Yeah, this is very scary, and the fact that it was there for 2 years even more so. It really makes you wonder if it was planted there by a dev who is actually an NSA infiltrator. I still think open source is better than proprietary stuff, but this is one "flaw" of open source, as almost anyone can make it onto the dev team if they can prove themselves. Then again, I imagine the same could happen with proprietary software even if the company has good intentions, but typically what happens with proprietary software is that they are just bribed.
Interestingly, my servers are so out of date that I'm not affected. Though my home VPN server is affected, running OpenSSL 1.0.1e-fips, which falls within the affected range. I turned it off till they add the patch to the repository. I really don't want to try to do it from source when it was previously installed with yum. Just going to make a mess.
The issue with using distros that use yum/apt-get is you are sorta limited to whatever versions they put in the repos; typically these versions are very behind the times.
From what I'm understanding, once you fix the issue you should completely wipe all keys, CAs, etc., basically all cert files, and regenerate them all from scratch. VERY VERY important for VPN especially, as with the proper compromised info one could just walk right into your internal network.
I also wonder how banks and other high importance SSL sites are handling this right now.
I think it's probably a good idea for everyone to change all their passwords. Wait like a month, and change them again (in case they did not fix it and the new password ends up compromised).
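An added example, not part of the post above: a small Python check for whether an `openssl version` string such as the poster's 1.0.1e-fips falls inside the affected release range. The post never names the bug, so the range is assumed here to be the Heartbleed one (OpenSSL 1.0.1 through 1.0.1f, fixed in 1.0.1g), and the check carries the caveat that a distro backport leaves the version string unchanged.

```python
import re

# Assumption (the post does not state it): the bug is the 2014 OpenSSL
# heartbeat read overrun, present from 1.0.1 up to and including 1.0.1f.
# OpenSSL versions have the shape "major.minor.fix[letter][-suffix]",
# e.g. "1.0.1e-fips"; tuples compare element by element, and the empty
# letter (plain "1.0.1") sorts before "a".
AFFECTED_FIRST = (1, 0, 1, "")
AFFECTED_LAST = (1, 0, 1, "f")

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-\S+)?$")


def parse_openssl_version(version: str) -> tuple:
    """Turn 'OpenSSL 1.0.1e-fips 11 Feb 2013' or '1.0.1e-fips' into (1, 0, 1, 'e').

    Accepts either the full `openssl version` output line or a bare version
    token; the "-fips" style suffix is ignored for range purposes.
    """
    tokens = version.split()
    if tokens and tokens[0] == "OpenSSL":
        tokens = tokens[1:]
    if not tokens:
        raise ValueError(f"no version in {version!r}")
    match = _VERSION_RE.match(tokens[0])
    if not match:
        raise ValueError(f"unrecognised OpenSSL version {tokens[0]!r}")
    major, minor, fix, letter = match.groups()
    return (int(major), int(minor), int(fix), letter)


def is_affected(version: str) -> bool:
    """True if the version string lies inside the affected release range.

    Caveat: distributions often backport the fix without bumping the version,
    so a 1.0.1e that reports True here may already be patched. Treat True as
    "check the package changelog (e.g. `rpm -q --changelog openssl`) before
    deciding whether keys and certificates need regenerating".
    """
    return AFFECTED_FIRST <= parse_openssl_version(version) <= AFFECTED_LAST


if __name__ == "__main__":
    # Constructed sample: the poster's VPN server version string.
    sample = "OpenSSL 1.0.1e-fips 11 Feb 2013"
    print(sample, "->", "affected" if is_affected(sample) else "not affected")
```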