The bash page on the Debian security tracker shows that the Shellshock vulnerability (IIRC Shellshock was covered in CVE-2014-6277, CVE-2014-6278 and CVE-2014-7169) has been patched in bash 4.1-3+deb6u2 (Squeeze LTS).

FWIW you will note that there is a current open vulnerability (CVE-2012-3410) in the Squeeze LTS (i.e. TKL v12.x) version of bash (fixed in Wheezy/TKL v13.x). However it is noted as minor and can apparently only be exploited locally...

I have the version mentioned, but the bug is still there, at least according to this test -

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If it returns the text “this is a test,” your system is vulnerable.

R.

jlad provides some useful links in a post above. The first link (to a TurnKey blog post) gives you a couple of upgrade (to v13.x) possibilities too if you want...

As you may or may not be aware, v11.x was based on Ubuntu (rather than Debian - since v12.0) and Ubuntu do things a little differently to Debian.

From what I can gather from a quick bit of research is that Ubuntu 10.04 (which v11.x was based on) is still supported with security patches (at least the 'main' server repo anyway...) and as TurnKey has had auto-security updates I would assume that it would have been auto patched.

However, I can't find info about what version you need to have to be assured that the bug is patched. So sorry I can't help there. The following should make sure that you have the latest Ubuntu Lucid version of bash:

apt-get update && apt-get install --reinstall bash

Regardless it may be worth planning your migration to a newer version of TurnKey as Ubuntu 10.04 support will finish April next year. So there is no rush yet, but probably good to start planning - especially if you have php code that may need updating for a newer version of php.