                                  _   _ ____  _
                              ___| | | |  _ \| |
                             / __| | | | |_) | |
                            | (__| |_| |  _ <| |___
                             \___|\___/|_| \_\_____|

                                  Changelog

Version 7.50.3 (14 Sep 2016)

Daniel Stenberg (14 Sep 2016)
- THANKS: updated with curl 7.50.3 contributors

- RELEASE-NOTES: curl 7.50.3

- test1605: verify negative input lengths to (un)escape functions

- curl_easy_unescape: deny negative string lengths as input
  
  CVE-2016-7167
  
  Bug: https://curl.haxx.se/docs/adv_20160914.html

- curl_easy_escape: deny negative string lengths as input
  
  CVE-2016-7167
  
  Bug: https://curl.haxx.se/docs/adv_20160914.html

- curl: make --create-dirs on windows grok both forward and backward slashes
  
  Reported-by: Ryan Scott
  
  Fixes #1007

- RELEASE-NOTES: synced with 665694979b6

- [Tony Kelman brought this change]

  mbedtls: switch off NTLM in build if md4 isn't available
  
  NTLM support with mbedTLS was added in 497e7c9 but requires that mbedTLS
  is built with the MD4 functions available, which it isn't in default
  builds. This now adapts if the funtion isn't there and builds libcurl
  without NTLM support if so.
  
  Fixes #1004

Jay Satiro (12 Sep 2016)
- CODE_STYLE: fix long-line guideline
  
  - Change maximum allowed line length from 80 to 79.

- CODE_STYLE: add column alignment section
  
  Note that since the added examples are for column alignment I had to
  encapsulate with ~~~c markdown to preserve their alignment.

Peter Wu (11 Sep 2016)
- cmake: fix curl-config --static-libs
  
  The `curl-config --static-libs` command should not output paths like
  -l/usr/lib/libssl.so, instead print the absolute path without `-l`.
  
  This also removes the confusing message "Static linking is broken" which
  was printed because curl-config --static-libs was disfunctional even
  though the static libcurl.a library works properly.
  
  Fixes https://github.com/curl/curl/issues/841

Daniel Stenberg (11 Sep 2016)
- http: refuse to pass on response body with NO_NODY was set
  
  ... like when a HTTP/0.9 response comes back without any headers at all
  and just a body this now prevents that body from being sent to the
  callback etc.
  
  Adapted test 1144 to verify.
  
  Fixes #973
  
  Assisted-by: Ray Satiro

- RELEASE-NOTES: synced with 257bf3ac67eb6

Jakub Zakrzewski (10 Sep 2016)
- CMake: Don't build unit tests if private symbols are hidden
  
  This only excludes building unit tests from default build ( 'all' Make
  target or "Build Solution" in VisualStudio). The projects and Make
  targets will still be generated and shown in supporting IDEs.
  
  Fixes https://github.com/curl/curl/issues/981
  Reported-by: Randy Armstrong
  
  Closes https://github.com/curl/curl/pull/990

- CMake: Try to (un-)hide private library symbols
  
  Detect support for compiler symbol visibility flags and apply those
  according to CURL_HIDDEN_SYMBOLS option.
  It should work true to the autotools build except it tries to unhide
  symbols on Windows when requested and prints warning if it fails.
  
  Ref: https://github.com/curl/curl/issues/981#issuecomment-242665951
  Reported-by: Daniel Stenberg

Daniel Stenberg (9 Sep 2016)
- openssl: fix bad memory free (regression)
  
  ... by partially reverting f975f06033b1. The allocation could be made by
  OpenSSL so the free must be made with OPENSSL_free() to avoid problems.
  
  Reported-by: Harold Stuart
  Fixes #1005

- http2: support > 64bit sized uploads
  
  ... by making sure we don't count down the "upload left" counter when the
  uploaded size is unknown and then it can be allowed to continue forever.
  
  Fixes #996

Jay Satiro (7 Sep 2016)
- errors: new alias CURLE_WEIRD_SERVER_REPLY (8)
  
  Since we're using CURLE_FTP_WEIRD_SERVER_REPLY in imap, pop3 and smtp as
  more of a generic "failed to parse" introduce an alias without FTP in
  the name.
  
  Closes https://github.com/curl/curl/pull/975

Daniel Stenberg (7 Sep 2016)
- bump: toward 7.51.0

- HISTORY: remove ascii logo to render nicer on web

- curl: whitelist use of strtok() in non-threaded context

- checksrc: detect strtok() use
  
  ... as that function slipped through once before.

GitHub (7 Sep 2016)
- [Viktor Szakats brought this change]

  mk-ca-bundle.pl: use SHA256 instead of SHA1
  
  This hash is used to verify the original downloaded certificate bundle
  and also included in the generated bundle's comment header. Also
  rename related internal symbols to algorithm-agnostic names.

Version 7.50.2 (7 Sep 2016)

Daniel Stenberg (7 Sep 2016)
- RELEASE-NOTES: curl 7.50.2 release

- THANKS: updated for 7.50.2

Jay Satiro (6 Sep 2016)
- [Gaurav Malhotra brought this change]

  openssl: fix CURLINFO_SSL_VERIFYRESULT
  
  CURLINFO_SSL_VERIFYRESULT does not get the certificate verification
  result when SSL_connect fails because of a certificate verification
  error.
  
  This fix saves the result of SSL_get_verify_result so that it is
  returned by CURLINFO_SSL_VERIFYRESULT.
  
  Closes https://github.com/curl/curl/pull/995

Daniel Stenberg (6 Sep 2016)
- [Daniel Gustafsson brought this change]

  darwinssl: test for errSecSuccess in PKCS12 import rather than noErr (#993)
  
  While noErr and errSecSuccess are defined as the same value, the API
  documentation states that SecPKCS12Import() returns errSecSuccess if
  there were no errors in importing. Ensure that a future change of the
  defined value doesn't break (however unlikely) and be consistent with
  the API docs.

- [Daniel Gustafsson brought this change]

  docs: Fix link to CONTRIBUTE in Github contribution guidelines (#994)

- [Marcel Raad brought this change]

  openssl: Fix compilation with OPENSSL_API_COMPAT=0x10100000L
  
  With OPENSSL_API_COMPAT=0x10100000L (OpenSSL 1.1 API), the cleanup
  functions are unavailable (they're no-ops anyway in OpenSSL 1.1). The
  replacements for SSL_load_error_strings, SSLeay_add_ssl_algorithms, and
  OpenSSL_add_all_algorithms are called automatically [1][2]. SSLeay() is
  now called OpenSSL_version_num().
  
  [1]: https://www.openssl.org/docs/man1.1.0/ssl/OPENSSL_init_ssl.html
  [2]: https://www.openssl.org/docs/man1.1.0/crypto/OPENSSL_init_crypto.html
  
  Closes #992

- RELEASE-NOTES: synced with 3d4c0c8b9bc1d

- http2: return EOF when done uploading without known size
  
  Fixes #982

- http2: skip the content-length parsing, detect unknown size

- http2: minor white space edit

- http2: use named define instead of magic constant in read callback

- [Craig Davison brought this change]

  configure: make the cpp -P detection not clobber CPPFLAGS
  
  CPPPFLAGS is now CPPPFLAG. Fixes CURL_CHECK_DEF.
  
  Fixes #958

- [Olivier Brunel brought this change]

  speed caps: not based on average speeds anymore
  
  Speed limits (from CURLOPT_MAX_RECV_SPEED_LARGE &
  CURLOPT_MAX_SEND_SPEED_LARGE) were applied simply by comparing limits
  with the cumulative average speed of the entire transfer; While this
  might work at times with good/constant connections, in other cases it
  can result to the limits simply being "ignored" for more than "short
  bursts" (as told in man page).
  
  Consider a download that goes on much slower than the limit for some
  time (because bandwidth is used elsewhere, server is slow, whatever the
  reason), then once things get better, curl would simply ignore the limit
  up until the average speed (since the beginning of the transfer) reached
  the limit.  This could prove the limit useless to effectively avoid
  using the entire bandwidth (at least for quite some time).
  
  So instead, we now use a "moving starting point" as reference, and every
  time at least as much as the limit as been transferred, we can reset
  this starting point to the current position. This gets a good limiting
  effect that applies to the "current speed" with instant reactivity (in
  case of sudden speed burst).
  
  Closes #971

- HISTORY.md: the multi socket was put in the wrong year!

- [Mark Hamilton brought this change]

  tool_helpers.c: fix comment typo (#989)

- [Mark Hamilton brought this change]

  libtest/test.h: fix typo (#988)

- CURLMOPT_PIPELINING.3: language

- CURLMOPT_PIPELINING.3: extended and clarified
  
  Especially in regards to the multiplexing part.

Steve Holme (31 Aug 2016)
- curl_sspi.c: Updated function description comments
  
  * Added description to Curl_sspi_free_identity()
  * Added parameter and return explanations to Curl_sspi_global_init()
  * Added parameter explaination to Curl_sspi_global_cleanup()

- README: Corrected the supported Visual Studio versions
  
  Missed from commit 8356022d17.

- KNOWN_BUGS: Move the Visual Studio project shortcomings from local README

- KNOWN_BUGS: Expand 6.4 to include Kerberos V5
  
  ...and discuss a possible solution.

Daniel Stenberg (30 Aug 2016)
- connect: fix #ifdefs for debug versions of conn/streamclose() macros
  
  CURLDEBUG is for the memory debugging
  
  DEBUGBUILD is for the extra debug stuff
  
  Pointed-out-by: Steve Holme

- KNOWN_BUGS: mention some cmake "support gaps"

Nick Zitzmann (28 Aug 2016)
- darwinssl: add documentation stating that the --cainfo option is intended for backward compatibility only
  
  In other news, I changed one other reference to "Mac OS X" in the documentation (that I previously wrote) to say "macOS" instead.

Daniel Stenberg (28 Aug 2016)
- http2: return CURLE_HTTP2_STREAM for unexpected stream close
  
  Follow-up to c3e906e9cd0f, seems like a more appropriate error code
  
  Suggested-by: Jay Satiro

- [Tatsuhiro Tsujikawa brought this change]

  http2: handle closed streams when uploading
  
  Fixes #986

- http2: make sure stream errors don't needlessly close the connection
  
  With HTTP/2 each transfer is made in an indivial logical stream over the
  connection, making most previous errors that caused the connection to get
  forced-closed now instead just kill the stream and not the connection.
  
  Fixes #941

- Curl_verify_windows_version: minor edit to avoid compiler warnings
  
  ... instead of if() before the switch(), add a default to the switch so
  that the compilers don't warn on "warning: enumeration value
  'PLATFORM_DONT_CARE' not handled in switch" anymore.

Steve Holme (27 Aug 2016)
- RELEASE-NOTES: Added missing fix from commit 15592143f

Jay Satiro (26 Aug 2016)
- schannel: Disable ALPN for Wine since it is causing problems
  
  - Disable ALPN on Wine.
  
  - Don't pass input secbuffer when ALPN is disabled.
  
  When ALPN support was added a change was made to pass an input secbuffer
  to initialize the context. When ALPN is enabled the buffer contains the
  ALPN information, and when it's disabled the buffer is empty. In either
  case this input buffer caused problems with Wine and connections would
  not complete.
  
  Bug: https://github.com/curl/curl/issues/983
  Reported-by: Christian Fillion

Kamil Dudka (26 Aug 2016)
- [Peter Wang brought this change]

  nss: work around race condition in PK11_FindSlotByName()
  
  Serialise the call to PK11_FindSlotByName() to avoid spurious errors in
  a multi-threaded environment. The underlying cause is a race condition
  in nssSlot_IsTokenPresent().
  
  Bug: https://bugzilla.mozilla.org/1297397
  
  Closes #985

- nss: refuse previously loaded certificate from file
  
  ... when we are not asked to use a certificate from file

Daniel Stenberg (26 Aug 2016)
- ftp_done: remove dead code

- TLS: random file/egd doesn't have to match for conn reuse

- test161: add comment for the exit code

Dan Fandrich (26 Aug 2016)
- test219: Add http as a required feature

Daniel Stenberg (25 Aug 2016)
- [Michael Kaufmann brought this change]

  HTTP: stop parsing headers when switching to unknown protocols
  
  - unknown protocols probably won't send more headers (e.g. WebSocket)
  - improved comments and moved them to the correct case statements
  
  Closes #899

- openssl: make build with 1.1.0 again
  
  synced with OpenSSL git master commit cc06906707

- INTERNALS: fix title

- configure: detect zlib with our pkg-config macros
  
  ... instead of relying on the pkg-config autoconf macros to be present.
  
  Fixes #972 (again...)

Jay Satiro (25 Aug 2016)
- http2: Remove incorrect comments
  
  .. also remove same from scp

Daniel Stenberg (23 Aug 2016)
- [Ales Novak brought this change]

  ftp: fix wrong poll on the secondary socket
  
  When we're uploading using FTP and the server issues a tiny pause
  between opening the connection to the client's secondary socket, the
  client's initial poll() times out, which leads to second poll() which
  does not wait for POLLIN on the secondary socket. So that poll() also
  has to time out, creating a long (200ms) pause.
  
  This patch adds the correct flag to the secondary socket, making the
  second poll() correctly wait for the connection there too.
  
  Signed-off-by: Ales Novak <alnovak@suse.cz>
  
  Closes #978

- RELEASE-NOTES: synced with 95ded2c56

- configure: make it work without PKG_CHECK_MODULES
  
  With commit c2f9b78 we added a new dependency on pkg-config for
  developers which may be unwanted. This change make the configure script
  still work as before if pkg-config isn't installed, it'll just use the
  old zlib detection logic without pkg-config.
  
  Reported-by: Marc Hörsken
  
  Fixes #972

Marc Hoersken (21 Aug 2016)
- Revert "KNOWN_BUGS: SOCKS proxy not working via IPv6"
  
  This reverts commit 9cb1059f92286a6eb5d28c477fdd3f26aed1d554.
  
  As discussed in #835 SOCKS5 supports IPv6 proxies and destinations.

Daniel Stenberg (21 Aug 2016)
- [Marco Deckel brought this change]

  win: Basic support for Universal Windows Platform apps
  
  Closes #820

Steve Holme (21 Aug 2016)
- sasl: Don't use GSSAPI authentication when domain name not specified
  
  Only choose the GSSAPI authentication mechanism when the user name
  contains a Windows domain name or the user is a valid UPN.
  
  Fixes #718

- vauth: Added check for supported SSPI based authentication mechanisms
  
  Completing commit 00417fd66c and 2708d4259b.

- http.c: Remove duplicate (authp->avail & CURLAUTH_DIGEST) check
  
  From commit 2708d4259b.

Marc Hoersken (20 Aug 2016)
- socks.c: display the hostname returned by the SOCKS5 proxy server
  
  Instead of displaying the requested hostname the one returned
  by the SOCKS5 proxy server is used in case of connection error.
  The requested hostname is displayed earlier in the connection sequence.
  
  The upper-value of the port is moved to a temporary variable and
  replaced with a 0-byte to make sure the hostname is 0-terminated.

Steve Holme (20 Aug 2016)
- urldata.h: Corrected comment for httpcode which is also populated by SMTP
  
  As of 7.25.0 and commit 5430007222.

Marc Hoersken (20 Aug 2016)
- socks.c: use Curl_printable_address in SOCKS5 connection sequence
  
  Replace custom string formatting with Curl_printable_address.
  Add additional debug and error output in case of failures.

- socks.c: align SOCKS4 connection sequence with SOCKS5
  
  Calling sscanf is not required since the raw IPv4 address is
  available and the protocol can be detected using ai_family.

Steve Holme (20 Aug 2016)
- http.c: Corrected indentation change from commit 2708d4259b
  
  Made by Visual Studio's auto-correct feature and missed by me in my own
  code reviews!

- http: Added calls to Curl_auth_is_<mechansism>_supported()
  
  Hooked up the HTTP authentication layer to query the new 'is mechanism
  supported' functions when deciding what mechanism to use.
  
  As per commit 00417fd66c existing functionality is maintained for now.

Marc Hoersken (20 Aug 2016)
- socks.c: improve verbose output of SOCKS5 connection sequence

- configure.ac: add missing quotes to PKG_CHECK_MODULES

Steve Holme (20 Aug 2016)
- sasl: Added calls to Curl_auth_is_<mechansism>_supported()
  
  Hooked up the SASL authentication layer to query the new 'is mechanism
  supported' functions when deciding what mechanism to use.
  
  For now existing functionality is maintained.

Daniel Stenberg (19 Aug 2016)
- [Miroslav Franc brought this change]

  spnego_sspi: fix memory leak in case *outlen is zero (#970)

- CURLMOPT_MAX_TOTAL_CONNECTIONS.3: mention it can also multiplex

Steve Holme (18 Aug 2016)
- vauth: Introduced Curl_auth_is_<mechansism>_supported() functions
  
  As Windows SSPI authentication calls fail when a particular mechanism
  isn't available, introduced these functions for DIGEST, NTLM, Kerberos 5
  and Negotiate to allow both HTTP and SASL authentication the opportunity
  to query support for a supported mechanism before selecting it.
  
  For now each function returns TRUE to maintain compatability with the
  existing code when called.

Daniel Stenberg (18 Aug 2016)
- test1144: verify HEAD with body-only response

Steve Holme (17 Aug 2016)
- RELEASE-PROCEDURE: Added some more future release dates
  
  ...and removed some old ones

Daniel Stenberg (17 Aug 2016)
- [David Woodhouse brought this change]

  curl: allow "pkcs11:" prefix for client certificates
  
  RFC7512 provides a standard method to reference certificates in PKCS#11
  tokens, by means of a URI starting 'pkcs11:'.
  
  We're working on fixing various applications so that whenever they would
  have been able to use certificates from a file, users can simply insert
  a PKCS#11 URI instead and expect it to work. This expectation is now a
  part of the Fedora packaging guidelines, for example.
  
  This doesn't work with cURL because of the way that the colon is used
  to separate the certificate argument from the passphrase. So instead of
  
     curl -E 'pkcs11:manufacturer=piv_II;id=%01' …
  
  I instead need to invoke cURL with the colon escaped, like this:
  
     curl -E 'pkcs11\:manufacturer=piv_II;id=%01' …
  
  This is suboptimal because we want *consistency* — the URI should be
  usable in place of a filename anywhere, without having strange
  differences for different applications.
  
  This patch therefore disables the processing in parse_cert_parameter()
  when the string starts with 'pkcs11:'. It means you can't pass a
  passphrase with an unescaped PKCS#11 URI, but there's no need to do so
  because RFC7512 allows a PIN to be given as a 'pin-value' attribute in
  the URI itself.
  
  Also, if users are already using RFC7512 URIs with the colon escaped as
  in the above example — even providing a passphrase for cURL to handling
  instead of using a pin-value attribute, that will continue to work
  because their string will start 'pkcs11\:' and won't match the check.
  
  What *does* break with this patch is the extremely unlikely case that a
  user has a file which is in the local directory and literally named
  just "pkcs11", and they have a passphrase on it. If that ever happened,
  the user would need to refer to it as './pkcs11:<passphrase>' instead.

- nss: make the global variables static

- openssl: use regular malloc instead of OPENSSL_malloc
  
  This allows for better memmory debugging and torture tests.

- proxy: fix tests as follow-up to 93b0d907d5
  
  This fixes tests that were added after 113f04e664b as the tests would
  fail otherwise.
  
  We bring back "Proxy-Connection: Keep-Alive" now unconditionally to fix
  regressions with old and stupid proxies, but we could possibly switch to
  using it only for CONNECT or only for NTLM in a future if we want to
  gradually reduce it.
  
  Fixes #954
  
  Reported-by: János Fekete

- Revert "Proxy-Connection: stop sending this header by default"
  
  This reverts commit 113f04e664b16b944e64498a73a4dab990fe9a68.

- CURLOPT_PROXY.3: unsupported schemes cause errors now
  
  Follow-up to a96319ebb9 (document the new behavior)

- tests/README: mention nghttpx for HTTP/2 tests

- README.md: add our CII Best Practices badge

- proxy: polished the error message for unsupported schemes
  
  Follow up to a96319ebb93

- test219: verify unsupported scheme for proxies get rejected

- proxy: reject attempts to use unsupported proxy schemes
  
  I discovered some people have been using "https://example.com" style
  strings as proxy and it "works" (curl doesn't complain) because curl
  ignores unknown schemes and then assumes plain HTTP instead.
  
  I think this misleads users into believing curl uses HTTPS to proxies
  when it doesn't. Now curl rejects proxy strings using unsupported
  schemes instead of just ignoring and defaulting to HTTP.

- RELEASE-NOTES: synced with b7ee5316c2fd5b

Marc Hoersken (14 Aug 2016)
- socks.c: Correctly calculate position of port in response packet
  
  Third commit to fix issue #944 regarding SOCKS5 error handling.
  
  Reported-by: David Kalnischkies

- socks.c: Do not modify and invalidate calculated response length
  
  Second commit to fix issue #944 regarding SOCKS5 error handling.
  
  Reported-by: David Kalnischkies

- socks.c: Move error output after reading the whole response packet
  
  First commit to fix issue #944 regarding SOCKS5 error handling.
  
  Reported-by: David Kalnischkies

Daniel Stenberg (13 Aug 2016)
- [Ronnie Mose brought this change]

  MANUAL: Remove invalid link to LDAP documentation (#962)
  
  The server developer.netscape.com does not resolve into any
  ip address and can be removed.

Jay Satiro (13 Aug 2016)
- openssl: accept subjectAltName iPAddress if no dNSName match
  
  Undo change introduced in d4643d6 which caused iPAddress match to be
  ignored if dNSName was present but did not match.
  
  Also, if iPAddress is present but does not match, and dNSName is not
  present, fail as no-match. Prior to this change in such a case the CN
  would be checked for a match.
  
  Bug: https://github.com/curl/curl/issues/959
  Reported-by: wmsch@users.noreply.github.com

Daniel Stenberg (12 Aug 2016)
- [Dambaev Alexander brought this change]

  configure.ac: add zlib search with pkg-config
  
  Closes #956

- rtsp: ignore whitespace in session id
  
  Follow-up to e577c43bb to fix test case 569 brekage: stop the parser at
  whitespace as well.
  
  Help-by: Erik Janssen

- HTTP: retry failed HEAD requests too
  
  Mark's new document about HTTP Retries
  (https://mnot.github.io/I-D/httpbis-retry/) made me check our code and I
  spotted that we don't retry failed HEAD requests which seems totally
  inconsistent and I can't see any reason for that separate treatment.
  
  So, no separate treatment for HEAD starting now. A HTTP request sent
  over a reused connection that gets cut off before a single byte is
  received will be retried on a fresh connection.
  
  Made-aware-by: Mark Nottingham

- mk-ca-bundle.1: document -m, added in 1.26

- RELEASE-NOTES: synced with e577c43bb5

- [Erik Janssen brought this change]

  rtsp: accept any RTSP session id
  
  Makes libcurl work in communication with gstreamer-based RTSP
  servers. The original code validates the session id to be in accordance
  with the RFC. I think it is better not to do that:
  
  - For curl the actual content is a don't care.
  
  - The clarity of the RFC is debatable, is $ allowed or only as \$, that
    is imho not clear
  
  - Gstreamer seems to url-encode the session id but % is not allowed by
  the RFC
  
  - less code
  
  With this patch curl will correctly handle real-life lines like:
  Session: biTN4Kc.8%2B1w-AF.; timeout=60
  
  Bug: https://curl.haxx.se/mail/lib-2016-08/0076.html

- symbols-in-versions: add CURL_STRICTER
  
  Added in 5fce88aa8c12564

- [Simon Warta brought this change]

  winbuild: Allow changing C compiler via environment variable CC (#952)
  
  This makes it possible to use specific compilers or a cache.
  
  Sample use for clcache:
  set CC=clcache.bat
  nmake /f Makefile.vc DEBUG=no MODE=static VC=14 GEN_PDB=no

- LICENSE-MIXING.md: switched to markdown

- docs-make: have markdown files use .md

- curl.h: make CURL_NO_OLDIES define CURL_STRICTER

- HISTORY.md: use markdown extension

- SSLCERTS.md: renamed to markdown extension

- INTERNALS.md: use markdown extension for markdown content

- CONTRIBUTE.md: markdown extension

- CONTRIBUTE: changed to markdown

- CONTRIBUTE: refreshed

- TODO: added an SSH section and two SFTP things to do

- TODO: remove the 1.22 duplicated item

- TODO: move "CURLOPT_MAIL_CLIENT" to SMTP section

- TODO: API for URL parsing/splitting

- TODO: move QUIC to the HTTP section

- [Simon Warta brought this change]

  winbuild: Free name $(CC) in Makefile (#950)
  
  In the old line number 290, CC and CURL_CC had the same value. After
  that, /DCURL_STATICLIB was added to CC but not CURL_CC (intended?).
  
  This gets rid of the CC variable entirely. It is a first step to make it
  possible to manualyl set a CC variable in order to be able to change the
  compiler.

- TODO: Use huge HTTP/2 windows

- [Simon Warta brought this change]

  winbuild: Avoid setting redundant CFLAGS to compile commands (#949)
  
  $(CURL_CC) is always used with $(CURL_CFLAGS) appended, so before this,
  all arguments in CURL_CFLAGS have been added twice.

Jay Satiro (8 Aug 2016)
- cmake: Enable win32 threaded resolver by default
  
  - Turn on USE_THREADS_WIN32 in Windows if ares isn't on
  
  This change is similar to what we already do in the autotools build.

- cmake: Enable win32 large file support by default
  
  All compilers used by cmake in Windows should support large files.
  
  - Add test SIZEOF_OFF_T
  - Remove outdated test SIZEOF_CURL_OFF_T
  - Turn on USE_WIN32_LARGE_FILES in Windows
  - Check for 'Largefile' during the features output

Daniel Stenberg (7 Aug 2016)
- TODO: added several ideas, removed SPDY

- http2: always wait for readable socket
  
  Since the server can at any time send a HTTP/2 frame to us, we need to
  wait for the socket to be readable during all transfers so that we can
  act on incoming frames even when uploading etc.
  
  Reminded-by: Tatsuhiro Tsujikawa

- RELEASE-NOTES: synced with 7b4bf37a44791

- [Thomas Glanzmann brought this change]

  mbedtls: set debug threshold to 4 (verbose) when MBEDTLS_DEBUG is defined
  
  In order to make MBEDTLS_DEBUG work, the debug threshold must be unequal
  to 0.  This patch also adds a comment how mbedtls must be compiled in
  order to make debugging work, and explains the possible debug levels.

- CURLOPT_TCP_NODELAY: now enabled by default
  
  After a few wasted hours hunting down the reason for slowness during a
  TLS handshake that turned out to be because of TCP_NODELAY not being
  set, I think we have enough motivation to toggle the default for this
  option. We now enable TCP_NODELAY by default and allow applications to
  switch it off.
  
  This also makes --tcp-nodelay unnecessary, but --no-tcp-nodelay can be
  used to disable it.
  
  Thanks-to: Tim Rühsen
  Bug: https://curl.haxx.se/mail/lib-2016-06/0143.html

- [Serj Kalichev brought this change]

  TFTP: Fix upload problem with piped input
  
  When input stream for curl is stdin and input stream is not a file but
  generated by a script then curl can truncate data transfer to arbitrary
  size since a partial packet is treated as end of transfer by TFTP.
  
  Fixes #857

- mk-ca-bundle.pl: -m keeps ca cert meta data in output
  
  Makes the script pass on comments holding meta data to the output
  file. Like fingerprinters, issuer, date ranges etc.
  
  Closes #937

- multi: make Curl_expire() work with 0 ms timeouts
  
  Previously, passing a timeout of zero to Curl_expire() was a magic code
  for clearing all timeouts for the handle. That is now instead made with
  the new Curl_expire_clear() function and thus a 0 timeout is fine to set
  and will trigger a timeout ASAP.
  
  This will help removing short delays, in particular notable when doing
  HTTP/2.

- transfer: return without select when the read loop reached maxcount
  
  Regression added in 790d6de48515. The was then added to avoid one
  particular transfer to starve out others. But when aborting due to
  reading the maxcount, the connection must be marked to be read from
  again without first doing a select as for some protocols (like SFTP/SCP)
  the data may already have been read off the socket.
  
  Reported-by: Dan Donahue
  Bug: https://curl.haxx.se/mail/lib-2016-07/0057.html

Steve Holme (3 Aug 2016)
- [Bill Nagel brought this change]

  mbedtls: Added support for NTLM

Daniel Stenberg (3 Aug 2016)
- [Sergei Nikulov brought this change]

  travis: removed option to rebuild autotool from source
  
  Fixes #943

- bump: start working toward 7.50.2

Version 7.50.1 (3 Aug 2016)

Daniel Stenberg (3 Aug 2016)
- THANKS: 7 new contributors from the 7.50.1 release

- RELEASE-NOTES: 7.50.1

- TLS: only reuse connections with the same client cert
  
  CVE-2016-5420
  Bug: https://curl.haxx.se/docs/adv_20160803B.html

- TLS: switch off SSL session id when client cert is used
  
  CVE-2016-5419
  Bug: https://curl.haxx.se/docs/adv_20160803A.html
  Reported-by: Bru Rom
  Contributions-by: Eric Rescorla and Ray Satiro

- curl_multi_cleanup: clear connection pointer for easy handles
  
  CVE-2016-5421
  Bug: https://curl.haxx.se/docs/adv_20160803C.html
  Reported-by: Marcelo Echeverria and Fernando Muñoz

- KNOWN_BUGS: SOCKS proxy not working via IPv6
  
  Closes #835

- KNOWN_BUGS: CURLOPT_SEEKFUNCTION not called with CURLFORM_STREAM
  
  Closes #768

- KNOWN_BUGS: transfer-encoding: chunked in HTTP/2
  
  Closes #662

- TODO: Provide cmake config-file
  
  Closes #885

Patrick Monnerat (2 Aug 2016)
- os400: define BUILDING_LIBCURL in make script.

Daniel Stenberg (1 Aug 2016)
- RELEASE-NOTES: synced with aa9f536a18b

Jay Satiro (1 Aug 2016)
- [Thomas Glanzmann brought this change]

  mbedtls: Fix debug function name
  
  This patch is necessary so that curl compiles if MBEDTLS_DEBUG is
  defined.
  
  Bug: https://curl.haxx.se/mail/lib-2016-08/0001.html

Daniel Stenberg (1 Aug 2016)
- [Sergei Nikulov brought this change]

  travis: fix OSX build by re-installing libtool
  
  Apparently due to a broken homebrew install
  
  fixes #934
  Closes #939

- [Martin Vejnár brought this change]

  win32: fix a potential memory leak in Curl_load_library
  
  If a call to GetSystemDirectory fails, the `path` pointer that was
  previously allocated would be leaked. This makes sure that `path` is
  always freed.
  
  Closes #938

- include: revert 9adf3c4 and make public types void * again
  
  Many applications assume the actual contents of the public types and use
  that do for example forward declarations (saving them from including our
  public header) which then breaks when we switch from void * to a struct
  *.
  
  I'm not convinced we were wrong, but since this practise seems
  widespread enough I'm willing to (partly) step down.
  
  Now libcurl uses the struct itself when it is built and it allows
  applications to use the struct type if CURL_STRICTER is defined at the
  time of the #include.
  
  Reported-by: Peter Frühberger
  Fixes #926

Jay Satiro (28 Jul 2016)
- [Yonggang Luo brought this change]

  cmake: Fix for schannel support
  
  The check_library_exists_concat do not check crypt32 library properly.
  So include it directly.
  
  Bug: https://github.com/curl/curl/pull/917
  Reported-by: Yonggang Luo
  
  Bug: https://github.com/curl/curl/issues/935
  Reported-by: Alain Danteny

- Revert "travis: Install libtool for OS X builds"
  
  Didn't work.
  
