Did you take a look at the relevant security advisory? You can see the fixed AireOS software versions within the "vulnerable products"paragraph.

Summarize
In case you have a 1800/2800/3800 access-points you have to wait for 8.2.170.0 / 8.3.131.0 or contact TAC for an escalation image. For the access-points based on IOS code (2600,3700 etc.) you can already go to 8.3.130.0. Cisco will also publish a fixed 8.0 release for customers with older access-point types like the 1242 (8.0.15x.0).

Keep in mind that the attacker needs to be able to perform MAC spoofing, which is something you should already monitor on as wireless network administrator with the help of wIPS. One exception is CVE-2017-13082 which hits 802.11r, the workaround for this specific CVE is to disable 802.11r. This is the only CVE for which the software on the infrastructure side needs to be really fixed, for all the other CVEs the end-point software need to be fixed. However, these CVEs can be mitigated within the software on the infrastructure side which is the what Cisco does with these releases.

I would stick to the regular software upgrade schedule/process for both the infrastructure and end-point side.

I did.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg10793

Known Fixed Releases:

Correct, there is 8.3.132.0 and again the information in the bug report is therefore incorrect/outdated, because the 8.3(130.6) release is still mentioned in there, but that is a TAC release only. The mentioned affected releases start at 8.2, but that is also not correct. The 802.11r functionality was introduced in 7.2, so all releases as of 7.2 are vulnerable. It is my first experience with bug reports and PSIRT, but to me it looks like Cisco was caught by surprise and has problems keeping different sources correct and up-to-date at the same time.

---

@Martin2m2 wrote:

Correct, there is 8.3.132.0 and again the information in the bug report is therefore incorrect/outdated, because the 8.3(130.6) release is still mentioned in there, but that is a TAC release only. The mentioned affected releases start at 8.2, but that is also not correct. The 802.11r functionality was introduced in 7.2, so all releases as of 7.2 are vulnerable. It is my first experience with bug reports and PSIRT, but to me it looks like Cisco was caught by surprise and has problems keeping different sources correct and up-to-date at the same time.

---

A quick update to anyone reading this thread and intending to upgrade to 8.3.132.0:
Cisco TAC has recommended anyone to HOLD OFF upgrading to 8.3.132.0. TAC has identified a Severity 1 bug which causes the controller to crash after upgrading to 8.3.132.0.
There are no reported issues in regards to other versions.

To summarize the current situation: stick with your current AireOS release, make sure to patch your clients ASAP and if you are really worried you can change the EAPoL key retry timers and disable 802.11r on your controller to mitigate all the CVE's.

So what now if you are a 8.3 customer?

The PSIRT notes this new bug: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa

NOTE: As of October 25, 2017, all published 8.3.13x.0 releases are impacted by Cisco bug ID CSCvf87731. Customers should work with their support provider to determine if this bug may impact their deployment and if they should postpone a software upgrade until a fix becomes available.

? When is "until a fix becomes available"?

The bug report is useless for 8.3 customers. The bug is listed as fixed without mentioning 8.3.132.0 as affected and without having a fix in a 8.3 release.

It leaves the big question: Will there be a 8.3.x fix to both the wifi WPA bug and this new bug? And when?

Based on the "TAC Recommended AireOS Builds" technote, a new version for both 8.2 and 8.3 will be published on CCO tomorrow.

Thanks for the help. Should I have known about this troubleshoot technote?

It maybe a good idea if Cisco updates the PSIRT and the bug report to mention this new information.