fix examples/network/clone.c: heap-buffer-overflow

security updates for v0.25

None of our crypto backends actually reject RC4 as a cipher so don't
test for it and instead keep it as something we'd like to do.

We must make sure that we're getting a certificate error from the
library so we know that we're testing the right thing.

Format of a length of string to the correct format is:%.*s

The Git protocol does not specify what should happen in the case
of an empty packet line (that is a packet line "0004"). We
currently indicate success, but do not return a packet in the
case where we hit an empty line. The smart protocol was not
prepared to handle such packets in all cases, though, resulting
in a `NULL` pointer dereference.

Fix the issue by returning an error instead. As such kind of
packets is not even specified by upstream, this is the right
thing to do.

Each packet line in the Git protocol is prefixed by a four-byte
length of how much data will follow, which we parse in
`git_pkt_parse_line`. The transmitted length can either be equal
to zero in case of a flush packet or has to be at least of length
four, as it also includes the encoded length itself. Not
checking this may result in a buffer overflow as we directly pass
the length to functions which accept a `size_t` length as
parameter.

Fix the issue by verifying that non-flush packets have at least a
length of `PKT_LEN_SIZE`.

Make sure that the callbacks do also get a 'valid' value of zero when
the certificate we're looking at is in valid and assert that within the
test.

Mention field addition in breaking API changes

Allow Windows with WinHTTP to use external http-parser

Fix issue #4046 Seg fault in config_files()

Fix BIO_* functions method linking when compiled with libressl (OpenBSD).

rebase: check the result code of rebase_init_merge

mempack: set the odb backend version

ref:
https://github.com/gentoo/libressl/blob/672ac74ce7b7cb2e4799b2d66bc0b1b1efa3454e/media-video/ffmpeg/files/ffmpeg-3.2-libressl.patch

Documentation fixes

http: bump the pretend git version in the User-Agent

We want to keep the git UA in order for services to recognise that we're
a Git client and not a browser. But in order to stop dumb HTTP some
services have blocked UAs that claim to be pre-1.6.6 git.

Thread these needles by using the "git/2.0" prefix which is still close
enough to git's yet distinct enough that you can tell it's us.

sysdir: don't re-guess when using variable substitution

Don't hard-code HTTPS cap & clarify the meanings of the features enum

README: be more explicit in the goals and scope

Gift deprecated in favor of SwiftGit2

refdb: bubble up recursive rm when locking a ref

pack: dereference cached pack entry on error

Fix off-by-one problems in git_signature__parse

Make it clearer from the get-go that we do not aim to implement
user-facing commands from the git tool.

We should replace it with whatever the user set, not start again.

When given $PATH as part of a search path, we guess again instead of
substituting what the user already set.