On second glance, it looks like NetBSD is only vulnerable if you aren't using hardware SHA-256, so still unlikely to affect anything but legacy. (Also, seriously NetBSD, CVS? It's 2019, even grandma uses a DVCS now)
Do you think it's possible to force software AES? That would be a cool attack. Probably wouldn't affect compiled code, but still..
I know active NetBSD developers who have no computers newer than about 2007, and have a core duo machine as their "build server".
Software AES is the only option for tons of folks who run NetBSD. Many of these folks run hardware on which their only real option is NetBSD - for them, and me, these platforms aren't legacy. They're just our computers.