In the light of the recent Bash vulnerability known as "Shellshock" (CVE-2014-6271 and CVE-2014-7169), we have reviewed its products to understand if any are at risk.
As far as we are aware, none of our products can be exploited by means of this bug.
As a matter of good security practice, we will be updating the various Sophos-supplied versions of Bash as soon as a stable and effective patch is available from the Bash maintainers.
For more information, see our Naked Security post: http://nakedsecurity.sophos.com/2014/09/25/bash-shellshock-vulnerability-what-you-need-to-know/
From noon on 29th September, we are shipping IPS Patterns with the ID numbers 31975 to 31978, and 31985. If IPS is activated on your UTM v9, the rules are activated by default and set to 'drop'. You will find the rules under Server | HTTP | CGI.
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. If you need technical support please post a question to our community. Alternatively for licensed products open a support ticket.