From my reading of the vulnerability, it "might" allow a man in the middle to steal a sesskey even if the connection is protected via SSL.
It would require:
A) the man in the middle to see all traffic from the victim and the server (even if it is encrypted)
B) control over the victims browser to make it submit requests to arbitrary urls (e.g. convincing them to visit a phishing site, or inject code into any "non-ssl" response)
If this is a concern, you can mitigate it completely by disabling gz compression (mod_deflate). This may impact the performance of your site.