                                  _   _ ____  _
                              ___| | | |  _ \| |
                             / __| | | | |_) | |
                            | (__| |_| |  _ <| |___
                             \___|\___/|_| \_\_____|

                                  Changelog

Version 7.55.0 (9 Aug 2017)

Daniel Stenberg (9 Aug 2017)
- RELEASE-NOTES: curl 7.55.0

- THANKS: 20 new contributors in 7.55.0

- [Viktor Szakats brought this change]

  docs/comments: Update to secure URL versions
  
  Closes #1741

- configure: fix recv/send/select detection on Android
  
  ... since they now provide several functions as
  __attribute__((overloadable)), the argument detection logic need
  updates.
  
  Patched-by: destman at github
  
  Fixes #1738
  Closes #1739

Marcel Raad (8 Aug 2017)
- ax_code_coverage.m4: update to latest version
  
  This updates the script to aad5ad5fedb306b39f901a899b7bd305b66c418d
  from August 01, 2017. Notably, this removes the lconv version whitelist.
  
  Closes https://github.com/curl/curl/pull/1716

Daniel Stenberg (7 Aug 2017)
- test1427: verify command line parser integer overflow detection

- curl: detect and bail out early on parameter integer overflows
  
  Make the number parser aware of the maximum limit curl accepts for a
  value and return an error immediately if larger, instead of running an
  integer overflow later.
  
  Fixes #1730
  Closes #1736

- glob: do not continue parsing after a strtoul() overflow range
  
  Added test 1289 to verify.
  
  CVE-2017-1000101
  
  Bug: https://curl.haxx.se/docs/adv_20170809A.html
  Reported-by: Brian Carpenter

- tftp: reject file name lengths that don't fit
  
  ... and thereby avoid telling send() to send off more bytes than the
  size of the buffer!
  
  CVE-2017-1000100
  
  Bug: https://curl.haxx.se/docs/adv_20170809B.html
  Reported-by: Even Rouault
  
  Credit to OSS-Fuzz for the discovery

- [Even Rouault brought this change]

  file: output the correct buffer to the user
  
  Regression brought by 7c312f84ea930d8 (April 2017)
  
  CVE-2017-1000099
  
  Bug: https://curl.haxx.se/docs/adv_20170809C.html
  
  Credit to OSS-Fuzz for the discovery

- easy_events: make event data static
  
  First: this function is only used in debug-builds and not in
  release/real builds. It is used to drive tests using the event-based
  API.
  
  A pointer to the local struct is passed to CURLMOPT_TIMERDATA, but the
  CURLMOPT_TIMERFUNCTION calback can in fact be called even after this
  funtion returns, namely when curl_multi_remove_handle() is called.
  
  Reported-by: Brian Carpenter

- getparameter: avoid returning uninitialized 'usedarg'
  
  Fixes #1728

Marcel Raad (5 Aug 2017)
- [Isaac Boukris brought this change]

  gssapi: fix memory leak of output token in multi round context
  
  When multiple rounds are needed to establish a security context
  (usually ntlm), we overwrite old token with a new one without free.
  Found by proposed gss tests using stub a gss implementation (by
  valgrind error), though I have confirmed the leak with a real
  gssapi implementation as well.
  
  Closes https://github.com/curl/curl/pull/1733

- darwinssl: fix compiler warning
  
  clang complains:
  vtls/darwinssl.c:40:8: error: extra tokens at end of #endif directive
  [-Werror,-Wextra-tokens]
  
  This breaks the darwinssl build on Travis. Fix it by making this token
  a comment.
  
  Closes https://github.com/curl/curl/pull/1734

- CMake: fix CURL_WERROR for MSVC
  
  When using CURL_WERROR in MSVC builds, the debug flags were overridden
  by the release flags and /WX got added twice in debug mode.
  
  Closes https://github.com/curl/curl/pull/1715

Daniel Stenberg (4 Aug 2017)
- RELEASE-NOTES: synced with 561e9217c

- test1010: verify that #1718 is fixed
  
  ... by doing two transfers in nocwd mode and check that there's no
  superfluous CWD command.

- FTP: skip unnecessary CWD when in nocwd mode
  
  ... when reusing a connection. If it didn't do any CWD previously.
  
  Fixes #1718

Marcel Raad (4 Aug 2017)
- travis: explicitly specify dist
  
  This makes the builds more reproducible as travis is currently rolling
  out trusty as default dist [1]. Specifically, this avoids coverage
  check failures when trusty is used as seen in [2] until we figure out
  what's wrong.
  
  [1] https://blog.travis-ci.com/2017-07-11-trusty-as-default-linux-is-coming
  [2] https://github.com/curl/curl/pull/1692
  
  Closes https://github.com/curl/curl/pull/1725

Daniel Stenberg (4 Aug 2017)
- travis: BUILD_TYPE => T
  
  (to make the full line appear nicer on travis web UI)

- travis: add osx build with darwinssl
  
  Closes #1706

- darwin: silence compiler warnings
  
  With a clang pragma and three type fixes
  
  Fixes #1722

- BUILD.WINDOWS: mention buildconf.bat for builds off git

- darwinssl: fix curlssl_sha256sum() compiler warnings on first argument

- test130: verify comments in .netrc

- [Gisle Vanem brought this change]

  netrc: skip lines starting with '#'
  
  Bug: https://curl.haxx.se/mail/lib-2017-08/0008.html

Marcel Raad (3 Aug 2017)
- CMake: set MSVC warning level to 4
  
  The MSVC warning level defaults to 3 in CMake. Change it to 4, which is
  consistent with the Visual Studio and NMake builds. Disable level 4
  warning C4127 for the library and additionally C4306 for the test
  servers to get a clean CURL_WERROR build as that warning is raised in
  some macros in older Visual Studio versions.
  
  Ref: https://github.com/curl/curl/pull/1667#issuecomment-314082794
  Closes https://github.com/curl/curl/pull/1711

Daniel Stenberg (2 Aug 2017)
- CURLOPT_NETRC.3: fix typo in 7e48aa386156f9c2
  
  Reported-by: Viktor Szakats

- CURLOPT_NETRC.3: mention the file name on windows
  
  ... and CURLOPT_NETRC_FILE(3).

- travis: build osx with libressl too

- travis: build osx with openssl too

- tests/server/util: fix curltime mistake from 4dee50b9c80f9

Marcel Raad (1 Aug 2017)
- curl_threads: fix MSVC compiler warning
  
  Use LongToHandle to convert from long to HANDLE in the Win32
  implementation.
  This should fix the following warning when compiling with
  MSVC 11 (2012) in 64-bit mode:
  lib\curl_threads.c(113): warning C4306:
  'type cast' : conversion from 'long' to 'HANDLE' of greater size
  
  Closes https://github.com/curl/curl/pull/1717

Daniel Stenberg (1 Aug 2017)
- BUGS: improved phrasing about security bugs
  
  Reported-by: Max Dymond

- BUGS: clarify how to report security related bugs

- [Brad Spencer brought this change]

  multi: fix request timer management
  
  There are some bugs in how timers are managed for a single easy handle
  that causes the wrong "next timeout" value to be reported to the
  application when a new minimum needs to be recomputed and that new
  minimum should be an existing timer that isn't currently set for the
  easy handle.  When the application drives a set of easy handles via the
  `curl_multi_socket_action()` API (for example), it gets told to wait the
  wrong amount of time before the next call, which causes requests to
  linger for a long time (or, it is my guess, possibly forever).
  
  Bug: https://curl.haxx.se/mail/lib-2017-07/0033.html

Jay Satiro (1 Aug 2017)
- curl_setup: Define CURL_NO_OLDIES for building libcurl
  
  .. to catch accidental use of deprecated error codes.
  
  Ref: https://github.com/curl/curl/issues/1688#issuecomment-316764237

Daniel Stenberg (1 Aug 2017)
- [Jeremy Tan brought this change]

  configure: fix the check for IdnToUnicode
  
  Fixes #1669
  Closes #1713

- http: fix response code parser to avoid integer overflow
  
  test 1429 and 1433 were updated to work with the stricter HTTP status line
  parser.
  
  Closes #1714
  Reported-by: Brian Carpenter

Jay Satiro (31 Jul 2017)
- [Dwarakanath Yadavalli brought this change]

  libcurl: Stop using error codes defined under CURL_NO_OLDIES
  
  Fixes https://github.com/curl/curl/issues/1688
  Closes https://github.com/curl/curl/pull/1712

- include.d: clarify --include is only for response headers
  
  Follow-up to 171f8de and de6de94.
  
  Bug: https://github.com/curl/curl/commit/de6de94#commitcomment-23370851
  Reported-by: Daniel Stenberg

Daniel Stenberg (30 Jul 2017)
- [jasjuang brought this change]

  cmake: support make uninstall
  
  Closes #1674

- RELEASE-NOTES: synced with 001701c47

Marcel Raad (29 Jul 2017)
- AppVeyor: now really use CURL_WERROR
  
  It was misspelled as CURL_ERROR in commit
  2d86e8d1286e0fbe3d811e2e87fa0b5e53722db4.
  
  Closes https://github.com/curl/curl/pull/1686

Jay Satiro (29 Jul 2017)
- tool_help: clarify --include is only for response headers
  
  Follow-up to 171f8de.
  
  Ref: https://github.com/curl/curl/issues/1704

- splay: fix signed/unsigned mismatch warning
  
  Follow-up to 4dee50b.
  
  Ref: https://github.com/curl/curl/pull/1693

Daniel Stenberg (28 Jul 2017)
- include.d: clarify that it concerns the response headers
  
  Reported-by: olesteban at github
  Fixes #1704

- [Johannes Schindelin brought this change]

  curl_rtmp: fix a compiler warning
  
  The headers of librtmp declare the socket as `int`, and on Windows, that
  disagrees with curl_socket_t.
  
  Bug: #1652
  
  Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

- test1323: verify curlx_tvdiff

- timeval: struct curltime is a struct timeval replacement
  
  ... to make all libcurl internals able to use the same data types for
  the struct members. The timeval struct differs subtly on several
  platforms so it makes it cumbersome to use everywhere.
  
  Ref: #1652
  Closes #1693

- darwinssl: fix variable type mistake (regression)
  
  ... which made --tlsv1.2 not work because it would blank the max tls
  version variable.
  
  Reported-by: Nick Miyake
  Bug: #1703

- multi: mention integer overflow risk if using > 500 million sockets
  
  Reported-by: ovidiu-benea@users.noreply.github.com
  
  Closes #1675
  Closes #1683

- checksrc: escape open brace in regex
  
  ... to silence warning.

Kamil Dudka (20 Jul 2017)
- nss: fix a possible use-after-free in SelectClientCert()
  
  ... causing a SIGSEGV in showit() in case the handle used to initiate
  the connection has already been freed.
  
  This commit fixes a bug introduced in curl-7_19_5-204-g5f0cae803.
  
  Reported-by: Rob Sanders
  Bug: https://bugzilla.redhat.com/1436158

- nss: unify the coding style of nss_send() and nss_recv()
  
  No changes in behavior intended by this commit.

Marcel Raad (18 Jul 2017)
- tests/server/resolve.c: fix deprecation warning
  
  MSVC warns that gethostbyname is deprecated. Always use getaddrinfo
  instead to fix this when IPv6 is enabled, also for IPv4 resolves. This
  is also consistent with what libcurl does.
  
  Closes https://github.com/curl/curl/pull/1682

Jay Satiro (17 Jul 2017)
- darwinssl: fix pinnedpubkey build error
  
  - s/SessionHandle/Curl_easy/
  
  Bug: https://github.com/curl/curl/commit/eb16305#commitcomment-23035670
  Reported-by: Gisle Vanem

Marcel Raad (16 Jul 2017)
- rtspd: fix GCC warning after MSVC warning fix
  
  Older GCC warns:
  /tests/server/rtspd.c:1194:10: warning: missing braces around
  initializer [-Wmissing-braces]
  
  Fix this by using memset instead of an initializer.

- libtest: fix MSVC warning C4706
  
  With warning level 4, MSVC warns about assignments within conditional
  expressions. Change the while loop to a do-while loop to fix this. This
  change is also consistent with CODE_STYLE.md.

- sockfilt: suppress conversion warning with explicit cast
  
  MSVC warns when implicitly casting -1 to unsigned long.

- rtspd: fix MSVC level 4 warning
  
  warning C4701: potentially uninitialized local variable 'req' used

- winbuild: re-enable warning C4127 for curl tool
  
  Disabled in cda19a345f6970e22fe8b7a808aeb8f086a21eac. It only needs to
  be disabled for libcurl.

- winbuild: build with warning level 4
  
  This is consistent with 7bc64561a2e63ca93e4b0b31d350773ba80955c2, which
  changed the warning level from 3 to 4 for the Visual Studio project
  files. But disable the level 4 warning C4127 "conditional expression is
  constant", as that one is issued by older versions of the Windows SDK
  as well as curl itself under some circumstances.
  
  Closes https://github.com/curl/curl/pull/1667

Jay Satiro (12 Jul 2017)
- [Max Dymond brought this change]

  travis: install libidn2
  
  Install libidn2 to increase test coverage (IDN tests)
  
  Closes https://github.com/curl/curl/pull/1673

Marcel Raad (12 Jul 2017)
- travis: enable warnings also in release mode
  
  ... to get warnings also on Linux/GCC and OSX/clang.
  
  Closes https://github.com/curl/curl/pull/1666

Daniel Stenberg (12 Jul 2017)
- [Max Dymond brought this change]

  travis: install libssh2
  
  Install libssh2 to increase test coverage (SFTP, SCP)

Marcel Raad (12 Jul 2017)
- system.h: include winsock2.h before windows.h
  
  ... to avoid compiler warnings if the user doesn't want
  WIN32_LEAN_AND_MEAN.

- build: remove WIN32_LEAN_AND_MEAN from individual build systems
  
  It's defined for all build systems in curl_setup.h since commit
  beb08481d01a07a8b10938b1078a5e298b1c2912. This caused macro
  redefinition warnings in the configure builds.
  
  Closes https://github.com/curl/curl/pull/1677

Jay Satiro (11 Jul 2017)
- ISSUE_TEMPLATE: Add a comment not to file security issues on github

Marcel Raad (11 Jul 2017)
- curl_setup: always define WIN32_LEAN_AND_MEAN on Windows
  
  Make sure to always define WIN32_LEAN_AND_MEAN before including any
  Windows headers to avoid pulling in unnecessary headers. This avoids
  unnecessary macro clashes and compiler warnings.
  
  Ref: https://github.com/curl/curl/issues/1562
  Closes https://github.com/curl/curl/pull/1672

Jay Satiro (11 Jul 2017)
- strerror: Preserve Windows error code in some functions
  
  This is a follow-up to af02162 which removed (SET_)ERRNO macros. That
  commit was an earlier draft that I committed by mistake, which was then
  remedied by a5834e5 and e909de6, and now this commit. With this commit
  there is now no difference between the current code and the changes that
  were approved in the final draft.
  
  Thanks-to: Max Dymond, Marcel Raad, Daniel Stenberg, Gisle Vanem
  Ref: https://github.com/curl/curl/pull/1589

Marcel Raad (10 Jul 2017)
- [Max Dymond brought this change]

  tests: Fix up issues with errno in test files
  
  Closes https://github.com/curl/curl/pull/1671

Daniel Stenberg (10 Jul 2017)
- errno: fix non-windows builds after af0216251b94e7

- [Ryan Winograd brought this change]

  make: fix docs build on OpenBSD
  
  Ref: #1591

Marcel Raad (10 Jul 2017)
- ldap: fix MinGW compiler warning
  
  ldap_bind_s is marked as deprecated in w32api's winldap.h shipping with
  the latest original MinGW, resulting in compiler warnings since commit
  f0fe66f13c93d3d0af45d9fb1231c9164e0f9dc8. Fix this for the non-SSPI
  case by using ldap_simple_bind_s again instead of ldap_bind_s with
  LDAP_AUTH_SIMPLE.
  
  Closes https://github.com/curl/curl/pull/1664

- curl-compilers.m4: disable warning spam with Cygwin's clang
  
  When building with Cygwin or MinGW, libtool uses a wrapper executable
  instead of a wrapper script [1], which is written in C and throws
  missing-variable-declarations warnings. Don't enable these warnings on
  Cygwin and MinGW in order to avoid warnings for every executable built,
  which spams the test suite output when using Cygwin's clang.
  
  [1] https://www.gnu.org/software/libtool/manual/html_node/Wrapper-executables.html
  
  Closes https://github.com/curl/curl/pull/1665

Jay Satiro (10 Jul 2017)
- curl_setup_once: Remove ERRNO/SET_ERRNO macros
  
  Prior to this change (SET_)ERRNO mapped to GetLastError/SetLastError
  for Win32 and regular errno otherwise.
  
  I reviewed the code and found no justifiable reason for conflating errno
  on WIN32 with GetLastError/SetLastError. All Win32 CRTs support errno,
  and any Win32 multithreaded CRT supports thread-local errno.
  
  Fixes https://github.com/curl/curl/issues/895
  Closes https://github.com/curl/curl/pull/1589

- tool_getparam: fix potentially uninitialized err

Marcel Raad (9 Jul 2017)
- smb: rename variable to fix shadowing warning
  
  GCC 4.6.3 on travis complains:
  smb.c: In function ‘get_posix_time’:
  smb.c:725:13: error: declaration of ‘time’ shadows a global declaration
  [-Werror=shadow]
  
  Fix this by renaming the variable.

- tool_cb_wrt: fix variable shadowing warning
  
  GCC 4.4 complains:
  tool_cb_wrt.c:81: error: declaration of ‘isatty’ shadows a global
  declaration
  /usr/include/unistd.h:782: error: shadowed declaration is here
  
  Fix this by renaming the variable.
  
  Closes https://github.com/curl/curl/pull/1661

Daniel Stenberg (8 Jul 2017)
- RELEASE-NOTES: synced with be2c999b8

- travis: install stunnel

- valgrind.supp: supress OpenSSL false positive seen on travis

- travis: detect and use valgrind for normal builds
  
  Closes #1653

- travis: add SMB, DICT, TELNET torture to coverage test

- [Paul Harris brought this change]

  cmake: offer CMAKE_DEBUG_POSTFIX when building with MSVC
  
  Removes BUILD_RELEASE_DEBUG_DIRS since it wasn't used anywhere.
  
  Closes #1649

- CURLOPT_POSTFIELDS.3: explain the 100-continue magic better

- [Max Dymond brought this change]

  test1452: add telnet negotiation
  
  Add a basic telnet server for negotiating some telnet options before
  echoing back any data that's sent to it.
  
  Closes #1645

- travis: do more tests in the coverage run
  
  I added a selection of torture and event tests that run "fast enough"

- curl_easy_escape.3: mention the (lack of) encoding
  
  Fixes #1612
  Reported-by: Jeroen Ooms

- [Gisle Vanem brought this change]

  memdebug: don't setbuf() if the file open failed
  
  Bug: https://github.com/curl/curl/issues/828#issuecomment-313475151

- appveyor: enable CURL_WERROR on all builds

- cmake: add CURL_WERROR for enabling "warning as errors"

- [Hannes Magnusson brought this change]

  cmake: remove spurious "-l" from linker flags
  
  Fixes #1552

- test506: skip if threaded-resolver

- runtests: support "threaded-resolver" as a feature
  
  ... to let tests require it or skip if present

- asyn-thread.c: fix unused variable warnings on macOS

- http: s/TINY_INITIAL_POST_SIZE/EXPECT_100_THRESHOLD
  
  Make the name reflect its use better, and add a short comment describing
  what it's for.

- cmake: if inet_pton is used, bump _WIN32_WINNT
  
  ... and make sure inet_pton is always checked for when *not* using Windows,
  which is a regression from 4fc6ebe18.
  
  Idea-by: Sergei Nikulov

- select.h: avoid macro redefinition harder
  
  ... by checking the POLLIN define, as the header file checks don't work
  on Windows.

- inet_pton: fix include on windows to get prototype
  
  inet_pton() exists on Windows and gets used by our cmake builds. Make
  sure the correct header file is included to avoid compiler warnings.
  
  Closes #1639

- TODO: 1.10 auto-detect proxy
  
  Closes #1572

- TODO: HTTP proxy CONNECT is non-blocking now

- cmake: fix send/recv argument scanner for windows
  
  ... by simply trying the Windows argument types first.
  
  Fixes #1640

- RELEASE-NOTES: synced with 596cfb6c0

- [Gisle Vanem brought this change]

  smb: add support for CURLOPT_FILETIME
  
  Bug: https://curl.haxx.se/mail/lib-2017-07/0005.html
  
  Closes #1643

- travis: install nghttp2 on linux builds
  
  Closes #1642

- [Gisle Vanem brought this change]

  smb: fix build for djgpp/MSDOS
  
  bug: https://curl.haxx.se/mail/lib-2017-07/0005.html

- configure: try ldap/lber in reversed order first
  
  When scanning for which LDAP libraries to use, try the -lldap -llber
  combination before the reversed order since it has a greater chance of
  working when linking with libcurl statically.
  
  Fixes #1619
  Closes #1634
  Reported-by: David E. Narváez

- configure: remove checks for 5 functions never used
  
  fork, getprotobyname, inet_addr, perror, uname
  
  closes #1638

- dist: add SMB python deps into the tarball

- [Max Dymond brought this change]

  test1451: add SMB support to the testbed
  
  Add test 1451 which does some very basic SMB testing using the impacket
  SMB server.
  
  Closes #1630

- [Max Dymond brought this change]

  test: add impacket for SMB testing
  
  Import impacket 0.9.15 for use in SMB testing. This was generated by
  doing "pip2.7 install -t . impacket"
  
  Unnecessary files for current testing were deleted.

- travis.yml: use --enable-werror on debug builds
  
  ... to better detect and fault on compiler warnings/errors
  
  Closes #1637

- tool_sleep: typecast to avoid macos compiler warning
  
  tool_sleep.c:54:24: error: implicit conversion loses integer precision:
  'long' to '__darwin_suseconds_t' (aka 'int')
  [-Werror,-Wshorten-64-to-32]

- [Martin Kepplinger brought this change]

  timeval.c: Use long long constant type for timeval assignment
  
  On a 64 bit host, sparse says:
  
  timeval.c:148:15: warning: constant 0x7fffffffffffffff is so big it is long
  timeval.c:149:12: warning: constant 0x7fffffffffffffff is so big it is long
  
  so let's use long long constant types in order to prevent undesired overflow
  failures.
  
  Bug: https://curl.haxx.se/mail/lib-2017-07/0003.html
  
  Closes #1636
  
  Signed-off-by: Martin Kepplinger <martink@posteo.de>

- url: make the original string get used on subsequent transfers
  
  ... since CURLOPT_URL should follow the same rules as other options:
  they remain set until changed or cleared.
  
  Added test 1551 to verify.
  
  Fixes #1631
  Closes #1632
  Reported-by: Pavel Rochnyak

- [Johannes Schindelin brought this change]

  gtls: fix build when sizeof(long) < sizeof(void *)
  
  - Change gnutls pointer/int macros to pointer/curl_socket_t.
    Prior to this change they used long type as well.
  
  The size of the `long` data type can be shorter than that of pointer
  types. This is the case most notably on Windows.
  
  If C99 were acceptable, we could simply use `intptr_t` here. But we
  want to retain C89 compatibility.
  
  Simply use the trick of performing pointer arithmetic with the NULL
  pointer: to convert an integer `i` to a pointer, simply take the
  address of the `i`th element of a hypothetical character array
  starting at address NULL. To convert back, simply cast the pointer
  difference.
  
  Thanks to Jay Satiro for the initial modification to use curl_socket_t
  instead of int/long.
  
  Closes #1617
  
  Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

- [Ryan Winograd brought this change]

  unit1399: fix integer overflow
  
  Bug: #1616
  Closes #1633

- [Per Malmberg brought this change]

  cmake: Added compatibility options for older Windows versions
  
  CURL_STATIC_CRT and ENABLE_INET_PTON
  
  Closes #1621

- unit1399: add logging to time comparison
  
  ... to enable tracking down why autobuilds fail on this
  
  Bug: #1616

- make: build the docs subdir only from within src
  
  ... and don't build at all in include
  
  Prompted-by-work-by: Simon Warta
  Ref: #1590
  Closes #1591

- [Max Dymond brought this change]

  test1450: fix up DICT server in torture mode
  
  As per https://github.com/curl/curl/pull/1615, the DICT server is a
  little spammy in torture mode due to the sockets being torn down
  unexpectedly. Fix this by adding some error handling to the handling
  function.
  
  Closes #1629

- [Max Dymond brought this change]

  test1450: add simple testing for DICT
  
  Add a new server which provides a DICT interface. This is intended to
  begin coverage testing for lib/dict.c
  
  Closes #1615

- [Dan Fandrich brought this change]

  test1521: fix out-of-tree builds, broken with 467da3af
  
  The test.h file is no longer in the same directory as the source file,
  so that directory needs to be added to the include path.
  
  Fixes #1627
  Closes #1628

- [Max Dymond brought this change]

  http2: handle PING frames
  
  Add a connection check function to HTTP2 based off RTSP. This causes
  PINGs to be handled the next time the connection is reused.
  
  Closes #1521

- [Max Dymond brought this change]

  handler: refactor connection checking
  
  Add a new type of callback to Curl_handler which performs checks on
  the connection. Alter RTSP so that it uses this callback to do its
  own check on connection health.

- [dmitrykos brought this change]

  openssl: improve fallback seed of PRNG with a time based hash
  
  Fixes #1620

- [Ryan Winograd brought this change]

  progress: prevent resetting t_starttransfer
  
  Prevent `Curl_pgrsTime` from modifying `t_starttransfer` when invoked
  with `TIMER_STARTTRANSFER` more than once during a single request.
  
  When a redirect occurs, this is considered a new request and
  `t_starttransfer` can be updated to reflect the `t_starttransfer` time
  of the redirect request.
  
  Closes #1616
  
  Bug: https://github.com/curl/curl/pull/1602#issuecomment-310267370

- curl_strequal.3: fix typo in SYNOPSIS
  
  Reported-by: Jesse Chisholm
  
  Fixes #1623

- RELEASE-NOTES: synced with ce2c3ebda

Kamil Dudka (28 Jun 2017)
- curl --socks5-{basic,gssapi}: control socks5 auth
  
  Closes https://github.com/curl/curl/pull/1454

- CURLOPT_SOCKS5_AUTH: allowed methods for SOCKS5 proxy auth
  
  If libcurl was built with GSS-API support, it unconditionally advertised
  GSS-API authentication while connecting to a SOCKS5 proxy.  This caused
  problems in environments with improperly configured Kerberos: a stock
  libcurl failed to connect, despite libcurl built without GSS-API
  connected fine using username and password.
  
  This commit introduces the CURLOPT_SOCKS5_AUTH option to control the
  allowed methods for SOCKS5 authentication at run time.
  
  Note that a new option was preferred over reusing CURLOPT_PROXYAUTH
  for compatibility reasons because the set of authentication methods
  allowed by default was different for HTTP and SOCKS5 proxies.
  
  Bug: https://curl.haxx.se/mail/lib-2017-01/0005.html
  Closes https://github.com/curl/curl/pull/1454

- socks: deduplicate the code for auth request

- socks: use proxy_user instead of proxy_name
  
  ... to make it obvious what the data is used for

Daniel Stenberg (27 Jun 2017)
- libtest/make: generate lib1521.c
  
  ... instead of having the generated code checked in. This saves space in
  the tarball but primarily automatically adapts to newly added options.
  
  Closes #1614

Jay Satiro (26 Jun 2017)
- tool_getparam: fix memory leak on test 1147 OOM (torture tests)
  
  Bug: https://github.com/curl/curl/pull/1486#issuecomment-310926872
  Reported-by: Dan Fandrich

Dan Fandrich (25 Jun 2017)
- test1537: fixed memory leak on OOM

Marcel Raad (25 Jun 2017)
- test1521: fix compiler warnings
  
  The integer literal 3123123123 doesn't fit into a 32-bit signed
  integer, so GCC with 32-bit long warns in C90 mode:
  this decimal constant is unsigned only in ISO C90 [enabled by default]
  Fix this by using ULONG_MAX, which should fit in any curl_off_t and has
  the correct suffix to not issue any warnings.
  Also adds the missing CURLOPT_REQUEST_TARGET from commit
  9b167fd090f596eac828817d48c247eeae53407f.
  
  Closes https://github.com/curl/curl/pull/1611

Daniel Stenberg (24 Jun 2017)
- curl/system.h: add check for XTENSA for 32bit gcc
  
  Reported-by: Neil Kolban
  Fixes: 1598

- [Henrik S. Gaßmann brought this change]

  winbuild: fix boringssl build
  
  Compile with `WIN32_LEAN_AND_MEAN` which prevents `windows.h` from
  including too much clutter including `wincrypt.h` which in turn contains
  some preprocessor macros that clash with boringssl symbols.
  
  Detect boringssl by checking the existance of `is_boringssl.h` and set
  the corresponding `HAVE_BORINGSSL` for compilation which is used in
  `ldap.c` to undefine the evil macros.
  
  Closes #1610

- progress: progress.timespent needs to be us
  
  follow-up to 64ed44a815e4e to fix test 500 failures

Marcel Raad (24 Jun 2017)
- curl-compilers.m4: fix unknown-warning-option on Apple clang
  
  Since 5598b0bd63f690c151074494ce47ef872f004ab4, clang -v is used to
  detect the clang version. The version number was expected to come after
  the word "version". For Apple clang, this doesn't work as it has its
  own versioning scheme.
  The version number is now first searched after the string
  "based on LLVM". This works for Apple clang before version 7, and also
  for e.g. Ubuntu's clang up to version 3.7. If it's not found and the
  version string contains "Apple LLVM version", clang version 3.7 is
  assumed, which is the version that comes with Xcode 7. Otherwise, the
  version number is still expected after the word "version", which works
  for very old Apple clang versions.
  
  Ref: https://trac.macports.org/wiki/XcodeVersionInfo
  Fixes https://github.com/curl/curl/issues/1606
  Closes https://github.com/curl/curl/pull/1607

