                                  _   _ ____  _
                              ___| | | |  _ \| |
                             / __| | | | |_) | |
                            | (__| |_| |  _ <| |___
                             \___|\___/|_| \_\_____|

                                  Changelog

Version 7.71.0 (23 Jun 2020)

Daniel Stenberg (23 Jun 2020)
- RELEASE-NOTES: curl 7.71.0 release

- THANKS: curl 7.71.0 additions

- url: make sure pushed streams get an allocated download buffer
  
  Follow-up to c4e6968127e876b0
  
  When a new transfer is created, as a resuly of an acknowledged push,
  that transfer needs a download buffer allocated.
  
  Closes #5590

Jay Satiro (22 Jun 2020)
- openssl: Don't ignore CA paths when using Windows CA store
  
  This commit changes the behavior of CURLSSLOPT_NATIVE_CA so that it does
  not override CURLOPT_CAINFO / CURLOPT_CAPATH, or the hardcoded default
  locations. Instead the CA store can now be used at the same time.
  
  The change is due to the impending release. The issue is still being
  discussed. The behavior of CURLSSLOPT_NATIVE_CA is subject to change and
  is now documented as experimental.
  
  Ref: bc052cc (parent commit)
  Ref: https://github.com/curl/curl/issues/5585

- tool_operate: Don't use Windows CA store as a fallback
  
  Background:
  
  148534d added CURLSSLOPT_NATIVE_CA to use the Windows OS certificate
  store in libcurl w/ OpenSSL on Windows. CURLSSLOPT_NATIVE_CA overrides
  CURLOPT_CAINFO if both are set. The curl tool will fall back to
  CURLSSLOPT_NATIVE_CA if it could not find a certificate bundle to set
  via CURLOPT_CAINFO.
  
  Problem:
  
  libcurl may be built with hardcoded paths to a certificate bundle or
  directory, and if CURLSSLOPT_NATIVE_CA is used then those paths are
  ignored.
  
  Solution:
  
  A solution is still being discussed but since there's an impending
  release this commit removes using CURLSSLOPT_NATIVE_CA in the curl tool.
  
  Ref: https://github.com/curl/curl/issues/5585

- openssl: Fix CA fallback logic for OpenSSL 3.0 build
  
  Prior to this change I assume a build error would occur when
  CURL_CA_FALLBACK was used.
  
  Closes https://github.com/curl/curl/pull/5587

Daniel Stenberg (22 Jun 2020)
- copyright: update mismatched copyright years

- test1460: verify that -Ji is not ok

- tool_getparam: -i is not OK if -J is used
  
  Reported-by: sn on hackerone
  Bug: https://curl.haxx.se/docs/CVE-2020-8177.html

- [Peter Wu brought this change]

  CMake: ignore INTERFACE_LIBRARY targets for pkg-config file
  
  Reviewed-by: Marcel Raad
  Fixes #5512
  Closes #5517

- [Valentyn Korniienko brought this change]

  multibyte: Fixed access-> waccess to file for Windows Plarform
  
  Reviewed-by: Marcel Raad
  Closes #5580

- altsvc: bump to h3-29
  
  Closes #5584

- urlglob: treat literal IPv6 addresses with zone IDs as a host name
  
  ... and not as a "glob". Now done by passing the supposed host to the
  URL parser which supposedly will do a better job at identifying "real"
  numerical IPv6 addresses.
  
  Reported-by: puckipedia on github
  Fixes #5576
  Closes #5579

- test1179: verify error message for non-existing cmdline option

- tool_getparam: repair the error message for unknown flag
  
  Follow-up to 9e5669f3880674
  Detected by Coverity CID 1464582 ("Logically dead code")
  
  Closes #5577

- FILEFORMAT: describe verify/stderr

- connect: improve happy eyeballs handling
  
  For QUIC but also for regular TCP when the second family runs out of IPs
  with a failure while the first family is still trying to connect.
  
  Separated the timeout handling for IPv4 and IPv6 connections when they
  both have a number of addresses to iterate over.

- ngtcp2: never call fprintf() in lib code in release version

- ngtcp2: fix happy eyeballs quic connect crash
  
  Reported-by: Peter Wu
  Fixes #5565
  Closes #5568

- select: remove the unused ELAPSED_MS() macro
  
  Closes #5573

Marc Hoersken (17 Jun 2020)
- [rcombs brought this change]

  multi: implement wait using winsock events
  
  This avoids using a pair of TCP ports to provide wakeup functionality
  for every multi instance on Windows, where socketpair() is emulated
  using a TCP socket on loopback which could in turn lead to socket
  resource exhaustion.
  
  Reviewed-by: Gergely Nagy
  Reviewed-by: Marc Hörsken
  
  Closes #5397

Daniel Stenberg (17 Jun 2020)
- manpage: add three missing environment variables
  
  CURL_SSL_BACKEND, QLOGDIR and SSLKEYLOGFILE
  
  Closes #5571

- RELEASE-NOTES: synced

- configure: for wolfSSL, check for the DES func needed for NTLM
  
  Also adds pkg-config support for the wolfSSL detection.

- [Ruurd Beerstra brought this change]

  ntlm: enable NTLM support with wolfSSL
  
  When wolfSSL is built with its OpenSSL API layer, it fetures the same DES*
  functions that OpenSSL has. This change take advantage of that.
  
  Co-authored-by: Daniel Stenberg
  Closes #5556
  Fixes #5548

- http: move header storage to Curl_easy from connectdata
  
  Since the connection can be used by many independent requests (using
  HTTP/2 or HTTP/3), things like user-agent and other transfer-specific
  data MUST NOT be kept connection oriented as it could lead to requests
  getting the wrong string for their requests. This struct data was
  lingering like this due to old HTTP1 legacy thinking where it didn't
  mattered..
  
  Fixes #5566
  Closes #5567

- CODE_REVIEW.md: how to do code reviews in curl
  
  Assisted-by: Daniel Gustafsson
  Assisted-by: Rich Salz
  Assisted-by: Hugo van Kemenade
  Assisted-by: James Fuller
  Assisted-by: Marc Hörsken
  Assisted-by: Jay Satiro
  
  Closes #5555

- altsvc: remove the num field from the altsvc struct
  
  It was superfluous since we have the list.size alredy
  
  Reported-by: Jay Satiro
  Fixes #5553
  Closes #5563

- version.d: expanded and alpha-sorted
  
  Added a few missing features not previously mentioned. Ordered them
  alphabetically.
  
  Closes #5558

- ABI.md: rename to .md and polish the markdown
  
  Closes #5562

- HELP-US: add a section for "smaller tasks"
  
  The point of this section is to meet the CII Best Practices gold level
  critera:
  
   "The project MUST clearly identify small tasks that can be performed by
    new or casual contributors"
  
  Closes #5560

- TODO: retry on the redirected-to URL
  
  Closes #5462

- mailmap: Nicolas Sterchele

- [Nicolas Sterchele brought this change]

  TODO: remove 19.3 section title
  
  Follow-up to ad6416986755e417c66e2c6, which caused wrong formatting on
  curl documentation website
  
  Closes #5561

- [Martin V brought this change]

  test1560: avoid possibly negative association in wording
  
  Closes #5549

- share: don't set the share flag it something fails
  
  When asking for a specific feature to be shared in the share object,
  that bit was previously set unconditionally even if the shared feature
  failed or otherwise wouldn't work.
  
  Closes #5554

- buildconf: remove -print from the find command that removes files
  
  It's just too annoying and unnecessary to get a long list of files shown

- RELEASE-NOTES: synced

- wording: avoid blacklist/whitelist stereotypes
  
  Instead of discussing if there's value or meaning (implied or not) in
  the colors, let's use words without the same possibly negative
  associations.
  
  Closes #5546

Jay Satiro (9 Jun 2020)
- tool_getparam: fix memory leak in parse_args
  
  Prior to this change in Windows Unicode builds most parsed options would
  not be freed.
  
  Found using _CrtDumpMemoryLeaks().
  
  Ref: https://github.com/curl/curl/issues/5545

Daniel Stenberg (8 Jun 2020)
- socks: detect connection close during handshake
  
  The SOCKS4/5 state machines weren't properly terminated when the proxy
  connection got closed, leading to a busy-loop.
  
  Reported-By: zloi-user on github
  Fixes #5532
  Closes #5542

- [James Fuller brought this change]

  multi: add defensive check on data->multi->num_alive
  
  Closes #5540

- Curl_addrinfo: use one malloc instead of three
  
  To reduce the amount of allocations needed for creating a Curl_addrinfo
  struct, make a single larger malloc instead of three separate smaller
  ones.
  
  Closes #5533

- [Alessandro Ghedini brought this change]

  quiche: update SSLKEYLOGFILE support
  
  quiche now requires the application to explicitly set the keylog path
  for each connection, rather than reading the environment variable
  itself.
  
  Closes #5541

- tests: add two simple tests for --login-options
  
  Test 895 and 896 - as a follow-up to a3e972313b
  
  Closes #5539

- ngtcp2: update with recent API changes
  
  Syncs with ngtcp2 commit 7e9a917d386d98 merged June 7 2020.
  
  Assisted-by: Tatsuhiro Tsujikawa
  Closes #5538

- [James Fuller brought this change]

  socks: remove unreachable breaks in socks.c and mime.c
  
  Closes #5537

- tool_cfgable: free login_options at exit
  
  Memory leak
  Reported-by: Geeknik Labs
  Fixes #5535
  Closes #5536

- libssh2: keep sftp errors as 'unsigned long'
  
  Remove weird work-around for storing the SFTP errors as int instead of
  the "unsigned long" that libssh2 actually returns for SFTP errors.
  
  Closes #5534

Marc Hoersken (6 Jun 2020)
- timeouts: move ms timeouts to timediff_t from int and long
  
  Now that all functions in select.[ch] take timediff_t instead
  of the limited int or long, we can remove type conversions
  and related preprocessor checks to silence compiler warnings.
  
  Avoiding conversions from time_t was already done in 842f73de.
  
  Based upon #5262
  Supersedes #5214, #5220 and #5221
  Follow up to #5343 and #5479
  Closes #5490

Daniel Stenberg (6 Jun 2020)
- [François Rigault brought this change]

  openssl: set FLAG_TRUSTED_FIRST unconditionally
  
  On some systems, openssl 1.0.x is still the default, but it has been
  patched to contain all the recent security fixes. As a result of this
  patching, it is possible for macro X509_V_FLAG_NO_ALT_CHAINS to be
  defined, while the previous behavior of openssl to not look at trusted
  chains first, remains.
  
  Fix it: ensure X509_V_FLAG_TRUSTED_FIRST is always set, do not try to
  probe for the behavior of openssl based on the existence ofmacros.
  
  Closes #5530

- server/util: fix logmsg format using curl_off_t argument
  
  ... this caused segfaults on armv7.
  
  Regression added in dd0365d560aea5a (7.70.0)
  
  Reviewed-by: Jay Satiro
  Closes #5529

- RELEASE-NOTES: synced

- [Cherish98 brought this change]

  socks: fix expected length of SOCKS5 reply
  
  Commit 4a4b63d forgot to set the expected SOCKS5 reply length when the
  reply ATYP is X'01'. This resulted in erroneously expecting more bytes
  when the request length is greater than the reply length (e.g., when
  remotely resolving the hostname).
  
  Closes #5527

Marc Hoersken (5 Jun 2020)
- .gitignore: add directory containing the stats repo
  
  Since the new curl/stats repository is designed to be
  checked out into the curl repository working tree as stats/
  it should be on the ignore list to aid in commit staging.

Daniel Stenberg (5 Jun 2020)
- [Adnan Khan brought this change]

  HTTP3.md: clarify cargo build directory
  
  Cargo needs to be called from within the 'quiche' directory.
  
  Closes #5522

- user-agent.d: spell out what happens given a blank argument
  
  Closes #5525

- trailers: switch h1-trailer logic to use dynbuf
  
  In the continued effort to remove "manual" realloc schemes.
  
  Closes #5524

- CURLINFO_ACTIVESOCKET.3: clarify the description
  
  Reported-by: Jay Satiro
  Fixes #5299
  Closes #5520

- mailmap: Don J Olmstead

- configure: only strip first -L from LDFLAGS
  
  In the logic that works out if a given OpenSSL path works, it stripped
  off a possibly leading -L flag using an incorrect sed pattern which
  would remove all instances of -L in the string, including if the path
  itself contained that two-letter sequence!
  
  The same pattern was used and is now updated in multiple places. Now it
  only removes -L if it starts the strings.
  
  Reported-by: Mohamed Osama
  Fixes #5519
  Closes #5521

Peter Wu (4 Jun 2020)
- quiche: advertise draft 28 support
  
  Fix the verbose message while at it, quiche currently supports draft
  27 and draft 28 simultaneously.
  
  Closes #5518

Daniel Stenberg (4 Jun 2020)
- KNOWN_BUGS: RTSP authentication breaks without redirect support
  
  Closes #4750

Jay Satiro (4 Jun 2020)
- projects: Add crypt32.lib to dependencies for all OpenSSL configs
  
  Windows project configurations that use OpenSSL with USE_WIN32_CRYPTO
  need crypt32.
  
  Follow-up to 148534d which added CURLSSLOPT_NATIVE_CA for 7.71.0.
  
  The changes that are in this commit were made by script.
  
  Ref: https://gist.github.com/jay/a1861b50ecce2b32931237180f856e28
  
  Closes https://github.com/curl/curl/pull/5516

Marc Hoersken (3 Jun 2020)
- CI/macos: fix 'is already installed' errors by using bundle
  
  Avoid failing CI builds due to nghttp2 being already installed.
  
  Closes #5513

Daniel Stenberg (3 Jun 2020)
- altsvc: fix 'dsthost' may be used uninitialized in this function

- RELEASE-NOTES: synced

- urldata: let the HTTP method be in the set.* struct
  
  When the method is updated inside libcurl we must still not change the
  method as set by the user as then repeated transfers with that same
  handle might not execute the same operation anymore!
  
  This fixes the libcurl part of #5462
  
  Test 1633 added to verify.
  
  Closes #5499

- hostip: fix the memory-leak introduced in 67d2802
  
  Fixes #5503
  Closes #5504

- test970: make it require proxy support
  
  This test verifies the -w %json output and the test case includes a full
  generated "blob". If there's no proxy support built into libcurl, it
  will return an error for proxy related info variables and they will not
  be included in the json, thus causing a mismatch and this test fails.
  
  Reported-by: Marc Hörsken
  Fixes #5501
  Closes #5502

- [Radoslav Georgiev brought this change]

  examples/http2-down/upload: add error checks
  
  If `index.html` does not exist in the directory from which the example
  is invoked, the fopen(upload, "rb") invocation in `setup` would fail,
  returning NULL.  This value is subsequently passed as the FILE* argument
  of the `fread` invocation in the `read_callback` function, which is the
  actual cause of the crash (apparently `fread` assumes that argument to
  be non-null).
  
  In addition, mitigate some possible crashes of similar origin.
  
  Closes #5463

- [kotoriのねこ brought this change]

  examples/ephiperfifo: turn off interval when setting timerfd
  
  Reported-by: therealhirudo on github
  Fixes #5485
  Closes #5497

- [Saleem Abdulrasool brought this change]

  vtls: repair the build with `CURL_DISABLE_PROXY`
  
  `http_proxy` will not be available in `conndata` if `CURL_DISABLE_PROXY`
  is enabled.  Repair the build with that configuration.
  
  Follow-up to f3d501dc67
  
  Closes #5498

- transfer: remove k->str NULL check
  
  "Null-checking k->str suggests that it may be null, but it has already
  been dereferenced on all paths leading to the check" - and it can't
  legally be NULL at this point. Remove check.
  
  Detected by Coverity CID 1463884
  
  Closes #5495

Marc Hoersken (1 Jun 2020)
- select: always use Sleep in Curl_wait_ms on Win32
  
  Since Win32 almost always will also have USE_WINSOCK,
  we can reduce complexity and always use Sleep there.
  
  Assisted-by: Jay Satiro
  Reviewed-by: Daniel Stenberg
  
  Follow up to #5343
  Closes #5489

Daniel Stenberg (31 May 2020)
- conncache: download buffer needs +1 size for trailing zero
  
  Follow-up to c4e6968127e
  Detected by OSS-Fuzz: https://oss-fuzz.com/testcase-detail/5727799779524608

Marc Hoersken (31 May 2020)
- azure: use matrix strategy to avoid configuration redundancy
  
  This also includes the following changes:
  
  - Use the same timeout for all jobs on Linux (60 minutes)
    and Windows (90 minutes)
  - Use CLI stable apt-get install -y instead of apt install
    which warns about that and run apt-get update first
  - Enable MQTT for Windows msys2 builds instead of
    legacy msys1 builds
  - Add ./configure --prefix parameter to the msys2 builds
  - The MSYSTEM environment variable is now preset inside
    the container images for the msys2 builds
  
  Note: on Azure Pipelines the matrix strategy is basically
  just a simple list of job copies and not really a matrix.
  
  Closes #5468

Daniel Stenberg (30 May 2020)
- build: disable more code/data when built without proxy support
  
  Added build to travis to verify
  
  Closes #5466

- url: alloc the download buffer at transfer start
  
  ... and free it as soon as the transfer is done. It removes the extra
  alloc when a new size is set with setopt() and reduces memory for unused
  easy handles.
  
  In addition: the closure_handle now doesn't use an allocated buffer at
  all but the smallest supported size as a stack based one.
  
  Closes #5472

- timeouts: change millisecond timeouts to timediff_t from time_t
  
  For millisecond timers we like timediff_t better. Also, time_t can be
  unsigned so returning a negative value doesn't work then.
  
  Closes #5479

Marc Hoersken (30 May 2020)
- select: add overflow checks for timeval conversions
  
  Using time_t and suseconds_t if suseconds_t is available,
  long on Windows (maybe others in the future) and int elsewhere.
  
  Also handle case of ULONG_MAX being greater or equal to INFINITE.
  
  Assisted-by: Jay Satiro
  Reviewed-by: Daniel Stenberg
  
  Part of #5343

- select: use timediff_t instead of time_t and int for timeout_ms
  
  Make all functions in select.[ch] take timeout_ms as timediff_t
  which should always be large enough and signed on all platforms
  to take all possible timeout values and avoid type conversions.
  
  Reviewed-by: Jay Satiro
  Reviewed-by: Daniel Stenberg
  
  Replaces #5107 and partially #5262
  Related to #5240 and #5286
  Closes #5343

- unit1604.c: fix implicit conv from 'SANITIZEcode' to 'CURLcode'
  
  GCC 10 warns about this with warning: implicit conversion
    from 'SANITIZEcode' to 'CURLcode' [-Wenum-conversion]
  
  Since 'expected_result' is not really of type 'CURLcode' and
  it is not exposed in any way, we can just use 'SANITIZEcode'.
  
  Reviewed-by: Daniel Stenberg
  Reviewed-by: Marcel Raad
  
  Closes #5476

- tests/libtest: fix undefined reference to 'curlx_win32_fopen'
  
  Since curl_setup.h now makes use of curlx_win32_fopen for Win32
  builds with USE_WIN32_LARGE_FILES or USE_WIN32_SMALL_FILES defined,
  we need to include the relevant files for tests using fopen,
  because the libtest sources are also including curl_setup.h
  
  Reviewed-by: Marcel Raad
  Reviewed-by: Daniel Stenberg
  
  Follow up to #3784 (ffdddb45d9)
  Closes #5475

- appveyor: add non-debug plain autotools-based build
  
  This should enable us to catch linking issues with the
  testsuite early, like the one described/fixed in #5475.
  
  Reviewed-by: Daniel Stenberg
  Reviewed-by: Marcel Raad
  
  Closes #5477

Daniel Stenberg (29 May 2020)
- RELEASE-NOTES: synced

- Revert "buildconf: use find -execdir"
  
  This partially reverts commit c712009838f44211958854de431315586995bc61.
  
  Keep the ares_ files removed but bring back the older way to run find,
  to make it work with busybox's find, as apparently that's being used.
  
  Reported-by: Max Peal
  Fixes #5483
  Closes #5484

- server/sws: fix asan warning on use of uninitialized variable

- libssh2: improved error output for wrong quote syntax
  
  Reported-by: Werner Stolz
  
  Closes #5474

- mk-lib1521: generate code for testing BLOB options as well
  
  Follow-up to cac5374298b3
  
  Closes #5478

- configure: repair the check if argv can be written to
  
  Due to bad escaping of the test code, the test wouldn't build and thus
  result in a negative test result, which would lead to the unconditional
  assumption that overwriting the arguments doesn't work and thus curl
  would never hide credentials given in the command line, even when it
  would otherwise be possible.
  
  Regression from commit 2d4c2152c (7.60.0)
  
  Reported-by: huzunhao on github
  Fixes #5470
  Closes #5471

Peter Wu (28 May 2020)
- CMake: rebuild Makefile.inc.cmake when Makefile.inc changes
  
  Otherwise the build might fail due to missing source files, as
  demonstrated by the recent keylog.c addition on an existing build dir.
  
  Closes #5469

Daniel Stenberg (28 May 2020)
- urldata: fix comments: Curl_done() is called multi_done() now
  
  ... since 575e885db

Peter Wu (27 May 2020)
- ngtcp2: use common key log routine for better thread-safety
  
  Tested with ngtcp2 built against the OpenSSL library. Additionally
  tested with MultiSSL (NSS for TLS and ngtcp2+OpenSSL for QUIC).
  
  The TLS backend (independent of QUIC) may or may not already have opened
  the keylog file before. Therefore Curl_tls_keylog_open is always called
  to ensure the file is open.

- wolfssl: add SSLKEYLOGFILE support
  
  Tested following the same curl and tshark commands as in commit
  "vtls: Extract and simplify key log file handling from OpenSSL" using
  WolfSSL v4.4.0-stable-128-g5179503e8 from git master built with
  `./configure --enable-all --enable-debug CFLAGS=-DHAVE_SECRET_CALLBACK`.
  
  Full support for this feature requires certain wolfSSL build options,
  see "Availability note" in lib/vtls/wolfssl.c for details.
  
  Closes #5327

- vtls: Extract and simplify key log file handling from OpenSSL
  
  Create a set of routines for TLS key log file handling to enable reuse
  with other TLS backends. Simplify the OpenSSL backend as follows:
  
   - Drop the ENABLE_SSLKEYLOGFILE macro as it is unconditionally enabled.
   - Do not perform dynamic memory allocation when preparing a log entry.
     Unless the TLS specifications change we can suffice with a reasonable
     fixed-size buffer.
   - Simplify state tracking when SSL_CTX_set_keylog_callback is
     unavailable. My original sslkeylog.c code included this tracking in
     order to handle multiple calls to SSL_connect and detect new keys
     after renegotiation (via SSL_read/SSL_write). For curl however we can
     be sure that a single master secret eventually becomes available
     after SSL_connect, so a simple flag is sufficient. An alternative to
     the flag is examining SSL_state(), but this seems more complex and is
     not pursued. Capturing keys after server renegotiation was already
     unsupported in curl and remains unsupported.
  
  Tested with curl built against OpenSSL 0.9.8zh, 1.0.2u, and 1.1.1f
  (`SSLKEYLOGFILE=keys.txt curl -vkso /dev/null https://localhost:4433`)
  against an OpenSSL 1.1.1f server configured with:
  
      # Force non-TLSv1.3, use TLSv1.0 since 0.9.8 fails with 1.1 or 1.2
      openssl s_server -www -tls1
      # Likewise, but fail the server handshake.
      openssl s_server -www -tls1 -Verify 2
      # TLS 1.3 test. No need to test the failing server handshake.
      openssl s_server -www -tls1_3
  
  Verify that all secrets (1 for TLS 1.0, 4 for TLS 1.3) are correctly
  written using Wireshark. For the first and third case, expect four
  matches per connection (decrypted Server Finished, Client Finished, HTTP
  Request, HTTP Response). For the second case where the handshake fails,
  expect a decrypted Server Finished only.
  
      tshark -i lo -pf tcp -otls.keylog_file:keys.txt -Tfields \
          -eframe.number -eframe.time -etcp.stream -e_ws.col.Info \
          -dtls.port==4433,http -ohttp.desegment_body:FALSE \
          -Y 'tls.handshake.verify_data or http'
  
  A single connection can easily be identified via the `tcp.stream` field.

Daniel Stenberg (27 May 2020)
- FILEFORMAT: add more features that tests can depend on

- [Michael Kaufmann brought this change]

  transfer: close connection after excess data has been read
  
  For HTTP 1.x, it's a protocol error when the server sends more bytes
  than announced. If this happens, don't reuse the connection, because the
  start position of the next response is undefined.
  
  Closes #5440

- [Estanislau Augé-Pujadas brought this change]

  Revert "ssh: ignore timeouts during disconnect"
  
  This reverts commit f31760e63b4e9ef1eb25f8f211390f8239388515. Shipped in
  curl 7.54.1.
  
  Bug: https://curl.haxx.se/mail/lib-2020-05/0068.html
  Closes #5465

- urldata: connect related booleans live in struct ConnectBits
  
  And remove a few unused booleans!
  
  Closes #5461

- hostip: on macOS avoid DoH when given a numerical IP address
  
  When USE_RESOLVE_ON_IPS is set (defined on macOS), it means that
  numerical IP addresses still need to get "resolved" - but not with DoH.
  
  Reported-by: Viktor Szakats
  Fixes #5454
  Closes #5459

- ngtcp2: cleanup memory when failing to connect
  
  Reported-by: Peter Wu
  Fixes #5447 (the ngtcp2 side of it)
  Closes #5451

- quiche: clean up memory properly when failing to connect
  
  Addresses the quiche side of #5447
  Reported-by: Peter Wu
  Closes #5450

- cleanup: use a single space after equals sign in assignments

- url: accept "any length" credentials for proxy auth
  
  They're only limited to the maximum string input restrictions, not to
  256 bytes.
  
  Added test 1178 to verify
  
  Reported-by: Will Roberts
  Fixes #5448
  Closes #5449

- [Maksim Stsepanenka brought this change]

  test1167: fixes in badsymbols.pl
  
  Closes #5442

- altsvc: fix parser for lines ending with CRLF
  
  Fixed the alt-svc parser to treat a newline as end of line.
  
  The unit tests in test 1654 were done without CRLF and thus didn't quite
  match the real world. Now they use CRLF as well.
  
  Reported-by: Peter Wu
  Assisted-by: Peter Wu
  Assisted-by: Jay Satiro
  Fixes #5445
  Closes #5446

Viktor Szakats (25 May 2020)
- all: fix codespell errors
  
  Reviewed-by: Jay Satiro
  Reviewed-by: Daniel Stenberg
  Closes https://github.com/curl/curl/pull/5452

Peter Wu (25 May 2020)
- ngtcp2: fix build with current ngtcp2 master implementing draft 28
  
  Based on client.cc changes from ngtcp2. Tested with current git master,
  ngtcp2 commit c77d5731ce92, nghttp3 commit 65ff479d4380.
  
  Fixes #5444
  Closes #5443

Daniel Stenberg (25 May 2020)
- RELEASE-NOTES: synced
  
  moved the new setopts up to a "change"

- RELEASE-NOTES: synced

- copyright: updated year ranges out of sync
  
  ... and whitelisted a few more files in the the copyright.pl script.

- [Gilles Vollant brought this change]

  setopt: add CURLOPT_PROXY_ISSUERCERT(_BLOB) for coherency
  
  Closes #5431

- curl: remove -J "informational" written on stdout
  
  curl would previously show "curl: Saved to filename 'name from header'"
  if -J was used and a name was picked from the Content-Disposition
  header. That output could interfer with other stdout output, such as -w.
  
  This commit removes that output line.
  Bug: https://curl.haxx.se/mail/archive-2020-05/0044.html
  Reported-by: Коваленко Анатолий Викторович
  Closes #5435

Peter Wu (22 May 2020)
- travis: simplify quiche build instructions wrt boringssl
  
  quiche builds boringssl as static library, reuse that instead of
  building another shared library.
  
  Closes #5438

- configure: fix pthread check with static boringssl
  
  A shared boringssl/OpenSSL library requires -lcrypto only for linking.
  A static build additionally requires `-ldl -lpthread`. In the latter
  case `-lpthread` is added to LIBS which prevented `-pthread` from being
  added to CFLAGS. Clear LIBS to fix linking failures for libtest tests.

Daniel Stenberg (22 May 2020)
- Revert "sendf: make failf() use the mvsnprintf() return code"
  
  This reverts commit 74623551f306990e70c7c5515b88972005604a74.
  
  Instead mark the function call with (void). Getting the return code and
  using it instead triggered Coverity warning CID 1463596 because
  snprintf() can return a negative value...
  
  Closes #5441

- typecheck-gcc.h: CURLINFO_PRIVATE does not need a 'char *'
  
  Reported-by: Billyzou0741326 on github
  Fixes #5432
  Closes #5436

- tests/server/util.h: add extern to silence compiler warning
  
  Follow-up from a3b0699d5c1

- typecheck-gcc.h: fix the OFF_T check
  
  The option number also needs to be less than CURLOPTTYPE_BLOB.
  
  Follow-up to cac5374298
  Reported-by: Jeroen Ooms
  Bug: https://github.com/curl/curl/pull/5365#issuecomment-631084114

- TODO: --dry-run
  
  Closes #5426

- TODO: Ratelimit or wait between serial requests
  
  Closes #5406

- tool_paramhlp: fixup C89 mistake
  
  Follow-up to c5f0a9db22.

- [Siva Sivaraman brought this change]

  tool_paramhlp: fixed potentially uninitialized strtol() variable
  
  Seems highly unlikely to actually be possible, but better safe than
  sorry.
  
  Closes #5417

- [Siva Sivaraman brought this change]

  tool_operate: fixed potentially uninitialized variables
  
