The AF_PACKET local privilege escalation (also known as CVE-2016-8655) has been fixed by most distributions at this point; stable kernels addressing the problem were released on December 10. But, as a discussion on the fedora-devel mailing list shows, systemd now provides options that could help mitigate CVE-2016-8655 and, more importantly, other vulnerabilities that remain undiscovered or have yet to be introduced. The genesis for the discussion was a blog post from Lennart Poettering about the RestrictAddressFamilies directive, but recent systemd versions have other sandboxing features that could be used to head off the next vulnerability.
Debian-LTS has updated dcmtk (buffer overflows/underflows).
Red Hat has updated gstreamer-plugins-bad-free (RHEL6: code execution), gstreamer-plugins-good (RHEL6: multiple vulnerabilities), thunderbird (RHEL5,6,7: multiple vulnerabilities), and vim (RHEL6,7: code execution).
Scientific Linux has updated gstreamer-plugins-bad-free (SL6: code execution), gstreamer-plugins-good (SL6: multiple vulnerabilities), thunderbird (SL5,6,7: multiple vulnerabilities), and vim (SL6,7: code execution).
SUSE has updated kernel (SLE11-SP4: two vulnerabilities).
Ubuntu has updated kernel (16.10; 16.04; 14.04; 12.04: multiple vulnerabilities), linux-lts-trusty (12.04: two vulnerabilities), linux-lts-xenial (14.04: multiple vulnerabilities), linux-raspi2 (16.10; 16.04: multiple vulnerabilities), linux-snapdragon (16.04: multiple vulnerabilities), and linux-ti-omap4 (12.04: information leak).