Just in case you don't see it elsewhere
http://www.csoonline.com/article/2687265/application-security/remote-exploit-in-bash-cve-2014-6271.html
Remedy for Debian
apt-get update; apt-get install bash
CentOS
yum update
Apparently the patches didn't solve it first time round
https://twitter.com/taviso/status/514887394294652929
I don't think I understand. The article says that to exploit via SSH the user needs to be authenticated, but the CVE says authentication not needed.
So in essence, if someone were physically present and had a keyboard and monitor connected to the machine, he could easily exploit this, but if remote, he would need to be authenticated. Is that right?
In other words, am I worried about a VPS with only one user, me, who has SSH/bash login rights?
It affects both authenticated and non-authenticated users. An example is that any scripts that run on the server are likely to have access to BASH too, and even routers that are running DHCP are also affected.
IMO, this is a larger problem than Heartbleed.
A quick test to see if you are vulnerable:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If it echoes
vulnerable
this is a test
then you are.
It is likely to be much harder to test all your routers and other devices than a simple C&P, though.
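The quick test above, wrapped so it can be run against every shell listed on a host and return a verdict rather than output to eyeball. This is an added example, not part of the original post; the function names are hypothetical, and it only detects the behaviour the one-liner in the post detects.

```shell
#!/bin/sh
# Added example (not from the thread): wraps the one-line check quoted above.
# Function names are hypothetical.

# classify_probe_output TEXT -> vulnerable | not-vulnerable | inconclusive
# "vulnerable" means the shell ran the command that follows the function
# body in the environment variable.
classify_probe_output() {
    case "$1" in
        *vulnerable*"this is a test"*) echo "vulnerable" ;;
        *"this is a test"*)            echo "not-vulnerable" ;;
        *)                             echo "inconclusive" ;;
    esac
}

# check_shell PATH -> runs the thread's probe against one shell binary.
check_shell() {
    if [ ! -x "$1" ]; then
        echo "missing"
        return 0
    fi
    # stderr is dropped: patched bash builds may print a warning there.
    probe_out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo this is a test' \
        </dev/null 2>/dev/null) || true
    classify_probe_output "$probe_out"
}

# audit_shells [FILE] -> one "path<TAB>verdict" line per shell listed in an
# /etc/shells-style file (blank lines and # comments are skipped).
audit_shells() {
    while IFS= read -r shell_path; do
        case "$shell_path" in
            ''|'#'*) continue ;;
        esac
        printf '%s\t%s\n' "$shell_path" "$(check_shell "$shell_path")"
    done < "${1:-/etc/shells}"
}
```

Source the file and run audit_shells with no argument to check the shells in /etc/shells; any line ending in "vulnerable" needs the package update mentioned earlier in the thread.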
>even routers that are running DHCP are also affected
Oh wow, bigger than Heartbleed indeed.
Everything you need to know about the Shellshock Bash bug
http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html
<added>
ShellShock exploited in the wild: kernel exploit with CnC component (github.com)
OK, shit's real. It's in the wild... src:162.253.66.76
https://gist.github.com/anonymous/929d622f3b36b00c0be1
=========
Quick notes about the bash bug, its impact, and the fixes so far
http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html
==========
Bash 'shellshock' bug is wormable
http://blog.erratasec.com/2014/09/bash-shellshock-bug-is-wormable.html#.VCQPrPldWSo