From oss-security mailing list:
Hi. A few months ago the following bugs were reported in gajim and do
not yet have CVE-ID allocation:
1. https://trac.gajim.org/ticket/7031, 'Assisted' code
execution (if the user clicks a link)
2. https://trac.gajim.org/ticket/7034, SQL injection via jids
Note: these two issues are fixed in the latest gajim release.
 http://gajim.org/ - "Gajim 0.15 is here! (18 March 2012)"
Is it ready to go to stable?
I'd say to do it in bug 412215
0.15 can go stable, no problems here.
Creating new GLSA request.
This issue was resolved and addressed in
GLSA 201208-04 at http://security.gentoo.org/glsa/glsa-201208-04.xml
by GLSA coordinator Sean Amoss (ackle).
The exec_command function in common/helpers.py in Gajim before 0.15 allows
user-assisted remote attackers to execute arbitrary commands via shell
metacharacters in an href attribute.
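
The class of flaw named in the CVE description above, shown as an added example (not Gajim's code and not part of the original thread): an href pasted into a shell-parsed string next to a hardened form that validates it and keeps it as a single argv element. The opener name `xdg-open`, the scheme allow-list, the function names and the sample href are assumptions made for illustration.

```python
import shlex
from urllib.parse import urlsplit

# Assumed allow-list of link schemes a chat client would hand to an opener.
ALLOWED_SCHEMES = {"http", "https", "mailto", "xmpp"}

# Constructed sample: an href whose path carries a shell control operator.
SAMPLE_HREF = "http://example.test/a;echo INJECTED"


def legacy_command_line(opener, href):
    """Flawed pattern: the href is pasted into a string that a shell will parse."""
    return "%s %s" % (opener, href)


def shell_tokens(command_line):
    """Split the way a POSIX shell separates control operators; runs nothing."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def safe_argv(opener, href):
    """Hardened pattern: validate the href, then keep it as one argv element."""
    scheme = urlsplit(href).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed: %r" % scheme)
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in href):
        raise ValueError("control character in href")
    # Hand this list to subprocess.Popen(argv) with the default shell=False.
    return [opener, href]


if __name__ == "__main__":
    print(shell_tokens(legacy_command_line("xdg-open", SAMPLE_HREF)))
    print(safe_argv("xdg-open", SAMPLE_HREF))
```

In the legacy form the `;` ends the opener's command and the rest of the href becomes a second command; in the hardened form the whole href reaches the opener as one argument and no shell ever parses it.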