According to the vulnerability test script from shellshocker.net, the latest bash versions on CentOS5 and CentOS6, 3.2-33.el5_11.4 and 4.1.2-15.el6_5.2, resp., are still vulnerable to CVE-2014-6277. In fact, on CentOS6, abrtd will send you a nice report about it. Does anyone know if upstream is working on a fix?
[root@host ~]# bash ~/shellshock_test.sh CVE-2014-6271 (original shellshock): not vulnerable /root/shellshock_test.sh: line 16: 17229 Segmentation fault (core dumped) bash -c "f() { x() { _;}; x() { _;} <<a; }" 2> /dev/null CVE-2014-6277 (segfault): VULNERABLE CVE-2014-6278 (Florian's patch): not vulnerable CVE-2014-7169 (taviso bug): not vulnerable CVE-2014-7186 (redir_stack bug): not vulnerable CVE-2014-7187 (nested loops off by one): not vulnerable CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable [root@host ~]#