On 26 Sep 2014 05:46, "Cliff Pratt" <enkiduonthenet at gmail.com> wrote: > > Take the case of an Apache Bash CGI. This will have been loaded when Apache > started, so Apache will have to be restarted to get the new one. There may > be other similar cases. So the best thing is to reboot. > This is false and a major misunderstanding of the vulnerability. 1) the vulnerability is just during initialisation of bash. Once it is running it is beyond the vulnerable stage and needs no restarting 2) in a CGI of #!/bin/bash or for a system call with any other language for CGI bash gets executed on demand... It does not do what you say...