Yup, this is a serious black eye for the Debian team, which (until now) had a pretty good track record on security issues.
We found and replaced a couple of "bad" keys on a Debian server we recently set up where I work. Fortunately, none of the affected services were exposed outside our workgroup before the flaw was discovered, so we should be in the clear.
The years just pass like trains. I wave, but they don't slow down.
-- Steven Wilson