Heartbleed was a memory leak that eventually, after carefully calculated exploiting, can lead to a remote root. Shellshock depends on a lot of environmental details, but is possibly little more than a hard-to-reach shell with elevated permissions. I guess Heartbleed was actually worse.

Who runs web scripts and stuff as root? That's really foolhardy. But using OpenSSL ... we usually thought it good practice!

On Sep 30, 2014 11:41 AM, "Georgi Guninski" <guninski@guninski.com> wrote:

> Recently a bash(1) bug called Shellshock died. It affected Apache, DHCP, SSH, qmail, Pure-FTPd and other stuff.
>
> Summary of affected: https://github.com/mubix/shellshocker-pocs/blob/master/README.md
>
> I find this _much_ worse than the passive Heartbleed.
>
> How much worse is the Shellshock bash bug than Heartbleed?
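The "environmental details" the reply refers to are the crux of Shellshock: pre-patch bash treated any environment variable whose value began with "() {" as an exported function definition and kept executing whatever followed the closing brace, so the bug only mattered where attacker-controlled bytes landed in a bash child's environment (a CGI gateway exporting request headers, a DHCP client exporting lease options, an SSH ForceCommand wrapper). The probe below is an added example written for this page, not code from either poster or from the linked PoC repository. The variable name HTTP_USER_AGENT is chosen to mimic the CGI case; the marker string and the three result words are this example's own conventions.

```shell
#!/bin/sh
# Local Shellshock probe (added example). Prints one of:
#   vulnerable  - the command smuggled after the function body ran
#   patched     - bash ignored the trailing command
#   no-bash     - no bash binary to test
# Return code follows: 1 / 0 / 2.
shellshock_probe() {
    if ! command -v bash >/dev/null 2>&1; then
        echo no-bash
        return 2
    fi
    # Marker that can only appear in the output if the injected
    # "echo" executed while bash imported the environment.
    marker="shellshock_marker_$$"
    # HTTP_USER_AGENT stands in for how a CGI gateway exports a request
    # header into the environment of the script it spawns. The value is
    # an empty function body followed by an extra command; vulnerable
    # bash runs that command before the -c script even starts.
    out=$(HTTP_USER_AGENT="() { :;}; echo $marker" \
          bash -c 'echo request handled' 2>/dev/null)
    case "$out" in
        *"$marker"*) echo vulnerable; return 1 ;;
        *)           echo patched;    return 0 ;;
    esac
}
```

Run `shellshock_probe` on any host that fronts bash with something that copies untrusted input into environment variables; a "patched" result only says the importer no longer executes trailing commands, not that the host has every follow-up bash fix, so treat it as a quick triage check rather than a full assessment.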