[kag]

>> 2. uninstall Bash and use a barebones POSIX-like shell without extra features.

It's not that simple. True, djb doesn't say you need bash. But qmail uses /bin/sh (not configurable without recompiling). Try changing /bin/sh to, say, ksh on Ubuntu and watch as nothing else on the system works. The distributions make use of shell-specific features.

[comex]

Doesn't Ubuntu ship dash as /bin/sh already? dash isn't ksh, but it is minimalist (and not vulnerable to this).

[kag]

Yeah, it does. I meant Debian, but it looks like Debian changed too. My bad. My point was that changing /bin/sh from the distro-chosen one to something else could cause problems.