Security update for curl (moderate)

This update for curl to version 7.60.0 fixes the following issues:

These security issues were fixed:

• CVE-2018-1000300: Prevent heap-based buffer overflow when closing down
  an FTP connection with very long server command replies (bsc#1092094).
• CVE-2018-1000301: Prevent buffer over-read that could have cause reading
  data beyond the end of a heap based buffer used to store downloaded RTSP
  content (bsc#1092098).

These non-security issues were fixed:

• Add CURLOPT_HAPROXYPROTOCOL, support for the HAProxy PROXY protocol
• Add --haproxy-protocol for the command line tool
• Add CURLOPT_DNS_SHUFFLE_ADDRESSES, shuffle returned IP addresses
• FTP: fix typo in recursive callback detection for seeking
• test1208: marked flaky
• HTTP: make header-less responses still count correct body size
• user-agent.d:: mention --proxy-header as well
• http2: fixes typo
• cleanup: misc typos in strings and comments
• rate-limit: use three second window to better handle high speeds
• examples/hiperfifo.c: improved
• pause: when changing pause state, update socket state
• curl_version_info.3: fix ssl_version description
• add_handle/easy_perform: clear errorbuffer on start if set
• cmake: add support for brotli
• parsedate: support UT timezone
• vauth/ntlm.h: fix the #ifdef header guard
• lib/curl_path.h: added #ifdef header guard
• vauth/cleartext: fix integer overflow check
• CURLINFO_COOKIELIST.3: made the example not leak memory
• cookie.d: mention that "-" as filename means stdin
• CURLINFO_SSL_VERIFYRESULT.3: fixed the example
• http2: read pending frames (including GOAWAY) in connection-check
• timeval: remove compilation warning by casting
• cmake: avoid warn-as-error during config checks
• travis-ci: enable -Werror for CMake builds
• openldap: fix for NULL return from ldap_get_attribute_ber()
• threaded resolver: track resolver time and set suitable timeout values
• cmake: Add advapi32 as explicit link library for win32
• docs: fix CURLINFO_*_T examples use of CURL_FORMAT_CURL_OFF_T
• test1148: set a fixed locale for the test
• cookies: when reading from a file, only remove_expired once
• cookie: store cookies per top-level-domain-specific hash table
• openssl: RESTORED verify locations when verifypeer==0
• file: restore old behavior for file:////foo/bar URLs
• FTP: allow PASV on IPv6 connections when a proxy is being used
• build-openssl.bat: allow custom paths for VS and perl
• winbuild: make the clean target work without build-type
• build-openssl.bat: Refer to VS2017 as VC14.1 instead of VC15
• curl: retry on FTP 4xx, ignore other protocols
• configure: detect (and use) sa_family_t
• examples/sftpuploadresume: Fix Windows large file seek
• build: cleanup to fix clang warnings/errors
• winbuild: updated the documentation
• lib: silence null-dereference warnings
• travis: bump to clang 6 and gcc 7
• travis: build libpsl and make builds use it
• proxy: show getenv proxy use in verbose output
• duphandle: make sure CURLOPT_RESOLVE is duplicated
• all: Refactor malloc+memset to use calloc
• checksrc: Fix typo
• system.h: Add sparcv8plus to oracle/sunpro 32-bit detection
• vauth: Fix typo
• ssh: show libSSH2 error code when closing fails
• test1148: tolerate progress updates better
• urldata: make service names unconditional
• configure: keep LD_LIBRARY_PATH changes local
• ntlm_sspi: fix authentication using Credential Manager
• schannel: add client certificate authentication
• winbuild: Support custom devel paths for each dependency
• schannel: add support for CURLOPT_CAINFO
• http2: handle on_begin_headers() called more than once
• openssl: support OpenSSL 1.1.1 verbose-mode trace messages
• openssl: fix subjectAltName check on non-ASCII platforms
• http2: avoid strstr() on data not zero terminated
• http2: clear the "drain counter" when a stream is closed
• http2: handle GOAWAY properly
• tool_help: clarify --max-time unit of time is seconds
• curl.1: clarify that options and URLs can be mixed
• http2: convert an assert to run-time check
• curl_global_sslset: always provide available backends
• ftplistparser: keep state between invokes
• Curl_memchr: zero length input can’t match
• examples/sftpuploadresume: typecast fseek argument to long
• examples/http2-upload: expand buffer to avoid silly warning
• ctype: restore character classification for non-ASCII platforms
• mime: avoid NULL pointer dereference risk
• cookies: ensure that we have cookies before writing jar
• os400.c: fix checksrc warnings
• configure: provide --with-wolfssl as an alias for --with-cyassl
• cyassl: adapt to libraries without TLS 1.0 support built-in
• http2: get rid of another strstr
• checksrc: force indentation of lines after an else
• cookies: remove unused macro
• CURLINFO_PROTOCOL.3: mention the existing defined names
• tests: provide ‘manual’ as a feature to optionally require
• travis: enable libssh2 on both macos and Linux
• CURLOPT_URL.3: added ENCODING section
• wolfssl: Fix non-blocking connect
• vtls: don’t define MD5_DIGEST_LENGTH for wolfssl
• docs: remove extraneous commas in man pages
• URL: fix ASCII dependency in strcpy_url and strlen_url
• ssh-libssh.c: fix left shift compiler warning
• configure: only check for CA bundle for file-using SSL backends
• travis: add an mbedtls build
• http: don’t set the "rewind" flag when not uploading anything
• configure: put CURLDEBUG and DEBUGBUILD in lib/curl_config.h
• transfer: don’t unset writesockfd on setup of multiplexed conns
• vtls: use unified "supports" bitfield member in backends
• URLs: fix one more http url
• travis: add a build using WolfSSL
• openssl: change FILE ops to BIO ops
• travis: add build using NSS
• smb: reject negative file sizes
• cookies: accept parameter names as cookie name
• http2: getsock fix for uploads
• all over: fixed format specifiers
• http2: use the correct function pointer typedef