Just a quick update for those living in Cygwin-land.
Cygwin was vulnerable to the shellshock vulnerability, and the subsequent vulnerabilities that have been found. Bash has experienced a series of updates, which would seem to indicate that the maintainers are keeping pace with the security patches as they are released.
PHP has been released in the Cygwin installer, meaning that you no longer have to install it from cygports. I’ll update my apache guide soon to include getting php operational.
UPDATE (2018): I later learned at Ruxcon 13 that multiple shellshock-like vulnerabilities were fuzzed out of bash using American Fuzzy Lop. If you’ve felt over the last few years that there seem to be a lot of bash updates, that’s probably one reason why.