This is all public information, easily verified with Google. C'mon people, if you're going to make snarky comments, at least do a little research!
Any program that can be tricked into passing an arbitrary string to execute in a bash shell (pretty much any shell, really, unless it is proved secure) presents a security hole. Bash is known not to be secure. Therefore, if you can pass an arbitrary string to bash, you have a security hole. This isn't hard to understand.
But, how can DHCP pass an arbitrary string to bash? The DHCP protocol works like this (simplified):
1. Client sends DHCP Discover
2. DHCP server sends DHCP Offer
3. Client sends DHCP Request
4. DHCP server sends DHCP ACK
The problem comes in step 4 (DHCP ACK). In addition to the many standard fields, a DHCP Server can send optional fields. One of these optional fields (number 114) requests setting remote variables and passes to the client machine arbitrary fields for those environmental variables. These environmental variables are then passed (unmodified) to a number of shell scripts (on Unix/BSD/Linux/OSX). These shell scripts are, in fact, bash scripts. This all probably seemed like a good idea when DHCP was designed, 20 odd years ago. It isn't.
So here is what happens:
During step 4 above, the (malicious) DHCP server sends (at least) one option 114 field to set certain environmental variables in the DHCP server. This was, in the past, expected and allowed behavior. It is what tells the DHCP server to remotely configure the network interface.
BUT, you have this scenario: Arbitrary input is being passed to bash, and neither the program passing the data nor bash itself adequately screen the input for form. Instead, arbitrary strings are allowed. These strings can contain a separator that tells bash, 'execute everything after me as a commend'. So, you can use these environmental variables to (remotely) execute code (see generally ShellShock). In nearly all systems (including OSX), these scripts are executed in the root environment (i.e. by the most privileged user id).
This is oversimplified, but it should give the general idea.
Is this only theory? No. A metsploit module has already been released that exploits this 'feature' of DHCP. And, metasploit can hijack the DHCP function without your machine noticing it. It's had this ability for years. Several billion (yes, billion) cases of attempted exploits have been tracked by several security firms, in the wild, on the internet. Nobody knows how many have succeeded, but a lot of machines are vulnerable.
But, you say, my DHCP server is the one given to me by my ISP ... and surely its safe, and anyway, it can't talk to my Mac directly. But, consider, the DHCP server for your (home) network very likely runs on your router, which probably is running Linux, so if it's been hacked, your Mac is indeed vulnerable. And, your home router gets its own tcp/ip address by using ... DHCP. And it faces the internet raw. Its firmware hasn't been updated (probably) in years, and it very possibly has an implementation of bash (or another shell script to handle 114 messages which is equally vulnerable), and if it does, then it is possibly vulnerable to the ShellShock exploit. Oh, and by the way, did I mention that it faces out into the mean, cruel internet?
Penultimately, is this all reason to panic? No. If you're concerned about security, click on the button on the Apple site that fixes it. There, that's not so hard, is it? You can fix your router's vulnerability too, but that's not what this thread is about. Why didn't Apple push this code fix harder? I have no clue--ask Apple.
And finally, perhaps people who don't have any clue what they're talking about should moderate their comments...