A patch is on the way to eventually make this unnecessary but there's absolutely no ETA for it. Are we talking days, weeks, (gasp) months? They do deserve credit for responding to the comments but it would be good to have a better ETA.
It seems to say that you shouldn't tell people which flavor of 5xx he got, since that's useful info to an attacker.
As I mentioned in another thread, this doesn't seem like it would affect any real sites, so it's not a case of waiting for (gasp) months for a patch while your server is in real jeopardy.
Security warnings like this come through for ASP.NET a couple times a year, but nearly all of them are of the "don't do the stuff you already shouldn't be doing, or bad things might happen" variety.
In order for this to happen to your site, you would have to have CustomErrors turned off, or otherwise have your site set up to display stack traces to the general public. That's a quick recipe to get your site hacked regardless of technology, so the fact that it leaves you a little more open to a specific type of crypto attack is neither here nor there.
So basically, if you're following best practices (not just for ASP.NET, but web dev in general) and not displaying stack traces to your users, you're not in danger of this happening to you.
They seem intentionally vague about how someone can use this to get asp.net to dump the web.config however.
So this is kind of a big deal.
