Rebase to 8.3.7

So fix low CVEs

• CVE-2024-2756 _Host-/_Secure- cookie bypass due to partial CVE-2022-31629 fix
• CVE-2024-3096 password_verify can erroneously return true,
  opening ATO risk
• CVE-2024-2757 mb_encode_mimeheader runs endlessly for some inputs

And add backport for ARGON2 support from OpenSSL 3.2 (from 8.4)