1.0.5 release images are available for download from packages.vyos.net, and soon will be available from mirrors when they sync.
TrustedSec demonstrated a successfull attack on dhclient that used the shellshock vulnerability for remote code execution, so it ceased to be just a good excuse to make a maintenance release, and making a fix as soon as possible became the primary objective.
This release included only security fixes. Both shellshock vulnerabilities were patches, along with a number of less known and less exploitable ones, you can see the full list in release notes.
1.1.0 beta release is still vulnerable. Security updates will be pulled into the development repos soon and included in the upcoming 1.1.0 release.