The CURLOPT_SSL_VERIFYSTATUS option was not properly handled by libcurl
and thus even if the status couldn't be verified, the connection would
be allowed and the user would not be told about the failed verification.

Regression since cb4e2be7

CVE-2017-2629
Bug: https://curl.haxx.se/docs/adv_20170222.html

Reported-by: Marcus Hoffmann

- If the server has provided another challenge use it as the replacement
  input token if stale=TRUE. Otherwise previous credentials have failed
  so return CURLE_LOGIN_DENIED.

Prior to this change the stale directive was ignored and if another
challenge was received it would cause error CURLE_BAD_CONTENT_ENCODING.

Ref: https://tools.ietf.org/html/rfc2617#page-10

Bug: https://github.com/curl/curl/issues/928


Reported-by:  <tarek112@users.noreply.github.com>

Source: https://github.com/Microsoft/vcpkg/blob/7676b8780db1e1e591c4fc7eba4f96f73c428cb4/ports/curl/0002_fix_uwp.patch

Closes #1264

Since negative values are errors and not only -1. This makes SFTP upload
with --create-dirs work (again).

Closes #1269

- on the first invocation: keep security context returned by
  InitializeSecurityContext()

- on subsequent invocations: use MakeSignature() instead of
  InitializeSecurityContext() to generate HTTP digest response

Bug: https://github.com/curl/curl/issues/870
Reported-by: Andreas Roth

Closes https://github.com/curl/curl/pull/1251

Follow-up to 4b86113f

Fixes https://github.com/curl/curl/issues/793
Fixes https://github.com/curl/curl/issues/942

Properly resolve, convert and log the proxy host names.
Support the "--connect-to" feature for SOCKS proxies and for passive FTP
data transfers.

Follow-up to cb4e2be7

Reported-by: Jay Satiro
Fixes https://github.com/curl/curl/issues/1248

- While negotiating auth during PUT/POST if a user-specified
  Content-Length header is set send 'Content-Length: 0'.

This is what we do already in HTTPREQ_POST_FORM and what we did in the
HTTPREQ_POST case (regression since afd288b2).

Prior to this change no Content-Length header would be sent in such a
case.

Bug: https://curl.haxx.se/mail/lib-2017-02/0006.html
Reported-by: Dominik Hölzl

Closes https://github.com/curl/curl/pull/1242

Closes #1265

It isn't easily solved, but with some thinking someone could probably
come up with a working approach?

Closes #1241

For example allow ranges like [1-1] and [a-a] etc.

Regression since 5ca96cb8.

Bug: https://github.com/curl/curl/issues/1238
Reported-by: R. Dennis Steed

Builds with axTLS 2.1.2. This then also breaks compatibility with axTLS
< 2.1.0 (the older API)

... and fix the session_id mixup brought in 04b4ee54

Fixes #1220

The warning message had a typo. The argument long form is --time-cond
not --timecond

Closes #1263

When the threaded resolver option is specified for configure the default
thread library is pthreads. This change makes it possible to
--disable-pthreads and then configure can fall back on Win32 threads for
native Windows builds.

Closes https://github.com/curl/curl/pull/1260

Reported-by:  <zelinchen@users.noreply.github.com>
Fixes #1229

When CURLE_SSL_CACERT occurs the tool shows a lengthy error message to
the user explaining possible solutions such as --cacert and --insecure.

This change appends to that message similar options --proxy-cacert and
--proxy-insecure when there's a specified HTTPS proxy.

Closes https://github.com/curl/curl/issues/1258

Fixes #1252

- Document in --socks* opts they're still mutually exclusive of --proxy.

Partial revert of 423a93ce; I had misinterpreted the SOCKS proxy +
HTTP/HTTPS proxy combination.

- Document in --socks* opts that --preproxy can be used to specify a
  SOCKS proxy at the same time --proxy is used with an HTTP/HTTPS proxy.

If the NSS code was in the middle of a non-blocking handshake and it
was asked to finish the handshake in blocking mode, it unexpectedly
continued in the non-blocking mode, which caused a FTPS connection
over CONNECT to fail with "(81) Socket not ready for send/recv".

Bug: https://bugzilla.redhat.com/1420327

... instead of the OpenSSL mutex page.

Follow up to 7fe81ec2: make sure 'host' is either NULL or malloced.

Fixes #1255

Reported-by: Dan Fandrich
Bug: https://curl.haxx.se/mail/lib-2017-02/0032.html

When removing an easy handler from a multi before it completed its
transfer, and it had pushed streams, it would segfault due to the pushed
counted not being cleared.

Fixed-by:  <zelinchen@users.noreply.github.com>
Fixes #1249