[T]he initial fix for the issue still left Bash vulnerable to attack
Please excuse me if I'm being a noob but, as recommended by this link, I tried the following commands on an up-to-date Debian Wheezy install:
env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
env X="() { :;} ; echo busted" `which bash` -c "echo completed"
...and the results were:
me@myserver:~$ env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
/bin/sh: warning: X: ignoring function definition attempt
/bin/sh: error importing function definition for `X'
completed
me@myserver:~$ env X="() { :;} ; echo busted" `which bash` -c "echo completed"
/bin/bash: warning: X: ignoring function definition attempt
/bin/bash: error importing function definition for `X'
completed
So isn't the solution just an 'apt-get upgrade' away?
And FWIW:
me@myserver:~$ echo $0
-bash
me@myserver:~$ bash --version
GNU bash, version 4.2.37(1)-release (i486-pc-linux-gnu)
...
FYI, I accidentally posted this AC at first so am re-posting, hope nobody minds...
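
The check run in the comment above, wrapped as a small classifier. This is an added example, not part of the original post, and the function names and verdict labels are made up here. It covers only the function-import behaviour that one-liner exercises, so a clean verdict does not speak to the later fixes the quoted article line refers to.

```shell
#!/bin/sh
# Added example. Function names and verdict labels are hypothetical.

# classify_output TEXT: map captured stdout+stderr of the check to a verdict.
classify_output() {
    captured=$1
    if printf '%s\n' "$captured" | grep -qx 'busted'; then
        # The command placed after the function body ran during import.
        echo "vulnerable"
    elif printf '%s\n' "$captured" | grep -q 'ignoring function definition attempt'; then
        # The shell parsed the value as a function, saw trailing text and
        # refused it (the result shown in the comment above).
        echo "import-rejected"
    elif printf '%s\n' "$captured" | grep -qx 'completed'; then
        # X was treated as an ordinary variable; nothing was imported or run.
        echo "not-imported"
    else
        echo "inconclusive"
    fi
}

# check_shell PATH: run the one-liner from the comment against PATH.
check_shell() {
    target=$1
    if [ ! -x "$target" ]; then
        echo "inconclusive"
        return 0
    fi
    # A non-zero exit from the target must not abort the classification.
    result=$(env X='() { :;} ; echo busted' "$target" -c 'echo completed' 2>&1) || true
    classify_output "$result"
}

# Report on the shells the comment tested: /bin/sh and bash (if installed).
for candidate in /bin/sh "$(command -v bash 2>/dev/null)"; do
    if [ -n "$candidate" ]; then
        printf '%s: %s\n' "$candidate" "$(check_shell "$candidate")"
    fi
done
```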