I thought dash was supposed to be the default shell on Debian. ...
I am confused, too. But from what I read in the net, my understanding is as follows:
echo $SHELL
shows what shell you currently are logged in.
lrwxrwxrwx 1 root root 4 Jan 10 2014 sh -> dash
shows what a sh-script (#!/bin/sh) is actually using
cat /etc/passwd | grep sh
shows you what various users use as default shell. It's *bash* here for root and normal users.
As to panic about this bug:
The point is, *I* don't feel really equipped to evaluate how easy this bug is exploitable. I read "remote", "webserver", "ssh" and my first reaction was: Is my test apache still runing by default (not sure whether or not cgi is activated ;-) ), and how affects this bug my always runing sshd (used in my LAN). And as I am sure I am visiting websites who's owner happily will try to find out what vulnerability they can discover behind my IP, I really want to update to a secure version of bash as quick as possible.
# apt-cache policy bash
bash:
Installiert: 4.3-9.2