A vulnerability in Bash up to 4.3 was discovered and allows for remote execution by defining a user-controlled environment variable to a specially crafted function definition.

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169

While the attack surface is probably very limited in a desktop scenario (it would happen when a script is spawned by mod_cgi, for instance), it would still be a good idea to plug the hole.

As of this writing, an incomplete fix was released for CVE-2014-6271; I suggest waiting for a revised solution.