Errata patches for expat have been released for OpenBSD 6.4 and 6.5. Libexpat 2.2.6 was affected by the heap overflow CVE-2019-15903.
Binary updates for the amd64, i386, and arm64 platforms are available via the syspatch utility. Source code patches can be found on the respective errata page: https://www.openbsd.org/errata64.html https://www.openbsd.org/errata65.html
