In the scenario where the server is authenticated but the client isn't
(initial anonymous pull with the server's public key distributed some
other way, for instance), the man in the middle cannot impersonate the
server, and cannot gain any information that he could not have gotten
by just doing an anonymous pull himself.

In the scenario where neither side is authenticated (so we've fallen
back to D-H exchange) a man in the middle attack succeeds -- but this
is no worse than an unencrypted connection. If what you're worried
about is eavesdropping rather than spoofing, you've still gained
security.
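
The two scenarios above as a toy simulation, added here as an illustration
and not part of the original text. The group, the textbook RSA signature and
all names (handshake, mitm_active, ...) are assumptions chosen so that it runs
with the standard library alone; a real protocol would sign the whole
exchange, not just the server's D-H value.

```python
import hashlib
import secrets

# Toy parameters (assumptions; far too weak for real use).
P = 2**127 - 1                      # D-H modulus (a Mersenne prime)
G = 3                               # D-H base
RSA_P, RSA_Q, E = 2**61 - 1, 2**89 - 1, 65537
N = RSA_P * RSA_Q                   # server's public modulus, known to the client
D = pow(E, -1, (RSA_P - 1) * (RSA_Q - 1))   # server's private exponent


def digest(value: int) -> int:
    raw = hashlib.sha256(str(value).encode()).digest()
    return int.from_bytes(raw, "big") % N


def sign(value: int) -> int:
    """Textbook RSA signature by the server over its D-H public value."""
    return pow(digest(value), D, N)


def verify(value: int, sig: int) -> bool:
    return pow(sig, E, N) == digest(value)


def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def handshake(server_authenticated: bool, mitm_active: bool) -> dict:
    c_priv, c_pub = dh_keypair()    # client
    s_priv, s_pub = dh_keypair()    # server
    m_priv, m_pub = dh_keypair()    # man in the middle
    sig = sign(s_pub) if server_authenticated else None

    # An active attacker swaps in his own D-H value; he cannot forge the
    # server's signature, so he can only pass the original one along.
    seen_pub = m_pub if mitm_active else s_pub
    if server_authenticated and not verify(seen_pub, sig):
        return {"client_accepts": False, "attacker_has_key": False}

    client_key = pow(seen_pub, c_priv, P)
    attacker_key = pow(c_pub, m_priv, P)    # all the attacker can compute
    return {"client_accepts": True,
            "attacker_has_key": attacker_key == client_key}
```

With the server authenticated, the substituted value fails verification and
the client aborts. With bare D-H the active attacker ends up sharing the
client's key, while one who only listens does not.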