From this post: "The I2P vulnerability works on default, fully patched installation of Tails. No settings or configurations need to be changed for the exploit to work."
From https://tails.boum.org/security/Security_hole_in_I2P_0.9.13/... : "Tails does not start I2P by default. […] Still, an attacker who would also be able to start I2P on your Tails, either by exploiting another undisclosed security hole, or by tricking you into starting it yourself, could then use this I2P security hole to de-anonymize you."
So either there are two security holes (one amazing one that actually starts I2P, and one contained to I2P that finds your IP address once I2P has started), or they're exaggerating.