The Debian OpenSSH OpenSSL debacle
I haven't written about this issue yet, but felt I should say something, as it took most of my last week to resolve. I've read a lot about people dealing with this problem, and yet very few seem to truly understand the implications. The bottom line, as far as I'm concerned, is that all Debian and Ubuntu systems built with the vulnerable package should be considered compromised. And that means a lot more work is needed to secure the systems than just regenerating SSH keys and SSL certificates.

Now, I realize that rebuilding all machines might be too much work for many sysadmins. My plan is to rebuild all my host machines and simply consider my virtualized guests to be compromised. Whether that is a wise idea remains to be seen. At a minimum, people should not only update all of their keys and certificates but also reset all passwords on the system. At that point one can just hope that no one compromised their machines during the extended period of vulnerability.



