 section <data>
+  12:29:05.788443 getpart() failed with error: -2
+  12:29:05.788498 instructed to close connection after server-reply
+  12:29:05.788550 ====> Client disconnect 0
+  12:29:05.871448 exit_signal_handler: 15
+  12:29:05.871714 signalled to die
+  12:29:05.872040 ========> IPv4 sws (port 21108 pid: 51758) exits with signal (15)
 
-- [Himanshu Gupta brought this change]
+- [Fabian Keil brought this change]
 
-  wolfssl: add SECURE_RENEGOTIATION support
-  
-  Closes #6411
+  tests/badsymbols.pl: when opening '$incdir' fails include it in the error message
 
-- RELEASE-NOTES: synced
+- [Fabian Keil brought this change]
 
-- wolfssl: update copyright year range
-  
-  Follow-up to 7de2e96535e9
+  runtests.1: document -o, -P, -L, and -E
 
-- c-hyper: make CURLE_GOT_NOTHING work
-  
-  Test 30
-  
-  Closes #6407
+- [Fabian Keil brought this change]
 
-- http_proxy: make CONNECT work with the Hyper backend
-  
-  Makes test 80 run
-  
-  Closes #6406
+  runtests.pl: add %TESTNUMBER variable to make copying tests more convenient
 
-- TODO: --fail-with-body perchance?
+- [Fabian Keil brought this change]
 
-Jay Satiro (4 Jan 2021)
-- tool_operate: fix the suppression logic of some error messages
-  
-  - Fix the failed truncation and failed writing body error messages to
-    not be shown unless error messages are shown. (ie the user has
-    specified -sS, or has not specified -s).
-  
-  - Also prefix same error messages with "curl: ", for example:
-    curl: (23) Failed to truncate, exiting
-  
-  Prior to this change the failed truncation error messages would be shown
-  if not -s, but did not account for -sS which should show.
-  
-  Prior to this change the failed writing body error messages would be
-  shown always.
+  runtests.pl: add an -o option to change internal variables
   
-  Ref: https://curl.se/docs/manpage.html#-S
+  runtests.pl has lots of internal variables one might want to
+  change in certain situations, but adding a dedicated option
+  for every single one of them isn't practical.
   
-  Bug: https://curl.se/mail/archive-2020-12/0017.html
-  Reported-by: Hongyi Zhao
+  Usage:
+  ./runtests.pl -o TESTDIR=$privoxy_curl_test_dir -o HOSTIP=10.0.0.1 ...
+
+- [Fabian Keil brought this change]
+
+  runtests.pl: cleanups
   
-  Closes https://github.com/curl/curl/pull/6402
+  - show the summarized test result in the last line of the report
+  - do not use $_ after mapping it to a named variable
+    Doing that makes the code harder to follow.
+  - log the restraints sorted by the number of their occurrences
+  - fix language when logging restraints that only occured once
+  - let runhttpserver() use $TESTDIR instead of $srcdir
+    ... so it works if a non-default $TESTDIR is being used.
+
+- [Fabian Keil brought this change]
 
-- wolfssl: Support wolfSSL builds missing TLS 1.1
+  runtests.pl: add an -E option to specify an exclude file
   
-  The wolfSSL TLS library defines NO_OLD_TLS in some of their build
-  configurations and that causes the library to be built without TLS 1.1.
-  For example if MD5 is explicitly disabled when building wolfSSL then
-  that defines NO_OLD_TLS and the library is built without TLS 1.1 [1].
+  It can contain additional restraints for test numbers,
+  keywords and tools.
   
-  Prior to this change attempting to build curl with a wolfSSL that was
-  built with NO_OLD_TLS would cause a build link error undefined reference
-  to wolfTLSv1_client_method.
+  The idea is to let third parties like the Privoxy project
+  distribute an exclude file with their tarballs that specifies
+  which curl tests are not expected to work when using Privoxy
+  as a proxy, without having to fork the whole curl test suite.
   
-  [1]: https://github.com/wolfSSL/wolfssl/blob/v4.5.0-stable/configure.ac#L2366
+  The syntax could be changed to be extendable and maybe
+  more closely reflect the "curl test" syntax. Currently
+  it's a bunch of lines like these:
   
-  Bug: https://curl.se/mail/lib-2020-12/0121.html
-  Reported-by: Julian Montes
+  test:$TESTNUMBER:Reason why this test with number $TESTNUMBER should be skipped
+  keyword:$KEYWORD:Reason why tests whose keywords contain the $KEYWORD should be skipped
+  tool:$TOOL:Reason why tests with tools that contain $TOOL should be skipped
   
-  Closes https://github.com/curl/curl/pull/6388
+  To specify multiple $TESTNUMBERs, $KEYWORDs and $TOOLs
+  on a single line, split them with commas.
 
-Daniel Stenberg (4 Jan 2021)
-- test1633: set appropriate name
-  
-  "--retry with a 429 response and Retry-After:"
+- [Fabian Keil brought this change]
 
-- travis: limit the tests with quiche builds to HTTPS and FTPS only
+  runtests.pl: add -L parameter to require additional perl libraries
   
-  ... since it runs into the 50 minute time limit too often otherwise.
+  This is useful to change the behaviour of the script without
+  having to modify the file itself, for example to use a custom
+  compareparts() function that ignores header differences that
+  are expected to occur when an external proxy is being used.
   
-  Closes #6403
+  Such differences are proxy-specific and thus the modifications
+  should be maintained together with the proxy.
 
-- HISTORY: added dates to early history
-  
-  Mostly thanks to this archived web page for urlget:
-  
-  https://web.archive.org/web/19980216125115/http://www.inf.ufrgs.br/~sagula/urlget.html
+- [Fabian Keil brought this change]
 
-- httpauth: make multi-request auth work with custom port
-  
-  When doing HTTP authentication and a port number set with CURLOPT_PORT,
-  the code would previously have the URL's port number override as if it
-  had been a redirect to an absolute URL.
+  runtests.pl: add a -P option to specify an external proxy
   
-  Added test 1568 to verify.
+  ... that should be used when executing the tests.
   
-  Reported-by: UrsusArctos on github
-  Fixes #6397
-  Closes #6400
-
-- [Emil Engler brought this change]
-
-  language: s/behaviour/behavior/g
+  The assumption is that the proxy is an HTTP proxy.
   
-  We currently use both spellings the british "behaviour" and the american
-  "behavior". However "behavior" is more used in the project so I think
-  it's worth dropping the british name.
+  This option should be used together with -L to provide
+  a customized compareparts() version that knows which
+  proxy-specific header differences should be ignored.
   
-  Closes #6395
+  This option doesn't work for all test types yet.
 
-- cmdline-opts/retry.d: mention response code 429 as well
-  
-  Reported-by: Cherish98
-  Bug: https://curl.se/mail/archive-2020-12/0018.html
+- [Fabian Keil brought this change]
 
-- docs/HYPER.md: mention outstanding issues
+  tests: fixup several tests
   
-  To make it more obvious to users what doesn't work (yet)
+  missing CRs and modified %hostip
   
-  Closes #6389
-
-- COPYING/configure: bump copyright year range
-
-- c-hyper: add timecondition to the request
+  lib556/test556: use a real HTTP version to make test reuse more convenient
   
-  Test 77-78
+  make sure the weekday in Date headers matches the date
   
-  Closes #6391
-
-- c-hyper: make Digest and NTLM work
+  test61: replace stray "^M" (5e 4d) at the end of a cookie with a '^M' (0d)
   
-  Test 64, 65, 67, 68, 69, 70, 72
+  Gets the test working with external proxies like Privoxy again.
   
-  Closes #6390
+  Closes #6463
 
-- examples/curlgtk.c: fix the copyright year range
+- ftp: never set data->set.ftp_append outside setopt
   
-  ... and make private functions static.
-
-- [Olaf Hering brought this change]
-
-  docs/examples: adjust prototypes for CURLOPT_READFUNCTION
+  Since the set value then risks getting used like that when the easy
+  handle is reused by the application.
   
-  The type of the buffer in curl_read_callback is 'char *', not 'void *'.
+  Also: renamed the struct field from 'ftp_append' to 'remote_append'
+  since it is also used for SSH protocols.
   
-  Signed-off-by: Olaf Hering <olaf@aepfle.de>
-  Closes #6392
+  Closes #6579
 
-- examples: fix more empty expression statement has no effect
+- urldata: remove the 'rtspversion' field
   
-  Follow-up to 26e46617b9
-
-- cleanup: fix two empty expression statement has no effect
+  from struct connectdata and the corresponding code in http.c that set
+  it. It was never used for anything!
   
-  Follow-up to 26e46617b9
+  Closes #6581
 
-- configure: set -Wextra-semi-stmt for clang with --enable-debug
+- CURLOPT_QUOTE.3: clarify that libcurl doesn't parse what's sent
   
-  To have it properly complain on empty statements with no effect.
+  ... so passed in commands may confuse libcurl's knowledge of state.
   
-  Ref: #6376
-  Closes #6378
+  Reported-by: Bodo Bergmann
+  Fixes #6577
+  Closes #6580
+
+- [Jacob Hoffman-Andrews brought this change]
 
-- tests/unit: fix empty statements with no effect
+  vtls: factor out Curl_ssl_getsock to field of Curl_ssl
   
-  ... by making macros use "do {} while(0)"
+  Closes #6558
 
-- [Paul Groke brought this change]
+- RELEASE-PROCEDURE: remove old release dates, add new
 
-  dns: extend CURLOPT_RESOLVE syntax for adding non-permanent entries
-  
-  Extend the syntax of CURLOPT_RESOLVE strings: allow using a '+' prefix
-  (similar to the existing '-' prefix for removing entries) to add
-  DNS cache entries that will time out just like entries that are added
-  by libcurl itself.
-  
-  Append " (non-permanent)" to info log message in case a non-permanent
-  entry is added.
-  
-  Adjust relevant comments to reflect the new behavior.
-  
-  Adjust documentation.
+- docs/SSL-PROBLEMS: enhanced
   
-  Extend unit1607 to test the new functionality.
+  Elaborate on the intermediate cert issue, and mention that anything
+  below TLS 1.2 is generally considered insecure these days.
   
-  Closes #6294
+  Closes #6572
 
-- schannel: fix "empty expression statement has no effect"
-  
-  Bug: https://github.com/curl/curl/commit/8ab78f720ae478d533e30b202baec4b451741579#commitcomment-45445950
-  Reported-by: Gisle Vanem
-  Closes #6381
+- THANKS: remove a Jon Rumsey dupe
 
-- [Denis Laxalde brought this change]
+Daniel Gustafsson (5 Feb 2021)
+- [nimaje brought this change]
 
-  docs: remove redundant "better" in --fail help
+  docs: fix FILE example url in --metalink documentation
   
-  Closes #6385
-
-- [Kevin Ushey brought this change]
-
-  curl.1: fix typo microsft -> microsoft
+  In a url after <scheme>:// follows the possibly empty authority part
+  till the next /, so that url missed a /.
   
-  Closes #6380
-
-- [XhmikosR brought this change]
+  Closes #6573
+  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+  Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
 
-  misc: assorted typo fixes
+Daniel Stenberg (5 Feb 2021)
+- hostip: fix build with sync resolver
   
-  Closes #6375
+  Reported-by: David Goerger
+  Follow-up from 8335c6417
+  Fixes #6566
+  Closes #6568
 
-- RELEASE-NOTES: synced
+- mailmap: Jon Rumsey
 
-- tool_operate: avoid NULL dereference of first_arg
-  
-  Follow-up to 6a5e020d4d2b04a
-  Identified by OSS-Fuzz
-  Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28999
-  Closes #6377
+- [Jon Rumsey brought this change]
 
-- misc: fix "warning: empty expression statement has no effect"
+  gskit: correct the gskit_send() prototype
   
-  Turned several macros into do-while(0) style to allow their use to work
-  find with semicolon.
+  gskit_send() first paramater is a pointer to Curl_easy not connectdata
+  struct.
   
-  Bug: https://github.com/curl/curl/commit/08e8455dddc5e48e58a12ade3815c01ae3da3b64#commitcomment-45433279
-  Follow-up to 08e8455dddc5e4
-  Reported-by: Gisle Vanem
-  Closes #6376
+  Closes #6570
+  Fixes #6569
 
-- KNOWN_BUGS: 6.10 curl never completes Negotiate over HTTP
+- urldata: fix build without HTTP and MQTT
   
-  Closes #5235
-  Closes #6370
+  Reported-by: Joseph Chen
+  Fixes #6562
+  Closes #6563
 
-- writeout: fix NULL dereference for "this url"
+- ftp: avoid SIZE when asking for a TYPE A file
   
-  Detected by torture test 1029
+  ... as we ignore it anyway because servers don't report the correct size
+  and proftpd even blatantly returns a 550.
   
-  Follow-up to 7a90ddf88f5a
+  Updates a set of tests accordingly.
   
-  Closes #6374
+  Reported-by: awesomenode on github
+  Fixes #6564
+  Closes #6565
 
-- failf: remove newline from formatting strings
-  
-  ... as failf adds one itself.
-  
-  Also: add an assert() to failf() that triggers on a newline in the
-  format string!
+- pingpong: rename the curl_pp_transfer enum to use PP prefix
   
-  Closes #6365
-
-- [XhmikosR brought this change]
+  Using an FTP prefix for PP provided functionality was misleading.
 
-  CI: fix warning with the latest versions
-  
-  `git checkout HEAD^2` is no longer needed
+- RELEASE-NOTES: synced
   
-  Closes #6369
+  ... and bump pending version to 7.75.1 (for now)
 
-- INSTALL: update the list known OSes and CPU archs curl has run on
+Jay Satiro (4 Feb 2021)
+- build: fix --disable-http-auth
   
-  Closes #6366
-
-- [Cherish98 brought this change]
-
-  curl: fix handling of -q option
+  Broken since 215db08 (precedes 7.75.0).
   
-  The match of the "-q" option (short for "--disable") should:
-  a) allow concatenation with other single-letters; and
-  b) be case-sensitive, lest confusing with "-Q" ("--quote")
+  Reported-by: Benbuck Nason
   
-  Closes #6364
+  Fixes https://github.com/curl/curl/issues/6567
 
-- tests/badsymbols.pl: ignore stand-alone single hash lines
+- build: fix --disable-dateparse
   
-  Bug: https://curl.se/mail/lib-2020-12/0084.html
-  Reported-by: Dennis Clarke
-  Assisted-by: Jay Satiro
+  Broken since 215db08 (precedes 7.75.0).
   
-  Closes #6355
+  Bug: https://curl.se/mail/lib-2021-02/0008.html
+  Reported-by: Firefox OS
 
-- curl_easy_pause.3: add multiplexed pause effects
-  
-  and generally refresh and update. Remove details for ancient versions.
-  
-  Reviewed-by: Jay Satiro
-  Closes #6360
+Daniel Stenberg (4 Feb 2021)
+- [Jon Rumsey brought this change]
 
-Jay Satiro (22 Dec 2020)
-- curl_easy_pause.3: fix man page reference
-  
-  Follow-up to ac9a724 from earlier today.
+  OS400: update for CURLOPT_AWS_SIGV4
   
-  Ref: https://github.com/curl/curl/pull/6359
-
-Daniel Stenberg (22 Dec 2020)
-- EXPERIMENTAL: add the Hyper backend to the list
+  chkstrings fails because a new string option that could require codepage
+  conversion has been added.
   
-  ... of current experimental features in curl.
+  Closes #6561
+  Fixes #6560
 
-- speedcheck: exclude paused transfers
-  
-  Paused transfers should not be stopped due to slow speed even when
-  CURLOPT_LOW_SPEED_LIMIT is set. Additionally, the slow speed timer is
-  now reset when the transfer is unpaused - as otherwise it would easily
-  just trigger immediately after unpausing.
-  
-  Reported-by: Harry Sintonen
-  Fixes #6358
-  Closes #6359
+- BUG-BOUNTY: removed the cooperation mention
 
-- h2: do not wait for RECV on paused transfers
-  
-  ... as the socket might be readable all the time when paused and thus
-  causing a busy-loop.
-  
-  Reported-by: Harry Sintonen
-  Reviewed-by: Jay Satiro
-  Fixes #6356
-  Closes #6357
+Version 7.75.0 (3 Feb 2021)
 
+Daniel Stenberg (3 Feb 2021)
 - RELEASE-NOTES: synced
 
-- cmdline-opts/gen.pl: return hard on errors
-  
-  ... as the warnings tend to go unnoticed otherwise!
-  
-  Closes #6354
+- THANKS: added contributors from 7.75.0
 
-- examples/libtest: add .checksrc to dist
-  
-  ... so that (auto)builds from tarballs also get the correct instructions.
-  
-  Fixes #6176
-  Closes #6353
+- copyright: fix year ranges in need of updates
 
-- test: verify new --write-out variables
+- TODO: remove items for next SONAME bump etc
   
-  Extended test 1029 and added 1188
+  We want to avoid that completely, so we don't plan for things after such
+  an event.
 
-- test970: adapted to the new internal order of variables
+- [Jay Satiro brought this change]
 
-- curl: add variables to --write-out
-  
-  In particular, these ones can help a user to create its own error
-  message when one or transfers fail.
+  ngtcp2: Fix build error due to change in ngtcp2_settings
   
-  writeout: add 'onerror', 'url', 'urlnum', 'exitcode', 'errormsg'
+  - Separate ngtcp2_transport_params.
   
-  onerror - lets a user only show the rest on non-zero exit codes
+  ngtcp2/ngtcp2@05d7adc made ngtcp2_transport_params separate from
+  ngtcp2_settings.
   
-  url - the input URL used for this transfer
+  ngtcp2 master is required to build curl with http3 support.
   
-  urlnum - the numerical URL counter (0 indexed) for this transfer
+  Closes #6554
+
+- vtls: remove md5sum
   
-  exitcode - the numerical exit code for the transfer
+  As it is not used anymore.
   
-  errormsg - obvious
+  Reported-by: Jacob Hoffman-Andrews
+  Bug: https://curl.se/mail/lib-2021-02/0000.html
   
-  Reported-by: Earnestly on github
-  Fixes #6199
-  Closes #6207
+  Closes #6557
 
-- [Matthias Gatto brought this change]
+- [Alessandro Ghedini brought this change]
 
-  tests: add very simple AWS HTTP v4 Signature test
+  quiche: don't use primary_ip / primary_port
   
-  Signed-off-by: Matthias Gatto <matthias.gatto@outscale.com>
-
-- [Matthias Gatto brought this change]
+  Closes #6555
 
-  docs: add AWS HTTP v4 Signature
+Alessandro Ghedini (1 Feb 2021)
+- travis: enable quiche's FFI feature
 
-- [Matthias Gatto brought this change]
+Daniel Stenberg (30 Jan 2021)
+- [Dmitry Wagin brought this change]
 
-  tool: add AWS HTTP v4 Signature support
+  http: improve AWS HTTP v4 Signature auth
   
-  Signed-off-by: Matthias Gatto <matthias.gatto@outscale.com>
-
-- [Matthias Gatto brought this change]
-
-  http: Make the call to v4 signature
+  - Add support services without region and service prefixes in
+  the URL endpoint (ex. Min.IO, GCP, Yandex Cloud, Mail.Ru Cloud Solutions, etc)
+  by providing region and service parameters via aws-sigv4 option.
+  - Add [:region[:service]] suffix to aws-sigv4 option;
+  - Fix memory allocation errors.
+  - Refactor memory management.
+  - Use Curl_http_method instead() STRING_CUSTOMREQUEST.
+  - Refactor canonical headers generating.
+  - Remove repeated sha256_to_hex() usage.
+  - Add some docs fixes.
+  - Add some codestyle fixes.
+  - Add overloaded strndup() for debug - curl_dbg_strndup().
+  - Update tests.
   
-  This patch allow to call the v4 signature introduce in previous commit
+  Closes #6524
+
+- hyper: fix CONNECT to set 'data' as userdata
   
-  Signed-off-by: Matthias Gatto <matthias.gatto@outscale.com>
+  Follow-up to 14e075d1a7fd
 
-- [Matthias Gatto brought this change]
+- [Layla brought this change]
 
-  http: introduce AWS HTTP v4 Signature
-  
-  It is a security process for HTTP.
-  
-  It doesn't seems to be standard, but it is used by some cloud providers.
-  
-  Aws:
-  https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
-  Outscale:
-  https://wiki.outscale.net/display/EN/Creating+a+Canonical+Request
-  GCP (I didn't test that this code work with GCP though):
-  https://cloud.google.com/storage/docs/access-control/signing-urls-manually
-  
-  most of the code is in lib/http_v4_signature.c
-  
-  Information require by the algorithm:
-  - The URL
-  - Current time
-  -  some prefix that are append to some of the signature parameters.
-  
-  The data extracted from the URL are: the URI, the region,
-  the host and the API type
-  
-  example:
-  https://api.eu-west-2.outscale.com/api/latest/ReadNets
-          ~~~ ~~~~~~~~               ~~~~~~~~~~~~~~~~~~~
-          ^       ^                          ^
-         /         \                        URI
-     API type     region
+  connect: fix compile errors in `Curl_conninfo_local`
   
-  Small description of the algorithm:
-  - make canonical header using content type, the host, and the date
-  - hash the post data
-  - make canonical_request using custom request, the URI,
-    the get data, the canonical header, the signed header
-    and post data hash
-  - hash canonical_request
-  - make str_to_sign using one of the prefix pass in parameter,
-    the date, the credential scope and the canonical_request hash
-  - compute hmac from date, using secret key as key.
-  - compute hmac from region, using above hmac as key
-  - compute hmac from api_type, using above hmac as key
-  - compute hmac from request_type, using above hmac as key
-  - compute hmac from str_to_sign using above hmac as key
-  - create Authorization header using above hmac, prefix pass in parameter,
-    the date, and above hash
+  .. for the `#else` (`!HAVE_GETSOCKNAME`) case
   
-  Signed-off-by: Matthias Gatto <matthias.gatto@outscale.com>
+  Fixes https://github.com/curl/curl/issues/6548
+  Closes #6549
   
-  Closes #5703
+  Signed-off-by: Layla <layla@insightfulvr.com>
 
-- [Matthias Gatto brought this change]
+- [Michał Antoniak brought this change]
 
-  http: add hmac support for sha256
-  
-  It seems current hmac implementation use md5 for the hash,
-  V4 signature require sha256, so I've added the needed struct in
-  this commit.
+  transfer: fix GCC 10 warning with flag '-Wint-in-bool-context'
   
-  I've added the functions that do the hmac in v4 signature file
-  as a static function ,in the next patch of the serie,
-  because it's used only by this file.
+  ... and return the error code from the Curl_mime_rewind call.
   
-  Signed-off-by: Matthias Gatto <matthias.gatto@outscale.com>
+  Closes #6537
 
-- [Cristian Rodríguez brought this change]
+- [Michał Antoniak brought this change]
 
-  connect: on linux, enable reporting of all ICMP errors on UDP sockets
-  
-  The linux kernel does not report all ICMP errors back to userspace due
-  to historical reasons.
-  
-  IP*_RECVERR sockopt must be turned on to have the correct behaviour
-  which is to pass all ICMP errors to userspace.
+  avoid warning: enum constant in boolean context
+
+- copyright: fix missing year (range) updates
+
+- RELEASE-NOTES: synced
+
+- openssl: lowercase the hostname before using it for SNI
   
-  See https://bugzilla.kernel.org/show_bug.cgi?id=202355
+  ... because it turns out several servers out there don't actually behave
+  correctly otherwise in spite of the fact that the SNI field is
+  specifically said to be case insensitive in RFC 6066 section 3.
   
-  Closes #6341
+  Reported-by: David Earl
+  Fixes #6540
+  Closes #6543
 
-- curl: add --create-file-mode [mode]
-  
-  This option sets the (octal) mode to use for the remote file when one is
-  created, using the SFTP, SCP or FILE protocols. When not set, the
-  default is 0644.
+- KNOWN_BUGS: cmake: ExternalProject_Add does not set CURL_CA_PATH
   
-  Closes #6244
+  Closes #6313
 
-- c-hyper: fix compiler warnings
+- KNOWN_BUGS: Multi perform hangs waiting for threaded resolver
   
-  Identified by clang on windows.
+  Closes #4852
+
+- KNOWN_BUGS: "pulseUI VPN client" is known to be buggy
   
-  Reported-by: Gisle Vanem
-  Bug: 58974d25d8173aec154e593ed9d866da566c9811
+  First entry in the new section "applications" for known problems in
+  libcurl using applications.
   
-  Closes #6351
+  Closes #6306
 
-- KNOWN_BUGS: Remote recursive folder creation with SFTP
+- tool_writeout: make %{errormsg} blank for no errors
   
-  Closes #5204
+  Closes #6539
+
+Jay Satiro (27 Jan 2021)
+- [Gisle Vanem brought this change]
 
-Jay Satiro (20 Dec 2020)
-- badsymbols.pl: Add verbose mode -v
+  build: fix djgpp builds
   
-  Use -v as the first option to enable verbose mode which will show source
-  input, extracted symbol and line info. For example:
+  - Update build instructions in packages/DOS/README
   
-  Source: ./../include/curl/typecheck-gcc.h
-  Symbol: curlcheck_socket_info(info)
-  Line #423: #define curlcheck_socket_info(info)                     \
+  - Extend 'VPATH' with 'vquic' and 'vssh'.
   
-  Ref: https://curl.se/mail/lib-2020-12/0084.html
+  - Allow 'Makefile.dist' to build both 'lib' and 'src'.
   
-  Closes https://github.com/curl/curl/pull/6349
-
-- KNOWN_BUGS: Secure Transport disabling hostname validation also disables SNI
+  - Allow using the Windows hosted djgpp cross compiler to build for MSDOS
+    under Windows.
   
-  That behavior is a limitation of Apple's Secure Transport.
+  - 'USE_SSL' -> 'USE_OPENSSL'
   
-  Reported-by: Cory Benfield
-  Reported-by: Ian Spence
-  Confirmed-by: Nick Zitzmann
+  - Added a 'link_EXE' macro. Etc, etc.
   
-  Ref: https://github.com/curl/curl/issues/998
+  - Linking 'curl.exe' needs '$(CURLX_CFILES)' too.
   
-  Closes https://github.com/curl/curl/issues/6347
-  Closes https://github.com/curl/curl/pull/6348
-
-Daniel Stenberg (18 Dec 2020)
-- TODO: alt-svc should fallback if alt-svc doesn't work
+  - Do not pick-up '../lib/djgpp/*.o' files. Recompile locally.
   
-  Closes #4908
-
-- travis: restrict the openssl3 job to only run https and ftps tests
+  - Generate a gzipped 'tool_hugehelp.c' if 'USE_ZLIB=1'.
   
-  ... as it runs too long otherwise and the other tests are verified in
-  other builds anyway.
+  - Remove 'djgpp-clean'
   
-  Closes #6345
-
-- build: repair http disabled but mqtt enabled build
+  - Adapt to new C-ares directory structure
   
-  ... as the mqtt code reuses the "method" originally used for HTTP.
+  - Use conditional variable assignments
   
-  Closes #6344
-
-- [Jon Wilkes brought this change]
-
-  cookie: avoid the C1001 internal compiler error with MSVC 14
+  Clarify the 'conditional variable assignment' in 'common.dj'.
   
-  Fixes #6112
-  Closes #6135
+  Closes https://github.com/curl/curl/pull/6382
 
-- RELEASE-NOTES: synced
+Daniel Stenberg (27 Jan 2021)
+- [Ikko Ashimine brought this change]
 
-- mqtt: handle POST/PUBLISH without a set POSTFIELDSIZE
-  
-  Detected by OSS-Fuzz
-  Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28735
+  hyper: fix typo in c-hyper.c
   
-  Added test 1916 and 1917 to verify.
+  settting -> setting
   
-  Closes #6338
-
-- travis: add CI job for Hyper build
-
-- tests: updated tests for Hyper
+  Closes #6538
 
-- lib: introduce c-hyper for using Hyper
+- libssh2: fix CURL_LIBSSH2_DEBUG-enabled build
   
-  ... as an alternative HTTP backend within libcurl.
-
-- tool_setopt: provide helper output in debug builds
+  Follow-up to 2dcc940959772a
   
-  ... for when setopt() returns error.
-
-- setopt: adjust to Hyper and disabled HTTP builds
-
-- rtsp: disable if Hyper is used
-
-- getinfo: build with disabled HTTP support
-
-- version: include hyper version
-
-- docs: add HYPER.md
+  Reported-by: Gisle Vanem
+  Bug: https://github.com/curl/curl/commit/2dcc940959772a652f6813fb6bd3092095a4877b#commitcomment-46420088
 
-- configure: add --with-hyper
+Jay Satiro (27 Jan 2021)
+- asyn-thread: fix build for when getaddrinfo missing
   
-  As the first (optional) HTTP backend alternative instead of native
+  This is a follow-up to 8315343 which several days ago moved the resolver
+  pointer into the async struct but did not update the code that uses it
+  when getaddrinfo is not present.
   
-  Close #6110
+  Closes https://github.com/curl/curl/pull/6536
 
-- test1522: add debug tracing
+Daniel Stenberg (27 Jan 2021)
+- urldata: move 'ints' to the end of 'connectdata'
   
-  I used this to track down some issues and I figured I could just as well
-  keep this extra logging in here for future needs.
+  To optimize storage slightly.
   
-  Closes #6331
+  Closes #6534
 
-- http: show the request as headers even when split-sending
+- urldata: store ip version in a single byte
   
-  When the initial request isn't possible to send in its entirety, the
-  remainder of request would be delivered to the debug callback as data
-  and would wrongly be counted internally as body-bytes sent.
+  Closes #6534
+
+- urldata: remove duplicate 'upkeep_interval_ms' from connectdata
   
-  Extended test 1295 to verify.
+  ... and rely only on the value already set in Curl_easy.
   
-  Closes #6328
+  Closes #6534
 
-- multi: when erroring in TOOFAST state, act as for PERFORM
+- urldata: remove 'local_ip' from the connectdata struct
   
-  When failing in TOOFAST, the multi_done() wasn't called so the same
-  cleanup and handling wasn't done like when it fails in PERFORM, which in
-  the case of FTP could mean that the control connection wouldn't be
-  marked as "dead" for the CURLE_ABORTED_BY_CALLBACK case. Which caused
-  ftp_disconnect() to use it to send "QUIT", which could end up waiting
-  for a response a long time before giving up!
+  As the info is already stored in the transfer handle anyway, there's no
+  need to carry around a duplicate buffer for the life-time of the handle.
   
-  Reported-by: Tomas Berger
-  Fixes #6333
-  Closes #6337
+  Closes #6534
 
-- cmake: enable gophers correctly in curl-config
+- urldata: remove duplicate port number storage
   
-  Closes #6336
-
-- test1198/9: add two mqtt publish tests without payload lengths
+  ... and use 'int' for ports. We don't use 'unsigned short' since -1 is
+  still often used internally to signify "unknown value" and 0 - 65535 are
+  all valid port numbers.
   
-  Closes #6335
+  Closes #6534
 
-- tests/mqttd: extract the client id from the correct offset
+- urldata: remove the duplicate 'ip_addr_str' field
   
-  Closes #6334
-
-- TODO: Prevent terminal injection when writing to terminal
+  ... as the numerical IP address is already stored and kept in 'primary_ip'.
   
-  Closes #6150
+  Closes #6534
 
-- Revert "CI/github: work-around for brew breakage on macOS"
+- select: convert Curl_select() to private static function
   
-  This reverts commit 4cbb17a2cbbbe6337142d39479e21c3990b9c22f.
+  The old function should not be used anywhere anymore (the only remaining
+  gskit use has to be fixed to instead use Curl_poll or none at all).
   
-  ... as the work-around now causes failures.
+  The static function version is now called our_select() and is only built
+  if necessary.
   
-  Closes #6332
+  Closes #6531
 
-- examples: remove superfluous asterisk uses
+- Curl_chunker: shrink the struct
   
-  ... for function pointers. Breaks in ancient compilers.
-
-- RELEASE-NOTES: synced
-
-- test1272: fix line ending
+  ... by removing a field, converting the hex index into a byte and
+  rearranging the order. Cuts it down from 48 bytes to 32 on x86_64.
   
-  Follow-up to f24784f9143
-
-- URL-SYNTAX: add gophers details
-
-- test1272: test gophers
+  Closes #6527
 
-- runtests: add support for gophers, gopher over TLS
+- curl: include the file name in --xattr/--remote-time error msgs
 
-- [parazyd brought this change]
+- curl: s/config->global/global/ in single_transfer()
 
-  gopher: Implement secure gopher protocol.
-  
-  This commit introduces a "gophers" handler inside the gopher protocol if
-  USE_SSL is defined. This protocol is no different than the usual gopher
-  prococol, with the added TLS encapsulation upon connecting. The protocol
-  has been adopted in the gopher community, and many people have enabled
-  TLS in their gopher daemons like geomyidae(8), and clients, like clic(1)
-  and hurl(1).
-  
-  I have not implemented test units for this protocol because my knowledge
-  of Perl is sub-par. However, for someone more knowledgeable it might be
-  fairly trivial, because the same test that tests the plain gopher
-  protocol can be used for "gophers" just by adding a TLS listener.
+- curl: move fprintf outputs to warnf
   
-  Signed-off-by: parazyd <parazyd@dyne.org>
+  For setting and getting time of the download. To make the outputs
+  respect --silent etc.
   
-  Closes #6208
+  Reported-by: Viktor Szakats
+  Fixes #6533
+  Closes #6535
 
-- TODO: Package curl for Windows in a signed installer
-  
-  Closes #5424
+- [Tatsuhiro Tsujikawa brought this change]
 
-- mqtt: deal with 0 byte reads correctly
-  
-  OSS-Fuzz found it
-  Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28676
+  ngtcp2: Fix http3 upload stall
   
-  Closes #6327
+  Closes #6521
+
+- [Tatsuhiro Tsujikawa brought this change]
 
-- BUG-BOUNTY: minor language update
+  ngtcp2: Fix stack buffer overflow
   
-  ... and remove the wording about entries from before 2019 as the "within
-  12 months" is still there and covers that.
+  Closes #6521
+
+- warnless.h: remove the prototype for curlx_ultosi
   
-  Closes #6318
+  Follow-up to 217552503ff3
 
-- tooĺ_writeout: fix the -w time output units
+- warnless: remove curlx_ultosi
   
-  Fix regression from commit fc813f80e1bcac (#6248) that changed the unit
-  to microseconds instead of seconds with fractions
+  ... not used anywhere
   
-  Reported-by: 不确定
-  Fixes #6321
-  Closes #6322
+  Closes #6530
 
-- quiche: remove fprintf() leftover
+- [Patrick Monnerat brought this change]
 
-Jay Satiro (14 Dec 2020)
-- KNOWN_BUGS: SHA-256 digest not supported in Windows SSPI builds
+  lib: remove conn->data uses
   
-  Closes https://github.com/curl/curl/issues/6302
+  Closes #6515
 
-- digest_sspi: Show InitializeSecurityContext errors in verbose mode
-  
-  The error is shown with infof rather than failf so that the user will
-  see the extended error message information only in verbose mode, and
-  will still see the standard CURLE_AUTH_ERROR message. For example:
+- pingpong: remove the 'conn' struct member
   
-  ---
+  ... as it's superfluous now when Curl_easy is passed in and we can
+  derive the connection from that instead and avoid the duplicate copy.
   
-  * schannel: InitializeSecurityContext failed: SEC_E_QOP_NOT_SUPPORTED
-  (0x8009030A) - The per-message Quality of Protection is not supported by
-  the security package
-  * multi_done
-  * Connection #1 to host 127.0.0.1 left intact
-  curl: (94) An authentication function returned an error
+  Closes #6525
+
+- hostip/proxy: remove conn->data use
   
-  ---
+  Closes #6513
+
+- url: reduce conn->data references
   
-  Ref: https://github.com/curl/curl/issues/6302
+  ... there are a few left but let's keep them to last
   
-  Closes https://github.com/curl/curl/pull/6315
+  Closes #6512
 
-Daniel Stenberg (13 Dec 2020)
-- URL-SYNTAX: add default port numbers and IDNA details
-  
-  Closes #6316
+- scripts/singleuse: add curl_easy_option*
 
-- URL-SYNTAX: mention how FILE:// access can access network on windows
+Jay Satiro (25 Jan 2021)
+- test410: fix for windows
   
-  Closes #6314
-
-Jay Satiro (12 Dec 2020)
-- URL-SYNTAX: Document default SMTP port 25
+  - Pass the very long request header via file instead of command line.
   
-  Note that ports 25 and 587 are common ports for smtp, the former being
-  the default.
+  Prior to this change the 49k very long request header string was passed
+  via command line and on Windows that is too long so it was truncated and
+  the test would fail (specifically msys CI).
   
-  Closes https://github.com/curl/curl/pull/6310
+  Closes https://github.com/curl/curl/pull/6516
 
-Daniel Stenberg (12 Dec 2020)
-- CURLOPT_URL.3: remove scheme specific details
-  
-  ... that are now found in URL-SYNTAX.md
+Daniel Stenberg (25 Jan 2021)
+- libssh2: move data from connection object to transfer object
   
-  Closes #6307
-
-Dan Fandrich (12 Dec 2020)
-- docs: Fix some typos
+  Readdir data, filenames and attributes are strictly related to the
+  transfer and not the connection. This also reduces the total size of the
+  fixed connectdata struct.
   
-  [skip ci]
+  Closes #6519
 
-Daniel Stenberg (12 Dec 2020)
-- URL-SYNTAX: mention all supported schemes
-  
-  Closes #6311
+- RELEASE-NOTES: synced
 
-- [Douglas R. Reno brought this change]
+- [Patrick Monnerat brought this change]
 
-  URL-SYNTAX.md: minor language improvements
+  lib: remove conn->data uses
   
-  Closes #6308
+  Closes #6499
 
-- docs/URL-SYNTAX: the URL syntax curl accepts and works with
+- hyper: remove the conn->data references
   
-  Closes #6285
-
-- [0xflotus brought this change]
+  Closes #6508
 
-  docs: enable syntax highlighting in several docs files
+- travis: build ngtcp2 --with-gnutls
   
-  ... for better readability
+  ... since they disable it by default since a few days back.
   
-  Closes #6286
+  Closes #6506
+  Fixes #6493
 
-- test1564/1565: require the 'wakeup' feature to run
+- hostip: remove conn->data from resolver functions
   
-  Fixes #6299
-  Fixes #6300
-  Closes #6301
-
-- runtests: add 'wakeup' as a feature
-
-- tests/server/disabled: add "wakeup"
+  This also moves the 'async' struct from the connectdata struct into the
+  Curl_easy struct, which seems like a better home for it.
   
-  To allow the test suite to know if wakeup support is disabled in the
-  build.
-
-- lib1564/5: verify that curl_multi_wakeup returns OK
+  Closes #6497
 
-- tests: make --libcurl tests only test FTP options if ftp enabled
+Jay Satiro (22 Jan 2021)
+- strerror: skip errnum >= 0 assertion on windows
   
-  Adjust six --libcurl tests to only check the FTP option if FTP is
-  actually present in the build.
+  On Windows an error number may be greater than INT_MAX and negative once
+  cast to int.
   
-  Fixes #6303
-  Closes #6305
-
-- runtests.pl: fix "uninitialized value" warning
+  The assertion is checked only in debug builds.
   
-  follow-up to e12825c642a88774
+  Closes https://github.com/curl/curl/pull/6504
 
-- runtests: add support for %if [feature] conditions
-  
-  ... to make tests run differently or expect different results depending
-  on what features that are present or not in curl.
+Daniel Stenberg (21 Jan 2021)
+- doh: make Curl_doh_is_resolved survive a NULL pointer
   
-  Bonus: initial minor 'Hyper' awareness but nothing is using that yet
+  ... if Curl_doh() returned a NULL, this function gets called anyway as
+  in a asynch procedure. Then the doh struct pointer is NULL and signifies
+  an OOM situation.
   
-  Closes #6304
-
-- [Jon Rumsey brought this change]
+  Follow-up to 6246a1d8c6776
 
-  OS400: update ccsidcurl.c
+- wolfssh: remove conn->data references
   
-  Add 'struct' to cast and declaration of cfcdata to fix compilation
-  error.
+  ... and repair recent build breakage
   
-  Fixes #6292
-  Closes #6297
+  Closes #6507
 
-- ngtcp2: make it build it current master again
+- http: empty reply connection are not left intact
   
-  Closes #6296
-
-- [Cristian Rodríguez brought this change]
-
-  connect: defer port selection until connect() time
+  ... so mark the connection as closed in this condition to prevent that
+  verbose message to wrongly appear.
   
-  If supported, defer port selection until connect() time
-  if --interface is given and source port is 0.
+  Reported-by: Matt Holt
+  Bug: https://twitter.com/mholt6/status/1352130240265375744
+  Closes #6503
+
+- chunk/encoding: remove conn->data references
   
-  Reproducer:
+  ... by anchoring more functions on Curl_easy instead of connectdata
   
-  * start fast webserver on port 80
-  * starve system of ephemeral ports
-  $  sysctl net.ipv4.ip_local_port_range="60990 60999"
+  Closes #6498
+
+Jay Satiro (20 Jan 2021)
+- [Erik Olsson brought this change]
+
+  lib: save a bit of space with some structure packing
   
-  * start a curl/libcurl "crawler"
-  $curl --keepalive --parallel --parallel-immediate --head --interface
-  127.0.0.2 "http://127.0.0.[1-254]/file[001-002].txt"
+  - Reorder some internal struct members so that less padding is used.
   
-  current result:
-  (possible some successful data)
-  curl: (45) bind failed with errno 98: Address already in use
+  This is an attempt at saving a bit of space by packing some structs
+  (using pahole to find the holes) where it might make sense to do
+  so without losing readability.
   
-  result after patch:
-  (complete success or few connections failing, higlhy depending on load)
+  I.e., I tried to avoid separating fields that seem grouped
+  together (like the cwd... fields in struct ftp_conn for instance).
+  Also abstained from touching fields behind conditional macros as
+  that quickly can get complicated.
   
-  Fail only when all the possible 4-tuple combinations are exhausted,
-  which is impossible to do when port is selected at bind() time becuse
-  the kernel does not know if socket will be listen()'ed on or connect'ed
-  yet.
+  Closes https://github.com/curl/curl/pull/6483
+
+Daniel Stenberg (20 Jan 2021)
+- INSTALL.md: fix typo
   
-  Closes #6295
+  Found-by: Marcel Raad
 
-- [Hans-Christian Noren Egtvedt brought this change]
+- [Fabian Keil brought this change]
 
-  connect: zero variable on stack to silence valgrind complaint
-  
-  Valgrind will complain that ssrem buffer usage if not explicit
-  initialized, hence initialize it to zero.
+  http: get CURLOPT_REQUEST_TARGET working with a HTTP proxy
   
-  This completes the change intially started in commit 2c0d7212151 ('ftp:
-  retry getpeername for FTP with TCP_FASTOPEN') where the ssloc buffer has
-  a similar memset to zero.
+  Added test 1613 to verify.
   
-  Signed-off-by: Hans-Christian Noren Egtvedt <hegtvedt@cisco.com>
-  Closes #6289
+  Closes #6490
 
-- RELEASE-NOTES: synced
-  
-  start over on the next release cycle
+- Merge branch 'bagder/curl_range-data-conn'
 
-Version 7.74.0 (9 Dec 2020)
+- ftp: remove conn->data leftover
 
-Daniel Stenberg (9 Dec 2020)
-- RELEASE-NOTES: synced
+- curl_range: remove conn->data
   
-  for 7.74.0
+  Closes #6496
 
-Jay Satiro (7 Dec 2020)
-- [Jacob Hoffman-Andrews brought this change]
+- INSTALL: now at 85 operating systems
 
-  urldata: restore comment on ssl_connect_data.use
-  
-  This comment was originally on the `use` field, but was separated from
-  its field in 62a2534.
+- quiche: fix unused parameter ‘conn’
   
-  Closes https://github.com/curl/curl/pull/6287
+  Follow-up to 2bdec0b3
 
-Daniel Stenberg (7 Dec 2020)
-- VERSIONS: refreshed
+- transfer: fix ‘conn’ undeclared mistake for iconv build
   
-  We always use the patch number these days: all releases are
-  "major.minor.patch"
-
-- [Jakub Zakrzewski brought this change]
+  Follow-up to 219d9f8620d
 
-  cmake: don't use reserved target name 'test'
+- doh: allocate state struct on demand
   
-  CMake up to 3.10 always reserves this name
+  ... instead of having it static within the Curl_easy struct. This takes
+  away 1176 bytes (18%) from the Curl_easy struct that aren't used very
+  often and instead makes the code allocate it when needed.
   
-  Fixes #6257
-  Closes #6258
+  Closes #6492
 
-- openssl: make the OCSP verification verify the certificate id
-  
-  CVE-2020-8286
+- socks: use the download buffer instead
   
-  Reported by anonymous
+  The SOCKS code now uses the generic download buffer for temporary
+  storage during the connection procedure, instead of having its own
+  private 600 byte buffer that adds to the connectdata struct size. This
+  works fine because this point the buffer is allocated but is not use for
+  download yet since the connection hasn't completed.
   
-  Bug: https://curl.se/docs/CVE-2020-8286.html
-
-- ftp: make wc_statemach loop instead of recurse
+  This reduces the connection struct size by 22% on a 64bit arch!
   
-  CVE-2020-8285
+  The SOCKS buffer needs to be at least 600 bytes, and the download buffer
+  is guaranteed to never be smaller than 1000 bytes.
   
-  Fixes #6255
-  Bug: https://curl.se/docs/CVE-2020-8285.html
-  Reported-by: xnynx on github
+  Closes #6491
 
-- ftp: CURLOPT_FTP_SKIP_PASV_IP by default
-  
-  The command line tool also independently sets --ftp-skip-pasv-ip by
-  default.
+- urldata: make magic be the first struct field
   
-  Ten test cases updated to adapt the modified --libcurl output.
+  By making the `magic` identifier the same size and at the same place
+  within the structs (easy, multi, share), libcurl will be able to more
+  reliably detect and safely error out if an application passes in the
+  wrong handle to APIs. Easier to detect and less likely to cause crashes
+  if done.
   
-  Bug: https://curl.se/docs/CVE-2020-8284.html
-  CVE-2020-8284
+  Such mixups can't be detected at compile-time due to them being
+  typedefed void pointers - unless `CURL_STRICTER` is defined.
   
-  Reported-by: Varnavas Papaioannou
+  Closes #6484
 
-- urlapi: don't accept blank port number field without scheme
-  
-  ... as it makes the URL parser accept "very-long-hostname://" as a valid
-  host name and we don't want that. The parser now only accepts a blank
-  (no digits) after the colon if the URL starts with a scheme.
+- http_chunks: correct and clarify a comment on hexnumber length
   
-  Reported-by: d4d on hackerone
+  ... and also rename the define for max length.
   
-  Closes #6283
+  Closes #6489
 
-- Revert "multi: implement wait using winsock events"
+- curl_path: remove conn->data use
   
-  This reverts commit d2a7d7c185f98df8f3e585e5620cbc0482e45fac.
+  Closes #6487
+
+- transfer: remove conn->data use
   
-  This commit also reverts the subsequent follow-ups to that commit, which
-  were all done within windows #ifdefs that are removed in this
-  change. Marc helped me verify this.
+  Closes #6486
+
+- quic: remove conn->data use
   
-  Fixes #6146
-  Closes #6281
+  Closes #6485
 
-- [Klaus Crusius brought this change]
+- [Fabian Keil brought this change]
 
-  ftp: retry getpeername for FTP with TCP_FASTOPEN
-  
-  In the case of TFO, the remote host name is not resolved at the
-  connetion time.
-  
-  For FTP that has lead to missing hostname for the secondary connection.
-  Therefore the name resolution is done at the time, when FTP requires it.
-  
-  Fixes #6252
-  Closes #6265
-  Closes #6282
+  Add test1181: Proxy request with --proxy-header "Connection: Keep-Alive"
 
-- [Thomas Danielsson brought this change]
+- [Fabian Keil brought this change]
 
-  scripts/completion.pl: parse all opts
-  
-  For tab-completion it may be preferable to include all the
-  available options.
+  Add test1180: Proxy request with -H "Proxy-Connection: Keep-Alive"
   
-  Closes #6280
+  At the moment the test fails as curl sends two Proxy-Connection
+  headers.
 
-- RELEASE-NOTES: synced
+- c-hyper: avoid duplicated Proxy-Connection headers
 
-- openssl: use OPENSSL_init_ssl() with >= 1.1.0
+- http: make providing Proxy-Connection header not cause duplicated headers
+  
+  Fixes test 1180
   
-  Reported-by: Kovalkov Dmitrii and Per Nilsson
-  Fixes #6254
-  Fixes #6256
-  Closes #6260
+  Bug: https://curl.se/mail/lib-2021-01/0095.html
+  Reported-by: Fabian Keil
+  Closes #6472
 
-- SECURITY-PROCESS: disclose on hackerone
+- runtests: preprocess DISABLED to allow conditionals
   
-  Once a vulnerability has been published, the hackerone issue should be
-  disclosed. For tranparency.
+  ... with this function provided, we can disable tests for specific
+  environments and setups directly within this file.
   
-  Closes #6275
+  Closes #6477
 
-Marc Hoersken (3 Dec 2020)
-- tests/util.py: fix compatibility with Python 2
+- runtests: turn preprocessing into a separate function
   
-  Backporting the Python 3 implementation of setStream
-  to ClosingFileHandler as a fallback within Python 2.
+  ... and remove all other variable substitutions as they're now done once
+  and for all in the preprocessor.
+
+- lib/Makefile.inc: convert to listing each file on its own line
   
-  Reported-by: Jay Satiro
+  ... to make it diff friendlier and easier to read.
   
-  Fixes #6259
-  Closes #6270
+  Closes #6448
 
-Daniel Gustafsson (3 Dec 2020)
-- docs: fix typos and markup in ETag manpage sections
+- ftplistparser: remove use of conn->data
   
-  Reported-by: emanruse on github
-  Fixes #6273
+  Closes #6482
 
-Daniel Stenberg (2 Dec 2020)
-- quiche: close the connection
+- lib: more conn->data cleanups
   
-  Reported-by: Junho Choi
-  Fixes #6213
-  Closes #6217
+  Closes #6479
 
-Jay Satiro (2 Dec 2020)
-- ngtcp2: Fix build error due to symbol name change
-  
-  - NGTCP2_CRYPTO_LEVEL_APP -> NGTCP2_CRYPTO_LEVEL_APPLICATION
-  
-  ngtcp2/ngtcp2@76232e9 changed the name.
-  
-  ngtcp2 master is required to build curl with http3 support.
-  
-  Closes https://github.com/curl/curl/pull/6271
+- [Patrick Monnerat brought this change]
 
-Daniel Stenberg (1 Dec 2020)
-- [Klaus Crusius brought this change]
+  vtls: reduce conn->data use
+  
+  Closes #6474
 
-  cmake: check for linux/tcp.h
+- hyper: deliver data to application with Curl_client_write
   
-  The HAVE_LINUX_TCP_H define was not set by cmake.
+  ... just as the native code path does. Avoids sending too large data
+  chunks in the callback and more.
   
-  Closes #6252
+  Reported-by: Gisle Vanem
+  Fixes #6462
+  Closes #6473
+
+- gopher: remove accidental conn->data leftover

contrib/libs/curl/RELEASE-NOTES

@@ -1,198 +1,23 @@
-curl and libcurl 7.78.0
+curl and libcurl 7.79.1
 
- Public curl releases:         201
+ Public curl releases:         203
  Command line options:         242
  curl_easy_setopt() options:   290
  Public functions in libcurl:  85
- Contributors:                 2459
-
-This release includes the following changes:
-
- o curl_url_set: reject spaces in URLs w/o CURLU_ALLOW_SPACE [118]
- o CURLE_SETOPT_OPTION_SYNTAX: new error name for wrong setopt syntax [40]
- o hostip: make 'localhost' return fixed values [16]
- o mbedtls: add support for cert and key blob options [11]
- o metalink: remove all support for it [54]
- o mqtt: add support for username and password [91]
+ Contributors:                 2489
 
 This release includes the following bugfixes:
 
- o --socks4[a]: clarify where the host name is resolved [107]
- o ares: always store IPv6 addresses first [20]
- o asyn-ares: remove check for 'data' in Curl_resolver_cancel [89]
- o bearssl: explicitly initialize all fields of Curl_ssl [1]
- o bearssl: remove incorrect const on variable that is modified [1]
- o build: fix compiler warnings when CURL_DISABLE_VERBOSE_STRINGS [155]
- o c-hyper: abort CONNECT response reading early on non 2xx responses [75]
- o c-hyper: add support for transfer-encoding in the request [121]
- o c-hyper: bail on too long response headers [115]
- o c-hyper: clear NTLM auth buffer when request is issued [23]
- o c-hyper: convert HYPERE_INVALID_PEER_MESSAGE to CURLE_UNSUPPORTED_PROTOCOL [21]
- o c-hyper: fix NTLM on closed connection tested with test159 [4]
- o c-hyper: fix the uploaded field in progress callbacks [78]
- o c-hyper: handle NULL from hyper_buf_copy() [19]
- o c-hyper: support CURLINFO_STARTTRANSFER_TIME [29]
- o c-hyper: support CURLOPT_HEADER [32]
- o ccsidcurl: fix the compile errors [27]
- o CI/cirrus: install impacket from PyPI instead of FreeBSD packages [166]
- o CI: add bearssl build [1]
- o CI: add Circle CI [92]
- o CI: add jobs using Zuul [86]
- o CI: delete --enable-hsts option (it is the default now) [2]
- o CI: remove travis details [144]
- o cleanup: spell DoH with a lowercase o [172]
- o cmake: add CURL_DISABLE_NTLM option [44]
- o cmake: avoid leaking absolute paths into exported config [3]
- o cmake: fix IoctlSocket FIONBIO check [156]
- o cmake: fix support for UnixSockets feature on Win32 [104]
- o cmake: remove libssh2 feature checks [122]
- o cmake: try well-known send/recv signature for Apple [12]
- o configure.ac: make non-executable [109]
- o configure/cmake: remove checks for many unused functions [95]
- o configure: add --disable-ntlm option [45]
- o configure: disable RTSP when hyper is selected [68]
- o configure: do not strip out debug flags [110]
- o configure: fix nghttp2 library name for static builds [157]
- o configure: inhibit the implicit-fallthrough warning on gcc-12 [106]
- o configure: rename get-easy-option configure option to get-easy-options [81]
- o conn_shutdown: if closed during CONNECT cleanup properly [59]
- o conncache: lowercase the hash key for better match [5]
- o cookies: track expiration in jar to optimize removals [25]
- o copyright: add boiler-plate headers to CI config files [143]
- o crustls: bump crustls version and use new URL [119]
- o curl.h: <sys/select.h> is supported by VxWorks7 [102]
- o curl.h: include sys/select.h for NuttX RTOS [100]
- o curl: ignore blank --output-dir [57]
- o curl_endian: remove the unused Curl_write64_le function [85]
- o curl_multibyte: Remove local encoding fallbacks [58]
- o Curl_ntlm_core_mk_nt_hash: fix OOM in error path [8]
- o Curl_ssl_getsessionid: fail if no session cache exists [14]
- o CURLOPT_WRITEFUNCTION.3: minor update of the example [80]
- o docs/BINDINGS: fix outdated links [116]
- o docs/examples: use curl_multi_poll() in multi examples [152]
- o docs/INSTALL: remove mentions of configure --with-darwin-ssl [55]
- o docs: document missing arguments to commands [160]
- o docs: fix inconsistencies in EGDSOCKET documentation [159]
- o docs: fix incorrect argument name reference [161]
- o docs: Fix typos [146]
- o docs: make docs for --etag-save match the program behaviour [169]
- o docs: use --max-redirs instead of --max-redir [28]
- o doh: (void)-prefix call to curl_easy_setopt
- o doh: fix wrong DEBUGASSERT for doh private_data [62]
- o easy: during upkeep, attach Curl_easy to connections in the cache [171]
- o examples/multi-single: fix scan-build warning [150]
- o examples: length-limit two sscanf() uses of %s [96]
- o examples: safer and more proper read callback logic [127]
- o filecheck: quietly remove test-place/*~ [39]
- o formdata: avoid "Argument cannot be negative" warning [131]
- o formdata: correct typecast in curl_mime_data call [137]
- o GHA: add a linux-hyper job [52]
- o GHA: add several libcurl tests to the hyper job
- o GHA: run the newly fixed tests with hyper [36]
- o github: timeout jobs on macOS after 90 minutes [42]
- o glob: pass an 'int' as len when using printf's %*s [139]
- o gnutls: set the preferred TLS versions in correct order [94]
- o GOVERNANCE: add 'user', 'committer' and 'contributor' [15]
- o hostip: (macOS) free returned memory of SCDynamicStoreCopyProxies [105]
- o hostip: bad CURLOPT_RESOLVE syntax now returns error [35]
- o hsts: ignore numberical IP address hosts [17]
- o HSTS: not experimental anymore
- o http2: clarify 'Using HTTP2' verbose message [63]
- o http2: init recvbuf struct for pushed streams [13]
- o http2_connisdead: handle trailing GOAWAY better [18]
- o http: fix crash in rate-limited upload [142]
- o http: make the haproxy support work with unix domain sockets [99]
- o http_proxy: deal with non-200 CONNECT response with Hyper [22]
- o hyper: propagate errors back up from read callbacks [113]
- o HYPER: remove mentions of deprecated development branch
- o idn: fix libidn2 with windows unicode builds [117]
- o infof: remove newline from format strings, always append it [149]
- o lib: don't compare fd to FD_SETSIZE when using poll [61]
- o lib: fix compiler warnings with CURL_DISABLE_NETRC [168]
- o lib: fix type of len passed to *printf's %*s [133]
- o lib: more %u for port and int for %*s fixes [132]
- o lib: use %u instead of %ld for port number printf [134]
- o libcurl-security.3: mention file descriptors and forks [108]
- o libssh2: limit time a disconnect can take to 1 second [111]
- o mbedtls: make mbedtls_strerror always work [6]
- o mbedtls: Remove unnecessary include [175]
- o mqtt: detect illegal and too large file size [43]
- o mqtt: extend the error message for no topic [136]
- o msnprintf: return number of printed characters excluding null byte [148]
- o multi: add scan-build-6 work-around in curl_multi_fdset [88]
- o multi: alter transfer timeout ordering [97]
- o multi: do not switch off connect_only flag when closing [98]
- o multi: fix crash in curl_multi_wait / curl_multi_poll [153]
- o netrc: skip 'macdef' definitions [87]
- o ngtcp2: disable TLSv1.3 compatible mode when using GnuTLS [83]
- o openssl: avoid static variable for seed flag [101]
- o openssl: don't remove session id entry in disassociate [56]
- o pinnedpubkey.d: fix formatting for version support lists [126]
- o proto.d: fix formatting for paragraphs after margin changes [125]
- o quiche: use send() instead of sendto() to avoid macOS issue [103]
- o Revert "c-hyper: handle body on HYPER_TASK_EMPTY" [26]
- o Revert "ftp: Expression 'ftpc->wait_data_conn' is always false" [147]
- o runtests: also find the last test in Makefile.inc [66]
- o runtests: enable 'hyper mode' only for HTTP tests [34]
- o runtests: init $VERSION to avoid warnings when using -l
- o runtests: parse data/Makefile.inc instead of using make [38]
- o runtests: skip disabled tests unless -f is used [82]
- o rustls: remove native_roots fallback [65]
- o schannel: set ALPN length correctly for HTTP/2 [24]
- o SChannel: Use '_tcsncmp()' instead [164]
- o sectransp: check for client certs by name first, then file [167]
- o setopt: fix incorrect comments [10]
- o socketpair: fix potential hangs [37]
- o socks4: scan for the IPv4 address in resolve results [124]
- o ssl: read pending close notify alert before closing the connection [9]
- o sws: malloc request struct instead of using stack [60]
- o telnet: fix option parser to not send uninitialized contents [170]
- o test1116: hyper doesn't pass through "surprise-trailers" [123]
- o test1147: hyper doesn't allow "crazy" request headers like built-in [114]
- o test1151: added missing CRLF to work with hyper [120]
- o test1216: adjusted for hyper mode [73]
- o test1218: adjusted for hyper mode [72]
- o test1230: adjust to work in hyper mode [74]
- o test1340/1341: adjusted for hyper mode [71]
- o test1438/1457: add HTTP keyword to make hyper mode work [70]
- o test1514: add a CRLF to the response to make it correct [130]
- o test1518: adjusted to work with hyper [129]
- o test1519: adjusted to work with hyper [128]
- o test1594/1595/1596: fix to work in hyper mode [69]
- o test269: disable for hyper [33]
- o test3010: work with hyper mode [67]
- o test328: avoid a header-looking body to make hyper mode work [53]
- o test339: CRLFify better to work in hyper mode [51]
- o test347: CRLFify to work in hyper mode [50]
- o test393: make Content-Length fit within 64 bit for hyper [49]
- o test394: hyper returns a different error [48]
- o test395: hyper cannot work around > 64 bit content-lengths like built-in [47]
- o test433: adjust for hyper mode [46]
- o test434: add HTTP keyword [76]
- o test500: adjust to work with hyper mode
- o test566: adjust to work with hyper mode [79]
- o test599: adjusted to work in hyper mode [77]
- o test644: remove as duplicate of test 587 [84]
- o tests: fix Accept-Encoding strips to work with Hyper builds [41]
- o TLS: prevent shutdown loops to get stuck [112]
- o tool: make _lseeki64() macro work with the PellesC compiler [163]
- o tool_help: document that --tlspassword takes a password [162]
- o tool_help: remove unused define [154]
- o url.c: remove two variable assigns that are never read [90]
- o url: (void)-prefix a curl_url_get() call [138]
- o url: bad CURLOPT_CONNECT_TO syntax now returns error [31]
- o version: turn version number functions into returning void [135]
- o vtls: exit addsessionid if no cache is inited [7]
- o vtls: fix connection reuse checks for issuer cert and case sensitivity [165]
- o vtls: only store TIMER_APPCONNECT for non-proxy connect [93]
- o vtls: use free() not curl_free() [140]
- o warnless: simplify type size handling [30]
- o Win32: fix build with Watt-32
- o winbuild/README: VC should be set to 6 'or larger' [64]
- o winbuild: support alternate nghttp2 static lib name [174]
- o wolfssl: failing to set a session id is not reason to error out [151]
- o write-out.d: clarify urlnum is not unique for de-globbed URLs [145]
- o zuul: use the new rustls directory name [141]
+ o Curl_http2_setup: don't change connection data on repeat invokes [10]
+ o curl_multi_fdset: make FD_SET() not operate on sockets out of range [4]
+ o dist: provide lib/.checksrc in the tarball [6]
+ o FAQ: add GOPHERS + curl works on data, not files
+ o hsts: CURLSTS_FAIL from hsts read callback should fail transfer [8]
+ o hsts: handle unlimited expiry [3]
+ o http: fix the broken >3 digit response code detection [1]
+ o strerror: use sys_errlist instead of strerror on Windows [5]
+ o test1184: disable [9]
+ o tests/sshserver.pl: make it work with openssh-8.7p1 [2]
 
 This release includes the following known bugs:
 
@@ -201,199 +26,19 @@ This release includes the following known bugs:
 This release would not have looked like this without help, code, reports and
 advice from friends like these:
 
-  Albin Vass, Aleksander Mazur, Alexis Vachette, Alex Xu, Andrea Pappacoda,
-  Andrei Rybak, Bachue Zhou, Bastian Krause, Bin Lan, Bin Meng,
-  Christian Weisgerber, Christoph M. Becker, civodul on github, Dan Fandrich,
-  Daniel Gustafsson, Daniel Stenberg, David Hu, dEajL3kA on github,
-  Dmitry Karpov, Dmitry Kostjuchenko, Douglas R. Reno, Ebe Janchivdorj,
-  Fawad Mirza, Francisco Munoz, Gabriel Simmer, Gealber Morales, Gergely Nagy,
-  Gerrit Renker, Gisle Vanem, Gregor Jasny, Gregory Muchka, Harry Sintonen,
-  Hugh Macdonald, Jacob Hoffman-Andrews, Jishan Shaikh, Joel Depooter,
-  Jonathan Wernberg, Jon Rumsey, Josh Soref, Josie Huddleston, Jun-ya Kato,
-  Kevin Burke, Laurent Dufresne, Li Xinwei, MAntoniak on github, Marcel Raad,
-  Marc Hörsken, Mark Swaanenburg, Martin Howarth, Max Zettlmeißl,
-  Michael Forney, Michael Kaufmann, Mohammed Naser, nian6324 on github,
-  Nikos Mavrogiannopoulos, Paul Groke, Peter Körner, Phil E. Taylor,
-  Pierre Yager, Randolf J, Ray Satiro, Red Hat Product Security,
-  Richard Marion, Richard Whitehouse, Sergey Markelov, Shikha Sharma,
-  shithappens2016 on github, sylgal on github, Timur Artikov, Tobias Nyholm,
-  Tommy Chiang, User Sg, Vadim Grinshpun, Valentín Gutiérrez, Viktor Szakats,
-  William Desportes, Wyatt OʼDay, Xiang Xiao, Yongkang Huang, Younes El-karama,
-  Zhang Xiuhua, Борис Верховский, Коваленко Анатолий Викторович,
-  (83 contributors)
+  0xee on github, Daniel Stenberg, Evangelos Foutras, Glenn de boer,
+  Jonathan Cardoso Machado, Kamil Dudka, Marcel Raad, Ray Satiro,
+  RiderALT on github, tawmoto on github, Viktor Szakats,
+  (11 contributors)
 
 References to bug reports and discussions on issues:
 
- [1] = https://curl.se/bug/?i=7133
- [2] = https://curl.se/bug/?i=7167
- [3] = https://curl.se/bug/?i=7152
- [4] = https://curl.se/bug/?i=7154
- [5] = https://curl.se/bug/?i=7159
- [6] = https://curl.se/bug/?i=7162
- [7] = https://curl.se/bug/?i=7165
- [8] = https://curl.se/bug/?i=7164
- [9] = https://curl.se/bug/?i=7095
- [10] = https://curl.se/bug/?i=7157
- [11] = https://curl.se/bug/?i=7157
- [12] = https://curl.se/bug/?i=7158
- [13] = https://curl.se/bug/?i=7153
- [14] = https://curl.se/bug/?i=7148
- [15] = https://curl.se/bug/?i=7151
- [16] = https://curl.se/bug/?i=7039
- [17] = https://curl.se/bug/?i=7146
- [18] = https://curl.se/mail/lib-2021-06/0001.html
- [19] = https://curl.se/bug/?i=7143
- [20] = https://curl.se/mail/lib-2021-06/0003.html
- [21] = https://curl.se/bug/?i=7141
- [22] = https://curl.se/bug/?i=7141
- [23] = https://curl.se/bug/?i=7139
- [24] = https://curl.se/bug/?i=7138
- [25] = https://curl.se/bug/?i=7172
- [26] = https://curl.se/bug/?i=7122
- [27] = https://curl.se/bug/?i=7134
- [28] = https://curl.se/bug/?i=7130
- [29] = https://curl.se/bug/?i=7204
- [30] = https://curl.se/bug/?i=7181
- [31] = https://curl.se/bug/?i=7183
- [32] = https://curl.se/bug/?i=7204
- [33] = https://curl.se/bug/?i=7184
- [34] = https://curl.se/bug/?i=7185
- [35] = https://curl.se/bug/?i=7170
- [36] = https://curl.se/bug/?i=7205
- [37] = https://curl.se/bug/?i=7144
- [38] = https://curl.se/bug/?i=7177
- [39] = https://curl.se/bug/?i=7179
- [40] = https://curl.se/bug/?i=7175
- [41] = https://curl.se/bug/?i=7169
- [42] = https://curl.se/bug/?i=7173
- [43] = https://curl.se/bug/?i=7166
- [44] = https://curl.se/bug/?i=7028
- [45] = https://curl.se/bug/?i=7028
- [46] = https://curl.se/bug/?i=7205
- [47] = https://curl.se/bug/?i=7205
- [48] = https://curl.se/bug/?i=7205
- [49] = https://curl.se/bug/?i=7205
- [50] = https://curl.se/bug/?i=7205
- [51] = https://curl.se/bug/?i=7205
- [52] = https://curl.se/bug/?i=7206
- [53] = https://curl.se/bug/?i=7203
- [54] = https://curl.se/bug/?i=7176
- [55] = https://curl.se/mail/lib-2021-06/0008.html
- [56] = https://curl.se/bug/?i=7222
- [57] = https://curl.se/bug/?i=7218
- [58] = https://curl.se/bug/?i=7257
- [59] = https://curl.se/bug/?i=7236
- [60] = https://curl.se/mail/lib-2021-06/0018.html
- [61] = https://curl.se/bug/?i=7240
- [62] = https://curl.se/bug/?i=7227
- [63] = https://github.com/curl/curl/discussions/7255
- [64] = https://curl.se/bug/?i=7253
- [65] = https://curl.se/bug/?i=7250
- [66] = https://curl.se/bug/?i=7209
- [67] = https://curl.se/bug/?i=7209
- [68] = https://curl.se/bug/?i=7209
- [69] = https://curl.se/bug/?i=7209
- [70] = https://curl.se/bug/?i=7209
- [71] = https://curl.se/bug/?i=7209
- [72] = https://curl.se/bug/?i=7209
- [73] = https://curl.se/bug/?i=7209
- [74] = https://curl.se/bug/?i=7209
- [75] = https://curl.se/bug/?i=493
- [76] = https://curl.se/bug/?i=7209
- [77] = https://curl.se/bug/?i=7209
- [78] = https://curl.se/bug/?i=7209
- [79] = https://curl.se/bug/?i=7209
- [80] = https://curl.se/bug/?i=7219
- [81] = https://curl.se/bug/?i=7211
- [82] = https://curl.se/bug/?i=7212
- [83] = https://curl.se/bug/?i=6896
- [84] = https://curl.se/bug/?i=7208
- [85] = https://curl.se/bug/?i=7280
- [86] = https://curl.se/bug/?i=7245
- [87] = https://curl.se/bug/?i=7238
- [88] = https://curl.se/bug/?i=7248
- [89] = https://curl.se/bug/?i=7248
- [90] = https://curl.se/bug/?i=7248
- [91] = https://curl.se/bug/?i=7243
- [92] = https://curl.se/bug/?i=7239
- [93] = https://curl.se/bug/?i=7274
- [94] = https://curl.se/bug/?i=7277
- [95] = https://curl.se/bug/?i=7276
- [96] = https://curl.se/bug/?i=7293
- [97] = https://curl.se/bug/?i=7178
- [98] = https://curl.se/mail/lib-2021-06/0024.html
- [99] = https://curl.se/bug/?i=7290
- [100] = https://curl.se/bug/?i=7287
- [101] = https://curl.se/bug/?i=7296
- [102] = https://curl.se/bug/?i=7285
- [103] = https://curl.se/bug/?i=7260
- [104] = https://curl.se/bug/?i=7034
- [105] = https://curl.se/bug/?i=7265
- [106] = https://curl.se/bug/?i=7295
- [107] = https://curl.se/bug/?i=7273
- [108] = https://curl.se/bug/?i=7270
- [109] = https://curl.se/bug/?i=7272
- [110] = https://curl.se/bug/?i=7216
- [111] = https://curl.se/bug/?i=7271
- [112] = https://curl.se/bug/?i=7271
- [113] = https://curl.se/bug/?i=7266
- [114] = https://curl.se/bug/?i=7349
- [115] = https://curl.se/bug/?i=7350
- [116] = https://curl.se/bug/?i=7301
- [117] = https://curl.se/bug/?i=7228
- [118] = https://curl.se/bug/?i=7073
- [119] = https://curl.se/bug/?i=7297
- [120] = https://curl.se/bug/?i=7350
- [121] = https://curl.se/bug/?i=7348
- [122] = https://curl.se/bug/?i=7343
- [123] = https://curl.se/bug/?i=7344
- [124] = https://curl.se/bug/?i=7345
- [125] = https://curl.se/bug/?i=7341
- [126] = https://curl.se/bug/?i=7340
- [127] = https://curl.se/bug/?i=7330
- [128] = https://curl.se/bug/?i=7333
- [129] = https://curl.se/bug/?i=7333
- [130] = https://curl.se/bug/?i=7334
- [131] = https://curl.se/bug/?i=7328
- [132] = https://curl.se/bug/?i=7329
- [133] = https://curl.se/bug/?i=7326
- [134] = https://curl.se/bug/?i=7325
- [135] = https://curl.se/bug/?i=7319
- [136] = https://curl.se/bug/?i=7316
- [137] = https://curl.se/bug/?i=7327
- [138] = https://curl.se/bug/?i=7320
- [139] = https://curl.se/bug/?i=7324
- [140] = https://curl.se/bug/?i=7318
- [141] = https://curl.se/bug/?i=7311
- [142] = https://curl.se/bug/?i=7308
- [143] = https://curl.se/bug/?i=7314
- [144] = https://curl.se/bug/?i=7313
- [145] = https://curl.se/bug/?i=7342
- [146] = https://curl.se/bug/?i=7370
- [147] = https://curl.se/mail/lib-2021-07/0025.html
- [148] = https://curl.se/bug/?i=7361
- [149] = https://curl.se/bug/?i=7357
- [150] = https://curl.se/bug/?i=7360
- [151] = https://curl.se/bug/?i=7358
- [152] = https://curl.se/bug/?i=7352
- [153] = https://curl.se/bug/?i=7379
- [154] = https://curl.se/bug/?i=7380
- [155] = https://curl.se/bug/?i=7377
- [156] = https://curl.se/bug/?i=7375
- [157] = https://curl.se/bug/?i=7367
- [159] = https://curl.se/bug/?i=7391
- [160] = https://curl.se/bug/?i=7382
- [161] = https://curl.se/bug/?i=7383
- [162] = https://curl.se/bug/?i=7378
- [163] = https://curl.se/bug/?i=7397
- [164] = https://curl.se/bug/?i=7398
- [165] = https://curl.se/docs/CVE-2021-22924.html
- [166] = https://curl.se/bug/?i=7418
- [167] = https://curl.se/docs/CVE-2021-22926.html
- [168] = https://curl.se/bug/?i=7423
- [169] = https://curl.se/bug/?i=7429
- [170] = https://curl.se/docs/CVE-2021-22925.html
- [171] = https://curl.se/bug/?i=7386
- [172] = https://curl.se/bug/?i=7413
- [174] = https://curl.se/bug/?i=7446
- [175] = https://curl.se/bug/?i=7419
+ [1] = https://curl.se/bug/?i=7738
+ [2] = https://curl.se/bug/?i=7724
+ [3] = https://curl.se/bug/?i=7720
+ [4] = https://curl.se/bug/?i=7718
+ [5] = https://curl.se/bug/?i=7735
+ [6] = https://curl.se/bug/?i=7733
+ [8] = https://curl.se/bug/?i=7726
+ [9] = https://curl.se/bug/?i=7725
+ [10] = https://curl.se/bug/?i=7730

contrib/libs/curl/include/curl/curl.h

@@ -25,9 +25,6 @@
 /*
  * If you have libcurl problems, all docs and details are found here:
  *   https://curl.se/libcurl/
- *
- * curl-library mailing list subscription and unsubscription web interface:
- *   https://cool.haxx.se/mailman/listinfo/curl-library/
  */
 
 #ifdef CURL_NO_OLDIES

contrib/libs/curl/include/curl/curlver.h

@@ -30,13 +30,13 @@
 
 /* This is the version number of the libcurl package from which this header
    file origins: */
-#define LIBCURL_VERSION "7.78.0"
+#define LIBCURL_VERSION "7.79.1"
 
 /* The numeric version number is also available "in parts" by using these
    defines: */
 #define LIBCURL_VERSION_MAJOR 7
-#define LIBCURL_VERSION_MINOR 78
-#define LIBCURL_VERSION_PATCH 0
+#define LIBCURL_VERSION_MINOR 79
+#define LIBCURL_VERSION_PATCH 1
 
 /* This is the numeric version of the libcurl version number, meant for easier
    parsing and comparisons by programs. The LIBCURL_VERSION_NUM define will
@@ -57,7 +57,7 @@
    CURL_VERSION_BITS() macro since curl's own configure script greps for it
    and needs it to contain the full number.
 */
-#define LIBCURL_VERSION_NUM 0x074e00
+#define LIBCURL_VERSION_NUM 0x074f01
 
 /*
  * This is the date and time when the full source package was created. The
@@ -68,7 +68,7 @@
  *
  * "2007-11-23"
  */
-#define LIBCURL_TIMESTAMP "2021-07-21"
+#define LIBCURL_TIMESTAMP "2021-09-22"
 
 #define CURL_VERSION_BITS(x,y,z) ((x)<<16|(y)<<8|(z))
 #define CURL_AT_LEAST_VERSION(x,y,z) \

contrib/libs/curl/lib/asyn-ares.c

@@ -59,7 +59,6 @@
 #include "hostip.h"
 #include "hash.h"
 #include "share.h"
-#include "strerror.h"
 #include "url.h"
 #include "multiif.h"
 #include "inet_pton.h"
@@ -80,13 +79,35 @@
 #define HAVE_CARES_CALLBACK_TIMEOUTS 1
 #endif
 
+#if ARES_VERSION >= 0x010601
+/* IPv6 supported since 1.6.1 */
+#define HAVE_CARES_IPV6 1
+#endif
+
+#if ARES_VERSION >= 0x010704
+#define HAVE_CARES_SERVERS_CSV 1
+#define HAVE_CARES_LOCAL_DEV 1
+#define HAVE_CARES_SET_LOCAL 1
+#endif
+
+#if ARES_VERSION >= 0x010b00
+#define HAVE_CARES_PORTS_CSV 1
+#endif
+
+#if ARES_VERSION >= 0x011000
+/* 1.16.0 or later has ares_getaddrinfo */
+#if !__has_feature(memory_sanitizer)
+#define HAVE_CARES_GETADDRINFO 1
+#endif
+#endif
+
 /* The last 3 #include files should be in this order */
 #include "curl_printf.h"
 #include "curl_memory.h"
 #include "memdebug.h"
 
 struct thread_data {
-  int num_pending; /* number of ares_gethostbyname() requests */
+  int num_pending; /* number of outstanding c-ares requests */
   struct Curl_addrinfo *temp_ai; /* intermediary result while fetching c-ares
                                     parts */
   int last_status;
@@ -490,6 +511,8 @@ CURLcode Curl_resolver_wait_resolv(struct Curl_easy *data,
   return result;
 }
 
+#ifndef HAVE_CARES_GETADDRINFO
+
 /* Connects results to the list */
 static void compound_results(struct thread_data *res,
                              struct Curl_addrinfo *ai)
@@ -620,7 +643,98 @@ static void query_completed_cb(void *arg,  /* (struct connectdata *) */
     }
   }
 }
+#else
+/* c-ares 1.16.0 or later */
+
+/*
+ * ares2addr() converts an address list provided by c-ares to an internal
+ * libcurl compatible list
+ */
+static struct Curl_addrinfo *ares2addr(struct ares_addrinfo_node *node)
+{
+  /* traverse the ares_addrinfo_node list */
+  struct ares_addrinfo_node *ai;
+  struct Curl_addrinfo *cafirst = NULL;
+  struct Curl_addrinfo *calast = NULL;
+  int error = 0;
+
+  for(ai = node; ai != NULL; ai = ai->ai_next) {
+    size_t ss_size;
+    struct Curl_addrinfo *ca;
+    /* ignore elements with unsupported address family, */
+    /* settle family-specific sockaddr structure size.  */
+    if(ai->ai_family == AF_INET)
+      ss_size = sizeof(struct sockaddr_in);
+#ifdef ENABLE_IPV6
+    else if(ai->ai_family == AF_INET6)
+      ss_size = sizeof(struct sockaddr_in6);
+#endif
+    else
+      continue;
+
+    /* ignore elements without required address info */
+    if(!ai->ai_addr || !(ai->ai_addrlen > 0))
+      continue;
+
+    /* ignore elements with bogus address size */
+    if((size_t)ai->ai_addrlen < ss_size)
+      continue;
+
+    ca = malloc(sizeof(struct Curl_addrinfo) + ss_size);
+    if(!ca) {
+      error = EAI_MEMORY;
+      break;
+    }
+
+    /* copy each structure member individually, member ordering, */
+    /* size, or padding might be different for each platform.    */
+
+    ca->ai_flags     = ai->ai_flags;
+    ca->ai_family    = ai->ai_family;
+    ca->ai_socktype  = ai->ai_socktype;
+    ca->ai_protocol  = ai->ai_protocol;
+    ca->ai_addrlen   = (curl_socklen_t)ss_size;
+    ca->ai_addr      = NULL;
+    ca->ai_canonname = NULL;
+    ca->ai_next      = NULL;
+
+    ca->ai_addr = (void *)((char *)ca + sizeof(struct Curl_addrinfo));
+    memcpy(ca->ai_addr, ai->ai_addr, ss_size);
+
+    /* if the return list is empty, this becomes the first element */
+    if(!cafirst)
+      cafirst = ca;
+
+    /* add this element last in the return list */
+    if(calast)
+      calast->ai_next = ca;
+    calast = ca;
+  }
+
+  /* if we failed, destroy the Curl_addrinfo list */
+  if(error) {
+    Curl_freeaddrinfo(cafirst);
+    cafirst = NULL;
+  }
+
+  return cafirst;
+}
+
+static void addrinfo_cb(void *arg, int status, int timeouts,
+                        struct ares_addrinfo *result)
+{
+  struct Curl_easy *data = (struct Curl_easy *)arg;
+  struct thread_data *res = data->state.async.tdata;
+  (void)timeouts;
+  if(ARES_SUCCESS == status) {
+    res->temp_ai = ares2addr(result->nodes);
+    res->last_status = CURL_ASYNC_SUCCESS;
+    ares_freeaddrinfo(result);
+  }
+  res->num_pending--;
+}
 
+#endif
 /*
  * Curl_resolver_getaddrinfo() - when using ares
  *
@@ -658,8 +772,28 @@ struct Curl_addrinfo *Curl_resolver_getaddrinfo(struct Curl_easy *data,
     /* initial status - failed */
     res->last_status = ARES_ENOTFOUND;
 
-#if ARES_VERSION >= 0x010601
-    /* IPv6 supported by c-ares since 1.6.1 */
+#ifdef HAVE_CARES_GETADDRINFO
+    {
+      struct ares_addrinfo_hints hints;
+      char service[12];
+      int pf = PF_INET;
+      memset(&hints, 0, sizeof(hints));
+#ifdef CURLRES_IPV6
+      if(Curl_ipv6works(data))
+        /* The stack seems to be IPv6-enabled */
+        pf = PF_UNSPEC;
+#endif /* CURLRES_IPV6 */
+      hints.ai_family = pf;
+      hints.ai_socktype = (data->conn->transport == TRNSPRT_TCP)?
+        SOCK_STREAM : SOCK_DGRAM;
+      msnprintf(service, sizeof(service), "%d", port);
+      res->num_pending = 1;
+      ares_getaddrinfo((ares_channel)data->state.async.resolver, hostname,
+                       service, &hints, addrinfo_cb, data);
+    }
+#else
+
+#ifdef HAVE_CARES_IPV6
     if(Curl_ipv6works(data)) {
       /* The stack seems to be IPv6-enabled */
       res->num_pending = 2;
@@ -671,7 +805,7 @@ struct Curl_addrinfo *Curl_resolver_getaddrinfo(struct Curl_easy *data,
                           PF_INET6, query_completed_cb, data);
     }
     else
-#endif /* ARES_VERSION >= 0x010601 */
+#endif
     {
       res->num_pending = 1;
 
@@ -680,7 +814,7 @@ struct Curl_addrinfo *Curl_resolver_getaddrinfo(struct Curl_easy *data,
                          hostname, PF_INET,
                          query_completed_cb, data);
     }
-
+#endif
     *waitp = 1; /* expect asynchronous response */
   }
   return NULL; /* no struct yet */
@@ -701,8 +835,8 @@ CURLcode Curl_set_dns_servers(struct Curl_easy *data,
   if(!(servers && servers[0]))
     return CURLE_OK;
 
-#if (ARES_VERSION >= 0x010704)
-#if (ARES_VERSION >= 0x010b00)
+#ifdef HAVE_CARES_SERVERS_CSV
+#ifdef HAVE_CARES_PORTS_CSV
   ares_result = ares_set_servers_ports_csv(data->state.async.resolver,
                                            servers);
 #else
@@ -732,7 +866,7 @@ CURLcode Curl_set_dns_servers(struct Curl_easy *data,
 CURLcode Curl_set_dns_interface(struct Curl_easy *data,
                                 const char *interf)
 {
-#if (ARES_VERSION >= 0x010704)
+#ifdef HAVE_CARES_LOCAL_DEV
   if(!interf)
     interf = "";
 
@@ -749,7 +883,7 @@ CURLcode Curl_set_dns_interface(struct Curl_easy *data,
 CURLcode Curl_set_dns_local_ip4(struct Curl_easy *data,
                                 const char *local_ip4)
 {
-#if (ARES_VERSION >= 0x010704)
+#ifdef HAVE_CARES_SET_LOCAL
   struct in_addr a4;
 
   if((!local_ip4) || (local_ip4[0] == 0)) {
@@ -775,7 +909,7 @@ CURLcode Curl_set_dns_local_ip4(struct Curl_easy *data,
 CURLcode Curl_set_dns_local_ip6(struct Curl_easy *data,
                                 const char *local_ip6)
 {
-#if (ARES_VERSION >= 0x010704) && defined(ENABLE_IPV6)
+#if defined(HAVE_CARES_SET_LOCAL) && defined(ENABLE_IPV6)
   unsigned char a6[INET6_ADDRSTRLEN];
 
   if((!local_ip6) || (local_ip6[0] == 0)) {

contrib/libs/curl/lib/asyn-thread.c

@@ -68,7 +68,6 @@
 #include "hostip.h"
 #include "hash.h"
 #include "share.h"
-#include "strerror.h"
 #include "url.h"
 #include "multiif.h"
 #include "inet_ntop.h"

contrib/libs/curl/lib/c-hyper.c

@@ -176,7 +176,7 @@ static int hyper_body_chunk(void *userdata, const hyper_buf *chunk)
   size_t len = hyper_buf_len(chunk);
   struct Curl_easy *data = (struct Curl_easy *)userdata;
   struct SingleRequest *k = &data->req;
-  CURLcode result;
+  CURLcode result = CURLE_OK;
 
   if(0 == k->bodywrites++) {
     bool done = FALSE;
@@ -192,8 +192,20 @@ static int hyper_body_chunk(void *userdata, const hyper_buf *chunk)
       Curl_safefree(data->req.newurl);
     }
 #endif
-    if(data->state.hconnect &&
-       (data->req.httpcode/100 != 2)) {
+    if(data->state.expect100header) {
+      Curl_expire_done(data, EXPIRE_100_TIMEOUT);
+      if(data->req.httpcode < 400) {
+        k->exp100 = EXP100_SEND_DATA;
+        if(data->hyp.exp100_waker) {
+          hyper_waker_wake(data->hyp.exp100_waker);
+          data->hyp.exp100_waker = NULL;
+        }
+      }
+      else { /* >= 4xx */
+        k->exp100 = EXP100_FAILED;
+      }
+    }
+    if(data->state.hconnect && (data->req.httpcode/100 != 2)) {
       done = TRUE;
       result = CURLE_OK;
     }
@@ -245,6 +257,9 @@ static CURLcode status_line(struct Curl_easy *data,
   conn->httpversion =
     http_version == HYPER_HTTP_VERSION_1_1 ? 11 :
     (http_version == HYPER_HTTP_VERSION_2 ? 20 : 10);
+  if(http_version == HYPER_HTTP_VERSION_1_0)
+    data->state.httpwant = CURL_HTTP_VERSION_1_0;
+
   data->req.httpcode = http_status;
 
   result = Curl_http_statusline(data, conn);
@@ -306,8 +321,25 @@ CURLcode Curl_hyper_stream(struct Curl_easy *data,
   const uint8_t *reasonp;
   size_t reason_len;
   CURLcode result = CURLE_OK;
+  struct SingleRequest *k = &data->req;
   (void)conn;
 
+  if(k->exp100 > EXP100_SEND_DATA) {
+    struct curltime now = Curl_now();
+    timediff_t ms = Curl_timediff(now, k->start100);
+    if(ms >= data->set.expect_100_timeout) {
+      /* we've waited long enough, continue anyway */
+      k->exp100 = EXP100_SEND_DATA;
+      k->keepon |= KEEP_SEND;
+      Curl_expire_done(data, EXPIRE_100_TIMEOUT);
+      infof(data, "Done waiting for 100-continue");
+      if(data->hyp.exp100_waker) {
+        hyper_waker_wake(data->hyp.exp100_waker);
+        data->hyp.exp100_waker = NULL;
+      }
+    }
+  }
+
   if(select_res & CURL_CSELECT_IN) {
     if(h->read_waker)
       hyper_waker_wake(h->read_waker);
@@ -341,8 +373,7 @@ CURLcode Curl_hyper_stream(struct Curl_easy *data,
     hyper_task_free(task);
 
     if(t == HYPER_TASK_ERROR) {
-      hyper_code errnum = hyper_error_code(hypererr);
-      if(errnum == HYPERE_ABORTED_BY_CALLBACK) {
+      if(data->state.hresult) {
         /* override Hyper's view, might not even be an error */
         result = data->state.hresult;
         infof(data, "hyperstream is done (by early callback)");
@@ -352,7 +383,9 @@ CURLcode Curl_hyper_stream(struct Curl_easy *data,
         size_t errlen = hyper_error_print(hypererr, errbuf, sizeof(errbuf));
         hyper_code code = hyper_error_code(hypererr);
         failf(data, "Hyper: [%d] %.*s", (int)code, (int)errlen, errbuf);
-        if((code == HYPERE_UNEXPECTED_EOF) && !data->req.bytecount)
+        if(code == HYPERE_ABORTED_BY_CALLBACK)
+          result = CURLE_OK;
+        else if((code == HYPERE_UNEXPECTED_EOF) && !data->req.bytecount)
           result = CURLE_GOT_NOTHING;
         else if(code == HYPERE_INVALID_PEER_MESSAGE)
           result = CURLE_UNSUPPORTED_PROTOCOL; /* maybe */
@@ -367,6 +400,11 @@ CURLcode Curl_hyper_stream(struct Curl_easy *data,
       /* end of transfer */
       *done = TRUE;
       infof(data, "hyperstream is done!");
+      if(!k->bodywrites) {
+        /* hyper doesn't always call the body write callback */
+        bool stilldone;
+        result = Curl_http_firstwrite(data, data->conn, &stilldone);
+      }
       break;
     }
     else if(t != HYPER_TASK_RESPONSE) {
@@ -523,7 +561,7 @@ CURLcode Curl_hyper_header(struct Curl_easy *data, hyper_headers *headers,
         free(ptr);
       }
       else
-        Curl_debug(data, CURLINFO_HEADER_OUT, (char *)line, linelen);
+        Curl_debug(data, CURLINFO_HEADER_OUT, (char *)n, linelen);
     }
     numh++;
     n += linelen;
@@ -564,6 +602,16 @@ static int uploadpostfields(void *userdata, hyper_context *ctx,
 {
   struct Curl_easy *data = (struct Curl_easy *)userdata;
   (void)ctx;
+  if(data->req.exp100 > EXP100_SEND_DATA) {
+    if(data->req.exp100 == EXP100_FAILED)
+      return HYPER_POLL_ERROR;
+
+    /* still waiting confirmation */
+    if(data->hyp.exp100_waker)
+      hyper_waker_free(data->hyp.exp100_waker);
+    data->hyp.exp100_waker = hyper_context_waker(ctx);
+    return HYPER_POLL_PENDING;
+  }
   if(data->req.upload_done)
     *chunk = NULL; /* nothing more to deliver */
   else {
@@ -590,9 +638,21 @@ static int uploadstreamed(void *userdata, hyper_context *ctx,
 {
   size_t fillcount;
   struct Curl_easy *data = (struct Curl_easy *)userdata;
-  CURLcode result =
-    Curl_fillreadbuffer(data, data->set.upload_buffer_size, &fillcount);
+  CURLcode result;
   (void)ctx;
+
+  if(data->req.exp100 > EXP100_SEND_DATA) {
+    if(data->req.exp100 == EXP100_FAILED)
+      return HYPER_POLL_ERROR;
+
+    /* still waiting confirmation */
+    if(data->hyp.exp100_waker)
+      hyper_waker_free(data->hyp.exp100_waker);
+    data->hyp.exp100_waker = hyper_context_waker(ctx);
+    return HYPER_POLL_PENDING;
+  }
+
+  result = Curl_fillreadbuffer(data, data->set.upload_buffer_size, &fillcount);
   if(result) {
     data->state.hresult = result;
     return HYPER_POLL_ERROR;
@@ -627,6 +687,7 @@ static CURLcode bodysend(struct Curl_easy *data,
                          hyper_request *hyperreq,
                          Curl_HttpReq httpreq)
 {
+  struct HTTP *http = data->req.p.http;
   CURLcode result = CURLE_OK;
   struct dynbuf req;
   if((httpreq == HTTPREQ_GET) || (httpreq == HTTPREQ_HEAD))
@@ -659,6 +720,7 @@ static CURLcode bodysend(struct Curl_easy *data,
       result = CURLE_OUT_OF_MEMORY;
     }
   }
+  http->sending = HTTPSEND_BODY;
   return result;
 }
 
@@ -677,6 +739,48 @@ static CURLcode cookies(struct Curl_easy *data,
   return result;
 }
 
+/* called on 1xx responses */
+static void http1xx_cb(void *arg, struct hyper_response *resp)
+{
+  struct Curl_easy *data = (struct Curl_easy *)arg;
+  hyper_headers *headers = NULL;
+  CURLcode result = CURLE_OK;
+  uint16_t http_status;
+  int http_version;
+  const uint8_t *reasonp;
+  size_t reason_len;
+
+  infof(data, "Got HTTP 1xx informational");
+
+  http_status = hyper_response_status(resp);
+  http_version = hyper_response_version(resp);
+  reasonp = hyper_response_reason_phrase(resp);
+  reason_len = hyper_response_reason_phrase_len(resp);
+
+  result = status_line(data, data->conn,
+                       http_status, http_version, reasonp, reason_len);
+  if(!result) {
+    headers = hyper_response_headers(resp);
+    if(!headers) {
+      failf(data, "hyperstream: couldn't get 1xx response headers");
+      result = CURLE_RECV_ERROR;
+    }
+  }
+  data->state.hresult = result;
+
+  if(!result) {
+    /* the headers are already received */
+    hyper_headers_foreach(headers, hyper_each_header, data);
+    /* this callback also sets data->state.hresult on error */
+
+    if(empty_header(data))
+      result = CURLE_OUT_OF_MEMORY;
+  }
+
+  if(data->state.hresult)
+    infof(data, "ERROR in 1xx, bail out!");
+}
+
 /*
  * Curl_http() gets called from the generic multi_do() function when a HTTP
  * request is to be performed. This creates and sends a properly constructed
@@ -694,13 +798,13 @@ CURLcode Curl_http(struct Curl_easy *data, bool *done)
   hyper_request *req = NULL;
   hyper_headers *headers = NULL;
   hyper_task *handshake = NULL;
-  hyper_error *hypererr = NULL;
   CURLcode result;
   const char *p_accept; /* Accept: string */
   const char *method;
   Curl_HttpReq httpreq;
   bool h2 = FALSE;
   const char *te = NULL; /* transfer-encoding */
+  hyper_code rc;
 
   /* Always consider the DO phase done after this function call, even if there
      may be parts of the request that is not yet sent, since we can deal with
@@ -804,7 +908,7 @@ CURLcode Curl_http(struct Curl_easy *data, bool *done)
     goto error;
   }
 
-  if(data->state.httpwant == CURL_HTTP_VERSION_1_0) {
+  if(!Curl_use_http_1_1plus(data, conn)) {
     if(HYPERE_OK != hyper_request_set_version(req,
                                               HYPER_HTTP_VERSION_1_0)) {
       failf(data, "error setting HTTP version");
@@ -827,6 +931,10 @@ CURLcode Curl_http(struct Curl_easy *data, bool *done)
     goto error;
   }
 
+  rc = hyper_request_on_informational(req, http1xx_cb, data);
+  if(rc)
+    return CURLE_OUT_OF_MEMORY;
+
   result = Curl_http_body(data, conn, httpreq, &te);
   if(result)
     return result;
@@ -932,24 +1040,16 @@ CURLcode Curl_http(struct Curl_easy *data, bool *done)
 
   hyper_clientconn_free(client);
 
-  do {
-    task = hyper_executor_poll(h->exec);
-    if(task) {
-      bool error = hyper_task_type(task) == HYPER_TASK_ERROR;
-      if(error)
-        hypererr = hyper_task_value(task);
-      hyper_task_free(task);
-      if(error)
-        goto error;
-    }
-  } while(task);
-
   if((httpreq == HTTPREQ_GET) || (httpreq == HTTPREQ_HEAD)) {
     /* HTTP GET/HEAD download */
     Curl_pgrsSetUploadSize(data, 0); /* nothing */
     Curl_setup_transfer(data, FIRSTSOCKET, -1, TRUE, -1);
   }
   conn->datastream = Curl_hyper_stream;
+  if(data->state.expect100header)
+    /* Timeout count starts now since with Hyper we don't know exactly when
+       the full request has been sent. */
+    data->req.start100 = Curl_now();
 
   /* clear userpwd and proxyuserpwd to avoid re-using old credentials
    * from re-used connections */
@@ -967,15 +1067,6 @@ CURLcode Curl_http(struct Curl_easy *data, bool *done)
   if(handshake)
     hyper_task_free(handshake);
 
-  if(hypererr) {
-    uint8_t errbuf[256];
-    size_t errlen = hyper_error_print(hypererr, errbuf, sizeof(errbuf));
-    hyper_code code = hyper_error_code(hypererr);
-    failf(data, "Hyper: [%d] %.*s", (int)code, (int)errlen, errbuf);
-    hyper_error_free(hypererr);
-    if(data->state.hresult)
-      return data->state.hresult;
-  }
   return CURLE_OUT_OF_MEMORY;
 }
 
@@ -994,6 +1085,10 @@ void Curl_hyper_done(struct Curl_easy *data)
     hyper_waker_free(h->write_waker);
     h->write_waker = NULL;
   }
+  if(h->exp100_waker) {
+    hyper_waker_free(h->exp100_waker);
+    h->exp100_waker = NULL;
+  }
 }
 
 #endif /* !defined(CURL_DISABLE_HTTP) && defined(USE_HYPER) */