So if I use my wired-in node as an SSH tunnel out to the "internets" to tunnel all traffic from my wifi-connected nodes, then this mitigates the issue till updates come through?
That's a feasible option on laptops running macOS or Linux, but not for Android clients. Running an SSH VPN (tunneling all traffic) requires root and has a severe performance penalty (which you will notice on your battery). You'd notice it on the laptops as well, but I guess that matters less.
Funny enough, OpenBSD didn't implement WPA(2) for a while. Instead, they were forcing their users to use IPsec and OpenSSH instead.
Debian repos and inherently Ubuntu's repos also have wpa_supplicant 2.4, we will see if they update to 2.6 or release a patch. Probably patch before 2.6.
It would be nice if there was a rule which package repos and distros would adhere to. The rule would adapt, such as all the packages that have had security issues will always be required to be updated to the latest versions in the next release or sooner. As vulnerabilities are discovered, the list of packages would grow and hopefully would prevent some future attacks. Obviously it's not foolproof, but every little bit counts.
There has always been a rule for bug-fix and security updates:
Apply the minimum necessary change to solve the problem.
This means cherry-picking the mainline patches where possible, or back-porting them where modification is required for them to apply (and work as intended) on older releases.
Especially with older versions it often isn't possible to update to a later upstream release because that depends on later versions of other packages. The dependencies can rapidly multiply to affect tens or even hundreds of packages.
Ubuntu patches were prepared and released within 4 hours of the security team being aware of the vulnerability. Same goes for Debian.
OpenVPN doesn't require root. You can use your own server or find a trusted commercial provider. I recommend airvpn, https://airvpn.org/?referred_by=287899
I had my home wifi configured like that for a few years. AP without any security wired into network that was firewalled such that it only allowed ICMPv6 and OpenVPN. Sadly this worked ten years ago, but is completely unusable for various IoT-ish devices (for me, Wii was the device that made me switch to WPA2-PSK).
Edit: also at that time this was at least subjectively significantly easier to set up than wpa_supplicant ;)