While you're waiting for a GNU BASH update for CVE-2014-7169 and its pal CVE-2014-6271, if you happen to have systemtap and bash debuginfo handy, try:

# stap -g -e 'probe process("/bin/bash").function("initialize_shell_variables") { $privmode=1 }' &

On versions of bash as old as 3.2 and as new as 4.3.24, this appears to fool all future /bin/bash processes into skipping processing of input environment variables, just as if the bash -p flag was given (q.v.), and with Strictly Unofficial Testing, appears to make it immune to the vulnerabilities.

(Adding conditionals based on uid() etc. is left to the reader. Kudos to wmealing for pointing me to the -p option.)
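
To confirm the probe is actually taking effect, you can check whether a plain /bin/bash still imports shell functions from its environment, which bash -p never does. The script below is an added example, not part of the original post; the function names imports_functions, mitigation_state and stap_probe_fn are made up for it.

```shell
#!/bin/sh
# Added example: reports whether a bash binary still imports shell functions
# from its environment. All function names here are hypothetical.

# imports_functions BASH [FLAGS...]
# Returns 0 if BASH, started with FLAGS, picks up a function exported by its parent.
imports_functions() {
    bash_bin=$1; shift
    # The target bash does the exporting itself, so the environment encoding
    # always matches what that particular build expects on import.
    out=$("$bash_bin" -c '
        stap_probe_fn() { echo IMPORTED; }   # constructed, harmless marker
        export -f stap_probe_fn
        exec "$0" "$@" -c stap_probe_fn
    ' "$bash_bin" "$@" 2>/dev/null)
    [ "$out" = "IMPORTED" ]
}

# mitigation_state [BASH]
# Prints one word:
#   inactive     - plain bash imports functions (probe not in effect)
#   active       - plain bash behaves like bash -p (imports are skipped)
#   inconclusive - binary missing or unusable, or the -p control still imported
mitigation_state() {
    bash_bin=${1:-/bin/bash}
    if [ ! -x "$bash_bin" ] || ! "$bash_bin" -p -c : 2>/dev/null \
        || imports_functions "$bash_bin" -p; then
        echo inconclusive
    elif imports_functions "$bash_bin"; then
        echo inactive
    else
        echo active
    fi
}

# Check the binary the stap probe targets (or the path given as $1).
mitigation_state "${1:-/bin/bash}"
```

The probe only exists while the stap session is running, so rerun the check after any restart of stap or the host.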