We just released (a)Smack 4.0.7. This is a bugfix only release.
It was found that the passed “hostname” argument to the configured HostnameVerifier in Smack 4.0 was server controllable, which could allow a malicious attacker to circumvention hostname verification. Hostname verification is disabled by default in Smack 4.0, but enabled by default in Smack 4.1. The faulty code was long ago removed in the Smack 4.1 branch, so most Smack 4.1 (pre-)releases are not affected.
As a reminder: The second release candidate of Smack 4.1 is available. Consider updating when possible, but please refer to the Smack 4.1 Readme and Upgrade Guide · igniterealtime/Smack Wiki · GitHub first.