It’s not an “outdated version”. It is what was the current version before this bug was found. I checked both my Linux boxes, and both were running a vulnerable version.
My Raspberry Pi computer runs a somewhat obscure distro (Raspbian) that doesn’t even have an updated openssl package that does not have the issue. So I’ve had to take that machine off the internet for now (it was hosting my remotely accessible cat treat feeder, which has an HTTPS web site).
And even if the site owner updates openssl, there is no guarantee that the private key for his web site certificate wasn’t stolen in the interval before the software was updated. If an attacker was able to steal the private key, he could potentially impersonate the site and steal users’ passwords and other info.
This is a huge big deal that we will be sorting out for some time.
Oh don’t get me wrong, this is a significant exploit, but I was responding to the assertion that virtually all net traffic would become readable.
OpenSSL is used by Linux folks like us (I’ve already updated my Slackware boxes) and a fraction of webservers - as you said, often but not exclusively Linux-based webservers (and automated cat treat machines, sadly). That’s a far cry from all net traffic, though it still remains a significant exploit - especially for the cats.
This will result in a number of costly problems, but most M$ and Mac users out there aren’t going to be seeing it manifest personally, and are just going to be experiencing their web-services updating their software and shuffling around user-logins - most of what they’re going to have to be doing will likely be related to user-prompts and password changes popping up once sites start trying to sort out the mess of potentially compromised private master keys, potentially compromised session cookies, and spoofed site certifications.
On the admin side this is one hell of a hairball to sort out.