diff --git a/sdk_container/src/third_party/portage-stable/dev-lang/go/Manifest b/sdk_container/src/third_party/portage-stable/dev-lang/go/Manifest
index a1ee0e150e..54880538a2 100644
--- a/sdk_container/src/third_party/portage-stable/dev-lang/go/Manifest
+++ b/sdk_container/src/third_party/portage-stable/dev-lang/go/Manifest
@@ -1,2 +1,2 @@
-DIST go1.24.7.src.tar.gz 30794506 BLAKE2B 850ffc97c83843c83d4dfb672dbe18c16b6feda5b76b70213241d583b5ef6c2c8d0bf532e15fa58cb4fceaaf1f66b52166d3badfc294ebecd1076ddd9c7a572e SHA512 656bb879244ba888af18b6e609fb2c4bc067b919827b9026c3ee44b3e2d0c7bffde262945de989880066196846b669c215da2e8c5d9adfb8491bb5d52af0d49a
-DIST go1.25.1.src.tar.gz 31974863 BLAKE2B a9f0d27a292b8197ed2307bcfe90af0adccaa1e0e8de0d59df5b65f57ac7dd2cbaee1905401f81af994934fa83070e42c24ff6090affe56461198e89457842c7 SHA512 e77ae799a0dcd4ded40a196c3645da5b7e808e417831d2c5441387b0fd0ed5f946b678305294c52fda0a258889225c24c6073bb0973c3531ba4aa107b6afe849
+DIST go1.24.9.src.tar.gz 30800154 BLAKE2B 30e5ea7dac441a94bd023e152075651583b697c555da73e1581b6eef3dfdee0f7c30a774b8e9704940af60c43e97c8e8ba89b9e84d672a4805b5c969a4140ee8 SHA512 f553a6bdafa9e59d33756c99f6180dcb7e51762733f300488cdab1d42b918e0fff87fa42d714a6b667e039dd22e1ea14ef5f6e3eb1c9c215ff620d559a5c091a
+DIST go1.25.3.src.tar.gz 31980799 BLAKE2B 4119c93544545b3e30b93ce4e1e9420447f7c9f8c68f9ef9debc8359028225e875e976aad91e390e3f0c7e5747d68d1e070280bd8376a56bd83c1894d68e6427 SHA512 91d32bbff864c06b5ee7b914d3d95c59462352a4c395adba85eaab72704a8aa4d19ac2a361ed64774dce3c8e01a8d4feadf1a788814f6d7b4072a3bdfefbb3b4
diff --git a/sdk_container/src/third_party/portage-stable/dev-lang/go/files/go-1.24.9-ipv6-validation.patch b/sdk_container/src/third_party/portage-stable/dev-lang/go/files/go-1.24.9-ipv6-validation.patch
new file mode 100644
index 0000000000..f9db3f7ee8
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/dev-lang/go/files/go-1.24.9-ipv6-validation.patch
@@ -0,0 +1,86 @@
+From e02a9d02d0181394e243cbc3b356e86896a78e2c Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <roland@golang.org>
+Date: Wed, 08 Oct 2025 17:13:12 -0700
+Subject: [PATCH] [release-branch.go1.24] net/url: allow IP-literals with IPv4-mapped IPv6 addresses
+
+The security fix we applied in CL709857 was overly broad. It applied
+rules from RFC 2732, which disallowed IPv4-mapped IPv6 addresses, but
+these were later allowed in RFC 3986, which is the canonical URI syntax
+RFC.
+
+Revert the portion of CL709857 which restricted IPv4-mapped addresses,
+and update the related tests.
+
+Updates #75815
+Fixes #75831
+
+Change-Id: I3192f2275ad5c386f5c15006a6716bdb5282919d
+Reviewed-on: https://go-review.googlesource.com/c/go/+/710375
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Reviewed-by: Ethan Lee <ethanalee@google.com>
+Auto-Submit: Roland Shoemaker <roland@golang.org>
+(cherry picked from commit 9db7e30bb42eed9912f5e7e9e3959f3b38879d5b)
+---
+
+diff --git a/src/net/url/url.go b/src/net/url/url.go
+index c686239..1d9c1cd 100644
+--- a/src/net/url/url.go
++++ b/src/net/url/url.go
+@@ -670,13 +670,13 @@
+ 
+ 		// Per RFC 3986, only a host identified by a valid
+ 		// IPv6 address can be enclosed by square brackets.
+-		// This excludes any IPv4 or IPv4-mapped addresses.
++		// This excludes any IPv4, but notably not IPv4-mapped addresses.
+ 		addr, err := netip.ParseAddr(unescapedHostname)
+ 		if err != nil {
+ 			return "", fmt.Errorf("invalid host: %w", err)
+ 		}
+-		if addr.Is4() || addr.Is4In6() {
+-			return "", errors.New("invalid IPv6 host")
++		if addr.Is4() {
++			return "", errors.New("invalid IP-literal")
+ 		}
+ 		return "[" + unescapedHostname + "]" + unescapedColonPort, nil
+ 	} else if i := strings.LastIndex(host, ":"); i != -1 {
+diff --git a/src/net/url/url_test.go b/src/net/url/url_test.go
+index 3206558..6084fac 100644
+--- a/src/net/url/url_test.go
++++ b/src/net/url/url_test.go
+@@ -726,7 +726,7 @@
+ 	{"https://[2001:db8::1]/path", true},            // compressed IPv6 address with path
+ 	{"https://[fe80::1%25eth0]/path?query=1", true}, // link-local with zone, path, and query
+ 
+-	{"https://[::ffff:192.0.2.1]", false},
++	{"https://[::ffff:192.0.2.1]", true},
+ 	{"https://[:1] ", false},
+ 	{"https://[1:2:3:4:5:6:7:8:9]", false},
+ 	{"https://[1::1::1]", false},
+@@ -1672,16 +1672,17 @@
+ 		{"cache_object:foo/bar", true},
+ 		{"cache_object/:foo/bar", false},
+ 
+-		{"http://[192.168.0.1]/", true},             // IPv4 in brackets
+-		{"http://[192.168.0.1]:8080/", true},        // IPv4 in brackets with port
+-		{"http://[::ffff:192.168.0.1]/", true},      // IPv4-mapped IPv6 in brackets
+-		{"http://[::ffff:192.168.0.1]:8080/", true}, // IPv4-mapped IPv6 in brackets with port
+-		{"http://[::ffff:c0a8:1]/", true},           // IPv4-mapped IPv6 in brackets (hex)
+-		{"http://[not-an-ip]/", true},               // invalid IP string in brackets
+-		{"http://[fe80::1%foo]/", true},             // invalid zone format in brackets
+-		{"http://[fe80::1", true},                   // missing closing bracket
+-		{"http://fe80::1]/", true},                  // missing opening bracket
+-		{"http://[test.com]/", true},                // domain name in brackets
++		{"http://[192.168.0.1]/", true},              // IPv4 in brackets
++		{"http://[192.168.0.1]:8080/", true},         // IPv4 in brackets with port
++		{"http://[::ffff:192.168.0.1]/", false},      // IPv4-mapped IPv6 in brackets
++		{"http://[::ffff:192.168.0.1000]/", true},    // Out of range IPv4-mapped IPv6 in brackets
++		{"http://[::ffff:192.168.0.1]:8080/", false}, // IPv4-mapped IPv6 in brackets with port
++		{"http://[::ffff:c0a8:1]/", false},           // IPv4-mapped IPv6 in brackets (hex)
++		{"http://[not-an-ip]/", true},                // invalid IP string in brackets
++		{"http://[fe80::1%foo]/", true},              // invalid zone format in brackets
++		{"http://[fe80::1", true},                    // missing closing bracket
++		{"http://fe80::1]/", true},                   // missing opening bracket
++		{"http://[test.com]/", true},                 // domain name in brackets
+ 	}
+ 	for _, tt := range tests {
+ 		u, err := Parse(tt.in)
diff --git a/sdk_container/src/third_party/portage-stable/dev-lang/go/files/go-1.25.3-ipv6-validation.patch b/sdk_container/src/third_party/portage-stable/dev-lang/go/files/go-1.25.3-ipv6-validation.patch
new file mode 100644
index 0000000000..4f162b2b09
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/dev-lang/go/files/go-1.25.3-ipv6-validation.patch
@@ -0,0 +1,86 @@
+From 83449b7e2f261c94ea46842012c0992a3a714ce5 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <roland@golang.org>
+Date: Wed, 08 Oct 2025 17:13:12 -0700
+Subject: [PATCH] [release-branch.go1.25] net/url: allow IP-literals with IPv4-mapped IPv6 addresses
+
+The security fix we applied in CL709857 was overly broad. It applied
+rules from RFC 2732, which disallowed IPv4-mapped IPv6 addresses, but
+these were later allowed in RFC 3986, which is the canonical URI syntax
+RFC.
+
+Revert the portion of CL709857 which restricted IPv4-mapped addresses,
+and update the related tests.
+
+Updates #75815
+Fixes #75832
+
+Change-Id: I3192f2275ad5c386f5c15006a6716bdb5282919d
+Reviewed-on: https://go-review.googlesource.com/c/go/+/710375
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Reviewed-by: Ethan Lee <ethanalee@google.com>
+Auto-Submit: Roland Shoemaker <roland@golang.org>
+(cherry picked from commit 9db7e30bb42eed9912f5e7e9e3959f3b38879d5b)
+---
+
+diff --git a/src/net/url/url.go b/src/net/url/url.go
+index 40faa7c..1c50e06 100644
+--- a/src/net/url/url.go
++++ b/src/net/url/url.go
+@@ -673,13 +673,13 @@
+ 
+ 		// Per RFC 3986, only a host identified by a valid
+ 		// IPv6 address can be enclosed by square brackets.
+-		// This excludes any IPv4 or IPv4-mapped addresses.
++		// This excludes any IPv4, but notably not IPv4-mapped addresses.
+ 		addr, err := netip.ParseAddr(unescapedHostname)
+ 		if err != nil {
+ 			return "", fmt.Errorf("invalid host: %w", err)
+ 		}
+-		if addr.Is4() || addr.Is4In6() {
+-			return "", errors.New("invalid IPv6 host")
++		if addr.Is4() {
++			return "", errors.New("invalid IP-literal")
+ 		}
+ 		return "[" + unescapedHostname + "]" + unescapedColonPort, nil
+ 	} else if i := strings.LastIndex(host, ":"); i != -1 {
+diff --git a/src/net/url/url_test.go b/src/net/url/url_test.go
+index 3206558..6084fac 100644
+--- a/src/net/url/url_test.go
++++ b/src/net/url/url_test.go
+@@ -726,7 +726,7 @@
+ 	{"https://[2001:db8::1]/path", true},            // compressed IPv6 address with path
+ 	{"https://[fe80::1%25eth0]/path?query=1", true}, // link-local with zone, path, and query
+ 
+-	{"https://[::ffff:192.0.2.1]", false},
++	{"https://[::ffff:192.0.2.1]", true},
+ 	{"https://[:1] ", false},
+ 	{"https://[1:2:3:4:5:6:7:8:9]", false},
+ 	{"https://[1::1::1]", false},
+@@ -1672,16 +1672,17 @@
+ 		{"cache_object:foo/bar", true},
+ 		{"cache_object/:foo/bar", false},
+ 
+-		{"http://[192.168.0.1]/", true},             // IPv4 in brackets
+-		{"http://[192.168.0.1]:8080/", true},        // IPv4 in brackets with port
+-		{"http://[::ffff:192.168.0.1]/", true},      // IPv4-mapped IPv6 in brackets
+-		{"http://[::ffff:192.168.0.1]:8080/", true}, // IPv4-mapped IPv6 in brackets with port
+-		{"http://[::ffff:c0a8:1]/", true},           // IPv4-mapped IPv6 in brackets (hex)
+-		{"http://[not-an-ip]/", true},               // invalid IP string in brackets
+-		{"http://[fe80::1%foo]/", true},             // invalid zone format in brackets
+-		{"http://[fe80::1", true},                   // missing closing bracket
+-		{"http://fe80::1]/", true},                  // missing opening bracket
+-		{"http://[test.com]/", true},                // domain name in brackets
++		{"http://[192.168.0.1]/", true},              // IPv4 in brackets
++		{"http://[192.168.0.1]:8080/", true},         // IPv4 in brackets with port
++		{"http://[::ffff:192.168.0.1]/", false},      // IPv4-mapped IPv6 in brackets
++		{"http://[::ffff:192.168.0.1000]/", true},    // Out of range IPv4-mapped IPv6 in brackets
++		{"http://[::ffff:192.168.0.1]:8080/", false}, // IPv4-mapped IPv6 in brackets with port
++		{"http://[::ffff:c0a8:1]/", false},           // IPv4-mapped IPv6 in brackets (hex)
++		{"http://[not-an-ip]/", true},                // invalid IP string in brackets
++		{"http://[fe80::1%foo]/", true},              // invalid zone format in brackets
++		{"http://[fe80::1", true},                    // missing closing bracket
++		{"http://fe80::1]/", true},                   // missing opening bracket
++		{"http://[test.com]/", true},                 // domain name in brackets
+ 	}
+ 	for _, tt := range tests {
+ 		u, err := Parse(tt.in)
diff --git a/sdk_container/src/third_party/portage-stable/dev-lang/go/go-1.24.7.ebuild b/sdk_container/src/third_party/portage-stable/dev-lang/go/go-1.24.9.ebuild
similarity index 95%
rename from sdk_container/src/third_party/portage-stable/dev-lang/go/go-1.24.7.ebuild
rename to sdk_container/src/third_party/portage-stable/dev-lang/go/go-1.24.9.ebuild
index 0b04ca1987..3d6ed30afa 100644
--- a/sdk_container/src/third_party/portage-stable/dev-lang/go/go-1.24.7.ebuild
+++ b/sdk_container/src/third_party/portage-stable/dev-lang/go/go-1.24.9.ebuild
@@ -18,7 +18,7 @@ case ${PV}  in
 	inherit git-r3
 	;;
 *)
-	SRC_URI="https://storage.googleapis.com/golang/go${MY_PV}.src.tar.gz "
+	SRC_URI="https://go.dev/dl/go${MY_PV}.src.tar.gz "
 	S="${WORKDIR}"/go
 	KEYWORDS="-* amd64 arm arm64 ~loong ~mips ppc64 ~riscv ~s390 x86 ~amd64-linux ~x86-linux ~x64-macos ~x64-solaris"
 	;;
@@ -67,6 +67,7 @@ go_cross_compile() {
 PATCHES=(
 	"${FILESDIR}"/go-1.24-skip-gdb-tests.patch
 	"${FILESDIR}"/go-1.24-dont-force-gold-arm.patch
+	"${FILESDIR}"/go-1.24.9-ipv6-validation.patch # https://go-review.googlesource.com/c/go/+/712142
 	"${FILESDIR}"/go-never-download-newer-toolchains.patch
 )
 
diff --git a/sdk_container/src/third_party/portage-stable/dev-lang/go/go-1.25.1.ebuild b/sdk_container/src/third_party/portage-stable/dev-lang/go/go-1.25.3.ebuild
similarity index 95%
rename from sdk_container/src/third_party/portage-stable/dev-lang/go/go-1.25.1.ebuild
rename to sdk_container/src/third_party/portage-stable/dev-lang/go/go-1.25.3.ebuild
index 6f8697ab12..4f6f1729fb 100644
--- a/sdk_container/src/third_party/portage-stable/dev-lang/go/go-1.25.1.ebuild
+++ b/sdk_container/src/third_party/portage-stable/dev-lang/go/go-1.25.3.ebuild
@@ -18,7 +18,7 @@ case ${PV}  in
 	inherit git-r3
 	;;
 *)
-	SRC_URI="https://storage.googleapis.com/golang/go${MY_PV}.src.tar.gz "
+	SRC_URI="https://go.dev/dl/go${MY_PV}.src.tar.gz "
 	S="${WORKDIR}"/go
 	KEYWORDS="-* amd64 arm arm64 ~loong ~mips ppc64 ~riscv ~s390 x86 ~amd64-linux ~x86-linux ~x64-macos ~x64-solaris"
 	;;
@@ -68,6 +68,7 @@ PATCHES=(
 	"${FILESDIR}"/go-1.24-skip-gdb-tests.patch
 	"${FILESDIR}"/go-1.24-dont-force-gold-arm.patch
 	"${FILESDIR}"/go-1.25-no-dwarf5.patch
+	"${FILESDIR}"/go-1.25.3-ipv6-validation.patch # https://go-review.googlesource.com/c/go/+/712240
 	"${FILESDIR}"/go-never-download-newer-toolchains.patch
 )
 
diff --git a/sdk_container/src/third_party/portage-stable/dev-lang/go/go-9999.ebuild b/sdk_container/src/third_party/portage-stable/dev-lang/go/go-9999.ebuild
index 4f9caabf8a..16a403f5dc 100644
--- a/sdk_container/src/third_party/portage-stable/dev-lang/go/go-9999.ebuild
+++ b/sdk_container/src/third_party/portage-stable/dev-lang/go/go-9999.ebuild
@@ -18,7 +18,7 @@ case ${PV}  in
 	inherit git-r3
 	;;
 *)
-	SRC_URI="https://storage.googleapis.com/golang/go${MY_PV}.src.tar.gz "
+	SRC_URI="https://go.dev/dl/go${MY_PV}.src.tar.gz "
 	S="${WORKDIR}"/go
 #	KEYWORDS="-* ~amd64 ~arm ~arm64 ~loong ~mips ~ppc64 ~riscv ~s390 ~x86 ~amd64-linux ~x86-linux ~x64-macos ~x64-solaris"
 	;;
@@ -65,6 +65,7 @@ go_cross_compile() {
 }
 
 PATCHES=(
+	"${FILESDIR}"/go-1.24-skip-gdb-tests.patch
 	"${FILESDIR}"/go-1.24-dont-force-gold-arm.patch
 	"${FILESDIR}"/go-never-download-newer-toolchains.patch
 )