http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0894 "MediaWiki before 1.9.2 allows remote attackers to obtain sensitive information via a direct request to (1) Simple.deps.php, (2) MonoBook.deps.php, (3) MySkin.deps.php, or (4) Chick.deps.php in wiki/skins, which shows the installation path in the resulting error message." 1.8.3 (current FE6) in the CVE entry is not listed as vulnerable, don't know if the omission is intentional. And whether installation path disclosure is an issue with Fedora packages can also be debated, reporting here just in case there's more to it.
Thanks for the heads-up (1.8.3 should be vulerable as well, it was probably forgotten in the list of vulnerable versions). Indeed for the package we aren't losing any more information than the attacker would already know (unless he doesn't even know he's attacking a Fedora server). For F7 upwards (and most possibly backporting to FC6/FC5) the code and data are being separated (code moves to %{_datadir}), so there won't be any direct requests possible at all. But this still needs some testing in F7/devel.
There is an update of mediawiki which among other fixes this. FC-5 and FC-6 will be updated to 1.8.4. F7 will be updated to 1.9.3. I'll close this bug once the packages make it to the master repo. Thanks!