diff --git a/CHANGES b/CHANGES
index 6e4b211418..e3d20b84b6 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,23 @@
 
+2.1-397 | 2013-04-29 21:19:00 -0700
+
+  * Fixing memory leaks in CompHash implementation. Addresses #987.
+    (Robin Sommer)
+
+2.1-394 | 2013-04-27 15:02:31 -0700
+
+  * Fixed a bug in the vulnerable software script and added a test.
+    (Seth Hall)
+
+  * Fix schedule statements used outside event handlers. Addresses
+    #974. (Jon Siwek)
+
+  * Fix record coercion for default inner record fields. Addresses
+    #973. (Jon Siwek)
+
+  * Add bytestring_to_count function to bro.bif. Addresses #968. (Yun
+    Zheng Hu)
+
 2.1-386 | 2013-03-22 12:41:50 -0700
 
   * Added reverse() function to strings.bif. (Yun Zheng Hu)
diff --git a/VERSION b/VERSION
index 95253817be..4809e9f2e9 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.1-386
+2.1-397
diff --git a/aux/binpac b/aux/binpac
index 72d121ade5..a4b8dd0b69 160000
--- a/aux/binpac
+++ b/aux/binpac
@@ -1 +1 @@
-Subproject commit 72d121ade5a37df83d3252646de51cb77ce69a89
+Subproject commit a4b8dd0b691c3f614537ad8471fc80a82ce7b2df
diff --git a/aux/broctl b/aux/broctl
index 2b35d03313..786b83664c 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit 2b35d0331366865fbf0119919cc9692d55c4538c
+Subproject commit 786b83664c6a15faeb153d118310526b7790deae
diff --git a/scripts/policy/frameworks/software/vulnerable.bro b/scripts/policy/frameworks/software/vulnerable.bro
index aedb309dba..47c64885f5 100644
--- a/scripts/policy/frameworks/software/vulnerable.bro
+++ b/scripts/policy/frameworks/software/vulnerable.bro
@@ -43,15 +43,6 @@ export {
 
 global internal_vulnerable_versions: table[string] of set[VulnerableVersionRange] = table();
 
-event Control::configuration_update()
-	{
-	internal_vulnerable_versions = table();
-
-	# Copy the const vulnerable versions into the global modifiable one.
-	for ( sw in vulnerable_versions )
-		internal_vulnerable_versions[sw] = vulnerable_versions[sw];
-	}
-
 function decode_vulnerable_version_range(vuln_sw: string): VulnerableVersionRange
 	{
 	# Create a max value with a dunce value only because the $max field
@@ -115,11 +106,27 @@ event grab_vulnerable_versions(i: count)
 		}
 	}
 
-event bro_init()
+function update_vulnerable_sw()
 	{
+	internal_vulnerable_versions = table();
+
+	# Copy the const vulnerable versions into the global modifiable one.
+	for ( sw in vulnerable_versions )
+		internal_vulnerable_versions[sw] = vulnerable_versions[sw];
+
 	event grab_vulnerable_versions(1);
 	}
 
+event bro_init() &priority=3
+	{
+	update_vulnerable_sw();
+	}
+
+event Control::configuration_update() &priority=3
+	{
+	update_vulnerable_sw();
+	}
+
 event log_software(rec: Info)
 	{
 	if ( rec$name !in internal_vulnerable_versions )
diff --git a/src/CompHash.cc b/src/CompHash.cc
index 05d3e515d2..e793a104e0 100644
--- a/src/CompHash.cc
+++ b/src/CompHash.cc
@@ -77,7 +77,7 @@ char* CompositeHash::SingleValHash(int type_check, char* kp0,
 		*kp = ( v ? 1 : 0);
 		kp0 = reinterpret_cast<char*>(kp+1);
 
-		if ( ! v ) 
+		if ( ! v )
 			return kp0;
 		}
 
@@ -181,16 +181,24 @@ char* CompositeHash::SingleValHash(int type_check, char* kp0,
 				Val* key = lv->Index(i);
 				if ( ! (kp1 = SingleValHash(type_check, kp1, key->Type(), key,
 				                            false)) )
+					{
+					Unref(lv);
 					return 0;
+					}
 
 				if ( ! v->Type()->IsSet() )
 					{
 					Val* val = tv->Lookup(key);
 					if ( ! (kp1 = SingleValHash(type_check, kp1, val->Type(),
 								    val, false)) )
+						{
+						Unref(lv);
 						return 0;
+						}
 					}
 				}
+
+			Unref(lv);
 			}
 			break;
 
@@ -454,16 +462,27 @@ int CompositeHash::SingleTypeKeySize(BroType* bt, const Val* v,
 				Val* key = lv->Index(i);
 				sz = SingleTypeKeySize(key->Type(), key, type_check, sz, false,
 				                       calc_static_size);
-				if ( ! sz ) return 0;
+				if ( ! sz )
+					{
+					Unref(lv);
+					return 0;
+					}
+
 				if ( ! bt->IsSet() )
 					{
 					Val* val = tv->Lookup(key);
 					sz = SingleTypeKeySize(val->Type(), val, type_check, sz,
 					                       false, calc_static_size);
-					if ( ! sz ) return 0;
+					if ( ! sz )
+						{
+						Unref(lv);
+						return 0;
+						}
 					}
 				}
 
+			Unref(lv);
+
 			break;
 			}
 
@@ -830,7 +849,10 @@ const char* CompositeHash::RecoverOneVal(const HashKey* k, const char* kp0,
 				}
 
 			for ( int i = 0; i < n; ++i )
+				{
 				tv->Assign(keys[i], t->IsSet() ? 0 : values[i]);
+				Unref(keys[i]);
+				}
 
 			pval = tv;
 			}
diff --git a/testing/btest/Baseline/scripts.policy.frameworks.software.vulnerable/notice.log b/testing/btest/Baseline/scripts.policy.frameworks.software.vulnerable/notice.log
new file mode 100644
index 0000000000..21b5342a13
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.frameworks.software.vulnerable/notice.log
@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	notice
+#open	2013-04-25-18-55-26
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude	metric_index.host	metric_index.str	metric_index.network
+#types	time	string	addr	port	addr	port	enum	enum	string	string	addr	addr	port	count	string	table[enum]	interval	bool	string	string	string	double	double	addr	string	subnet
+1366916126.685057	-	-	-	-	-	-	Software::Vulnerable_Version	1.2.3.4 is running Java 1.7.0.15 which is vulnerable.	Java 1.7.0.15	1.2.3.4	-	-	-	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-	-	-	-
+1366916126.685057	-	-	-	-	-	-	Software::Vulnerable_Version	1.2.3.5 is running Java 1.6.0.43 which is vulnerable.	Java 1.6.0.43	1.2.3.5	-	-	-	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-	-	-	-
+#close	2013-04-25-18-55-26
diff --git a/testing/btest/scripts/policy/frameworks/software/vulnerable.bro b/testing/btest/scripts/policy/frameworks/software/vulnerable.bro
new file mode 100644
index 0000000000..2ea7009a21
--- /dev/null
+++ b/testing/btest/scripts/policy/frameworks/software/vulnerable.bro
@@ -0,0 +1,23 @@
+# @TEST-EXEC: bro %INPUT
+# @TEST-EXEC: btest-diff notice.log
+
+@load frameworks/software/vulnerable
+
+redef Software::asset_tracking = ALL_HOSTS;
+
+global java_1_6_vuln: Software::VulnerableVersionRange = [$max=[$major=1,$minor=6,$minor2=0,$minor3=43]];
+global java_1_7_vuln: Software::VulnerableVersionRange = [$min=[$major=1,$minor=7], $max=[$major=1,$minor=7,$minor2=0,$minor3=20]];
+redef Software::vulnerable_versions += {
+        ["Java"] = set(java_1_6_vuln, java_1_7_vuln)
+};
+
+event bro_init()
+	{
+	Software::found([$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=4.3.2.1, $resp_p=80/tcp], 
+	                [$name="Java", $host=1.2.3.4, $version=[$major=1, $minor=7, $minor2=0, $minor3=15]]);
+	Software::found([$orig_h=1.2.3.5, $orig_p=1234/tcp, $resp_h=4.3.2.1, $resp_p=80/tcp], 
+	                [$name="Java", $host=1.2.3.5, $version=[$major=1, $minor=6, $minor2=0, $minor3=43]]);
+	Software::found([$orig_h=1.2.3.6, $orig_p=1234/tcp, $resp_h=4.3.2.1, $resp_p=80/tcp], 
+	                [$name="Java", $host=1.2.3.6, $version=[$major=1, $minor=6, $minor2=0, $minor3=50]]);
+
+	}