Security issues of compiling against older JDKs


Question


Are there any known security issues with compiling against an older JDK? For instance, let's say Oracle decides to change something in one of their implementations that was to close a security vulnerability. If we compile against the older JDK, would we still be vulnerable?

Edit

We are running against JDK 6 and we compile against Java 5, which is the crux of the issue I was attempting to get at for anyone else who sees this question. For the sake of completeness, let's say that in the Ant build we target 1.5.

Edit 2

Additionally there is the issue of calls in the application that potentially have private APIs/implementations that are not directly accessed.

Recommended answer

Aside from some very hypothetical niche situation that hasn't ever happened yet, the only thing that matters is the version with which the application is executed.

I don't think there are any known security issues that have been "fixed" with @deprecated, because that wouldn't really be appropriate.

There are two issues at play here: 1) You can have your Java compiler produce binaries that are binary compatible with older versions. That affects the language features available to you.

2) You can compile against the Java system libraries of an older version, and that will affect what methods/classes are available, as they are always adding new ones.

But neither of these affects the security of your application. What matters is the runtime version with which the application is executed.

Observe that security problems are fixed between updates, not the major versions, which introduce changes in the language itself. For example, Java 6 is currently at update 21. Java 6 update 19 fixed stuff that was vulnerable in Java 6 update 18.

When Java 6 update 19 was released, updates were released for Java 1.5 and Java 1.4, to fix the same issues in Java 1.5 (update 24) and Java 1.4 (update 26). See the security baseline table here: http://www.oracle.com/technetwork/java/javase/6u19-141078.html
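
Since the answer locates the patch level in the runtime rather than in the build, a check for it belongs at application startup. The following is an added example, not part of the original answer: it compares a legacy `java.version` string with the update numbers the answer cites. The class name `RuntimeBaselineCheck` and the sample version strings are constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class RuntimeBaselineCheck {
    // Minimum update per family, as cited in the answer above:
    // Java 6 update 19, Java 1.5 update 24, Java 1.4 update 26.
    static final Map<String, Integer> BASELINE = new LinkedHashMap<String, Integer>();
    static {
        BASELINE.put("1.6", 19);
        BASELINE.put("1.5", 24);
        BASELINE.put("1.4", 26);
    }

    // Legacy version strings look like "1.6.0_18" or "1.5.0_22-b03".
    static final Pattern LEGACY = Pattern.compile("^(1\\.\\d+)\\.\\d+(?:_(\\d+))?.*$");

    /** True when the runtime version is at or above the baseline for its family. */
    static boolean meetsBaseline(String javaVersion) {
        Matcher m = LEGACY.matcher(javaVersion);
        if (!m.matches()) {
            throw new IllegalArgumentException("not a legacy 1.x version string: " + javaVersion);
        }
        Integer required = BASELINE.get(m.group(1));
        if (required == null) {
            throw new IllegalArgumentException("no baseline listed for family " + m.group(1));
        }
        // A string with no "_NN" suffix is the initial release, i.e. update 0.
        int update = (m.group(2) == null) ? 0 : Integer.parseInt(m.group(2));
        return update >= required;
    }

    public static void main(String[] args) {
        // Constructed samples; the last entry is the JVM actually executing this class.
        // The -source/-target the class was compiled with is never consulted.
        String[] samples = { "1.6.0_18", "1.6.0_19", "1.5.0_22", "1.4.2_26",
                             System.getProperty("java.version") };
        for (String v : samples) {
            try {
                System.out.println(v + " -> " + (meetsBaseline(v) ? "at or above baseline" : "BELOW baseline"));
            } catch (IllegalArgumentException e) {
                System.out.println(v + " -> " + e.getMessage());
            }
        }
    }
}
```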
