According to http://www.vox.com/2014/9/25/6843949/the-bash-bug-explained, shellshock is exploited when someone submits commands in place of parameter data to a server, which then tries to shove the info into an environment variable by a bash invocation.
I (and I suspect many people) only use bash as a command line user interface. I don't run any services from the cygwin installation, and I don't invoke any cygwin commands from Windows services (I know very little about Windows services). Would it be correct to say that the vulnerability doesn't exist in such a scenario? I can update some cygwin installations, but some I cannot (and in those cases, cygwin is installed under non-administrator accounts). -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple