I found this interesting down at the bottom of the lead page
For web servers - Attackers (if in the middle) can inject data into a segment that is authenticated to the web server, the web server will merge those requests and process them. (GET requests are trivially exploitable, POST are not known to be)
POST ... seems to me most open and closed source Carts use POST. I however do not do a lot of online shopping/bill paying.
There has been one successful attack against this bug that I know of, but it required a few XSS holes on the server webapp side. Twitter was the one that was attacked and we all know they are full of XSS. The worst thing about the one successful attack is the person was able to get back unencrypted data that was sent. They had it print out onto their Twitter page through the XSS.
I personally wish they would have tried against someone like Amazon, if they could do it there, then I'd be much more concerned. Amazon/Twitter = Apples/Lemons
As such, there is a patch for Apache that is a partial fix. Depending on your configuration, with this patch and openssl <= 0.9.8k you would still be vulnerable. It will be included in 2.2.15. There seems to be no rush to get 2.2.15 out the door now that OpenSSL 0.9.8L has been released.