Saw this on Freshmeat today:

About: [some open source project] is a real-time collaboration (RTC) server. It uses the only widely adopted open protocol for instant messaging, XMPP (also called Jabber). [some open source project] is incredibly easy to set up and administer, but offers rock-solid security and performance.

Changes [in the new version]: A security flaw allowed authentication to be bypassed, allowing arbitrary code execution. This was fixed. JDBC and JID optimizations were done.

(Emphasis mine).

Wait, really? Rock-solid security != arbitrary code execution, last time I checked.