I think the title on HN is a bit misleading. This issue applies to ALL languages and PHP has specific functions (since version 5.6) to avoid timing issues for you: hash_equals and password_verify. PHP is specifically trying to address poor authentication mechanisms by adding the (ingenious) password module to PHP's core.
It's misleading because it implies this is a unique problem scoped to PHP. That is factually incorrect and hence misleads any reader into assuming this article is about PHP's poor security against timing attacks.
It'd simply be nice if the scope of the discussion was about how all languages have more or less the same flaws. Anyone writing code with security in mind should understand how to avoid those flaws.
There are many ways to alleviate the problem specified in the pull request that may be better. PECL is one route that was mentioned on internals. Also, possibly just cache the hex value in memory and avoid the bin2hex conversion outright (with randomization of your cold cache times).
Edit: As an aside, I want to also greatly express that the requirement to attack the bin2hex vulnerability is so high that, for most cases, the attacker would require complete, private, 1-hop, uninterrupted access to a single target machine. Usually this implies the attack not being remote, but I do understand the mental exercise.
The second you say "install this PECL extension" people hop on the fast train to nopesville. That is the problem I ran into getting people to adopt libsodium :\
It's an extra dependency. Often, people don't even have php5-dev installed, so it's more than one step to get it done. (Even that first additional step is more work than people are willing to put forth!)
Especially since all this does is patch the behavior of one function. :|
And if you have PECL, you might as well go all the way and install libsodium.
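Added example, not part of the thread and not the code from the pull request being discussed: a sketch of the two mitigations the comments mention, comparing secrets with hash_equals on raw bytes so the secret itself never goes through bin2hex, and a hex encoder with no lookup table or value-dependent branch for cases where hex output is still needed. The function names and the sample secret are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: hex-encode using arithmetic only, so the operations
// performed per byte do not depend on the byte's value. The interpreter
// itself gives no constant-time guarantee; this only removes table lookups.
function hex_encode_branchless(string $bin): string
{
    $hex = '';
    $len = strlen($bin);
    for ($i = 0; $i < $len; ++$i) {
        $byte = ord($bin[$i]);
        $hi = $byte >> 4;
        $lo = $byte & 0x0f;
        // Nibble n < 10: (n - 10) >> 8 is -1, the mask yields -39, 87 + n - 39 = '0'..'9'.
        // Nibble n >= 10: the shift yields 0, 87 + n = 'a'..'f'.
        $hex .= chr(87 + $hi + ((($hi - 10) >> 8) & ~38));
        $hex .= chr(87 + $lo + ((($lo - 10) >> 8) & ~38));
    }
    return $hex;
}

// Hypothetical verifier: decode the untrusted input (not secret, so its
// decoding time reveals nothing) and compare raw bytes with hash_equals.
function verify_token(string $expectedRaw, string $suppliedHex): bool
{
    if (preg_match('/\A(?:[0-9a-fA-F]{2})+\z/', $suppliedHex) !== 1) {
        return false; // malformed input never reaches the comparison
    }
    return hash_equals($expectedRaw, hex2bin($suppliedHex));
}

// Constructed sample data for a self-check.
$secret = hash('sha256', 'constructed sample secret', true);
$allBytes = implode('', array_map('chr', range(0, 255)));

var_dump(hex_encode_branchless($allBytes) === bin2hex($allBytes));
var_dump(verify_token($secret, hex_encode_branchless($secret)));
var_dump(verify_token($secret, str_repeat('00', 32)));
var_dump(verify_token($secret, 'not-hex'));
```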