Overlord Zurg

Reputation: 3794

Applet built using JDK 7u7, runs on JRE 7u72 installed - at risk for security issues in between?

Our Java Applet is built using JDK 7u7.

We have a client who is worried that this exposes them to security flaws that were patched between 7u7 and the current Java 7 release (7u72). (They're not worried about any specific known issues, just "concerned".)

I believe the answer is that because the package is dependent on calls to the JRE libraries, it will call the (fixed) 7u72 libraries, and therefore the fact that it was developed against 7u7 will not be an issue.

Is this correct? A link to authoritative statements on this point would be much appreciated.

Upvotes: 3

Views: 127

Answers (1)

eis

Reputation: 53462

It is correct. The output of compilation is defined in the Java VM specification in class file format, which has not changed between Java update releases; it doesn't matter if it's compiled in 7u7 or 7u72.*

You can see all the Java virtual machine specifications since Java 5 on this page. There are no other changes to the specification, so it has only changed between major releases.

*On further thought, this assumption is true only if there haven't ever been security-related bytecode generation bugs in JDKs. I've never heard of one, and certainly between versions 7u7 and 7u72 there aren't any. I guess it is possible in theory, but at least for the cases you specified there aren't such security issues.

Upvotes: 2
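To check this on a real artifact, the sketch below (an added example, not part of the answer above) reads the class file header of every class in a jar and prints the version of the JRE it is running on. The header records only a major and minor class file version, with no JDK update level, while `java.version` shows which runtime libraries are actually in use. The class name `ClassVersionCheck` and the optional jar path argument are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class ClassVersionCheck {   // hypothetical name, not from the original page
    /** Reads the class file header: u4 magic, u2 minor_version, u2 major_version. */
    static int[] readVersion(InputStream in) throws IOException {
        DataInputStream data = new DataInputStream(in);
        if (data.readInt() != 0xCAFEBABE) {
            throw new IOException("not a class file (bad magic)");
        }
        int minor = data.readUnsignedShort();
        int major = data.readUnsignedShort();
        return new int[] { major, minor };
    }

    /** Major 45 is JDK 1.1; each later major release adds one (51 = Java 7). */
    static String describe(int major) {
        return major >= 49 ? "Java " + (major - 44) : "Java 1." + (major - 44);
    }

    public static void main(String[] args) throws IOException {
        // The libraries that execute are those of the installed JRE, not the build JDK.
        System.out.println("Running on JRE " + System.getProperty("java.version"));
        if (args.length == 0) {
            // Constructed sample: the 8 header bytes of a class file with version 51.0
            byte[] sample = { (byte) 0xCA, (byte) 0xFE, (byte) 0xBA, (byte) 0xBE, 0, 0, 0, 51 };
            int[] v = readVersion(new ByteArrayInputStream(sample));
            System.out.println("sample: " + v[0] + "." + v[1] + " -> " + describe(v[0]));
            return;
        }
        try (JarFile jar = new JarFile(args[0])) {
            for (Enumeration<JarEntry> e = jar.entries(); e.hasMoreElements();) {
                JarEntry entry = e.nextElement();
                if (!entry.getName().endsWith(".class")) {
                    continue;   // skip manifests, resources, directories
                }
                try (InputStream in = jar.getInputStream(entry)) {
                    int[] v = readVersion(in);
                    System.out.println(entry.getName() + ": " + v[0] + "." + v[1]
                            + " -> " + describe(v[0]));
                }
            }
        }
    }
}
```

Run it with the applet jar as the only argument; with no argument it parses the constructed sample header instead.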
