As you probably know already, both CERT and Wietse are not exactly
willing to give out information about security holes.  Without taking
the time to study how Wietse's code has changed over time, I can't say
definitively what the problem or the fix was.

However, the S/Key implementation in NetBSD is derived from the
Bellcore distribution, which is claimed to not have this hole.  To the
best of my knowledge at this time, we are not vulnerable to this
attack.