Oh God. That's a pretty remarkable claim considering that no one at Canonical had anything to do with the discovery or the patching of the bug. Let's have a quick look at the actual sequence of events:
1. Shellshock was discovered by Stéphane Chazelas, who reported it to bash maintainer Chet Ramey and a few others, and assigned CVE identifier CVE-2014-6271.
2. "CVE-2014-6271: remote code execution through bash" by Florian Weimer of Red Hat (2014-09-24) was one of the first public disclosures of the problem.
3. Florian Weimer (Debian contributor and Red Hat employee) posts a patch for bash that counters the attack.
4. Red Hat, CentOS, Fedora, Oracle Linux, Debian, and Ubuntu adopt Weimer’s patch. Apple’s later OS X bash update 1.0 includes it as well.
5. Chet Ramey posts bash43-027 at 2014-09-27 22:50:07, accepting Weimer's patch into the upstream mainline.
Remember, it's always good to cite your sources (if you have any).
And now, it's been fun but good night!