The Java 11 package installs Java 10. This was supposed to be a short term hack (because Ubuntu's long term supported version 18.04 was being released shortly before Java's long term supported version 11) but it's been a good while now - six months or so.
The short term support version 18.10 of Ubuntu has Java 11 so it's very non-obvious what the blocker is.
To me this seems like a really poor choice. The result of installing the Java 11 package but getting Java 10 clearly fails the principle of least astonishment. If we can live without the fix a quarter of the way to the next LTS edition of Ubuntu then we could have lived with Java 10 as the preferred (and correctly named) package in the first place.
Meanwhile the bug asks us not to spam with requests for updates yet there's no suggestion of where we can go to gauge what the timescales we're up against are.
It definitely dents my confidence in Ubuntu as a well organised distribution.
(Meanwhile, apparently, some users have come to expect an upstream release to get into ubuntu stable updates within 2 days ?!)
If the package is called "openjdk-11", I want JDK 11.
Though I doubt and hope Ubuntu didn't base their stuff on the backports branch...
I'm not a Debian maintainer. They'll probably have a better answer if you asked them :)
The last official comment was it was delayed till Thursday, Feb. 14:
Those preparing the release will update release notes and fixed bug lists (like this one) before the release.
Canonical really should enable https as an additional layer of protection. This isn't the first time a bug in apt's authentication was found and it's unlikely that this bug will be the last.
edit: the updated, point release ISOs will have the fix