Changes in 7.51.0 - November 2 2016

Changes:

• nss: additional cipher suites are now accepted by CURLOPT_SSL_CIPHER_LIST
• New option: CURLOPT_KEEP_SENDING_ON_ERROR

Bugfixes:

• CVE-2016-8615: cookie injection for other servers
• CVE-2016-8616: case insensitive password comparison
• CVE-2016-8617: OOB write via unchecked multiplication
• CVE-2016-8618: double-free in curl_maprintf
• CVE-2016-8619: double-free in krb5 code
• CVE-2016-8620: glob parser write/read out of bounds
• CVE-2016-8621: curl_getdate read out of bounds
• CVE-2016-8622: URL unescape heap overflow via integer truncation
• CVE-2016-8623: Use-after-free via shared cookies
• CVE-2016-8624: invalid URL parsing with '#'
• CVE-2016-8625: IDNA 2003 makes curl use wrong host
• openssl: fix per-thread memory leak using 1.0.1 or 1.0.2
• http: accept "Transfer-Encoding: chunked" for HTTP/2 as well
• LICENSE-MIXING.md: update with mbedTLS dual licensing
• examples/imap-append: Set size of data to be uploaded
• test2048: fix url
• darwinssl: disable RC4 cipher-suite support
• CURLOPT_PINNEDPUBLICKEY.3: fix the AVAILABILITY formatting
• openssl: don’t call CRYTPO_cleanup_all_ex_data
• libressl: fix version output
• easy: Reset all statistical session info in curl_easy_reset
• curl_global_cleanup.3: don't unload the lib with sub threads running
• dist: add CurlSymbolHiding.cmake to the tarball
• docs: Remove that --proto is just used for initial retrieval
• configure: Fixed builds with libssh2 in a custom location
• curl.1: --trace supports % for sending to stderr!
• cookies: same domain handling changed to match browser behavior
• formpost: trying to attach a directory no longer crashes
• CURLOPT_DEBUGFUNCTION.3: fixed unused argument warning
• formpost: avoid silent snprintf() truncation
• ftp: fix Curl_ftpsendf
• mprintf: return error on too many arguments
• smb: properly check incoming packet boundaries
• GIT-INFO: remove the Mac 10.1-specific details
• resolve: add error message when resolving using SIGALRM
• cmake: add nghttp2 support
• dist: remove PDF and HTML converted docs from the releases
• configure: disable poll() in macOS builds
• vtls: only re-use session-ids using the same scheme
• pipelining: skip to-be-closed connections when pipelining
• win: fix Universal Windows Platform build
• curl: do not set CURLOPT_SSLENGINE to DEFAULT automatically
• maketgz: make it support "only" generating version info
• Curl_socket_check: add extra check to avoid integer overflow
• gopher: properly return error for poll failures
• curl: set INTERLEAVEDATA too
• polarssl: clear thread array at init
• polarssl: fix unaligned SSL session-id lock
• polarssl: reduce #ifdef madness with a macro
• curl_multi_add_handle: set timeouts in closure handles
• configure: set min version flags for builds on mac
• INSTALL: converted to markdown => INSTALL.md
• curl_multi_remove_handle: fix a double-free
• multi: fix infinite loop in curl_multi_cleanup()
• nss: fix tight loop in non-blocking TLS handhsake over proxy
• mk-ca-bundle: Change URL retrieval to HTTPS-only by default
• mbedtls: stop using deprecated include file
• docs: fix req->data in multi-uv example
• configure: Fix test syntax for monotonic clock_gettime
• CURLMOPT_MAX_PIPELINE_LENGTH.3: Clarify it's not for HTTP/2

Further