curl and libcurl 8.20.0

 Public curl releases:         274
 Command line options:         273
 curl_easy_setopt() options:   308
 Public functions in libcurl:  100
 Authors:                      1460
 Contributors:                 3640

This release includes the following changes:

 o async-thrdd: use thread queue for resolving [144]
 o build: make NTLM disabled by default [90]
 o cmake: drop support for CMake 3.17 and older [108]
 o lib: add thread pool and queue [74]
 o lib: drop support for < c-ares 1.16.0 [64]
 o lib: make SMB support opt-in [18]
 o multi.h: add CURLMNWC_CLEAR_ALL [127]
 o rtmp: drop support [91]

This release includes the following bugfixes:

 o asyn-ares: drop orphaned variable references [86]
 o asyn-ares: fix HTTPS-lookup when not on port 443 [100]
 o asyn-thrdd: fix clang-tidy unused value warning [125]
 o autotools: limit checksrc target to ignore non-repo test sources [12]
 o badwords-all: exit with correct code on errors [50]
 o badwords: combine the whitelisting into a single regex [1]
 o badwords: detect the the and with with [51]
 o badwords: only check comments and strings in source code [61]
 o badwords: rework exceptions, fix many of them [15]
 o boringssl: fix more coexist cases with Schannel/WinCrypt [170]
 o build: assume `snprintf()` in `mprintf`, drop feature check [107]
 o build: compiler warning silencing tidy-ups [4]
 o build: drop `openssl` module dependency for BoringSSL from `libcurl.pc` [33]
 o build: drop duplicate `pthread.h` includes [158]
 o build: drop redundant `USE_QUICHE` guards [159]
 o build: enable `-Wimplicit-int-enum-cast` compiler warning, fix issues [84]
 o cf-https-connect: silence `-Wimplicit-int-enum-cast` with HTTPS-RR [132]
 o cf-https-connect: silence `-Wimplicit-int-enum-cast` with HTTPS-RR [63]
 o cf-socket: avoid low risk integer overflow on ancient Solaris [56]
 o cmake: add CMake Config-based dependency detection [87]
 o cmake: add CMake Config-based dependency detection for c-ares, wolfSSL [134]
 o cmake: document functions used from Windows system DLLs [103]
 o cmake: resolve targets recursively when generating `libcurl.pc` [45]
 o cmake: rework binutils ld hack to not read `LOCATION` property [41]
 o cmake: silence bad library `Threads::Threads` warning [131]
 o cmake: use `AIX` built-in variable (with CMake 4.0+) [163]
 o config2setopts: make --capath work in proxy disabled builds [113]
 o configure: fix `--with-ngtcp2=<path>` option for crypto libs [26]
 o configure: fix LibreSSL ngtcp2 1.15.0+ crypto lib selection logic [3]
 o configure: prefer dependency-specific variables over `$withval` [35]
 o configure: remove superfluous experimental warning for HTTP/3 [169]
 o curl-wolfssl.m4: fix to use the correct value for pkg-config directory [36]
 o curl.h: replace macros with C++-friendly method to enforce 3 args [110]
 o curl_ctype.h: fix spelling in a couple of locally used macros [28]
 o curl_get_line: error out on read errors [9]
 o curl_get_line: fix potential infinite loop when filename is a directory [46]
 o curl_ngtcp2: extend and update callbacks for 1.22.0+ [165]
 o curl_ntlm_core: drop redundant PP condition [140]
 o curl_sha512_256: support delegating to wolfSSL API [149]
 o curl_version_info.md: clarify age details [69]
 o CURLOPT_HAPROXY_CLIENT_IP.md: mention assuption on data format [96]
 o CURLOPT_SSL_CTX_FUNCTION.md: expand on effects connection reuse [105]
 o curlx_now(), prevent zero timestamp [93]
 o DEPRECATE: fix minor release number typo
 o digest: pass in the user name quoted (as well) [34]
 o dnscache: own source file, improvements [116]
 o docs/lib: fix typos [53]
 o docs: enable more compiler warnings for C snippets, fix 3 finds [71]
 o docs: list more dependencies for running Python HTTP tests [123]
 o docs: mention more zip bomb precautions [166]
 o docs: minor wording tweaks
 o doh: fix memory-leak when doing a second DoH resolve [55]
 o examples/websocket: fix to sleep more on Windows [92]
 o examples: drop warning silencers no longer hit [14]
 o examples: fix typo in comment [75]
 o file: init fd to -1 to prevent close fd 0 on early failure [40]
 o fopen: for temp files, inherit permissions only for owner [146]
 o ftp: do not strdup DATA hostname [29]
 o ftp: make the MDTM date parser stricter (again) [115]
 o ftp: reject PWD responses containing control characters [95]
 o gcc: guard `#pragma diagnostic` in core code for <4.6 [94]
 o generate.bat: remove extra % from VC11 and VC12 runs
 o genserv.pl: make external calls safe [119]
 o getinfo: initialize `PureInfo` field `used_proxy` [43]
 o gnutls: fix clang-tidy warning with !verbose [126]
 o hostip: clear the sockaddr_in6 structure before use [20]
 o hsts: when a dupe host adds subdomains, use that [130]
 o http2: clear the h2 session at delete [99]
 o http2: prevent secure schemes pushed over insecure connections [181]
 o http2: return error on OOM in push headers [65]
 o HTTP3.md: drop outdated mentions of OpenSSL-QUIC [2]
 o http: fix Curl_compareheader for multi value headers [11]
 o http: make Curl_compareheader handle multiple commas in header
 o imap: reset the UIDVALIDITY state between transfers [7]
 o include: drop 'will' from public headers [73]
 o keylog.h: replace literal number with macro in declaration [171]
 o keylog: drop unused/redundant includes and guards [172]
 o ldap: drop duplicate `ldap_set_option()` on Windows [42]
 o ldap: fix to initialize cleartext connection on Windows [49]
 o lib: always use Curl_1st_fatal instead of Curl_1st_err [89]
 o libssh2: fix error handling on quote errors [21]
 o libssh: propagate error back in SFTP function [178]
 o libtest: drop duplicate include [111]
 o location/follow: mention netrc [138]
 o md4, md5: switch to wolfCrypt API in wolfSSL builds [139]
 o mk-ca-bundle.pl: make generated timestamps deterministic [44]
 o multi: fix connection retry for non-http [180]
 o multi: improve wakeup and wait code [118]
 o netrc: find login-less password when user is given in URL [6]
 o netrc: remove unused parsenetrc() macro for netrc-disabled [121]
 o netrc: skip malformed macdef lines [67]
 o openssl channel_binding: lookup digest algorithm without NID [117]
 o openssl: drop obsolete SSLv2 logic [27]
 o openssl: fix build with 4.0.0-beta1 no-deprecated [184]
 o openssl: fix memory leaks in ECH code (OpenSSL 3) [78]
 o openssl: trace count of found / imported Windows native CA roots [8]
 o OS400: add new definitions to the ILE/RPG binding. [153]
 o os400sys: fix typo in comment (symetry -> symmetry) [58]
 o perl: harden external command invocations [133]
 o progress: count amount of data "delivered" to application [66]
 o protocol.h: fix the CURLPROTO_MASK [31]
 o protocol: use scheme names lowercase [38]
 o proxy: chunked response, error code [143]
 o pytest: add additional quiche check for flaky test_05_01 [22]
 o rand: use `BCryptGenRandom()` in UWP builds [88]
 o ratelimit: reset on start [150]
 o request: reset resp_trailer in new requests [186]
 o scripts: drop redundant double-quotes: `"$var"` -> `$var` (Perl) [109]
 o scripts: harden / tidy up more Perl `system()` calls [70]
 o sha256, sha512_256: switch to wolfCrypt API [147]
 o sha256: support delegating to wolfSSL API [148]
 o share: concurrency handling, easy updates [104]
 o socks: reject zero-length GSSAPI/SSPI tokens from proxy [157]
 o src: use ftruncate() unconditionally [128]
 o sshserver.pl: harden more `system()` calls [81]
 o sshserver.pl: pass command-line to `system()` safely [82]
 o strerr: correct the strerror_s() return code condition [25]
 o sws: fix potential OOB write [80]
 o synctime: fix off-by-one read and write to a read-only buffer (Windows) [85]
 o test459: switch to mode="warn" for stderr check [5]
 o testcurl.pl: replace shell commands with Perl `rmtree()` [76]
 o tests/unit/README: describe how to unit test static functions [60]
 o tool: check for curlinfo->age when determining if ssh backend [77]
 o tool: fix memory mixups [106]
 o tool: fix two more allocator mismatches [155]
 o tool_cb_hdr: only truncate etags output when regular file [129]
 o tool_cb_rea: make waitfd() return void [168]
 o tool_cb_wrt: fix no-clobber error handling [39]
 o tool_cfgable: free the SSL signature algorithms [62]
 o tool_formparse: propagate my_get_line errors when reading headers [102]
 o tool_getparam: use correct free function for libcurl memory [68]
 o tool_ipfs: accept IPFS gateway URL without set port number [13]
 o tool_msgs: avoid null pointer deref for early errors [98]
 o tool_operate: actually apply the --parallel-max-host limit [167]
 o tool_operate: drop the scheme-guessing in the -G handling [54]
 o tool_operate: fix condition for loading `curl-ca-bundle.crt` (Windows) [79]
 o tool_operate: fix memory-leak on failed uploads [124]
 o tool_operate: fix minor memory-leak on early error [23]
 o tool_operhlp: fix `add_file_name_to_url()` result on OOM [32]
 o tool_operhlp: iterate through all slashes to find name [114]
 o tool_operhlp: propagate low-level OOM in `add_file_name_to_url()` [112]
 o tool_setopt: return error on OOM correctly [152]
 o tool_urlglob: fix memory-leak on glob range overflow [19]
 o top-complexity: prevent filename-based shell injection risk [101]
 o transfer: clear the URL pointer in OOM to avoid UAF [179]
 o transfer: enable custom methods again on next transfer [30]
 o transfer: enhance secure check [10]
 o url: do not reuse a non-tls starttls connection if new requires TLS [145]
 o url: use the socks type for socks proxy [47]
 o url: use URL for url even in comments [52]
 o urlapi: fix handling of "file:///" [122]
 o urlapi: make dedotdotify handle leading dots correctly [97]
 o urlapi: verify the last letter of a scheme when set explicitly [16]
 o urldata: connection bit ipv6_ip is wrong [59]
 o urldata: import port types and conn destination format [57]
 o urldata: make hstslist only present in HSTS builds [120]
 o urldata: make speeder_c uint32 [37]
 o urldata: remove trailers_state [17]
 o wolfssl: document v5.0.0 (2021-11-01) as minimum required [151]
 o wolfssl: fix handling of abrupt connection close [24]
 o x509asn1: fix to return error in an error case from `encodeOID()` [83]
 o x509asn1: fixed and adapted for ASN1tostr unit testing [48]
 o x509asn1: improve encodeOID [72]

This release includes the following known bugs:

 See https://curl.se/docs/knownbugs.html

For all changes ever done in curl:

 See https://curl.se/changes.html

Planned upcoming removals include:

 o local crypto implementations
 o NTLM
 o SMB
 o TLS-SRP support

 See https://curl.se/dev/deprecate.html

This release would not have looked like this without help, code, reports and
advice from friends like these:

  am-perip on hackerone, Arkadi Vainbrand, Carlos Henrique Lima Melara,
  crawfordxx, Dan Fandrich, Daniel Stenberg, dependabot[bot], Dexter Gerig,
  Ercan Ermis, fds242 on github, Flavio Amieiro, Greg Kroah-Hartman,
  Harry Sintonen, Henrique Pereira, James Fuller, Jason Stangroome, Kai Pastor,
  Kaixuan Li, lg_oled77c5pua on hackerone, M42kL33 on hackerone,
  m777m0 on hackerone, Marcel Raad, Martin Dürrmeier, Michael Hendricks,
  Michael Kaufmann, Orgad Shaneh, Otis Cui Lei, Patrick Monnerat, Ray Satiro,
  renovate[bot], Richard Tollerton, Rob Crittenden, Scott Boudreaux,
  Sergey Fedorov, Stefan Eissing, Viktor Szakats, Vladimír Marek,
  xkilua on hackerone, Yoshiro Yoneya
  (39 contributors)

References to bug reports and discussions on issues:

 [1] = https://curl.se/bug/?i=20880
 [2] = https://curl.se/bug/?i=20914
 [3] = https://curl.se/bug/?i=20889
 [4] = https://curl.se/bug/?i=20908
 [5] = https://curl.se/bug/?i=20910
 [6] = https://curl.se/bug/?i=20950
 [7] = https://curl.se/bug/?i=20962
 [8] = https://curl.se/bug/?i=20899
 [9] = https://curl.se/bug/?i=20958
 [10] = https://curl.se/bug/?i=20951
 [11] = https://curl.se/bug/?i=20894
 [12] = https://curl.se/bug/?i=20898
 [13] = https://curl.se/bug/?i=20957
 [14] = https://curl.se/bug/?i=20896
 [15] = https://curl.se/bug/?i=20886
 [16] = https://curl.se/bug/?i=20893
 [17] = https://curl.se/bug/?i=20960
 [18] = https://curl.se/bug/?i=20846
 [19] = https://curl.se/bug/?i=20956
 [20] = https://curl.se/bug/?i=20885
 [21] = https://curl.se/bug/?i=20883
 [22] = https://curl.se/bug/?i=20952
 [23] = https://curl.se/bug/?i=20954
 [24] = https://curl.se/bug/?i=21002
 [25] = https://curl.se/bug/?i=20955
 [26] = https://curl.se/bug/?i=18022
 [27] = https://curl.se/bug/?i=20945
 [28] = https://curl.se/bug/?i=20810
 [29] = https://curl.se/bug/?i=20953
 [30] = https://curl.se/bug/?i=21037
 [31] = https://curl.se/bug/?i=21031
 [32] = https://curl.se/bug/?i=21011
 [33] = https://curl.se/bug/?i=20926
 [34] = https://curl.se/bug/?i=20940
 [35] = https://curl.se/bug/?i=20944
 [36] = https://curl.se/bug/?i=20943
 [37] = https://curl.se/bug/?i=21036
 [38] = https://curl.se/bug/?i=21033
 [39] = https://curl.se/bug/?i=20939
 [40] = https://curl.se/bug/?i=21029
 [41] = https://curl.se/bug/?i=20839
 [42] = https://curl.se/bug/?i=20930
 [43] = https://curl.se/bug/?i=21020
 [44] = https://curl.se/bug/?i=20528
 [45] = https://curl.se/bug/?i=20840
 [46] = https://curl.se/bug/?i=20823
 [47] = https://curl.se/bug/?i=21025
 [48] = https://curl.se/bug/?i=21013
 [49] = https://curl.se/bug/?i=20927
 [50] = https://curl.se/bug/?i=20934
 [51] = https://curl.se/bug/?i=20934
 [52] = https://curl.se/bug/?i=20935
 [53] = https://curl.se/bug/?i=20933
 [54] = https://curl.se/bug/?i=20992
 [55] = https://curl.se/bug/?i=20929
 [56] = https://curl.se/bug/?i=21111
 [57] = https://curl.se/bug/?i=20918
 [58] = https://curl.se/bug/?i=20923
 [59] = https://curl.se/bug/?i=20919
 [60] = https://curl.se/bug/?i=21018
 [61] = https://curl.se/bug/?i=20909
 [62] = https://curl.se/bug/?i=20915
 [63] = https://curl.se/bug/?i=21057
 [64] = https://curl.se/bug/?i=20911
 [65] = https://hackerone.com/reports/3636044
 [66] = https://curl.se/bug/?i=20787
 [67] = https://curl.se/bug/?i=21049
 [68] = https://curl.se/bug/?i=21075
 [69] = https://curl.se/bug/?i=21052
 [70] = https://curl.se/bug/?i=21007
 [71] = https://curl.se/bug/?i=21006
 [72] = https://curl.se/bug/?i=21003
 [73] = https://curl.se/bug/?i=21005
 [74] = https://curl.se/bug/?i=20916
 [75] = https://curl.se/bug/?i=21001
 [76] = https://curl.se/bug/?i=21053
 [77] = https://curl.se/bug/?i=21050
 [78] = https://curl.se/bug/?i=20993
 [79] = https://curl.se/bug/?i=20989
 [80] = https://curl.se/bug/?i=20988
 [81] = https://curl.se/bug/?i=20997
 [82] = https://curl.se/bug/?i=20996
 [83] = https://curl.se/bug/?i=20991
 [84] = https://curl.se/bug/?i=20990
 [85] = https://curl.se/bug/?i=20987
 [86] = https://curl.se/bug/?i=20999
 [87] = https://curl.se/bug/?i=20814
 [88] = https://curl.se/bug/?i=20983
 [89] = https://curl.se/bug/?i=20980
 [90] = https://curl.se/bug/?i=20698
 [91] = https://curl.se/bug/?i=20673
 [92] = https://curl.se/bug/?i=20978
 [93] = https://curl.se/bug/?i=21034
 [94] = https://curl.se/bug/?i=20892
 [95] = https://curl.se/bug/?i=20949
 [96] = https://curl.se/bug/?i=21042
 [97] = https://curl.se/bug/?i=20974
 [98] = https://curl.se/bug/?i=20967
 [99] = https://curl.se/bug/?i=20975
 [100] = https://curl.se/bug/?i=20966
 [101] = https://curl.se/bug/?i=20969
 [102] = https://curl.se/bug/?i=20963
 [103] = https://curl.se/bug/?i=20965
 [104] = https://curl.se/bug/?i=20870
 [105] = https://curl.se/bug/?i=21164
 [106] = https://curl.se/bug/?i=21099
 [107] = https://curl.se/bug/?i=20763
 [108] = https://curl.se/bug/?i=20407
 [109] = https://curl.se/bug/?i=21009
 [110] = https://curl.se/bug/?i=20709
 [111] = https://curl.se/bug/?i=21046
 [112] = https://curl.se/bug/?i=21011
 [113] = https://curl.se/bug/?i=21063
 [114] = https://curl.se/bug/?i=21165
 [115] = https://curl.se/bug/?i=21041
 [116] = https://curl.se/bug/?i=20864
 [117] = https://curl.se/bug/?i=20590
 [118] = https://curl.se/bug/?i=20832
 [119] = https://curl.se/bug/?i=20971
 [120] = https://curl.se/bug/?i=21068
 [121] = https://curl.se/bug/?i=21067
 [122] = https://curl.se/bug/?i=21070
 [123] = https://curl.se/bug/?i=21110
 [124] = https://curl.se/bug/?i=21062
 [125] = https://curl.se/bug/?i=21061
 [126] = https://curl.se/bug/?i=21060
 [127] = https://curl.se/bug/?i=20968
 [128] = https://curl.se/bug/?i=21109
 [129] = https://curl.se/bug/?i=21103
 [130] = https://curl.se/bug/?i=21108
 [131] = https://curl.se/bug/?i=21170
 [132] = https://curl.se/bug/?i=21167
 [133] = https://curl.se/bug/?i=21097
 [134] = https://curl.se/bug/?i=21098
 [138] = https://curl.se/bug/?i=21091
 [139] = https://curl.se/bug/?i=21093
 [140] = https://curl.se/bug/?i=21096
 [143] = https://curl.se/bug/?i=21084
 [144] = https://curl.se/bug/?i=20936
 [145] = https://curl.se/bug/?i=21082
 [146] = https://curl.se/bug/?i=21092
 [147] = https://curl.se/bug/?i=21090
 [148] = https://curl.se/bug/?i=21078
 [149] = https://curl.se/bug/?i=21077
 [150] = https://curl.se/bug/?i=21086
 [151] = https://curl.se/bug/?i=21080
 [152] = https://curl.se/bug/?i=21083
 [153] = https://curl.se/bug/?i=20672
 [155] = https://curl.se/bug/?i=21150
 [157] = https://curl.se/bug/?i=21159
 [158] = https://curl.se/bug/?i=21144
 [159] = https://curl.se/bug/?i=21135
 [163] = https://curl.se/bug/?i=21134
 [165] = https://curl.se/bug/?i=21152
 [166] = https://curl.se/bug/?i=21143
 [167] = https://curl.se/bug/?i=21147
 [168] = https://curl.se/bug/?i=21127
 [169] = https://curl.se/bug/?i=21139
 [170] = https://curl.se/bug/?i=21136
 [171] = https://curl.se/bug/?i=21141
 [172] = https://curl.se/bug/?i=21137
 [178] = https://curl.se/bug/?i=21122
 [179] = https://curl.se/bug/?i=21123
 [180] = https://curl.se/bug/?i=21121
 [181] = https://curl.se/bug/?i=21113
 [184] = https://curl.se/bug/?i=21119
 [186] = https://curl.se/bug/?i=21112