diff -cr ssh-3.0.0/CHANGES ssh-3.0.1/CHANGES
*** ssh-3.0.0/CHANGES	Thu Jun  7 21:25:58 2001
--- ssh-3.0.1/CHANGES	Fri Jul 20 08:54:28 2001
***************
*** 1,3 ****
--- 1,13 ----
+ 2001-07-19  Graeme Ahokas  <gahokas@ssh.com>
+ 
+         * ssh-3.0.1.
+ 
+ 2001-07-19  Graeme Ahokas  <gahokas@ssh.com>
+ 
+         * Fixed security problem which allowed users access with
+           any password to an account whose encrypted password in
+           /etc/shadow is two characters long.
+ 
  2001-05-28  Sami J. Lehtinen  <sjl@ssh.com>
  
  	* ssh-3.0.0.
diff -cr ssh-3.0.0/NEWS ssh-3.0.1/NEWS
*** ssh-3.0.0/NEWS	Thu Jun  7 21:25:58 2001
--- ssh-3.0.1/NEWS	Thu Jul 19 23:21:07 2001
***************
*** 1,4 ****
! CHANGES IN SSH-3.0.0 INCOMPATIBLE WITH 2.4.0 AND OLDER VERSIONS
  ***************************************************************
  
  configure
--- 1,4 ----
! CHANGES IN SSH-3.0.1 INCOMPATIBLE WITH 2.4.0 AND OLDER VERSIONS
  ***************************************************************
  
  configure
diff -cr ssh-3.0.0/README ssh-3.0.1/README
*** ssh-3.0.0/README	Thu Jun  7 21:25:58 2001
--- ssh-3.0.1/README	Thu Jul 19 23:20:55 2001
***************
*** 1,10 ****
! SSH 3.0.0 README
  ================
  
          Timo J. Rinne <tri@ssh.com>
  	Sami Lehtinen <sjl@ssh.com>
  	Anne Carasik  <anne@ssh.com>
!         April 4, 2001.
  	
  	See the file LICENSE for licensing terms.
  
--- 1,10 ----
! SSH 3.0.1 README
  ================
  
          Timo J. Rinne <tri@ssh.com>
  	Sami Lehtinen <sjl@ssh.com>
  	Anne Carasik  <anne@ssh.com>
!         July 19, 2001.
  	
  	See the file LICENSE for licensing terms.
  
***************
*** 454,460 ****
  	   Note that you need to redirect also stderr (2) to stdout (1). 
  	   We need those warnings and errors to appear in the log too.
  
!         g) Version number of the Secure Shell release (e.g. 3.0.0) that
             you're using.
  
     See the template in the file BUG.REPORT .
--- 454,460 ----
  	   Note that you need to redirect also stderr (2) to stdout (1). 
  	   We need those warnings and errors to appear in the log too.
  
!         g) Version number of the Secure Shell release (e.g. 3.0.1) that
             you're using.
  
     See the template in the file BUG.REPORT .
diff -cr ssh-3.0.0/apps/ssh/ssh2version.h ssh-3.0.1/apps/ssh/ssh2version.h
*** ssh-3.0.0/apps/ssh/ssh2version.h	Thu Jun  7 21:26:04 2001
--- ssh-3.0.1/apps/ssh/ssh2version.h	Thu Jul 19 23:19:26 2001
***************
*** 1 ****
! #define SSH2_VERSION "3.0.0"
--- 1 ----
! #define SSH2_VERSION "3.0.1"
diff -cr ssh-3.0.0/lib/sshsession/sshunixuser.c ssh-3.0.1/lib/sshsession/sshunixuser.c
*** ssh-3.0.0/lib/sshsession/sshunixuser.c	Thu Jun  7 21:26:03 2001
--- ssh-3.0.1/lib/sshsession/sshunixuser.c	Fri Jul 20 00:01:49 2001
***************
*** 948,953 ****
--- 948,956 ----
    }
  #endif /* _AIX41 */
  
+   if (strlen(correct_passwd) < 13)
+     return FALSE;
+ 
    /* Authentication is accepted if the encrypted passwords are identical. */
    return strncmp(encrypted_password, correct_passwd,
                   strlen(correct_passwd)) == 0;