"Shellshock" bash bug

Colin Law clanlaw at gmail.com
Sat Sep 27 06:43:19 UTC 2014


On 27 September 2014 01:31, Gene Heskett <gheskett at wdtv.com> wrote:
> On Friday 26 September 2014 17:17:06 Colin Law did opine
> And Gene did reply:
>> On 26 September 2014 16:43, Kevin O'Gorman <kogorman at gmail.com> wrote:
>> > There has been a code-injection vulnerability in bash for the last 22
>> > years, recently discovered and named "Shellshock".  It's nasty.
>> > http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
>>
>> I don't fully understand the description.  I have a system that cannot
>> be updated that has an ssh port open to the internet, with access by
>> keys only.  Is that system vulnerable to attack?
>>
>> Colin
>>
> Top posting, bah! Read the rest of the message below, open a terminal

Who is top posting?  I had read the rest of the post.  My question
related to the quoted section.

>
>> > Here's a quick one-liner to see if you're vulnerable:
>> > $ env x='() { :;}; echo vulnerable'  bash -c "echo this is a test"
>> > vulnerable
>
> And enter into the terminal from the keyboard, the above line starting
> with "env", to the end at 'test"', duplicating the quotation marks etc you
> see above.
>
> Then hit enter and you should get the vulnerable return if you are, or the
> bash error shown below, ending in the last line 'this is a test'.  That
> response says you are not vulnerable.

No, the message tells me that I have a vulnerable version of bash
installed, not whether my system is vulnerable to attack as I asked.
The point is that with a machine that is only open to the internet via
ssh with access by keys only, is the system vulnerable?  So far that
answer seems to be no, provided one's router is not hacked.

Colin
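
The one-liner quoted in the thread only tests whichever bash comes first in PATH. The following is an added example, not part of the original post: it runs the same probe against each bash binary listed in an /etc/shells-style file. The function names check_bash and scan_shells are made up for this example, and the result says only whether each binary is a vulnerable version, not whether the system is exposed.

```shell
#!/bin/sh
# Added example: the thread's CVE-2014-6271 probe, run per bash binary.

# check_bash PATH -> prints "vulnerable", "not-vulnerable" or "error"
check_bash() {
    shell=$1
    [ -x "$shell" ] || { echo "error"; return 0; }
    # Same probe as in the thread. stderr is dropped because some patched
    # versions print warnings; stdin is detached so callers' pipes are untouched.
    out=$(env x='() { :;}; echo vulnerable' "$shell" -c 'echo this is a test' \
          2>/dev/null </dev/null)
    case "$out" in
        *"this is a test"*) ;;          # the requested command did run
        *) echo "error"; return 0 ;;    # binary did not behave like a shell
    esac
    # A vulnerable bash runs the trailing "echo vulnerable" while importing x.
    if printf '%s\n' "$out" | grep -qx 'vulnerable'; then
        echo "vulnerable"
    else
        echo "not-vulnerable"
    fi
}

# scan_shells FILE -> one "path status" line per bash/rbash entry in FILE
scan_shells() {
    list=${1:-/etc/shells}
    grep -E '^/.*/r?bash$' "$list" 2>/dev/null | sort -u |
    while read -r candidate; do
        printf '%s %s\n' "$candidate" "$(check_bash "$candidate")"
    done
}

scan_shells /etc/shells
```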




More information about the ubuntu-users mailing list