It was found that the fix for CVE-2015-3148 was not correctly backported to curl in RHEL 6 because it did not reflect the fact that the HAVE_GSSAPI define had meanwhile been substituted by USE_HTTP_NEGOTIATE.
The original issue was described as:
It was discovered that libcurl could incorrectly reuse Negotiate authenticated HTTP connections for subsequent requests. If an application using libcurl established a Negotiate authenticated HTTP connection to a server and sent subsequent requests with different credentials, the connection could be re-used with the initial set of credentials instead of using the new ones.
This issue was introduced in RHEL 6.7 and affects RHEL 6 curl only.
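The following added example is a simplified model and not curl source code. It shows how a credential check guarded by a macro the build no longer defines is silently compiled out. The `struct conn` layout, the function names and the sample host and credentials are hypothetical, and the shape of the check is an assumption based on the description above.

```c
#include <stdio.h>
#include <string.h>
/* Assumption: the build defines only the newer macro, as the page describes. */
#define USE_HTTP_NEGOTIATE 1

struct conn {                       /* hypothetical cached connection */
    const char *host, *user, *passwd;
    int negotiate;                  /* authenticated with Negotiate */
};

static int same_creds(const struct conn *c, const char *u, const char *p)
{
    return strcmp(c->user, u) == 0 && strcmp(c->passwd, p) == 0;
}

/* Guard on the stale macro: the credential check is compiled out, so a
 * connection authenticated for one user is offered to another. */
int reusable_backport(const struct conn *c, const char *host,
                      const char *u, const char *p)
{
    if (strcmp(c->host, host) != 0) return 0;
#ifdef HAVE_GSSAPI
    if (c->negotiate && !same_creds(c, u, p)) return 0;
#else
    (void)u; (void)p;               /* check silently absent */
#endif
    return 1;
}

/* Guard on the macro the build actually defines: the check is compiled in. */
int reusable_fixed(const struct conn *c, const char *host,
                   const char *u, const char *p)
{
    if (strcmp(c->host, host) != 0) return 0;
#ifdef USE_HTTP_NEGOTIATE
    if (c->negotiate && !same_creds(c, u, p)) return 0;
#endif
    return 1;
}

int main(void)
{
    struct conn c = { "app.example.test", "alice", "pw-a", 1 }; /* constructed */
    printf("stale guard reuses for bob: %d\n",
           reusable_backport(&c, "app.example.test", "bob", "pw-b"));
    printf("fixed guard reuses for bob: %d\n",
           reusable_fixed(&c, "app.example.test", "bob", "pw-b"));
    return 0;
}
```

A backport review can catch this class of mistake by checking that every feature macro used in a patch's `#ifdef` guards is actually defined by the target tree's build configuration.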
Name: Paulo Andrade (Red Hat)
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2017:0847 https://rhn.redhat.com/errata/RHSA-2017-0847.html