Is SafeGuard Enterprise affected by the recently identified OpenSSL leak in versions 1.0.1 to 1.0.1f (cve-2014-160)? Designated cve-2014-160: https://www.openssl.org/news/secadv_20140407.txt
Applies to the following Sophos product(s) and version(s)
SafeGuard Management Center
SafeGuard Enterprise Server
While SafeGuard Enterprise uses some modules of OpenSSL, the affected functionality is not used at all in the SafeGuard Enterprise Server, SafeGuard Enterprise Management Console, or the SafeGuard Enterprise Client for Windows. All these use the Windows TLS implementation and are therefore unaffected.
On SafeGuard for Mac Clients the affected code is used by one helper process that is responsible for communication with the SafeGuard Enterprise Server. However, this process runs with restricted privileges and only transfers files it does not understand between the SafeGuard Enterprise Server and the SafeGuard for Mac Client. Any key material in such files is encrypted with keys that are unrelated to the SSL connection. The affected process therefore has no useful information that an attacker could extract.
Nevertheless, in the next SafeGuard Enterprise release all OpenSSL instances will routinely be updated to the latest version.