I have several computers that run Linux, and bash is the shell program that I prefer. All these computers were showing that they were vulnerable.
One of those, on which internet users don’t have access to anything that would let them try bash scripts, runs Ubuntu. The last update from Ubuntu included a fix for bash, and it now checks out clean.
A couple of other computers run the latest Slackware Linux distributions. They are showing as also being vulnerable, but I have a security update for bash that just came out, and I am assuming that will fix the problem there. Again, at this point in time, users out on the internet do not have access to these computers.
Another computer runs a very old version of Slackware — the bash on it has a timestamp back in 2000. It also is showing as being vulnerable. I don’t believe there are any updates available for it, and I guess maybe it is time to consider updating that old thing. But it just keeps on ticking away! I do have some users that can log into that computer, but I guess I have to trust my friends as being my friends, and not trying to screw things up for me too much. I had considered swapping in one of the other shell programs for bash — but they all lack features that bash has.
So, I guess I’m sort of worried, but depend upon the bad guys not being able to get to the computers that are vulnerable.
It’s important to note that this vulnerability requires being able to set a shell variable, so we’re really only talking about webservers running traditional CGI applications, which isn’t very common. Most servers use mod_perl, mod_php, etc. instead of CGI, and if you’re just running a Linux desktop computer, it shouldn’t affect you at all.