Changes in 7.64.0 - February 6 2019

Changes:

• cookies: leave secure cookies alone
• hostip: support wildcard hosts
• http: Implement trailing headers for chunked transfers
• http: added options for allowing HTTP/0.9 responses
• timeval: Use high resolution timestamps on Windows

Bugfixes:

• CVE-2018-16890: NTLM type-2 out-of-bounds buffer read
• CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow
• CVE-2019-3823: SMTP end-of-response out-of-bounds read
• FAQ: remove mention of sourceforge for github
• OS400: handle memory error in list conversion
• OS400: upgrade ILE/RPG binding.
• README: add codacy code quality badge
• Revert http_negotiate: do not close connection
• THANKS: added several missing names from year <= 2000
• build: make 'tidy' target work for metalink builds
• cmake: added checks for variadic macros
• cmake: updated check for HAVE_POLL_FINE to match autotools
• cmake: use lowercase for function name like the rest of the code
• configure: detect xlclang separately from clang
• configure: fix recv/send/select detection on Android
• configure: rewrite --enable-code-coverage
• conncache_unlock: avoid indirection by changing input argument type
• cookie: fix comment typo
• cookies: allow secure override when done over HTTPS
• cookies: extend domain checks to non psl builds
• cookies: skip custom cookies when redirecting cross-site
• curl --xattr: strip credentials from any URL that is stored
• curl -J: refuse to append to the destination file
• curl/urlapi.h: include "curl.h" first
• curl_multi_remove_handle() don't block terminating c-ares requests
• darwinssl: accept setting max-tls with default min-tls
• disconnect: separate connections and easy handles better
• disconnect: set conn->data for protocol disconnect
• docs/version.d: mention MultiSSL
• docs: fix the --tls-max description
• docs: use $(INSTALL_DATA) to install manpage
• docs: use meaningless port number in CURLOPT_LOCALPORT example
• gopher: always include the entire gopher-path in request
• http2: clear pause stream id if it gets closed
• if2ip: remove unused function Curl_if_is_interface_name
• libssh: do not let libssh create socket
• libssh: enable CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION for libssh
• libssh: free sftp_canonicalize_path() data correctly
• libtest/stub_gssapi: use "real" snprintf
• mbedtls: use VERIFYHOST
• multi: multiplexing improvements
• multi: set the EXPIRE_*TIMEOUT timers at TIMER_STARTSINGLE time
• ntlm: fix NTMLv2 compliance
• ntlm_sspi: add support for channel binding
• openssl: adapt to 3.0.0, OpenSSL_version_num() is deprecated
• openssl: fix the SSL_get_tlsext_status_ocsp_resp call
• openvms: fix OpenSSL discovery on VAX
• openvms: fix typos in documentation
• os400: add a missing closing bracket
• os400: fix extra parameter syntax error
• pingpong: change default response timeout to 120 seconds
• pingpong: ignore regular timeout in disconnect phase
• printf: fix format specifiers
• runtests.pl: Fix perl call to include srcdir
• schannel: fix compiler warning
• schannel: preserve original certificate path parameter
• schannel: stop calling it "winssl"
• sigpipe: if mbedTLS is used, ignore SIGPIPE
• smb: fix incorrect path in request if connection reused
• ssh: log the libssh2 error message when ssh session startup fails
• test1558: verify CURLINFO_PROTOCOL on file:// transfer
• test1561: improve test name
• test1653: make it survive torture tests
• tests: allow tests to pass by 2037-02-12
• tests: move objnames-* from lib into tests
• timediff: fix math for unsigned time_t
• timeval: Disable MSVC Analyzer GetTickCount warning
• tool_cb_prg: avoid integer overflow
• travis: added cmake build for osx
• urlapi: Fix port parsing of eol colon
• urlapi: distinguish possibly empty query
• urlapi: fix parsing ipv6 with zone index
• urldata: rename easy_conn to just conn
• winbuild: conditionally use /DZLIB_WINAPI
• wolfssl: fix memory-leak in threaded use
• spnego_sspi: add support for channel binding

Further