Official statement on shellshock?

Is there an official statement that talks to the Asteriskl and the Bash/shellshock vulnerabilities?


Asterisk doesn’t use bash, except during installation, and startup, unless the user explicitly invokes it. There are various statements about the impact on FreePBX on the FreePBX forum.

There is no injection path for rogue environment variables in the startup or installation code and any attack based on the ability to run scripts from the dialplan would be better achieved without subterfuge.