Not in 4.3.11, dating from April
My Ubuntu system uses bash version 4.3.11(1)-release (says "bash --version"). My executable dates from April 23 (says "ls -l `which bash`).
Yet the test in the article shows my bash (from April) isn't vulnerable to Shell Shock.
The advisory says bash through 4.3 is vulnerable. I'm not entirely clear what "through" means, but evidently some time after 4.3.0, there was a fix released such that 4.3.11 is not vulnerable.
The advisory makes it clear that the recent bug discovery was really made only recently, so I'm very puzzled as to why 4.3.11(1)-release isn't vulnerable.
Was the Shell Shock bug fixed accidentally, somehow, before April 23? Or did someone spot the exposure and quietly patch it over? Who made the fix? Someone at Bash Central, or Debian, or Canonical? Which versions, exactly, after 4.3.0 are not vulnerable?
Biting the hand that feeds IT
