It was found that cURL performed client credentials delegation during the client-to-server GSS security mechanisms negotiation. A remote, rogue server could use this flaw to impersonate the cURL client (victim) against the correct (originally intended) server, potentially leading to denial of cURL tool services for the victim client.
This issue affects the versions of the curl package as shipped with Red Hat Enterprise Linux 4, 5, and 6.
This issue affects the versions of the curl package as shipped with Fedora releases 13, 14, and 15.
Public now via: [1] http://curl.haxx.se/docs/adv_20110623.html
Created curl tracking bugs for this issue.
Affects: fedora-all [bug 715553]
This issue has been addressed in the following products:
  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6
Via RHSA-2011:0918 https://rhn.redhat.com/errata/RHSA-2011-0918.html