As #OpenBSD's de-facto wifi maintainer, I first learned about this WPA problem in June. A simple patch was provided which I could commit with slight modifications.
The original embargo was already 2 months long, and then extended again for 2 months.
The generall public (you) were left in the dark about this for at least 4 months.
This is a very sad state of affairs. It takes the industry much too long to apply a simple patch.