OK, for Debian 5 Lenny I had to compile. I have done 3 servers that I did in 2008 and it seems to work. Here is what I did; you may need to sub in the version of bash you are using or check the server for the right directory or files.
#first find out the version you have so you know what to get for the patches and source files
dpkg-query -l|grep bash
ii bash 4.1-3 The GNU Bourne Again SHell
# I am doing everything in the /usr/src dir
cd /usr/src
wget http://ftp.gnu.org/gnu/bash/bash-4.1.tar.gz
tar zxvf bash-4.1.tar.gz
cd bash-4.1
# download and apply all patches, including the latest one that patches CVE-2014-6271
# note: if you are on an older version of bash, say 3.2, I would use
# for i in $(seq -f "%03g" 1 52); do since 3.2 has patches up to 52
# patch files are numbered from 001, so the loop starts at 1
for i in $(seq -f "%03g" 1 12); do
wget -nv http://ftp.gnu.org/gnu/bash/bash-4.1-patches/bash41-$i
patch -p0 < bash41-$i
done
# compile and install to /usr/local/bin/bash
./configure && make
make install
# point /bin/bash to the new binary
mv /bin/bash /bin/bash.old
ln -s /usr/local/bin/bash /bin/bash
# test by comparing the output of the following
env x='() { :;}; echo vulnerable' /bin/bash.old -c echo
env x='() { :;}; echo vulnerable' bash -c echo
# then get rid of the old one, that's a problem
rm /bin/bash.old
I hope this helps other folks.
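
Added example, not part of the original post: the same env test wrapped in a script that checks every bash binary the procedure touches, so a leftover /bin/bash.old or an unpatched copy is reported before cleanup. The function names are hypothetical and the default path list assumes the locations used in the post.

```shell
#!/bin/sh
# Added example: probe bash binaries for CVE-2014-6271 using the post's env test.

# probe_output BIN: run the test from the post against BIN and print its output.
probe_output() {
    env x='() { :;}; echo vulnerable' "$1" -c 'echo probe' 2>/dev/null
}

# classify OUTPUT: a patched shell prints only "probe"; a vulnerable one runs
# the trailing command while importing x and prints "vulnerable" as well.
classify() {
    case "$1" in
        *vulnerable*) echo VULNERABLE ;;
        *probe*)      echo patched ;;
        *)            echo unknown ;;
    esac
}

# check_bash BIN: print "<result> <path>"; return 1 only when BIN is vulnerable.
check_bash() {
    if [ ! -x "$1" ]; then
        echo "missing $1"
        return 0
    fi
    result=$(classify "$(probe_output "$1")")
    echo "$result $1"
    [ "$result" != VULNERABLE ]
}

# scan_bash_binaries [PATH...]: check each path; with no arguments, check the
# paths used in the post (assumed locations, adjust for your server).
scan_bash_binaries() {
    [ "$#" -gt 0 ] || set -- /bin/bash /bin/bash.old /usr/local/bin/bash
    rc=0
    for bin in "$@"; do
        check_bash "$bin" || rc=1
    done
    return $rc
}

scan_bash_binaries || echo "a vulnerable bash is still installed"
```

Run it once after `make install` and again after removing the old binary; `/bin/bash.old` should go from VULNERABLE to missing.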