Its nothing like as serious as heartbleed (or the Apple "goto" bug or the GNUTLS one) as it requires a MITM attack between a vulnerable client AND a vulnerable server. The only widely used browser that is vulnerable seems to be Chrome on Android (and presumably some other Android browsers as well).
Funny how so many SSL vulnerabilities seem to be surfacing at once. It looks as though no one bothered properly auditing it until the "goto" bug woke people up, and once they started looking it all started appearing.
It does make me suspicious about the remaining major SSL libraries: NSS, the Windows one, and the Java one. Are they better designed, or STILL not properly audited, or even deliberately keeping a vulnerability in for the NSA.