Bash Shellshocked Bug Of Doom
The intertubes are currently ablaze with the news of the Bash Shellshocked bug, with the usual glut of misinformed commentary through to apocalyptic doom-mongering. What I haven't seen mentioned is that there's a relatively straightforward workaround that I think you could use if you can't get hold of a patched version of bash and you have to expose bash scripts to the outside world - which of course you shouldn't be doing anyway, right? ;-) It's to make sure that any such scripts use the -p flag to bash when they are invoked:
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
$ env x='() { :;}; echo vulnerable' bash -cp "echo this is a test"
this is a test
As the bash manpage says:
-p Turn on privileged mode. In this mode, the
$ENV and $BASH_ENV files are not processed,
shell functions are not inherited from the
environment, and the SHELLOPTS, BASHOPTS,
CDPATH, and GLOBIGNORE variables, if they
appear in the environment, are ignored. If the
shell is started with the effective user
(group) id not equal to the real user (group)
id, and the -p option is not supplied, these
actions are taken and the effective user id is
set to the real user id. If the -p option is
supplied at startup, the effective user id is
not reset. Turning this option off causes the
effective user and group ids to be set to the
real user and group ids.
So simply add -p to the #!/bin/bash line at the start of your scripts, i.e. #!/bin/bash -p. This isn't entirely devoid of side-effects, as the manpage segment says, and there may be clever ways of hacking around even this protection but I'm surprised I haven't seen it mentioned anywhere as a potential workaround.
