Just a quick update for those living in Cygwin-land.
Cygwin was vulnerable to the shellshock vulnerability, and the subsequent vulnerabilities that have been found. Bash has experienced a series of updates, which would seem to indicate that the maintainers are keeping pace with the security patches as they are released.
PHP has been released in the Cygwin installer, meaning that you no longer have to install it from cygports. I’ll update my apache guide soon to include getting php operational.