I am using Debian 8.0 and the bash shellshock bug still works. That is why I should use zsh instead. My home Fedora 25 machine uses the zsh shell and I do not have that problem at all. It is only the bash shell that has this vulnerability. This is very concerning, but I guess that the developers would need to change how bash runs scripts to prevent this. And that could break Linux systems that use a lot of scripts.
┌─[jason@neo]─[~] └──╼ $env VAR1='me() {echo "hello"}\ ' /bin/touch /home/$LOGNAME/my.text |
The code above is what I used to test this. The one-liner successfully created a new file in my home directory. This proves that the bug has not been fixed yet and is still an issue for Linux users. Hopefully this will be addressed in a patch eventually. Here is more information on this shellshock bug. http://securitronlinux.com/bejiitaswrath/a-variant-of-the-shellshock-bug-that-still-works-with-the-bash-4-3-11-shell/. This is quite serious, but you do not read anything about this anymore.
On my Debian 8.7 system, this still works.
X='() { (a)=>\' bash -c "echo date" |
The file echo is created and this contains the text “Hello World”.