In short: yes, update right now. If you want more details, read on.
What is the ShellShock vulnerability?
ShellShock is the nickname given to CVE-2014-6271, a remotely exploitable vulnerability in bash. If exploited successfully, it could allow an attacker to gain control over a targeted computer. All Linux installations running the Bash shell are vulnerable to this exploit.
It is important to understand that ShellShock is a vulnerability in bash, not in SSH. SSH is one of the possible attack vectors, alongside HTTP (by sending commands to CGI scripts) and DHCP.
You can watch a detailed explanation in this video by Symantec:
https://www.youtube.com/watch?v=ArEOVHQu9nk
Is your server vulnerable?
To check whether your Linux server is vulnerable to the bug, run the following command in an SSH session:
x='() { :;}; echo SERVER IS VULNERABLE TO SHELLSHOCK BUG' bash -c :
On a vulnerable system:
$ x='() { :;}; echo SERVER IS VULNERABLE TO SHELLSHOCK BUG' bash -c :
SERVER IS VULNERABLE TO SHELLSHOCK BUG
On a patched system:
$ x='() { :;}; echo SERVER IS VULNERABLE TO SHELLSHOCK BUG' bash -c :
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
Or empty output.
My server is vulnerable to the ShellShock bug: what do I do?
To fix the ShellShock bug on your server, you need to update bash. Depending on your operating system, run one of the following commands.
Debian/Ubuntu
sudo apt-get update && sudo apt-get install --only-upgrade bash
CentOS
sudo yum update bash
Run the test command again to make sure that the update completed successfully.
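The same check in scriptable form, as an added example that is not part of the original post: it runs the test above against each bash binary named on the command line and reports the result through its output and exit status, which is convenient for re-checking after the update. The names probe_bash and scan_bash and the marker string are assumptions made for this example.

```shell
#!/bin/sh
# Added example: scriptable form of the page's one-line ShellShock test.
# probe_bash and scan_bash are names chosen for this example.

# probe_bash BINARY
#   prints "vulnerable", "patched" or "missing"
#   returns 1 if vulnerable, 2 if BINARY is not executable, 0 otherwise
probe_bash() {
    bin=$1
    if [ ! -x "$bin" ]; then
        echo missing
        return 2
    fi
    # Constructed marker, unique per run, so unrelated output cannot match.
    marker="SHELLSHOCK_PROBE_$$"
    # Same probe as the page's test: an environment variable holding a
    # function definition followed by a command. A vulnerable bash runs the
    # trailing echo while importing its environment; a patched bash does not
    # (it may warn on stderr, which is discarded here).
    out=$(env x="() { :;}; echo $marker" "$bin" -c : 2>/dev/null) || true
    case $out in
        *"$marker"*) echo vulnerable; return 1 ;;
        *)           echo patched;    return 0 ;;
    esac
}

# scan_bash BINARY...
#   probes each path and prints one "path: result" line per binary
#   returns 1 if any of them is vulnerable, 0 otherwise
scan_bash() {
    rc=0
    for b in "$@"; do
        result=$(probe_bash "$b") || [ "$result" = missing ] || rc=1
        printf '%s: %s\n' "$b" "$result"
    done
    return "$rc"
}

# Usage: sh check_shellshock.sh /bin/bash /usr/local/bin/bash
if [ "$#" -gt 0 ]; then
    scan_bash "$@"
fi
```

Passing every bash path present on the server matters when a copy was installed outside the package manager, since the update commands above only replace the packaged binary.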
Security Advisories by Linux Vendors
Linux vendors have issued security advisories for the newly discovered vulnerability including patching information.
- Debian: https://www.debian.org/security/2014/dsa-3032
- Ubuntu: http://www.ubuntu.com/usn/usn-2362-1/
- Red Hat: https://access.redhat.com/articles/1200223
- CentOS: http://centosnow.blogspot.com/2014/09/critical-bash-updates-for-centos-5.html
- Novell/SUSE: http://support.novell.com/security/cve/CVE-2014-6271.html