0.28.0 includes "Mbed TLS 3.6.2 branch released 2024-10-14", which itself is included in the premake-core-5.0.0-beta7 tarball inside 0ad.
CVE-2017-14032 was addressed in mbedtls 2.1.9. CVE-2019-16910 was addressed in mbedtls 2.19.0. Anyway, as noted in the upstream bug report: That said, premake5 is a build only dep and the embedded mbedtls won't end up in 0ad at all.
