[kainsavage]

Isn't this irrelevant since no one is 1) using CGI on Macs and 2) no one is using a Mac as a server?

[Doji]

1) CGI is only one known way to exploit shellshock. There are probably many others.

2) People do use Macs as servers. It's unwise, clearly, but it is done. https://www.apple.com/osx/server/

3) OSX server is setup for CGI by default, all you have to do is throw some scripts in the right directory.

[y0ghur7_xxx]

i belive the bug can be used to execute code on your mac with a dhcp server

https://www.trustedsec.com/september-2014/shellshock-dhcp-rc...

[jerf]

The attack surface for shellshock is insanely large, and it's crazy to leave bash unpatched even if one or two currently-known vectors happen to not currently be known to be exploitable. People will be finding ways to tickle it for years to come.

[glitch]

Incorrect. OS X does not use bash scripts for DHCP client tasks and was demonstrated to NOT be affected.

The DHCP vector was demonstrated to be an issue with various Linux distributions.

[nutate]

That's not applicable here. Even NetworkManager on Linux isn't susceptible to this hack. dhclient and dnsmasq can apparently be shocked on unpatched Linux, though.