diff --git a/README.md b/README.md
index f333e8623c..e555ffae3d 100644
--- a/README.md
+++ b/README.md
@@ -3,7 +3,7 @@ Arduino core for ESP8266 WiFi chip
 
 # Quick links
 
-- [Latest release documentation](https://arduino-esp8266.readthedocs.io/en/2.7.3/)
+- [Latest release documentation](https://arduino-esp8266.readthedocs.io/en/2.7.4/)
 - [Current "git version" documentation](https://arduino-esp8266.readthedocs.io/en/latest/)
 - [Install git version](https://arduino-esp8266.readthedocs.io/en/latest/installing.html#using-git-version) ([sources](doc/installing.rst#using-git-version))
 
@@ -36,7 +36,7 @@ Starting with 1.6.4, Arduino allows installation of third-party platform package
 #### Latest release [![Latest release](https://img.shields.io/github/release/esp8266/Arduino.svg)](https://github.com/esp8266/Arduino/releases/latest/)
 Boards manager link: `https://arduino.esp8266.com/stable/package_esp8266com_index.json`
 
-Documentation: [https://arduino-esp8266.readthedocs.io/en/2.7.3/](https://arduino-esp8266.readthedocs.io/en/2.7.3/)
+Documentation: [https://arduino-esp8266.readthedocs.io/en/2.7.4/](https://arduino-esp8266.readthedocs.io/en/2.7.4/)
 
 ### Using git version
 [![Linux build status](https://travis-ci.org/esp8266/Arduino.svg)](https://travis-ci.org/esp8266/Arduino)
diff --git a/cores/esp8266/Esp.cpp b/cores/esp8266/Esp.cpp
index 1127eef80e..80d969e40c 100644
--- a/cores/esp8266/Esp.cpp
+++ b/cores/esp8266/Esp.cpp
@@ -697,15 +697,16 @@ static SpiFlashOpResult spi_flash_write_puya(uint32_t offset, uint32_t *data, si
         } else {
             bytesLeft = 0;
         }
-        rc = spi_flash_read(pos, flash_write_puya_buf, bytesNow);
+        size_t bytesAligned = (bytesNow + 3) & ~3;
+        rc = spi_flash_read(pos, flash_write_puya_buf, bytesAligned);
         if (rc != SPI_FLASH_RESULT_OK) {
             return rc;
         }
-        for (size_t i = 0; i < bytesNow / 4; ++i) {
+        for (size_t i = 0; i < bytesAligned / 4; ++i) {
             flash_write_puya_buf[i] &= *ptr;
             ++ptr;
         }
-        rc = spi_flash_write(pos, flash_write_puya_buf, bytesNow);
+        rc = spi_flash_write(pos, flash_write_puya_buf, bytesAligned);
         pos += bytesNow;
     }
     return rc;
diff --git a/cores/esp8266/Updater.cpp b/cores/esp8266/Updater.cpp
index 351a57746b..03bc5c3f8f 100644
--- a/cores/esp8266/Updater.cpp
+++ b/cores/esp8266/Updater.cpp
@@ -35,6 +35,7 @@ UpdaterClass::UpdaterClass()
 , _startAddress(0)
 , _currentAddress(0)
 , _command(U_FLASH)
+, _ledPin(-1)
 , _hash(nullptr)
 , _verify(nullptr)
 , _progress_callback(nullptr)
diff --git a/cores/esp8266/heap.cpp b/cores/esp8266/heap.cpp
index 2001579ef0..3f549716f4 100644
--- a/cores/esp8266/heap.cpp
+++ b/cores/esp8266/heap.cpp
@@ -164,7 +164,7 @@ void ICACHE_RAM_ATTR print_loc(size_t size, const char* file, int line)
         if (inISR && (uint32_t)file >= 0x40200000) {
             DEBUG_HEAP_PRINTF("File: %p", file);
         } else if (!inISR && (uint32_t)file >= 0x40200000) {
-            char buf[ets_strlen(file)] __attribute__ ((aligned(4)));
+            char buf[ets_strlen(file) + 1] __attribute__((aligned(4)));
             ets_strcpy(buf, file);
             DEBUG_HEAP_PRINTF(buf);
         } else {
diff --git a/cores/esp8266/umm_malloc/umm_local.c b/cores/esp8266/umm_malloc/umm_local.c
index 8f83f4b4ac..392ef13c8f 100644
--- a/cores/esp8266/umm_malloc/umm_local.c
+++ b/cores/esp8266/umm_malloc/umm_local.c
@@ -206,7 +206,7 @@ int ICACHE_FLASH_ATTR umm_info_safe_printf_P(const char *fmt, ...) {
       the PROGMEM address must be word (4 bytes) aligned. The destination
       address for ets_memcpy must also be word-aligned.
     */
-    char ram_buf[ets_strlen(fmt)] __attribute__ ((aligned(4)));
+    char ram_buf[ets_strlen(fmt) + 1] __attribute__((aligned(4)));
     ets_strcpy(ram_buf, fmt);
     va_list argPtr;
     va_start(argPtr, fmt);
diff --git a/libraries/ESP8266WiFi/src/ESP8266WiFiGeneric.cpp b/libraries/ESP8266WiFi/src/ESP8266WiFiGeneric.cpp
index 41d771fb6a..2a5f96cb5d 100644
--- a/libraries/ESP8266WiFi/src/ESP8266WiFiGeneric.cpp
+++ b/libraries/ESP8266WiFi/src/ESP8266WiFiGeneric.cpp
@@ -233,6 +233,16 @@ void ESP8266WiFiGenericClass::_eventCallback(void* arg)
         WiFiClient::stopAll();
     }
 
+    if (event->event == EVENT_STAMODE_AUTHMODE_CHANGE) {
+        auto& src = event->event_info.auth_change;
+        if ((src.old_mode != AUTH_OPEN) && (src.new_mode == AUTH_OPEN)) {
+            // CVE-2020-12638 workaround.  When we get a change to AUTH_OPEN from any other mode, drop the WiFi link because it's a downgrade attack
+            // TODO - When upgrading to 3.x.x with fix, remove this code
+            DEBUG_WIFI("WIFI_EVENT_STAMODE_AUTHMODE_CHANGE from encrypted(%d) to AUTH_OPEN, potential downgrade attack. Reconnecting WiFi. See CVE-2020-12638 for more details\n", src.old_mode);
+            WiFi.reconnect();  // Disconnects from STA and then reconnects
+        }
+    }
+
     for(auto it = std::begin(sCbEventList); it != std::end(sCbEventList); ) {
         WiFiEventHandler &handler = *it;
         if (handler->canExpire() && handler.unique()) {
diff --git a/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.cpp b/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.cpp
index 89621b3671..c94ac79e0f 100644
--- a/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.cpp
+++ b/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.cpp
@@ -105,6 +105,9 @@ WiFiClientSecure::WiFiClientSecure() : WiFiClient() {
   _clear();
   _clearAuthenticationSettings();
   _certStore = nullptr; // Don't want to remove cert store on a clear, should be long lived
+  _sk = nullptr;
+  _axtls_chain = nullptr;
+  _axtls_sk = nullptr;
   stack_thunk_add_ref();
 }
 
diff --git a/package.json b/package.json
index 235db02b9c..0d4b2bf2ff 100644
--- a/package.json
+++ b/package.json
@@ -2,5 +2,5 @@
     "name": "framework-arduinoespressif8266",
     "description": "Arduino Wiring-based Framework (ESP8266 Core)",
     "url": "https://github.com/esp8266/Arduino",
-    "version": "2.7.3"
+    "version": "2.7.4"
 }
diff --git a/package/build_boards_manager_package.sh b/package/build_boards_manager_package.sh
index 372fa2c63f..60a70cd01d 100755
--- a/package/build_boards_manager_package.sh
+++ b/package/build_boards_manager_package.sh
@@ -2,6 +2,15 @@
 
 #set -x
 
+if true; then
+
+# hand made
+ver=2.7.4
+visiblever=${ver}
+plain_ver=${ver}
+
+else
+
 ver=`git describe --tag`
 visiblever=$ver
 # match 0.0.*
@@ -29,6 +38,7 @@ else
     fi
     visiblever=$ver
 fi
+fi
 
 set -e
 
diff --git a/platform.txt b/platform.txt
index 2f0e8cb14a..ea45559251 100644
--- a/platform.txt
+++ b/platform.txt
@@ -5,8 +5,8 @@
 # For more info:
 # https://github.com/arduino/Arduino/wiki/Arduino-IDE-1.5-3rd-party-Hardware-specification
 
-name=ESP8266 Boards (2.7.3)
-version=2.7.3
+name=ESP8266 Boards (2.7.4)
+version=2.7.4
 
 # These will be removed by the packager script when doing a JSON release
 runtime.tools.xtensa-lx106-elf-gcc.path={runtime.platform.path}/tools/xtensa-lx106-elf