The more severe of the two errors is that the functions
that support client-to-server character set conversion
can be called from SQL commands by unprivileged users,
but these functions are not designed to be safe against
malicious choices of argument values. This problem exists
in PostgreSQL 7.3.* through 8.0.*. The recommended fix is
to disable public EXECUTE access for these functions. This
does not affect normal usage of the functions for character
set conversion, but it will prevent misuse.
The other error is that the contrib/tsearch2 module
misdeclares several functions as returning type "internal"
when they do not have any "internal" argument. This breaks
the type safety of "internal" by allowing users to
construct SQL commands that invoke other functions accepting
"internal" arguments. The consequences of this have not been
investigated in detail, but it is certainly at least possible
to crash the backend.