by ahmett 4246 days ago
And the good old shellshocked bash version 3.2 http://opensource.apple.com/source/bash/bash-94.1.2/version....
2 comments

You have to look for the vulnerable code, not just the version string. Supposedly it has already been patched.
A patch was released for OS X versions below 10.10 only, so I would assume it should be applied to OS X 10.10: http://support.apple.com/kb/HT6495
I would assume that the patch has already been applied to the shipping final version of 10.10.0; installing system packages designed for older OS X releases sounds dangerous.
Just install a newer bash with homebrew ¯\_(ツ)_/¯

That's what I did, before Apple even released a patch for Mavericks.

That's not shipping or has patches added:

---------

    rutina:~/git/bashcheck@master$ uname -a
    Darwin rutina.local 14.0.0 Darwin Kernel Version 14.0.0: Fri Sep 19 00:26:44 PDT 2014; root:xnu-2782.1.97~2/RELEASE_X86_64 x86_64
    rutina:~/git/bashcheck@master$ ./bashcheck
    Testing /bin/bash ...
    Bash version 3.2.53(1)-release
    Variable function parser pre/suffixed [__BASH_FUNC<..>(), apple], bugs not exploitable
    Not vulnerable to CVE-2014-6271 (original shellshock)
    Not vulnerable to CVE-2014-7169 (taviso bug)
    Found non-exploitable CVE-2014-7186 (redir_stack bug)
    Test for CVE-2014-7187 not reliable without address sanitizer
    Found non-exploitable CVE-2014-6277 (lcamtuf bug #1)
    Not vulnerable to CVE-2014-6278 (lcamtuf bug #2)
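
An added example, not part of the thread and not taken from bashcheck: a local check that reports each bash binary's version string next to its observed behaviour for CVE-2014-6271 only, which is the distinction the first reply draws. The function names, the marker strings and the `/usr/local/bin/bash` path (assumed to be where a Homebrew bash would sit) are assumptions of this example.

```shell
#!/bin/sh
# Added example: compare the version string with observed behaviour.
# classify_probe, probe_bash and report are names invented for this example.
# Covers CVE-2014-6271 only, not the later bugs bashcheck also tests.

# Classify the captured output of one probe run.
# A patched bash prints only the marker from the -c command. A vulnerable
# one also runs the command that trails the function definition in the
# environment variable, so the second marker shows up.
classify_probe() {
    case "$1" in
        *PROBE_TRAILING*) echo vulnerable ;;
        *PROBE_DONE*)     echo patched ;;
        *)                echo inconclusive ;;
    esac
}

# Probe one bash binary (default /bin/bash) on the local machine.
probe_bash() {
    bin=${1:-/bin/bash}
    [ -x "$bin" ] || { echo inconclusive; return 0; }
    out=$(env probe='() { :;}; echo PROBE_TRAILING' \
          "$bin" -c 'echo PROBE_DONE' 2>/dev/null) || true
    classify_probe "$out"
}

# Print path, version string and probe result for every binary given.
report() {
    for bin in "$@"; do
        [ -x "$bin" ] || continue
        ver=$("$bin" -c 'echo "$BASH_VERSION"' 2>/dev/null) || ver=unknown
        printf '%s\t%s\t%s\n' "$bin" "${ver:-unknown}" "$(probe_bash "$bin")"
    done
}

# System bash and the assumed Homebrew location; missing paths are skipped.
report /bin/bash /usr/local/bin/bash
```
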