The PRF used in TLSv1 and all earlier SSL versions does use an xor of MD5 and SHA1. Collisions against both hash algorithms are possible. MD5 collisions are much easier to generate. From wikipedia 2^24 MD5 vs 2^63 SHA1 operations. In TLSv2 the PRF rather than being hardcoded can now be negotiated in much the same way as underlying ciphers in earlier versions of SSL. The initial must implement for TLSv2 is unmixed SHA2.

However just because a hash is vulnerable to collisions does not necessarily render it insecure for all applications.

For example it is quite dangerous to use vulnerable hashes alone to verify the signature of a file because it is very feasable to alter the data in a way that maintains the original signature. (By finding a collision)

In the case of the PRF (Pseudo random function) what you want to do is provide predictable output based on the knowledge of a secret that cannot be feasibly reverse engineered to obtain the input secret. In this case successful search for collisions is not as useful as in the previous case.

Finding collisions should still be concerning to any use of a hash algorithm as history has shown it can open doors to FUTURE discovery of much more significant vulnerabilities.

Personally what is most alarming about TLS to me is the previous case where MD5/SHA1 is commonly used for signature verification when checking the trust chain between root and intermediary certificates. Forging of intermediaries by generating collisions has been successfully demonstrated.