An applet built using JDK 7u7 runs on an installed JRE 7u72 - at risk of security issues in between?

Our Java applet is built using JDK 7u7.

We have a client who is concerned that this provides them with security flaws that were fixed between 7u7 and the current Java 7 release (7u72). (They are not worried about any specific known issues, just "worried".)

I believe the answer is that since the package depends on calls in the JRE libraries, it will call the (patched) 7u72 libraries, and therefore the fact that it was developed against 7u7 won't be a problem.

Is that right? A link to authoritative statements on the subject would be much appreciated.

+3




1 answer


That is right. The compilation result is defined in the Java VM spec as a class file format that hasn't changed between Java update versions; it doesn't matter if it's compiled with 7u7 or 7u72. *

You can see all the Java virtual machine specifications since Java 5 on this page. There are no other changes to the spec, so it only changed between major releases.



* On further thought, this assumption is only true if the JDK did not have security-related bytecode generation bugs. I've never heard of one, and certainly not between the 7u7 and 7u72 versions. I think this is possible in theory, but at least for the cases you mentioned, there are no such security issues.

+2
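A way to check the point made in the answer above on a delivered applet JAR, as an added example that is not part of the original question or answer: it reads the class file version from each `.class` header and the `Created-By` manifest line, showing that a Java 7 build carries major version 51 whichever update compiled it. The function names, the sample entry `com/example/DemoApplet.class` and the constructed JARs are hypothetical, and it assumes the JAR was packed by the JDK `jar` tool, which records its own version in `Created-By` (other build tools write different values).

```python
import io
import struct
import zipfile

# Class file major version -> Java platform release (JVM spec, ClassFile structure).
MAJOR_TO_RELEASE = {49: "5", 50: "6", 51: "7", 52: "8"}

def class_version(data):
    """Return (major, minor) from a class file header, or None if it is not one."""
    if len(data) < 8:
        return None
    magic, minor, major = struct.unpack(">IHH", data[:8])
    return (major, minor) if magic == 0xCAFEBABE else None

def audit_jar(jar_bytes):
    """Return ({(major, minor): [class names]}, Created-By value or None)."""
    versions, created_by = {}, None
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith(".class"):
                ver = class_version(jar.read(name))
                if ver is not None:  # entries without the magic number are skipped
                    versions.setdefault(ver, []).append(name)
            elif name.upper() == "META-INF/MANIFEST.MF":
                text = jar.read(name).decode("utf-8", "replace")
                for line in text.splitlines():
                    if line.lower().startswith("created-by:"):
                        created_by = line.split(":", 1)[1].strip()
    return versions, created_by

def make_sample_jar(created_by, major=51, minor=0):
    """Constructed sample: a JAR holding one header-only stand-in for a class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\r\nCreated-By: %s\r\n\r\n" % created_by)
        jar.writestr("com/example/DemoApplet.class",
                     struct.pack(">IHH", 0xCAFEBABE, minor, major) + b"\x00" * 16)
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed Created-By values in the format the JDK jar tool writes.
    for built in ("1.7.0_07 (Oracle Corporation)", "1.7.0_72 (Oracle Corporation)"):
        versions, created_by = audit_jar(make_sample_jar(built))
        for (major, minor), names in sorted(versions.items()):
            release = MAJOR_TO_RELEASE.get(major, "unknown")
            print("built by %s: class version %d.%d (Java %s), %d class(es)"
                  % (created_by, major, minor, release, len(names)))
```

The manifest line is the only place the build update shows up; the patched code that matters at run time is the JRE installed on the client.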