Hello Guys

I was hopping around internet news and found this:
A newly discovered security bug in a widely used piece of Linux software, known as "Bash," could pose a bigger threat to computer users than the "Heartbleed" bug that surfaced in April, cyber experts warned on Wednesday.

Bash is the software used to control the command prompt on many Unix computers. Hackers can exploit a bug in Bash to take complete control of a targeted system, security experts said.

The Department of Homeland Security's United States Computer Emergency Readiness Team, or US-CERT, issued an alert saying the vulnerability affected Unix-based operating systems including Linux and Apple Inc's Mac OS X.
Does anyone know how someone can control a Linux / Unix system? As we all know, bash is a local script called internally from the server,
and the only way to make it run is every 1 minute, as the minimum time, using crontab.
2nd thing on my mind: how can you hack using bash if you can't get SSH access with a username / password to a public Linux server?

3rd: on a local desktop like Ubuntu, Linux Mint, Debian, Fedora, CentOS etc., you get access to bash using the terminal as a user, but we all know that the user has a privilege level he can't bypass to get root privilege. He can still do some evil things on it, but you can easily catch it.
It's not a ~privilege escalation issue.
The issue is how environment variables are processed resulting in bash running code you didn't intend it to do.
Not to hijack the conversation, but this is one of these days where I'm happy that I'm running Windows on my server. I was not directly affected by the SSL bug earlier this year either, although a couple of server processes might have been.
There are other nice things about Windows as well.
Godaddy shared hosts are still vulnerable after so many hours, unless they did some other workaround.
-bash-3.2$ env x='() { :;}; echo vulnerable'  bash -c "echo vun"
vulnerable
vun
rolf wrote: Not to hijack the conversation, but this is one of these days where I'm happy that I'm running Windows on my server. I was not directly affected by the SSL bug earlier this year either, although a couple of server processes might have been.
There are other nice things about Windows as well.
Not to beat down on Microsoft or you, but Microsoft does still have its fair share of vulnerabilities, some of them spooky.
http://www.cvedetails.com/vulnerability-list/vendor_id-26/year-2014/Microsoft.html

Anyway, Microsoft is becoming less of a major target with all the move to Android and Linux Servers...
A final patch was released earlier today. If you patched yesterday, you are required to re-patch today.

Some mirrors are still getting updated though.
More info:
https://rhn.redhat.com/errata/RHSA-2014-1306.html
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762760#56

To test if your server is vulnerable:

CVE-2014-6271 (Yesterday's patch)
env x='() { :;}; echo vulnerable'  bash -c "echo vun"
You're vulnerable if the output is:
vulnerable
vun


CVE-2014-7169
env X='() { (a)=>\' sh -c "echo date"; cat echo
You're vulnerable if a file is created called "echo" containing the current date
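
The two checks from the post above, combined into one script as an added example (not part of the original post): it runs them against a chosen shell inside a scratch directory, so the CVE-2014-7169 probe leaves no stray "echo" file behind. The function names are made up for this example, and the second check calls the named shell instead of sh.

```shell
#!/bin/sh
# Added example: the thread's two test commands wrapped as functions.
# Usage: ./check.sh [path-to-shell]   (defaults to "bash")

# check_6271 SHELL -> prints "vulnerable" or "not vulnerable"
check_6271() {
    shell=${1:-bash}
    # A vulnerable bash runs the trailing "echo vulnerable" while it
    # imports the function-looking value of x from the environment.
    out=$(env x='() { :;}; echo vulnerable' "$shell" -c 'echo vun' 2>/dev/null) || true
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "not vulnerable" ;;
    esac
}

# check_7169 SHELL -> prints "vulnerable" or "not vulnerable"
check_7169() {
    shell=${1:-bash}
    tmp=$(mktemp -d) || return 2
    # A vulnerable bash mis-parses X and writes the output of "date"
    # to a file named "echo" in the working directory.
    ( cd "$tmp" && env X='() { (a)=>\' "$shell" -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -e "$tmp/echo" ]; then
        result="vulnerable"
    else
        result="not vulnerable"
    fi
    rm -rf "$tmp"
    echo "$result"
}

# report SHELL -> one line per CVE
report() {
    shell=${1:-bash}
    echo "CVE-2014-6271: $(check_6271 "$shell")"
    echo "CVE-2014-7169: $(check_7169 "$shell")"
}

report "${1:-bash}"
```

Run it again after each package update, since a system that received only the first patch reports "not vulnerable" for CVE-2014-6271 but still "vulnerable" for CVE-2014-7169.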
hussam wrote: Can't find a new patch http://ftp.gnu.org/gnu/bash/bash-4.3-patches/
Compiling the last version from the source is not vulnerable as far as I know.

But I meant if you're updating from the repos, you have to re-update because the patches that were released yesterday were incomplete.
Thank you for the heads-up Hybrid. The Debian wheezy repos have been updated with the properly patched version.