Hi,
an additional remotely exploitable vulnerability has been discovered by Hanno Boeck in bash and it is also unpleasant. The vulnerability has the CVE identifier CVE-2014-7169 and has been given the name Shellshock #2 by some folks out here.
Debian Wheezy (and Squeeze LTS) as well as other Linux distributions have provided security upgrades already; but maybe in case you have to patch an old Debian Lenny distribution you might find it useful, that I’ve fixed and recompiled the latest official Debian Lenny bash v3.2 with the latest patches up to #53 (CVE-2014-7169) including #52 (CVE-2014-6271).
UPDATE: I’ve recompiled this package including #54 by Florian Weimer to resolve an additional issue with clashes; like i.e.
env X='() { (a)=>\’ sh -c “echo date”; cat echo
Please update your package to version bash version 3.2-16!
You may grab the binaries here: https://4ufiles.flo.sh/bash/debian-lenny/
-Flo
