There’s been alot of news in the past couple of days about this Bash bug, some of it hysterically saying that 500 million sites could be impacted. Well maybe that’s how many sites are running the Bash command-line utility susceptible to the bug, but only a small fraction of those are actually exploitable. And exploitable is what matters. This has been an issue with Bash for 20 years, since inception.
First of all, if you’re a Debian user you can relax. Almost all scripts call /bin/sh, symlinked to /bin/dash, which does not have the vulns.