RELEASE-NOTES: synced

RELEASE-NOTES

@@ -4,7 +4,7 @@ curl and libcurl 8.6.0
  Command line options:         258
  curl_easy_setopt() options:   304
  Public functions in libcurl:  93
- Contributors:                 3073
+ Contributors:                 3078
 
 This release includes the following changes:
 
@@ -13,6 +13,8 @@ This release includes the following changes:
  o add CURLOPT_SERVER_RESPONSE_TIMEOUT_MS: add [39]
  o asyn-thread: use GetAddrInfoExW on >= Windows 8 [55]
  o configure: make libpsl detection failure cause error [109]
+ o docs/cmdline: change to .md for cmdline docs [77]
+ o docs: introduce "curldown" for libcurl man page format [102]
  o runtests: support -gl. Like -g but for lldb. [47]
 
 This release includes the following bugfixes:
@@ -30,15 +32,17 @@ This release includes the following bugfixes:
  o cf-h1-proxy: no CURLOPT_USERAGENT in CONNECT with hyper [133]
  o cf-socket: show errno in tcpkeepalive error messages [120]
  o CI/distcheck: run full tests [31]
+ o CI: remove unnecessary OpenSSL 3 option `enable-tls1_3` [168]
  o cmake: add option to disable building docs
  o cmake: fix generation for system name iOS [53]
  o cmake: fix typo [5]
  o cmake: prefill/cache `HAVE_STRUCT_SOCKADDR_STORAGE` [45]
+ o cmake: rework options to enable curl and libcurl docs [161]
  o cmake: when USE_MANUAL=YES, build the curl.1 man page [113]
- o cmdline-docs: use .IP consistently [13]
  o cmdline-opts/write-out.d: remove spurious double quotes
  o cmdline-opts: update availability for the *-ca-native options [66]
  o cmdline/gen: fix the sorting of the man page options [33]
+ o configure: add libngtcp2_crypto_boringssl detection [155]
  o configure: fix no default int compile error in ipv6 detection [69]
  o configure: when enabling QUIC, check that TLS supports QUIC [87]
  o connect: remove margin from eyeballer alloc [79]
@@ -54,18 +58,22 @@ This release includes the following bugfixes:
  o CURLOPT_POSTFIELDS.3: fix incorrect C string escape in example [27]
  o CURLOPT_SSH_*_KEYFILE: clarify [57]
  o dist: add tests/errorcodes.pl to the tarball [6]
- o docs/cmdline: change to .md for cmdline docs [77]
  o docs: clean up Protocols: for cmdline options [32]
  o docs: describe and highlight super cookies [80]
- o docs: introduce "curldown" for libcurl man page format [102]
+ o docs: do not start lines/sentences with So, But nor And [140]
+ o docs: install curl.1 with cmake as well [166]
  o docs: mention env vars not used by schannel [124]
  o doh: remove unused local variable [34]
  o examples: add four new examples [99]
+ o file+ftp: use stack buffers instead of data->state.buffer [138]
  o ftp: handle the PORT parsing without allocation [44]
  o ftp: use dynbuf to store entrypath [83]
  o ftp: use memdup0 to store the OS from a SYST 215 response [82]
+ o ftpserver.pl: send 213 SIZE response without spurious newline
  o gen.pl: support ## for doing .IP in table-like lists [105]
  o gen: do italics/bold for a range of letters, not just single word [78]
+ o GHA: add a job scanning for "bad words" in markdown [164]
+ o GHA: bump ngtcp2, gnutls, mod_h2, quiche [158]
  o gnutls: fix build with --disable-verbose [3]
  o haproxy-clientip.d: document the arg [68]
  o headers: make sure the trailing newline is not stored [97]
@@ -76,8 +84,13 @@ This release includes the following bugfixes:
  o http3/quiche: fix result code on a stream reset [91]
  o http3: initial support for OpenSSL 3.2 QUIC stack [110]
  o http: adjust_pollset fix [85]
+ o http: check for "Host:" case insensitively [154]
  o http: fix off-by-one error in request method length check [14]
+ o http: only act on 101 responses when they are HTTP/1.1 [98]
+ o http: remove comment reference to a removed solution [156]
+ o http: use stack scratch buffer [150]
  o http_proxy: a blank CURLOPT_USERAGENT should not be used in CONNECT [90]
+ o krb5: add prototype to silence clang warnings on mvsnprintf() [119]
  o lib: add debug log outputs for CURLE_BAD_FUNCTION_ARGUMENT [62]
  o lib: fix variable undeclared error caused by `infof` changes [2]
  o lib: reduce use of strncpy [30]
@@ -94,30 +107,40 @@ This release includes the following bugfixes:
  o mime: use memdup0 instead of malloc + memcpy [63]
  o mksymbolsmanpage.pl: provide references to where the symbol is used
  o mprintf: overhaul and bugfixes [52]
+ o mqtt: use stack scratch buffer for recv+publish [148]
  o multi: remove total timer reset in file_do() while fetching file:// [89]
  o ngtcp2: put h3 at the front of alpn [58]
+ o ntlm_wb: do not use data->state.buffer any longer [151]
  o openldap: fix an LDAP crash [75]
  o openldap: fix STARTTLS [67]
  o openssl: re-match LibreSSL deinit with init [17]
  o openssl: when verifystatus fails, remove session id from cache [100]
+ o pingpong: stop using the download buffer [159]
  o pop3: replace calloc + memcpy with memdup0 [60]
+ o pytest: scorecard tracking CPU and RSS [157]
  o quiche: return CURLE_HTTP3 on send to invalid stream [65]
  o readwrite_data: loop less [21]
  o Revert "urldata: move async resolver state from easy handle to connectdata" [16]
  o rtsp: deal with borked server responses [129]
  o runtests: for mode="text" on <stdout>, fix newlines on both parts [64]
+ o sasl: make login option string override http auth [142]
  o schannel: fix `-Warith-conversion` gcc 13 warning [28]
  o sectransp: do verify_cert without memdup for blobs [93]
  o sectransp_ make TLSCipherNameForNumber() available in non-verbose config [1]
  o sendf: fix compiler warning with CURL_DISABLE_HEADERS_API [38]
  o setopt: clear mimepost when formp is freed [92]
  o setopt: use memdup0 when cloning COPYPOSTFIELDS [107]
+ o socks: fix generic output string to say SOCKS instead of SOCKS4 [144]
+ o socks: use own buffer instead of data->state.buffer [143]
  o ssh: fix namespace of two local macros [51]
+ o ssh: use stack scratch buffer for seeks [146]
  o strerror: repair get_winsock_error() [56]
  o system.h: sync mingw `CURL_TYPEOF_CURL_SOCKLEN_T` with other compilers [9]
  o system_win32: fix a function pointer assignment warning [71]
  o telnet: use dynbuf instad of malloc for escape buffer [108]
+ o telnet: use stack scratch buffer for do [149]
  o tests/server: delete workaround for old-mingw [25]
+ o tests: avoid int/size_t conversion size/sign warnings [163]
  o tests: respect $TMPDIR when creating unix domain sockets [50]
  o tool: make parser reject blank arguments if not supported [86]
  o tool: prepend output_dir in header callback [95]
@@ -133,16 +156,20 @@ This release includes the following bugfixes:
  o transfer: remove warning: Value stored to 'blen' is never read [136]
  o url: don't set default CA paths for Secure Transport backend [126]
  o url: for disabled protocols, mention if found in redirect [7]
+ o urlapi: remove assert [162]
  o verify-examples.pl: fail verification on unescaped backslash [72]
  o version: show only the libpsl version, not its dependencies [130]
  o vquic: extract TLS setup into own source [88]
  o vtls: fix missing multissl version info [73]
+ o vtls: receive max buffer [139]
  o vtls: remove the Curl_cft_ssl_proxy object if CURL_DISABLE_PROXY [41]
  o websockets: check for negative payload lengths [123]
  o websockets: refactor decode chain [122]
  o windows: delete redundant headers [43]
  o windows: simplify detecting and using system headers [10]
  o wolfssl: load certificate *chain* for PEM client certs [84]
+ o x509asn1: remove code for WANT_VERIFYHOST [132]
+ o x509asn1: switch from malloc to dynbuf [112]
 
 This release includes the following known bugs:
 
@@ -161,16 +188,17 @@ advice from friends like these:
   bubbleguuum on github, Cajus Pollmeier, calvin2021y on github, Chara White,
   Chris Sauer, Dan Fandrich, Daniel Gustafsson, Daniel Stenberg,
   dependabot[bot], Dmitry Karpov, Gabe, Geeknik Labs, Gisle Vanem,
-  Hans-Christian Egtvedt, Harry Sintonen, Haydar Alaidrus, hgdagon on github,
-  Hiroki Kurosawa, iAroc on github, ivanfywang, janko-js on github, Jay Wu,
-  Jess Lowe, Karthikdasari0423 on github, Lealem Amedie, Lin Sun, Marcel Raad,
-  Mark Huang, Mark Sinkovics, Mauricio Scheffer, Michał Antoniak, Mike Hommey,
-  Mohammadreza Hendiani, Ozan Cansel, Patrick Monnerat, Pavel Pavlov,
-  Ray Satiro, RevaliQaQ on github, Richard Levitte, Sergey Bronnikov,
-  Sergey Markelov, sfan5 on github, Stefan Eissing, Tatsuhiko Miyagawa, Theo,
-  Thomas Ferguson, Viktor Szakats, Xi Ruoyao, Yadhu Krishna M, Yedaya Katsman,
-  Yifei Kong, YX Hao, zengwei, zengwei2000
-  (60 contributors)
+  Graham Campbell, Hans-Christian Egtvedt, Harry Sintonen, Haydar Alaidrus,
+  hgdagon on github, Hiroki Kurosawa, iAroc on github, ivanfywang,
+  janko-js on github, Jay Wu, Jess Lowe, Karthikdasari0423 on github,
+  Lealem Amedie, Lin Sun, Marcel Raad, Mark Huang, Mark Sinkovics,
+  Mauricio Scheffer, Michał Antoniak, Mike Hommey, Mohammadreza Hendiani,
+  Ozan Cansel, Patrick Monnerat, Pavel Pavlov, promptfuzz_ on hackerone,
+  Ray Satiro, RevaliQaQ on github, Richard Levitte, Scarlett McAllister,
+  Sergey Bronnikov, Sergey Markelov, sfan5 on github, Stefan Eissing,
+  Tatsuhiko Miyagawa, Tatsuhiro Tsujikawa, Theo, Thomas Ferguson,
+  Viktor Szakats, Xi Ruoyao, Yadhu Krishna M, Yedaya Katsman, Yifei Kong,
+  YX Hao, zengwei, zengwei2000, ウさん  (65 contributors)
 
 References to bug reports and discussions on issues:
 
@@ -186,7 +214,6 @@ References to bug reports and discussions on issues:
  [10] = https://curl.se/bug/?i=12495
  [11] = https://curl.se/bug/?i=12489
  [12] = https://curl.se/bug/?i=12224
- [13] = https://curl.se/bug/?i=12535
  [14] = https://curl.se/bug/?i=12534
  [15] = https://curl.se/mail/archive-2023-12/0026.html
  [16] = https://curl.se/bug/?i=12524
@@ -271,6 +298,7 @@ References to bug reports and discussions on issues:
  [95] = https://curl.se/bug/?i=12614
  [96] = https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65661
  [97] = https://curl.se/mail/lib-2024-01/0019.html
+ [98] = https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66184
  [99] = https://curl.se/bug/?i=12671
  [100] = https://curl.se/bug/?i=12760
  [102] = https://curl.se/bug/?i=12730
@@ -282,10 +310,12 @@ References to bug reports and discussions on issues:
  [108] = https://curl.se/bug/?i=12652
  [109] = https://curl.se/bug/?i=12661
  [110] = https://curl.se/bug/?i=12734
+ [112] = https://curl.se/bug/?i=12808
  [113] = https://curl.se/bug/?i=12742
  [115] = https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65839
  [116] = https://curl.se/bug/?i=12727
  [117] = https://curl.se/bug/?i=12720
+ [119] = https://curl.se/bug/?i=12803
  [120] = https://curl.se/bug/?i=12726
  [121] = https://curl.se/bug/?i=12645
  [122] = https://curl.se/bug/?i=12713
@@ -298,7 +328,31 @@ References to bug reports and discussions on issues:
  [129] = https://curl.se/bug/?i=12701
  [130] = https://curl.se/bug/?i=12700
  [131] = https://curl.se/bug/?i=12695
+ [132] = https://curl.se/bug/?i=12804
  [133] = https://curl.se/bug/?i=12697
  [134] = https://curl.se/bug/?i=12691
  [136] = https://curl.se/bug/?i=12693
  [137] = https://curl.se/bug/?i=12480
+ [138] = https://curl.se/bug/?i=12789
+ [139] = https://curl.se/bug/?i=12801
+ [140] = https://curl.se/bug/?i=12802
+ [142] = https://curl.se/bug/?i=10259
+ [143] = https://curl.se/bug/?i=12788
+ [144] = https://curl.se/bug/?i=12797
+ [146] = https://curl.se/bug/?i=12794
+ [148] = https://curl.se/bug/?i=12792
+ [149] = https://curl.se/bug/?i=12793
+ [150] = https://curl.se/bug/?i=12791
+ [151] = https://curl.se/bug/?i=12787
+ [154] = https://curl.se/bug/?i=12784
+ [155] = https://curl.se/bug/?i=12724
+ [156] = https://curl.se/bug/?i=12785
+ [157] = https://curl.se/bug/?i=12765
+ [158] = https://curl.se/bug/?i=12778
+ [159] = https://curl.se/bug/?i=12757
+ [161] = https://curl.se/bug/?i=12773
+ [162] = https://curl.se/bug/?i=12775
+ [163] = https://curl.se/bug/?i=12768
+ [164] = https://curl.se/bug/?i=12764
+ [166] = https://curl.se/bug/?i=12759
+ [168] = https://curl.se/bug/?i=12758