This situation regarding the "Shellshock" family of bash flaws is very fluid right now and there is still research being done on the breadth and impact of these flaws. As such, patches/updates that have come out have been insufficient and require new patches/updates; so the question of whether or not something has been patched becomes a bit confusing.
On top of the patch confusion, as mentioned earlier, being vulnerable to these flaws does not mean that the flaws are exploitable. At the base of it, taking advantage of these flaws as a basic Linux user account will provide no more access than that user already has.
If there are any questions regarding the impact of the "Shellshock" family of vulnerabilities on Symantec Messaging Gateway, please open a case with support for the latest information.