openssh

The SSH/SSL vulnerability: what you should know

I wasn't going to post about this, but it seems that, for my own sanity, I must. As you might know by now, a Debian Security Advisory came out, talking about a problem that affected the OpenSSL package, not only for Debian but for its derivatives too, like Ubuntu.

My first two remarks, and probably the most important ones for my thoughts about this issue:

  • If what you know about this issue is what you read on Slashdot, YOU'RE WRONG. Even the news itself is wrong, and the comments are clueless, written by people who don't know shit about what they are talking about. Worse than useless, that story on /. is disinformative.

Openssl bug specific to Debian.

Following the security problem in openssl/openssh specific to Debian (apparently a lack of randomness in key generation for the whole OpenSSL library), it is time to renew your SSL certificates and SSH keys (a bit of cleaning). Why not make it the occasion to test a new certificate capable of answering to different names (with only one certificate and IP), as explained here?

Openssh and the transmission of the locale setting

I currently have to maintain an out-of-tree patch for openssh (in Debian, and probably elsewhere).

The rationale for this patch is the two merged bugs (#313317 and #408029) in Debian:
the environment variables sent by the AcceptEnv/SendEnv functionality
should take precedence over PAM variable settings, especially for
locale and terminal related settings (or commands that are
locale-sensitive or terminal-sensitive might give incomprehensible
gibberish as output to the user). TERM is already managed in a special
way, but not LANG or LC_* variables.
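The AcceptEnv/SendEnv mechanism the post refers to, as an added example that is not code from the post or from OpenSSH: a variable reaches the remote session only if the client's ssh_config lists it under SendEnv and the server's sshd_config lists it under AcceptEnv, and both directives take whitespace-separated names with `*` and `?` wildcards. The functions below reproduce that matching over constructed config text (the sample configs are made up for the example), so you can see which variables a given pair of configs would forward before trusting PAM to fill in the locale.

```shell
#!/bin/sh
# Added example, not code from the post or from OpenSSH: decide whether a
# variable name is covered by an AcceptEnv (sshd_config) or SendEnv
# (ssh_config) line.  Both directives take whitespace-separated names that
# may use the wildcards '*' and '?', so "AcceptEnv LANG LC_*" covers LANG
# and every LC_ variable but not, say, PATH.  The sample configs are
# constructed here and are not from any real system.

# patterns_for DIRECTIVE -- read a config on stdin and print every pattern
# listed under DIRECTIVE; keywords are case-insensitive and lines starting
# with '#' are comments, as in sshd_config(5) and ssh_config(5).
patterns_for() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == want { for (i = 2; i <= NF; i++) print $i }'
}

# var_matches VAR PATTERN... -- exit 0 if VAR matches any glob PATTERN.
var_matches() {
    var=$1; shift
    for pat in "$@"; do
        case "$var" in
            $pat) return 0 ;;   # unquoted so '*' and '?' act as wildcards
        esac
    done
    return 1
}

# env_covered CONFIG DIRECTIVE VAR -- exit 0 if VAR is covered by DIRECTIVE
# in the config text CONFIG (AcceptEnv for the server, SendEnv for the
# client).
env_covered() {
    pats=$(printf '%s\n' "$1" | patterns_for "$2")
    set -f                      # keep LC_* from globbing against filenames
    # shellcheck disable=SC2086  (word-splitting the pattern list is intended)
    var_matches "$3" $pats
    rc=$?
    set +f
    return $rc
}

# Constructed sample configs.
SSHD_DEBIAN='# Debian default: let the client pick its locale
AcceptEnv LANG LC_*
UsePAM yes'

SSHD_STRICT='# accepts nothing from the client
#AcceptEnv LANG LC_*
UsePAM yes'

SSH_CLIENT='Host *
    SendEnv LANG LC_*'

# session_env SSHD_CFG SSH_CFG VAR... -- report, for each VAR, whether the
# client would send it and the server would accept it; only variables
# covered on both sides reach the session.
session_env() {
    sshd_cfg=$1; ssh_cfg=$2; shift 2
    for v in "$@"; do
        if env_covered "$ssh_cfg" SendEnv "$v" && env_covered "$sshd_cfg" AcceptEnv "$v"; then
            echo "$v: forwarded"
        else
            echo "$v: dropped"
        fi
    done
}

session_env "$SSHD_DEBIAN" "$SSH_CLIENT" LANG LC_ALL LC_MESSAGES PATH LD_PRELOAD
```

Keep the AcceptEnv list as narrow as `LANG LC_*`: sshd_config(5) warns that accepting arbitrary client variables can let a user bypass a restricted environment, and a pattern like `*` would forward things such as LD_PRELOAD or PATH along with the locale.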