                                  _   _ ____  _
                              ___| | | |  _ \| |
                             / __| | | | |_) | |
                            | (__| |_| |  _ <| |___
                             \___|\___/|_| \_\_____|

                                  Changelog

Version 7.59.0 (13 Mar 2018)

Daniel Stenberg (13 Mar 2018)
- release: 7.59.0

Kamil Dudka (13 Mar 2018)
- tests/.../spnego.py: fix identifier typo
  
  Detected by Coverity Analysis:
  
  Error: IDENTIFIER_TYPO:
  curl-7.58.0/tests/python_dependencies/impacket/spnego.py:229: identifier_typo: Using "SuportedMech" appears to be a typo:
  * Identifier "SuportedMech" is only known to be referenced here, or in copies of this code.
  * Identifier "SupportedMech" is referenced elsewhere at least 4 times.
  curl-7.58.0/tests/python_dependencies/impacket/smbserver.py:2651: identifier_use: Example 1: Using identifier "SupportedMech".
  curl-7.58.0/tests/python_dependencies/impacket/smbserver.py:2308: identifier_use: Example 2: Using identifier "SupportedMech".
  curl-7.58.0/tests/python_dependencies/impacket/spnego.py:252: identifier_use: Example 3: Using identifier "SupportedMech" (2 total uses in this function).
  curl-7.58.0/tests/python_dependencies/impacket/spnego.py:229: remediation: Should identifier "SuportedMech" be replaced by "SupportedMech"?
  
  Closes #2379

Daniel Stenberg (13 Mar 2018)
- CURLOPT_COOKIEFILE.3: "-" as file name means stdin
  
  Reported-by: Aron Bergman
  Bug: https://curl.haxx.se/mail/lib-2018-03/0049.html
  
  [ci skip]

- Revert "hostip: fix compiler warning: 'variable set but not used'"
  
  This reverts commit a577059f92fc65bd6b81717f0737f897a5b34248.
  
  The assignment really needs to be there or we risk working with an
  uninitialized pointer.

Michael Kaufmann (12 Mar 2018)
- limit-rate: fix compiler warning
  
  follow-up to 72a0f62

Viktor Szakats (12 Mar 2018)
- checksrc.pl: add -i and -m options
  
  To sync it with changes made for the libssh2 project.
  Also cleanup some whitespace.

- curl-openssl.m4: fix spelling [ci skip]

- FAQ: fix a broken URL [ci skip]

Daniel Stenberg (12 Mar 2018)
- http2: mark the connection for close on GOAWAY
  
  ... don't consider it an error!
  
  Assisted-by: Jay Satiro
  Reported-by: Łukasz Domeradzki
  Fixes #2365
  Closes #2375

- credits: Viktor prefers without accent

- openldap: white space changes, fixed up the copyright years

- openldap: check ldap_get_attribute_ber() results for NULL before using
  
  CVE-2018-1000121
  Reported-by: Dario Weisser
  Bug: https://curl.haxx.se/docs/adv_2018-97a2.html

- FTP: reject path components with control codes
  
  Refuse to operate when given path components featuring byte values lower
  than 32.
  
  Previously, inserting a %00 sequence early in the directory part when
  using the 'singlecwd' ftp method could make curl write a zero byte
  outside of the allocated buffer.
  
  Test case 340 verifies.
  
  CVE-2018-1000120
  Reported-by: Duy Phan Thanh
  Bug: https://curl.haxx.se/docs/adv_2018-9cd6.html

- readwrite: make sure excess reads don't go beyond buffer end
  
  CVE-2018-1000122
  Bug: https://curl.haxx.se/docs/adv_2018-b047.html
  
  Detected by OSS-fuzz

- BUGS: updated link to security process

- limit-rate: kick in even before "limit" data has been received
  
  ... and make sure to avoid integer overflows with really large values.
  
  Reported-by: 刘佩东
  Fixes #2371
  Closes #2373

- docs/SECURITY.md -> docs/SECURITY-PROCESS.md

- SECURITY.md: call it the security process

Michael Kaufmann (11 Mar 2018)
- Curl_range: fix FTP-only and FILE-only builds
  
  follow-up to e04417d

- hostip: fix compiler warning: 'variable set but not used'

Daniel Stenberg (11 Mar 2018)
- HTTP: allow "header;" to replace an internal header with a blank one
  
  Reported-by: Michael Kaufmann
  Fixes #2357
  Closes #2362

- http2: verbose output new MAX_CONCURRENT_STREAMS values
  
  ... as it is interesting for many users.

- SECURITY: distros' max embargo time is 14 days now

Patrick Monnerat (8 Mar 2018)
- curl tool: accept --compressed also if Brotli is enabled and zlib is not.

Daniel Stenberg (5 Mar 2018)
- THANKS + mailmap: remove duplicates, fixup full names

- [sergii.kavunenko brought this change]

  WolfSSL: adding TLSv1.3
  
  Closes #2349

- RELEASE-NOTES/THANKS: synced with cc1d4c505

- [Richard Alcock brought this change]

  winbuild: prefer documented zlib library names
  
  Check for existence of import and static libraries with documented names
  and use them if they do. Fallback to previous names.
  
  According to
  https://github.com/madler/zlib/blob/master/win32/README-WIN32.txt on
  Windows, the names of the import library is "zdll.lib" and static
  library is "zlib.lib".
  
  closes #2354

Marcel Raad (4 Mar 2018)
- krb5: use nondeprecated functions
  
  gss_seal/gss_unseal have been deprecated in favor of
  gss_wrap/gss_unwrap with GSS-API v2 from January 1997 [1]. The first
  version of "The Kerberos Version 5 GSS-API Mechanism" [2] from June
  1996 already says "GSS_Wrap() (formerly GSS_Seal())" and
  "GSS_Unwrap() (formerly GSS_Unseal())".
  
  Use the nondeprecated functions to avoid deprecation warnings.
  
  [1] https://tools.ietf.org/html/rfc2078
  [2] https://tools.ietf.org/html/rfc1964
  
  Closes https://github.com/curl/curl/pull/2356

Daniel Stenberg (4 Mar 2018)
- curl.1: mention how to add numerical IP addresses in NO_PROXY

- CURLOPT_NOPROXY.3: mention how to list numerical IPv6 addresses

- NO_PROXY: fix for IPv6 numericals in the URL
  
  Added test 1265 that verifies.
  
  Reported-by: steelman on github
  Fixes #2353
  Closes #2355

- build: get CFLAGS (including -werror) used for examples and tests
  
  ... so that the CI and more detects compiler warnings/errors properly!
  
  Closes #2337

Marcel Raad (3 Mar 2018)
- curl_ctype: fix macro redefinition warnings
  
  On MinGW and Cygwin, GCC and clang have been complaining about macro
  redefinitions since 4272a0b0fc49a1ac0ceab5c4a365c9f6ab8bf8e2. Fix this
  by undefining the macros before redefining them as suggested in
  https://github.com/curl/curl/pull/2269.
  
  Suggested-by: Daniel Stenberg

Dan Fandrich (2 Mar 2018)
- unit1307: proper cleanup on OOM to fix torture tests

Marcel Raad (28 Feb 2018)
- unit1309: fix warning on Windows x64
  
  When targeting x64, MinGW-w64 complains about conversions between
  32-bit long and 64-bit pointers. Fix this by reusing the
  GNUTLS_POINTER_TO_SOCKET_CAST / GNUTLS_SOCKET_TO_POINTER_CAST logic
  from gtls.c, moving it to warnless.h as CURLX_POINTER_TO_INTEGER_CAST /
  CURLX_INTEGER_TO_POINTER_CAST.
  
  Closes https://github.com/curl/curl/pull/2341

- travis: update compiler versions
  
  Update clang to version 3.9 and GCC to version 6.
  
  Closes https://github.com/curl/curl/pull/2345

Daniel Stenberg (26 Feb 2018)
- docs/MANUAL: formfind.pl is not accessible on the site anymore
  
  Fixes #2342

Jay Satiro (24 Feb 2018)
- curl-openssl.m4: Fix version check for OpenSSL 1.1.1
  
  - Add OpenSSL 1.1.1 to the header/library version lists.
  
  - Detect OpenSSL 1.1.1 library using its function ERR_clear_last_mark,
    which was added in that version.
  
  Prior to this change an erroneous header/library mismatch was caused by
  lack of OpenSSL 1.1.1 detection. I tested using openssl-1.1.1-pre1.

Viktor Szakats (23 Feb 2018)
- lib655: silence compiler warning
  
  Closes https://github.com/curl/curl/pull/2335

- spelling fixes
  
  Detected using the `codespell` tool.
  
  Also contains one URL protocol upgrade.
  
  Closes https://github.com/curl/curl/pull/2334

Daniel Stenberg (24 Feb 2018)
- projects/README: remove reference to dead IDN link/package
  
  Reported-by: Stefan Kanthak and Rod Widdowson
  
  Fixes #2325

Jay Satiro (23 Feb 2018)
- [Rod Widdowson brought this change]

  winbuild: Use macros for the names of some build utilities
  
  - Add macros to the top of the makefile for rc and mt utilities so that
    it is easier to change their locations.
  
  Bug: https://curl.haxx.se/mail/lib-2018-02/0075.html
  Reported-by: Stefan Kanthak
  
  Closes https://github.com/curl/curl/issues/2329

Daniel Stenberg (23 Feb 2018)
- TODO: remove "sha-256 digest", added in 2b5b37cb9109e7c2

- curl_share_setopt.3: connection cache is shared within multi handles

Jay Satiro (22 Feb 2018)
- [Rod Widdowson brought this change]

  winbuild: Use CALL to run batch scripts
  
  Co-authored-by: Stefan Kanthak
  
  Closes https://github.com/curl/curl/issues/2330
  Closes https://github.com/curl/curl/pull/2331

Patrick Monnerat (22 Feb 2018)
- os400: add curl_resolver_start_callback type to ILE/RPG binding

Daniel Stenberg (22 Feb 2018)
- form.d: rephrased somewhat, added two example command lines

Jay Satiro (21 Feb 2018)
- [Francisco Sedano brought this change]

  url: Add option CURLOPT_RESOLVER_START_FUNCTION
  
  - Add new option CURLOPT_RESOLVER_START_FUNCTION to set a callback that
    will be called every time before a new resolve request is started
    (ie before a host is resolved) with a pointer to backend-specific
    resolver data. Currently this is only useful for ares.
  
  - Add new option CURLOPT_RESOLVER_START_DATA to set a user pointer to
    pass to the resolver start callback.
  
  Closes https://github.com/curl/curl/pull/2311

- lib: CURLOPT_HAPPY_EYEBALLS_TIMEOUT => CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS
  
  - In keeping with the naming of our other connect timeout options rename
    CURLOPT_HAPPY_EYEBALLS_TIMEOUT to CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS.
  
  This change adds the _MS suffix since the option expects milliseconds.
  This is more intuitive for our users since other connect timeout options
  that expect milliseconds use _MS such as CURLOPT_TIMEOUT_MS,
  CURLOPT_CONNECTTIMEOUT_MS, CURLOPT_ACCEPTTIMEOUT_MS.
  
  The tool option already uses an -ms suffix, --happy-eyeballs-timeout-ms.
  
  Follow-up to 2427d94 which added the lib and tool option yesterday.
  
  Ref: https://github.com/curl/curl/pull/2260

Patrick Monnerat (21 Feb 2018)
- sasl: prefer PLAIN mechanism over LOGIN
  
  SASL PLAIN is a standard, LOGIN only a draft. The LOGIN draft says
  PLAIN should be used instead if available.

Daniel Stenberg (21 Feb 2018)
- RELEASE-NOTES: synced with 2427d94c6

Jay Satiro (20 Feb 2018)
- [Anders Bakken brought this change]

  url: Add option CURLOPT_HAPPY_EYEBALLS_TIMEOUT
  
  - Add new option CURLOPT_HAPPY_EYEBALLS_TIMEOUT to set libcurl's happy
    eyeball timeout value.
  
  - Add new optval macro CURL_HET_DEFAULT to represent the default happy
    eyeballs timeout value (currently 200 ms).
  
  - Add new tool option --happy-eyeballs-timeout-ms to expose
    CURLOPT_HAPPY_EYEBALLS_TIMEOUT. The -ms suffix is used because the
    other -timeout options in the tool expect seconds not milliseconds.
  
  Closes https://github.com/curl/curl/pull/2260

- hostip: fix 'potentially uninitialized variable' warning
  
  Follow-up to 50d1b33.
  
  Caught by AppVeyor.

Daniel Stenberg (20 Feb 2018)
- TODO: warning if curl version is not in sync with libcurl version

Jay Satiro (20 Feb 2018)
- [Anders Bakken brought this change]

  CURLOPT_RESOLVE: Add support for multiple IP addresses per entry
  
  This enables users to preresolve but still take advantage of happy
  eyeballs and trying multiple addresses if some are not connecting.
  
  Ref: https://github.com/curl/curl/pull/2260

Daniel Stenberg (20 Feb 2018)
- [Sergio Borghese brought this change]

  examples/sftpuploadresume: resume upload via CURLOPT_APPEND
  
  URL: https://curl.haxx.se/mail/lib-2018-02/0072.html

- curl --version: show PSL if the run-time lib has it enabled
  
  ... not of the #define was set at build-time!

- TODO: "Support in-memory certs/ca certs/keys"
  
  removed SSLKEYLOGFILE support (fixed)
  
  removed "consider SSL patches" (outdated)
  
  Closes #2310

- CURLOPT_HEADER.3: clarify problems with different data sizes

- test1556: verify >16KB headers to the header callback

- header callback: don't chop headers into smaller pieces
  
  Reported-by: Guido Berhoerster
  Fixes #2314
  Closes #2316

- test1154: verify that long HTTP headers get rejected

- http: fix the max header length detection logic
  
  Previously, it would only check for max length if the existing alloc
  buffer was to small to fit it, which often would make the header still
  get used.
  
  Reported-by: Guido Berhoerster
  Bug: https://curl.haxx.se/mail/lib-2018-02/0056.html
  
  Closes #2315

- CURLOPT_HEADERFUNCTION.3: fix typo from d939226813
  
  Reported-by: Erik Johansson
  Bug: https://github.com/curl/curl/commit/d9392268131c1b8d18dec3fa30e0bded833a5db7#commitcomment-27607495

- CURLOPT_HEADERFUNCTION.3: mention folded headers

- TODO: 1.1 Option to refuse usernames in URLs
  
  Also expanded the CURL_REFUSE_CLEARTEXT section with more ideas.

- TODO: 1.7 Support HTTP/2 for HTTP(S) proxies

- ssh: add two missing state names
  
  The list of state names (used in debug builds) was out of sync in
  relation to the list of states (used in all builds).
  
  I now added an assert to make sure the sizes of the two lists match, to
  aid in detecting this mistake better in the future.
  
  Regression since c92d2e14cf, shipped in 7.58.0.
  
  Reported-by: Somnath Kundu
  
  Fixes #2312
  Closes #2313

- Revert "KNOWN_BUGS: 2.5 curl should not offer "ALPN: h2" when using https-proxy"
  
  This reverts commit de9fac00c40db321d44fa6fbab6eb62ec4c83998.
  
  Reported-by: Jay Satiro

Jay Satiro (15 Feb 2018)
- non-ascii: fix implicit declaration warning
  
  Follow-up to b46cfbc.
  
  Caught by Travis CI.

Daniel Stenberg (15 Feb 2018)
- travis: add build with iconv enabled
  
  ... to verify it builds and works fine.
  
  Ref: https://curl.haxx.se/mail/lib-2017-09/0031.html
  
  Closes #1872

- TODO: 18.18 retry on network is unreachable
  
  Closes #1603

- KNOWN_BUGS: 2.5 curl should not offer "ALPN: h2" when using https-proxy
  
  Closes #1254

Kamil Dudka (15 Feb 2018)
- nss: use PK11_CreateManagedGenericObject() if available
  
  ... so that the memory allocated by applications using libcurl does not
  grow per each TLS connection.
  
  Bug: https://bugzilla.redhat.com/1510247
  
  Closes #2297

Daniel Stenberg (15 Feb 2018)
- [Björn Stenberg brought this change]

  TODO fixed: Detect when called from within callbacks
  
  Closes #2302

- BINDINGS: fix curb link (and remove ruby-curl-multi)
  
  Reported-by: Klaus Stein

- curl_gssapi: make sure this file too uses our *printf()

- libcurl-security.3: separate file:// section
  
  ... just to make it more apparent. Even if it repeats
  some pieces of information.

- libcurl-security.3: the http://192.168.0.1/my_router_config case
  
  Mentioned-By: Rich Moore

- libcurl-security.3: mention the URL standards problems too

- libcurl-security.3: split out from libcurl-tutorial.3
  
  To make more accessible.
  
  Merged in some new language from "URLs are dangerous things" as discussed on
  the mailing list a few days ago:
  
  Bug: https://curl.haxx.se/mail/lib-2018-02/0013.html

- RELEASE-NOTES: synced with e551910f8

Patrick Monnerat (13 Feb 2018)
- tests: new tests for http raw mode
  
  Test 319 checks proper raw mode data with non-chunked gzip
  transfer-encoded server data.
  Test 326 checks raw mode with chunked server data.
  
  Bug: #2303
  Closes #2308

Kamil Dudka (12 Feb 2018)
- tlsauthtype.d: works only if libcurl is built with TLS-SRP support
  
  Bug: https://bugzilla.redhat.com/1542256
  
  Closes #2306

Patrick Monnerat (12 Feb 2018)
- smtp: fix processing of initial dot in data
  
  RFC 5321 4.1.1.4 specifies the CRLF terminating the DATA command
  should be taken into account when chasing the <CRLF>.<CRLF> end marker.
  Thus a leading dot character in data is also subject to escaping.
  
  Tests 911 and test server are adapted to this situation.
  New tests 951 and 952 check proper handling of initial dot in data.
  
  Closes #2304

Daniel Stenberg (12 Feb 2018)
- sha256: avoid redefine

- [Douglas Mencken brought this change]

  sha256: build with OpenSSL < 0.9.8 too
  
  support for SHA-2 was introduced in OpenSSL 0.9.8
  
  Closes #2305

- [Bruno Grasselli brought this change]

  README: language fix
  
  s/off/from
  
  Closes #2300

Patrick Monnerat (12 Feb 2018)
- http_chunks: don't write chunks twice with CURLOPT_HTTP_TRANSFER_DECODING on
  
  Bug: #2303
  Reported-By: Henry Roeland

Daniel Stenberg (9 Feb 2018)
- get_posix_time: only check for overflows if they can happen!

Michael Kaufmann (9 Feb 2018)
- schannel: fix "no previous prototype" compiler warning

Jay Satiro (9 Feb 2018)
- [Mohammad AlSaleh brought this change]

  content_encoding: Add "none" alias to "identity"
  
  Some servers return a "content-encoding" header with a non-standard
  "none" value.
  
  Add "none" as an alias to "identity" as a work-around, to avoid
  unrecognised content encoding type errors.
  
  Signed-off-by: Mohammad AlSaleh <CE.Mohammad.AlSaleh@gmail.com>
  
  Closes https://github.com/curl/curl/pull/2298

Steve Holme (8 Feb 2018)
- build-openssl.bat: Follow up to 648679ab8e to suppress copy/move output

- build-openssl.bat: Fixed incorrect move if destination build folder exists

Michael Kaufmann (8 Feb 2018)
- schannel: fix compiler warnings
  
  Closes #2296

Steve Holme (7 Feb 2018)
- curl_addrinfo.c: Allow Unix Domain Sockets to compile under Windows
  
  Windows 10.0.17061 SDK introduces support for Unix Domain Sockets.
  Added the necessary include file to curl_addrinfo.c.
  
  Note: The SDK (which is considered beta) has to be installed, VS 2017
  project file has to be re-targeted for Windows 10.0.17061 and #define
  enabled in config-win32.h.

Patrick Monnerat (7 Feb 2018)
- fnmatch: optimize processing of consecutive *s and ?s pattern characters
  
  Reported-By: Daniel Stenberg
  Fixes #2291
  Closes #2293

Steve Holme (6 Feb 2018)
- build-openssl.bat/build-wolfssl.bat: Build platform is optional
  
  Whilst the compiler parameter is mandatory, platform is optional as it
  is automatically calculated by the :configure section.
  
  This partially reverts commit 6d62d2c55d.

Daniel Stenberg (6 Feb 2018)
- [Patrick Schlangen brought this change]

  openssl: Don't add verify locations when verifypeer==0
  
  When peer verification is disabled, calling
  SSL_CTX_load_verify_locations is not necessary. Only call it when
  verification is enabled to save resources and increase performance.
  
  Closes #2290

Steve Holme (5 Feb 2018)
- build-wolfssl.bat: Extend VC15 support to include Enterprise and Professional
  
  ...and not just the Community Edition.

- build-openssl.bat: Extend VC15 support to include Enterprise and Professional
  
  ...and not just the Community Edition.

Michael Kaufmann (5 Feb 2018)
- time-cond: fix reading the file modification time on Windows
  
  On Windows, stat() may adjust the unix file time by a daylight saving time
  offset. Avoid this by calling GetFileTime() instead.
  
  Fixes #2164
  Closes #2204

Daniel Stenberg (5 Feb 2018)
- formdata: use the mime-content type function
  
  Reduce code duplication by making Curl_mime_contenttype available and
  used by the formdata function. This also makes the formdata function
  recognize a set of more file extensions by default.
  
  PR #2280 brought this to my attention.
  
  Closes #2282

- getdate: return -1 for out of range
  
  ...as that's how the function is documented to work.
  
  Reported-by: Michael Kaufmann
  Bug found in an autobuild with 32 bit time_t
  
  Closes #2278

- [Ben Greear brought this change]

  build: fix termios issue on android cross-compile
  
  Bug: https://curl.haxx.se/mail/lib-2018-01/0122.html
  Signed-off-by: Ben Greear <greearb@candelatech.com>

- time_t-fixes: remove typecasts to 'long' for info.filetime
  
  They're now wrong.
  
  Reported-by: Michael Kaufmann
  
  Closes #2277

- curl_setup: move the precautionary define of SIZEOF_TIME_T
  
  ... up to before it may be used for the TIME_T_MAX/MIN logic.
  
  Reported-by: Michael Kaufmann

- parsedate: s/#if/#ifdef
  
  Reported-by: Michael Kaufmann
  Bug: https://github.com/curl/curl/commit/1c39128d974666107fc6d9ea15f294036851f224#commitcomment-27246479

Patrick Monnerat (31 Jan 2018)
- fnmatch: pattern syntax can no longer fail
  
  Whenever an expected pattern syntax rule cannot be matched, the
  character starting the rule loses its special meaning and the parsing
  is resumed:
  - backslash at the end of pattern string matches itself.
  - Error in [:keyword:] results in set containing :\[dekorwy.
  
  Unit test 1307 updated for this new situation.
  
  Closes #2273

- fnmatch: accept an alphanum to be followed by a non-alphanum in char set
  
  Also be more tolerant about set pattern syntax.
  Update unit test 1307 accordingly.
  
  Bug: https://curl.haxx.se/mail/lib-2018-01/0114.html

- fnmatch: do not match the empty string with a character set

Jay Satiro (30 Jan 2018)
- build: fix windows build methods for curl_ctype.c
  
  - Fix winbuild and the VS project generator to treat curl_ctype.{c,h} as
    curlx files since they are required by both src and lib.
  
  Follow-up to 4272a0b which added curl_ctype.

Daniel Stenberg (30 Jan 2018)
- progress-bar.d: update to match implementation
  
  ... since commit 993dd5651a6
  
  Reported-by: Martin Dreher
  Bug: https://github.com/curl/curl/pull/2242#issuecomment-361059228
  
  Closes #2271

- http2: set DEBUG_HTTP2 to enable more HTTP/2 logging
  
  ... instead of doing it unconditionally in debug builds. It cluttered up
  the output a little too much.

- [Max Dymond brought this change]

  file: Check the return code from Curl_range and bail out on error

- [Max Dymond brought this change]

  Curl_range: add check to ensure "from <= to"

- [Max Dymond brought this change]

  Curl_range: commonize FTP and FILE range handling
  
  Closes #2205

- RELEASE-NOTES: synced with 811beab9f

- curlver: next release will be 7.59.0

- [Michał Janiszewski brought this change]

  curl/curl.h: fix comment typo for CURLOPT_DNS_LOCAL_IP6
  
  Closes #2275

- time: support > year 2038 time stamps for system with 32bit long
  
  ... with the introduction of CURLOPT_TIMEVALUE_LARGE and
  CURLINFO_FILETIME_T.
  
  Fixes #2238
  Closes #2264

- curl_easy_reset: clear digest auth state
  
  Bug: https://curl.haxx.se/mail/lib-2018-01/0074.html
  Reported-by: Ruurd Beerstra
  Fixes #2255
  Closes #2272

- [Adam Marcionek brought this change]

  winbuild: make linker generate proper PDB
  
  Link.exe requires /DEBUG to properly generate a full pdb file on release
  builds.
  
  Closes #2274

- curl: add --proxy-pinnedpubkey
  
  To verify a proxy's public key. For when using HTTPS proxies.
  
  Fixes #2192
  Closes #2268

- configure: set PATH_SEPARATOR to colon for PATH w/o separator
  
  The logic tries to figure out what the path separator in the $PATH
  variable is, but if there's only one directory in the $PATH it
  fails. This change make configure *guess* on colon instead of erroring
  out, simply because that is probably the more common character.
  
  PATH_SEPARATOR can always be set by the user to override the guessing.
  
  (tricky bug to reproduce, as in my case for example the configure script
  requires binaries in more than one directory so passing in a PATH with a
  single dir fails.)
  
  Reported-by: Earnestly on github
  Fixes #2202
  Closes #2265

- curl_ctype: private is*() type macros and functions
  
  ... since the libc provided one are locale dependent in a way we don't
  want. Also, the "native" isalnum() (for example) works differently on
  different platforms which caused test 1307 failures on macos only.
  
  Closes #2269

Marcel Raad (29 Jan 2018)
- build: open VC15 projects with VS 2017
  
  Previously, they were opened with Visual Studio 2015 by default, which
  cannot build them.

Daniel Stenberg (29 Jan 2018)
- RELEASE-NOTES: synced with 094647fca

- TODO: UTF-8 filenames in Content-Disposition
  
  Closes #1888

- KNOWN_BUGS: DICT responses show the underlying protocol
  
  Closes #1809

Jay Satiro (27 Jan 2018)
- [Alessandro Ghedini brought this change]

  docs: fix typos in man pages
  
  Closes https://github.com/curl/curl/pull/2266

Patrick Monnerat (26 Jan 2018)
- lib555: drop text conversion and encode data as ascii codes
  
  If CURL_DOES_CONVERSION is enabled, uploaded LFs are mapped to CRLFs,
  giving a result that is different from what is expected.
  This commit avoids using CURLOPT_TRANSFERTEXT and directly encodes data
  to upload in ascii.
  
  Bug: https://github.com/curl/curl/pull/1872

Daniel Stenberg (26 Jan 2018)
- lib517: make variable static to avoid compiler warning
  
  ... with clang on macos

Patrick Monnerat (26 Jan 2018)
- lib544: sync ascii code data with textual data
  
  Data mismatch caused test 545 to fail when character encoding
  conversion is enabled.
  
  Bug: https://github.com/curl/curl/pull/1872

Daniel Stenberg (25 Jan 2018)
- [Travis Burtrum brought this change]

  GSKit: restore pinnedpubkey functionality
  
  inadvertently removed in 283babfaf8d8f3bab9d3c63cea94eb0b84e79c37
  
  Closes #2263

- [Dair Grant brought this change]

  darwinssl: Don't import client certificates into Keychain on macOS
  
  Closes #2085

- configure: fix the check for unsigned time_t
  
  Assign the time_t variable negative value and then check if it is
  greater than zero, which will evaluate true for unsigned time_t but
  false for signed time_t.

- parsedate: fix date parsing for systems with 32 bit long
  
  Make curl_getdate() handle dates before 1970 as well (returning negative
  values).
  
  Make test 517 test dates for 64 bit time_t.
  
  This fixes bug (3) mentioned in #2238
  
  Closes #2250

- [McDonough, Tim brought this change]

  openssl: fix pinned public key build error in FIPS mode
  
  Here is a version that should work with all versions of openssl 0.9.7
  through 1.1.0.
  
  Links to the docs:
  https://www.openssl.org/docs/man1.0.2/crypto/EVP_DigestInit.html
  https://www.openssl.org/docs/man1.1.0/crypto/EVP_DigestInit.html
  
  At the very bottom of the 1.1.0 documentation there is a history section
  that states, " stack allocated EVP_MD_CTXs are no longer supported."
  
  If EVP_MD_CTX_create and EVP_MD_CTX_destroy are not defined, then a
  simple mapping can be used as described here:
  https://wiki.openssl.org/index.php/Talk:OpenSSL_1.1.0_Changes
  
  Closes #2258

- [Travis Burtrum brought this change]

  SChannel/WinSSL: Replace Curl_none_md5sum with Curl_schannel_md5sum

- [Travis Burtrum brought this change]

  SChannel/WinSSL: Implement public key pinning
  
  Closes #1429

- bump: towards 7.58.1

- cookies: remove verbose "cookie size:" output
  
  It was once used for some debugging/verifying logic but should never have
  ended up in git!

- TODO: hardcode the "localhost" addresses

- TODO: CURL_REFUSE_CLEARTEXT
  
  An idea that popped up in discussions on twitter.

- progress-bar: don't use stderr explicitly, use bar->out
  
  Reported-By: Gisle Vanem
  Bug: https://github.com/curl/curl/commit/993dd5651a6c853bfe3870f6a69c7b329fa4e8ce#commitcomment-27070080

GitHub (24 Jan 2018)
- [Gisle Vanem brought this change]

  Fixes for MSDOS etc.
  
  djgpp do have 'mkdir(dir, mode)'. Other DOS-compilers does not
  But djgpp seems the only choice for MSDOS anyway.
  
  PellesC do have a 'F_OK' defined in it's <unistd.h>.
  
  Update year in Copyright.

- [Gisle Vanem brought this change]

  Fix small typo.

Version 7.58.0 (23 Jan 2018)

Daniel Stenberg (23 Jan 2018)
- RELEASE: 7.58.0

- [Gisle Vanem brought this change]

  progress-bar: get screen width on windows

- test1454: --connect-to with IPv6 address w/o IPv6 support!

- CONNECT_TO: fail attempt to set an IPv6 numerical without IPv6 support
  
  Bug: https://curl.haxx.se/mail/lib-2018-01/0087.html
  Reported-by: John Hascall
  
  Closes #2257

- docs: fix man page syntax to make test 1140 OK again

- http: prevent custom Authorization headers in redirects
  
  ... unless CURLOPT_UNRESTRICTED_AUTH is set to allow them. This matches how
  curl already handles Authorization headers created internally.
  
  Note: this changes behavior slightly, for the sake of reducing mistakes.
  
  Added test 317 and 318 to verify.
