Number two has been discovered! Their main page now reads:

Only two remote holes in the default install, in more than 10 years!

According to Core it seems like you have to be on the same network or on IPv6 to exploit the hole, so the slow adoption of IPv6 actually works in their favor to mitigate the risk. A patch has been released already and there is also a workaround.