                                  _   _ ____  _
                              ___| | | |  _ \| |
                             / __| | | | |_) | |
                            | (__| |_| |  _ <| |___
                             \___|\___/|_| \_\_____|

                                  Changelog

Version 7.57.0 (29 Nov 2017)

Daniel Stenberg (29 Nov 2017)
- RELEASE-NOTES: curl 7.57.0

- THANKS: added contributors from 7.57.0 release

- openssl: fix boringssl build again
  
  commit d3ab7c5a21e broke the boringssl build since it doesn't have
  RSA_flags(), so we disable that code block for boringssl builds.
  
  Reported-by: W. Mark Kubacki
  Fixes #2117

- curl_ntlm_core.c: use the limits.h's SIZE_T_MAX if provided

- libcurl-share.3: the connection cache is shareable now

- global_init: ignore CURL_GLOBAL_SSL's absense
  
  This bit is no longer used. It is not clear what it meant for users to
  "init the TLS" in a world with different TLS backends and since the
  introduction of multissl, libcurl didn't properly work if inited without
  this bit set.
  
  Not a single user responded to the call for users of it:
  https://curl.haxx.se/mail/lib-2017-11/0072.html
  
  Reported-by: Evgeny Grin
  Assisted-by: Jay Satiro
  
  Fixes #2089
  Fixes #2083
  Closes #2107

- ntlm: avoid integer overflow for malloc size
  
  Reported-by: Alex Nichols
  Assisted-by: Kamil Dudka and Max Dymond
  
  CVE-2017-8816
  
  Bug: https://curl.haxx.se/docs/adv_2017-11e7.html

- wildcardmatch: fix heap buffer overflow in setcharset
  
  The code would previous read beyond the end of the pattern string if the
  match pattern ends with an open bracket when the default pattern
  matching function is used.
  
  Detected by OSS-Fuzz:
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4161
  
  CVE-2017-8817
  
  Bug: https://curl.haxx.se/docs/adv_2017-ae72.html

- [Jay Satiro brought this change]

  url: fix alignment of ssl_backend_data struct
  
  - Align the array of ssl_backend_data on a max 32 byte boundary.
  
  8 is likely to be ok but I went with 32 for posterity should one of
  the ssl_backend_data structs change to contain a larger sized variable
  in the future.
  
  Prior to this change (since dev 70f1db3, release 7.56) the connectdata
  structure was undersized by 4 bytes in 32-bit builds with ssl enabled
  because long long * was mistakenly used for alignment instead of
  long long, with the intention being an 8 byte boundary. Also long long
  may not be an available type.
  
  The undersized connectdata could lead to oob read/write past the end in
  what was expected to be the last 4 bytes of the connection's secondary
  socket https proxy ssl_backend_data struct (the secondary socket in a
  connection is used by ftp, others?).
  
  Closes https://github.com/curl/curl/issues/2093
  
  CVE-2017-8818
  
  Bug: https://curl.haxx.se/docs/adv_2017-af0a.html

- ssh: remove check for a NULL pointer (!)
  
  With this check present, scan-build warns that we might dereference this
  point in other places where it isn't first checked for NULL. Thus, if it
  *can* be NULL we have a problem on a few places. However, this pointer
  should not be possible to be NULL here so I remove the check and thus
  also three different scan-build warnings.
  
  Closes #2111

- [Matthew Kerwin brought this change]

  test: add test for bad UNC/SMB path in file: URL

- [Matthew Kerwin brought this change]

  test: add tests to ensure basic file: URLs

- [Matthew Kerwin brought this change]

  URL: update "file:" URL handling
  
  * LOTS of comment updates
  * explicit error for SMB shares (e.g. "file:////share/path/file")
  * more strict handling of authority (i.e. "//localhost/")
  * now accepts dodgy old "C:|" drive letters
  * more precise handling of drive letters in and out of Windows
    (especially recognising both "file:c:/" and "file:/c:/")
  
  Closes #2110

- metalink: fix memory-leak and NULL pointer dereference
  
  Reported by scan-build
  
  Closes #2109

- [Alessandro Ghedini brought this change]

  connect: add support for new TCP Fast Open API on Linux
  
  The new API added in Linux 4.11 only requires setting a socket option
  before connecting, without the whole sento() machinery.
  
  Notably, this makes it possible to use TFO with SSL connections on Linux
  as well, without the need to mess around with OpenSSL (or whatever other
  SSL library) internals.
  
  Closes #2056

- make: fix "make distclean"
  
  Fixes #2097
  Closes #2108

- RELEASE-NOTES: synced with 31f18d272

Jay Satiro (23 Nov 2017)
- connect: improve the bind error message
  
  eg consider a non-existent interface eth8, curl --interface eth8
  
  Before: curl: (45) Could not resolve host: eth8
  After: curl: (45) Couldn't bind to 'eth8'
  
  Bug: https://github.com/curl/curl/issues/2104
  Reported-by: Alfonso Martone

Daniel Stenberg (23 Nov 2017)
- examples/rtsp: clear RANGE again after use
  
  Fixes #2106
  Reported-by: youngchopin on github

- [Michael Kaufmann brought this change]

  test1264: verify URL with space in host name being rejected

- url: reject ASCII control characters and space in host names
  
  Host names like "127.0.0.1 moo" would otherwise be accepted by some
  getaddrinfo() implementations.
  
  Updated test 1034 and 1035 accordingly.
  
  Fixes #2073
  Closes #2092

- Curl_open: fix OOM return error correctly
  
  Closes #2098

- http2: fix "Value stored to 'end' is never read" scan-build error

- http2: fix "Value stored to 'hdbuf' is never read" scan-build error

- openssl: fix "Value stored to 'rc' is never read" scan-build error

- mime: fix "Value stored to 'sz' is never read" scan-build error

- Curl_llist_remove: fix potential NULL pointer deref
  
  Fixes a scan-build warning.

- ntlm: remove unnecessary NULL-check to please scan-build

- BUGS: spellchecked

Jay Satiro (18 Nov 2017)
- [fmmedeiros brought this change]

  examples/curlx: Fix code style
  
  - Add braces around multi-line if statement.
  
  Closes https://github.com/curl/curl/pull/2096

Daniel Stenberg (17 Nov 2017)
- resolve: allow IP address within [] brackets
  
  ... so that IPv6 addresses can be passed like they can for connect-to
  and how they're used in URLs.
  
  Added test 1324 to verify
  Reported-by: Alex Malinovich
  
  Fixes #2087
  Closes #2091

- [Pavol Markovic brought this change]

  macOS: Fix missing connectx function with Xcode version older than 9.0
  
  The previous fix https://github.com/curl/curl/pull/1788 worked just for
  Xcode 9. This commit extends the fix to older Xcode versions effectively
  by not using connectx function.
  
  Fixes https://github.com/curl/curl/issues/1330
  Fixes https://github.com/curl/curl/issues/2080
  Closes https://github.com/curl/curl/pull/1336
  Closes #2082

- [Dirk Feytons brought this change]

  openssl: fix too broad use of HAVE_OPAQUE_EVP_PKEY
  
  Fixes #2079
  Closes #2081

- TODO: ignore private IP addresses in PASV response
  
  Closes #1455

- RELEASE-NOTES: synced with ae7369b6d

Michael Kaufmann (14 Nov 2017)
- URL: return error on malformed URLs with junk after IPv6 bracket
  
  Follow-up to aadb7c7. Verified by new test 1263.
  
  Closes #2072

Daniel Stenberg (14 Nov 2017)
- INTERNALS: we may use libidn2 now, not libidn

Patrick Monnerat (13 Nov 2017)
- zlib/brotli: only include header files in modules needing them
  
  There is a conflict on symbol 'free_func' between openssl/crypto.h and
  zlib.h on AIX. This is an attempt to resolve it.
  
  Bug: https://curl.haxx.se/mail/lib-2017-11/0032.html
  Reported-By: Michael Felt

Daniel Stenberg (13 Nov 2017)
- SMB: fix uninitialized local variable
  
  Reported-by: Brian Carpenter

- [Orgad Shaneh brought this change]

  connect.c: remove executable bit on file
  
  Closes #2071

- [hsiao yi brought this change]

  README.md: fixed layout
  
  Closes #2069

- setopt: split out curl_easy_setopt() to its own file
  
  ... to make url.c smaller.
  
  Closes #1944

Jay Satiro (10 Nov 2017)
- [John Starks brought this change]

  cmake: Add missing setmode check
  
  Ensure HAVE_SETMODE is set to 1 on OSes that have setmode. Without this,
  curl will corrupt binary files when writing them to stdout on Windows.
  
  Closes https://github.com/curl/curl/pull/2067

Daniel Stenberg (10 Nov 2017)
- curl_share_setopt: va_end was not called if conncache errors
  
  CID 984459, detected by Coverity

Sergei Nikulov (10 Nov 2017)
- [John Starks brought this change]

  cmake: Correctly include curl.rc in Windows builds (#2064)
  
  Update CMakeLists.txt to add curl.rc to the correct list.

Daniel Stenberg (9 Nov 2017)
- RELEASE-NOTES: synced with 32828cc4f

- [Luca Boccassi brought this change]

  --interface: add support for Linux VRF
  
  The --interface command (CURLOPT_INTERFACE option) already uses
  SO_BINDTODEVICE on Linux, but it tries to parse it as an interface or IP
  address first, which fails in case the user passes a VRF.
  
  Try to use the socket option immediately and parse it as a fallback
  instead.  Update the documentation to mention this feature, and that it
  requires the binary to be ran by root or with CAP_NET_RAW capabilities
  for this to work.
  
  Closes #2024

- curl_share_setopt.3: document CURL_LOCK_DATA_CONNECT
  
  Closes #2043

- examples: add shared-connection-cache

- test1554: verify connection cache sharing

- share: add support for sharing the connection cache

- imap: deal with commands case insensitively
  
  As documented in RFC 3501 section 9:
  https://tools.ietf.org/html/rfc3501#section-9
  
  Closes #2061

- connect: store IPv6 connection status after valid connection
  
  ... previously it would store it already in the happy eyeballs stage
  which could lead to the IPv6 bit being set for an IPv4 connection,
  leading to curl not wanting to do EPSV=>PASV for FTP transfers.
  
  Closes #2053

- curl_multi_fdset.3: emphasize curl_multi_timeout
  
  ... even when there's no socket to wait for, the timeout can still be
  very short.

Jay Satiro (9 Nov 2017)
- content_encoding: fix inflate_stream for no bytes available
  
  - Don't call zlib's inflate() when avail_in stream bytes is 0.
  
  This is a follow up to the parent commit 19e66e5. Prior to that change
  libcurl's inflate_stream could call zlib's inflate even when no bytes
  were available, causing inflate to return Z_BUF_ERROR, and then
  inflate_stream would treat that as a hard error and return
  CURLE_BAD_CONTENT_ENCODING.
  
  According to the zlib FAQ, Z_BUF_ERROR is not fatal.
  
  This bug would happen randomly since packet sizes are arbitrary. A test
  of 10,000 transfers had 55 fail (ie 0.55%).
  
  Ref: https://zlib.net/zlib_faq.html#faq05
  
  Closes https://github.com/curl/curl/pull/2060

Patrick Monnerat (7 Nov 2017)
- content_encoding: do not write 0 length data

Daniel Stenberg (6 Nov 2017)
- fnmatch: remove dead code
  
  There was a duplicate check for backslashes in the setcharset()
  function.
  
  Coverity CID 1420611

- url: remove unncessary NULL-check
  
  Since 'conn' won't be NULL in there and we also access the pointer in
  there without the check.
  
  Coverity CID 1420610

Viktor Szakats (6 Nov 2017)
- src/Makefile.m32: fix typo in brotli lib customization
  
  Ref cc1f4436099decb9d1a7034b2bb773a9f8379d31

- Makefile.m32: allow to customize brotli libs
  
  It adds the ability to link against static brotli libs.
  
  Also fix brotli include path.

Patrick Monnerat (5 Nov 2017)
- travis: add a job with brotli enabled

- [Viktor Szakats brought this change]

  Makefile.m32: add brotli support

- HTTP: implement Brotli content encoding
  
  This uses the brotli external library (https://github.com/google/brotli).
  Brotli becomes a feature: additional curl_version_info() bit and
  structure fields are provided for it and CURLVERSION_NOW bumped.
  
  Tests 314 and 315 check Brotli content unencoding with correct and
  erroneous data.
  
  Some tests are updated to accomodate with the now configuration dependent
  parameters of the Accept-Encoding header.

- HTTP: support multiple Content-Encodings
  
  This is implemented as an output streaming stack of unencoders, the last
  calling the client write procedure.
  
  New test 230 checks this feature.
  
  Bug: https://github.com/curl/curl/pull/2002
  Reported-By: Daniel Bankhead

Jay Satiro (4 Nov 2017)
- url: remove arg value check from CURLOPT_SSH_AUTH_TYPES
  
  Since CURLSSH_AUTH_ANY (aka CURLSSH_AUTH_DEFAULT) is ~0 an arg value
  check on this option is incorrect; we have to accept any value.
  
  Prior to this change since f121575 (7.56.1+) CURLOPT_SSH_AUTH_TYPES
  erroneously rejected CURLSSH_AUTH_ANY with CURLE_BAD_FUNCTION_ARGUMENT.
  
  Bug: https://github.com/curl/curl/commit/f121575#commitcomment-25347120

Daniel Stenberg (4 Nov 2017)
- ntlm: avoid malloc(0) for zero length passwords
  
  It triggers an assert() when built with memdebug since malloc(0) may
  return NULL *or* a valid pointer.
  
  Detected by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4054
  
  Assisted-by: Max Dymond
  Closes #2054

- RELEASE-NOTES: synced with ee8016b3d

- curl: speed up handling of many URLs
  
  By properly keeping track of the last entry in the list of URLs/uploads
  to handle, curl now avoids many meaningless traverses of the list which
  speeds up many-URL handling *MASSIVELY* (several magnitudes on 100K
  URLs).
  
  Added test 1291, to verify that it doesn't take ages - but we don't have
  any detection of "too slow" command in the test suite.
  
  Reported-by: arainchik on github
  Fixes #1959
  Closes #2052

- curl: pass through [] in URLs instead of calling globbing error
  
  Assisted-by: Per Lundberg
  Fixes #2044
  Closes #2046
  Closes #2048

- CURLOPT_INFILESIZE: accept -1
  
  Regression since f121575
  
  Reported-by: Petr Voytsik
  Fixes #2047

Jay Satiro (2 Nov 2017)
- url: fix CURLOPT_DNS_CACHE_TIMEOUT arg value check to allow -1
  
  Prior to this change since f121575 (7.56.1+) CURLOPT_DNS_CACHE_TIMEOUT
  erroneously rejected -1 with CURLE_BAD_FUNCTION_ARGUMENT.

Dan Fandrich (1 Nov 2017)
- http2: Fixed OOM handling in upgrade request
  
  This caused the torture tests on test 1800 to fail.

- tests: Fixed torture tests on tests 556 and 650
  
  Test cleanup after OOM wasn't being consistently performed.

Daniel Stenberg (1 Nov 2017)
- CURLOPT_MAXREDIRS: allow -1 as a value
  
  ... which is valid according to documentation. Regression since
  f121575c0b5f.
  
  Verified now in test 501.
  
  Reported-by: cbartl on github
  Fixes #2038
  Closes #2039

- include: remove conncache.h inclusion from where its not needed

Jay Satiro (1 Nov 2017)
- url: fix CURLOPT_POSTFIELDSIZE arg value check to allow -1
  
  .. also add same arg value check to CURLOPT_POSTFIELDSIZE_LARGE.
  
  Prior to this change since f121575 (7.56.1+) CURLOPT_POSTFIELDSIZE
  erroneously rejected -1 value with CURLE_BAD_FUNCTION_ARGUMENT.
  
  Bug: https://curl.haxx.se/mail/lib-2017-11/0000.html
  Reported-by: Andrew Lambert

Daniel Stenberg (31 Oct 2017)
- cookie: avoid NULL dereference
  
  ... when expiring old cookies.
  
  Reported-by: Pavel Gushchin
  Fixes #2032
  Closes #2035

Marcel Raad (30 Oct 2017)
- memdebug: use send/recv signature for curl_dosend/curl_dorecv
  
  This avoids build errors and warnings caused by implicit casts.
  
  Closes https://github.com/curl/curl/pull/2031

Daniel Stenberg (30 Oct 2017)
- [Juro Bystricky brought this change]

  mkhelp.pl: support reproducible build
  
  Do not generate line with the current date, such as:
  
  * Generation time: Tue Oct-24 18:01:41 2017
  
  This will improve reproducibility. The generated string is only
  part of a comment, so there should be no adverse consequences.
  
  Signed-off-by: Juro Bystricky <juro.bystricky@intel.com>
  
  closes #2026

Dan Fandrich (30 Oct 2017)
- runtests.pl: Fixed typo in message

Daniel Stenberg (30 Oct 2017)
- curlx: the timeval functions are no longer provided as curlx_*
  
  Pointed-out-by: Dmitri Tikhonov
  Bug: #2034

- select: update comments
  
  s/curlx_tvnow/Curl_now

- INTERNALS: remove curlx_tv* functions no longer provided

- [Dmitri Tikhonov brought this change]

  timeval: use mach time on MacOS
  
  If clock_gettime() is not supported, use mach_absolute_time() on MacOS.
  
  closes #2033

monnerat (29 Oct 2017)
- [Patrick Monnerat brought this change]

  cli tool: improve ";type=" handling in -F option arguments

- [Patrick Monnerat brought this change]

  cli tool: in -F option arg, comma is a delimiter for files only
  
  Also upgrade test 1133 to cover this case and clarify man page about
  form data quoting.
  
  Bug: https://github.com/curl/curl/issues/2022
  Reported-By: omau on github

Daniel Stenberg (29 Oct 2017)
- timeleft: made two more users of Curl_timeleft use timediff_t

Jakub Zakrzewski (28 Oct 2017)
- cmake: Export libcurl and curl targets to use by other cmake projects
  
  The config files define curl and libcurl targets as imported targets
  CURL::curl and CURL::libcurl. For backward compatibility with CMake-
  provided find-module the CURL_INCLUDE_DIRS and CURL_LIBRARIES are
  also set.
  
  Closes #1879

Daniel Stenberg (28 Oct 2017)
- RELEASE-NOTES: synced with f20cbac97

- [Florin brought this change]

  auth: Added test cases for RFC7616
  
  Updated docs to include support for RFC7616
  
  Signed-off-by: Florin <petriuc.florin@gmail.com>
  
  Closes #1934

- [Florin brought this change]

  auth: add support for RFC7616 - HTTP Digest access authentication
  
  Signed-off-by: Florin <petriuc.florin@gmail.com>

- [Daniel Bankhead brought this change]

  TODO: support multiple Content-Encodings
  
  Closes #2002

- ROADMAP: cleanup
  
  Removed done stuff. Removed entries no longer considered for the near
  term.

- [Magicansk brought this change]

  ROADMAP.md: spelling fixes
  
  Closes #2028

- Curl_timeleft: change return type to timediff_t
  
  returning 'time_t' is problematic when that type is unsigned and we
  return values less than zero to signal "already expired", used in
  several places in the code.
  
  Closes #2021

- appveyor: add a win32 build

- setopt: fix CURLOPT_SSH_AUTH_TYPES option read
  
  Regression since f121575c0b5f
  
  Reported-by: Rob Cotrone

Marcel Raad (27 Oct 2017)
- resolvers: only include anything if needed
  
  This avoids warnings about unused stuff.
  
  Closes https://github.com/curl/curl/pull/2023

Daniel Stenberg (27 Oct 2017)
- HELP-US: rename the subtitle too since the label is changed
  
  "PR-welcome" was the former name.

- curl_setup.h: oops, shorten the too long line

- [Martin Storsjo brought this change]

  curl_setup: Improve detection of CURL_WINDOWS_APP
  
  If WINAPI_FAMILY is defined, it should be safe to try to include
  winapifamily.h to check what the define evaluates to.
  
  This should fix detection of CURL_WINDOWS_APP if building with
  _WIN32_WINNT set to 0x0600.
  
  Closes #2025

Jay Satiro (26 Oct 2017)
- transfer: Fix chunked-encoding upload bug
  
  - When uploading via chunked-encoding don't compare file size to bytes
    sent to determine whether the upload has finished.
  
  Chunked-encoding adds its own overhead which why the bytes sent is not
  equal to the file size. Prior to this change if a file was uploaded in
  chunked-encoding and its size was known it was possible that the upload
  could end prematurely without sending the final few chunks. That would
  result in a server hang waiting for the remaining data, likely followed
  by a disconnect.
  
  The scope of this bug is limited to some arbitrary file sizes which have
  not been determined. One size that triggers the bug is 475020.
  
  Bug: https://github.com/curl/curl/issues/2001
  Reported-by: moohoorama@users.noreply.github.com
  
  Closes https://github.com/curl/curl/pull/2010

Daniel Stenberg (26 Oct 2017)
- timeval: make timediff_t also work on 32bit windows
  
  ... by using curl_off_t for the typedef if time_t is larger than 4
  bytes.
  
  Reported-by: Gisle Vanem
  Bug: https://github.com/curl/curl/commit/b9d25f9a6b3ca791385b80a6a3c3fa5ae113e1e0#co
  mmitcomment-25205058
  Closes #2019

- curl_fnmatch: return error on illegal wildcard pattern
  
  ... instead of doing an infinite loop!
  
  Added test 1162 to verify.
  
  Reported-by: Max Dymond
  Fixes #2015
  Closes #2017

- [Max Dymond brought this change]

  wildcards: don't use with non-supported protocols
  
  Fixes timeouts in the fuzzing tests for non-FTP protocols.
  
  Closes #2016

- [Max Dymond brought this change]

  multi: allow table handle sizes to be overridden
  
  Allow users to specify their own hash define for
  CURL_CONNECTION_HASH_SIZE so that both values can be overridden.
  
  Closes #1982

- time: rename Curl_tvnow to Curl_now
  
  ... since the 'tv' stood for timeval and this function does not return a
  timeval struct anymore.
  
  Also, cleaned up the Curl_timediff*() functions to avoid typecasts and
  clean up the descriptive comments.
  
  Closes #2011

- ftplistparser: follow-up cleanup to remove PL_ERROR()

- [Max Dymond brought this change]

  ftplistparser: free off temporary memory always
  
  When using the FTP list parser, ensure that the memory that's
  allocated is always freed.
  
  Detected by OSS-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3682
  Closes #2013

- timediff: return timediff_t from the time diff functions
  
  ... to cater for systems with unsigned time_t variables.
  
  - Renamed the functions to curlx_timediff and Curl_timediff_us.
  
  - Added overflow protection for both of them in either direction for
    both 32 bit and 64 bit time_ts
  
  - Reprefixed the curlx_time functions to use Curl_*
  
  Reported-by: Peter Piekarski
  Fixes #2004
  Closes #2005

- [Paul Howarth brought this change]

  libtest: Add required test libraries for lib1552 and lib1553
  
  They use $(TESTUTIL) and thus should use $(TESTUTIL_LIBS) too.
  
  This fixes build failures on Fedora 13.
  
  Closes #2006

- [Alessandro Ghedini brought this change]

  libcurl-tutorial.3: fix typo
  
  closes #2008

Alessandro Ghedini (23 Oct 2017)
- curl_mime_filedata.3: fix typos

Daniel Stenberg (23 Oct 2017)
- RELEASE-NOTES: clean slate towards 7.57.0

- [Max Dymond brought this change]

  travis: exit if any steps fail
  
  We don't expect any steps to fail in travis. Exit the script if they do.
  
  Closes #1966

Version 7.56.1 (23 Oct 2017)

Daniel Stenberg (23 Oct 2017)
- RELEASE-NOTES: 7.56.1

- THANKS: update at 7.56.1 release time

- [Jon DeVree brought this change]

  mk-ca-bundle: Remove URL for aurora
  
  Aurora is no longer used by Mozilla
  https://hacks.mozilla.org/2017/04/simplifying-firefox-release-channels/

- [Jon DeVree brought this change]

  mk-ca-bundle: Fix URL for NSS
  
  The 'tip' is the most recent branch committed to, this should be
  'default' like the URLs for the browser are.
  
  Closes #1998

- imap: if a FETCH response has no size, don't call write callback
  
  CVE-2017-1000257
  
  Reported-by: Brian Carpenter and 0xd34db347
  Also detected by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3586

- ftp: reject illegal IP/port in PASV 227 response
  
  ... by using range checks. Among other things, this avoids an undefined
  behavior for a left shift that could happen on negative or very large
  values.
  
  Closes #1997
  
  Detected by OSS-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3694

Patrick Monnerat (20 Oct 2017)
- test653: check reuse of easy handle after mime data change
  
  See issue #1999

- mime: do not reuse previously computed multipart size
  
  The contents might have changed: size must be recomputed.
  
  Reported-by: moteus on github
  Fixes #1999

- test308: disable if MultiSSL feature enabled
  
  Even if OpenSSL is enabled, it might not be the default backend when
  multi-ssl is enabled, causing the test to fail.

- runtests: support MultiSSL client feature

- vtls: change struct Curl_ssl `close' field name to `close_one'.
  
  On OS/400, `close' is an ASCII system macro that corrupts the code if
  not used in a context not targetting the close() system API.

- os400: add missing symbols in config file.
  
  Also adjust makefile to renamed files and warn about installation dirs mix-up.

- test652: curl_mime_data + base64 encoder with large contents

- mime: limit bas64-encoded lines length to 76 characters

Daniel Stenberg (16 Oct 2017)
- RELEASE-NOTES: synced with f121575c0

- setopt: range check most long options
  
  ... filter early instead of risking "funny values" having to be dealt
  with elsewhere.

- setopt: avoid integer overflows when setting millsecond values
  
  ... that are multiplied by 1000 when stored.
  
  For 32 bit long systems, the max value accepted (2147483 seconds) is >
  596 hours which is unlikely to ever be set by a legitimate application -
  and previously it didn't work either, it just caused undefined behavior.
  
  Also updated the man pages for these timeout options to mention the
  return code.
  
  Closes #1938

Viktor Szakats (15 Oct 2017)
- makefile.m32: allow to override gcc, ar and ranlib
  
  Allow to ovverride certain build tools, making it possible to
  use LLVM/Clang to build curl. The default behavior is unchanged.
  To build with clang (as offered by MSYS2), these settings can
  be used:
  
  CURL_CC=clang
  CURL_AR=llvm-ar
  CURL_RANLIB=llvm-ranlib
  
  Closes https://github.com/curl/curl/pull/1993

- ldap: silence clang warning
  
  Use memset() to initialize a structure to avoid LLVM/Clang warning:
  ldap.c:193:39: warning: missing field 'UserLength' initializer [-Wmissing-field-initializers]
  
  Closes https://github.com/curl/curl/pull/1992

Daniel Stenberg (14 Oct 2017)
- runtests: use valgrind for torture as well
  
  NOTE: it makes them terribly slow. I recommend only using valgrind for
  specific torture tests or using lots of patience.

- memdebug: trace send, recv and socket
  
  ... to allow them to be included in torture tests too.
  
  closes #1980

- configure: remove the C++ compiler check
  
  ... we used it only for the fuzzer, which we now have in a separate git
  repo.
  
  Closes #1990

Patrick Monnerat (13 Oct 2017)
- mime: do not call failf() if easy handle is NULL.

Daniel Stenberg (13 Oct 2017)
- test651: curl_formadd with huge COPYCONTENTS

- mime: fix the content reader to handle >16K data properly
  
  Reported-by: Jeroen Ooms
  Closes #1988

Patrick Monnerat (12 Oct 2017)
- mime: keep "text/plain" content type if user-specified.
  
  Include test cases in 554, 587, 650.
  
  Fixes https://github.com/curl/curl/issues/1986

- cli tool: use file2memory() to buffer stdin in -F option.
  
  Closes PR https://github.com/curl/curl/pull/1985

- cli tool: reimplement stdin buffering in -F option.
  
  If stdin is not a regular file, its content is memory-buffered to enable
  a possible data "rewind".
  In all cases, stdin data size is determined before real use to avoid
  having an unknown part's size.
  
  --libcurl generated code is left as an unbuffered stdin fread/fseek callback
  part with unknown data size.
  
  Buffering is not supported in deprecated curl_formadd() API.

Daniel Stenberg (12 Oct 2017)
- winbuild/BUILD.WINDOWS.txt: mention WITH_NGHTTP2

- HELP-US: the label "PR-welcome" is now renamed to "help wanted"
  
  following the new github "standard"

- RELEASE-NOTES: synced with 5505df7d2

Jay Satiro (11 Oct 2017)
- [Artak Galoyan brought this change]

  url: Update current connection SSL verify params in setopt
  
  Now VERIFYHOST, VERIFYPEER and VERIFYSTATUS options change during active
  connection updates the current connection's (i.e.'connectdata'
