By now you've probably all heard about CVE-2014-6271:

Overview

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

http://seclists.org/oss-sec/2014/q3/650 
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

This affects bash in linux distributions and bash in OS X also appears to be vulnerable.

Test with the following in the shell...

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"


If you get the following output, then the system is vulnerable.

vulnerable
this is a test


More info:
http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/

But things might be worse than it appears, as the latest patches do not appear to cover all cases of string processing in bash, so there might be additional exploits to come.
https://news.ycombinator.com/item?id=8365158