Why isn't my bash 4.1.2 package vulnerable to shellshock? Is my test wrong?


My Bash shell version is GNU bash, version 4.1.2(2)-release (x86_64-redhat-linux-gnu).

I tested for the shellshock bug using the command below:

x='() { :;}; echo VULNERABLE' bash -c :

The VULNERABLE message was not printed back.

I have read that the bug exists up to bash version 4.3 (https://www.youtube.com/watch?v=u1H12rMdLTg).

What could be the reason?

Charles Duffy On

Updated packages with patches backported to the locally-supported version of bash were released for major distros within days of shellshock being identified. (Indeed, they were released in rather a hurry, and the interim fixes often used a different environment variable format for exported functions than what the final releases do, meaning that a function exported in one version of the shell often won't be recognized by another running as a subprocess).

Just because upstream didn't have a final patch merged doesn't mean your operating system or distribution didn't push a backport -- indeed, it would be wildly irresponsible for them not to.
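The following script is an added example, not part of the original question or of Charles Duffy's answer. It judges a bash binary by behaviour rather than by its version string: it runs the question's probe, then reports which environment encoding the shell uses for exported functions. The function names and the three encoding patterns (recalled from the 2014 patches) are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original thread): test behaviour, not version.

# Run the question's probe against a bash binary (default: the one on PATH).
shellshock_probe() {
    local bin="${1:-bash}" out
    command -v "$bin" >/dev/null 2>&1 || { echo missing; return 0; }
    # A vulnerable shell runs the trailing echo while importing x at startup;
    # a patched shell ignores it (interim patches may warn on stderr).
    out=$(env x='() { :;}; echo VULNERABLE' "$bin" -c : 2>/dev/null)
    case "$out" in
        *VULNERABLE*) echo vulnerable ;;
        *)            echo not-vulnerable ;;
    esac
}

# Report how a bash binary encodes an exported function in the environment.
# Assumed patterns, for a function called probe_fn:
#   probe_fn=() { ...              original encoding (pre-patch)
#   BASH_FUNC_probe_fn()=() { ...  interim distro patches
#   BASH_FUNC_probe_fn%%=() { ...  final upstream encoding
export_format() {
    local bin="${1:-bash}" name
    command -v "$bin" >/dev/null 2>&1 || { echo missing; return 0; }
    # Export a throwaway function in a child shell and keep only the name of
    # the environment variable that carries it.
    name=$("$bin" -c 'probe_fn() { :; }; export -f probe_fn; env' 2>/dev/null |
        grep -o '^[^=]*probe_fn[^=]*=' | head -n 1)
    case "$name" in
        'BASH_FUNC_probe_fn%%=') echo final ;;
        'BASH_FUNC_probe_fn()=') echo interim ;;
        'probe_fn=')             echo legacy ;;
        *)                       echo unknown ;;
    esac
}

echo "probe: $(shellshock_probe)  export format: $(export_format)"
```

A result of `not-vulnerable` on a 4.1.2 binary is what a backported fix looks like. On an RPM-based system such as the one in the question, `rpm -q --changelog bash` lists the fixes the installed package carries.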