The version in the tarball still had T158689 not fixed. From what I understand, this is in the worst case a remote code execution vuln that is now public, so we should treat this urgently. To avoid confusion we should release a new tarball with a minor version bump.
I sent a warning to mediawiki-l and wikitech-l (https://lists.wikimedia.org/pipermail/mediawiki-l/2017-April/046524.html). Arguably an issue of this type deserves a warning to mediawiki-announcements, but I don't have send access to that mailing list.
Thanks for taking these actions, @Bawolff.
It looks like MediaWiki is not available in Debian 8, but it is included in the testing & unstable releases. Ubuntu, Fedora & Arch Linux also ship the wrong versions. I've informed them via their security contact emails. It is likely that this also affects other distros.
The details were already public when T158689: Parameters injection in SyntaxHighlight results in multiple vulnerabilities was made public (including my email address :( ), as it contains a copy of the advisory as an attachment, including a phpinfo() PoC.