OpenBSD - Only *two* remote holes in the default install, in more than 10 years!

Posted by Jonathan

Yes, there is now a second remote hole in OpenBSD. In the last 10 years there was only one; yesterday Theo de Raadt posted the second one (discovered by Core Security Technologies) to misc@openbsd.org. The vulnerability involves an mbuf remote kernel buffer overflow in the IPv6 code.

So you should patch immediately if you use IPv6, or disable it through PF (as IPv6 is enabled by default):

block in inet6 
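
PF evaluates rules top to bottom and the last matching rule wins unless a rule is marked quick, so a later pass rule can silently undo this block. The following check is an added example, not part of the original post: the function name inet6_in_blocked is hypothetical, and it is a conservative heuristic over the expanded ruleset text printed by pfctl -sr (anchors and tables are not followed).

```shell
#!/bin/sh
# Added example (not from the original post): heuristic check that an
# unrestricted inbound IPv6 block is the rule that decides, given PF's
# last-match-wins evaluation. Reads ruleset text on stdin, in the form
# printed by `pfctl -sr`. Exit status 0 = blocked, 1 = not blocked.
# Usage on a live system: pfctl -sr | inet6_in_blocked && echo blocked
inet6_in_blocked() {
    awk '
    # Only filter rules decide; this also skips blanks, comments, scrub, anchors.
    $1 != "block" && $1 != "pass" { next }
    {
        dir = "any"; af = "any"; quick = 0; narrow = 0
        for (i = 2; i <= NF; i++) {
            if ($i == "in" || $i == "out") dir = $i
            else if ($i == "inet" || $i == "inet6") af = $i
            else if ($i == "quick") quick = 1
            else if ($i == "on" || $i == "proto" || $i == "from" || $i == "to") narrow = 1
        }
        # Outbound-only and IPv4-only rules can never match inbound IPv6.
        if (dir == "out" || af == "inet") next
        if ($1 == "pass") {
            # Conservative: any pass that may match inbound IPv6 reopens it.
            state = "open"
        } else if (!narrow) {
            # Block with no interface/protocol/address limits covers everything.
            state = "blocked"
        } else {
            next        # a narrow block does not decide for all traffic
        }
        if (quick) exit # quick stops evaluation at this rule
    }
    # With no matching rule PF passes by default, so empty state means open.
    END { exit (state == "blocked" ? 0 : 1) }
    '
}
```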

Apart from that, the upcoming 4.1 release (“Puffy Baba & the 40 Vendors”) is available for pre-order.
