Do you have any minimal reproducer that triggers this flaw? I presume the was requesting Negotiate authentication.
Reading the patch, I'm wondering if it does what it was intended to do. Based on the previous comments and article L596, it seems the intention was to cancel even non-Negotiate authentication after 3 failures by moving the "Too many authentication tries" error to a common code path. However, the following precedes that check:
if ((http->digest_tries > 1 || !http->userpass) &&
strncmp(http->fields[HTTP_FIELD_WWW_AUTHENTICATE], "Negotiate", 9))
which leads to a password callback call for non-Negotiate authentications and a reset of the digest_tries counter. So instead of a "Too many tries" error, there's another password prompt. Depending on the callback function, this may keep resending the password to the server, which replies with "unauthorized", without being cancelled as expected (?). Or was there some additional loop that did not involve active request-unauthorized network communication?
The intent was to make sure that non-password authentication was not tried too many times. When password authentication is requested we'll keep retrying until the password callback returns NULL or the server returns a "forbidden" status.
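As an added illustration, not CUPS source and not written by either commenter, the following C model plays the retry loop described in the two comments above against a server that keeps answering 401. The structure field names, the limit of 3 behind "Too many authentication tries", the placement of the counter increment relative to that check, and the credential strings are all assumptions taken from the discussion. The model shows the three outcomes the thread talks about: Negotiate hits the common-path error after 3 tries, a password callback that returns NULL cancels the request, and a callback that keeps returning the same credential never reaches the error because the quoted condition resets the counter before it can exceed the limit.

```c
/*
 * Constructed model of the authentication retry loop discussed above.
 * NOT CUPS code: field names, the try limit and the order of the checks
 * are assumptions taken from the review comments.
 */
#include <stdio.h>
#include <string.h>

#define HTTP_STATUS_UNAUTHORIZED 401
#define HTTP_STATUS_FORBIDDEN    403
#define MAX_AUTH_TRIES           3   /* assumed limit behind "Too many authentication tries" */

typedef enum {
  AUTH_TOO_MANY_TRIES,   /* common-path error the patch was meant to reach */
  AUTH_CANCELLED,        /* password callback returned NULL */
  AUTH_FORBIDDEN,        /* server answered 403 */
  AUTH_STILL_LOOPING     /* round budget exhausted: the loop never terminated */
} auth_result_t;

typedef const char *(*password_cb_t)(int prompt_no, void *ctx);

typedef struct {
  int         digest_tries;     /* counter name taken from the quoted condition */
  const char *userpass;         /* NULL until the callback supplies credentials */
  const char *www_authenticate; /* value of the WWW-Authenticate header */
} http_sim_t;

/* Server model: 401 until round `forbid_after`, then 403 (0 = never 403). */
static int server_reply(int round, int forbid_after)
{
  return (forbid_after > 0 && round >= forbid_after) ? HTTP_STATUS_FORBIDDEN
                                                     : HTTP_STATUS_UNAUTHORIZED;
}

auth_result_t run_auth_loop(http_sim_t *http, password_cb_t cb, void *ctx,
                            int forbid_after, int max_rounds)
{
  int prompts = 0;

  for (int round = 1; round <= max_rounds; round++)
  {
    if (server_reply(round, forbid_after) == HTTP_STATUS_FORBIDDEN)
      return AUTH_FORBIDDEN;

    /* The condition quoted in the thread: non-Negotiate schemes go to the
     * password callback, and the callback path resets the counter. */
    if ((http->digest_tries > 1 || !http->userpass) &&
        strncmp(http->www_authenticate, "Negotiate", 9))
    {
      const char *pw = cb(++prompts, ctx);
      if (!pw)
        return AUTH_CANCELLED;
      http->userpass     = pw;
      http->digest_tries = 0;   /* reset described in the review comment */
    }

    http->digest_tries++;       /* assumed placement of the increment */

    /* The common-path check the patch moved here (assumed placement). */
    if (http->digest_tries > MAX_AUTH_TRIES)
      return AUTH_TOO_MANY_TRIES;
  }
  return AUTH_STILL_LOOPING;
}

/* Callback model: returns a constructed credential; *ctx is the number of
 * prompts after which it gives up (0 = keep resending the same credential). */
static const char *prompt_cb(int prompt_no, void *ctx)
{
  int limit = *(int *)ctx;
  if (limit > 0 && prompt_no > limit)
    return NULL;
  return "user:wrong-password";   /* constructed, deliberately rejected credential */
}

/* Convenience wrapper: scheme from WWW-Authenticate, callback give-up point,
 * round at which the server switches to 403, and a round budget. */
auth_result_t simulate(const char *scheme, int give_up_after,
                       int forbid_after, int max_rounds)
{
  http_sim_t http  = { 0, NULL, scheme };
  int        limit = give_up_after;
  return run_auth_loop(&http, prompt_cb, &limit, forbid_after, max_rounds);
}

int main(void)
{
  static const char *names[] = { "too many tries", "cancelled", "forbidden", "still looping" };
  printf("Negotiate, no callback answer:     %s\n", names[simulate("Negotiate", 0, 0, 10)]);
  printf("Basic, callback gives up after 2:  %s\n", names[simulate("Basic", 2, 0, 50)]);
  printf("Basic, server 403 on round 4:      %s\n", names[simulate("Basic", 0, 4, 50)]);
  printf("Basic, same password every time:   %s\n", names[simulate("Basic", 0, 0, 50)]);
  return 0;
}
```

The last scenario is the reviewer's concern: with the quoted condition evaluated before the common-path check, digest_tries oscillates between 1 and 2 for a non-Negotiate scheme and never exceeds the limit, so termination depends entirely on the callback returning NULL or the server answering 403, exactly the two conditions the reply describes.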