In 3.6 and 4.0, a User object may be leaked in AuthorizationManager::acquireUserForSessionRefresh if an error condition block is taken.
The User object's ref count must be decremented in this error block.
The affected code is only in 3.6 and 4.0. It was rewritten in 4.2.