Several php-specific issues were called out in,
- libraries using phpecc are vulnerable to timing attacks with ecdsa signatures (we're not using them, afair), but should probably verify that across all extensions
- They critique a common implementation of hash_equals, which I think we use, showing that you need to use mb_strlen. Check if that applies to us
- They make vague allegations against php-gpg. We should look into those with @Tgr.