From the ‘Not all A records are alike’ files:
Mozilla released Firefox 36.0.1 on March 5, fixing a number of bugs, none of which are identified as having a direct security impact or an associated CVE.
That said, there is one flaw that was fixed that is ANYthing but usual. Bug 1093983 is titled, “DNS resolver should not use ‘ANY’ to get cached records for TTL”. The issue is that instead of using an ‘A’ record for IPv4 and an ‘AAAA’ record for IPv6, Firefox 36 was using ‘A’ and ‘ANY’. The bug report notes that:
In these days ANY query is not widely used because it multiplies response packet length which can be (ab)used for DoS, DNS amplification attack. Some resolvers might filter out all queries (include A/AAAA) from client which sent number of ANY queries.
So no, it’s not technically a security CVE, but it’s clearly a flaw that does have some security implications. In any event, it looks like Mozilla was first advised of the issue on November 11, 2014, long before Firefox 36.0 became generally available on February 24, 2015. Better late than never, right?
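For resolver operators who want to see which clients are sending ANY queries, here is an added example (not from the bug report or from Mozilla) that parses the question section of raw DNS queries and counts QTYPE 255 per client. The function names, the sample packets and the client addresses (documentation range 192.0.2.0/24) are constructed for illustration.

```python
import struct
from collections import Counter

QTYPE_ANY = 255  # for comparison: A is 1, AAAA is 28

def build_query(name, qtype, txid=0x1234):
    """Build a minimal DNS query packet (used only to construct sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def parse_question(packet):
    """Return (qname, qtype) for the first question of a DNS query."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    flags, qdcount = struct.unpack("!HH", packet[2:6])
    if flags & 0x8000 or qdcount < 1:
        raise ValueError("not a query carrying a question")
    labels, pos = [], 12
    while pos < len(packet) and packet[pos] != 0:
        length = packet[pos]
        # Lengths above 63 are compression pointers or invalid; not handled here.
        if length > 63 or pos + 1 + length > len(packet):
            raise ValueError("bad or truncated label")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    if pos + 5 > len(packet):  # zero terminator + QTYPE + QCLASS
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", packet[pos + 1:pos + 5])
    return ".".join(labels), qtype

def any_query_counts(observations):
    """Count ANY queries per client from (client_ip, raw_packet) pairs."""
    counts = Counter()
    for client, packet in observations:
        try:
            _name, qtype = parse_question(packet)
        except ValueError:
            continue  # skip malformed packets instead of aborting the scan
        if qtype == QTYPE_ANY:
            counts[client] += 1
    return counts

# Constructed sample: one client mixing A and ANY lookups, one sending AAAA only.
SAMPLE = [("192.0.2.10", build_query("example.com", t)) for t in (1, 255, 255)]
SAMPLE.append(("192.0.2.20", build_query("example.com", 28)))

if __name__ == "__main__":
    print(dict(any_query_counts(SAMPLE)))
```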
Sean Michael Kerner is a senior editor at InternetNews.com. Follow him on Twitter @TechJournalist