In this post I address comments both Jon and Artie made immediately above. First off, the only quick way to establish your Bash vulnerability status at the moment is to run a Bash check script or the equivalent Terminal commands.
The comment I made in post #31391 above about the Apple patches possibly not fixing all vulnerabilities was based on the result of a
Bash check script by Hanno Böck and run by
Rapid7 security researcher Greg Wiseman. Böck's script currently tests for 6 different Bash vulnerabilities. Running a check after an optimal patch should indicate that all 6 vulnerabilities have been patched. It was initially not clear whether Wiseman's results actually differed from those listed by
Francis Barr in MacInTouch on October 4th, or whether he interpreted them differently. But in
an Oct. 2 update Wiseman already stated that the vulnerabilities he found to be not addressed by the Apple patches were in fact not exploitable. This implies that the available Apple patches are OK, at least for now (see below).
The version of GNU bash shipped with Mac OS X is 3.2; the current version is 4.3. Both had 'the' flaw, and both were patched, with the patch number appended to the Bash version number. Which one the Bash-check produces depends on your OS X version and its associated Bash version, or the patch version which replaced it. While Apple stayed with 3.2 for their patch, TFF used v.4.3. In this context,
Bash 3.2, patches 52, 53, and 54 correspond to Bash 4.3 patches 25, 26, and 27.
All that said, there is really no such thing as 'the' flaw, since additional flaws are found on almost a daily basis once Bash came under increased scrutiny. Additional patches can be expected, as well as official Apple action in case of newly found exploitable flaws.
PS, it appears that a patch version number (i.e., 3.5.23) in the quote from MIT poster Francis Barr I included in post #31402 contained a typo. I have now marked it there as such. The Bash test result in Francis Barr's MIT post lists the proper version number, 3.2.53.
