Today we released moregroupware 0.6.8. It does (as already announced) *not* completely fix the security issues that have been published.
But direct access to files stored in the files module is no longer possible when using Apache, an appropriate .htaccess file is created automatically (as already used to be in webmail2).
The impact of possible cross-site scripting attacks to hijack a session is lowered by the fact that a session by default bound to the originating IP.
Anyway, this release is mainly an interim bug fix release, and should by used with the mentioned restrictions in mind. We would be happy to get some feedback, though, especially on the new calendar2 module. Give it a try.
The next release is scheduled in about 4 weeks (earlier if possible), and it will contain fixes for the remaining security problems.
Thanks for using more.groupware!