Maybe we need an official stance about shellshock I mainly use php-fpm and mod_php (I didn't used php under cgi for years)
http://jaxbot.me/articles/cases-where-bash-shellshock-is-safe-09-25-2014 http://www.reddit.com/r/programming/comments/2hc1w3/cve20146271_remote_code_execution_through_bash/ckrdqdb PHP scripts executed with mod_php are not affected even if they spawn subshells. https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
