As mentioned in https://code.wildfiregames.com/D679?id=2703#inline-12860 there are four exploitable vulnerabilities in 2.9.4 that most likely are not applicable to 0AD,
but could be fixed preemptively by using a developmental snapshot instead of the latest release.
Afaics, these two commits fix those 4 CVEs CVE-2017-9050 CVE-2017-9049 CVE-2017-9048 CVE-2017-9047
https://git.gnome.org/browse/libxml2/commit/?id=e26630548e7d138d2c560844c43820b6767251e3
https://git.gnome.org/browse/libxml2/commit/?id=932cc9896ab41475d4aa429c27d9afd175959d74
Since 932cc9896ab41475d4aa429c27d9afd175959d74 is the more recent commit, so that snapshot contains both fixes. Confirm by checking for the presence of a new file added by both commits.