NOTE: this only affects versions >=1.5.0 which are currently in ~arch. mediawiki-1.5.3 has been released on December 4th with a security fix: "Validation of the user language option was broken by a code change in May 2005, opening the possibility of remote code execution as this parameter is used in forming a class name dynamically created with eval()." Thanks, Max
Web-apps please bump.
*** Bug 114582 has been marked as a duplicate of this bug. ***
Fixed with comment on bug #114582