
8th chunk of `content/manuals/engine/release-notes/20.10.md`
before v0.11.0 are not able to detect the [Log4j 2 CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228).
We are shipping an updated version of `docker scan` in this release to help you
scan your images for this vulnerability.

> [!NOTE]
>
> The `docker scan` command on Linux is currently only supported on x86 platforms.
> We do not yet provide a package for other hardware architectures on Linux.

The `docker scan` feature is provided as a separate package and, depending on your
upgrade or installation method, `docker scan` may not be updated automatically to
the latest version. Use the instructions below to update `docker scan` to the latest
version. You can also use these instructions to install or upgrade the `docker scan`
package without upgrading the Docker Engine:

On `.deb`-based distributions, such as Ubuntu and Debian:

```console
$ apt-get update && apt-get install docker-scan-plugin
```

On rpm-based distributions, such as CentOS or Fedora:

```console
$ yum install docker-scan-plugin
```

After upgrading, verify you have the latest version of `docker scan` installed:

```console
$ docker scan --accept-license --version
Version:    v0.12.0
Git commit: 1074dd0
Provider:   Snyk (1.790.0 (standalone))
```
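
A scripted form of this check, as an added example that is not part of the Docker release notes: it parses the `Version:` line of the output shown above and fails when the installed `docker scan` is older than v0.11.0, the threshold the notes give for detecting CVE-2021-44228. The function names are hypothetical, and the second demo input is constructed.

```shell
#!/bin/sh
# Added example: gate on the docker scan version reported by
# `docker scan --accept-license --version`.
# Threshold from the notes: releases before v0.11.0 cannot detect CVE-2021-44228.
MIN_SCAN_VERSION="0.11.0"

# Output quoted in the release notes above, embedded so the script runs offline.
SAMPLE_OUTPUT='Version:    v0.12.0
Git commit: 1074dd0
Provider:   Snyk (1.790.0 (standalone))'

# Read version output on stdin; print X.Y.Z from the "Version:" line.
scan_version_from_output() {
    sed -n 's/^Version:[[:space:]]*v\{0,1\}\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*$/\1/p' | head -n 1
}

# Return 0 if X.Y.Z in $1 >= X.Y.Z in $2. Fields are compared as integers,
# so 0.9.0 sorts below 0.11.0 (a plain string comparison would get this wrong).
version_at_least() {
    old_ifs=$IFS; IFS=.
    set -- $1 $2        # now $1..$3 = candidate, $4..$6 = minimum
    IFS=$old_ifs
    [ "$1" -gt "$4" ] && return 0
    [ "$1" -lt "$4" ] && return 1
    [ "$2" -gt "$5" ] && return 0
    [ "$2" -lt "$5" ] && return 1
    [ "$3" -ge "$6" ]
}

# Read version output on stdin and print a verdict.
# Exit status: 0 = new enough, 1 = outdated, 2 = version not found.
check_scan_output() {
    found=$(scan_version_from_output)
    if [ -z "$found" ]; then
        echo "UNKNOWN: no Version line in output"
        return 2
    fi
    if version_at_least "$found" "$MIN_SCAN_VERSION"; then
        echo "OK: docker scan v$found"
    else
        echo "OUTDATED: docker scan v$found is older than v$MIN_SCAN_VERSION"
        return 1
    fi
}

# Demo on the embedded sample and on a constructed outdated output.
printf '%s\n' "$SAMPLE_OUTPUT" | check_scan_output
printf 'Version:    v0.9.3\n' | check_scan_output || true
# On a real host: docker scan --accept-license --version | check_scan_output
```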

[Read our blog post on CVE-2021-44228](https://www.docker.com/blog/apache-log4j-2-cve-2021-44228/)
to learn how to use the `docker scan` command to check if images are vulnerable.

### Packaging

- Update `docker scan` to [v0.12.0](https://github.com/docker/scan-cli-plugin/releases/tag/v0.12.0).
- Update `docker buildx` to [v0.7.1](https://github.com/docker/buildx/releases/tag/v0.7.1).
- Update Golang runtime to Go 1.16.12.


## 20.10.11
2021-11-17

> [!IMPORTANT]
>
> Due to [net/http changes](https://github.com/golang/go/issues/40909) in [Go 1.16](https://golang.org/doc/go1.16#net/http), HTTP proxies configured through the `$HTTP_PROXY` environment variable are no longer used for TLS (`https://`) connections. Make sure you also set an `$HTTPS_PROXY` environment variable for handling requests to `https://` URLs. Refer to [Configure the daemon to use a proxy](/manuals/engine/daemon/proxy.md) to learn how to configure the Docker Daemon to use a proxy server.


### Distribution

- Handle ambiguous OCI manifest parsing to mitigate [CVE-2021-41190](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41190) / [GHSA-mc8v-mgrf-8f4m](https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m).
  See [GHSA-xmmx-7jpf-fx42](https://github.com/moby/moby/security/advisories/GHSA-xmmx-7jpf-fx42) for details.

### Windows

- Fix panic.log file having read-only attribute set [moby/moby#42987](https://github.com/moby/moby/pull/42987).

### Packaging

- Update containerd to [v1.4.12](https://github.com/containerd/containerd/releases/tag/v1.4.12) to mitigate [CVE-2021-41190](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41190).
- Update Golang runtime to Go 1.16.10.


## 20.10.10
2021-10-25

> [!IMPORTANT]
>
> Due to [net/http changes](https://github.com/golang/go/issues/40909) in [Go 1.16](https://golang.org/doc/go1.16#net/http), HTTP proxies configured through the `$HTTP_PROXY` environment variable are no longer used for TLS (`https://`) connections. Make sure you also set an `$HTTPS_PROXY` environment variable for handling requests to `https://` URLs. Refer to the [HTTP/HTTPS proxy section](/manuals/engine/daemon/proxy.md) to learn how to configure the Docker Daemon to use a proxy server.


### Builder

- Fix platform-matching logic so that `docker build` finds images in the local
  image cache on Arm machines when using BuildKit [moby/moby#42954](https://github.com/moby/moby/pull/42954).

### Runtime

- Add support for `clone3` syscall in the default seccomp policy to support running
  containers based on recent versions of Fedora and Ubuntu [moby/moby#42836](https://github.com/moby/moby/pull/42836).
- Windows: update hcsshim library to fix a bug in sparse file handling in container

Title: Docker Engine Release Notes: 20.10.12, 20.10.11, and 20.10.10
Summary
This document summarizes the release notes for Docker Engine versions 20.10.12, 20.10.11, and 20.10.10. Version 20.10.12 includes updates to address the Log4j 2 CVE-2021-44228 vulnerability by updating docker scan to v0.12.0. Version 20.10.11 mitigates CVE-2021-41190 and includes a fix for a Windows panic.log file issue. Version 20.10.10 addresses issues with platform matching in docker build and adds support for the clone3 syscall in the default seccomp policy, along with a Windows sparse file handling bug fix. Notes on HTTP proxy configurations and instructions for updating docker scan are also provided.