When was the shellshock (CVE-2014-6271/7169) bug introduced, and what is the patch that fully fixes it?
124 votes, 2 answers, 21788 views
**Some context about the bug: [CVE-2014-6271](http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271)**
> Bash supports exporting not just shell variables, but also shell
> functions to other bash instances, via the process environment to
> (indirect) child processes. Current bash versions use an environment
> variable named by the function name, and a function definition
> starting with “() {” in the variable value to propagate function
> definitions through the environment. The vulnerability occurs because
> bash does not stop after processing the function definition; it
> continues to parse and execute shell commands following the function
> definition. For example, an environment variable setting of
>
>     VAR=() { ignored; }; /bin/id
>
> will execute /bin/id when the environment is imported into the bash
> process.

Source: http://seclists.org/oss-sec/2014/q3/650

**When was the bug introduced, and what is the patch that fully fixes it?** (See [CVE-2014-7169](http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169))

What are the vulnerable versions beyond those noted in the CVE (initially) (3.{0..2} and 4.{0..3})?

**Has the buggy source code been reused in other projects?**

Additional information is desirable.
---
Related: [What does env x='() { :;}; command' bash do and why is it insecure?](https://unix.stackexchange.com/questions/157329/what-does-env-x-command-bash-do-and-why-is-it-insecure)
Asked by Deer Hunter
(1886 rep)
Sep 25, 2014, 03:53 AM
Last activity: Jan 15, 2019, 02:47 PM
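
An added illustration, not part of the original question or the quoted advisory: a heuristic Python check that flags environment values which start with the `() {` function marker and carry text after the function body closes, the condition the quote describes. The function names and the sample environment are constructed for this example, and the brace matching only approximates bash's parser.

```python
FUNC_PREFIX = "() {"  # marker from the quoted advisory for an exported function


def classify_env_value(value):
    """Return 'plain', 'function', 'trailing' or 'malformed' for one value."""
    if not value.startswith(FUNC_PREFIX):
        return "plain"
    depth = 0
    quote = None  # quote character we are currently inside, if any
    i = 3         # index of the opening '{' of the function body
    while i < len(value):
        ch = value[i]
        if quote:
            if ch == "\\" and quote == '"':
                i += 1            # skip an escaped character in double quotes
            elif ch == quote:
                quote = None
        elif ch == "\\":
            i += 1                # skip an escaped character outside quotes
        elif ch in "'\"":
            quote = ch
        elif ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                # Anything left after the body closes is what the vulnerable
                # bash went on to parse and execute.
                rest = value[i + 1:].strip(" \t\n;")
                return "trailing" if rest else "function"
        i += 1
    return "malformed"            # body never closed


def suspicious_vars(env):
    """Map variable name -> verdict for values that are not clean."""
    verdicts = {name: classify_env_value(val) for name, val in env.items()}
    return {n: v for n, v in verdicts.items() if v in ("trailing", "malformed")}


# Constructed sample environment; VAR is the example value from the quote.
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "greet": "() {  echo 'hi }'\n}",
    "VAR": "() { ignored; }; /bin/id",
    "broken": "() { echo hi",
}

if __name__ == "__main__":
    print(suspicious_vars(SAMPLE_ENV))
```
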