We've have had and continue to receive reports based on a bugtraq email submitted by the "howdark.com" group. Please do not report these issues to us, not by PM, email nor via our security tracker.
The two "sql injection" issues are not sql injection issues, nothing can be done with them at all due to type casting (strings are forced to an integer type). The group admit this themselves but persist in claiming they are sql injection issues. The "solution" they give contains semantically incorrect SQL (you do not enclose values for integer field types in quotes).