WPA2 KRACK Vulnerability - solved via 2.296 OTA update?

Sorry for crossposting: https://volumio.org/forum/wpa-vulnerability-krack-t7813.html,
but I do not see wpasupplicant updated after running the OTA update on 2 different RasPi systems.
Volumio ver 2.285 -> OTA update to ver 2.296

The wpasupplicant is still ver 2.3-1+deb8u4
(in my understanding the KRACK vulnerability was fixed in 2.3-1+deb8u5 for Jessie;
see: packages.debian.org/search?sear … ywords=wpa )

Did you manually install any package or upgrade?

Hi Michelangelo,
no manual install. I used the download to write a fresh 2.285 to each of the 2 SD cards 2 weeks ago. Nothing modified but enabling ssh via volumio/DEV and connecting my NAS via cifs.

Once I read about KRACK and learned the Volumio team published ver 2.296 solving the issue I just went to the web interface of my 1st RPI and did the upgrade.
Yesterday I did it the same way (with same result) on my 2nd system.
Both are connected via WLAN only, not via cable.
Hope this helps?
Tom

Seems ok for me:

volumio@volumio:~$ dpkg -l | grep wpasupplicant
ii  wpasupplicant  2.3-1+deb8u5  armhf  client support for WPA and WPA2 (IEEE 802.11i)

I flashed v2.296 and OTA updated to dev version v2.298

Did you notice the wpasupplicant version before updating to dev v2.298?
(I assume 2.3-1+deb8u5 was there before you did the dev upgrade via OTA?)

Nonetheless, when I read in the Volumio changelog that v2.296 contains a patch against the KRACK vulnerability (https://volumio.org/forum/changelog-t1575.html),
I understood an OTA update to v2.296 will do the job, with no need to reflash the SD card with v2.296.
Additionally, I understood the only way to patch this is to update the wpasupplicant package to 2.3-1+deb8u5.
My findings on 2 different RPI systems as well as your quote point to:
A reflash is needed to get rid of the KRACK issue, to get the updated wpasupplicant package?!
(But I am absolutely unsure and still wondering that no one else in this forum confirms or negates this with their own checks)

Tom
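
Added example, not part of the thread and not Volumio's own tooling: a shell check that takes a `dpkg -l` line like the one quoted above and compares the wpasupplicant version against 2.3-1+deb8u5, the Jessie build the thread names as fixed. The function names and output labels are assumptions made for this example, and the threshold only makes sense on a Jessie-based image.

```sh
#!/bin/sh
# Added example: compare a wpasupplicant package version with the Jessie
# build named in the thread as carrying the KRACK fix.
FIXED_VERSION='2.3-1+deb8u5'   # value taken from the thread (Debian Jessie only)

# version_ge A B: succeed when Debian version A is >= B.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        # Fallback for hosts without dpkg (assumes a sort with -V);
        # approximates Debian ordering and ignores epochs.
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
    fi
}

# classify_line LINE: LINE is one row of `dpkg -l` output
# (status, package, version, ...). Prints one label (names are hypothetical):
#   fixed | outdated | not-installed | other-package
classify_line() {
    read -r status name version _rest <<EOF
$1
EOF
    case "$name" in
        wpasupplicant|wpasupplicant:*) ;;          # allow multiarch suffix
        *) echo "other-package"; return 0 ;;
    esac
    # "ii" = desired state install, currently installed; "rc" etc. are not.
    [ "$status" = "ii" ] || { echo "not-installed"; return 0; }
    if version_ge "$version" "$FIXED_VERSION"; then
        echo "fixed"
    else
        echo "outdated"
    fi
}

# On a Debian-based system, classify the package that is actually installed.
if command -v dpkg-query >/dev/null 2>&1; then
    line=$(dpkg-query -W -f='${db:Status-Abbrev} ${Package} ${Version}\n' \
           wpasupplicant 2>/dev/null) || line=''
    if [ -n "$line" ]; then
        classify_line "$line"
    fi
fi
```

Running it over SSH before and after an OTA update shows whether the update replaced the package or left the version from the originally flashed image in place.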