                                  _   _ ____  _
                              ___| | | |  _ \| |
                             / __| | | | |_) | |
                            | (__| |_| |  _ <| |___
                             \___|\___/|_| \_\_____|

                                  Changelog

Version 7.83.1 (11 May 2022)

Daniel Stenberg (11 May 2022)
- RELEASE-NOTES: synced
  
  curl 7.83.1 release

- THANKS: added contributors from 7.83.1

- zuul: fix the ngtcp2-gnutls build
  
  Add packages and tweak the configure options.
  
  Use the GnuTLS 3.7.4 branch (not main).
  
  Closes #8829

- [Tatsuhiro Tsujikawa brought this change]

  ngtcp2: add ca-fallback support for OpenSSL backend
  
  Closes #8828

- url: check SSH config match on connection reuse
  
  CVE-2022-27782
  
  Reported-by: Harry Sintonen
  Bug: https://curl.se/docs/CVE-2022-27782.html
  Closes #8825

- tls: check more TLS details for connection reuse
  
  CVE-2022-27782
  
  Reported-by: Harry Sintonen
  Bug: https://curl.se/docs/CVE-2022-27782.html
  Closes #8825

- cookies: make bad_domain() not consider a trailing dot fine
  
  The check for a dot in the domain must not consider a single trailing
  dot to be fine, as then TLD + trailing dot is fine and curl will accept
  setting cookies for it.
  
  CVE-2022-27779
  
  Reported-by: Axel Chong
  Bug: https://curl.se/docs/CVE-2022-27779.html
  Closes #8820

- test977: reproduce ability to set cookie on TLD
  
  When PSL is not enabled

- scripts/contributors.sh: correct the copyright range

- docs/RELEASE-PROCEDURE.md: refreshed and adjsuted the release dates

- test379: verify --remove-on-error with --no-clobber

- post_per_transfer: remove the updated file name
  
  When --remove-on-error is used with --no-clobber, it might have an
  updated file name to remove.
  
  Bug: https://curl.se/docs/CVE-2022-27778.html
  
  CVE-2022-27778
  
  Reported-by: Harry Sintonen
  
  Closes #8824

- hsts: ignore trailing dots when comparing hosts names
  
  CVE-2022-30115
  
  Reported-by: Axel Chong
  Bug: https://curl.se/docs/CVE-2022-30115.html
  Closes #8821

- test440/441: verify HSTS with trailing dots

- libtest/lib1560: verify the host name percent decode fix

- urlapi: reject percent-decoding host name into separator bytes
  
  CVE-2022-27780
  
  Reported-by: Axel Chong
  Bug: https://curl.se/docs/CVE-2022-27780.html
  Closes #8826

- nss: return error if seemingly stuck in a cert loop
  
  CVE-2022-27781
  
  Reported-by: Florian Kohnhäuser
  Bug: https://curl.se/docs/CVE-2022-27781.html
  Closes #8822

- test412/413: verify alt-svc with trailing dots

- altsvc: fix host name matching for trailing dots
  
  Closes #8819

- [Garrett Squire brought this change]

  hyper: fix test 357
  
  This change fixes the hyper API such that PUT requests that receive a
  417 response can retry without the Expect header.
  
  Closes #8811

- [Harry Sintonen brought this change]

  sectransp: bail out if SSLSetPeerDomainName fails
  
  Before the code would just warn about SSLSetPeerDomainName() errors.
  
  Closes #8798

- http_proxy/hyper: handle closed connections
  
  Enable test 1021 for hyper builds.
  
  Patched-by: Prithvi MK
  Fixes #8700
  Closes #8806

- KNOWN_BUGS: timeout when reusing a http3 connection
  
  Closes #8764

- KNOWN_BUGS: configure --with-ca-fallback is not supported by h3
  
  Closes #8696

- [Ryan Schmidt brought this change]

  Makefile: fix "make ca-firefox"
  
  Closes #8804

Daniel Gustafsson (5 May 2022)
- tests: fix markdown formatting in README
  
  The asterisk in the abbreviation *NIX (for UNIX/Linux) needs to be
  escaped to not mean start of italic formatting. This is consistent
  with docs/RELEASE-PROCEDURE.md.
  
  Closes: #8802
  Reviewed-by: Daniel Stenberg <daniel@haxx.se>

Daniel Stenberg (5 May 2022)
- TODO: expand on "Expose tried IP addresses that failed"
  
  Ref: #8794

Daniel Gustafsson (5 May 2022)
- [Fabian Keil brought this change]

  tests/server: declare variable 'reqlogfile' static
  
  Silences the warning:
  
       CC       socksd-socksd.o
     socksd.c:143:13: warning: no previous extern declaration for
      non-static variable 'reqlogfile' [-Wmissing-variable-declarations]
     const char *reqlogfile = DEFAULT_REQFILE;
                 ^
     socksd.c:143:7: note: declare 'static' if the variable is not
      intended to be used outside of this translation unit
     const char *reqlogfile = DEFAULT_REQFILE;
           ^
     1 warning generated.
  
  ... when compiling with clang 13.
  
  Closes: #8799
  Reviewed-by: Daniel Gustafsson <daniel@yesql.se>

- HTTP-COOKIES: add missing CURLOPT_COOKIESESSION
  
  Commit 980a47b42 added support for ignoring session cookies, but it
  was never added to the documentation.
  
  Closes: #8795
  Reviewed-by: Daniel Stenberg <daniel@haxx.se>

Daniel Stenberg (5 May 2022)
- docs/THANKS: remove name duplicate

- [Philip H brought this change]

  .mailmap: update
  
  Closes #8800

Jay Satiro (5 May 2022)
- mbedtls: fix some error messages
  
  Prior to this change some of the error messages misidentified the
  function that failed.

Daniel Stenberg (5 May 2022)
- RELEASE-NOTES: synced

- [Sergey Markelov brought this change]

  x509asn1: make do_pubkey handle EC public keys
  
  Closes #8757

- [Harry Sintonen brought this change]

  mbedtls: bail out if rng init fails
  
  There was a failf() call but no actual error return.
  
  Closes #8796

- [Sergey Markelov brought this change]

  urlapi: address (harmless) UndefinedBehavior sanitizer warning
  
  `while(i--)` causes runtime error: unsigned integer overflow: 0 - 1
  cannot be represented in type 'size_t' (aka 'unsigned long')
  
  Closes #8797

- [Fabian Keil brought this change]

  test{898,974,976}: add 'HTTP proxy' keywords
  
  ... so the tests can be automatically skipped when
  testing external HTTP proxies like Privoxy.
  
  Closes #8791

- [Harry Sintonen brought this change]

  gskit_connect_step1: fixed bogus setsockopt calls
  
  setsockopt takes a reference to value, not value. With the current
  code this just leads to -1 return value with errno EFAULT.
  
  Closes #8793

- CURLOPT_SSH_AUTH_TYPES.3: fix the default
  
  The default is all possible methods.
  
  Closes #8792

- CURLOPT_DOH_URL.3: mention the known bug
  
  It is mostly duplicating info from KNOWN_BUGS but make it easier to find
  for users of this option.
  
  Closes #8790

- CURLOPT_HSTS*FUNCTION.3: document the involved structs as well
  
  Reviewed-By: Daniel Gustafsson
  Closes #8788

- docs/SECURITY-PROCESS.md: "Visible command line arguments"

- SECURITY-PROCESS: mention "URL inconsistencies"
  
  ... as common problems that are *not* vulns.

Daniel Gustafsson (2 May 2022)
- contributors: strip off final comma
  
  The final row of contributors should not end with a comma as it's the
  end of the list.
  
  Closes: #8785
  Reviewed-by: Daniel Stenberg <daniel@haxx.se>

Daniel Stenberg (2 May 2022)
- [Philip H brought this change]

  misc: use "autoreconf -fi" instead buildconf
  
  Signed-off-by: Philip H <47042125+pheiduck@users.noreply.github.com>
  Closes #8777

Daniel Gustafsson (2 May 2022)
- [Philip H brought this change]

  cirrus: Use pip for Python packages on FreeBSD
  
  Using pip instead of easy_install is more in line with how other
  CI images are being maintained.
  
  Closes: #8783
  Reviewed-by: Daniel Gustafsson <daniel@yesql.se>

- [Philip H brought this change]

  cirrus: Update to FreeBSD 12.3
  
  Closes: #8783
  Reviewed-by: Daniel Gustafsson <daniel@yesql.se>

- tool_getparam: simplify conditional statement
  
  param_place cannot be NULL here since we immediately efter this block
  perform arithmetic on it (and use it in order to get here) so there is
  little reason to check.
  
  Closes: #8786
  Reviewed-by: Daniel Stenberg <daniel@haxx.se>

- RELEASE-NOTES: synced

- gskit: remove unused function set_callback
  
  This function has been unused since the initial commit of the GSKit
  backend in 0eba02fd4.  The motivation for the code was getting the
  whole certificate chain: the only place where the latter is available
  is as a callback parameter.  Unfortunately it is not possible to pass
  a user pointer to this callback, which precludes the possibility to
  associate the cert chain with a data/conn structure.
  
  For further information, search for pgsk_cert_validation_callback on:
  https://www.ibm.com/docs/api/v1/content/ssw_ibm_i_71/apis/gsk_attribute_set_callback.htm
  
  As the upstream library never added a parameter like that to the API,
  we give up the wait and remove the dead code.
  
  Closes: #8782
  Reviewed-by: Patrick Monnerat <patrick@monnerat.net>

- curl: free resource in error path
  
  If the new filename cannot be generated due to memory pressure, free
  the allocated aname on the way out to avoid a small leak.
  
  Closes: #8770
  Reviewed-by: Daniel Stenberg <daniel@haxx.se>

- curl: guard against size_t wraparound in no-clobber code
  
  When generating the new filename, make sure we aren't overflowing the
  size_t limit when calculating the new length. This is mostly academic
  but good code hygeine nonetheless.
  
  Closes: #8771
  Reviewed-by: Daniel Stenberg <daniel@haxx.se>

Daniel Stenberg (30 Apr 2022)
- gha: build msh3
  
  Closes #8779

- scripts/cijobs.pl: try "current branch" first then "master"

- [Yusuke Nakamura brought this change]

  msh3: get msh3 version from MsH3Version
  
  Closes #8762

- [Yusuke Nakamura brought this change]

  msh3: psss remote_port to MsH3ConnectionOpen
  
  MsH3 supported additional "Port" parameter to connect not hosted on
  443 port QUIC website.
  
  * https://github.com/nibanks/msh3/releases/tag/v0.3.0
  * https://github.com/nibanks/msh3/pull/37
  
  Closes #8762

- [Christian Weisgerber brought this change]

  openssl: define HAVE_SSL_CTX_SET_EC_CURVES for libressl
  
  SSL_CTX_set1_curves_list() has been available since LibreSSL 2.5.3,
  released five years ago.
  
  Bug: https://curl.se/mail/lib-2022-04/0059.html
  Closes #8773

- http: move Curl_allow_auth_to_host()
  
  It was mistakenly put within the CURL_DISABLE_HTTP_AUTH #ifdef
  
  Reported-by: Michael Olbrich
  Fixes #8772
  Closes #8775

Daniel Gustafsson (29 Apr 2022)
- msh3: print boolean value as text representation
  
  Print the boolean value as its string representation instead of with
  %hhu which isn't a format we typically use.
  
  Closes: #8763
  Reviewed-by: Nick Banks <nibanks@microsoft.com>

Daniel Stenberg (29 Apr 2022)
- data/test376: set a proper name

- GHA/mbedtls: enabled nghttp2 in the build
  
  Closes #8767

- mbedtls: fix compile when h2-enabled
  
  Fixes #8766
  Reported-by: LigH-de on github
  Closes #8768

- RELEASE-NOTES: synced
  
  bumped curlver to 7.83.1-dev

- SECURITY-PROCESS: extended
  
  Also clarify BUG-BOUNTY.md with IBB details.
  
  Closes #8754

- [Adam Rosenfield brought this change]

  conn: fix typo 'connnection' -> 'connection' in two function names
  
  Closes #8759

Version 7.83.0 (27 Apr 2022)

Daniel Stenberg (27 Apr 2022)
- RELEASE-NOTES: synced
  
  The 7.83.0 release

- docs/THANKS: contributors from 7.83.0

- test 898/974/976: require proxy to run
  
  Fixes #8755
  Reported-by: Marc Hörsken
  Closes #8756

- gnutls: don't leak the SRP credentials in redirects
  
  Follow-up to 620ea21410030 and 139a54ed0a172a
  
  Reported-by: Harry Sintonen
  Closes #8752

- CURLOPT*TLSAUTH: they only work with OpenSSL or GnuTLS
  
  Closes #8753

- openssl: don't leak the SRP credentials in redirects either
  
  Follow-up to 620ea21410030
  
  Reported-by: Harry Sintonen
  Closes #8751

- [Liam Warfield brought this change]

  hyper: fix tests 580 and 581 for hyper
  
  Hyper now has the ability to preserve header order. This commit adds a
  few lines setting the connection options for this feature.
  
  Related to issue #8617
  Closes #8707

- conncache: remove name arg from Curl_conncache_find_bundle
  
  To simplify, and also since the returned name is not the full actual
  name used for the check. The port number and zone id is also involved,
  so just showing the name is misleading.
  
  Closes #8750

- tests: verify the fix for CVE-2022-27774
  
   - Test 973 redirects from HTTP to FTP, clear auth
   - Test 974 redirects from HTTP to HTTP different port, clear auth
   - Test 975 redirects from HTTP to FTP, permitted to keep auth
   - Test 976 redirects from HTTP to HTTP different port, permitted to keep
     auth

- transfer: redirects to other protocols or ports clear auth
  
  ... unless explicitly permitted.
  
  Bug: https://curl.se/docs/CVE-2022-27774.html
  Reported-by: Harry Sintonen
  Closes #8748

- connect: store "conn_remote_port" in the info struct
  
  To make it available after the connection ended.

- cookie.d: clarify when cookies are always sent

- test898: verify the fix for CVE-2022-27776
  
  Do not pass on Authorization headers on redirects to another port

- http: avoid auth/cookie on redirects same host diff port
  
  CVE-2022-27776
  
  Reported-by: Harry Sintonen
  Bug: https://curl.se/docs/CVE-2022-27776.html
  Closes #8749

- libssh2: make the md5 comparison fail if wrong length
  
  Making it just skip the check unless exactly 32 is too brittle. Even if
  the docs says it needs to be exactly 32, it is be safer to make the
  comparison fail here instead.
  
  Reported-by: Harry Sintonen
  Bug: https://hackerone.com/reports/1549461
  Closes #8745

- conncache: include the zone id in the "bundle" hashkey
  
  Make connections to two separate IPv6 zone ids create separate
  connections.
  
  Reported-by: Harry Sintonen
  Bug: https://curl.se/docs/CVE-2022-27775.html
  Closes #8747

- [Patrick Monnerat brought this change]

  url: check sasl additional parameters for connection reuse.
  
  Also move static function safecmp() as non-static Curl_safecmp() since
  its purpose is needed at several places.
  
  Bug: https://curl.se/docs/CVE-2022-22576.html
  
  CVE-2022-22576
  
  Closes #8746

- libssh2: compare sha256 strings case sensitively
  
  Reported-by: Harry Sintonen
  Bug: https://hackerone.com/reports/1549435
  Closes #8744

- tool_getparam: error out on missing -K file
  
  Add test 411 to verify.
  
  Reported-by: Median Median Stride
  Bug: https://hackerone.com/reports/1542881
  Closes #8731

- [Tatsuhiro Tsujikawa brought this change]

  ngtcp2: deal with sub-millisecond timeout
  
  Closes #8738

- misc: update copyright year ranges

- c_escape: escape '?' in generated --libcurl code
  
  In order to avoid the risk of it being used in an accidental trigraph in
  the generated code.
  
  Reported-by: Harry Sintonen
  Bug: https://hackerone.com/reports/1548535
  Closes #8742

- [Philip H brought this change]

  mlc: curl.zuul.vexxhost.dev is reachable again
  
  remove it from ignorelist for linkcheck
  
  Closes #8736

- [Tatsuhiro Tsujikawa brought this change]

  ngtcp2: avoid busy loop in low CWND situation
  
  Closes #8739

- TODO: telnet - exit immediately upon connection if stdin is /dev/null
  
  Suggested-by: Robin A. Meade
  URL: https://curl.se/mail/archive-2022-04/0027.html

- [Kushal Das brought this change]

  docs: updates spellings with full words
  
  Closes #8730

- tests/FILEFORMAT.md: spellfix

Daniel Gustafsson (21 Apr 2022)
- misc: fix typos
  
  Fix a few random typos is comments and workflow names.

- macos: fix .plist installation into framework
  
  The copy command introduced in e498a9b1f had leftover '>' from the
  previous sed command it replaced, which broke its syntax.  Fix by
  removing.
  
  Reported-by: Emanuele Torre <torreemanuele6@gmail.com>

Daniel Stenberg (21 Apr 2022)
- [Christopher Degawa brought this change]

  Makefile: fix ca-bundle due to mk-ca-bundle.pl being moved
  
  The script was moved in 8e22fc68e7dda43e9f but the lines that called it
  was not changed to reflect it's new position
  
  Signed-off-by: Christopher Degawa <ccom@randomderp.com>
  
  Closes #8728

Daniel Gustafsson (20 Apr 2022)
- macos: set .plist version in autoconf
  
  Set the libcurl version in libcurl.plist like how libcurl.vers is
  created.
  
  Closes: #8692
  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
  Reviewed-by: Nick Zitzmann <nickzman@gmail.com>

- cookies: Improve errorhandling for reading cookiefile
  
  The existing programming had some issues with errorhandling for reading
  the cookie file. If the file failed to open, we would silently ignore it
  and continue as if there was no file (or stdin) passed. In this case, we
  would also call fclose() on the NULL FILE pointer, which is undefined
  behavior. Fix by ensuring that the FILE pointer is set before calling
  fclose on it, and issue a warning in case the file cannot be opened.
  Erroring out on nonexisting file would break backwards compatibility of
  very old behavior so we can't really go there.
  
  Closes: #8699
  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
  Reviewed-by: Jay Satiro <raysatiro@yahoo.com>

Daniel Stenberg (20 Apr 2022)
- libcurl-tutorial.3: spellfix and minor polish

- CURLINFO_PRIMARY_PORT.3: spellfix
  
  Reported-by: Patrick Monnerat

- [Jay Dommaschk brought this change]

  libssh: fix double close
  
  libssh closes the socket in ssh_diconnect() so make sure that libcurl
  does not also close it.
  
  Fixes #8708
  Closes #8718

Jay Satiro (20 Apr 2022)
- [Gisle Vanem brought this change]

  unit1620: call global_init before calling Curl_open
  
  Curl_open calls the resolver init and on Windows if the resolver backend
  is c-ares then the Windows sockets library (winsock) must already have
  been initialized (via global init).
  
  Ref: https://github.com/curl/curl/pull/8540#issuecomment-1059771800
  
  Closes https://github.com/curl/curl/pull/8719

Daniel Stenberg (19 Apr 2022)
- CURLINFO_PRIMARY_PORT.3: clarify which port this is
  
  As it was not entirely clear previously.
  
  Closes #8725

- CURLOPT_UNRESTRICTED_AUTH.3: extended explanation
  
  Include details about Authentication headers.
  
  Reported-by: Brad Spencer
  Fixes #8724
  Closes #8726

- .github/workflows/macos.yml: add a libssh job with c-ares
  
  ... to enable the memdebug system
  
  Closes #8720

- RELEASE-NOTES: synced

Jay Satiro (17 Apr 2022)
- [Gisle Vanem brought this change]

  docs/HTTP3.md: fix typo
  
  also fix msh3 section formatting
  
  Ref: https://github.com/curl/curl/commit/37492ebb#r70980087

Marc Hoersken (17 Apr 2022)
- timediff.[ch]: add curlx helper functions for timeval conversions
  
  Also move timediff_t definitions from timeval.h to timediff.h and
  then make timeval.h include the new standalone-capable timediff.h.
  
  Reviewed-by: Jay Satiro
  Reviewed-by: Daniel Stenberg
  
  Supersedes #5888
  Closes #8595

Daniel Stenberg (17 Apr 2022)
- [Balakrishnan Balasubramanian brought this change]

  tests: refactor server/socksd.c to support --unix-socket
  
  Closes #8687

- [Emanuele Torre brought this change]

  tool_paramhlp: use feof(3) to identify EOF correctly when using fread(3)
  
  This loop was using the number of bytes read from the file as condition
  to keep reading.
  
  From Linux's fread(3) man page:
  > On success, fread() and fwrite() return the number of items read or
  > written. This number equals the number of bytes transferred only when
  > size is 1. If an error occurs, or the end of the file is reached, the
  > return value is a short item count (or zero).
  >
  > The file position indicator for the stream is advanced by the number
  > of bytes successfully read or written.
  >
  > fread() does not distinguish between end-of-file and error, and
  > callers must use feof(3) and ferror(3) to determine which occurred.
  
  This means that nread!=0 doesn't make much sense as an end condition for
  the loop: nread==0 doesn't necessarily mean that EOF has been reached or
  an error has occured (but that is usually the case) and nread!=0 doesn't
  necessarily mean that EOF has not been reached or that no read errors
  have occured. feof(3) and ferror(3) should be uses when using fread(3).
  
  Currently curl has to performs an extra fread(3) call to get a return
  value equal to 0 to stop looping.
  
  This usually "works" (even though nread==0 shouldn't be interpreted as
  EOF) if stdin is a pipe because EOF usually marks the "real" end of the
  stream, so the extra fread(3) call will return immediately and the extra
  read syscall won't be noticeable:
  
      bash-5.1$ strace -e read curl -s -F file=@- 0x0.st <<< a 2>&1 |
      > tail -n 5
      read(0, "a\n", 4096)                    = 2
      read(0, "", 4096)                       = 0
      read(0, "", 4096)                       = 0
      http://0x0.st/oRs.txt
      +++ exited with 0 +++
      bash-5.1$
  
  But this doesn't work if curl is reading from stdin, stdin is a
  terminal, and the EOF is being emulated using a shell with ^D. Two
  consecutive ^D will be required in this case to actually make curl stop
  reading:
  
      bash-5.1$ curl -F file=@- 0x0.st
      a
      ^D^D
      http://0x0.st/oRs.txt
      bash-5.1$
  
  A possible workaround to this issue is to use a program that handles EOF
  correctly to indirectly send data to curl's stdin:
  
      bash-5.1$ cat - | curl -F file=@- 0x0.st
      a
      ^D
      http://0x0.st/oRs.txt
      bash-5.1$
  
  This patch makes curl handle EOF properly when using fread(3) in
  file2memory() so that the workaround is not necessary.
  
  Since curl was previously ignoring read errors caused by this fread(3),
  ferror(3) is also used in the condition of the loop: read errors and EOF
  will have the same meaning; this is done to somewhat preserve the old
  behaviour instead of making the command fail when a read error occurs.
  
  Closes #8701

- gen.pl: change wording for mutexed options
  
  Instead of saying "This option overrides NNN", now say "This option is
  mutually exclusive to NNN" in the generated man page ouput, as the
  option does not in all cases actually override the others but they are
  always mutually exclusive.
  
  Ref: #8704
  Closes #8716

- curl: error out if -T and -d are used for the same URL
  
  As one implies PUT and the other POST, both cannot be used
  simultaneously.
  
  Add test 378 to verify.
  
  Reported-by: Boris Verkhovskiy
  Fixes #8704
  Closes #8715

- lib: remove exclamation marks
  
  ... from infof() and failf() calls. Make them less attention seeking.
  
  Closes #8713

- fail.d: tweak the description
  
  Reviewed-by: Daniel Gustafsson
  Suggested-by: Robert Charles Muir
  Ref: https://twitter.com/rcmuir/status/1514915401574010887
  
  Closes #8714

Daniel Gustafsson (15 Apr 2022)
- docs: Fix missing semicolon in example code
  
  Multiple share examples were missing a semicolon on the line defining
  the CURLSHcode variable.
  
  Closes: #8697
  Reported-by: Michael Kaufmann <mail@michael-kaufmann.ch>
  Reviewed-by: Daniel Stenberg <daniel@haxx.se>

- infof: consistent capitalization of warning messages
  
  Ensure that all infof calls with a warning message are capitalized
  in the same way.  At some point we should probably set up a style-
  guide for infof but until then let's aim for a little consistenncy
  where we can.
  
  Closes: #8711
  Reviewed-by: Daniel Stenberg <daniel@haxx.se>

- RELEASE-NOTES: synced

- [Matteo Baccan brought this change]

  perl: removed a double semicolon at end of line
  
  Remove double semicolons at end of line in Perl code.
  
  Closes: #8709
  Reviewed-by: Daniel Gustafsson <daniel@yesql.se>

- curl_easy_header: fix typos in documentation
  
  Closes: #8694
  Reviewed-by: Daniel Stenberg <daniel@haxx.se>

Marcel Raad (11 Apr 2022)
- appveyor: add Cygwin build
  
  Closes https://github.com/curl/curl/pull/8693

- appveyor: only add MSYS2 to PATH where required
  
  Closes https://github.com/curl/curl/pull/8693

Daniel Stenberg (10 Apr 2022)
- [Tatsuhiro Tsujikawa brought this change]

  ngtcp2: fix memory leak
  
  Closes #8691

- [Tatsuhiro Tsujikawa brought this change]

  ngtcp2: remove remote_addr which is not used in a meaningful way
  
  Closes #8689

- [Tatsuhiro Tsujikawa brought this change]

  ngtcp2: enlarge H3_SEND_SIZE
  
  Make h3_SEND_SIZE larger because current value (20KiB) is too small
  for the high latency environment.
  
  Closes #8690

- [Tatsuhiro Tsujikawa brought this change]

  ngtcp2: fix HTTP/3 upload stall and avoid busy loop
  
  This commit fixes HTTP/3 upload stall if upload data is larger than
  H3_SEND_SIZE.  Only check writability of socket if a stream is
  writable to avoid busy loop when QUIC flow control window is filled
  up, or upload buffer is full.
  
  Closes #8688

- [Nick Banks brought this change]

  msh3: add support for QUIC and HTTP/3 using msh3
  
  Considered experimental, as the other HTTP/3 backends.
  
  Closes #8517

- TODO: "SFTP with SCP://"

- GHA: move bearssl jobs over from zuul
  
  Closes #8684

- data/DISABLED: disable test 313 on bearssl builds
  
  Closes #8684

- runtests: add 'bearssl' as testable feature
  
  Closes #8684

- GHA: add openssl3 jobs moved over from zuul
  
  Closes #8683

- schannel: remove dead code that will never run
  
  As the condition can't ever evaluate true
  
  Reported-by: Andrey Alifanov
  Ref: #8675
  Closes #8677

- connecache: remove duplicate connc->closure_handle check
  
  The superfluous extra check could cause analyzer false positives
  and doesn't serve any purpose.
  
  Closes #8676

- [Michał Antoniak brought this change]

  mbedtls: remove server_fd from backend
  
  Closes #8682

- [Tatsuhiro Tsujikawa brought this change]

  ngtcp2: use token when detecting :status header field
  
  Closes #8679

- [Tatsuhiro Tsujikawa brought this change]

  ngtcp2: make curl 1ms faster
  
  Pass 0 for an already expired timer.
  
  Closes #8678

- [Tatsuhiro Tsujikawa brought this change]

