Looks pretty harmless to me. The shell code is in the user-agent field, but it is not executed. I just tested it like this:
wget --user-agent="() { :;}; /bin/bash -c \"wget localhost - O /tmp/test\"" localhost
and the file /tmp/test was not created, at least not on my Debian PC, didn't test it on the Raspberry Pi so far (don't have access to it at the moment), but in the Apache access log it looks very similar to your line. Looks like there is some HTTP server out there which executes the user-agent field with this special text, which is really stupid.
If you don't need to access the Raspberry Pi from the internet, you should not make it accessible from the internet (e.g. with a NAT rule). If it is accessible from the internet, there are other things you have to take care of, like only allow to access port 80, otherwise someone could hack it with the default password for the ssh-login or the samba directory export. Note: changing the password for the pi-user doesn't change the password for the samba access. Maybe in the readme of the distribution some security notes should be added.
And maybe better to use something like Lighttpd instead of Apache? I use this on my internet server, because it has a better security history than Apache and it is not as heavy.