                                  _   _ ____  _
                              ___| | | |  _ \| |
                             / __| | | | |_) | |
                            | (__| |_| |  _ <| |___
                             \___|\___/|_| \_\_____|

                                  Changelog

Version 7.64.1 (27 Mar 2019)

Daniel Stenberg (27 Mar 2019)
- RELEASE: 7.64.1

- Revert "ntlm: remove USE_WIN32_CRYPTO check to get USE_NTLM2SESSION set"
  
  This reverts commit 9130ead9fcabdb6b8fbdb37c0b38be2d326adb00.
  
  Fixes #3708

- [Christian Schmitz brought this change]

  ntlm: remove USE_WIN32_CRYPTO check to get USE_NTLM2SESSION set
  
  Closes #3704

Jay Satiro (26 Mar 2019)
- tool_cb_wrt: fix writing to Windows null device NUL
  
  - Improve console detection.
  
  Prior to this change WriteConsole could be called to write to a handle
  that may not be a console, which would cause an error. This issue is
  limited to character devices that are not also consoles such as the null
  device NUL.
  
  Bug: https://github.com/curl/curl/issues/3175#issuecomment-439068724
  Reported-by: Gisle Vanem

- CURLMOPT_PIPELINING.3: fix typo

Daniel Stenberg (25 Mar 2019)
- TODO: config file parsing
  
  Closes #3698

Jay Satiro (24 Mar 2019)
- os400: Disable Alt-Svc by default since it's experimental
  
  Follow-up to 520f0b4 which added Alt-Svc support and enabled it by
  default for OS400. Since the feature is experimental, it should be
  disabled by default.
  
  Ref: https://github.com/curl/curl/commit/520f0b4#commitcomment-32792332
  Ref: https://curl.haxx.se/mail/lib-2019-02/0008.html
  
  Closes https://github.com/curl/curl/pull/3688

Dan Fandrich (24 Mar 2019)
- tests: Fixed XML validation errors in some test files.

- tests: Fix some incorrect precheck error messages.
  
  [ci skip]

Daniel Stenberg (22 Mar 2019)
- curl_url.3: this is not experimental anymore

- travis: bump the used wolfSSL version to 4.0.0
  
  Test 311 is now fine, leaving only 313 (CRL) disabled.
  
  Test 313 details can be found here:
  https://github.com/wolfSSL/wolfssl/issues/1546
  
  Closes #3697

Daniel Gustafsson (22 Mar 2019)
- lib: Fix typos in comments

David Woodhouse (20 Mar 2019)
- openssl: if cert type is ENG and no key specified, key is ENG too
  
  Fixes #3692
  Closes #3692

Daniel Stenberg (20 Mar 2019)
- sectransp: tvOS 11 is required for ALPN support
  
  Reported-by: nianxuejie on github
  Assisted-by: Nick Zitzmann
  Assisted-by: Jay Satiro
  Fixes #3689
  Closes #3690

- test1541: threaded connection sharing
  
  The threaded-shared-conn.c example turned into test case. Only works if
  pthread was detected.
  
  An attempt to detect future regressions such as e3a53e3efb942a5
  
  Closes #3687

Patrick Monnerat (17 Mar 2019)
- os400: alt-svc support.
  
  Although experimental, enable it in the platform config file.
  Upgrade ILE/RPG binding.

Daniel Stenberg (17 Mar 2019)
- conncache: use conn->data to know if a transfer owns it
  
  - make sure an already "owned" connection isn't returned unless
    multiplexed.
  
  - clear ->data when returning the connection to the cache again
  
  Regression since 7.62.0 (probably in commit 1b76c38904f0)
  
  Bug: https://curl.haxx.se/mail/lib-2019-03/0064.html
  
  Closes #3686

- RELEASE-NOTES: synced

- [Chris Young brought this change]

  configure: add --with-amissl
  
  AmiSSL is an Amiga native library which provides a wrapper over OpenSSL.
  It also requires all programs using it to use bsdsocket.library
  directly, rather than accessing socket functions through clib, which
  libcurl was not necessarily doing previously. Configure will now check
  for the headers and ensure they are included if found.
  
  Closes #3677

- [Chris Young brought this change]

  vtls: rename some of the SSL functions
  
  ... in the SSL structure as AmiSSL is using macros for the socket API
  functions.

- [Chris Young brought this change]

  tool_getpass: termios.h is present on AmigaOS 3, but no tcgetattr/tcsetattr

- [Chris Young brought this change]

  tool_operate: build on AmigaOS

- makefile: make checksrc and hugefile commands "silent"
  
  ... to match the style already used for compiling, linking
  etc. Acknowledges 'make V=1' to enable verbose.
  
  Closes #3681

- curl.1: --user and --proxy-user are hidden from ps output
  
  Suggested-by: Eric Curtin
  Improved-by: Dan Fandrich
  Ref: #3680
  
  Closes #3683

- curl.1: mark the argument to --cookie as <data|filename>
  
  From a discussion in #3676
  
  Suggested-by: Tim Rühsen
  
  Closes #3682

Dan Fandrich (14 Mar 2019)
- fuzzer: Only clone the latest fuzzer code, for speed.

Daniel Stenberg (14 Mar 2019)
- [Dominik Hölzl brought this change]

  Negotiate: fix for HTTP POST with Negotiate
  
  * Adjusted unit tests 2056, 2057
  * do not generally close connections with CURLAUTH_NEGOTIATE after every request
  * moved negotiatedata from UrlState to connectdata
  * Added stream rewind logic for CURLAUTH_NEGOTIATE
  * introduced negotiatedata::GSS_AUTHDONE and negotiatedata::GSS_AUTHSUCC
  * Consider authproblem state for CURLAUTH_NEGOTIATE
  * Consider reuse_forbid for CURLAUTH_NEGOTIATE
  * moved and adjusted negotiate authentication state handling from
    output_auth_headers into Curl_output_negotiate
  * Curl_output_negotiate: ensure auth done is always set
  * Curl_output_negotiate: Set auth done also if result code is
    GSS_S_CONTINUE_NEEDED/SEC_I_CONTINUE_NEEDED as this result code may
    also indicate the last challenge request (only works with disabled
    Expect: 100-continue and CURLOPT_KEEP_SENDING_ON_ERROR -> 1)
  * Consider "Persistent-Auth" header, detect if not present;
    Reset/Cleanup negotiate after authentication if no persistent
    authentication
  * apply changes introduced with #2546 for negotiate rewind logic
  
  Fixes #1261
  Closes #1975

- [Marc Schlatter brought this change]

  http: send payload when (proxy) authentication is done
  
  The check that prevents payload from sending in case of authentication
  doesn't check properly if the authentication is done or not.
  
  They're cases where the proxy respond "200 OK" before sending
  authentication challenge. This change takes care of that.
  
  Fixes #2431
  Closes #3669

- file: fix "Checking if unsigned variable 'readcount' is less than zero."
  
  Pointed out by codacy
  
  Closes #3672

- memdebug: log pointer before freeing its data
  
  Coverity warned for two potentional "Use after free" cases. Both are false
  positives because the memory wasn't used, it was only the actual pointer
  value that was logged.
  
  The fix still changes the order of execution to avoid the warnings.
  
  Coverity CID 1443033 and 1443034
  
  Closes #3671

- RELEASE-NOTES: synced

Marcel Raad (12 Mar 2019)
- travis: actually use updated compiler versions
  
  For the Linux builds, GCC 8 and 7 and clang 7 were installed, but the
  new GCC versions were only used for the coverage build and for building
  nghttp2, while the new clang version was not used at all.
  
  BoringSSL needs to use the default GCC as it respects CC, but not CXX,
  so it would otherwise pass gcc 8 options to g++ 4.8 and fail.
  
  Also remove GCC 7, it's not needed anymore.
  
  Ref: https://docs.travis-ci.com/user/languages/c/#c11c11-and-beyond-and-toolchain-versioning
  
  Closes https://github.com/curl/curl/pull/3670

- travis: update clang to version 7
  
  Closes https://github.com/curl/curl/pull/3670

Jay Satiro (11 Mar 2019)
- [Andre Guibert de Bruet brought this change]

  examples/externalsocket: add missing close socket calls
  
  .. and for Windows also call WSACleanup since we call WSAStartup.
  
  The example is to demonstrate handling the socket independently of
  libcurl. In this case libcurl is not responsible for creating, opening
  or closing the socket, it is handled by the application (our example).
  
  Fixes https://github.com/curl/curl/pull/3663

Daniel Stenberg (11 Mar 2019)
- multi: removed unused code for request retries
  
  This code was once used for the non multi-interface using code path, but
  ever since easy_perform was turned into a wrapper around the multi
  interface, this code path never runs.
  
  Closes #3666

Jay Satiro (11 Mar 2019)
- doh: inherit some SSL options from user's easy handle
  
  - Inherit SSL options for the doh handle but not SSL client certs,
    SSL ALPN/NPN, SSL engine, SSL version, SSL issuer cert,
    SSL pinned public key, SSL ciphers, SSL id cache setting,
    SSL kerberos or SSL gss-api settings.
  
  - Fix inheritance of verbose setting.
  
  - Inherit NOSIGNAL.
  
  There is no way for the user to set options for the doh (DNS-over-HTTPS)
  handles and instead we inherit some options from the user's easy handle.
  
  My thinking for the SSL options not inherited is they are most likely
  not intended by the user for the DOH transfer. I did inherit insecure
  because I think that should still be in control of the user.
  
  Prior to this change doh did not work for me because CAINFO was not
  inherited. Also verbose was set always which AFAICT was a bug (#3660).
  
  Fixes https://github.com/curl/curl/issues/3660
  Closes https://github.com/curl/curl/pull/3661

Daniel Stenberg (9 Mar 2019)
- test331: verify set-cookie for dotless host name
  
  Reproduced bug #3649
  Closes #3659

- Revert "cookies: extend domain checks to non psl builds"
  
  This reverts commit 3773de378d48b06c09931e44dca4d274d0bfdce0.
  
  Regression shipped in 7.64.0
  Fixes #3649

- memdebug: make debug-specific functions use curl_dbg_ prefix
  
  To not "collide" or use up the regular curl_ name space. Also makes them
  easier to detect in helper scripts.
  
  Closes #3656

- cmdline-opts/proxytunnel.d: the option tunnnels all protocols
  
  Clarify the language and simplify.
  
  Reported-by: Daniel Lublin
  Closes #3658

- KNOWN_BUGS: Client cert (MTLS) issues with Schannel
  
  Closes #3145

- ROADMAP: updated to some more current things to work on

- tests: fix multiple may be used uninitialized warnings

- RELEASE-NOTES: synced

- source: fix two 'nread' may be used uninitialized warnings
  
  Both seem to be false positives but we don't like warnings.
  
  Closes #3646

- gopher: remove check for path == NULL
  
  Since it can't be NULL and it makes Coverity believe we lack proper NULL
  checks. Verified by test 659, landed in commit 15401fa886b.
  
  Pointed out by Coverity CID 1442746.
  
  Assisted-by: Dan Fandrich
  Fixes #3617
  Closes #3642

- examples: only include <curl/curl.h>
  
  That's the only public curl header we should encourage use of.
  
  Reviewed-by: Marcel Raad
  Closes #3645

- ssh: loop the state machine if not done and not blocking
  
  If the state machine isn't complete, didn't fail and it didn't return
  due to blocking it can just as well loop again.
  
  This addresses the problem with SFTP directory listings where we would
  otherwise return back to the parent and as the multi state machine
  doesn't have any code for using CURLM_CALL_MULTI_PERFORM for as long the
  doing phase isn't complete, it would return out when in reality there
  was more data to deal with.
  
  Fixes #3506
  Closes #3644

Jay Satiro (5 Mar 2019)
- multi: support verbose conncache closure handle
  
  - Change closure handle to receive verbose setting from the easy handle
    most recently added via curl_multi_add_handle.
  
  The closure handle is a special easy handle used for closing cached
  connections. It receives limited settings from the easy handle most
  recently added to the multi handle. Prior to this change that did not
  include verbose which was a problem because on connection shutdown
  verbose mode was not acknowledged.
  
  Ref: https://github.com/curl/curl/pull/3598
  
  Co-authored-by: Daniel Stenberg
  
  Closes https://github.com/curl/curl/pull/3618

Daniel Stenberg (4 Mar 2019)
- CURLU: fix NULL dereference when used over proxy
  
  Test 659 verifies
  
  Also fixed the test 658 name
  
  Closes #3641

- altsvc_out: check the return code from Curl_gmtime
  
  Pointed out by Coverity, CID 1442956.
  
  Closes #3640

- docs/ALTSVC.md: docs describing the approach
  
  Closes #3498

- alt-svc: add a travis build

- alt-svc: add test 355 and 356 to verify with command line curl

- alt-svc: the curl command line bits

- alt-svc: the libcurl bits

- travis: add build using gnutls
  
  Closes #3637

- RELEASE-NOTES: synced

- [Simon Legner brought this change]

  scripts/completion.pl: also generate fish completion file
  
  This is the renamed script formerly known as zsh.pl
  
  Closes #3545

- gnutls: remove call to deprecated gnutls_compression_get_name
  
  It has been deprecated by GnuTLS since a year ago and now causes build
  warnings.
  
  Ref: https://gitlab.com/gnutls/gnutls/commit/b0041897d2846737f5fb0f
  Docs: https://www.gnutls.org/manual/html_node/Compatibility-API.html
  
  Closes #3636

Jay Satiro (2 Mar 2019)
- system_win32: move win32_init here from easy.c
  
  .. since system_win32 is a more appropriate location for the functions
  and to extern the globals.
  
  Ref: https://github.com/curl/curl/commit/ca597ad#r32446578
  Reported-by: Gisle Vanem
  
  Closes https://github.com/curl/curl/pull/3625

Daniel Stenberg (1 Mar 2019)
- curl_easy_duphandle.3: clarify that a duped handle has no shares
  
  Reported-by: Sara Golemon
  
  Fixes #3592
  Closes #3634

- 10-at-a-time.c: fix too long line

- [Arnaud Rebillout brought this change]

  examples: various fixes in ephiperfifo.c
  
  The main change here is the timer value that was wrong, it was given in
  usecs (ms * 1000), while the itimerspec struct wants nsecs (ms * 1000 *
  1000). This resulted in the callback being invoked WAY TOO OFTEN.
  
  As a quick check you can run this command before and after applying this
  commit:
  
      # shell 1
      ./ephiperfifo 2>&1 | tee ephiperfifo.log
      # shell 2
      echo http://hacking.elboulangero.com > hiper.fifo
  
  Then just compare the size of the logs files.
  
  Closes #3633
  Fixes #3632
  Signed-off-by: Arnaud Rebillout <arnaud.rebillout@collabora.com>

- urldata: simplify bytecounters
  
  - no need to have them protocol specific
  
  - no need to set pointers to them with the Curl_setup_transfer() call
  
  - make Curl_setup_transfer() operate on a transfer pointer, not
    connection
  
  - switch some counters from long to the more proper curl_off_t type
  
  Closes #3627

- examples/10-at-a-time.c: improve readability and simplify
  
   - use better variable names to explain their purposes
   - convert logic to curl_multi_wait()

- threaded-resolver: shutdown the resolver thread without error message
  
  When a transfer is done, the resolver thread will be brought down. That
  could accidentally generate an error message in the error buffer even
  though this is not an error situationand the transfer would still return
  OK.  An application that still reads the error buffer could find a
  "Could not resolve host: [host name]" message there and get confused.
  
  Reported-by: Michael Schmid
  Fixes #3629
  Closes #3630

- [Ԝеѕ brought this change]

  docs: update max-redirs.d phrasing
  
  clarify redir - "in absurdum" doesn't seem to make sense in this context
  
  Closes #3631

- ssh: fix Condition '!status' is always true
  
  in the same sftp_done function in both SSH backends. Simplify them
  somewhat.
  
  Pointed out by Codacy.
  
  Closes #3628

- test578: make it read data from the correct test

- Curl_easy: remove req.maxfd - never used!
  
  Introduced in 8b6314ccfb, but not used anymore in current code. Unclear
  since when.
  
  Closes #3626

- http: set state.infilesize when sending formposts
  
  Without it set, we would unwillingly triger the "HTTP error before end
  of send, stop sending" condition even if the entire POST body had been
  sent (since it wouldn't know the expected size) which would
  unnecessarily log that message and close the connection when it didn't
  have to.
  
  Reported-by: Matt McClure
  Bug: https://curl.haxx.se/mail/archive-2019-02/0023.html
  Closes #3624

- INSTALL: refer to the current TLS library names and configure options

- FAQ: minor updates and spelling fixes

- GOVERNANCE.md: minor spelling fixes

- Secure Transport: no more "darwinssl"
  
  Everyone calls it Secure Transport, now we do too.
  
  Reviewed-by: Nick Zitzmann
  
  Closes #3619

Marcel Raad (27 Feb 2019)
- AppVeyor: add classic MinGW build
  
  But use the MSYS2 shell rather than the default MSYS shell because of
  POSIX path conversion issues. Classic MinGW is only available on the
  Visual Studio 2015 image.
  
  Closes https://github.com/curl/curl/pull/3623

- AppVeyor: add MinGW-w64 build
  
  Add a MinGW-w64 build using CMake's MSYS Makefiles generator.
  Use the Visual Studio 2015 image as it has GCC 8, while the
  Visual Studio 2017 image only has GCC 7.2.
  
  Closes https://github.com/curl/curl/pull/3623

Daniel Stenberg (27 Feb 2019)
- cookies: only save the cookie file if the engine is enabled
  
  Follow-up to 8eddb8f4259.
  
  If the cookieinfo pointer is NULL there really is nothing to save.
  
  Without this fix, we got a problem when a handle was using shared object
  with cookies and is told to "FLUSH" it to file (which worked) and then
  the share object was removed and when the easy handle was closed just
  afterwards it has no cookieinfo and no cookies so it decided to save an
  empty jar (overwriting the file just flushed).
  
  Test 1905 now verifies that this works.
  
  Assisted-by: Michael Wallner
  Assisted-by: Marcel Raad
  
  Closes #3621

- [DaVieS brought this change]

  cacertinmem.c: use multiple certificates for loading CA-chain
  
  Closes #3421

- urldata: convert bools to bitfields and move to end
  
  This allows the compiler to pack and align the structs better in
  memory. For a rather feature-complete build on x86_64 Linux, gcc 8.1.2
  makes the Curl_easy struct 4.9% smaller. From 6312 bytes to 6000.
  
  Removed an unused struct field.
  
  No functionality changes.
  
  Closes #3610

- [Don J Olmstead brought this change]

  curl.h: use __has_declspec_attribute for shared builds
  
  Closes #3616

- curl: display --version features sorted alphabetically
  
  Closes #3611

- runtests: detect "schannel" as an alias for "winssl"
  
  Follow-up to 180501cb02
  
  Reported-by: Marcel Raad
  Fixes #3609
  Closes #3620

Marcel Raad (26 Feb 2019)
- AppVeyor: update to Visual Studio 2017
  
  Switch all Visual Studio 2015 builds to Visual Studio 2017. It's not a
  moving target anymore as the last update, Update 9, has been released.
  
  Closes https://github.com/curl/curl/pull/3606

- AppVeyor: switch VS 2015 builds to VS 2017 image
  
  The Visual Studio 2017 image has Visual Studio 2015 and 2017 installed.
  
  Closes https://github.com/curl/curl/pull/3606

- AppVeyor: explicitly select worker image
  
  Currently, we're using the default Visual Studio 2015 image for
  everything.
  
  Closes https://github.com/curl/curl/pull/3606

Daniel Stenberg (26 Feb 2019)
- strerror: make the strerror function use local buffers
  
  Instead of using a fixed 256 byte buffer in the connectdata struct.
  
  In my build, this reduces the size of the connectdata struct by 11.8%,
  from 2160 to 1904 bytes with no functionality or performance loss.
  
  This also fixes a bug in schannel's Curl_verify_certificate where it
  called Curl_sspi_strerror when it should have called Curl_strerror for
  string from GetLastError. the only effect would have been no text or the
  wrong text being shown for the error.
  
  Co-authored-by: Jay Satiro
  
  Closes #3612

- [Michael Wallner brought this change]

  cookies: fix NULL dereference if flushing cookies with no CookieInfo set
  
  Regression brought by a52e46f3900fb0 (shipped in 7.63.0)
  
  Closes #3613

Marcel Raad (26 Feb 2019)
- AppVeyor: re-enable test 500
  
  It's passing now.
  
  Closes https://github.com/curl/curl/pull/3615

- AppVeyor: remove redundant builds
  
  Remove the Visual Studio 2012 and 2013 builds as they add little value.
  
  Ref: https://github.com/curl/curl/pull/3606
  Closes https://github.com/curl/curl/pull/3614

Daniel Stenberg (25 Feb 2019)
- RELEASE-NOTES: synced

- [Bernd Mueller brought this change]

  OpenSSL: add support for TLS ASYNC state
  
  Closes #3591

Jay Satiro (25 Feb 2019)
- [Michael Felt brought this change]

  acinclude: add additional libraries to check for LDAP support
  
  - Add an additional check for LDAP that also checks for OpenSSL since
    on AIX those libraries may be required to link LDAP properly.
  
  Fixes https://github.com/curl/curl/issues/3595
  Closes https://github.com/curl/curl/pull/3596

- [georgeok brought this change]

  schannel: support CALG_ECDH_EPHEM algorithm
  
  Add support for Ephemeral elliptic curve Diffie-Hellman key exchange
  algorithm option when selecting ciphers. This became available on the
  Win10 SDK.
  
  Closes https://github.com/curl/curl/pull/3608

Daniel Stenberg (24 Feb 2019)
- multi: call multi_done on connect timeouts
  
  Failing to do so would make the CURLINFO_TOTAL_TIME timeout to not get
  updated correctly and could end up getting reported to the application
  completely wrong (way too small).
  
  Reported-by: accountantM on github
  Fixes #3602
  Closes #3605

- examples: remove recursive calls to curl_multi_socket_action
  
  From within the timer callbacks. Recursive is problematic for several
  reasons. They should still work, but this way the examples and the
  documentation becomes simpler. I don't think we need to encourage
  recursive calls.
  
  Discussed in #3537
  Closes #3601

Marcel Raad (23 Feb 2019)
- configure: remove CURL_CHECK_FUNC_FDOPEN call
  
  The macro itself has been removed in commit
  11974ac859c5d82def59e837e0db56fef7f6794e.
  
  Closes https://github.com/curl/curl/pull/3604

Daniel Stenberg (23 Feb 2019)
- wolfssl: stop custom-adding curves
  
  since wolfSSL PR https://github.com/wolfSSL/wolfssl/pull/717 (shipped in
  wolfSSL 3.10.2 and later) it sends these curves by default already.
  
  Pointed-out-by: David Garske
  
  Closes #3599

- configure: remove the unused fdopen macro
  
  and the two remaining #ifdefs for it
  
  Closes #3600

Jay Satiro (22 Feb 2019)
- url: change conn shutdown order to unlink data as last step
  
  - Split off connection shutdown procedure from Curl_disconnect into new
    function conn_shutdown.
  
  - Change the shutdown procedure to close the sockets before
    disassociating the transfer.
  
  Prior to this change the sockets were closed after disassociating the
  transfer so SOCKETFUNCTION wasn't called since the transfer was already
  disassociated. That likely came about from recent work started in
  Jan 2019 (#3442) to separate transfers from connections.
  
  Bug: https://curl.haxx.se/mail/lib-2019-02/0101.html
  Reported-by: Pavel Löbl
  
  Closes https://github.com/curl/curl/issues/3597
  Closes https://github.com/curl/curl/pull/3598

Marcel Raad (22 Feb 2019)
- Fix strict-prototypes GCC warning
  
  As seen in the MinGW autobuilds. Caused by commit
  f26bc29cfec0be84c67cf74065cf8e5e78fd68b7.

Dan Fandrich (21 Feb 2019)
- tests: Fixed XML validation errors in some test files.

Daniel Stenberg (20 Feb 2019)
- TODO: Allow SAN names in HTTP/2 server push
  
  Suggested-by: Nicolas Grekas

- RELEASE-NOTES: synced

- curl: remove MANUAL from -M output
  
  ... and remove it from the dist tarball. It has served its time, it
  barely gets updated anymore and "everything curl" is now convering all
  this document once tried to include, and does it more and better.
  
  In the compressed scenario, this removes ~15K data from the binary,
  which is 25% of the -M output.
  
  It remains in the git repo for now for as long as the web site builds a
  page using that as source. It renders poorly on the site (especially for
  mobile users) so its not even good there.
  
  Closes #3587

- http2: verify :athority in push promise requests
  
  RFC 7540 says we should verify that the push is for an "authoritative"
  server. We make sure of this by only allowing push with an :athority
  header that matches the host that was asked for in the URL.
  
  Fixes #3577
  Reported-by: Nicolas Grekas
  Bug: https://curl.haxx.se/mail/lib-2019-02/0057.html
  Closes #3581

- singlesocket: fix the 'sincebefore' placement
  
  The variable wasn't properly reset within the loop and thus could remain
  set for sockets that hadn't been set before and miss notifying the app.
  
  This is a follow-up to 4c35574 (shipped in curl 7.64.0)
  
  Reported-by: buzo-ffm on github
  Detected-by: Jan Alexander Steffens
  Fixes #3585
  Closes #3589

- connection: never reuse CONNECT_ONLY conections
  
  and make CONNECT_ONLY conections never reuse any existing ones either.
  
  Reported-by: Pavel Löbl
  Bug: https://curl.haxx.se/mail/lib-2019-02/0064.html
  Closes #3586

Patrick Monnerat (19 Feb 2019)
- cli tool: fix mime post with --disable-libcurl-option configure option
  
  Reported-by: Marcel Raad
  Fixes #3576
  Closes #3583

Daniel Stenberg (19 Feb 2019)
- x509asn1: cleanup and unify code layout
  
  - rename 'n' to buflen in functions, and use size_t for them. Don't pass
    in negative buffer lengths.
  
  - move most function comments to above the function starts like we use
    to
  
  - remove several unnecessary typecasts (especially of NULL)
  
  Reviewed-by: Patrick Monnerat
  Closes #3582

- curl_multi_remove_handle.3: use at any time, just not from within callbacks
  
  [ci skip]

- http: make adding a blank header thread-safe
  
  Previously the function would edit the provided header in-place when a
  semicolon is used to signify an empty header. This made it impossible to
  use the same set of custom headers in multiple threads simultaneously.
  
  This approach now makes a local copy when it needs to edit the string.
  
  Reported-by: d912e3 on github
  Fixes #3578
  Closes #3579

- unit1651: survive curl_easy_init() fails

- [Frank Gevaerts brought this change]

  rand: Fix a mismatch between comments in source and header.
  
  Reported-by: Björn Stenberg <bjorn@haxx.se>
  Closes #3584

Patrick Monnerat (18 Feb 2019)
- x509asn1: replace single char with an array
  
  Although safe in this context, using a single char as an array may
  cause invalid accesses to adjacent memory locations.
  
  Detected by Coverity.

Daniel Stenberg (18 Feb 2019)
- examples/http2-serverpush: add some sensible error checks
  
  To avoid NULL pointer dereferences etc in the case of problems.
  
  Closes #3580

Jay Satiro (18 Feb 2019)
- easy: fix win32 init to work without CURL_GLOBAL_WIN32
  
  - Change the behavior of win32_init so that the required initialization
    procedures are not affected by CURL_GLOBAL_WIN32 flag.
  
  libcurl via curl_global_init supports initializing for win32 with an
  optional flag CURL_GLOBAL_WIN32, which if omitted was meant to stop
  Winsock initialization. It did so internally by skipping win32_init()
  when that flag was set. Since then win32_init() has been expanded to
  include required initialization routines that are separate from
  Winsock and therefore must be called in all cases. This commit fixes
  it so that CURL_GLOBAL_WIN32 only controls the optional win32
  initialization (which is Winsock initialization, according to our doc).
  
  The only users affected by this change are those that don't pass
  CURL_GLOBAL_WIN32 to curl_global_init. For them this commit removes the
  risk of a potential crash.
  
  Ref: https://github.com/curl/curl/pull/3573
  
  Fixes https://github.com/curl/curl/issues/3313
  Closes https://github.com/curl/curl/pull/3575

Daniel Gustafsson (17 Feb 2019)
- cookie: Add support for cookie prefixes
  
  The draft-ietf-httpbis-rfc6265bis-02 draft, specify a set of prefixes
  and how they should affect cookie initialization, which has been
  adopted by the major browsers. This adds support for the two prefixes
  defined, __Host- and __Secure, and updates the testcase with the
  supplied examples from the draft.
  
  Closes #3554
  Reviewed-by: Daniel Stenberg <daniel@haxx.se>

- mbedtls: release sessionid resources on error
  
  If mbedtls_ssl_get_session() fails, it may still have allocated
  memory that needs to be freed to avoid leaking. Call the library
  API function to release session resources on this errorpath as
  well as on Curl_ssl_addsessionid() errors.
  
  Closes: #3574
  Reported-by: Michał Antoniak <M.Antoniak@posnet.com>
  Reviewed-by: Daniel Stenberg <daniel@haxx.se>

Patrick Monnerat (16 Feb 2019)
- cli tool: refactor encoding conversion sequence for switch case fallthrough.

- version.c: silent scan-build even when librtmp is not enabled

Daniel Stenberg (15 Feb 2019)
- RELEASE-NOTES: synced

- Curl_now: figure out windows version in win32_init
  
  ... and avoid use of static variables that aren't thread safe.
  
  Fixes regression from e9ababd4f5a (present in the 7.64.0 release)
  
  Reported-by: Paul Groke
  Fixes #3572
  Closes #3573

Marcel Raad (15 Feb 2019)
- unit1307: just fail without FTP support
  
  I missed to check this in with commit
  71786c0505926aaf7e9b2477b2fb7ee16a915ec6, which only disabled the test.
  This fixes the actual linker error.
  
  Closes https://github.com/curl/curl/pull/3568

Daniel Stenberg (15 Feb 2019)
