We’ve verified that for Windows platforms only, the Chef Client, Chef DK, and Push Jobs Client packages contain versions of the bash command interpreter that are affected by CVE-2014-6271, the “ShellShock” advisory.
Chef Software has reviewed the advisory and does not believe that this presents a critical risk to users because the bash shell is not commonly used on Windows and is invoked in a limited context by Chef Client, Chef DK, and Push Jobs Client software.
We will release corrected versions of the affected bash shell in the next scheduled release of each of the packages, and will update plans if needed as we monitor developments around the advisory.
Linux and other non-Windows platform packages are not affected by the advisory because shells are not distributed with non-Windows packages.
For Chef Client and the other affected packages, bash is primarily used as part of the toolchain to compile native Ruby gems at gem install time. Chef Client can also invoke bash when the bash resource is used in a Chef recipe.