Hello everyone.
Unfortunately there's been a mistake in generating the 1.28.1 and 1.27.2 tarball releases, where the wrong version of SyntaxHighlight_GeSHi extension was included. The version of this extension that was included has publically known severe security issues in it.
Until such a time as a new release is issued (which will hopefully be soon) I reccomend that people either disable that extension or download a new version from https://www.mediawiki.org/wiki/Special:ExtensionDistributor/SyntaxHighlight_... . The version of this extension in git, or from extension distributor is fine. Only the version in the most recent tarball is wrong. The rest of the release is also fine. The 1.23.16 and 1.23.17 release was not affected by this issue.
Sorry for the confusion, -- Brian
mediawiki-l@lists.wikimedia.org