Reading about the Shellshock bug on the BBC this morning, I immediately went and checked the logs of lighttpd running on my RPi.
Sure enough there were half a dozen probes of the bash vulnerability!
Interestingly, though, if I try the published test command [1] directly, it shows the Pi (running bash 4.2.37(1)) not to be vulnerable -- even though the version is supposedly in the buggy range! The output is different from a patched bash, though. It just ignores the trap and goes on to execute the following command (so I only see "this is a test").
-- Pete --
[1] env BUG='() { :;}; echo vulnerable' sh -c 'echo this is a test'