Ideally, all services in ClearOS need to have SSLv3 disabled, so we'll be putting together some documentation on this topic. Unfortunately, that only makes things a tiny bit better since it won't stop an attacker from doing a man-in-the-middle attack. The real solution is to fix client-side software (browsers, mail clients, etc.) to make sure these do not attempt using an older protocol like SSLv3.
The roundcubemail upgrade is probably a nasty one, but that's just a guess. Most of the others (GeoIP, openvpn, pptpd, imapsync) are bleeding edge, but are likely just fine. These EPEL RPMs are automatically pushed to the clearos-test repository. We then push them through the usual updates-testing -> updates workflow for some sanity checking and QA.
We're still waiting on upstream. I have a feeling Red Hat decided to skip their usual 6-month minor release schedule due to the release of RHEL 7. RHEL 6.5 was released in November 2013, so we were expecting RHEL 6.6 in May. That didn't happen.