Would like to check whether the Shellshock affect older version of splunk 5.0.4, any document to state that it does not impact this version? thks
To answer your versioning question, there is no meaningful difference between 5.0.4 and 5.0.9 that MarioM links in regard to shellshock. Shellshock is a bash vulnerability with a broad attack surface, for which the correct thing to do is to update bash.
For the security conscious user, I would strongly encourage following the current maintenance release of whatever line of product they choose to deploy.
We did not update 5.0.4 in regards to heartbleed. However, since older versions of OpenSSL were not affected by this particular bug, 5.0.x versions were not affected by this particular bug either.
In general, however, 5.0.4 lacks many updates to many other components. I would not select a significantly antiquated release for the security-conscious, which was gkanapathy's point.
5.0.4 is not a current maintenance release, and will certainly have vulnerabilities that are not in the current 5.0.x maintenance release. For example, 5.0.4 is still vulnerable to Heartbleed.