Some comments I've seen recently seem to imply that if your default shell is not Bash then you're not vulnerable to the Shellshock bug.
However, the Shellshock FAQ says (emphasis mine):
Michael Lin and Larry Seltzer wrote:
"Bash can be called directly by the CGI (i.e. A Bash script), or it could be called via a subprocess or system command. If Bash is started at any point within the context of this malicious CGI request, then the vulnerability will be triggered."
I think this means that it doesn't matter whether Bash is your default shell or not. As long as it's installed on the vulnerable system and an attacker can ~~formulate the right command to inject~~ do something to start Bash, you still have a risk of getting pwned.
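
An added example, not part of the original post: a defender-side sketch for a CGI-style handler that checks whether a helper script would start Bash regardless of what `/bin/sh` is, and strips function-definition-shaped values from the request environment before spawning anything. The function names and sample environment are hypothetical and constructed, and the scrubbing is assumed to be a stopgap used alongside patching Bash, not a replacement for it.

```python
import os
import re
import shutil
import subprocess

# Shape of an exported function definition that Bash imports from the
# environment: the value begins with "() {" (matched leniently here).
FUNC_DEF = re.compile(r"^\s*\(\s*\)\s*\{")


def scrub_env(environ):
    """Return a copy of environ without values shaped like a Bash function definition."""
    return {k: v for k, v in environ.items() if not FUNC_DEF.match(v)}


def starts_bash(script_path):
    """True if the script's interpreter line names bash, whatever the default shell is."""
    with open(script_path, "rb") as fh:
        first = fh.readline(256).decode("ascii", "replace")
    if not first.startswith("#!"):
        return False
    words = first[2:].split()
    # Covers both '#!/bin/bash' and '#!/usr/bin/env bash'.
    return any(os.path.basename(w) == "bash" for w in words[:2])


def run_helper(script_path, request_env):
    """Spawn a helper for a CGI-style request, passing only the scrubbed environment."""
    return subprocess.run([script_path], env=scrub_env(request_env),
                          capture_output=True, text=True, check=False)


# Constructed sample: CGI exposes request headers to child processes as
# HTTP_* variables, so a header value ends up in Bash's environment.
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "REQUEST_METHOD": "GET",
    "HTTP_USER_AGENT": "() { :; }",  # constructed function-definition shape
    "HTTP_ACCEPT": "text/html",
}

if __name__ == "__main__":
    # Bash being installed matters; being the default shell does not.
    print("bash installed:", shutil.which("bash") is not None)
    print("/bin/sh resolves to:", os.path.realpath("/bin/sh"))
    print("variables kept:", sorted(scrub_env(SAMPLE_ENV)))
```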