Just in case you don't see it elsewhere

http://www.csoonline.com/article/2687265/application-security/remote-exploit-in-bash-cve-2014-6271.html

Remedy for Debian
apt-get update; apt-get install bash

CentOS
yum update

Apparently the patches didn't solve it first time round

https://twitter.com/taviso/status/514887394294652929

I don't think I understand. The article says that to exploit via SSH the user needs to be authenticated, but the CVE says authentication not needed.

So in essence, if someone were physically present and had a keyboard and monitor connected to the machine, he could easily exploit this, but if remote would need to be authenticated. Is that right?

In other words, am I worried about a VPS with only one user, me, who has SSH/bash login rights?

It affects both authenticated and non authenticated users. An example is any scripts that run on the server are likely to have access to BASH too and even routers that are running DHCP are also affected.

IMO, this is a larger problem than heartbleed.

A quick test to see if you are vulnerable:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If it echos

vulnerable
this is a test

then you are.

It is likely to be much harder to test all your routers and other devices than a simple C&P though

>even routers that are running DHCP are also affected
oh wow, bigger than heartbleed indeed.

Everything you need to know about the Shellshock Bash bug

http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html

<added>

ShellShock exploited in the wild: kernel exploit with CnC component (github.com)
Ok, shits real. Its in the wild... src:162.253.66.76

https://gist.github.com/anonymous/929d622f3b36b00c0be1

=========

Quick notes about the bash bug, its impact, and the fixes so far

http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html

==========

Bash 'shellshock' bug is wormable

http://blog.erratasec.com/2014/09/bash-shellshock-bug-is-wormable.html#.VCQPrPldWSo