Shellshock resolution - is patching alone enough?

I was researching a mess that a user left on a box and searching for (deleted) files with lsof (I'm sure many of you know what I am talking about ;-)

Anyhow.. I discovered the following in my output

PROCESS.s 13039       jboss  txt       REG              253,1     903336    1180605 /bin/bash (deleted)

Which I believe is due to the fact that the process was started, then bash was updated (replaced) leaving that orphaned file and remaining resident in memory.

Does anyone know if the comprimise vector only applies to when a new bash process is spawned? Or is it also an issue with the parents?

Thoughts?